Talk to a security vendor and they’ll try to sell you the moon to secure your network, data, email, and everything else. But what are you already doing to strengthen your security posture without breaking your budget? I believe that it’s always best to try the free tools and resources first. Not only will it give you experience and insight into what is out there, but you may also find that one of the many free solutions is all you need. This four-part series of articles will go over what you can do with free or budget-friendly items to get as far as you can on the mission to a better security posture. First we’ll focus on the reasons why, on good places to find information, and on good starting points for finding best-practice guides; next on network security; then on application security; and finally on Windows security.
“Many attacks on Internet and network systems have no particular target. The attacker simply sends a large broadcast that uses any unprotected system as a staging point from which to launch an attack. Using computers without basic protections like firewalls, anti-virus software, and user education not only affects your own business, but many other businesses as the virus is spread around the Internet.
Your system’s lack of protection makes you a target: it can destroy your computer, your network, and can contribute to a virus distribution that slows or halts portions of the Internet. All of us who use the Internet have a responsibility to help create a culture of security that will enhance consumer and business confidence. But most importantly, failing to heed best practice advice could hurt your company significantly” - Internet Security Alliance Guide [1]
The ISA is a great resource for articles and publications on information security best practices. Attackers will always be attempting to get in, whether it’s a targeted attack or your network just falls in the mix with a larger list of targets around the world. Best practices across your infrastructure go a long way in preventing the broad automated attacks. Here are a couple of daily reads that are good for a business of any size:
1. http://isc.sans.edu - The Internet Storm Center was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. [2]
2. http://dashboard.csoonline.com - This dashboard combines some of the more important feeds from around the Internet into one easy-to-read format. It includes some industry-specific feeds and provides a good quick overview of daily security happenings.
[1] http://bit.ly/UbyO2q
[2] https://isc.sans.edu/about.html
Saturday, November 8, 2014
Vulnerability Assessments and Penetration Tests: The differences and why you need both
It’s 2014. There is so much data out there. How much are you responsible for? If you own data and it rests under your control, you are at risk; it’s as simple as that. What are you actively doing to mitigate those risks or report on them? Two very important additions to any security planning would be Vulnerability Assessments and Penetration Tests. While both can teach you a lot about the weak spots in your infrastructure, they are different from each other and equally important.
A Vulnerability Assessment (VA) will show you all of the places on your network that are susceptible to attack due to improper configuration, missing patches, or unsupported software. You should expect to end up with a list of vulnerabilities ordered from most to least critical. This list will help you prioritize the items that need to be remediated in your network and applications. Common findings include missing Windows or Adobe/Java patches, insecure passwords, and improper IIS/Apache or SQL configurations. The report may also include recommendations on network changes, including restructuring and segmentation.
Many different organizations are required to have VAs performed by Approved Scanning Vendors (ASVs) to be considered compliant. PCI DSS, HIPAA, and SOX are some of the standards that require compliance; depending on your business model you may fall under one or more. With a little work, running your own VA scans is something that should be done. While running them yourself doesn’t count towards compliance, it is still a good idea to perform tests between the ASV’s on-site visits. Some of the most popular scanning packages are Nexpose, Nessus, Qualys, and Burp Suite. With a little research and the approval of your organization you can go a long way with preventative steps between VAs.
A Penetration Test (pentest) is a simulation of an internal or external (or both) attack on your network. There is usually a goal in mind, like accessing a company database, modifying or capturing files, or accessing key infrastructure. The deliverable for this test is a report of how your system was breached, what was able to be accessed, and what can be done to remediate it. If something shows up on a Vulnerability Assessment, it can be used by an attacker in some fashion. One other thing that can be leveraged during a pentest is probably one of the weakest elements in your organization: the human element. Things such as phishing (fake emails), pretexting (fake calls), tailgating (following people into secure areas), and the like can be used to gain access to areas or systems that don’t even have a technical vulnerability.
You can think of a Penetration Test as a fire drill, compared to the Vulnerability Assessment, which is more of a building inspection. While both give you a better look into the security of your network, they are different from each other and equally important. If you haven't yet, I highly suggest contacting an information security company and scheduling one.
Tuesday, September 30, 2014
My first year of cons - Knowledge and Squishy Feels
Last year DerbyCon 3.0 was my first hacker con ever, and I just sat down from a long week at DerbyCon 4.0. In this year I've now been to 7 total. I've gone from a lowly attendee with no clue of who anyone was and zero self-confidence to a conference organizer, blog writer, speaker, and volunteer with 0.1% self-confidence. It's been an amazing journey of learning, networking, experience, and fun.
