Archive | June, 2015

Agile Security – How Does It Fit Into A World Of Continuous Delivery


So, Agile Security? How does it fit into the new age of rapid iteration, continuous integration and continuous development? It’s an interesting discussion and personally very on point for me, as I operate in an agile organisation and just today took (and passed, yay me) my Scrum Master certification.

The traditional silo approach to security is already breaking down. In smaller organisations security was typically part of the ops team, and with the whole DevOps movement, infrastructure as code and CI/CD, that silo is already getting busted up.


And I have to agree, the next silo to combust will be security – it has to adapt, become more agile and more integrated into the development flow from the beginning.

Continuous delivery of software and applications is one of the most significant advancements that has taken place in the computing industry in the past 25 years. It is catching on so fast that you can now hear the death rattle of the 18-month software delivery cycle. The rise of cloud computing infrastructures — both in corporate data centers and infrastructure-as-a-service (IaaS) providers such as Amazon Web Services (AWS) — is powered by agile software development teams using orchestration tools like Puppet and Chef to decouple application development from the infrastructure, adding speed and agility to the enterprise.

Just as enterprise computing is having its DevOps moment, though, much of the security profession has woken up to the fact that it is mired in the traditional infrastructure and silo approach. When everything in computing is dynamic, distributed, heterogeneous, and hybrid (i.e., alive), security that is bonded to static infrastructures like the network — an architecture based on hierarchies and chokepoints — appears out of sync with the new reality. If you are a security professional, continuous delivery and agile development are your future.

Consider the traditional approach to securing applications. Development creates a new app and then passes it over to the infrastructure team, which then onboards it to server, storage, and networking platforms. When that is complete, the security team comes in to protect it so employees, partners, suppliers, and customers can use it securely.


Waterfall is dying off. It’s still OK for simple projects with few changes (low complexity), but in the real world agile is SO much better at adapting to change and building relevant, high-quality software which delivers maximum value to the business.

So security needs to get out of the oldskool model of being an afterthought, or an entirely separate “ops” stage like architecture, infrastructure and deployment used to be.

For security to flourish in the age of continuous delivery, it must meet the following requirements:

1. Security policy must be embedded into the application development cycle at inception. This means developers must co-join with infrastructure and security teams to create and instrument policy when they are creating new apps. Just as continuous delivery dissolves the barriers between developers and infrastructure, security will be the next silo to go.

2. Enforcement of security policies must move and adapt with the continuous delivery approach. If new applications are moved between private clouds and IaaS environments, security must move with the applications.

3. Thus, security must be decoupled from infrastructure to support the distributed and fluid nature of continuous, on-demand applications and supporting infrastructures. This provides the added benefit of being able to dynamically add resources on demand, including security.

4. Finally, as Gartner notes, security must offer detective, preventive, responsive, and predictive capabilities that adapt with changes in the threat environment and provide transparency to the various IT constituencies involved.

So what do we do? What’s the way forward? I’m personally a huge fan of tools like Code Climate, which performs static analysis on every commit to your GitHub repo. It uses Brakeman for Ruby security checks, for example, and it’s all integrated, so it works brilliantly in an agile development flow.

This pushes basic security responsibility to the developers and couples it with code quality, style and test coverage.
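A commit gate in that spirit, as an added example that is neither Code Climate's nor Brakeman's own code: it reads a Brakeman-style JSON report for one commit and fails the build on any high-confidence warning that the team has not already reviewed and accepted in a baseline. The report layout, the sample findings and the baseline fingerprints are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample modelled on Brakeman's JSON report: each warning carries a
# type, a confidence level and a fingerprint (the stable id an ignore file keys on).
SAMPLE_REPORT = json.dumps({
    "warnings": [
        {"warning_type": "SQL Injection", "confidence": "High",
         "file": "app/models/user.rb", "line": 42, "fingerprint": "aaa111"},
        {"warning_type": "Cross-Site Scripting", "confidence": "Medium",
         "file": "app/views/posts/show.html.erb", "line": 7, "fingerprint": "bbb222"},
        {"warning_type": "Mass Assignment", "confidence": "Weak",
         "file": "app/controllers/users_controller.rb", "line": 19, "fingerprint": "ccc333"},
        {"warning_type": "Command Injection", "confidence": "High",
         "file": "lib/export.rb", "line": 88, "fingerprint": "ddd444"},
    ]
})

# Findings the team has reviewed and accepted earlier (constructed baseline).
BASELINE_FINGERPRINTS = {"aaa111"}

LEVELS = {"Weak": 1, "Medium": 2, "High": 3}


def load_warnings(report_json):
    return json.loads(report_json).get("warnings", [])


def evaluate(report_json, baseline, fail_at="High"):
    """Return (passed, blocking, accepted, summary) for one commit's report."""
    threshold = LEVELS[fail_at]
    blocking, accepted = [], []
    warnings = load_warnings(report_json)
    for w in warnings:
        if w["fingerprint"] in baseline:
            accepted.append(w)          # previously reviewed: report, do not block
        elif LEVELS.get(w["confidence"], 0) >= threshold:
            blocking.append(w)          # new finding at or above the gate level
    summary = Counter(w["warning_type"] for w in warnings)
    return (not blocking), blocking, accepted, dict(summary)


def format_result(passed, blocking, accepted):
    lines = []
    for w in blocking:
        lines.append(f"BLOCK {w['confidence']:<6} {w['warning_type']} at {w['file']}:{w['line']}")
    for w in accepted:
        lines.append(f"ACCEPTED (baseline) {w['warning_type']} at {w['file']}:{w['line']}")
    lines.append("build: " + ("PASS" if passed else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    passed, blocking, accepted, summary = evaluate(SAMPLE_REPORT, BASELINE_FINGERPRINTS)
    print(format_result(passed, blocking, accepted))
    print("by type:", summary)
    raise SystemExit(0 if passed else 1)   # non-zero exit is what fails the CI job
```

The baseline is what keeps the gate from blocking every commit on legacy findings while still stopping new ones; review it, do not let it grow silently.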

There’s much more than this we can do, but it’s a whole new movement I guess – exciting times ahead.

Source: Security Week

Posted in: Countermeasures, Secure Coding



Latest Posts:


Judas DNS – Nameserver DNS Poisoning Attack Tool
Judas DNS is a Nameserver DNS Poisoning Attack Tool which functions as a DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation.
dsniff Download – Tools for Network Auditing & Password Sniffing
Dsniff download is a collection of tools for network auditing & penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, URLsnarf, and WebSpy passively monitor a network
OWASP Amass – DNS Enumeration, Attack Surface Mapping & External Asset Discovery
The OWASP Amass Project is a DNS Enumeration, Attack Surface Mapping & External Asset Discovery tool to help information security professionals perform network mapping of attack surfaces.
Cameradar – Hack RTSP Video Surveillance CCTV Cameras
Cameradar is a Go-based tool to hack RTSP Video Surveillance CCTV Cameras, it can detect open RTSP hosts, detect device models and launch automated attacks.
dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).


Patator – Multi-threaded Service & URL Brute Forcing Tool


Patator is an extremely flexible, modular, multi-threaded, multi-purpose service & URL brute forcing tool written in Python that can be used in many ways. Basically the author got tired of using Medusa, Hydra, ncrack, metasploit auxiliary modules, nmap NSE scripts and the like because:

  • They either do not work or are not reliable (got me false negatives several times in the past)
  • They are not flexible enough (how to iterate over all wordlists, fuzz any module parameter)
  • They lack useful features (display progress or pause during execution)


Features

Basically you should give Patator a try once you have been disappointed by Medusa, Hydra or other brute-force tools and are about to code your own small script, because Patator does the following:

  1. No false negatives, as it is the user that decides what results to ignore based on the status code of the response, the size of the response and/or matching strings/regex
  2. Modular Design (not limited to network modules, e.g. unzip_pass)
  3. Interactive runtime (shows progress, pause/unpause)
  3. Uses persistent connections
  5. Multi-threaded
  6. Flexible user input (any module parameter can be fuzzed)
  7. Save every response (along with the request) to separate log files for later review.

Modules

  • ftp_login : Brute-force FTP
  • ssh_login : Brute-force SSH
  • telnet_login : Brute-force Telnet
  • smtp_login : Brute-force SMTP
  • smtp_vrfy : Enumerate valid users using the SMTP VRFY command
  • smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
  • finger_lookup : Enumerate valid users using Finger
  • http_fuzz : Brute-force HTTP/HTTPS
  • pop_login : Brute-force POP
  • pop_passd : Brute-force poppassd (not POP3)
  • imap_login : Brute-force IMAP
  • ldap_login : Brute-force LDAP
  • smb_login : Brute-force SMB
  • smb_lookupsid : Brute-force SMB SID-lookup
  • rlogin_login : Brute-force rlogin
  • vmauthd_login : Brute-force VMware Authentication Daemon
  • mssql_login : Brute-force MSSQL
  • oracle_login : Brute-force Oracle
  • mysql_login : Brute-force MySQL
  • mysql_query : Brute-force MySQL queries
  • pgsql_login : Brute-force PostgreSQL
  • vnc_login : Brute-force VNC
  • dns_forward : Brute-force DNS
  • dns_reverse : Brute-force DNS (reverse lookup subnets)
  • ike_enum : Enumerate IKE transforms
  • snmp_login : Brute-force SNMPv1/2 and SNMPv3
  • unzip_pass : Brute-force the password of encrypted ZIP files
  • keystore_pass : Brute-force the password of Java keystore files
  • umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes

Patator is NOT script-kiddie friendly, please read the README inside patator.py before reporting/complaining/asking how to use this tool.
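From the defender's side, as an added example that is not part of Patator or the original post: the ssh_login style of run described above leaves a distinctive trail in sshd logs (many failures from one source in a short window, several usernames, and, because of the persistent connection, one client port), and this checks for it. The log excerpt is constructed (RFC 5737 documentation addresses, 2015 as the assumed year), and the window and threshold values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth.log excerpt, not real traffic.
SAMPLE_LOG = """\
Jun  3 10:15:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  3 10:15:02 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  3 10:15:02 bastion sshd[2201]: Failed password for invalid user test from 203.0.113.5 port 51234 ssh2
Jun  3 10:15:03 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun  3 10:15:04 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun  3 10:15:05 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun  3 10:15:20 bastion sshd[2210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jun  3 10:15:40 bastion sshd[2211]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
Jun  3 10:19:00 bastion sshd[2230]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Jun  3 10:25:00 bastion sshd[2231]: Failed password for bob from 198.51.100.9 port 40101 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_failures(log_text, year=2015):
    """Yield (timestamp, user, src_ip, port) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"], int(m["port"])


def detect_bruteforce(log_text, window_s=60, threshold=5):
    """Flag a source once it produces >= threshold failures within window_s seconds.

    Each alert also records how many distinct usernames were tried and whether all
    attempts reused one client port, the signature of a persistent-connection tool."""
    recent = defaultdict(deque)        # src -> failure timestamps inside the window
    seen = defaultdict(lambda: {"users": set(), "ports": set()})
    alerts = {}
    for ts, user, src, port in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        seen[src]["users"].add(user)
        seen[src]["ports"].add(port)
        if len(q) >= threshold and src not in alerts:   # alert once per source
            alerts[src] = {
                "first_seen": q[0],
                "failures_in_window": len(q),
                "distinct_users": len(seen[src]["users"]),
                "single_connection": len(seen[src]["ports"]) == 1,
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

Pair the alert with a control that limits attempts per connection (MaxAuthTries in sshd_config) and with key-only authentication, so the persistent-connection trick yields little even before detection fires.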

You can download Patator v0.6 here:

patator-0.6.zip

Or read more here.

Posted in: Hacking Tools, Networking Hacking, Password Cracking





Shadow Daemon – Web Application Firewall


Shadow Daemon is a collection of tools to detect, log and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates the web application, the analysis and the interface to increase security, flexibility and expandability.


Shadow Daemon is easy to install and can be managed with a clear and structured web interface. The interface lets you examine attacks in great detail. If you just want to protect your site, but otherwise do not care about attacks, you can forget about the web interface once Shadow Daemon is installed and configured. The interface also comes with shell scripts that can be used to send weekly reports via e-mail, rotate the logs and the like.

Language Connectors

Shadow Daemon strives to be a single solution for all popular web languages. At the moment the following programming languages are supported:

  • PHP
  • Perl
  • Python

Accurate Detection

Shadow Daemon combines whitelisting and blacklisting to accurately detect malicious requests. The blacklist makes use of sophisticated regular expressions to search for known attack patterns in the user input. The whitelist, on the other hand, searches for irregularities in the user input based on strict rules that define what the input should look like. Together they can detect almost any attack on a web application and still have a very low false-positive rate.

Shadow Daemon is able to detect common attacks like:

  • SQL Injections
  • XML Injections
  • Code Injections
  • Command Injections
  • Cross-Site Scripting
  • Local/Remote File Inclusions
  • Backdoor Access

Discreet Protection

Unlike many other web application firewalls, Shadow Daemon does not completely block malicious requests. Instead it only filters out the dangerous parts of a request and lets it proceed afterwards. This makes attacks impossible, but does not unnecessarily frustrate visitors in the case of false positives.

Secure Architecture

Shadow Daemon is closer to the application than most other web application firewalls. It receives exactly the same input that the web application receives and thus it is almost impossible to bypass the detection by obfuscating the attack. However, the most complex parts of Shadow Daemon are separated from the web application to guarantee a certain standard of security.
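To make the combined whitelist/blacklist detection and the filter-rather-than-block behaviour concrete, an added example in Python that is not Shadow Daemon's own code or ruleset: a small analyser with a handful of constructed rules run over a constructed request. The parameter names, the whitelist formats and the blacklist patterns are assumptions; real rulesets are far larger.

```python
import re

# Blacklist: regexes for well-known attack patterns (constructed, deliberately small).
BLACKLIST = [
    ("sql_injection",     re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b")),
    ("xss",               re.compile(r"(?i)<\s*script\b|javascript:")),
    ("file_inclusion",    re.compile(r"\.\./|\x00")),
    ("command_injection", re.compile(r"[;&|`]\s*(?:cat|ls|id|wget|curl)\b")),
]

# Whitelist: per-parameter rules describing what legitimate input looks like.
# Parameters without a rule are judged by the blacklist alone (an assumption here).
WHITELIST = {
    "id":    re.compile(r"\d{1,10}"),
    "page":  re.compile(r"[a-z_]{1,32}"),
    "email": re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}"),
}


def analyse(params):
    """Return {name: [reasons]} for every parameter that violates a rule."""
    findings = {}
    for name, value in params.items():
        reasons = []
        rule = WHITELIST.get(name)
        if rule and not rule.fullmatch(value):
            reasons.append("whitelist:unexpected_format")   # catches what no signature names
        for label, rx in BLACKLIST:
            if rx.search(value):
                reasons.append("blacklist:" + label)
        if reasons:
            findings[name] = reasons
    return findings


def filter_request(params):
    """Discreet mode: drop only the offending parameters and let the rest proceed.

    Returns (clean_params, findings). A blocking WAF would instead reject the
    whole request whenever findings is non-empty."""
    findings = analyse(params)
    clean = {k: v for k, v in params.items() if k not in findings}
    return clean, findings


# Constructed request: two legitimate parameters and two hostile ones.
SAMPLE_REQUEST = {
    "id": "42",
    "page": "profile UNION SELECT 1",
    "comment": "<script>alert(1)</script>nice post",
    "email": "alice@example.com",
}

if __name__ == "__main__":
    clean, findings = filter_request(SAMPLE_REQUEST)
    print("forwarded:", clean)
    print("removed:  ", findings)
```

Dropping a parameter changes what the application sees, so log every removal with the reason; the whitelist is the half that still fires when an obfuscated payload slips past the blacklist regexes.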

You can get Shadow Daemon here:

Debian/Ubuntu

Download here.

or

Red Hat / CentOS / Fedora

Download here.

Or read more here.

Posted in: Countermeasures, Security Software, Web Hacking





OpenSSH On Windows – It’s Happening!


So it seems like getting rid of Ballmer was the best thing Microsoft has done in years. Satya is definitely pushing them in a much more positive direction, with a focus on Azure, open sourcing technology and moves like this: OpenSSH on Windows!

A real show of support for open source technology and a commitment to making Windows servers more technologically relevant.


There have long been 3rd-party integrations with Windows to provide SSH support, but it’s good to finally see a real commitment by Microsoft themselves to do encrypted remote access the right way.

Microsoft has finally decided to add support for SSH to PowerShell, allowing people to log into Windows systems and use software remotely over an encrypted connection.

Users of Linux, the BSDs, and other operating systems, will know all about OpenSSH and its usefulness in connecting machines in a secure way to execute commands and transfer data. And soon Windows PowerShell – the command-line shell and scripting language – can be used over SSH, we’re told.

“The PowerShell team [will] adopt an industry-proven solution while providing tight integration with Windows; a solution that Microsoft will deliver in Windows while working closely with experts across the planet to build it,” wrote Microsoft group software engineering manager Angel Calvo.

“I’m pleased to announce that the PowerShell team will support and contribute to the OpenSSH community.”

PowerShell’s SSH support will allow users to “interoperate between Windows and Linux – both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH.”


This brings in a whole new era of monitoring and automation for Windows DevOps guys, more integration with Linux tools and easier deployment etc as pretty much everything already supports SSH.

In many environments the use of a 3rd party SSH server would be prohibited (against service contracts etc) so the fact it’s going to be ‘officially’ part of Windows going forwards is great.

This isn’t the first time Microsofties have tried to adopt SSH for Windows. Engineers at the Redmond giant say they had tried on two separate occasions to allow the secure protocol to be used within Windows, attempts that were struck down by leadership.

Third-party SSH tools have been available on Windows for years, but this announcement is effectively Microsoft’s official endorsement of the open-source technology.

The change in policy has been linked directly to changes at the top of Microsoft – the departure of Steve Ballmer as CEO and the rise of Satya Nadella, a move that MS employees say brought a change in culture and perspective in Redmond.

“Given our changes in leadership and culture, we decided to give it another try and this time, because we are able to show the clear and compelling customer value, the company is very supportive,” Calvo wrote.

“So I want to take a minute and thank all of you in the community who have been clearly and articulately making the case for why and how we should support SSH! Your voices matter and we do listen.”

Well, they listen now that Ballmer is out of the picture.

There’s no timeline for release of this right now. I wonder if it’s something that will come out with Windows 10? Or something they are only just starting to work on now?

Either way it’s definitely a positive move and I hope to see more industry standards infiltrate the Microsoft ecosystem and the era of proprietary technologies for remote control, network stacks and so on die off.

Source: The Register

Posted in: Countermeasures, Windows Hacking


