Monthly Archives: March 2018

Ben is a chatbot that lets you learn about and buy Bitcoin

It’s generally a given that whenever a new technology takes off people rush into the space to build everything under the sun, and eventually natural selection kicks in and only the truly useful remain. For example, chatbots became trendy last year and we quickly began seeing chatbots for weather, movie recommendations, personal finance, etc. Some of these are useful, but until natural language processing improves you’re probably better just doing the task yourself.

But there are a few exceptions, with one in particular being chatbots designed for the purpose of making a very complex topic or task approachable to the average person.

Like cryptocurrencies.

Ben is a chatbot that lets anyone become familiar with cryptocurrencies via a recognizable chat interface. By talking with “Ben”, users can do things like take lessons and learn about cryptocurrency, read the latest industry news, and of course buy and sell Bitcoin.

By focusing on an underserved market (i.e. people who have no idea what Bitcoin is or how to buy it) Ben has the unique advantage of not having to go head to head with established crypto titans like Coinbase or Circle.

The startup is part of Y Combinator’s Winter ’18 batch, and previously raised a $580K pre-seed from Third Kind Venture Capital and various angel investors.

After completing a KYC check (which is also done via chat) users in 21 states can buy and sell Bitcoin, with other states and support for Ethereum, Ripple, and Bitcoin Cash rolling out in the coming months. The startup charges 1% for buys and sells, which is in line or lower than most major exchanges.

The app also has a social feature where you can link with friends to see their returns (only on a percentage basis) to see who is a better investor.

Users’ cryptocurrency is stored in the cloud but their private keys live only on their own personal device, which isn’t as secure as complete cold storage but does ensure that your bitcoin can’t be spent without someone having access to your phone. Ben also gives new users a backup seed to write down in case they lose their phone.

But Ben isn’t necessarily meant to support an experienced crypto user who has a high-value portfolio and needs advanced features and security.

Instead, the startup’s goal is to make buying and learning about cryptocurrency accessible to anyone, especially those without the technical knowledge or desire to spend the time learning how an exchange works. And as natural language technology evolves Ben will be able to answer more and more questions over time, making it a perfect on-ramp for people who need a little more hand holding before they open their wallet and trade their (actual) benjamins for a string of ones and zeros.

via:  techcrunch

Microsoft makes it simpler to port your favorite distros : Linux on Windows 10

The company is releasing code designed to streamline the process of porting a Linux distribution to run on the Windows Subsystem for Linux (WSL).

Microsoft is making it easier for Linux-based operating systems to run on top of Windows 10.

The company is releasing code designed to streamline the process of porting a Linux distribution to run on the Windows Subsystem for Linux (WSL).

The WSL allows Windows 10 to run various GNU/Linux distros from the Windows Store, providing access to Ubuntu, openSUSE, Fedora, and Kali Linux, with Debian due soon, and other distros to be added over time.

“We know that many Linux distros rely entirely on open-source software, so we would like to bring WSL closer to the OSS community,” said Tara Raj of Microsoft’s WSL team, announcing the release of the code for a “reference implementation for a WSL distribution installer application” on the code repository GitHub.

“We hope open-sourcing this project will help increase community engagement and bring more of your favorite distros to the Microsoft Store.”

WSL distros run with a command line shell, rather than offering graphical desktops, and support a range of command line tools, as well as applications such as Apache web server and Oracle MySQL.

Those managing Linux distributions will be able to study the sample code for Microsoft’s reference installer to help them turn their distribution into an app that can be submitted to the Microsoft Store.

Raj also announced that developers will be able to sideload custom Linux distros on their Windows 10 machine, although these custom distros will typically not be distributed through the Windows Store.

WSL allows different Linux distros to run side-by-side within Windows and Microsoft has previously stated that its aim with the WSL is to provide “the best development environment, regardless of the technologies that developers use, or the platforms they wish to target”.

However, at present, the WSL also has many disadvantages over running a dedicated GNU/Linux system. Microsoft doesn’t support desktop environments or graphical applications running on WSL, and also says it is not suitable for running production workloads, for example an Apache server supporting a website.

WSL is a work in progress, with Microsoft adding new features and support over time.

Calling tools from different Linux distros from the Windows command line.

Image: Microsoft

via:  techrepublic

Why Does Data Exfiltration Remain an Almost Unsolvable Challenge?

From hacked IoT devices to corporate infrastructures hijacked for crypto-mining to automated ransomware, novel and sophisticated cyber-attacks are notoriously hard to catch. It is no wonder that defending against these silent and never-seen-before threats dominates our security agendas. But while we grapple with the challenge of detecting the unknown, data exfiltration – an old and very well-known risk – doesn’t command nearly the same amount of attention. Yet data exfiltration happens, and it happens by the gigabyte.

As attackers improve their methods of purloining the sensitive data we trust our organizations to keep safe, one critical question remains: why does data exfiltration present the security community with such a formidable challenge?

Gigawatts and Flux Capacitors. Let’s go Back in Time.

All data exfiltration attacks share one common trait:  the early warning signs of anomalous activity on the network were present but traditional security failed to catch them. Regardless of level of subtlety, or the number of devices involved, perimeter tools missed the window of opportunity between impact and unauthorized data transfer  – allowing for hundreds of gigabytes of data to be exfiltrated from the organization.

The Sony hack of 2014 brought the world to a startling halt when it was revealed that attackers had spent over a year leaking 100 terabytes of data from the network. The next year brought us the Panama Papers, where allegedly 2.6 terabytes of data were leaked, causing reputational damage to some of the world’s most recognizable public figures. And in 2016, allegedly 80 gigabytes of data escaped from the Democratic National Committee’s network, launching two years of skepticism and distrust around the US elections. Each of these cases of sizeable data exfiltration remained undetected for months, or even years – only to be discovered when the data had already long been lost.

When we look at this cycle of stealthy and silent data breaches, we have to ask ourselves: how can such tremendous amounts of data leave our corporate networks without raising any alarms?

Modern Networks: Living Organisms

The challenge in identifying indicators of data exfiltration lies partly in the structure of today’s networks. As our businesses continue to innovate, we open the door to increased digital complexity and vulnerability – from BYOD to third party supply chains, organizations significantly amplify their cyber risk profile in the name of optimal efficiency.

Against this backdrop, our security teams are hard-pressed to identify the subtle telling signs of a data exfiltration attempt in the hope to stop it in its tracks. To add to the complexity, they need to find the proverbial needle in an ever growing haystack of hundreds of thousands of devices on their network that they did not build, install, or even know existed.

Networks today are much like living organisms: they grow, they shrink, and they evolve at a rapid rate. If we think about a network as a massive data set that changes hundreds, if not thousands, of times per second, then we have to realize that no security team will ever be able to keep up with which actions are authorized versus which actions are indicative of data exfiltration.

The Old Approach Needs Victims Before it Can Offer Solutions

Compounding the challenge of today’s labyrinthine networks, stretched security teams are always on the offense – fighting back-to-back battles against the latest form of unpredictable threat. So how can security teams cut through the noise and discern the subtle differences between legitimate activity and criminal data exfiltration campaigns?

Five years ago, we relied on historical intelligence to define tomorrow’s attack. But the never-ending cycle of data breaches has taught us that these approaches were just as insufficient then as they are now. Identifying data exfiltration should be a low-hanging fruit for security teams, but to do so, we need to rely upon technologies that make no assumptions on what ‘malicious’ activity looks like.

Organizations are increasingly turning to AI technology for the answer, capable of identifying subtle deviations from normal network activity. By understanding the nuances of day-to-day network activity, self-learning technology correlates seemingly-irrelevant pieces of information to form a comprehensive picture of what is happening within our network borders. Consequently, AI spots the subtle indicators of exfiltration as it’s happening – giving security teams valuable time to mitigate the crisis before it becomes a headline.

To break the cycle of high-profile data breaches, we must embrace AI technologies that evolve with our organizations, strengthen their defenses over time, and identify data exfiltration tactics before our sensitive information is long past the network perimeter. And as we face a global cyber skills shortage, it is now more imperative than ever that we work in tandem with technology capable of doing the heavy lifting for us. Attackers seeking to leak our most sensitive data are evolving to keep up with our defenses – are we evolving too?

via:  securityweek

World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved

Forward-secrecy protocol comes with the 28th draft.

A much-needed update to internet security has finally passed at the Internet Engineering Task Force (IETF), after four years and 28 drafts.

Internet engineers meeting in London, England, approved the updated TLS 1.3 protocol despite a wave of last-minute concerns that it could cause networking nightmares.

TLS 1.3 won unanimous approval (well, one “no objection” amid the yeses), paving the way for its widespread implementation and use in software and products from Oracle’s Java to Google’s Chrome browser.

The new protocol aims to comprehensively thwart any attempts by the NSA and other eavesdroppers to decrypt intercepted HTTPS connections and other encrypted network packets. TLS 1.3 should also speed up secure communications thanks to its streamlined approach.

The critical nature of the protocol, however, has meant that progress has been slow and, on occasion, controversial. This time last year, Google paused its plan to support the new protocol in Chrome when an IT schools administrator in Maryland reported that a third of the 50,000 Chromebooks he managed bricked themselves after being updated to use the tech.

Most recently, banks and businesses complained that, thanks to the way the new protocol does security, they will be cut off from being able to inspect and analyze TLS 1.3 encrypted traffic flowing through their networks, and so potentially be at greater risk from attack.

Unfortunately, that self-same ability to decrypt secure traffic on your own network can also be potentially used by third parties to grab and decrypt communications.

An effort to effectively insert a backdoor into the protocol was met with disdain and some anger by internet engineers, many of whom pointed out that it will still be possible to introduce middleware to monitor and analyze internal network traffic.

Nope

The backdoor proposal did not move forward, meaning the internet as a whole will become more secure and faster, while banks and similar outfits will have to do a little extra work to accommodate and inspect TLS 1.3 connections as required.

At the heart of the change – and the complaints – are two key elements: forward secrecy, and ephemeral encryption keys.

TLS – standing for Transport Layer Security – basically works by creating a secure connection between a client and a server – your laptop, for example, and a company’s website. All this is done before any real information is shared – like credit card details or personal information.

Under TLS 1.2 this is a fairly lengthy process that can take as much as half-a-second:

  • The client says hi to the server and offers a range of strong encryption systems it can work with
  • The server says hi back, explains which encryption system it will use and sends an encryption key
  • The client takes that key and uses it to encrypt and send back a random series of letters
  • Together they use this exchange to create two new keys: a master key and a session key – the master key being stronger; the session key weaker.
  • The client then says which encryption system it plans to use for the weaker, session key – which allows data to be sent much faster because it doesn’t have to be processed as much
  • The server acknowledges that system will be used, and then the two start sharing the actual information that the whole exchange is about

TLS 1.3 speeds that whole process up by bundling several steps together:

  • The client says hi, here’s the systems I plan to use
  • The server gets back saying hi, ok let’s use them, here’s my key, we should be good to go
  • The client responds saying, yep that all looks good, here are the session keys

As well as being faster, TLS 1.3 is much more secure because it ditches many of the older encryption algorithms that TLS 1.2 supports that over the years people have managed to find holes in. Effectively the older crypto-systems potentially allowed miscreants to figure out what previous keys had been used (called “non-forward secrecy”) and so decrypt previous conversations.

A little less conversation

For example, snoopers could, under TLS 1.2, force the exchange to use older and weaker encryption algorithms that they knew how to crack.

People using TLS 1.3 will only be able to use more recent systems that are much harder to crack – at least for now. Any effort to force the conversation to use a weaker 1.2 system will be detected and flagged as a problem.
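The downgrade detection described above works because a TLS 1.3-capable server that ends up negotiating TLS 1.2 (or lower) stamps a fixed sentinel into the last eight bytes of its ServerHello random, and a client that offered TLS 1.3 treats that sentinel as proof that its hello was tampered with. The following Python is an added example, not code from the article: it parses a ServerHello record, reads the negotiated version (including the supported_versions extension TLS 1.3 uses) and applies that check to constructed sample messages.

```python
"""Parse a TLS ServerHello and apply the TLS 1.3 downgrade-protection check.

Added example, not from the original article. Message layouts follow RFC 8446
(TLS 1.3) and RFC 5246 (TLS 1.2); the sample ServerHello records built by
build_server_hello() are constructed for illustration, not captured traffic.
"""
import struct

# RFC 8446 section 4.1.3: a TLS 1.3-capable server that negotiates TLS 1.2 or
# lower sets the last 8 bytes of its 32-byte random to one of these values.
DOWNGRADE_TLS12 = b"DOWNGRD\x01"   # server negotiated TLS 1.2
DOWNGRADE_TLS11 = b"DOWNGRD\x00"   # server negotiated TLS 1.1 or below

EXT_SUPPORTED_VERSIONS = 0x002B
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_server_hello(record: bytes) -> dict:
    """Return legacy_version, random, cipher suite and the selected version."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    if len(sh) != hs_len:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack("!H", sh[0:2])[0]
    rand = sh[2:34]
    pos = 34
    sid_len = sh[pos]
    pos += 1 + sid_len                 # skip legacy_session_id_echo
    cipher_suite = struct.unpack("!H", sh[pos:pos + 2])[0]
    pos += 2
    pos += 1                           # legacy_compression_method (always 0)
    selected_version = legacy_version  # TLS 1.2 and below carry it here
    if pos < len(sh):                  # extensions block present
        ext_len = struct.unpack("!H", sh[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", sh[pos:pos + 4])
            pos += 4
            ext_data = sh[pos:pos + ext_size]
            pos += ext_size
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_size == 2:
                # TLS 1.3 keeps legacy_version at 0x0303 and signals 1.3 here
                selected_version = struct.unpack("!H", ext_data)[0]
    return {"legacy_version": legacy_version, "random": rand,
            "cipher_suite": cipher_suite, "selected_version": selected_version}


def check_downgrade(record: bytes, client_offered_tls13: bool = True) -> str:
    """Classify a ServerHello from the point of view of a TLS 1.3-capable client."""
    hello = parse_server_hello(record)
    ver = hello["selected_version"]
    name = VERSION_NAMES.get(ver, hex(ver))
    if ver >= 0x0304:
        return f"ok: {name} negotiated"
    if hello["random"][-8:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
        if client_offered_tls13:
            # Both ends speak 1.3 yet 1.2 was chosen: the ClientHello was altered
            return f"abort: downgrade to {name} detected (sentinel present)"
        return f"ok: {name} negotiated, server is 1.3-capable"
    return f"ok: {name} negotiated by a server without TLS 1.3 support"


def build_server_hello(selected_version: int, random_tail: bytes = b"\x00" * 8) -> bytes:
    """Construct a minimal ServerHello record (sample data, not real traffic)."""
    rand = bytes(range(24)) + random_tail            # 32-byte server random
    legacy_version = 0x0303 if selected_version >= 0x0303 else selected_version
    body = struct.pack("!H", legacy_version) + rand + b"\x00"   # empty session id
    suite = 0x1301 if selected_version == 0x0304 else 0xC02F    # AES-GCM suites
    body += struct.pack("!H", suite) + b"\x00"                  # null compression
    if selected_version == 0x0304:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(check_downgrade(build_server_hello(0x0304)))
    print(check_downgrade(build_server_hello(0x0303, DOWNGRADE_TLS12)))
    print(check_downgrade(build_server_hello(0x0303)))
```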

Another very important advantage to TLS 1.3 – but also one that some security experts are concerned about – is called “0-RTT Resumption” which effectively allows the client and server to remember if they have spoken before, and so forego all the checks, using previous keys to start talking immediately.

That will make connections much faster but the concern of course is that someone malicious could get hold of the “0-RTT Resumption” information and pose as one of the parties. Internet engineers are, however, less concerned about this security risk – which would require getting access to a machine – than about the TLS 1.2 system that allowed people to hijack and listen into a conversation.

In short, it’s a win-win but will require people to put in some effort to make it all work properly.

The big losers will be criminals and security services who will be shut out of secure communications – at least until they figure out a way to crack this new protocol. At which point the IETF will start on TLS 1.4.

via:  theregister

Why do the Vast Majority of Applications Still Not Undergo Security Testing?

Did you know that 84% of all cyber attacks target applications, not networks? What’s even more curious is that 80% of Internet of Things (IoT) applications aren’t even tested for security vulnerabilities.

It is 2018, and despite all the evidence around us, we haven’t fully accepted the problem at hand when it comes to software security. Because we haven’t accepted the problem, we are not making progress in addressing the associated vulnerabilities. That is why, after an active 2017, we are already seeing numerous new attacks before we leave the first quarter of the year.

So why the lack of progress?

The evidence that software is a primary attack point is everywhere, yet many choose to ignore security testing—at least for four out of every five IoT applications running today. Since IoT has proven to be an attractive attack vector, one would think that securing them would be of the utmost importance. Apparently not.

The mythology around limiting testing to perceived high-risk applications has been written about in other columns, so I will not cover that ground today. In summary, the evidence is overwhelming; there have been numerous cases where an application perceived as low-risk was used as the entry point to eventually breach high-risk applications to access high-value targets.

A testing regime that ignores large blocks of an organization’s software is no longer viable. However, doing cursory testing simply to check a box is not much better, and may create a false sense of security. Running a test because an auditor dictates that a test be run is not security. Running a test and addressing the findings is a step forward. You would be shocked by the number of organizations I have seen that generate lots of test results but never act on them.

Effectively evaluating secure code

The RSA Conference will be upon us in April, and a trip through the exhibit hall will find numerous application security testing (AST) vendors of all shapes, sizes, and approaches, each breathlessly promising you they are the one silver bullet you need to test your software security. At best they are telling you a partial truth, as the nature of today’s software demands multiple tests to comprehensively evaluate the security of any application. That is because applications contain three specific components where vulnerabilities can be found, and each must be tested in a different way for security testing to be complete.

1. The code you write. In spite of the adoption of open source and the move to agile methodologies, one thing remains constant: Your coders still write code. Source code analysis (static analysis) is designed to find security vulnerabilities and quality issues in your code as it’s being developed.

2. The code you get from open source. With the growing use of open source, the amount of code from external sources in any application is rising exponentially. This open source code may contain profound vulnerabilities that immediately become part of your software. Software composition analysis (SCA) detects open source and third-party component risks in development and production. It also identifies potential licensing issues in open source code used in your applications.

3. The running application. When code is deployed on the web, the runtime environment must be tested for vulnerabilities through dynamic testing. Testing the application in its running state will reveal problems simply not detectable by static analysis. For high-risk applications, many organizations step up their game by including the human element in the dynamic testing process in the form of ethical hacking.

Getting a sense of the problem here? Taking IoT as a widespread example, 80% of these applications are not tested at all. For the one-fifth that do receive some form of testing, the testing is likely incomplete. And we already established that many organizations find but do not fix problems.

No wonder the news in 2018 sounds all too familiar.

Until organizations shift their security priorities from endpoint and network security and start paying more attention to software security, I do not see the carousel stopping anytime soon. I estimate that at any large IT security conference, only 10% of the conference is focused on software security, while the traditional emphasis on perimeter defenses continues to dominate the conversation.

Practical steps to move forward

The best way to reduce the impact of security practices on development is to establish an emphasis on building secure code at the source by integrating secure coding practices into the secure development life cycle. This is a subject near and dear to my heart that I addressed in a previous column.

So how do you move your organization forward? While I do not have a silver bullet for you, I do have practical advice:

● Rebalance your IT security priorities and budgets to shift the emphasis where the problem exists—software security.

● Build a software security group that can then construct and manage a rational and comprehensive software testing program.

● Employ tools and programs that empower developers to write secure, quality software from the start. Building security in is a far better approach than trying to test yourself clean.

It is time for a balanced approach to IT security that places the appropriate emphasis on where you are being attacked: your software. The path to effectively addressing the problem is known, so make the hard choices to give the problem the attention it deserves. 2019 will be here sooner than you think.

via:  securityweek

GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries

GitHub says the introduction of security alerts last year has led to a significantly smaller number of vulnerable code libraries on the platform.

The code hosting service announced in mid-November 2017 the introduction of a new security feature designed to warn developers if the software libraries used by their projects contain any known vulnerabilities.

The new feature looks for vulnerable Ruby gems and JavaScript NPM packages based on MITRE’s Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added to this list, all repositories that use the affected version are identified and their maintainers informed. Users can choose to be notified via the GitHub user interface or via email.

When it introduced security alerts, GitHub compared the list of vulnerable libraries to the Dependency Graph in all public code repositories.

The Dependency Graph is a feature in the Insights section of GitHub that lists the libraries used by a project. Since the introduction of security alerts, this section also informs users about vulnerable dependencies, including CVE identifiers and severity of the flaws, and provides advice on how to address the issues.

The initial scan conducted by GitHub revealed more than 4 million vulnerabilities in over 500,000 repositories. Affected users were immediately notified and by December 1, roughly two weeks after the launch of the new feature, more than 450,000 of the flaws were addressed either by updating the affected library or removing it altogether.

According to GitHub, vulnerabilities are in a vast majority of cases addressed within a week by active developers.

“Since [December 1], our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent,” GitHub said. “Additionally, 15 percent of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”

GitHub was recently hit by a record-breaking distributed denial-of-service (DDoS) attack that peaked at 1.3 Tbps, but the service was down for less than 10 minutes.

via:  securityweek

Microsoft to lock out Windows RDP clients if they are not patched against hijack bug

No update installed? No connection.

Microsoft will prevent Windows Server from authenticating RDP clients that have not been patched to address a security flaw that can be exploited by miscreants to hijack systems and laterally move across a network.

The bug, CVE-2018-0886, was fixed in March’s Patch Tuesday software update, and involves Microsoft’s implementation of its Credential Security Support Provider protocol (CredSSP). A miscreant-in-the-middle on a corporate network can abuse the flaw to send arbitrary commands to a server to execute while masquerading as a legit user or admin.

From there, lateral movement through an intranet becomes possible, and that’s just the sort of thing bad actors love. The flaw was discovered by security company Preempt, which explained it in the video below.

Microsoft’s documentation for the patch reads: “Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers.

“We recommend that administrators apply the policy and set it to ‘Force updated clients’ or ‘Mitigated’ on client and server computers as soon as possible.”

The Microsoft advisory also mentions two planned actions to address the vulnerability. On April 17, 2018, an update to Microsoft’s RDP client “will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.” And on May 8, or perhaps later, “an update to change the default setting from vulnerable to mitigated” will arrive.

On Friday March 23rd, Preempt personnel told the Black Hat Asia conference in Singapore that the May patches will cause un-patched RDP clients to be rejected by patched Windows Server boxes, so that the vulnerability can’t be exploited.

It seems sensible to keep a close eye on April and May’s Patch Tuesday dump. It’s also worth looking for updates from vendors of third-party RDP clients, as they can also fall foul of this vulnerability.

via:   theregister

When it comes to web apps, healthcare is the biggest target for hackers: Report

Data gathered by Positive Technologies found that healthcare web apps are experiencing an average of 1,526 separate attacks per day. Here’s what IT security teams need to look for.

Enterprise cybersecurity firm Positive Technologies has released a report detailing the scope of cyberattacks against web apps during Q3 2017.

Web apps are obviously a hot target for hackers, and leading the pack are healthcare web apps. The data that can be captured from them is in many ways more valuable than banking data or government records—healthcare provides an intimate look at the details of a person’s identity.

The types of attacks that dominate web app hack attempts aren’t surprising: SQL injections are number one, followed by cross-site scripting and local file inclusion.

Attacks facing healthcare web apps are dominated by cross-site scripting and local file inclusion (SQL injections barely rank), suggesting that hackers are trying to accomplish a different objective on those popular targets.

An ill wind for healthcare web apps

Positive Technologies said that the numbers for healthcare rose dramatically between Q2 and Q3, primarily because of what it tracked: “Most of the web applications in the healthcare category this quarter are used to provide information; in other words, they do not handle private data or patient medical records.”

That suggests attackers could have been slamming healthcare web apps with cross-site scripting and local file inclusion attacks for some time with it going totally unnoticed.

Since most healthcare web apps included in the survey didn’t contain personal data, hackers shifted to attack methods that enable them to drop malware into a web app.

The result is a situation nearly identical to how Bad Rabbit spread: Malicious code injected into the web app tricks users into downloading malware that masquerades as a Flash update or some other legitimate application.

Malware downloaded in this way can be easy to spread from a source like a healthcare web app, Positive Technologies said, because they are trusted websites we wouldn’t expect to be exploited.

What IT teams need to do to protect their web apps

The major spectre haunting web apps, according to Positive Technologies’ conclusions, is that attackers are moving faster than IT teams.

“Many companies still fail to quickly update web application components and install necessary patches. The result is that attackers are able to slip through defenses by using already known vulnerabilities,” the report concludes.

Keeping web apps safe from attackers requires just as much vigilance as protecting the rest of the IT infrastructure. In this case, IT teams need to be aware of any CVE notices that may affect their systems, apply updates as soon as they can be approved, be proactive by installing a web application firewall, and monitor traffic to head off attacks early.

There’s nothing new under the sun to be found here: Constant vigilance and proactive policies make for safe systems.

The top three takeaways for TechRepublic readers:

  1. A report out from Positive Technologies reveals that web app attacks in Q3 2017 were most common in the healthcare industry.
  2. Cross-site scripting and local file inclusion were the most common attacks on healthcare web apps, suggesting that attackers are trying to plant malware downloaders in apps as opposed to stealing user data.
  3. To keep web apps safe, Positive Technologies recommends monitoring CVE notices, applying updates promptly, installing a web application firewall, and monitoring traffic for irregularities.
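The traffic monitoring the report recommends starts with being able to tell the three attack classes it counts apart in your own logs. The following Python is an added example, not code from the article or from Positive Technologies: it classifies requests in a constructed access log into SQL injection, cross-site scripting and local file inclusion, decoding URL-encoded (and double-encoded) payloads first so that the encoded variants the report would lump into the same category are not missed; the signatures are illustrative, not a complete rule set.

```python
"""Triage web access-log requests into SQLi / XSS / LFI categories.

Added example, not from the original article or the Positive Technologies
report. The log lines and the signature list are constructed for illustration;
signature matching is a triage aid, not a substitute for patching or a WAF.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log (Combined Log Format style), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2017:10:01:01 +0000] "GET /patients/search?q=flu HTTP/1.1" 200 512
10.0.0.7 - - [12/Sep/2017:10:01:03 +0000] "GET /news?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 90
10.0.0.9 - - [12/Sep/2017:10:01:04 +0000] "GET /view?page=../../../../etc/passwd HTTP/1.1" 200 1200
10.0.0.9 - - [12/Sep/2017:10:01:05 +0000] "GET /view?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1200
10.0.0.11 - - [12/Sep/2017:10:01:06 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
10.0.0.12 - - [12/Sep/2017:10:01:07 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 300
10.0.0.13 - - [12/Sep/2017:10:01:08 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Illustrative signatures, applied to the *decoded* request path.
SIGNATURES = {
    "sqli": re.compile(r"(?i)'\s*(or|and)\s*'?\d|union\s+select|sleep\(\d+\)"),
    "xss": re.compile(r"(?i)<\s*script|on(error|load|mouseover)\s*=|javascript:"),
    "lfi": re.compile(r"(?i)(\.\./){2,}|/etc/passwd|php://|c:\\windows\\"),
}


def decode_path(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (e.g. %252e) are seen."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path: str) -> list:
    """Return the attack categories whose signatures match the decoded path."""
    decoded = decode_path(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def summarize(log_text: str):
    """Count hits per category and collect the offending requests."""
    counts = Counter()
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not crash
        cats = classify_request(m["path"])
        counts.update(cats)
        if cats:
            hits.append({"ip": m["ip"], "path": m["path"], "categories": cats})
    return counts, hits


if __name__ == "__main__":
    totals, flagged = summarize(SAMPLE_LOG)
    print(dict(totals))
    for h in flagged:
        print(h["ip"], h["categories"], h["path"])
```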

via:  techrepublic

A Complete Penetration Testing Tool List for Security Professionals

Penetration testing is the practice of launching authorized, simulated attacks against computer systems and their physical infrastructure to expose potential security weaknesses and vulnerabilities.

Contents

Online Resources

Penetration Testing Resources
Exploit Development
OSINT Resources
Social Engineering Resources
Lock Picking Resources
Operating Systems

Tools

Penetration Testing Distributions
  • Kali – GNU/Linux distribution designed for digital forensics and penetration testing.
  • ArchStrike – Arch GNU/Linux repository for security professionals and enthusiasts.
  • BlackArch – Arch GNU/Linux-based distribution for penetration testers and security researchers.
  • Network Security Toolkit (NST) – Fedora-based bootable live operating system designed to provide easy access to best-of-breed open source network security applications.
  • Pentoo – Security-focused live CD based on Gentoo.
  • BackBox – Ubuntu-based distribution for penetration tests and security assessments.
  • Parrot – Distribution similar to Kali, with multiple architecture.
  • Buscador – GNU/Linux virtual machine that is pre-configured for online investigators.
  • Fedora Security Lab – Provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies.
  • The Pentesters Framework – Distro organized around the Penetration Testing Execution Standard (PTES), providing a curated collection of utilities that eliminates often unused toolchains.
  • AttifyOS – GNU/Linux distribution focused on tools useful during Internet of Things (IoT) security assessments.
Docker for Penetration Testing
Multi-paradigm Frameworks
  • Metasploit – Software for offensive security teams to help verify vulnerabilities and manage security assessments.
  • Armitage – Java-based GUI front-end for the Metasploit Framework.
  • Faraday – Multiuser integrated pentesting environment for red teams performing cooperative penetration tests, security audits, and risk assessments.
  • ExploitPack – Graphical tool for automating penetration tests that ships with many pre-packaged exploits.
  • Pupy – Cross-platform (Windows, Linux, macOS, Android) remote administration and post-exploitation tool.
Vulnerability Scanners
  • Nexpose – Commercial vulnerability and risk management assessment engine that integrates with Metasploit, sold by Rapid7.
  • Nessus – Commercial vulnerability management, configuration, and compliance assessment platform, sold by Tenable.
  • OpenVAS – Free software implementation of the popular Nessus vulnerability assessment system.
  • Vuls – Agentless vulnerability scanner for GNU/Linux and FreeBSD, written in Go.
Static Analyzers
  • Brakeman – Static analysis security vulnerability scanner for Ruby on Rails applications.
  • cppcheck – Extensible C/C++ static analyzer focused on finding bugs.
  • FindBugs – Free software static analyzer to look for bugs in Java code.
  • sobelow – Security-focused static analysis for the Phoenix Framework.
  • bandit – Security-oriented static analyzer for Python code.
Web Scanners
  • Nikto – Noisy but fast black box web server and web application vulnerability scanner.
  • Arachni – Scriptable framework for evaluating the security of web applications.
  • w3af – Web application attack and audit framework.
  • Wapiti – Black box web application vulnerability scanner with built-in fuzzer.
  • SecApps – In-browser web application security testing suite.
  • WebReaver – Commercial, graphical web application vulnerability scanner designed for macOS.
  • WPScan – Black box WordPress vulnerability scanner.
  • cms-explorer – Reveal the specific modules, plugins, components and themes that various websites powered by content management systems are running.
  • joomscan – Joomla vulnerability scanner.
  • ACSTIS – Automated client-side template injection (sandbox escape/bypass) detection for AngularJS.
Network Tools
  • zmap – Open source network scanner that enables researchers to easily perform Internet-wide network studies.
  • nmap – Free security scanner for network exploration & security audits.
  • pig – GNU/Linux packet crafting tool.
  • scanless – Utility for using websites to perform port scans on your behalf so as not to reveal your own IP.
  • tcpdump/libpcap – Common packet analyzer that runs under the command line.
  • Wireshark – Widely-used graphical, cross-platform network protocol analyzer.
  • Network-Tools.com – Website offering an interface to numerous basic network utilities like ping, traceroute, whois, and more.
  • netsniff-ng – Swiss army knife for network sniffing.
  • Intercepter-NG – Multifunctional network toolkit.
  • SPARTA – Graphical interface offering scriptable, configurable access to existing network infrastructure scanning and enumeration tools.
  • dnschef – Highly configurable DNS proxy for pentesters.
  • DNSDumpster – Online DNS recon and search service.
  • CloudFail – Unmask server IP addresses hidden behind Cloudflare by searching old database records and detecting misconfigured DNS.
  • dnsenum – Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results.
  • dnsmap – Passive DNS network mapper.
  • dnsrecon – DNS enumeration script.
  • dnstracer – Determines where a given DNS server gets its information from, and follows the chain of DNS servers.
  • passivedns-client – Library and query tool for querying several passive DNS providers.
  • passivedns – Network sniffer that logs all DNS server replies for use in a passive DNS setup.
  • Mass Scan – TCP port scanner that spews SYN packets asynchronously, scanning the entire Internet in under 5 minutes.
  • Zarp – Network attack tool centered around the exploitation of local networks.
  • mitmproxy – Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
  • Morpheus – Automated ettercap TCP/IP Hijacking tool.
  • mallory – HTTP/HTTPS proxy over SSH.
  • SSH MITM – Intercept SSH connections with a proxy; all plaintext passwords and sessions are logged to disk.
  • Netzob – Reverse engineering, traffic generation and fuzzing of communication protocols.
  • DET – Proof of concept to perform data exfiltration using either single or multiple channel(s) at the same time.
  • pwnat – Punches holes in firewalls and NATs.
  • dsniff – Collection of tools for network auditing and pentesting.
  • tgcd – Simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls.
  • smbmap – Handy SMB enumeration tool.
  • scapy – Python-based interactive packet manipulation program & library.
  • Dshell – Network forensic analysis framework.
  • Debookee – Simple and powerful network traffic analyzer for macOS.
  • Dripcap – Caffeinated packet analyzer.
  • Printer Exploitation Toolkit (PRET) – Tool for printer security testing capable of IP and USB connectivity, fuzzing, and exploitation of PostScript, PJL, and PCL printer language features.
  • Praeda – Automated multi-function printer data harvester for gathering usable data during security assessments.
  • routersploit – Open source exploitation framework similar to Metasploit but dedicated to embedded devices.
  • evilgrade – Modular framework to take advantage of poor upgrade implementations by injecting fake updates.
  • XRay – Network (sub)domain discovery and reconnaissance automation tool.
  • Ettercap – Comprehensive, mature suite for machine-in-the-middle attacks.
  • BetterCAP – Modular, portable and easily extensible MITM framework.
  • CrackMapExec – A swiss army knife for pentesting networks.
  • impacket – A collection of Python classes for working with network protocols.
Wireless Network Tools
  • Aircrack-ng – Set of tools for auditing wireless networks.
  • Kismet – Wireless network detector, sniffer, and IDS.
  • Reaver – Brute force attack against WiFi Protected Setup.
  • Wifite – Automated wireless attack tool.
  • Fluxion – Suite of automated social engineering based WPA attacks.
Transport Layer Security Tools
  • SSLyze – Fast and comprehensive TLS/SSL configuration analyzer to help identify security mis-configurations.
  • tls_prober – Fingerprint a server’s SSL/TLS implementation.
  • testssl.sh – Command line tool which checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.
Web Exploitation
  • OWASP Zed Attack Proxy (ZAP) – Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.
  • Fiddler – Free cross-platform web debugging proxy with user-friendly companion tools.
  • Burp Suite – Integrated platform for performing security testing of web applications.
  • autochrome – Easy-to-install test browser with the settings needed for web application testing and native Burp support, from NCC Group.
  • Browser Exploitation Framework (BeEF) – Command and control server for delivering exploits to commandeered Web browsers.
  • Offensive Web Testing Framework (OWTF) – Python-based framework for pentesting Web applications based on the OWASP Testing Guide.
  • WordPress Exploit Framework – Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
  • WPSploit – Exploit WordPress-powered websites with Metasploit.
  • SQLmap – Automatic SQL injection and database takeover tool.
  • tplmap – Automatic server-side template injection and Web server takeover tool.
  • weevely3 – Weaponized web shell.
  • Wappalyzer – Wappalyzer uncovers the technologies used on websites.
  • WhatWeb – Website fingerprinter.
  • BlindElephant – Web application fingerprinter.
  • wafw00f – Identifies and fingerprints Web Application Firewall (WAF) products.
  • fimap – Find, prepare, audit, exploit and even Google automatically for LFI/RFI bugs.
  • Kadabra – Automatic LFI exploiter and scanner.
  • Kadimus – LFI scan and exploit tool.
  • liffy – LFI exploitation tool.
  • Commix – Automated all-in-one operating system command injection and exploitation tool.
  • DVCS Ripper – Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR.
  • GitTools – Automatically find and download Web-accessible .git repositories.
  • sslstrip – Demonstration of the HTTPS stripping attacks.
  • sslstrip2 – SSLStrip version to defeat HSTS.
  • NoSQLmap – Automatic NoSQL injection and database takeover tool.
  • VHostScan – A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
  • FuzzDB – Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
  • EyeWitness – Tool to take screenshots of websites, provide some server header info, and identify default credentials if possible.
  • webscreenshot – A simple script to take screenshots of list of websites.
Hex Editors
  • HexEdit.js – Browser-based hex editing.
  • Hexinator – World’s finest (proprietary, commercial) Hex Editor.
  • Frhed – Binary file editor for Windows.
  • 0xED – Native macOS hex editor that supports plug-ins to display custom data types.
File Format Analysis Tools
  • Kaitai Struct – File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • Veles – Binary data visualization and analysis tool.
  • Hachoir – Python library to view and edit a binary stream as tree of fields and tools for metadata extraction.
Defense Evasion Tools
  • Veil – Generate metasploit payloads that bypass common anti-virus solutions.
  • shellsploit – Generates custom shellcode, backdoors, injectors, optionally obfuscates every byte via encoders.
  • Hyperion – Runtime encryptor for 32-bit portable executables (“PE .exes”).
  • AntiVirus Evasion Tool (AVET) – Post-process exploits containing executable files targeted for Windows machines to avoid being recognized by antivirus software.
  • peCloak.py – Automates the process of hiding a malicious Windows executable from antivirus (AV) detection.
  • peCloakCapstone – Multi-platform fork of the peCloak.py automated malware antivirus evasion tool.
  • UniByAv – Simple obfuscator that takes raw shellcode and generates Anti-Virus friendly executables by using a brute-forcable, 32-bit XOR key.
Hash Cracking Tools
  • John the Ripper – Fast password cracker.
  • Hashcat – Even faster hash cracker.
  • CeWL – Generates custom wordlists by spidering a target’s website and collecting unique words.
  • JWT Cracker – Simple HS256 JWT token brute force cracker.
  • Rar Crack – RAR bruteforce cracker.
  • BruteForce Wallet – Find the password of an encrypted wallet file (i.e. wallet.dat).
Windows Utilities
  • Sysinternals Suite – The Sysinternals Troubleshooting Utilities.
  • Windows Credentials Editor – Inspect logon sessions and add, change, list, and delete associated credentials, including Kerberos tickets.
  • mimikatz – Credentials extraction tool for Windows operating system.
  • PowerSploit – PowerShell Post-Exploitation Framework.
  • Windows Exploit Suggester – Detects potential missing patches on the target.
  • Responder – LLMNR, NBT-NS and MDNS poisoner.
  • Bloodhound – Graphical Active Directory trust relationship explorer.
  • Empire – Pure PowerShell post-exploitation agent.
  • Fibratus – Tool for exploration and tracing of the Windows kernel.
  • wePWNise – Generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software.
  • redsnarf – Post-exploitation tool for retrieving password hashes and credentials from Windows workstations, servers, and domain controllers.
  • Magic Unicorn – Shellcode generator for numerous attack vectors, including Microsoft Office macros, PowerShell, HTML applications (HTA), or certutil (using fake certificates).
  • DeathStar – Python script that uses Empire’s RESTful API to automate gaining Domain Admin rights in Active Directory environments.
GNU/Linux Utilities
macOS Utilities
  • Bella – Pure Python post-exploitation data mining and remote administration tool for macOS.
DDoS Tools
  • LOIC – Open source network stress tool for Windows.
  • JS LOIC – JavaScript in-browser version of LOIC.
  • SlowLoris – DoS tool that uses low bandwidth on the attacking side.
  • HOIC – Updated version of Low Orbit Ion Cannon, has ‘boosters’ to get around common counter measures.
  • T50 – Faster network stress tool.
  • UFONet – Abuses OSI layer 7 (HTTP) to create and manage ‘zombies’ and to conduct different attacks using GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.
Social Engineering Tools
  • Social Engineer Toolkit (SET) – Open source pentesting framework designed for social engineering featuring a number of custom attack vectors to make believable attacks quickly.
  • King Phisher – Phishing campaign toolkit used for creating and managing multiple simultaneous phishing attacks with custom email and server content.
  • Evilginx – MITM attack framework used for phishing credentials and session cookies from any Web service.
  • wifiphisher – Automated phishing attacks against WiFi networks.
  • Catphish – Tool for phishing and corporate espionage written in Ruby.
  • Beelogger – Tool for generating keyloggers.
OSINT Tools
  • Maltego – Proprietary software for open source intelligence and forensics, from Paterva.
  • theHarvester – E-mail, subdomain and people names harvester.
  • creepy – Geolocation OSINT tool.
  • metagoofil – Metadata harvester.
  • Google Hacking Database – Database of Google dorks; can be used for recon.
  • Google-dorks – Common Google dorks and others you probably don’t know.
  • GooDork – Command line Google dorking tool.
  • dork-cli – Command line Google dork tool.
  • Censys – Collects data on hosts and websites through daily ZMap and ZGrab scans.
  • Shodan – World’s first search engine for Internet-connected devices.
  • recon-ng – Full-featured Web Reconnaissance framework written in Python.
  • github-dorks – CLI tool to scan github repos/organizations for potential sensitive information leak.
  • vcsmap – Plugin-based tool to scan public version control systems for sensitive information.
  • Spiderfoot – Multi-source OSINT automation tool with a Web UI and report visualizations.
  • BinGoo – GNU/Linux bash based Bing and Google Dorking Tool.
  • fast-recon – Perform Google dorks against a domain.
  • snitch – Information gathering via dorks.
  • Sn1per – Automated Pentest Recon Scanner.
  • Threat Crowd – Search engine for threats.
  • Virus Total – VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
  • DataSploit – OSINT visualizer utilizing Shodan, Censys, Clearbit, EmailHunter, FullContact, and Zoomeye behind the scenes.
  • AQUATONE – Subdomain discovery tool utilizing various open sources producing a report that can be used as input to other tools.
  • Intrigue – Automated OSINT & Attack Surface discovery framework with powerful API, UI and CLI.
  • ZoomEye – Search engine for cyberspace that lets the user find specific network components.
Anonymity Tools
  • Tor – Free software and onion routed overlay network that helps you defend against traffic analysis.
  • OnionScan – Tool for investigating the Dark Web by finding operational security issues introduced by Tor hidden service operators.
  • I2P – The Invisible Internet Project.
  • Nipe – Script to redirect all traffic from the machine to the Tor network.
  • What Every Browser Knows About You – Comprehensive detection page to test your own Web browser’s configuration for privacy and identity leaks.
Reverse Engineering Tools
  • Interactive Disassembler (IDA Pro) – Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, IDA Free.
  • WDK/WinDbg – Windows Driver Kit and WinDbg.
  • OllyDbg – x86 debugger for Windows binaries that emphasizes binary code analysis.
  • Radare2 – Open source, cross-platform reverse engineering framework.
  • x64dbg – Open source x64/x32 debugger for Windows.
  • Immunity Debugger – Powerful way to write exploits and analyze malware.
  • Evan’s Debugger – OllyDbg-like debugger for GNU/Linux.
  • Medusa – Open source, cross-platform interactive disassembler.
  • plasma – Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
  • peda – Python Exploit Development Assistance for GDB.
  • dnSpy – Tool to reverse engineer .NET assemblies.
  • binwalk – Fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
  • PyREBox – Python scriptable Reverse Engineering sandbox by Cisco-Talos.
  • Voltron – Extensible debugger UI toolkit written in Python.
  • Capstone – Lightweight multi-platform, multi-architecture disassembly framework.
  • rVMI – Debugger on steroids; inspect userspace processes, kernel drivers, and preboot environments in a single tool.
  • Frida – Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
Physical Access Tools
  • LAN Turtle – Covert “USB Ethernet Adapter” that provides remote access, network intelligence gathering, and MITM capabilities when installed in a local network.
  • USB Rubber Ducky – Customizable keystroke injection attack platform masquerading as a USB thumbdrive.
  • Poisontap – Siphons cookies, exposes internal (LAN-side) router and installs web backdoor on locked computers.
  • WiFi Pineapple – Wireless auditing and penetration testing platform.
  • Proxmark3 – RFID/NFC cloning, replay, and spoofing toolkit often used for analyzing and attacking proximity cards/readers, wireless keys/keyfobs, and more.
Side-channel Tools
  • ChipWhisperer – Complete open-source toolchain for side-channel power analysis and glitching attacks.
CTF Tools
  • ctf-tools – Collection of setup scripts to install various security research tools easily and quickly deployable to new machines.
  • Pwntools – Rapid exploit development framework built for use in CTFs.
  • RsaCtfTool – Decrypt data enciphered using weak RSA keys, and recover private keys from public keys using a variety of automated attacks.
Penetration Testing Report Templates

Books

Penetration Testing Books
Hackers Handbook Series
Defensive Development
Network Analysis Books
Reverse Engineering Books
Malware Analysis Books
Windows Books
Social Engineering Books
Lock Picking Books
Defcon Suggested Reading

Vulnerability Databases

  • Common Vulnerabilities and Exposures (CVE) – Dictionary of common names (i.e., CVE Identifiers) for publicly known security vulnerabilities.
  • National Vulnerability Database (NVD) – United States government’s National Vulnerability Database provides additional meta-data (CPE, CVSS scoring) of the standard CVE List along with a fine-grained search engine.
  • US-CERT Vulnerability Notes Database – Summaries, technical details, remediation information, and lists of vendors affected by software vulnerabilities, aggregated by the United States Computer Emergency Response Team (US-CERT).
  • Full-Disclosure – Public, vendor-neutral forum for detailed discussion of vulnerabilities, often publishes details before many other sources.
  • Bugtraq (BID) – Software security bug identification database compiled from submissions to the SecurityFocus mailing list and other sources, operated by Symantec, Inc.
  • Exploit-DB – Non-profit project hosting exploits for software vulnerabilities, provided as a public service by Offensive Security.
  • Microsoft Security Bulletins – Announcements of security issues discovered in Microsoft software, published by the Microsoft Security Response Center (MSRC).
  • Microsoft Security Advisories – Archive of security advisories impacting Microsoft software.
  • Mozilla Foundation Security Advisories – Archive of security advisories impacting Mozilla software, including the Firefox Web Browser.
  • Packet Storm – Compendium of exploits, advisories, tools, and other security-related resources aggregated from across the industry.
  • CXSecurity – Archive of published CVE and Bugtraq software vulnerabilities cross-referenced with a Google dork database for discovering the listed vulnerability.
  • SecuriTeam – Independent source of software vulnerability information.
  • Vulnerability Lab – Open forum for security advisories organized by category of exploit target.
  • Zero Day Initiative – Bug bounty program with publicly accessible archive of published security advisories, operated by TippingPoint.
  • Vulners – Security database of software vulnerabilities.
  • Inj3ct0r (Onion service) – Exploit marketplace and vulnerability information aggregator.
  • Open Source Vulnerability Database (OSVDB) – Historical archive of security vulnerabilities in computerized equipment, no longer adding to its vulnerability database as of April, 2016.
  • HPI-VDB – Aggregator of cross-referenced software vulnerabilities offering free-of-charge API access, provided by the Hasso-Plattner Institute, Potsdam.

Security Courses

Information Security Conferences

  • DEF CON – Annual hacker convention in Las Vegas.
  • Black Hat – Annual security conference in Las Vegas.
  • BSides – Framework for organising and holding security conferences.
  • CCC – Annual meeting of the international hacker scene in Germany.
  • DerbyCon – Annual hacker conference based in Louisville.
  • PhreakNIC – Technology conference held annually in middle Tennessee.
  • ShmooCon – Annual US East coast hacker convention.
  • CarolinaCon – Infosec conference, held annually in North Carolina.
  • CHCon – Christchurch Hacker Con, the only hacker con on New Zealand’s South Island.
  • SummerCon – One of the oldest hacker conventions, held during Summer.
  • Hack.lu – Annual conference held in Luxembourg.
  • Hackfest – Largest hacking conference in Canada.
  • HITB – Deep-knowledge security conference held in Malaysia and The Netherlands.
  • Troopers – Annual international IT Security event with workshops held in Heidelberg, Germany.
  • Hack3rCon – Annual US hacker conference.
  • ThotCon – Annual US hacker conference held in Chicago.
  • LayerOne – Annual US security conference held every spring in Los Angeles.
  • DeepSec – Security Conference in Vienna, Austria.
  • SkyDogCon – Technology conference in Nashville.
  • SECUINSIDE – Security Conference in Seoul.
  • DefCamp – Largest Security Conference in Eastern Europe, held annually in Bucharest, Romania.
  • AppSecUSA – Annual conference organized by OWASP.
  • BruCON – Annual security conference in Belgium.
  • Infosecurity Europe – Europe’s number one information security event, held in London, UK.
  • Nullcon – Annual conference in Delhi and Goa, India.
  • RSA Conference USA – Annual security conference in San Francisco, California, USA.
  • Swiss Cyber Storm – Annual security conference in Lucerne, Switzerland.
  • Virus Bulletin Conference – Annual conference, held in Denver, USA in 2016.
  • Ekoparty – Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina.
  • 44Con – Annual Security Conference held in London.
  • BalCCon – Balkan Computer Congress, annually held in Novi Sad, Serbia.
  • FSec – Croatian Information Security Gathering in Varaždin, Croatia.

Information Security Magazines

Awesome Lists


via:  techincidents

Security risks associated with web apps – Top 5

Raising awareness of these risks, identified by the Open Web Application Security Project, can help build a culture of secure code in your organization.


The Open Web Application Security Project (OWASP) puts out a regular list of the top 10 most critical web application security risks with the hopes of raising awareness and helping organizations develop a culture of more secure code.

With that in mind, let’s take a look at the top five:

1. Broken Access Control

This means that restrictions on authenticated users are not properly enforced, leaving one user able to see other users’ files or modify other users’ data.
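The failure is usually a missing per-record authorization check rather than a missing login. As an added illustration in Python (not code from the TechRepublic article), here is a constructed in-memory document store with a handler that trusts the client-supplied id next to the same handler with an ownership check; the store, the users and the function names are assumptions made for this example.

```python
"""Object-level authorization for a document-download endpoint.

Constructed example: an in-memory document store and two users. The
vulnerable handler trusts the client-supplied id; the fixed handler
verifies that the authenticated user owns (or was granted) the requested
record before returning it.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authenticated user requests a record they may not read."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str
    shared_with: frozenset = field(default_factory=frozenset)


# Constructed sample data: two users, three documents.
DOCUMENTS = {
    1: Document(1, "alice", "alice's tax return"),
    2: Document(2, "bob", "bob's medical record"),
    3: Document(3, "bob", "team roster", frozenset({"alice"})),
}


def get_document_vulnerable(current_user: str, doc_id: int) -> str:
    """Broken access control: the user is authenticated, but authorization
    for *this* record is never checked, so any logged-in user can read any id."""
    return DOCUMENTS[doc_id].body


def get_document_fixed(current_user: str, doc_id: int) -> str:
    """Enforce the restriction server-side, per record, on every request."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        # Same error as "forbidden" so valid ids cannot be enumerated.
        raise Forbidden(f"no access to document {doc_id}")
    if doc.owner != current_user and current_user not in doc.shared_with:
        raise Forbidden(f"no access to document {doc_id}")
    return doc.body


def can_read(current_user: str, doc_id: int) -> bool:
    """Boolean view of the same rule, convenient for tests and access audits."""
    try:
        get_document_fixed(current_user, doc_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # alice is logged in and changes the id in the URL from 1 to 2.
    print(get_document_vulnerable("alice", 2))  # leaks bob's record
    print(can_read("alice", 2), can_read("alice", 3), can_read("bob", 1))
```

The check lives in the handler, not the client: an id that the user may not read and an id that does not exist both produce the same `Forbidden`, which keeps the endpoint from doubling as an id oracle.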

2. XML External Entities

Fun to say, not fun when it happens. This occurs when older or badly configured XML processors evaluate external entity references within XML documents. That can expose internal files and allow for internal port scanning, remote code execution, and denial of service attacks.
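The mitigation OWASP recommends is to disable DTDs altogether, since entities can only be declared inside one. The following added example (not code from the article) shows that policy with Python's standard library: `xml.etree`'s `XMLParser` hands the DOCTYPE event to a custom target, and raising there aborts the parse before a single `<!ENTITY>` declaration is read. Python's own parser does not fetch external entities, but the same refusal also stops internal entity-expansion ("billion laughs") input. The sample documents are constructed and the `file://` path is a placeholder.

```python
"""Refuse any XML that carries a DTD before entities can be declared.

Added example using only the standard library. The parser target below
builds a normal element tree but raises on the DOCTYPE event, which
expat delivers before it reads the internal subset.
"""
from xml.etree import ElementTree as ET


class DTDNotAllowed(ValueError):
    """Raised when untrusted XML declares a DOCTYPE (and so may define entities)."""


class NoDTDTarget:
    """Parser target that delegates tree building but rejects any DOCTYPE."""

    def __init__(self) -> None:
        self._builder = ET.TreeBuilder()

    # Ordinary tree-building events pass through unchanged.
    def start(self, tag, attrib):
        return self._builder.start(tag, attrib)

    def end(self, tag):
        return self._builder.end(tag)

    def data(self, text):
        return self._builder.data(text)

    def close(self):
        return self._builder.close()

    # Fires at the start of <!DOCTYPE ...>, before any entity declaration.
    def doctype(self, name, pubid, system):
        raise DTDNotAllowed(
            f"DOCTYPE {name!r} rejected (public id {pubid!r}, system id {system!r})"
        )


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing documents with a DTD."""
    parser = ET.XMLParser(target=NoDTDTarget())
    parser.feed(data)
    return parser.close()


def is_accepted(data: bytes) -> bool:
    """True when the document parses under the no-DTD policy."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DTDNotAllowed, ET.ParseError):
        return False


# Constructed samples.
SAFE_XML = b"<order><item sku='A-1' qty='2'/></order>"

# Shape of an XXE document: an external entity pointing at a local file.
# The path is a placeholder for this example, not a real target.
XXE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY ext SYSTEM "file:///tmp/placeholder.txt">
]>
<order><note>&ext;</note></order>"""

if __name__ == "__main__":
    print(parse_untrusted_xml(SAFE_XML).find("item").get("qty"))
    print(is_accepted(XXE_XML))
```

Rejecting the document outright is simpler to reason about than selectively disabling entity resolution per parser, and it gives you a single event to log and alert on when untrusted input unexpectedly arrives with a DTD.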

3. Sensitive Data Exposure

This is where sensitive data is not encrypted in transit or at rest, leaving it exposed for attackers to steal or modify.

4. Broken Authentication

If authentication and session management are implemented incorrectly, attackers can compromise passwords, keys or session tokens and assume other users’ identities.
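Items 3 and 4 meet in the login path: credentials at rest must not be recoverable from a database dump, and the session token handed out afterwards must not be guessable. The added example below (not code from the article) uses only Python's standard library: PBKDF2-HMAC-SHA256 with a random per-user salt and the work factor from the OWASP Password Storage Cheat Sheet, a constant-time comparison, and session ids drawn from the OS CSPRNG that expire and can be revoked. The user store, usernames and lifetimes are constructed for the example.

```python
"""Password storage and session handling that survive a database leak.

Added example, standard library only. Stored credentials are salted
PBKDF2-HMAC-SHA256 hashes, verification is constant-time, and session
tokens are 256 bits of CSPRNG output with an absolute lifetime.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Work factor from the OWASP Password Storage Cheat Sheet for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: algo$iterations$salt$digest."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Verified against for unknown usernames so that a failed login costs the
# same time whether or not the account exists (no username oracle).
_DUMMY_HASH = hash_password(secrets.token_hex(16))


class SessionStore:
    """Opaque, unguessable session ids with an absolute lifetime."""

    def __init__(self, ttl_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry is testable
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expires_at)

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, self.clock() + self.ttl)
        return token

    def user_for(self, token: str) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[token]  # expired: forget it server-side
            return None
        return username

    def revoke(self, token: str) -> None:
        """Logout: the token stops working immediately, regardless of the client."""
        self._sessions.pop(token, None)


def login(users: Dict[str, str], sessions: SessionStore,
          username: str, password: str) -> Optional[str]:
    """Return a fresh session token on success, None otherwise."""
    stored = users.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored) and username in users
    return sessions.create(username) if ok else None


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed
    store = SessionStore(ttl_seconds=1800)
    token = login(users, store, "alice", "correct horse battery staple")
    print(token is not None, store.user_for(token), login(users, store, "alice", "wrong"))
```

Two details carry the security weight: the iteration count is stored with each record so it can be raised later without invalidating old hashes, and `login` always runs one PBKDF2 computation even for unknown usernames.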

5. Injection

Whether it’s SQL, NoSQL, OS, or LDAP, untrusted data is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands or accessing data without authorization.
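The SQL case, as an added example that is not part of the article: a lookup built by string concatenation next to the same lookup using bound parameters, run against a constructed in-memory SQLite table, plus the allow-list pattern for the one place parameters cannot help (identifiers such as an `ORDER BY` column). Table and row contents are made up for the example.

```python
"""SQL injection: concatenated query versus bound parameters.

Added example using Python's sqlite3 module and a constructed users table.
"""
import sqlite3
from typing import List, Tuple

# Constructed sample data.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Untrusted input becomes part of the query text: the interpreter cannot
    tell where the literal ends and the attacker's SQL begins."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Bound parameter: the value is passed to the engine separately from the
    statement and can never change the statement's structure."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Identifiers cannot be bound, so they are validated against a fixed allow-list.
ALLOWED_SORT_COLUMNS = {"id", "username", "email"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> List[Tuple[str]]:
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    # Safe only because `column` is one of our own constants at this point.
    return conn.execute(f"SELECT username FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    conn = make_db()
    tampered = "' OR '1'='1"  # classic textbook input; constructed
    print(lookup_vulnerable(conn, tampered))  # every row
    print(lookup_fixed(conn, tampered))       # no row has that literal username
    print(list_users_sorted(conn, "email"))
```

The fixed lookup is not "escaping done right"; it removes the problem class by never letting input reach the parser as SQL. The allow-list handles the residual case where the query shape itself must vary.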

Those are just the top five. If you don’t want to be the next headline because of a data breach, get the full top 10 list from OWASP and use it to raise awareness in your team.



via:  techrepublic