My first DerbyCon got me hooked. I was in somewhat of a volatile and unhealthy relationship at the time (now looking from the outside in) and the only way that I was "allowed" to attend was the fact that Dave Kennedy (founder of DerbyCon) had given me a free ticket to attend. I spent the entire con moving from talk to talk, taking notes, not actually speaking to anyone much (lest I get in trouble). The moment it really hit me that this is where I belong was during the DerbyCake CTF (capture the flag) Challenge. I was working solo into the early morning hours on different challenges, even though I was not even close to being as technical as the other people in the room competing or the organizer Rob Fuller (mubix). The amount of help, camaraderie, and just good fun that we all had in that room just opened my mind and made me realize what I wanted to do in life. I walked away from that CTF with some amazing knowledge and some great friends. That led into the closing ceremonies where I saw what amazing and giving people they all were. It was a true family!! I could totally be a part of this!!
The person inside of me that had been lost and oppressed was awoken, which sped up the decline of my marriage. Shortly after this I was given the (false sense of a) choice between my career and my marriage. I still believe that I made the right move. Going after a career that means so much to me shouldn't be mutually exclusive to a relationship. If you'd like the long story sometime just let me know. I spent such a long time in a state of depression and anxiety that I had started on some anti-depression and anti-anxiety medication about 4 months prior. The meds helped a lot with my internal struggles. I wouldn't be where I am today without them and the infosec community.
After my husband and I split up (a week following Derby) I dove headfirst into the community, working, and learning. An article I wrote transitioned into me submitting my first, second, and third CFPs (calls for presenters), being accepted to speak, and volunteering for CircleCityCon. CircleCityCon was my fourth con ever. I enjoyed volunteering so much for BsidesNash that I volunteered for that as well and submitted to speak. I had some of the things go through my head that so many others have. "Who wants to hear what I have to say, I don't know anything!!" My friends pushed me to go for it. I had to start somewhere. CircleCityCon needed more help after I volunteered, so I became an organizer and plan on doing so again next year.
At my second con, Bsides Columbus, I was still super shy and didn't really talk to many people. Fast forward to BsidesNash: I met some amazing people, had Raf Los convince me to ride a mechanical bull, and met some people in person that I had known online for a while. I thought I was going to just wait until DerbyCon for my next con after that, which I was ok with. It's way worth it. After all, I did get an anonymous donation to send me to training. That was something that just blew my mind. Someone, somehow, figured out I was interested in becoming a pentester and wanted me to realize my dream. Instead of waiting for Derby, my friend tehExodus decided to start a crowdfund for me so I could go to my first DEFCON. Even though I was starting to get a grip on my place in the community, DEFCON was still something that was a little intimidating. Really just from the stories I had heard: creepy dudes, no family vibe like Derby, Vegas craziness. I signed up right away to volunteer for BsidesLV. Volunteering is a great way to meet people, learn the behind the scenes of a con, and contribute back to the community. BsidesLV and DEFCON were both amazing. I had a great time at a lot of different parties, workshops, and CTFs. I didn't have a single issue with creepy dudes, rockstars, or rude people. I am forever thankful for the people and friends that donated to me so I could make the trip.
A close friend of mine told me that the reason that it works so well and we feel so close to each other is that many of us are broken. We are broken in different ways, whether it be from bad relationships, medical/physical/psychological/emotional issues, clinical depression, or a whole range of other brokenness. I guess in summary I just want to point out that we all have a starting point. Sometimes we'll be lifted out of a dark and horrible place into the light among new friends. Other times we just need that nudge in the right direction of where to start. Either way, welcome to our community. I can't wait to see what this next year brings!!
A special thanks goes out to Dave Kennedy (@HackingDave), Rob Fuller (@mubix), Steve Loughran (@z0rlac), Adrian Crenshaw (@irongeek_adc), Josh Louden (@tehEx0dus), Bill Garder (@oncee), Nate Husted (@DrWhomPhD), Jason Samide (@jason_samide), Michael Smith (@drbearsec), Ben Ten (@Ben0xA), Michael Cooley (@irishjack), DerbyCon (@DerbyCon), CircleCityCon (@CircleCityCon), BsidesNash (@BsidesNash), BsidesLV (@BsidesLV), Defcon (@_defcon_) and every other person that has helped me realize that I have potential, helped me through the bad times, and have made me feel welcome.
