From Security Weekly Wiki

Paul's Security Weekly - Episode 463 - 6:00PM

Episode Audio

Recorded April 28th, 2016

First segment 6:00PM-7:00PM

Ferruh Mavituna has been working in the application security industry for well over a decade. His ambition to ease the process of automatically detecting web application vulnerabilities led him to build Netsparker and pursue it to the point of commercial reality. Ferruh is also Netsparker's Product Architect.

  1. SDLC - 1) Threat modeling / training 2) static analysis / training 3) QA active scanning 4) RASP / WAF
  2. PHP / Wordpress - Tips and tricks for scanning and security?
  3. https://www.netsparker.com/blog/docs-and-faqs/generate-modsecurity-web-application-firewall-rules/
  4. http://software-security.sans.org/blog/2016/04/26/securing-the-sdlc-dynamic-testing-java-web-apps
  5. http://feedproxy.google.com/~r/nakedsecurity/~3/a-OC16aZZLc/

Our guest on the show will be Ferruh Mavituna.

  1. Three words to describe yourself.
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby-grabby, do you prefer to go first or second?
  5. Choose two celebrities to be your parents.

Tech Segment

Apollo did the Tech Segment for this week.

User Access

  1. http://blogs.aws.amazon.com/security/post/Tx2OB7YGHMB7WCM/Adhere-to-IAM-Best-Practices-in-2016

  1. Record all AWS CLI actions (CloudTrail)
  2. Use IAM users, not the root user
  3. Grant least privilege
  4. Use IAM groups
  5. Use IAM policies
  6. Enable a strong password policy
  7. Rotate credentials
  8. Enable MFA
  9. Remove old credentials
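The user-access items above are easy to audit from the IAM credential report (`aws iam get-credential-report` returns it base64-encoded; decode it first). The script below is an added example, not code from the page or from the linked AWS post: it reads a report in that column layout and flags the root user holding access keys, console users and root without MFA, keys older than the rotation window, and credentials that have gone idle (items 2, 7, 8 and 9). The CSV rows, account id, "now" timestamp and the 90-day thresholds are constructed assumptions.

```python
"""Audit an IAM credential report against the user-access checklist.

Added example. SAMPLE_REPORT is a constructed report in the column layout
that `aws iam get-credential-report` produces; thresholds are assumed policy.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: root with an active key and no MFA, one healthy user,
# one user with stale, unused credentials and no MFA. Account id is fake.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2014-01-05T10:00:00+00:00,not_supported,2016-04-27T08:00:00+00:00,not_supported,not_supported,false,true,2014-01-05T10:00:00+00:00,2016-04-20T08:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2015-02-01T09:00:00+00:00,true,2016-04-27T12:00:00+00:00,2016-04-01T09:00:00+00:00,2016-06-30T09:00:00+00:00,true,true,2016-03-15T09:00:00+00:00,2016-04-27T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2014-06-01T09:00:00+00:00,true,2015-09-01T12:00:00+00:00,2014-06-01T09:00:00+00:00,N/A,false,true,2014-06-01T09:00:00+00:00,2015-09-01T12:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT = "<root_account>"
NOW = datetime(2016, 4, 28, tzinfo=timezone.utc)  # fixed for reproducible results
MAX_KEY_AGE = timedelta(days=90)                   # assumed rotation policy (item 7)
MAX_IDLE = timedelta(days=90)                      # assumed "old credential" cutoff (item 9)


def _ts(value):
    """Parse a report timestamp; the report uses placeholders for 'no data'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW):
    """Return {user: [finding, ...]} for every principal that fails a check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        has_console = row["password_enabled"] == "true"

        if user == ROOT:
            # Item 2: root should have no access keys and should not be in daily use.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                issues.append("root has active access keys")
            last = _ts(row["password_last_used"])
            if last and now - last < timedelta(days=30):
                issues.append("root used recently")

        # Item 8: anyone who can sign in to the console needs MFA; so does root.
        if (has_console or user == ROOT) and row["mfa_active"] != "true":
            issues.append("MFA not enabled")

        # Items 7 and 9: each active key must be rotated and actually in use.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                issues.append(f"access key {n} older than {MAX_KEY_AGE.days} days")
            used = _ts(row[f"access_key_{n}_last_used_date"])
            if used and now - used > MAX_IDLE:
                issues.append(f"access key {n} unused for {MAX_IDLE.days}+ days")

        # Item 9 again, for console passwords nobody has used in a long time.
        if has_console:
            used = _ts(row["password_last_used"])
            if used and now - used > MAX_IDLE:
                issues.append(f"console password unused for {MAX_IDLE.days}+ days")

        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run it against a real report by replacing SAMPLE_REPORT with the decoded output of `aws iam get-credential-report`; keys that have never been used show `N/A` in the last-used column, which this script deliberately does not count as idle, so pair it with the key-age check rather than relying on either alone.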

Servers, Monitoring

  1. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-best-practices.html
  2. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring_best_practices.html

  10. Enumerate all servers
  11. Tag instances (deployment, role)
  12. Set up a VPN; use SSH to a bastion host
  13. Enable system resource monitoring (CloudWatch Metrics)
  14. Enable system log aggregation (CloudWatch Logs)
  15. Enable alerts (email, SMS)
  16. Automate patching and updates (Ansible / Puppet / Chef)
  17. Back up databases (cron)


  1. http://harish11g.blogspot.com/2014/01/Amazon-Virtual-Private-Cloud-VPC-best-practices-tips-for-architecture-migration.html
  2. http://blog.flux7.com/blogs/aws/vpc-best-configuration-practices
  3. http://blog.celingest.com/en/2013/04/19/aws-virtual-private-cloud-vpc-security/

  18. Configure all servers to use a VPC
  19. Restrict IPs based on use case
  20. Use strict firewall rules
  21. Use Auto Scaling groups
  22. Scale across Availability Zones
  23. Use Elastic IPs
  24. Use load balancers
  25. Do stress testing

  1. Install


  1. https://github.com/aws/aws-cli
  2. https://github.com/aws/aws-cli/releases

sudo pip install awscli
sudo pip install --upgrade awscli

AWS CLI Basics

  1. list all instances, as json

aws ec2 describe-instances
aws ec2 describe-instances --output json

  1. list all instances, as a table

aws ec2 describe-instances --output table

  1. list all instances, as text

aws ec2 describe-instances --output text

  1. list all instances, that are running

aws ec2 describe-instances \
    --filters "Name=instance-state-name,Values=running"

  1. list all instances, instance id, using query

aws ec2 describe-instances \
    --query 'Reservations[*].Instances[*].InstanceId'

  1. list all instances, public dns, using query

aws ec2 describe-instances \
    --query 'Reservations[*].Instances[*].PublicDnsName'

  1. list all instances, public dns, using jq

aws ec2 describe-instances | \
    jq '.Reservations[].Instances[].InstanceId'

aws ec2 describe-instances | \
    jq '.Reservations[].Instances[] | {InstanceId}'

  1. list all instances, InstanceId and PublicDnsName, using jq

aws ec2 describe-instances | \
    jq '.Reservations[].Instances[] | {InstanceId, PublicDnsName}'

  1. list all instances, public dns, that are running

aws ec2 describe-instances \
    --filters "Name=instance-state-name,Values=running" \
    | jq -r ".Reservations[].Instances[].PublicDnsName"
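Once the CLI is producing JSON, the same Reservations[].Instances[] flattening that the jq queries above perform can be scripted, which is where the "enumerate all servers", "tag instances" and "use a VPC" items from the server checklist (items 10, 11 and 18) become a check rather than a habit. The script below is an added example, not code from the page or the AWS CLI project: it runs over a constructed describe-instances response, reproduces the running-state filter and the public-DNS extraction, and additionally reports instances missing the deployment/role tags or not attached to a VPC. The instance ids, DNS names and the required tag names are constructed assumptions.

```python
"""Inventory EC2 instances from `aws ec2 describe-instances --output json`.

Added example. SAMPLE is a constructed response; the required tag set is an
assumption taken from the "Tag instances (deployment, role)" checklist item.
"""
import json

# Constructed sample: three instances across two reservations. The third has
# no VpcId (EC2-Classic) and no tags; the second is stopped and half-tagged.
SAMPLE = json.loads("""
{ "Reservations": [
  { "Instances": [
      { "InstanceId": "i-0aaa111", "State": {"Name": "running"},
        "PublicDnsName": "ec2-203-0-113-10.compute-1.amazonaws.com",
        "VpcId": "vpc-0example",
        "Tags": [{"Key": "deployment", "Value": "prod"}, {"Key": "role", "Value": "web"}] },
      { "InstanceId": "i-0bbb222", "State": {"Name": "stopped"},
        "PublicDnsName": "", "VpcId": "vpc-0example",
        "Tags": [{"Key": "role", "Value": "db"}] }
  ]},
  { "Instances": [
      { "InstanceId": "i-0ccc333", "State": {"Name": "running"},
        "PublicDnsName": "ec2-203-0-113-11.compute-1.amazonaws.com",
        "Tags": [] }
  ]}
]}
""")

REQUIRED_TAGS = ("deployment", "role")  # assumed tagging standard


def instances(doc):
    """Flatten .Reservations[].Instances[] exactly as the jq filter does."""
    return [inst for res in doc["Reservations"] for inst in res["Instances"]]


def running(doc):
    """Equivalent of --filters Name=instance-state-name,Values=running."""
    return [inst for inst in instances(doc) if inst["State"]["Name"] == "running"]


def running_public_dns(doc):
    """Equivalent of the `jq -r ...PublicDnsName` pipeline, skipping blanks."""
    return [inst["PublicDnsName"] for inst in running(doc) if inst.get("PublicDnsName")]


def tags(inst):
    """Turn the Tags list of Key/Value objects into a plain dict."""
    return {t["Key"]: t["Value"] for t in inst.get("Tags", [])}


def inventory(doc):
    """One row per instance with the fields a server inventory needs."""
    rows = []
    for inst in instances(doc):
        present = tags(inst)
        rows.append({
            "InstanceId": inst["InstanceId"],
            "State": inst["State"]["Name"],
            "PublicDnsName": inst.get("PublicDnsName", ""),
            "MissingTags": [k for k in REQUIRED_TAGS if k not in present],
            # EC2-Classic instances carry no VpcId; checklist item 18 wants none of those.
            "InVpc": "VpcId" in inst,
        })
    return rows


def problems(doc):
    """Instance ids that violate the tagging or VPC requirement."""
    return [row["InstanceId"] for row in inventory(doc)
            if row["MissingTags"] or not row["InVpc"]]


if __name__ == "__main__":
    for row in inventory(SAMPLE):
        print(row)
    print("running:", running_public_dns(SAMPLE))
    print("needs attention:", problems(SAMPLE))
```

To use it on a live account, replace SAMPLE with `json.load(sys.stdin)` and pipe `aws ec2 describe-instances --output json` into it; the rest of the functions do not change.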

Trails

  1. list all trails

aws cloudtrail describe-trails

  1. list all S3 buckets

aws s3 ls

  1. create a new trail

aws cloudtrail create-subscription \
    --name awslog \
    --s3-new-bucket awslog2016

  1. list the TrailARN of all trails

aws cloudtrail describe-trails --output text | cut -f 8

  1. get the status of a trail

aws cloudtrail get-trail-status \
    --name awslog

Stories of the Week - 7:00PM-8:00PM

In the Press:

Paul's Stories

  1. Documenting the Chilling Effects of NSA Surveillance
  2. I'm Writing a Book on Security
  3. Lean Threat Intelligence
  4. Bringing HTTPS to all blogspot domain blogs
  5. Practical Reverse Engineering Part 2 - Scouting the Firmware · Hack The World
  6. Economy of mechanism – The road to hell is paved with SAML Assertions
  7. Jailbreaking the Microsoft fitness band – b0n0n's cottage
  8. haxx.ml — Hacking Mattermost: From Unauthenticated to System...
  9. Building a Home Lab to Become a Malware Hunter - A Beginner’s Guide | AlienVault
  10. GitHub - reverse-shell/routersploit: The Router Exploitation Framework - More and more projects like this, aweso


  1. SAST vs PEN TESTING - yea, so. this will be interesting to debate: Static Analysis vs Pen Testing
  2. Snort Lab: Custom SCADA Protocol IDS Signatures - Good usage for network IDS, modbus and its usage in your environment is custom and often not that complex. Take the whitelisting approach...
  1. IoT Security: Medical Devices Are the Next Target for Hackers - whoa. Again, such a scenario is not hypothetical. TechTarget reports that two patients in a hospital in Austria figured out how to hack into their own medication infusion pumps because they felt their pain was not being managed properly. Frighteningly, to get in, the patients simply went online, looked up the hard-coded passwords for their pumps, then used them to log in and adjust their doses. The patients ended up overdosing and suffering respiratory problems.
  2. Why it would have been a relief to know who’s behind bitcoin
  3. 10-year-old Finnish boy uncovers Instagram comments vulnerability - In 3 years, he can use the site...
  4. Are Your Web Applications Vulnerable to ImageTragick? Scan Them with Netsparker - RCE through image uploads, hurray!
  5. Craig Wright Revealed As Bitcoin Creator Satoshi Nakamoto - But then, backs out.
  6. I Am Craig Wright - This is just drama, and more drama. Who cares? Does it matter?
  7. Miniature Car Maker Drops Massive Malware - Popular die cast car manufacturer Maisto has been slinging the deadly Angler exploit kit which in turn installs the Cryptxxx ransomware on victim machines. The site appears to have been compromised through an outdated Joomla content management system
  8. How The Pwnedlist Got Pwned - uhm, does it matter that the information "leaked" was already public? Loaded question...

  1. Instagram Hacked By 10-Year-Old Boy - awesome. The boy, from Helsinki, told Finnish newspaper Iltalehti he planned to use the money to buy a new bike, football equipment and computers for his brothers.
  2. Two highly dangerous OpenSSL security bugs have been patched - Including a MiTM attack, I am not certain how feasible this attack is at the moment.

Larry's Stories

  1. Vulnerable Smart Home research from Microsoft and UMich found a way to insert backdoors and PINs into Samsung SmartThings home control stuff. "they analyzed 499 SmartThings and found that more than half of them had at least some level of privilege they considered overbroad, and that 68 actually used capabilities they weren’t meant to possess.” Out faults and bad apps abound...
  2. ImageMagick RCE - Damn. Just damn.
  3. Reverse engineering an ATM Skimmer - Well, at least part of it anyways. Pretty cool, but wonder how “legal”?
  4. Billions of credentials stolen? - and they were only sold for 50 rubles as a fire sale...

Joff's Stories

Kevin's Stories

Michael's (Santa) Stories

  1. Crooks Go Deep With ‘Deep Insert’ Skimmers