Extra security, but not for security, but for “bots” _OR_ How I embraced the API and learned to love it
Oh Packt, Packt, Packt, why did you do it?
After troubleshooting a lot of issues I was having with my login for Packt Publishing, I found something a little disturbing, and I would like to reach out to management at Packt Publishing to get an idea of why they did it.
But what did they do?
Packt recently added captchas to their website in multiple locations to prevent automated logins, scraping, and automated book downloads.
Why did they do it?
When a scenario like this occurs, there are usually two things happening. On one side, something is happening that the owner of the website (and usually that means the owner of the company) wants to prevent.
On the other side, there is usually something happening at the user end that explains the action. It can get tricky here: there are various reasons end users or customers would use automation, ranging from downright nefarious to purely innocuous.
On the nefarious side of things, a “bad guy” could be spamming forums, product reviews, and many other parts of the website. I’d like to hear from Packt whether this was any sort of concern during the decision-making process to include captchas on their site.
On the innocuous side, there are people like me. I automate a login and a form submission so I can get Packt’s Free Learning Book of the Day. I also use a script, or a “bot”, to download the books I have either purchased or acquired free from Packt through their program, because doing that by hand would literally take hours upon hours, due to the mechanics of their website.
Ok, are you ready for it? This is where the irony comes in. Packt sells multiple books (by multiple, I mean 30+) on automating tasks, on scripting, or literally on scraping websites using Python, which is more or less what I’m doing.
Packt, please redeem yourself and become awesome at doing what you do
What does this mean? I think what I’m asking for is for Packt to remove the captchas from their website, open the site up as it was previously to allow authenticated users to scrape the information they are trying to get at, and embrace what their users and customers want from them and their website.
Remove the captchas from your website, or, if you can somehow claim that they are there for security reasons, put them in the exact spot where you’re trying to stop the auto-posting bots; that is, move them off the login page and the Free Learning page, and put them where the bots are potentially posting malicious content.
Step 2 (this is the whole extend part)
Make it _easier_ for users to get the data they are after. Create an authenticated API that lets users list the books they have purchased and download the ones they want. Make it easier for users, again after authenticating, to claim the Free Learning book of the day.
Extra Credit — The Challenge
What I want to see is a 3-month ledger of profits and costs if this is implemented. I would be willing to bet that profits would be up.
Packt, take the Open Organization challenge and open yourself up.
I’m going to attempt to contact someone at Packt to get these answers, and I will return later, in new posts, if Packt is kind enough to reach back to me, and answer those questions.
So, I can honestly say that this will be one of the last, if not the last, post about this course.
As you no doubt can see from the last several posts on my website, I will be teaching the SANS SEC504 course in Denver, beginning February 26, 2016. This course helps you understand attackers’ tactics and strategies in detail, gives you hands-on experience in finding vulnerabilities and discovering intrusions, and equips you with a comprehensive incident handling plan, so you can turn the tables on computer attackers. It addresses the latest cutting-edge insidious attack vectors, the “oldie-but-goodie” attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so you can prepare for, detect, and respond to them. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning for, exploiting, and defending systems. It will enable you to discover the holes in your systems before the bad guys do!
We are approaching crunch time for this class, and this month is going to be your last chance to register.
No need to travel or be out of the office for a week to take SANS Live training. The SANS Mentor Program is bringing Security 504: Hacker Tools, Techniques, Exploits & Incident Handling to Denver starting February 26th. Our popular Mentor format meets a few hours a week over multiple weeks, giving you time between classes to absorb the material and master the course content. Class details and information can be found at: http://www.sans.org/u/agT
For a limited time, receive the Early Bird Pricing and a GCIH Exam Attempt at no charge, a savings of over $800! Register by February
Enter Promo Code: MGIAC16 when registering to receive your GCIH Exam Attempt at no charge.
SANS Mentor courses feature:
-DOWNLOADABLE MP3 AUDIO FILES
-MULTI-WEEK CLASS SCHEDULE
-LIVE CLASSROOM INSTRUCTION
Course: Security 504: Hacker Tools, Techniques, Exploits & Incident Handling
Instructor: Mentor Mike Harris
Start Date: February 26, 2016. Class will meet over 10 Friday evenings.