Sunday, August 17, 2014
#Soapbox #Rant #Sexism #BsidesLV #Bonehenge
So just in case it doesn't get approved as a valid comment, here is my response to
http://valleywag.gawker.com/nothing-says-welcome-to-our-tech-conference-like-a-towe-1617722289
I 100% agree with ladywhohacks. I was one of the chicks (and there were several of us) who helped the dudes create this amazing masterpiece of engineering. I don't normally get into the whole sexism-in-infosec bitchfest that manifests itself among articles like this as well as Twitter, Facebook, and other mediums, unless I'm trolling them of course. But I think we were all very proud of this! Every single one of us had fun erecting this magnificent structure.
A couple things that are my views on the whole sexism stuff (I'm always willing to talk at length in private if you'd like):
1. I understand that some people have witnessed it first hand. But it's not just infosec, it's life in general. Yeah, so have I.... so what. That doesn't mean that I'm going to get butt hurt on everything that has somewhat of a sexual connotation to it. Sex is awesome, it's in our lives everywhere, and it can be extremely funny. If it (or anything else for that matter) makes you uncomfortable, then leave or go into a profession that isn't so fun-loving or crude. For God's sake, McAfee signed a poster-board-sized goatse, and we're complaining about a tower of condoms?
2. It's awesome that they were promoting safe sex. But honestly, how is it all of a sudden women being oppressed by it? Isn't it both parties' responsibility to be safe? So we decided to have fun with them. I myself, along with another girl and her husband, created an anatomically correct Trojan horse!! Get it?!?! Well if you're complaining you either don't get it or are equally offended.
3. How about OMG They were BLACK boxes?!?! Where are all the colored folk screaming about their feelings?! Or it started out short but then got taller. HEIGHT EQUALITY!! I'm 100% for all equality. But this isn't how you go about it. I recently had a get-together at CircleCityCon in June called #girlpowerlunch Bondage & Backups. This was met with a little bit of scrutiny and some girls in infosec getting their panties all bunched up and acting like they were on a high school cheerleading squad again. Again, let me reiterate: if it's something that you don't agree with, ignore it. Unless it's a blatant disregard of human life or someone is going to seriously get (physically) hurt.
4. Almost every guy that I've met in this industry is extremely open and willing to teach everyone and anyone what they know and their passion. Yes there are assholes out there. But that's life. So how about we pick out the people that are actually being jerks and ostracize them instead.
In summary: grow a fucking pair and get a sense of humor
EDIT:
After another "incident" at Shmoocon 2015 A friend of mine decided to try and approach the topic as well and also nails it in the article and responses in the comments.
http://www.iamit.org/blog/2015/01/sensationalism-doing-more-damage-than-good/comment-page-1/#comment-933
Which made me also add this, a shortened portion of a conversation that I've had with an abundance of people.
5. I know a decent amount of people in this industry that are into the con circuit. Each and every one of them would come to someone's help if there was an act of harassment or worse happening. No, it doesn't always happen in public, but sometimes it does. That's what we do. We stick up for each other, we have each other's backs, we're a family. Taking care of our own is what we do.
Monday, February 3, 2014
Hackers Are People Too
We are hackers and we are proud.
We question and answer, we break and fix, we create and destroy, we attack and defend, we teach and are taught.
We provide value by inspiring others to do the same.
We care about the safety of your data!
Hopefully this article will help enlighten you to what a "hacker" truly is. We want to spread the word and break the negative stereotypes that come with the word and profession.
We'll start off with a couple questions.
1. When you think of a hacker what do you think of?
Some of the most prominent hackers in recent news would be Edward Snowden or Anonymous, as well as other nameless groups or people. Most of these people/groups/activities have a negative connotation, right? Nothing but a bunch of hi-tech criminals. But then again, most of the news that sells is negative. Who wants to write a story about the 99% of hackers that are doing good work in the local and global economies? Well, since you're here reading this article, it means this newspaper, website, blog, etc... feels that it is just as important.
The first time I actually considered myself a hacker was during my first trip to a “hackercon” (conference) called DerbyCon in Louisville, KY. When I arrived I was blown away at the sheer amount of knowledge and skill that I was surrounded by. I felt like a very small fish in a giant ocean. But I have to tell you, there wasn’t a single person that was too good to talk to me. They would strike up conversations as you walked by, while we were in talks learning, and if they saw you out in a restaurant. They were there to teach just as much as they were there to learn. The security practices and tools that I learned about that weekend not only would help the security of the organization that I work for, but the security of the data of everyone in the community. In those three days I realized that I wanted to work in Information Security and become a good hacker (aka “White hat”).
