- Bitcoin Wisdom - Trading-type Terminal for Bitcoin - https://bitcoinwisdom.com/
- Zone Transfer Tutorial - https://digi.ninja/projects/zonetransferme.php
- Debian Hardening Wiki - https://wiki.debian.org/Hardening
- Standard Password Manager for UNIX - https://www.passwordstore.org/
- Is your Browser safe against tracking? - https://panopticlick.eff.org
- Have I been Pwned? - https://haveibeenpwned.com/
- CryptoPals -Cool CTF for Crypto - http://cryptopals.com/
- Nice Tool to Tell What CMS A Site is Running - https://whatcms.org/
- A simple SSL/TLS proxy with mutual authentication for securing non-TLS services - https://github.com/square/ghostunnel
- Find out if a site is down globally - http://www.downforeveryoneorjustme.com/
- DNS Zone Transfer Tool - https://github.com/stryngs/axfr-tools
- Nice Coding Guide for N00bs - http://download-mirror.savannah.gnu.org/releases/pgubook/ProgrammingGroundUp-1-0-booksize.pdf
- Ransomware seems to be popular these days. Here's a site that tracks the variants - https://ransomwaretracker.abuse.ch/tracker/
- Need I say more? - http://www.routerpwn.com/
Saturday, May 28, 2016
Security Links for March 2016
Here are some new security-related (for the most part ;) links from the month of March 2016:
Security Links for February 2016
- Security links for February 2016. Application Security Learning Resources - https://github.com/paragonie/awesome-appsec#application-security-learning-resources
- A Dead Simple TCP Intercepting Proxy Tool Set - https://www.praetorian.com/blog/trudy-a-dead-simple-tcp-intercepting-proxy-mitm-vm
- Let's Encrypt Audit - https://community.letsencrypt.org/t/independent-audits-of-lets-encrypt-finished/6518
- Introducing the Keybase filesystem - Sounds like a sane approach to encrypting data at rest - https://keybase.io/docs/kbfs
- Securely Hash Passwords - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
- An Interesting Online Scanner - https://www.censys.io/
- Another Attempt at Creating a Secure Linux Distro - https://www.parabola.nu/
- An open-source network simulator/emulator hybrid (Tor & Bitcoin) - https://shadow.github.io/
- For Encrypting/Decrypting Data on the Fly - https://encipher.it/
- Red Team Field Manual - http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/ref=pd_bxgy_14_3?ie=UTF8&refRID=19V4X7X4WW7215V446N7
- Decentralized DNS for Blockchain Applications - https://blockstack.org/
- Github Bounty Program - https://bounty.github.com/index.html#open-bounties
- Send An Urgent Message to a Friend When your in Trouble (i.e. Feds are knocking at your door) - http://www.snapmailemergency.com/
- Get your cheap exploits here - http://cheapbugs.net/#home
Educating Youth for Cyber Security Careers
This past week I attended the Northeast Ohio Cyberconsortium conference sponsored by a number of entities in the Cleveland,Oh area. The goal of the conference was to stimulate a collaborative effort around building up and sharing information around Cyber Security as it relates to the North East Ohio area. One of the main talks was about the skills shortage in Information Security and what should be done to increase the talent pool. The proposition(they loved throwing this word around) offered was to build educational programs in the school systems around Cyber Security at as early of an age as possible. I think the NSA said that they get the gifted ones as early as 3rd grade and for security we should consider preschool.
The goal is an excellent ones, but the reductionist attitude offered presents a number of challenges. The one problem is that you simply cannot teach Information Security as an isolated discipline. There are a number of prerequisites that are necessary before you can even start to teach kids security. To name a few:
Computer Architecture – X86/X64/ARM
Operating Systems – UNIX/Windows/OSX/Android/IOS
Programming – Powershell/Python/Perl/Bash
Networking – TCP/IP, OSI, Ethernet, Wifi
These are all complex domains by themselves and then add on to that the various security principles that need to be applied and you can see it’s not as cut and dry as you may think. Then there are the ethical challenges in that to really understand how to secure things is you have to understand how to break things. This will no doubt create dilemmas with existing school policy and what the kids can currently do with school equipment. So I think what really needs to happen to make this achievable is a complete rewrite of existing educational plans. I think a structure more like college should be implemented where kids that are interested in a given domain like Cyber Security can elect to make it their ‘major’ and by doing so a specific roadmap would be produced for their educational career. The other thing to keep in mind is not all kids will be interested in such a field nor have an aptitude as you need to think about problems in a very detailed and logical way and not everyone’s brain is wired this way.
These are all complex domains by themselves and then add on to that the various security principles that need to be applied and you can see it’s not as cut and dry as you may think. Then there are the ethical challenges in that to really understand how to secure things is you have to understand how to break things. This will no doubt create dilemmas with existing school policy and what the kids can currently do with school equipment. So I think what really needs to happen to make this achievable is a complete rewrite of existing educational plans. I think a structure more like college should be implemented where kids that are interested in a given domain like Cyber Security can elect to make it their ‘major’ and by doing so a specific roadmap would be produced for their educational career. The other thing to keep in mind is not all kids will be interested in such a field nor have an aptitude as you need to think about problems in a very detailed and logical way and not everyone’s brain is wired this way.
Let’s Encrypt Talk @ Debconf15
At this years Debconf15, a nice overview of the Let’s Encrypt project was given that you can view here. It’s a nice exposition as to the current broken state of CA’s and the projects plan to solve them. Let’s Encrypt is going to be making free certificates available in the next month or so.
Will this be a game changer for commercial CA’s that make their profit off of selling certificates? Probably not in the short term and a large part of the answer will depend upon adoption and getting the Root & Issuing CA’s added to the trusted browser stores.
Security Implementations & Scaling
I have been doing Information Security for a decade and a half and there is a disturbing pattern that still to this day has not abated. That pattern involves more of a philosophy than the actual scaling you would need to for designing a security solution for an organization. The scaling law I'm talking about is one that is usually recognized too late in the implementation process, namely the post-production phase of a project.
What I'm referring to is the amount of output you have to deal with that is a result of implementing a security solution without considering the resources necessary to manage and the resulting business process that need to accommodate this reality.
One of the best use cases that demonstrates this phenomena is around the implementation of a Data Loss Prevention (DLP) solution for an enterprise. A typical DLP solution usually involves three main areas:
- Data in Motion - Data that traverses the network
- Data at Rest - Data that is stored on disk
- Endpoint Data - Data that typically is read and written to removable media
Subscribe to:
Comments (Atom)