Tuition: Save over $1000, including the GCIH Exam Attempt at no charge, if you register this month.
Registration Details at: http://www.sans.org/u/agT
From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.
Source: ComputerWorld by Ira Winkler
Interesting article up for a read at ComputerWorld, which, all in all, is a good thing. The article talks of “The myth of the cybersecurity skills shortage”: Winkler calls out companies that are claiming there is a cybersecurity skills shortage, which I don’t necessarily believe there is.
From the article at ComputerWorld:
The approach that seems to prevail these days — seeking a new hire who already has the right skills and experience or hiring them away from another organization — just doesn’t work. But it is why so many people believe there is a shortage of security professionals.
Mr. Winkler hit the nail on the head with this statement. I have a significant amount of security experience; I’ve worked for the government, large companies, medium companies, and small companies. I will generally do reasonably well at any interview question posed to me. The problem I’m seeing is that there are companies out there that have beaten it into the heads of their employees that they are looking for someone who is an absolute master of skillset X, and disregard everything else. I, like many other security practitioners, have my weaknesses; if I am slightly weaker in skillset X, I am immediately assumed not to be a good fit for the job.
The way I like to pursue jobs is to aim for something I want to do, with a company I wouldn’t mind doing it for. Whether I have 100% strength in skillset X, or am slightly weaker at X but extremely strong at skillsets Y and Z, I will still apply, but a decent amount of the time I’ll get shot down due to the assumption that, because my skillset at X isn’t the greatest, I’ll never be able to catch up. This is where the fallacy in the argument lies. Company X needs to look at candidate skills and base its decision on the candidate’s ability to learn skillset X (if skillset X is truly the reason for hiring). So again, there are areas where I’m slightly weaker, such as DLP. That doesn’t mean I don’t know what DLP is or how it functions, but I’ve never sat in front of a host that does DLP and used it on a day-to-day basis. Does that mean I’m not right for any position at your organization because I’ve not been a DLP administrator?
Just something to think about. I always judge interview candidates not just on what they know, but on what I think they will learn and how strong learners they are.
Just wanted to post a quick update. The class has been moved back a week, to July 18.
About the Class:
Location: Denhac, 700 Kalamath Street
Time: 11am – 4pm
Source: Software Freedom School
Class: Penetrations and Remediations
Date: July 11, 2015, 11AM – 4PM
Location: Denhac, 700 Kalamath St, Denver, CO 80204
See the post at SFS:
The past two years have been some of the craziest times in computer security. It is now common for major vulnerabilities to have a pretty name attached to them (thanks, PR), vulnerabilities have been found in some of our (previously) most trusted protocols (SSL), and huge vulnerabilities are being disclosed every day.
Mike has been working primarily on the “blue-team” side of things, that is, the defense side. A lot of the time we don’t see the same thing that the “red-team” sees when they are attacking our servers, and a lot of the time we don’t know the real impact that some of these vulnerabilities have on the systems we have been trusted to defend.
Mike is going to provide a blue-teamer’s view of red-team attacks, using recent vulnerabilities. We want the defense to see the same things that the attackers see. Then we will take steps to secure systems, so as to be safe or to minimize the effect of incoming attacks.
Mike will provide a DVD with images of vulnerable machines, plus VirtualBox, which will allow you to run and play with these vulnerable machines so you can see the effects first hand.
About the teacher:
Mike Harris is passionate about Security, Free Software, and Educating our community.
He is certified as a CISSP, GCIH, GISP, CCNA-Security, CCNA, RHCT, and RHCSA. Mike has additional technical certifications which include Digital Forensics Examiner, Network Protocol Analyst, Project+, Linux+, and A+. He will soon graduate with a Bachelor of Science in Information Technology – Security.
Mike has built a CSIRT from the ground-up, including a secure infrastructure using Linux systems (Red Hat and Ubuntu). Mike has extensive knowledge as a Technology Security Auditor conducting assessments, measuring vulnerabilities, security posture on internal and external networks, and account activities for insider threats and abuse.