One thing that really upset me was that during DerbyCon a reporter at WDRB in Louisville posted this to his Facebook and Twitter accounts:
“I don’t know how I feel about this--DerbyCon happening at Hyatt downtown. It’s a convention for computer hackers. Sessions include password cracking, hacker war games and a lock picking pavilion. Thoughts?” - Sterling Riggs
This sparked some very hurtful comments from the residents of the city. Such as “The cops should be waiting to arrest anyone upon their arrival. It’s a shame that people have the brains to do stuff like that, but are too lazy to get a real job…” and “Should be outlawed”. We need to stop letting this fear mongering happen and stop participating in it when it does. As a single mom of three, I’ve had a steady job since I was 16 and would rather not go to jail for trying to help others.
Hackers are all around you. Hopefully bettering the company you work for, the hospital you need to visit, the stores you shop at, and the services you use. We’re there, but you don’t realize it because we’re doing our job to protect you and your data. Yes there are a lot of threats out on the internet, but with the bad come a whole lot of good.
An amazing group of hackers is Hackers For Charity (HFC) www.hackersforcharity.org. Hackers for Charity's Food for Work Program feeds hungry children in Africa but also teaches them to grow gardens to become self-sufficient. They have a whole group of volunteers that travel from city to city and attend hacker cons to raise money for this cause through auctions, t-shirts, zombie makeup drives, and more.
An extremely popular con is DEF CON. Located in Las Vegas, Nevada, DEF CON is possibly the largest con in the USA, drawing people from around the world. In 2010, over 10,000 people attended DEF CON 18. At almost last-minute notice, project Bloodkode was set up to accept blood donations for a member of the community that had become ill. In the first hour all of the appointments had been filled, and they had to actively turn away donors. Bloodkode has now been expanded and will continue to collect donations at each DEF CON.
2. How many of you would purchase a car for your family that had never gone through crash or safety testing?
Companies of every size and every household should think of their data the same way. Wouldn’t you want to be certain that your car wouldn’t blow up at the next pothole? Or that it had seatbelts, warning lights, airbags, etc.? Well, that’s a good analogy that describes why hackers break stuff! We enjoy, and most times get paid, to try to break into systems or make them do things that they aren’t meant to do. Because if we didn’t, someone else would.
3. What questions can we answer for you? About our community, the work we do, or the lives we lead? Maybe you’re interested in getting into this field of work as well?
#HackersArePeopleToo <3 @Infosystir
We question and answer, we break and fix, we create and destroy, we attack and defend, we teach and are taught.
We provide value by inspiring others to do the same.
We care about the safety of your data!
Hopefully this article will help enlighten you to what a "hacker" truly is. We want to spread the word and break the negative stereotypes that come with the word and profession.
We'll start off with a couple questions.
1. When you think of a hacker what do you think of?
Some of the most prominent hackers in recent news would be Edward Snowden or Anonymous as well as other nameless groups or people. Most of these people/groups/activities have a negative connotation right? Nothing but a bunch of hi-tech criminals. But then again, most of the news that sells is negative. Who wants to write a story about the 99% of hackers that are doing good work in the local and global economies? Well, since you're here reading this article, it means this newspaper, website, blog, etc... feels that it is just as important.
The first time I actually considered myself a hacker was during my first trip to a “hackercon” (conference) called DerbyCon in Louisville, KY. When I arrived I was blown away at the sheer amount of knowledge and skill that I was surrounded by. I felt like a very small fish in a giant ocean. But I have to tell you, there wasn’t a single person that was too good to talk to me. They would strike up conversations as you walked by, while we were in talks learning, and if they saw you out in a restaurant. They were there to teach just as much as they were there to learn. The security practices and tools that I learned about that weekend not only would help the security of the organization that I work for, but the security of the data of everyone in the community. In those three days I realized that I wanted to work in Information Security and become a good hacker (aka “White hat”).
One thing that really upset me was during DerbyCon a reporter at WDRB in Louisville posted to his Facebook and Twitter account this
“I don’t know how I feel about this--DerbyCon happening at Hyatt downtown. It’s a convention for computer hackers. Sessions include password cracking, hacker war games and a lock picking pavilion. Thoughts?” - Sterling Riggs
This sparked some very hurtful comments from the residents of the city. Such as “The cops should be waiting to arrest anyone upon their arrival. It’s a shame that people have the brains to do stuff like that, but are too lazy to get a real job…” and “Should be outlawed”. We need to stop letting this fear mongering happen and stop participating in it when it does. As a single mom of three, I’ve had a steady job since I was 16 and would rather not go to jail for trying to help others.
