Forum Replies Created
March 24, 2019 at 6:11 pm #170900
I like VMware. It seems to hang less, and I move through it easily, even from one VM to another, or to my host computer. Lately I have had to use Kali on an online VM, and I miss the smooth operation of VMware. I also recently worked with an ISO that had to be run on VirtualBox, and it hung enough to make VMware a clear favorite. At work I am setting up a lab with Hyper-V, but I have not worked with it enough to give a report, and it may be some time before I run Kali there.
February 21, 2019 at 2:04 pm #170613
Thanks Ray and Don for a great webinar. I always learn a lot from the webinars, and from this one I have already bought two new books to read! The best thing about this webinar is your authenticity. There was so much I could relate to. I also really appreciate the commitment both of you show to the InfoSec community.
October 8, 2018 at 11:19 pm #169434
I am not new to programming, but I think Java 9 for Programmers by Paul Deitel and Harvey Deitel is presented in a format that is easy to read, code and learn. It has example code to work with, and it has tutorials to set you up with an IDE if you like. I work with Vim. I suggest the Java 8 JDK and JRE, with the current distribution at 1.8.0_181. Java is up to Java 11, but Java 9 as a text has a better price (about $100 less), and you will learn what you need to know.
September 26, 2018 at 6:38 pm #169345
I enjoyed your article very much. I can relate to your comments on the responses you get to working in cryptography, and you eased my way through cryptography with the grace of a pro. There are many components of cryptography that the average user needs to become familiar with to maintain integrity and system security in general, and techies need to know this as well.
From an ethical-hacker-in-training perspective, some of the conversions used in cryptography can get you through CTF challenges.
Personally, the process-driven randomness of cryptography, from XOR to S-boxes and so many other factors, is amazing to me, and I hope you can address some of these issues in your future articles as well as you addressed collisions in this article.
September 25, 2018 at 8:26 pm #169327
I think that sounds like a plan.
It is great to have an objective for your home lab, and with permission from the developer you will have room to move. I would like to learn about the permission and how it is expressed. I would also be glad to learn of interesting developments along the way (hopefully not getting banned).
September 22, 2018 at 8:35 am #169317
September 21, 2018 at 3:28 pm #169315
I appreciate the follow-up. NIST SP 800-60 does make an effort to provide more information, but as you say it points on to other references, and is far from definitive. It does seem that the maintenance of indefinite terms is designed to support the concept that the customer is always right, or the flexibility of system owners. It will be interesting to see how that changes over time.
September 20, 2018 at 10:59 pm #169306
I appreciate the insights, as I have studied the issues but have not worked on authorizing a system. Criteria for system categorization are covered in FIPS PUB 199, and for a system to be categorized as HIGH, your owner would have to show
“The potential impact is HIGH if—
− The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.”
I can understand how DoD might have owners who can loosely interpret “major damage to organizational assets” but get some lawyers involved and these terms can get nailed down a little tighter.
I totally agree with your comments on tailoring, narrowing controls, and having proper input for a risk assessment. Observing operations is important, and tangible artifacts demonstrating the expected output of control processes are good if you are talking about an operational system, because they express operations over time.
Thanks for the post, and I have been glad to read your other input as well.
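As an added worked example (not part of the original post or thread), here is the FIPS 199 rule the quoted text sits inside: a system's security category is the high-water mark of the impact levels assigned to each security objective across the information types it handles, with LOW as the floor for a system and "N/A" permitted only for the confidentiality of an information type. The information types and their impact levels below are constructed for illustration; they are not taken from SP 800-60 or from any real system. The code reports which information types drive each objective's level, which is the thing an owner arguing for (or against) HIGH has to be able to point at.

```python
"""FIPS 199 high-water-mark categorization (added example, not from the page).

SC system = {(confidentiality, L), (integrity, L), (availability, L)},
where each L is the maximum impact level over the system's information
types, and a system is never rated below LOW for any objective.
"""

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information type -> provisional impact per objective.
# These values are illustrative assumptions, not SP 800-60 mappings.
SAMPLE_SYSTEM = {
    "public web content": {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "MODERATE"},
    "personnel records": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "emergency dispatch data": {"confidentiality": "LOW", "integrity": "HIGH", "availability": "HIGH"},
}


def _validate(objective, value):
    """Normalize one impact value; return None for an allowed N/A."""
    if value is None:
        raise ValueError(f"missing impact level for {objective}")
    level = value.strip().upper()
    if level == "N/A":
        # FIPS 199 allows "not applicable" only for confidentiality of an
        # information type (e.g. information intended to be public).
        if objective != "confidentiality":
            raise ValueError(f"N/A is not permitted for {objective}")
        return None
    if level not in RANK:
        raise ValueError(f"unknown impact level {value!r} for {objective}")
    return level


def categorize(info_types):
    """Apply the high-water mark across information types.

    Returns a dict with the per-objective level, the information types that
    drive each level, and the overall (highest) level for the system.
    """
    per_objective, drivers = {}, {}
    for objective in OBJECTIVES:
        level, names = "LOW", []  # LOW is the minimum for an information system
        for name, impacts in info_types.items():
            lvl = _validate(objective, impacts.get(objective))
            if lvl is None:
                continue  # N/A contributes nothing to the high-water mark
            if RANK[lvl] > RANK[level]:
                level, names = lvl, [name]
            elif RANK[lvl] == RANK[level]:
                names.append(name)
        per_objective[objective] = level
        drivers[objective] = names
    overall = max(per_objective.values(), key=lambda l: RANK[l])
    return {"per_objective": per_objective, "drivers": drivers, "overall": overall}


def format_sc(system_name, per_objective):
    """Render the category in the notation FIPS 199 uses."""
    c, i, a = (per_objective[o] for o in OBJECTIVES)
    return f"SC {system_name} = {{(confidentiality, {c}), (integrity, {i}), (availability, {a})}}"


if __name__ == "__main__":
    result = categorize(SAMPLE_SYSTEM)
    print(format_sc("sample system", result["per_objective"]))
    print("overall:", result["overall"])
    for objective, names in result["drivers"].items():
        print(f"  {objective} {result['per_objective'][objective]} driven by: {', '.join(names)}")
```

With the constructed input, the overall category is HIGH, and the driver listing shows that a single information type (the dispatch data) is what pushes integrity and availability to HIGH; if the owner cannot substantiate "severe or catastrophic" impact for that one type, the whole system drops to MODERATE, which is the kind of argument the tailoring discussion above turns on.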
September 10, 2018 at 7:35 pm #169209
I have had some similar experiences to the ones you describe in your article. I am obviously a little more open than your average InfoSec guy, but I have also found that InfoSec people generally want to help, and your description of the mentor relationship is right on.
You are very insightful. I think your final comments about the correlative effects of demonstrating respect, support and caring for the community can be widely applied, but are particularly true in InfoSec.
Keep up the good work. I look forward to your next article.
September 5, 2018 at 9:37 am #169148
Good points, of course. It seems that containers are more about provisioning and functionality than anything else (security). Early entry of security considerations will make products more viable in the long term. I read that containers can be distinguished from VMs in that VMs rely upon their own kernel, while containers rely upon the hardwired kernel. This gives less overhead to the container, and makes them easier to spin up, but it actually expands the attack surface because it is another avenue into the user’s kernel in the hardwired machine.
September 1, 2018 at 1:24 am #169141
I just read an interesting write-up on a Docker for Windows hack. The vulnerability was associated with third-party access and the availability to join user groups. I think it is an interesting read. The third parties were not following best practices (only allow trusted users to control the Docker daemon). The post is here: https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html
August 31, 2018 at 11:03 pm #169139
Hi Haydn, Thanks for the article.
Your article gave me a great chance to consider containers, and I am always glad to learn.
I must say that I was thrown a little bit by your BYOD (bring your own device) reference. Bring your own device expands the attack surface. The purpose of containers is to limit the attack surface through restricting interactions between applications. This happens by maintaining application resources within the container.
In that sense a container is like an application programming interface (API), but instead of limiting an application’s access to the kernel, it is limiting access to the application by other applications. Of course the cloud plays a big role in all of this. Containers are essentially modularity in the cloud.
Another analogy is virtual machines, but instead of segmenting up to an entire network, containers are a lightweight version that isolates and secures applications that then can be utilized on existing systems virtual or not.
I was glad to see that you included some of the challenges of hardening containers. There is a consistent tension between security and functionality, and functionality will win as long as it drives profits. Even though a container is modular in concept, an application still needs to interact with other resources to get the job done, and that will always include the introduction of vulnerabilities.
August 30, 2018 at 12:57 am #169296
Don’t tell me you were hacking in the ’80s. Phone phreak, perhaps? The closest I came to anything like that was finding a dime in the coin return of a pay phone. I’ll take the leg warmers and the VHS tapes, but for me computers were BASIC programming, word processors, a free game with poor graphics, or a mainframe where my parents worked.
Okay now, out with it. What was the secret to free phone calls, and how many times did you get arrested? : )
August 28, 2018 at 10:07 am #169067
Thanks for the review Bill!
My favorite part was “Tips on avoiding a black eye.” 🙂
I think that observation is a key element of social engineering. Pay attention to how people are prone to act, and give them an opportunity to act that way.
I think your comments on pretexting and building a rapport are important.
Social engineering is a new face on the old confidence-man subject. The more a person thinks they will get out of the interaction, the more likely they are to give.
I am a coach, and fakes are a part of many sports. I have found that if an athlete fakes in a way his opponent expects him to go, the opponent bites hard. A commonly used word today outside of sports is narrative. If your actions are consistent with the subject’s perspective on what should happen, you are set. Another way to put it is that people see what they want to see.
That would suggest that reconnaissance is an important part of social engineering. Observe regular routines, and mimic them. Add a shift that is not so far out of scope to draw suspicion. The closer an action is to habit, the less thought will go into completing the action.
From a pen testing perspective, I think it is important to look at an organization’s purposeful routines and exploit them, and also to introduce an unaddressed but predictable issue, and see how the employees respond.
Finally, as for the art or the science: I think the most effective perspective is that social engineering is an art that borrows some techniques from science. The art is knowing which technique to use when, and being able to freestyle when necessary.
August 24, 2018 at 7:54 pm #169060
Thanks for the article, and the upcoming series commitment.
I like your identification of a four-phase process. Context will of course vary, but it is important that these phases are evaluated within the context of an organizational security strategy and the achievement of well-defined objectives. Considering a given problem, solution, test, evaluate sequence within the framework of a pre-defined security strategy reduces the tendency to skew each of those stages towards a favorable view of an identified outcome. Problem statements can otherwise be written with a given solution in mind rather than a given objective, and metrics chosen that support a given technology rather than organizational progress towards a performance objective.
You obviously have more to write on the subject, and I look forward to the reading.