lord of the flies

The popularity of a security consultant within a development-oriented organisation is most certainly bipolar. Occasionally, after thwarting a breach or reporting a bug directly to a developer rather than through JIRA (where it would expose their incompetence), we are gifted the opportunity of feeling a little more human and receive – for once – some warmth from our fellow compatriots. Most of the time, however, we’re that troll under the bridge pulling at people’s ankles, standing in their way and grunting orders at them as they try to cross. On the other hand, the reality is that the very nature of our jobs is to protect and help others, and to do so requires a solid understanding of all layers of the stack. So, for the most part we’re not grunting orders whilst having no clue as to what we’re talking about: we’re making well-informed observations that warrant attention.

Many a dev shop I’ve stepped into can be likened to the Lord of the Flies, where the developers are so focused on design, functionality and UX that they lose touch with what really makes a product: engineering. Design may sell a product, but without solid engineering it will almost certainly see a short lifespan, significant downtime, no sales via word of mouth and/or reputational harm. What I’ve been trying to teach developers is that security not only has the function of protecting data and users, but also promotes robust engineering. Making security a priority throughout the entire design and development process ultimately forms a more reliable product that will require less ongoing downtime to patch bugs – allowing developers to focus more on functionality and design during post-go-live sprints. Think of it this way: if you cut corners when constructing the foundations and frame of a house, only to later discover that there is a critical issue with either, you’re going to have one hell of a time trying to address the issue without seriously impacting its occupants. So, the key to forcing a shift toward secure development practices is education: knowing vulnerabilities and their impact, coding securely, testing, and how to efficiently integrate standards into projects. An effective tool to illustrate this and to get developers adopting more of a hacker mindset is the HackMe application. Previously I developed and released vuln_demo; however, I’ve recently ended that project and created FooBl0g.

oinkception

A project I’m involved with that’s still in its early stages is the development of an automated, intelligent security environment that consists of:

  • Firewall, router and switch configuration management (existing in-house developed software).
  • Asset management and vulnerability scanning (Metasploit and OpenVAS).
  • Malware detection and analysis (analysis performed by Cuckoo).
  • Intrusion detection and analysis.

The last two are the final pieces to our puzzle, and given the data has high:

  • Variety: appliance, application and server logs.
  • Velocity and Volume: dozens of networks across the globe, hundreds of servers, 1000+ databases, 1000+ applications.

… it’s really a no-brainer to use Hadoop as the storage framework. To dip our toes into the newfound waters of big data, whilst also evaluating a solution that could prove useful in piecing together our environment, I built a network analysis server consisting of Snort, Hadoop, Pig and PacketPig.

slow search

This morning when searching for a module in Metasploit I received the dreaded error:

Database not connected or cache not built, using slow search

Surprisingly, there was very little information on forums or other blogs regarding this in the context of Kali 2.0 – so I’ll document my fix here.

Further to the above error, entering the command 'db_status' returns:

postgresql selected, no connection

The solution: create a new database and connect Metasploit to it. But first, the postgresql service must be started and set to auto-start:

service postgresql start
update-rc.d postgresql enable

The database can then be created:

su postgres
createuser msf_user -P
(enter password)

createdb --owner=msf_user msf_database

… and Metasploit configured to point to the newly created database (substitute the password you chose for msf_user above):

msfconsole

db_connect msf_user:<password>@127.0.0.1/msf_database

This will automatically initiate a rebuild of the module cache (the equivalent of running update_db_cache).

burn after reading

On Tuesday evening I delivered a presentation to a fairly diverse group comprised of local IT business owners and staff – the largest of its kind in my city. The subject of it was incident response: hiring the right staff and educating existing staff, designing networks that reduce the impact of breaches, log correlation and malware analysis, etc. One point that I made, which visibly provoked deep thought throughout much of the audience, was that shifting infrastructure into the cloud moves our data further out of the reach of security controls and into the hands of potentially untrustworthy and incompetent third parties. You may say: “well, duh”. Trust me, it too came as a surprise to me that this would cause distress for people, as in my mind it’s absolute common sense – but obviously not. The concern of outsourcing security was, however, one of the reasons that I chose to introduce a policy within my workplace that prohibits the transmission of confidential data (e.g. credentials) via email or SMS, as data retention and the security of cloud and telco services is at times somewhat questionable. So, you want to eliminate the storage of confidential information in any such outsourced services. Faced with having to devise a solution that is usable by even the most technically inept, I decided to build upon a concept already used by some online services: self-destructing, encrypted messages.

direct dealings

A client of mine operates a fairly large trading website that allows users to upload media (e.g. images, videos and documents) to accompany their listings, and respondents to do the same with their responses. The uploaded files are stored on disk, i.e. not in a database. Following some operational re-architecture, it has also been decided that the architecture and development of the application will be tidied up a bit. As a good portion of the application is already in Amazon, it has been suggested that one option is to store the flat files in S3 – cue my input on how this could be achieved.

bubblewrap

As a company grows in size and its public image becomes more and more prominent, it is inevitable that it will become a more attractive target to attackers – whether it be the prime focus of an attack, or the low-hanging fruit attached to a greater one. I certainly see this with my employer, and the effort put into some emails that have been forwarded to me for inspection following my most recent social engineering test has very much illustrated that we are on the radar of some people who possess both determination and resources. However, regardless of how much effort you put into education, you’re still guaranteed to get someone who opens a malicious attachment, so to guide incident response you need to analyse the behaviour of the file(s) to have meaningful data to work with.

[image] worst phishing attempt ever – recently sent to our HR team


negative reinforcement

Security questionnaires and wikis are all well and good: they tick the auditors’ boxes and teach those who already have a vague comprehension of security an extra thing or two… but they fail at reinforcing their teachings. To most they are yet another painful administration exercise that you unwillingly undertake on a regular basis. They are completed, yet people still consistently fall for the same tricks. So, is there any way to begin reinforcing the basic principles that we are forever trying to shove down the throats of staff?