
Author Posts - Security

13 Articles
How to Use TLS Securely in Flask Applications

Dr. Paul Duplys, Dr. Roland Schmitz
26 Nov 2024
10 min read
Introduction

There is a lot of documentation and some books you can find on the TLS protocol and the theory behind it. But what do you do when you actually have to deploy TLS in a real-world application? For example, what do you do to enable TLS for your web application written in Flask? Securing web applications is more important than ever, and Transport Layer Security (TLS) plays a vital role in protecting data in transit. For developers using Flask, a popular Python web framework, implementing TLS might seem daunting. This article provides a practical guide to setting up TLS for Flask applications, focusing on Nginx as a reverse proxy, secure configurations, and avoiding common pitfalls. Whether you're a beginner or an experienced developer, you'll find actionable insights to ensure your application is both performant and secure.

TLS and Flask

If you want to write a web application, chances are you'll end up using Flask, a popular micro web framework written in Python. Flask is well known for its simplicity, flexibility, performance, and beginner-friendly learning curve. Flask is a WSGI (Web Server Gateway Interface) application, where WSGI is a standard interface between web servers and Python web applications or frameworks. A WSGI application is a Python callable that accepts two arguments, an environment dictionary and a start_response callable, and returns an iterable, allowing it to handle HTTP requests and responses in a standardized manner. In Flask, a WSGI server runs the application, converting incoming HTTP requests to the standard WSGI environment and converting outgoing WSGI responses to HTTP responses. When deploying your Flask application to production, the Flask documentation strongly recommends using a dedicated WSGI server rather than the built-in development server. WSGI servers have HTTP servers built in.
However, when serving your application with a WSGI server, it is good practice, and might even be necessary depending on the desired configuration, to put a dedicated HTTP server in front of it. This so-called "reverse proxy" handles incoming requests, TLS, and other security and performance concerns better than the WSGI server. The Flask documentation describes how to set up Nginx as a reverse proxy. The documentation also provides the following example configuration, but the example does not include TLS support.

    server {
        listen 80;
        server_name _;
        location / {
            proxy_pass http://127.0.0.1:8000/;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Prefix /;
        }
    }

So, what do you have to do to enable TLS? In Nginx, TLS and thus HTTPS support is provided by a dedicated module called ngx_http_ssl_module, which itself relies on the well-known cryptography library OpenSSL. Here's an example TLS configuration given in the ngx_http_ssl_module documentation:

    worker_processes auto;

    http {
        ...
        server {
            listen 443 ssl;
            keepalive_timeout 70;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
            ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
            ssl_certificate /usr/local/nginx/conf/cert.pem;
            ssl_certificate_key /usr/local/nginx/conf/cert.key;
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 10m;
            ...
        }
    }

But wait, what about insecure TLS configurations? How do you know that your setup will hold off the bad guys? To help you with this task, we wrote a small script which you can download at https://github.com/TLS-Port/TLSAudit. The script reads the TLS configuration options in a given Nginx configuration file and prints a warning for any weak or insecure TLS options. We believe the script is helpful because the Flask documentation also refers to older OpenSSL versions down to 1.0.2, which reached its official end of life at the end of 2019.
These old OpenSSL versions contain algorithms with known cryptographic weaknesses. In the remainder of the article, we want to highlight three important TLS parameters that are checked by the script.

TLS Ciphers

The ssl_ciphers directive specifies the enabled ciphers in a format understood by the OpenSSL library, for example:

    ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The full list of available ciphers can be obtained using the openssl ciphers command. However, not all ciphers supported by OpenSSL are considered secure. The Nginx documentation recommends the use of OpenSSL 1.0.2 or higher. Ciphers that should be avoided include:

  • RC4: A stream cipher which has been known to be vulnerable for a long time, irrespective of the key length.
  • DES and 3DES: DES is a very old cipher whose effective key length is far too short (56 bits). 3DES, or Triple DES, applies DES three times. It has a larger key space but is inefficient.
  • MD5-based cipher suites: MD5 is a broken hash algorithm susceptible to collision attacks. Its use weakens the security of the whole cipher suite.
  • Export-grade ciphers: Export-grade ciphers, which usually have EXP in their name, were intentionally weakened (to 40 or 56 bits) to comply with export restrictions from the 1990s. These ciphers are highly vulnerable to brute-force attacks.

Early data in TLS 1.3

The ssl_early_data directive enables or disables so-called early data in TLS 1.3. If two TLS endpoints share a secret key (called a pre-shared key, or PSK), TLS 1.3 allows them to communicate over a secure channel right from the start. This is referred to as zero round-trip time (0-RTT) mode, which was added in TLS 1.3. It reduces TLS latency by allowing client Bob to send data to server Alice in the first round trip, without waiting for Alice's response.
Bob uses the shared key to authenticate the server and to establish a secure channel for the early data, which is simply added to the standard 1-RTT handshake. The downside is that 0-RTT data is less protected. First, forward secrecy does not hold for this data because it is encrypted using keys derived from the PSK rather than from fresh, randomly generated key shares. This means that if the PSK gets stolen, the early data of previously recorded TLS sessions can be decrypted by the attacker. Second, 0-RTT data is not protected against replay attacks, where legitimately encrypted and authenticated data is recorded by an attacker and replayed into the communication channel. Regular TLS data is protected against this type of attack by the server's random value. 0-RTT data, in contrast, does not depend on the ServerHello message and therefore lacks fresh randomness from the server. Enabling early data can, therefore, decrease TLS security.

Elliptic Curves

The ssl_ecdh_curve directive specifies one or more so-called elliptic curves used in Elliptic Curve Diffie-Hellman ephemeral (ECDHE) key agreement. Unfortunately, there are some elliptic curves in OpenSSL 1.0.2 which are insecure by today's standards:

  • SECP192R1 (prime192v1 or P-192)
  • SECP224R1 (P-224)
  • SECP160R1 and SECP160K1
  • Brainpool curves with a number less than 256

TLS version

The ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3] directive specifies the TLS versions supported by the reverse proxy. As already discussed, SSLv2 and SSLv3 contain serious known security weaknesses and must not be used. But also for TLS versions 1.0 and 1.1 there are known attacks that were shown to work in practice. So, only TLS versions 1.2 and 1.3 should be used (and the former with care).

Naming: SSL or TLS?

Let's get things straight. Practically everybody surfing the web today uses web addresses starting with https, which stands for Hypertext Transfer Protocol Secure.
The Secure part is realized by a cryptographic protocol called Transport Layer Security, or TLS for short. SSL, on the other hand, refers to the initial versions of the protocol, dating back to the early 1990s. To address the security needs of the upcoming e-commerce, Netscape Communications started designing a new protocol they named Secure Sockets Layer (SSL) for establishing a secure channel between a web server and a web browser. SSLv1, the first version of the SSL protocol, had severe security issues, and Netscape never released its specification or implementation. In November 1994, Netscape publicly released SSLv2, the second version of the SSL protocol, and integrated it into Netscape Navigator 1.1 in March 1995. Soon after its release, however, a number of further security weaknesses were discovered in SSLv2. Learning from these flaws, Netscape redesigned SSL from scratch and released SSLv3 in late 1995.

In May 1996, the Internet Engineering Task Force (IETF) formed a working group to standardize an SSL-like protocol. The standardization process took around three years, and the TLS 1.0 standard was published as RFC 2246 in January 1999. While TLS 1.0 closely resembled SSLv3, it had no backward compatibility with SSLv3. Almost seven years later, in April 2006, the IETF published RFC 4346 defining the successor, TLS version 1.1. Publication of RFC 5246, and with it the new version TLS 1.2, followed in 2008. Finally, in August 2018, the IETF published RFC 8446, which specifies the newest TLS version, TLS 1.3.

Conclusion

Securing your Flask application with TLS is essential for protecting sensitive data and building user trust. By following the best practices outlined in this article, such as configuring strong ciphers, enabling secure TLS versions, and leveraging tools like TLSAudit, you can ensure a robust, production-ready setup. For a deeper dive into the intricacies of TLS and advanced cryptographic concepts, consider exploring the book TLS Cryptography in Depth, by Dr. Paul Duplys and Dr. Roland Schmitz.
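The following is an added example of the kind of check the article describes; it is not the authors' TLSAudit script and borrows nothing from it. It reads the four directives discussed above (ssl_protocols, ssl_ciphers, ssl_early_data, ssl_ecdh_curve) from Nginx configuration text and warns about the weak items the article names. The lists of weak protocols, cipher substrings and curves are assumptions drawn from the article's text rather than an exhaustive policy, and the two server blocks at the end are constructed samples modelled on the ngx_http_ssl_module example quoted above.

```python
"""Audit TLS-related directives in an Nginx configuration.

Added illustration for this article, not the TLSAudit script. The weak-item
lists below follow the article's text and are not an exhaustive policy.
"""
import re

# Protocol versions the article says must not (SSLv2, SSLv3) or should not
# (TLSv1, TLSv1.1) be enabled.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3"}
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Substrings of OpenSSL cipher-suite names indicating the algorithms the
# article warns about: RC4, DES/3DES, MD5-based suites, export-grade suites.
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "EXP")

# Curves the article lists as insecure (lower-cased OpenSSL names and aliases);
# Brainpool curves below 256 bits are matched by their size instead.
WEAK_CURVES = {"secp192r1", "prime192v1", "p-192", "secp224r1", "p-224",
               "secp160r1", "secp160k1"}
BRAINPOOL_RE = re.compile(r"^brainpoolp(\d+)[rt]1$")

# A directive of interest at the start of a line, value up to the semicolon.
DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_early_data|ssl_ecdh_curve)\s+([^;]+);",
    re.MULTILINE,
)


def extract_directives(config_text):
    """Return (name, value) pairs for the TLS directives, ignoring # comments."""
    cleaned = re.sub(r"#[^\n]*", "", config_text)
    return [(m.group(1), " ".join(m.group(2).split()))
            for m in DIRECTIVE_RE.finditer(cleaned)]


def check_protocols(value):
    findings = []
    for proto in value.split():
        if proto in FORBIDDEN_PROTOCOLS:
            findings.append(f"ssl_protocols: {proto} has serious known weaknesses and must not be enabled")
        elif proto in DEPRECATED_PROTOCOLS:
            findings.append(f"ssl_protocols: {proto} has practical attacks; use only TLSv1.2 and TLSv1.3")
    return findings


def check_ciphers(value):
    """Walk an OpenSSL cipher string: '!' and '-' entries exclude, '+' only reorders."""
    findings = []
    for token in value.split(":"):
        if token.startswith(("!", "-")):
            continue
        name = token.lstrip("+")
        if any(weak in name.upper() for weak in WEAK_CIPHER_TOKENS):
            findings.append(f"ssl_ciphers: '{name}' enables a weak cipher (RC4, DES/3DES, MD5 or export-grade)")
    return findings


def check_early_data(value):
    if value.lower() == "on":
        return ["ssl_early_data: 0-RTT data lacks forward secrecy and replay protection"]
    return []


def check_curves(value):
    findings = []
    for curve in value.split(":"):
        lowered = curve.lower()
        m = BRAINPOOL_RE.match(lowered)
        if lowered in WEAK_CURVES or (m and int(m.group(1)) < 256):
            findings.append(f"ssl_ecdh_curve: {curve} is insecure by today's standards")
    return findings


CHECKS = {"ssl_protocols": check_protocols, "ssl_ciphers": check_ciphers,
          "ssl_early_data": check_early_data, "ssl_ecdh_curve": check_curves}


def audit_config(config_text):
    """Return every warning for the TLS directives found in the config text."""
    findings = []
    for name, value in extract_directives(config_text):
        findings.extend(CHECKS[name](value))
    return findings


# Constructed sample, modelled on the documentation example quoted in the article.
WEAK_CONFIG = """
server {
    listen          443 ssl;
    ssl_protocols   TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers     AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_ecdh_curve  secp224r1:prime256v1;
    ssl_early_data  on;   # only the 1-RTT handshake is replay-safe
}
"""

# The same block with the weak settings removed (constructed).
HARDENED_CONFIG = """
server {
    listen          443 ssl;
    ssl_protocols   TLSv1.2 TLSv1.3;
    ssl_ciphers     ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve  X25519:prime256v1;
    ssl_early_data  off;
}
"""

if __name__ == "__main__":
    for warning in audit_config(WEAK_CONFIG):
        print("WARNING:", warning)
    print("hardened config warnings:", audit_config(HARDENED_CONFIG))
```

Running the script on the weak sample produces seven warnings (two deprecated protocol versions, three cipher-suite entries, one curve and the early-data switch); the hardened sample produces none. The cipher check deliberately skips entries prefixed with ! or -, since those remove suites from the OpenSSL list rather than enabling them.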
TLS is the most important and most widely used security protocol in the world. This book takes you on a journey through modern cryptography with TLS as the guiding light. It explains all necessary cryptographic primitives and how they are used within TLS. You'll explore the inner workings of TLS and its design structure.

Author Bio

Dr. Paul Duplys is chief expert for cybersecurity at the department for technical strategies and enabling within the Mobility sector of Robert Bosch GmbH, a Tier-1 automotive supplier and manufacturer of industrial, residential, and consumer goods. Prior to this position, he spent over 12 years with Bosch Corporate Research, where he led the security and privacy research program and conducted applied research in various fields of information security. Paul's research interests include security automation, software security, security economics, software engineering, and AI. Paul holds a PhD degree in computer science from the University of Tuebingen, Germany.

Dr. Roland Schmitz has been a professor of internet security at the Stuttgart Media University (HdM) since 2001. Prior to joining HdM, from 1995 to 2001, he worked as a research engineer at Deutsche Telekom, with a focus on mobile security and digital signature standardization. At HdM, Roland teaches courses on internet security, system security, security engineering, digital rights management, theoretical computer science, discrete mathematics, and game physics. He has published numerous scientific papers in the fields of internet and multimedia security. Moreover, he has authored and co-authored several books. Roland holds a PhD degree in mathematics from Technical University Braunschweig, Germany.
Automate Your Microsoft Intune Tasks with Graph API

Andrew Taylor
19 Nov 2024
10 min read
Why now is the time to start your automating journey with Intune and Graph

With more and more organizations moving to Microsoft Intune and IT departments under constant strain, automating your regular tasks is an excellent way to free up time to concentrate on your many other important tasks.

When dealing with Microsoft Intune and the related Microsoft Entra tasks, everything clicked within the portal UI sends API requests to Microsoft Graph, which sits underneath everything and controls exactly what is happening and where. Fortunately, Microsoft Graph is a public API, so anything carried out within the portal can be scripted and automated.

Imagine a world where, by using automation, you log in to your machine in the morning, and waiting for you is an email or Teams message generated overnight containing everything you need to know about your environment. You can take this information to quickly resolve any new issues and be extra proactive with your user base, calling them to resolve issues before they have even noticed themselves. This is just the tip of the iceberg of what can be done with Microsoft Graph; the possibilities are endless.

Microsoft Graph is a web API that can be accessed and manipulated via most programming and scripting languages, so if you have a preferred language, you can get started extremely quickly. For those starting out, PowerShell is an excellent choice, as the Microsoft Graph SDK includes modules that take the effort out of the initial connection and help write the requests. For those more experienced, switching to the C# SDK opens up more scalability and quicker performance, but ultimately it is the same web requests underneath, so once you have the basic knowledge of the API, moving these skills between languages is much easier.

When looking to learn the API, an excellent starting point is to use the F12 browser tools and select Network.
Then click around in the portal and have a look at the network traffic. This will be in the form of GET, POST, PUT, DELETE, and BATCH requests, depending on what action is being performed. GET is used to retrieve information and is one-way traffic, retrieving from Graph and returning to the client. POST and PUT are used to send data to Graph. DELETE is fairly self-explanatory and is used to delete records. BATCH is used to increase performance in more complex tasks. This groups multiple Graph API calls into one command, which reduces the number of calls and improves performance. It works extremely well, but starting with the more basic commands is always recommended.

Once you have mastered Graph calls from a local device with interactive authentication, the next step is to create Entra App Registrations and run locally, but with non-interactive authentication. This feeds into true automation, where tasks can be set to run without any user involvement; at this point, learning about Azure Automation accounts, Azure Functions, and Logic Apps will prove incredibly useful. For larger environments, you can take it a step further and use Azure DevOps pipelines to trigger tasks and even implement approval processes.

Some real-world examples of automation with Graph include new environment configuration, policy management, and application management, right through to documenting and monitoring policies. Once you have the basic knowledge of the Graph API and PowerShell, it is simply a case of slotting them together and watching where the process takes you. The learning never stops; before you know it, you will be creating tools for your other IT staff to use to quickly retrieve passwords on the go or do standard tasks without needing elevated privileges.

Now, I know what you are thinking: this all sounds fantastic and exactly what I need, but how do I get started, and how do I find the time to learn a new skill like this? We can start with time management.
I am sure throughout your career you have had to learn new software, systems, and technologies without any formal training, and the best way to do that is learning by doing. The same can apply here: when you are completing your normal tasks, simply have the F12 network tools open and have a quick look at the URLs and requests being sent. If you can, try to find a few minutes per day to do some practice scripts, ideally in a development environment; if not, start with GET requests, which cannot do any damage.

To take it further and learn more about PowerShell, Graph, and Intune, check out my "Microsoft Intune Cookbook", which runs through creating a tenant from scratch, both in the portal and via Graph, including code samples for everything possible within the Intune portal. You can use these samples to expand upon and meet your needs while learning about both Intune and Graph.

Author Bio

Andrew Taylor is an End-User Compute architect with 20 years of IT experience across industries and a particular interest in Microsoft Cloud technologies, PowerShell, and Microsoft Graph. Andrew graduated with a degree in Business Studies in 2004 from Lancaster University and has since obtained numerous Microsoft certifications, including Microsoft 365 Enterprise Administrator Expert, Azure Solutions Architect Expert, and Cybersecurity Architect Expert, amongst others. He is currently working as an EUC Architect for an IT company in the United Kingdom, planning and automating the products across the EUC space. Andrew lives on the coast in the North East of England with his wife and two daughters.
Scripting with Postman: A Practical Guide to Postman Scripting and Security

Confidence Staveley
11 Nov 2024
15 min read
Introduction

APIs are everywhere these days. In fact, they were responsible for a whopping 73% of internet traffic in 2023, according to the State of API Security in 2024 Report by Imperva. With this level of activity, especially in industries like banking and online retail, securing APIs isn't just important—it's essential. The average organization has around 613 API endpoints in production, and as the pressure to deliver faster mounts, that number is only growing. To keep up with this demand while ensuring security, adopting a 'shift-left' approach is crucial. What does that mean? It means integrating security earlier in the development process—right from the design stage, all the way to deployment. By doing this, you're not just patching up vulnerabilities at the end but embedding security into the very fabric of your API.

Getting Started with API Testing

API testing plays a huge role in this approach. You're essentially poking and prodding at the logic layer of your application, checking how it responds, how fast it does so, how accurately it handles data, and whether it can fend off security threats. This is where Postman shines. It's a widely used tool that's loved for its ease of use and versatility, making it a perfect fit for your shift-left strategy. With Postman, you can simulate attack scenarios, test for security issues, and validate security measures, all within the same space where you build your APIs. But before we dive into scripting in Postman, let's get it installed.

Installing Postman and Setting Up

First things first: if you don't already have a Postman account, head over to their website to create one. You can sign up using Google if you prefer. Once that's done, download the version that suits your operating system and get it installed. We'll need a vulnerable API to test our scripts against, and the BreachMe API from my book (API Security For White Hat Hackers) is perfect for this. You can find it here.
Follow the documentation to set it up, and don't forget to import the BreachMe collection into Postman. Just click the import button in the collections tab, and you're good to go.

Postman Scripting Basics

Scripts in Postman are where things get really interesting. They allow you to add dynamic behavior to your API requests, mimicking complex workflows and writing test assertions that simulate real-world scenarios. Postman's sandbox execution environment is written in JavaScript. This means that in order to make a script executable in Postman, it has to be written in JavaScript. So, if you're familiar with JavaScript, you're already halfway there.

There are two main types of scripts in Postman:

  • Pre-request scripts: These run before a request is sent to the API.
  • Post-response scripts: These kick in after the API responds.

For a single request, the pre-request script runs first, then the request is sent, and the post-response script runs once the response arrives.

You can run these scripts at three levels: the request level, the folder level, and the collection level. This flexibility means you can apply scripts to individual requests, a group of requests, or even an entire collection. Scripts at these levels are executed in a fixed order.

Dynamic Variables and API Testing

During API testing, you often need to work with various user inputs, which can be tedious to create manually each time. One of the coolest features of Postman scripting is the ability to add dynamic behavior to a request. Imagine trying to manually create user inputs for each test—it would be a nightmare.
Postman allows you to automate this process, generating variables like random usernames, random IP addresses, email addresses, and passwords on the fly. For example, to generate a dynamic username you can use {{$randomUserName}}. Want a dynamic email? Just use {{$randomEmail}}. And for a password, {{$randomPassword}} has you covered. This makes it easy to send as many requests to the register endpoint as we need to effectively test the API. Dynamic variables can also be set using pre-request scripts.

Post-Response Scripts for Functional Testing

Postman can be used to perform essential API testing such as functional testing, which is testing to ensure that the API works in the way it is intended to. When testing functionality, Postman allows you to send requests to your API endpoints and validate the responses against expected outcomes. You can check if the API returns the correct data, handles inputs properly, and responds with appropriate status codes (e.g., 200 OK, 404 Not Found). Let's try that in the above API to check if the login endpoint returns a 200 status code. Navigate to the login endpoint's script tab and choose the post-response tab. The script we will use is a single pm.test() call; let's break it down. The first argument, "Status code is 200", is used as the description of the test. The second argument is a function that contains the actual test. pm.response refers to the response object, and .to.have.status(200) evaluates whether the response status code is 200.

Post-response scripts can also be used to set tokens or variables that will be needed throughout the testing of the API. Imagine testing an API and manually copying and pasting variables between requests—tiring, right?
This approach ensures the variable is accessible across all requests in the collection, making your testing workflow more efficient, less error-prone, and more secure. Some variables contain sensitive data and may require a bit more protection, especially when working in a collaborative environment. Postman recommends using variables in such cases. Let's take the example of an access token that is short-lived, used by most of the endpoints in the collection, and set when the login request is successful. To streamline this, we can use a post-response script in the login endpoint to set it automatically.

Navigate to the auth folder of the Breachme_API collection and select the login endpoint. Ensure that the username you are trying to log in as is a registered user by calling the register endpoint before the login endpoint. When logging in, you'll need a correct username and password in the body of the request as shown below. The correct credentials result in a response containing the token. To set it, we need to take the response, extract only the token, and store it. The script looks like this:

    var theResponse = pm.response.json();
    pm.collectionVariables.set("access_token", theResponse.token);

The first line captures the response from the API request, converts it to a JSON object, and stores it in a variable theResponse. pm.response.json() is a Postman function that parses the response body as JSON, making it accessible as a JavaScript object. With the response accessible, we can then get the token with theResponse.token and set it as a collection variable with the pm.collectionVariables.set() function. The first parameter specifies the name of the collection variable you want to save it as.

Postman scripts can also be used to validate whether the response contains the expected data. Let's say you have created a post; you would expect it to have an 'id', 'username', 'message', and maybe an 'image'.
You can use Postman to check whether every expected field is returned in the expected format. Let's check if the register endpoint returns what we expect, with the body:

    {
        "username": "user2",
        "email": "user2@email.com",
        "password": "user2password"
    }

We expect the response to look like this:

    {
        "message": "user created successfully",
        "user": {
            "id": 2,
            "email": "user2@email.com",
            "username": "user2",
            "is_admin": false,
            "password": "#############",
            "createdAt": "2024-08-28T22:13:30.000Z"
        },
        "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MiwiZW1haWwiOiJ1c2VyMkBlbWFpbC5jb20iLCJ1c2VybmFtZSI6InVzZXIyIiwiaXNfYWRtaW4iOmZhbHNlLCJwYXNzd29yZCI6IiMjIyMjIyMjIyMjIyMiLCJjcmVhdGVkQXQiOiIyMDI0LTA4LTI4VDIyOjEzOjMwLjAwMFoiLCJpYXQiOjE3MjQ4ODMyMTAsImV4cCI6MTcyNTE0MjQxMH0.Z3fdfRXkePNFoWgX2gSqrTTtOy_AzsnG8yG_wKdnOz4"
    }

To automate it, we will use the following script in the post-response tab of the register endpoint:

    pm.test("User object has id, email, username, is_admin, password", function () {
        const responseData = pm.response.json();
        pm.expect(responseData.user).to.have.property("id");
        pm.expect(responseData.user).to.have.property("email");
        pm.expect(responseData.user).to.have.property("username");
        pm.expect(responseData.user).to.have.property("is_admin");
        pm.expect(responseData.user).to.have.property("password");
    });

To ensure that your API meets performance requirements, you can use a post-response script to measure the response time. The snippet we will use is shown below:

    pm.test("Response time is less than 300ms", function () {
        pm.expect(pm.response.responseTime).to.be.below(300);
    });

The above script uses the pm.test() function with the test description as the first argument and an anonymous function that contains the actual test as the second argument. The pm.expect() function is a Postman function that is used to make assertions; it sets up an expectation for a certain condition.
In this case, it expects that pm.response.responseTime will be below 300 milliseconds. Not meeting this expectation makes the test fail.

Conclusion

Scripting in Postman isn't just about convenience—it's about transforming your testing into a proactive, security-focused process. By using these scripts, you're not only automating repetitive tasks but also fortifying your API against potential threats. Combine this with other security measures, and you'll have an API that's ready to hold its own in the fast-paced world of software development. As you continue to deepen your understanding of API security and testing, consider exploring "API Security for White Hat Hackers", written by Confidence Staveley. This book is a comprehensive guide that simplifies API security by showing you how to identify and fix vulnerabilities. From emerging threats to best practices, this book helps you defend and safeguard your APIs.

Author Bio

Confidence Staveley is a multi-award-winning cybersecurity leader with a background in software engineering, specializing in application security and cybersecurity strategy. Confidence excels in translating cybersecurity concepts into digestible insights for diverse audiences. Her YouTube series, "API Kitchen," explains API security using culinary metaphors. Confidence holds an advanced diploma in software engineering, a bachelor's degree in IT and business information systems, and a master's degree in IT management from the University of Bradford, as well as numerous industry certifications such as CISSP, CSSLP, and CCISO. In addition to her advisory roles on many boards, Confidence is the founder of CyberSafe Foundation and MerkleFence.
Glen Singh on why Kali Linux is an arsenal for any cybersecurity professional [Interview]

Savia Lobo
15 Nov 2019
12 min read
Kali Linux is a popular term for anyone related to computer security. It is the most renowned tool for advanced penetration testing, ethical hacking, and network security assessments. To get to know Kali Linux more closely, we recently had a quick chat with Glen D. Singh, a cybersecurity instructor and infosec author whose latest book is Learn Kali Linux 2019. In his book, Glen explains how Kali Linux can be used to detect vulnerabilities and secure your system by applying penetration testing techniques of varying complexity. Talking to us about Kali Linux, Glen said that the inclusion of 300 pre-installed tools makes Kali Linux an arsenal for any cybersecurity professional. In addition to talking about certification options for both novice and experienced cybersecurity professionals, Glen also shared his favorite features from the latest Kali Linux version, 2019.3, among other things in this deeply informative discussion.

On why the cybersecurity community loves Kali Linux and what's new in Kali Linux 2019.3

What makes Kali Linux one of the most popular tools for penetration testing as well as for digital forensics?

The Kali Linux operating system has over 300 pre-installed tools for both penetration testing and digital forensics engagements, making this single operating system an arsenal for any cybersecurity professional. The developers of Kali Linux are continuously working to create rolling updates, new features, and new upgrades to the existing operating system. Today, you can even deploy Kali Linux on various cloud platforms such as Microsoft Azure, Amazon AWS, and DigitalOcean. This allows you to create a beast of a machine with any scale of computing resources, while allowing you access from anywhere. Furthermore, being a Linux-based operating system is one of the best things that makes Kali Linux popular.
This is because Linux is a very powerful operating system with built-in security, rolling updates, and security fixes, and is very light on computing resources as compared to other operating systems. Kali Linux can even be installed on a Raspberry Pi, making it a custom network implant device. Finally, what I love about Kali Linux is the fact that you can create a live USB with multiple persistence stores and apply the Linux Unified Key Setup (LUKS) Encryption Nuke, providing the option to wipe the stores using a Nuke password.

What are the features that excited you in the latest Kali Linux version, 2019.3, and why? According to you, how will these additions help Kali Linux grow as a community and for individuals using it?

One feature I'm definitely excited about in Kali Linux 2019.3 is the support for LXD container images. This feature will allow you to experience virtual machines on Kali Linux, but instead of using a hypervisor, you'll be using Linux containers. This provides some major benefits such as easy-to-scale containers and support for networking and storage management with security. Kali Linux 2019.3 has support for the new Raspberry Pi 4, which has an improved CPU and faster memory as compared to its predecessor. With the new upgrades to Kali Linux 2019.3, the pentesting operating system can take advantage of the 64-bit CPU on the new Raspberry Pi 4, thus maximizing the computing power in the tiny ARM device. I can definitely see cybersecurity enthusiasts having a lot more fun creating Linux-based containers in their Kali Linux 2019.3 version. Many will be excited to purchase a credit-card-sized computer, the Raspberry Pi 4, for setting up network implants and remote access configurations that are ready to be deployed.

Glen's journey in the cybersecurity sector and a few certification recommendations for a career upgrade

Tell us about your evolution in cybersecurity.
As a teenager, I was always fascinated by computers and how technologies work together. Upon completing my secondary level education, I began to pursue my first IT certification, which was CompTIA A+. During this certification, I was introduced to computer security, and this caught my attention a bit more than other topics. Later on, I pursued the CompTIA Network+ certification, and this is where network security caught my attention. Of course, I’m sure you can guess the next course of pursuit: the CompTIA Security+. This certification was the one which helped me realize my love for IT Security was growing and that this is what I wanted to pursue as a career. After completing my studies in CompTIA Security+, I realized that I had to make a big decision in choosing a specialization. The decision was a bit tough at the time; I decided to enroll for the Certified Ethical Hacker (CEH) programme. This was it for me, my first major certification in IT, and my love for cybersecurity grew even more as I wanted to specialize in offensive security tactics next.

From there onwards, I have continued to harness my skills in discovering vulnerabilities and learning about new hacking techniques. I had often wondered to myself at the time: if I can hack, surely there must be methods a digital forensics professional can use to find the malicious user. I decided to pursue the Computer Hacking Forensics Investigator (CHFI) certification as a natural progression in my journey to understand everything there is about cybersecurity. This taught me many things about operating systems, network and email forensics and so on. Additionally, I did a couple of firewall certifications and training such as CCNA Security, Check Point CCSA and Fortinet, as I wanted to learn more about how firewalls operate to protect organizations and improve network security.
During this time, I was working in an administrative position; however, my certifications allowed me to gain employment within the IT industry as a security professional at various companies. However, growth was a bit challenging in some of my past positions while my pursuit to continuously expand my knowledge was growing. Eventually, I began lecturing Cisco certification programmes and gradually took over cybersecurity certifications and training programmes at various institutions. This opportunity allowed me to grow a lot while working with others, develop secure network designs and strategies, develop training programmes, and train persons in both private and public sectors ranging from ISPs to government agencies in the field of cybersecurity.

In 2018, Packt Publishing reached out to me to be a Technical Reviewer for the book Penetration Testing with Shellcode. After this project was completed, Packt reached out once again in the same year, this time to be the Lead Author for the CCNA Security 210-260 Certification Guide, and before 2018 was over, I had my second book, CompTIA Network+ Certification Guide, published. In early 2019, my third title, Hands-On Penetration Testing with Kali NetHunter, was also published. Finally, in November 2019, my fourth book, Learn Kali Linux 2019, was published.

Currently, I work as a Cybersecurity Instructor delivering training in offensive security, network security and enterprise networking. Additionally, I share my knowledge and guidance with others through various social media platforms, provide mentoring for anyone in the community within ICT, and occasionally deliver speeches on cybersecurity awareness.

Following my dreams is what has led me to my career in cybersecurity, where I can help so many people in a lot of different ways, to secure their organizations or even safeguard their families from cyber-attacks and threats. I honestly love what I do, so I don't see it as “work” but as my passion.
Given the pace of change in tech and evolving threats, what role do certifications play, if any? What must-have certifications do you recommend for those starting their cybersecurity career and for those looking for a career boost?

Certifications will always play a vital role in the cybersecurity industry in both the present and future as technologies and threats evolve. Being a certified professional in the industry’s latest certifications helps with growth in your career. It also proves you have the necessary skills required for a job role and helps you specialize in technologies, making you stand out from the rest of the crowd. Whether you’re starting a career in cybersecurity or simply looking for a career boost, there are some must-have certifications I would definitely recommend.

If you’re new to the field of cybersecurity, I would personally recommend starting with a networking certification such as Cisco Certified Network Associate (CCNA), as it will help you develop a solid foundation in understanding the functions of networking components and protocols, the composition of network traffic as it’s passed along multiple networks, and how devices are interconnected and communicate. Networking knowledge will help you understand how cyber-attacks are delivered through the internet and corporate networks. Secondly, I would recommend both the Certified Ethical Hacker (CEH) certification from EC-Council and the Offensive Security Certified Professional (OSCP) certification from Offensive Security. The CEH contains a lot of valuable information and will help you get through the doors of Human Resources (HR) and various national security agencies; however, the OSCP is currently in higher demand in the cybersecurity industry due to its intensive hands-on training and practical testing, thus simulating a real-world penetration test.
Additionally, if finances are a bit challenging in one’s life, take a look at the Junior Penetration Tester (eJPT) and the Certified Professional Penetration Tester v2 (eCPPTv2) from eLearnSecurity. Before choosing a cybersecurity certification to enroll in, take a thorough look at the modules each certification has to offer and ensure each new certification you decide to pursue either teaches you something new or expands your existing knowledge and skill-set as a professional. Last but not least, learn some Linux.

On navigating the cybersecurity landscape by learning Kali Linux

How does your book, Learn Kali Linux 2019, help readers navigate the cybersecurity landscape in 2019? Are there any prerequisites? What are the top 5 key takeaways from your book?

As each day goes by, new threats emerge, while most are undetectable for long periods of time. My book, Learn Kali Linux 2019, is designed not only to teach you the role of being a penetration tester but also to help develop your mindset to be strategic when searching for security vulnerabilities that a hacker can exploit.

There are no formal prerequisites for this book; however, for anyone who is interested in pursuing their studies or a career in the cybersecurity industry, I would definitely recommend having a solid foundation in networking.

The top 5 key takeaways from my book are:

1. Learn how to perform penetration testing starting from scratch while gradually moving on to intermediate and advanced topics, while maintaining a student-centric approach for all learners.
2. Upon completing this book, you will also gain essential skills in learning and understanding the Linux operating system.
3. You will learn how to perform various stages of penetration testing using a very practical and real-world approach.
4. Beginning a career in cybersecurity, you will learn how to design and build your very own penetration testing virtual lab environment, where you can sharpen your hacking skills safely.
5. On completing this book, you will have the essential hands-on experience and knowledge to start a career in the field of cybersecurity.

On Kali Linux’s future scope and applications

Recently, Kali Linux has been made available for the compact computer board, Raspberry Pi 4. How do you see Kali Linux’s evolution over time? Is IoT the new frontier for cybersecurity professionals and hackers alike? Where else do you see Kali Linux adapting to in the coming years?

Since its initial release in 2012, the Kali Linux operating system has had a lot of major upgrades, thus creating an awesome operating system simply built for penetration testing and security auditing for the IT professional. Currently, Kali Linux can be installed on mobile devices such as smartphones and tablets by using the Kali Nethunter edition, and even on micro-computing devices with ARM processors such as the Raspberry Pi 4. Definitely, over the coming years, I can foresee that newer editions of Kali Linux will be supported on next-generation computing devices.

The rise of IoT devices and networks also brings about security concerns for both home and corporate users. Imagine there are hundreds and thousands of IoT devices out there that are connected to the internet but do not have any form of cyber protection. Imagine the possibilities of a hacker exploiting a security weakness on a medical device, or even a smart security system for homes; the hacker can monitor a person’s actions and much more. IoT can make our lives easier but, at the same time, open new doorways to cyber criminals. Definitely, as time goes by, Kali Linux will continuously evolve and improve to fit the needs of any cybersecurity professional.

In the coming updates, what additional features do you wish to see in Kali Linux?

In the upcoming updates, I really wish to see better support and improvements for the Kali Nethunter edition for both current and future devices.
Nethunter allows a cybersecurity professional to perform penetration testing tasks using their Android-based smartphone or tablet. Having Nethunter available on a pocket device provides convenience when you are on the go.

About the Author

Glen D. Singh is a cyber-security instructor, consultant, entrepreneur and public speaker. He has been conducting multiple training exercises in offensive security, digital forensics, network security, enterprise networking and IT service management annually. He also holds various information security certifications, such as the EC-Council's Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), Cisco's CCNA Security, CCNA Routing and Switching, and many others in the field of network security. Glen has been recognized for his passion and expertise by both private and public sector organizations of Trinidad and Tobago and internationally.

About the Book

Simply upgrade your Kali Linux skills with Learn Kali Linux 2019, which will help you understand how important it has become to pentest your environment to ensure endpoint protection. This book will take you through the latest version of Kali Linux to efficiently deal with various crucial security aspects such as confidentiality, integrity, access control and authentication.

Five reasons to begin a Packt subscription

Packt
12 Nov 2019
1 min read
The Packt library provides you with all the tools you need to stay relevant in tech, whether you’re looking to brush up your PHP skills or take advantage of our learning paths to start from scratch. Here are our top five reasons to begin a Packt subscription.

DevSecOps and the shift left in security: how Semmle is supporting software developers [Podcast]

Richard Gall
11 Nov 2019
2 min read
Software security has been 'shifting left' in recent years. Thanks to movements like Agile and Dev(Sec)Ops, software developers are finding that they have to take more responsibility for the security of their code. By moving performance and security testing earlier in the development lifecycle, it's much easier to identify and capture defects and issues.

The reasons for this are largely rooted in the utter dominance of open source software and the increasingly distributed nature of the systems we're building. To put it bluntly, if our software is open and loosely connected, the opportunity for systems to be exploited by malignant actors grows vastly. To tackle this, we're starting to see a wealth of platforms and tools emerge that are trying to support developers in embracing security as a fundamental part of the development process.

One such platform is Semmle, a code analysis platform designed to help developers and engineers identify issues quickly. To find out more about Semmle - and the wider DevSecOps movement - we spoke to Chief Security Officer Fermin Serna in an edition of the Packt Podcast. He explained how Semmle works, what it's trying to achieve, and placed it in the broader context of this 'shift left' that's quickly becoming a new reality for many engineers.

Listen to the episode: https://soundcloud.com/packt-podcasts/we-need-to-democratize-security-how-semmle-is-improving-open-source-security

To learn more about Semmle, visit its website here. You can also follow Fermin Serna on Twitter: @fjserna.

Read next:
5 reasons poor communication can sink DevSecOps
How Chaos Engineering can help predict and prevent cyber-attacks preemptively

"Developers need to say no" - Elliot Alderson on the FaceApp controversy in a BONUS podcast episode [Podcast]

Richard Gall
12 Aug 2019
5 min read
Last month there was a huge furore around FaceApp, the mobile application that ages your photographs to show you what you might look like as you get older. This was caused by a rapid cycle of misinformation and conjecture. It was thanks to cybersecurity researcher Elliot Alderson - who you might remember from last week's podcast episode - that the world was able to get beyond speculation and find out what was really going on.

We got in touch with Elliot shortly after the story broke. He was kind enough to speak to us about the FaceApp furore, and explained what caused the confusion and how he managed to get to the bottom of what was actually going on.

You can listen to what he had to say in this special short bonus episode: https://soundcloud.com/packt-podcasts/bonus-security-researcher-elliot-alderson-on-the-faceapp-furore

Elliot says that although FaceApp is problematic, it isn't unique. It poses exactly the same threat to our privacy as the platforms and applications that millions of people use every day. "There is an issue with FaceApp," he tells us. "But there is an issue with Facebook, with SnapChat, with Twitter - it's never a good idea for someone to upload a photo of your face to a random application."

This line of argument can be found elsewhere, and it is arguably the most important lesson we can learn. In this article from Wired, journalist Brian Barrett writes: "should you be worried about FaceApp? Sure. But not necessarily more than any other app you let into your photo library."

Should you use FaceApp?

However, although you might assume that a security professional would simply warn everyone against using these sorts of applications, Elliot says "this application is really trendy. You can see a lot of stars using it on social media, so this is normal - you want to use this application."

What you need to consider if you want to use FaceApp

However, if you do want to use it, you should be careful.
"You have to step back a little bit before using it and ask yourself a question" about how money is being made. "This is a free application... there are developers behind this application, they need to live, they need to eat, they need to live, they need to eat - they need to earn money - and in general the answer is with your data."

"You are the information," Elliot says. "You can decide to use it, and say okay, I'm ready to lose this part of my privacy in order to use this cool service... or you will... think no, it's not worth it. FaceApp seems to be cool, but my privacy is more important than something trendy like this."

The key, then, is to check the terms and conditions of the application. "You have to know that you will have lost a part of your privacy. And if you're okay with that then - okay, go for it, and use the application."

"Developers need to say no sometimes."

Developer responsibility and code ethics

There are clearly question marks for users about FaceApp, or, indeed, any other free application that has access to your data. But what about the developers building these applications? Do they have a part to play in ensuring that applications respect user consent and privacy?

"It's complicated for a developer to say no to their project manager," says Elliot. However, this doesn't mean developers should be content to follow orders from management. "Developers need to raise their level... and say okay, but ethics is also important..." Elliot continues, "as a technical guy I need to spread the message internally in my company, and say to the project manager, to the business, to the marketing department: okay, this is a cool feature but no, we won't do that because this is against our users."

"Developers need to say no sometimes - and companies need to understand that it's not okay to dump as much data as possible from their users."

How did Elliot Alderson uncover the truth about FaceApp?
One thing that is often forgotten in these stories is the technical process through which the truth is uncovered. Sure, that might be a little dry or complicated for some, but the fact that there is real detective work in understanding what's actually going on inside an application is incredibly interesting. It also highlights that while software might sometimes appear mysterious or even impenetrable, with the right skills and tools we can see how things actually work. That's not only useful from a technical perspective, it's also a way for all of us to retrieve a small sense of power back from applications built and owned by companies worth billions of dollars.

"It's not that easy, but it's not super complicated too," says Elliot. Although he tells us that "the first time you want to do it you need to spend some time on it for sure," once you're set up and ready to go you can find things out remarkably fast. Using a tool called Burp Suite, the whole process was complete in a matter of moments. "Checking FaceApp took literally 5 minutes for me, because everything is already set up on my computer and I just have to install the application and look at the network request."

Learn more about Burp Suite with Packt's selection of eBooks and videos here.

Follow Elliot Alderson on Twitter: @fs0c131y

Cybersecurity researcher "Elliot Alderson" talks Trump and Facebook, Google and Huawei, and teaching kids online privacy [Podcast]

Richard Gall
08 Aug 2019
3 min read
For anyone that's watched Mr. Robot, the name Elliot Alderson will sound familiar. However, we're not talking about Rami Malek's hacker alter ego - instead, the name has been adopted as an alias by a real-life white-hat hacker who has been digging into the dark corners of the wild and often insecure web. Elliot's real name is Baptiste Robert (whisper it...) - he was kind enough to let us peek beneath the pseudonym, and spoke to us about his work as a cybersecurity researcher and what he sees as the biggest challenges in software security today.

Listen: https://soundcloud.com/packt-podcasts/cybersecurity-researcher-elliot-alderson-on-fighting-the-good-fight-online

"Elliot Alderson" on cybersecurity, politics, and regulation

In the episode we discuss a huge range of topics, including:

- Security and global politics: Is it evolving the type of politics we have? Is it eroding trust in established institutions?
- Google’s decision to remove its apps from Huawei devices
- The role of states and the role of corporations: Who is accountable? Who should we trust?
- Regulation
- Technological solutions

What Elliot Alderson has to say on the podcast episode...

On Donald Trump's use of Facebook in the 2016 presidential election: “We saw that social networks have an impact on elections. Donald Trump was able to win the election because of Facebook - because he was very aggressive on Facebook and able to target a lot of people…”

On foreign interference in national elections: “We saw, also, that these tools… have been used by countries… in order to manipulate the elections of another country. So as a technician, as a security researcher, as an infosec professional, you need to ask yourself what is happening - can we do something against that? Can we create some tool? Can we fight this phenomenon?”

How technology professionals and governing institutions should work together: “We should be together. This is the responsibility of government and countries to find vulnerabilities and to ensure the security of products used by its citizens - but it’s also the responsibility of infosec professionals and we need to work closely with governments to be sure that nobody abuses vulnerabilities out there…”

On teaching the younger generation about privacy and protecting your data online: “I think government and countries should teach young people the value of personal data… personally, as a dad, this is something I’m trying to teach my kids - and say okay, this website is asking you your personal address, your personal number, but do they need it? ...In a lot of cases the answer is quite obvious: no, they don’t need it.”

On Google banning Huawei: “My issue with the Huawei story and the Huawei ban is that as a user, as a citizen, we are only seeing the consequences. Okay, Google ban Huawei - Huawei is not able to use Google services. But we don’t have the technical information behind that.”

On the importance of engineering ethics: “If your boss is coming to you and saying ‘I would like to have an application which is tracking people during their day to day work’ what is your decision? As developers, we need to say ‘no: this is not okay. I will not do this kind of thing’”.

Read next: Doteveryone report claims the absence of ethical frameworks and support mechanisms could lead to a ‘brain drain’ in the U.K. tech industry

Follow Elliot Alderson on Twitter: @fs0c131y

Listen: We discuss what it means to be a hacker with Adrian Pruteanu [Podcast]

Richard Gall
26 Apr 2019
2 min read
With numerous high profile security breaches in recent years, cybersecurity feels like a particularly urgent issue. But while the media - and, indeed, the wider world - loves stories of modern vulnerabilities and mischievous hackers, there's often very little attention paid to what causes insecurity and what can practically be done to solve such problems.

To get a better understanding of cybersecurity in 2019, we spoke to Adrian Pruteanu, consultant and self-identifying hacker. He told us about what he actually does as a security consultant, what it's like working with in-house engineering teams, and how red team/blue team projects work in practice. Adrian is the author of Becoming the Hacker, a book that details everything you need to know to properly test your software using the latest pentesting techniques.

What does it really mean to be a hacker?

In this podcast episode, we covered a diverse range of topics, all of which help to uncover the reality of working as a pentester:

- What it means to be a hacker - and how it's misrepresented in the media
- The biggest cybersecurity challenges in 2019
- How a cybersecurity consultant actually works
- The most important skills needed to work in cybersecurity
- The difficulties people pose when it comes to security

Listen here: https://soundcloud.com/packt-podcasts/a-hacker-is-somebody-driven-by-curiosity-adrian-pruteanu-on-cybersecurity-and-pentesting-tactics

Wolf Halton on what’s changed in tech and where we are headed

Guest Contributor
20 Jan 2019
4 min read
The tech industry is changing at a massive rate, especially after storage options moved to the cloud. However, this has also given rise to questions on security, data management, changes in the work structure within an organization, and much more. Wolf Halton, an expert in Kali Linux, tells us about the security element in the cloud. He also touches upon the skills and knowledge that should be inculcated in your software development cycle in order to adjust to the dynamic tech changes at present and in the future. Following this, he juxtaposes the current software development landscape with the ideal one.

Wolf, along with another Kali Linux expert, Bo Weaver, was also interviewed on why Kali Linux is the premier platform for testing and maintaining Windows security. They talked about the advantages and disadvantages of using Kali Linux for pentesting. We also asked them what they think about pentesting in cybersecurity in general. They have also talked about their stance on the role of pentesting in cybersecurity in their interview titled “Security experts, Wolf Halton and Bo Weaver, discuss pentesting and cybersecurity”.

Security on Cloud

The biggest change in the IT environment is how business leaders and others are implementing Cloud-Services agreements. It used to be a question of IF we would put some of our data or processes in the cloud, and now it is strictly a question of WHEN. The Cloud is, first and foremost, a (failed) marketing term designed to obfuscate the actual relationship between the physical and logical networks. The security protections cloud companies give you are very good from the cabling to the hypervisor, but above that, you are on your own in the realm of security. You remain responsible for safeguarding your own data. The main difference between cloud architectures and on-premises architectures is that the cloud systems aren’t as front-loaded with hardware costs and software licensing costs.
Why filling in the ‘skills gap’ is a must

The schools that teach the skills are often five or ten years behind in the technology they teach, and they tend to teach how to run tools rather than how to develop (and discard) approaches quickly. Most businesses that can afford to have a security department want to hire senior-level security staff only. This makes a lot of sense, as the seniors are more likely to avoid beginner mistakes. If you only hire seniors, however, it forces apt junior security analysts to go through a lot of exploitative off-track employment before they are able to get into the field.

Software development is not just about learning to code

Development is difficult for a host of reasons. First off, only about 5% of the people who might want to learn to code have access to the information and can think abstractly enough to be able to code. This was my experience in six years of teaching coding to college students majoring in computer networking (IT) and electrical engineering. It is about intelligence, yes, but out of a group of equally intelligent people taught to code in an easy language like Python, only one in 20 will go past a first-year programming course.

Security is an afterthought for IoT developers

The internet of things (IoT) has created a huge security problem, which the manufacturers do not seem to be addressing responsibly. IoT devices have a design flaw similar to the one that has informed all versions of Windows to this day. Windows was designed to be a personal plaything for technology enthusiasts who couldn’t get time on the mainframes available at the time. Windows was designed as a stand-alone, non-networked device. NT 3.0 brought networking and “enterprise server” Windows, but the monolithic way that Windows is architected, along with the direct kernel-space attachment of third-party services, continues to give Windows more than its share of high and critical vulnerabilities.
IoT devices are cheap as computers go, and since security is an afterthought for most developers, the IoT developers create marvelously useful devices with poor or nonexistent user authentication. Expect it to get worse before it gets better (if it ever gets better).

Author Bio

Wolf Halton is an Authority on Computer and Internet Security, a best-selling author on Computer Security, and the CEO of Atlanta Cloud Technology. He specializes in business continuity, security engineering, open source consulting, marketing automation, virtualization and data center restructuring, network architecture, and Linux administration.

Bo Weaver on Cloud security, skills gap, and software development in 2019

Guest Contributor
19 Jan 2019
6 min read
Bo Weaver, a Kali Linux expert, shares his thoughts on the security landscape in the cloud. He also talks about the skills gap in the current industry and why hiring is a tedious process. He explains the pitfalls in software development and where the tech is heading currently.

Bo, along with another Kali Linux expert, Wolf Halton, was also interviewed on why Kali Linux is the premier platform for testing and maintaining Windows security. They talked about the advantages and disadvantages of using Kali Linux for pentesting. We also asked them what they think about pentesting in cybersecurity in general. They have also talked about their stance on the role of pentesting in cybersecurity in their interview titled “Security experts, Wolf Halton and Bo Weaver, discuss pentesting and cybersecurity”.

First is “The Cloud”. I laugh and cry at this term. I have a sticker on my laptop that says “There is no Cloud…. Only other people’s computers.” Your data is sitting on someone else’s system along with other people’s data. These other people also have access to this system. Sure, security controls are in place, but the security of “physical access” has been bypassed.

You’re “in the box”. One layer of security is now gone.

Also, your vendor has “FULL ACCESS” to your data in some cases. How can you be sure what is going on with your data when it is in an unknown box in an unknown data center? The first rule of security is “Trust No One”. Do you really trust Microsoft, Amazon, or Google? I sure don’t!!! Having your data physically out of your company’s control is not a good idea. Yes, it is cheaper, but what are your company and its digital property worth?

The ‘real’ skills and hiring gap in tech

For the knowledge and skills gap, I see the hiring process in this industry as the biggest gap. The knowledge is out there. We now have schools that teach this field. When I started, there were no school courses.
You learned on your own. Since there is training, there are a lot of skilled people out there. But go looking for a job, and it is a nightmare. IT doesn’t do the actual hiring these days. Either HR or a headhunting agency does the hiring.

The people you talk to have no clue of what you really do. They have a list of acronyms to look for, which they have no clue about, to match to your resume. If you don’t have the complete list, you’re booted.

If you don’t have a certain certification, you’re booted even if you’ve worked with the technology for 10 years. Once, with my skill level, it took sending out over a thousand resumes and over a year for me to find a job in the security field. Also, when working in security, you can’t really talk about what you exactly did in your last job due to the NDA agreements with HR or a headhunter. Writing these books is the first time I have been able to talk about what I do in detail, since the network being breached is a lab network owned by myself. XYZ bank would be really mad if I published their vulnerabilities, and rightly so.

In the US, most major networks are not managed by actual engineers but by people with an MBA degree. The manager has no clue of what they are actually managing. These managers are more worried about their department’s P&L statement than the security of the network. In Europe, you find that the IT managers are older engineers that WORKED for years in IT and then moved to management. They fully understand the needs of a network and security.

The trouble with software development

In software development, I see a dumbing down of user interfaces.
This may be good for my 6-year-old grandson, but someone like me may want more access to the system. I see developers change things just for the sake of “change”. Take Microsoft’s Ribbon in Office. Even after all these years, I find the ribbon confusing and hard to use. At least with LibreOffice, they give you a choice between a ribbon and an old-school menu bar. Or take the changes in Gnome 3 from Gnome 2. This dumbing down and attempting to make a desktop usable for a tablet and a mouse totally destroyed the usability of their desktop. What used to take 1 click now takes 4 clicks to do.

A lot of developers these days have an “I am God and you are an idiot” complex. Developers should remember that without an engineer, there would be no system for their code to run on. Listen to and work with engineers.

Where do I see tech going?

Well, it is in everything these days, and I don’t see this changing. I never thought I would see a Linux box running a refrigerator or controlling my car, yet we do have them today. Today, we can buy a system the size of a pack of cigarettes for less than $30.00 (Raspberry Pi) that can do more than a full-size server could do 10 years ago. This is amazing. However, this is a two-edged sword when it comes to small, “cheap” devices. When you build a cheap device, you have to keep the costs down. For most companies building these devices, security is either non-existent or an afterthought. Yes, your whole network can be owned by first accessing that $30.00 IP camera with no security and moving on from there to eventually your Domain Controller. I know this works; I’ve done it several times.

If you wish to learn more about tools that can improve your average in password acquisition, from hash cracking, online attacks, offline attacks, and rainbow tables to social engineering, the book Kali Linux 2018: Windows Penetration Testing - Second Edition is the go-to option for you.
Author Bio

Bo Weaver is an old-school, ponytailed geek. His first involvement with networks was in 1972 while in the US Navy, working on an R&D project called ARPA NET. Bo has been working with and using Linux daily since the 1990s and is a promoter of Open Source. (Yes, Bo runs on Linux.) He now works as the senior penetration tester and security researcher for CompliancePoint, an Atlanta-based security consulting company.

Guest Contributor
18 Jan 2019
4 min read

Security experts, Wolf Halton and Bo Weaver, discuss pentesting and cybersecurity [Interview]

This is Part 2 of the interview with our two Kali Linux experts, Wolf Halton and Bo Weaver, on using Kali Linux for pentesting. In this section, we talk about the role of pentesting in cybersecurity. Previously, the authors talked about why Kali Linux is the premier platform for testing and maintaining Windows security. They talked about the advantages and disadvantages of using Kali Linux for pentesting. They also talked about their love for the Kali platform. Wolf says, “Kali is a stable platform, based upon a major distribution with which I am very familiar. There are over 400 security tools in the Kali repos, and it can also draw directly from the Debian Testing repos for even more tools.” Here are a few more questions we asked them about what they think about pentesting in cybersecurity in general.

Can you tell us about the role of pentesting in cybersecurity? According to you, how has pentesting improved over the years?

Bo Weaver: For one thing, pentesting has become an accepted and required practice in network security. I do remember the day when the attitude was “It can’t happen here, so why should you break into my network? Nobody else is going to.” Network security, in general, wasn’t even thought of by most companies, and spending money on network security was seen as a waste. The availability of tools has also grown in leaps and bounds. Also, the availability of documentation on vulnerabilities and exploits has grown, and the awareness in the industry of the importance of network security has grown.

Wolf Halton: The tools have gotten much more powerful and easier to use. A pentester will still be more effective if they can craft their own exploits, but they can now craft them in an environment of shared libraries such as Metasploit, and there are stable pentesting platforms like Kali Linux Rolling (2018) that reduce the learning curve to being an effective pentester.
Pentesting is rising as a profession along with many other computer-security roles. There are compliance requirements to do penetration tests at least annually or when a network is changed appreciably.

What aspects of pentesting do you feel are tricky to get past? What are the main challenges that anyone would face?

Bo Weaver: Staying out of jail. Laws can be tricky. You need to know and fully understand all laws pertaining to network intrusion, for both the state you are working in and the federal laws. In pen testing, you are walking right up to the line of right and wrong and hanging your toes over that line a little bit. You can hang your toes over the line, but DON’T CROSS IT! Not only will you go to jail, but you will never work in the security field again unless it is in some dark corner of the NSA.

Never work without a WRITTEN waiver that fully contains the “Rules of Engagement” and is signed by the owner or a “C”-level person of the company being tested.

Don’t decide to test your bank’s website even if your intent is for good. If you do find a flaw and report it, you will not get a pat on the back but will most likely be charged for hacking. Banks especially get real upset when people poke at their networks. Yes, some companies offer Bug Bounty programs. These companies have Rules of Engagement posted on their site, along with a waiver to take part in the program. Print this and follow the rules laid out.

Wolf Halton: Staying on the right side of the law. Know the laws that govern your profession, and always know your customer. Have a hard copy of an agreement that gives you permission to test a network. Attacking a network without written permission is a felony and might reduce your available career paths.

Author Bio

Wolf Halton is an authority on computer and Internet security, a best-selling author on computer security, and the CEO of Atlanta Cloud Technology.
He specializes in business continuity, security engineering, open source consulting, marketing automation, virtualization and data center restructuring, network architecture, and Linux administration.

Bo Weaver is an old-school, ponytailed geek. His first involvement with networks was in 1972 while in the US Navy, working on an R&D project called ARPA NET. Bo has been working with and using Linux daily since the 1990s and is a promoter of Open Source. (Yes, Bo runs on Linux.) He now works as the senior penetration tester and security researcher for CompliancePoint, an Atlanta-based security consulting company.

Guest Contributor
17 Jan 2019
9 min read
Save for later

Kali Linux 2018 for testing and maintaining Windows security - Wolf Halton and Bo Weaver [Interview]

Microsoft Windows is one of the two most common OSes, and managing its security has spawned the discipline of Windows security. Kali Linux is the premier platform for testing and maintaining Windows security. Kali is built on the Debian distribution of Linux and shares the legendary stability of that OS. This lets you focus on network penetration, password cracking, and using forensics tools, and not the OS. In this interview, we talk to two experts, Wolf Halton and Bo Weaver, on using Kali Linux for pentesting. We also discuss their book Kali Linux 2018: Windows Penetration Testing - Second Edition.

Read also: Kali Linux 2018 for testing and maintaining Windows security - Interview with Wolf Halton and Bo Weaver - Part 2

Kali Linux is the premier platform for testing and maintaining Windows security. According to you, what makes it ideal to use?

Bo Weaver: First, it runs on Linux and is built on Debian Linux. Second, the people at Offensive Security do a fantastic job of keeping it updated and stable with the latest tools to support not just pentesting but also forensics work or network analysis and diagnostics. You can tell that this platform is built and maintained by real security experts and isn’t some distro thrown together by some marketing folks to make a buck.

Wolf Halton: Kali is a very stable and extensible open source platform. Offensive Security’s first security platform, BackTrack, was customised in a non-POSIX way, breaking from UNIX or other Linux distros by putting the security tools in unexpected places in the filesystem. Since Kali was first released, they have used Debian Testing as a base and adhered to the usual file locations. This made Kali Linux far easier to use. The normalization of the OS behind the Kali Linux distro makes it more productivity-friendly than most of the other “Security Distros,” which are usually too self-consciously different.
Here, the developers are building their space in the mass of distros by how quirky the interface or how customizable the installation process has to be.

Why do you love working with Kali Linux?

Bo Weaver: I appreciate its stability. In all the years I have used Kali on a daily basis, I have had only one failure to update properly. Even with this one failure, I didn’t have any data loss. I run Kali as my “daily driver” on both my personal and company laptop, so one failure in all that time is nothing. I even do my writing from my Kali machines. Yes, I do all my normal computing from a normal user account and NOT root! I don’t have to go looking for a tool. Any tool that I need is either installed or is in the repo. Since everything comes from the same repo, updating all my tools and the system is just a simple command to keep everything updated.

Wolf Halton: Kali is a stable platform, based upon a major distribution with which I am very familiar. There are over 400 security tools in the Kali repos, and it can also draw directly from the Debian Testing repos for even more tools. I always add a few applications on top of the installation default set of packages, but the menus work predictably, allowing me to install what I need without having to create a whole new menu system to get to them.

Can you tell the readers about some advantages and disadvantages of using Kali Linux for pentesting?

Bo Weaver: I really can’t think of a disadvantage. The biggest advantage is that all these tools are in one toolbox (Kali). I remember a time when building a pentesting machine would take a week, having to go out and find and build the tools separately. Most tools had to be manually compiled for the machine. Remember “make”, “make install”? Then to have it bork over a missing library file. In less than an hour, you can have a working pentesting machine running.
As mentioned earlier, Kali has the tools to do any security job, not just pentesting, such as pulling evidence from a laptop for legal reasons, analyzing a network, finding what is breaking your network, or breaking into a machine because the passwords are lost. Also, it runs on anything from a high-end workstation to a Raspberry Pi or a USB drive with no problem.

Wolf Halton: The biggest disadvantage is for Windows-centric users who have never used any other operating system. In our book, we try to ease these users into the exciting world of Linux. The biggest advantage is that the Kali Linux distro is in constant development. I can be sure that there will be a Kali distro available even if I wander off for a year. This is a great benefit for people who only use Linux when they want to run an ad hoc penetration test.

Can you give us a specific example (real or fictional) of why Kali Linux is the ideal solution to go for?

Bo Weaver: There are other distros out there for this use. Most don’t have the completeness of toolsets. Most security distros are set up to be run from a DVD and only contain a few tools to do a couple of tasks and not all security tasks. BlackArch Linux is the closest to Kali in comparison. BlackArch is built on Arch Linux, which is a bleeding-edge distro that doesn’t have the stability of Debian. Sometimes Arch will bork on an update due to bleeding-edge buggy code in an update. This is fine in a testing environment, but when working in production, you need your system to run at the time of testing. It’s embarrassing to call the customer and say you lost three hours on a test fixing your machine. I’m not knocking BlackArch. They did a fine job on the build and the toolsets included. I just don’t trust Arch to be stable enough for me. This is not saying anything bad about Arch Linux. It does have its place in the distro world and does a fine job of filling its place in this world. Some people like bleeding edge; it’s just a personal choice.
The great thing about Linux overall is that you have choices. You’re not locked into one way a system looks or works. Kali comes with five different desktop environments, so you can choose which one is the best for you. I personally like KDE.

Wolf Halton: I have had to find tools for various purposes: tools to recover data from failed hard drives, tools to stress-test hundreds of systems at a time, tools to check whole networks at a time for vulnerabilities, tools to check for weak passwords, tools to perform phishing tests on email users, and tools to break into Windows machines, security appliances, and network devices. Kali Linux is the one platform where I could find multiple tools to perform all of these tasks and many more.

Congratulations on your recent book, Kali Linux 2018: Windows Penetration Testing - Second Edition. Can you elaborate on the key takeaways for readers?

Bo Weaver: I hope the readers come out with a greater understanding of system and network security and how easy it is to breach a system if simple and proper security rules are not followed. By following simple no-cost rules like properly updating your systems and proper network segmentation, you can defeat most of the exploits in the book. Over the years, Wolf and I have been asked by a lot of Windows Administrators, “How do you do a pentest?” This person doesn’t want a simple glossed-over answer. They are an engineer and understand their systems and how they work; they want a blow-by-blow description of how you actually broke it, so they can understand the problem and properly fix it. The book is the perfect solution for them. It contains methods we use in our work on a daily basis, from scanning to post-exploitation work. Also, I hope the readers find how easy Linux is to use as a desktop workstation and the advantages in security when using Linux as your workstation OS, and make the switch from Windows to the Linux desktop.
I want to thank the readers of our book and hope they walk away with a greater understanding of system security.

Wolf Halton: The main thing we tried to do with both the first and second edition of this book is to give a useful engineer-to-engineer overview of the possibilities of using Kali to test one’s own network, including very specific approaches and methods to prove their network’s security. We never write fictionalized, unworkable testing scenarios, as we believe our readers want to actually know how to improve their craft and make their networks safer, even though there is no budget for fancy-schmancy proprietary Windows-based security tools that make their non-techie managers feel safer. The world of pentesting is still edgy and interesting, and we try to infuse the book with our own keen interest in testing and developing attack models before the Red-Team hackers get there.

Thanks, Bo and Wolf, for a very insightful perspective into the world of pentesting and on Kali Linux! Readers, if you are looking for help to quickly pentest your system and network using easy-to-follow instructions and support images, Kali Linux 2018: Windows Penetration Testing - Second Edition might just be the book for you.

Author Bio

Wolf Halton is an authority on computer and Internet security, a best-selling author on computer security, and the CEO of Atlanta Cloud Technology. He specializes in business continuity, security engineering, open source consulting, marketing automation, virtualization and data center restructuring, network architecture, and Linux administration.

Bo Weaver is an old-school, ponytailed geek. His first involvement with networks was in 1972 while in the US Navy, working on an R&D project called ARPA NET. Bo has been working with and using Linux daily since the 1990s and is a promoter of Open Source. (Yes, Bo runs on Linux.)
He now works as the senior penetration tester and security researcher for CompliancePoint, an Atlanta-based security consulting company.