He is one of the founders and a former board member of TinkerMill, a non-profit organization dedicated to furthering the knowledge of our kids, adults, businesses, and municipalities in the use of high tech with the incorporation of creativity and art. He is also a Red Team Member of the Rocky Mountain Regional Collegiate Cyber Defense Competition.
I use encryption in nearly every aspect of my life. Some uses are admittedly more effective than others; however, there is encryption everywhere. For example:
-My Android phone is encrypted
-My computer’s partitions are LUKS encrypted
-The website you’re reading this on is encrypted
Encryption is an integral part of life, assuring both the security and the integrity of my website, my emails, and pretty much everything I do. I don’t partake in any criminal acts, but I still don’t want anyone to be able to view my data if I don’t want them to.
I found this excellent article over at TED, discussing why you should care about encryption too.
So why does encryption matter, anyway?
Well, some would have you believe that encryption is a tool for the “bad guys,” enabling terrorists to have an easy way of plotting their next crimes. In reality, banning encryption won’t stop terror attacks or end religious extremism. But such a ban could stifle democratic movements, scuttle online security, and undermine our open society.
Source: Tech Legends
A very basic, yet very good, article from Tech Legends, discussing safety concerns everyone should have when browsing the internet.
There are some important tips in here to remember, especially regarding SSL certificates and passwords.
From the article:
It has now been a few days into 2015. So, we thought to enlighten our readers’ minds about some Internet Security facts which will help you to keep yourself more secure in the New Year 2015.
If you think you are already secure, then do read the article carefully, because if you find anything which makes your internet insecure then you may find a way to correct it. The points discussed below are basic things which usually a “layman” internet user doesn’t care about. You will find some useful Internet Security facts below which will help you secure your internet activity.
Source: Dark Reading
Dark Reading is going back and re-hashing some of the major vulnerabilities found in 2014. Specifically, they bring up the following: Heartbleed (CVE-2014-0160), Shellshock (CVE-2014-6271), Winshock (CVE-2014-6332), and Kerberos Checksum (CVE-2014-6324).
The article goes into detail about these 4 vulnerabilities because, combined, they affected up to 90% of the internet. That is 90% of the internet vulnerable to these bugs, for a long time; I believe the article stated nearly 15 years or more. That is huge.
It is also important that you are protected against these massive vulnerabilities. When these vulnerabilities dropped in 2014, you can bet there was a scramble to get each one of them fixed. 556 Forensics can assist you in finding and mitigating similar threats.
In a very interesting move, Microsoft has made the decision to axe its “Advanced Notification Service”. Almost as if to alienate more of its customer base, Microsoft has decided that the Advanced Notification Service will only be available to select premier customers that are involved with Microsoft’s security program.
This seems to be a very bad move on the part of Microsoft, with no real advantage coming from it. Since they are still distributing the information to select customers, there will be no savings there. I just don’t understand why Microsoft would make this move.
From the Norse Blog:
But Microsoft believes that organizations who employ their products have shifted how they use the ANS, and the company has come to the decision that the majority of the non-premium customers no longer need the lead time to prepare, as they typically just wait for automatic patching to occur.
“While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically. More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations,” Betz said.
Source: CNN Money
Internet Explorer must die! I love the title of this article. Internet Explorer first roared onto the market to battle Netscape Navigator in 1995 (over 19 years ago). Since then, Internet Explorer has been plagued by numerous security, compatibility, and usability issues, making it one of the most despised applications among security experts.
I have used Internet Explorer minimally (only when required to access certain SharePoint sites within a company’s intranet). I whole-heartedly agree that Internet Explorer should be placed on the scrap heap and either redone or, preferably, removed, and let the Internet Explorer team focus on writing plug-ins for Chrome and Firefox.
From the article:
The browser has become synonymous with bugs, security problems and outdated technology. Even as Internet Explorer has improved dramatically in recent years, it continues to lose serious ground to rival browsers.
Once the most-used Web browser, Internet Explorer had been on a steady downward trajectory for years. Its share of the browser market fell below the 50% threshold in 2010 and sank below 20% in October, according to browser usage tracker StatCounter. Google’s Chrome is currently the browser leader, commanding a 48% share of the market.