Hackers are all around you. Hopefully bettering the company you work for, the hospital you need to visit, the stores you shop at, and the services you use. We’re there, but you don’t realize it because we’re doing our job to protect you and your data. Yes there are a lot of threats out on the internet, but with the bad come a whole lot of good.
An amazing group of hackers is Hackers For Charity (HFC) www.hackersforcharity.org. Hackers for Charity's Food for Work Program feeds hungry children in Africa but also teaches them to grow gardens to become self-sufficient. They have a whole group of volunteers that travel from city to city and attend hacker cons to raise money for this cause through auctions, t-shirts, zombie makeup drives, and more.
An extremely popular con is DEF CON. Located in Las Vegas, Nevada, DEF CON is possibly the largest con in the USA, drawing people from around the world. In 2010, over 10,000 people attended DEF CON 18. At almost last-minute notice, project Bloodkode was set up to accept blood donations for a member of the community who had become ill. In the first hour all of the appointments had been filled, and they had to actively turn away donors. Bloodkode has now been expanded and will continue to collect donations at each DEF CON.
2. How many of you would purchase a car for your family that had never gone through crash or safety testing?
Companies of every size and every household should think of their data the same way. Wouldn’t you want to be certain that your car wouldn’t blow up at the next pothole? Or that it had seatbelts, warning lights, airbags, etc.? Well, that’s a good analogy that describes why hackers break stuff! We enjoy, and most times get paid, to try and break into systems or make them do things that they aren’t meant to do. Because if we didn’t, someone else would.
3. What questions can we answer for you? About our community, the work we do, or the lives we lead? Maybe you’re interested in getting into this field of work as well?
#HackersArePeopleToo <3 @Infosystir
Tuesday, December 24, 2013
T'was The Scan Before Christmas
Twas the scan before Christmas, when all through the NOCs
Not an admin was patching, not even for SOX.
The cat5 was strung up in beautiful spindles,
As the hope it would stay that way quickly dwindles.
The servers were nestled all snug in their racks,
While disks hummed and lights flashed on jacks.
The sysadmin in his Tux shirt, and I in my cap,
Had just hyped up on coffee to stave off a nap.
When on the monitoring screen arose such a clatter,
I turned just slightly to see what was the matter.
Away to my command prompt I typed in a flash,
Right-click, open, come to me bash.
I panic, I sweat, the desk meets my head,
What piece of shit did they successfully embed.
When, what to my wondering eyes should appear,
But a dude with no pants on, it was perfectly clear.
With a high-gain antenna along for his quest,
I knew in a moment it was a pentest.
More rapid than fiber his fingers did fly,
A grumble he made, the jr. admin starts to cry.
Now APT! Now phish! Now, vuln and attack!
On HIV! On, encrypt! On, cyber and crack!
To Hell we must go! Turn up the dubstep!
To deal with the vendors, cope with inept!
As the time comes around to check mark the boxes,
To keep vendors happy, those damn sly foxes.
So on to the testing, start up the scan,
Let's punch some holes in that software tincan.
And then, in a twinkling, I heard in his voice,
Spearfishing will be my method of choice.
As I drew in my head, and was turning around,
His eyes said don't worry, just CTF down.
He now spent time waiting, biding his time,
For what he had set was a victimless crime.
A shell he had wanted, now shown on his screen,
His face had lit up like an excited pre-teen.
His eyes-how they twinkled! His neck-beard so hairy!
His legs were so placid, his name, maybe Gary?
His teeth were clenched in a victory smile,
As he exported his findings to an ascii text file.
The scope he was given, made him laugh just a bit,
POS systems are not something to omit.
But write his report he shall do with a grin,
Oh, your whole network, the places he's been!
Default creds, sa password, and local admin,
PCI data, HIPAA, and click to login.
Metasploit helped with a bit of SET magic,
The board's quote? "This is fucking tragic."
He said no worries, we're here to help you out,
This place will be cleaned, beyond any doubt.
To defcon, derbycon, shmoocon you'll go,
Oh, all the wonderful things you'll now know!
He left in a fluster, red team let's leave!
These admins need some good time to grieve.
But I heard him exclaim, ‘ere he stomped out of sight,
Pwny Christmas to all, and to all a good fight!
(What happens when I work on Christmas Eve)
Thursday, December 5, 2013
Internal Social Engineering Documents
So I know it's not pretty, but I'll work on that later. I've added a second "Downloads" page linked to my Google Drive. These are documents that I've worked on for our internal Social Engineering and Training program. The program is still being developed, but I've stripped out all of our company headers and info so you can customize as you wish.