All posts tagged Security

deutschlandfunk

old time radio
At the end of last year a friend gave my contact information to a radio producer with an interesting project. She wanted to learn as much she could as you can from a person through different means:

  • Getting his writing analyzed
  • Getting his voice analyzed
  • Using a private detective to follow him for a couple of days
  • And of course the digital perspective (which is where I tried to pitch in)

Basically we had a target (which gave us written permission to hack him and his systems) and the idea was to go, collect all the information we could from his online presence, hack any of his accounts and / or his personal computer. One of the things we had in mind, was since “the Target” was one of the producers, is that we didn’t want to kill any of his devices.

Keep Reading →

Horizon and cookies

I’ve been working with the Havanna release of OpenStack the last couple of days and ran across a default setting that should be avoided in any deployment: using cookies as the session backend.

The source of the problems has been known at least since October 2013  in Django and other frameworks: clear-text client-side session management.
There is even OSVDB entry and Threatpost covered it in an article.

Keep Reading →

Launch of Practical security

This is a topic that I have been thinking about for a long time and finally started creating some content for it. The idea is to create a series of posts, workshops and presentations that will help create security awareness at many levels. The topics will go across the board but I will be starting with those I think will have a greater impact in reducing the amount of low-hanging fruit out there.

Keep Reading →

Do Reverse Proxies provide real security?

OSSTMM

Have you ever questioned the security best practices?

In the process of building / designing the infrastructure for a new project the following question was asked: “shouldn’t we use a reverse proxy to secure or protect the web servers?” Of course the first question I asked myself is “do reverse proxies provide real security?” or is this a best / common practice that has been adopted without foundation? Keep Reading →

IT-SA

So the last couple of days I was at the IT-SA a new security fair in Nürnberg (Germany).  This is / was the first edition but it is a attempt to make a security oriented fair out of the security section of the Systems in München which should take place 21-24th October 2009.

On Tuesday I was really disapointed with the fair, because I was expecting a conference RSA style.  But after taking the right perspective I think it was good,  most of the big players in the security field were there:  AV companies, the big firewall companies and of course your share of UTM and service providers.  They organized a speaking trend in each of the 2 exibition halls: a technical and a managment.  Most of the talks were short and white paper like and they had the usual “hacking live” talks that serve as “eye openers”.  They are fun to see but people should know that the pentesting or crackers job is normally not that easy, they don’t know exactlly what you are going to do in order to install a Trojan or what drivers you have install in oder to escalate privileges.

Today the BSI had it’s own embebed conference (3. BSI Grundschutztag) in the event.  The talks where OK, they presented the new changes that can be expected it in the next version of the IT-Grundschutz Katalog and their standards.

OWAP hat their share yesturday, I didn’t get the chance to attend but if someone got to go I would appreciate a link to the slides and/or the content of the sessions.

Changes to the data collection law in Germany

I’ve been living in Germany for a little more than a year now, and since then lots of things have really impressed me in the way privacy, digital rights, data collection, infomation security are managed in politics.

There have been some major attempts to create a state of surveillance protect the people and the institutions from hackers, terrorists in exchange for freedom and civil liberties.  Let’s take for example the Skype Trojan they intented to create and use out in the wild without warrants, the prohibition of “hacker tools” or the data collection law.

After giving a big fight, last week the court in Karlsruhe ruled that:

Data can only be collected when the stability or security of Germany or another country need to be defended and “life, limb, and freedom of German citizens” need to be protected (The Register)

I think this is a mayor advance, and I really hope this will be followed by action in the other controversial laws.

Certifications

Well after postponing it for quite a while I finally decided it was time to go down the certification path.  So there are a couple of questions that came to mind, I think I did my homework and these were my answers:

Why get certified?

Well it’s a way of proving that you know something to other people, in particular to potential new employers.  It is said that certs are a great way to boost your career or at least make a statement on where you want to steer yours to, i.e. if you take some CISCO certs, you probably what to pursue a the networking path; or if you take a security cert you’re showing that’s the way you want to go.

What certification should I get?

This was a hard one, there are lots of them out there.  So I took some notes and talked to people last year when I attended the RSA Conference 2007.  I also found a great website where they did some comparisons on with a lot of different variables.  After some thinking around I decided to start with Security+ and after that pursue OPSE and / or the well known CISSP.  So step 1 is done.

Other thoughts

A cert alone doesn’t make a good or complete professional, I know a couple of cert holders that don’t know squat and can’t solve a problem in their “area of expertise” even if their life depended on it.  One of those was and old colleague, he had a couple of the CISCO certs and said that he was an expert in networking but couldn’t understand the difference in the use of the POP3 (TCP 110) and webmail or HTTP (tcp 80), after that we just labeled him port 80.

Well officially as of last week I approved my Security+ exam and should continue down the cert road to get a couple more.