AppSec & OWASP Top 10 Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 03/21/2019
Momentum Developer Conference
Sharonville Convention Center
#momentumdevcon
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.
This presentation provides an overview and history of OWASP WTE. Additionally, it shows new OWASP WTE developments including the the ability to use WTE remotely by installing it on a cloud-based server.
Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto The presentation talks about how a disclsoure was forgotten and what we can do to prevent such issues and how to keep a track on Vulnerable components
OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.
This presentation provides an overview and history of OWASP WTE. Additionally, it shows new OWASP WTE developments including the the ability to use WTE remotely by installing it on a cloud-based server.
Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto The presentation talks about how a disclsoure was forgotten and what we can do to prevent such issues and how to keep a track on Vulnerable components
A 50 min talk at OWASP AppSec USA including demos Zest (a new security scripting language from Mozilla) and Plug-n-Hack (including fuzzing postMessages in the browser to find DOM XSS vulnerabilities). A video of this talk is available here: http://www.youtube.com/watch?v=pYFtLA2yTR8
Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode.
This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.
Slides from my 'Introduction to the OWASP Zed Attack Proxy' presentation at AppSec Dublin 2012.
For more info about ZAP see: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Tomasz Fajks gives short intro about Security Tests as well as guide how to start. He goes through comparison of two security scanners Burp Suite and OWASP Zed Attack Proxy (ZAP), trying to answer "which one is better".
A talk on ZAP Automation in CI/CD given remotely to OWASP Switzerland on 9th Febrary 2021 by Simon Bennetts.
Full video: https://www.youtube.com/watch?v=5oMp5O9CeSg
These slides provide instructions on how to setup a virtual security training lab that uses OWASP Broken Web Apps, OWASP WebGoat, and OWASP ZAP running on top of Virtual Box.
Technology First
16th Annual Ohio Information Security Conference
OISC 2019
#OISC19
The OWASP Top 10 & AppSec Primer
By Matt Scheurer (@c3rkah)
Dayton, Ohio
Date: 03/13/2019
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
AppSec & OWASP Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 09/17/2019
Cincinnati Tri-State (ISC)2 Chapter
September Meeting
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG), an Ambassador for Bugcrowd, and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
A 50 min talk at OWASP AppSec USA including demos Zest (a new security scripting language from Mozilla) and Plug-n-Hack (including fuzzing postMessages in the browser to find DOM XSS vulnerabilities). A video of this talk is available here: http://www.youtube.com/watch?v=pYFtLA2yTR8
Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode.
This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.
Slides from my 'Introduction to the OWASP Zed Attack Proxy' presentation at AppSec Dublin 2012.
For more info about ZAP see: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Tomasz Fajks gives short intro about Security Tests as well as guide how to start. He goes through comparison of two security scanners Burp Suite and OWASP Zed Attack Proxy (ZAP), trying to answer "which one is better".
A talk on ZAP Automation in CI/CD given remotely to OWASP Switzerland on 9th Febrary 2021 by Simon Bennetts.
Full video: https://www.youtube.com/watch?v=5oMp5O9CeSg
These slides provide instructions on how to setup a virtual security training lab that uses OWASP Broken Web Apps, OWASP WebGoat, and OWASP ZAP running on top of Virtual Box.
Technology First
16th Annual Ohio Information Security Conference
OISC 2019
#OISC19
The OWASP Top 10 & AppSec Primer
By Matt Scheurer (@c3rkah)
Dayton, Ohio
Date: 03/13/2019
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
AppSec & OWASP Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 09/17/2019
Cincinnati Tri-State (ISC)2 Chapter
September Meeting
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG), an Ambassador for Bugcrowd, and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG)
AppSec Night & OWASP Top 10 2017 Review
By Matt Scheurer (@c3rkah)
From: 02/15/2018
With exponential growth of internet usage and impact it has for our lives nowadays the importance of security becomes extremely more and more valuable, especially if we take into account number of users with closed to zero experience in IT and with limited knowledge in security.
That means we’re as engineers who create modern applications should take responsibility to make them more robust and secure.
In this talk I’m going to explore security topic for broader developers audience and share simple but yet useful strategies, tactics and techniques to help to make applications we create more secure.
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
Analysis of the quality of libraries in the Packagist universe. Introduction to some tools for assessing package quality. Concepts associated with quality.
Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference (IDOR), Access Control, Throttling, SQL Injection (SQLi), and Cross Site Scripting (XSS). Many of these vulnerabilities are found in the OWASP Top 10 list.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Information Systems Security Association (ISSA), and InfraGard.
Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference (IDOR), Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10 list.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
Lend me your IR's!
-Matt Scheurer
BSides Columbus
August 21, 2020
Abstract:
Have you ever felt compelled to tip your cap to a malicious threat actor? Protecting systems and networks as a tech defender means withstanding a constant barrage of unsophisticated attacks from automated tools, botnets, crawlers, exploit kits, phish kits, and script kiddies; oh my! Once in a while we encounter attacks worthy of style points for creativity or new twists on old attack techniques. This talk features live demo reenactments from some advanced attacks investigated by the presenter. The live demos showcase technical deep dives of the underpinnings from both the attacker and investigator sides of these attacks. Attendee key takeaways are strategies, freely available tools, and techniques helpful during incident response investigations.
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG), a former Ambassador for Bugcrowd, and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
Meeting Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
Exploiting the Tiredful API
Matt Scheurer
https://twitter.com/c3rkah
Abstract:
The "Tiredful API" is an intentionally designed broken app. The aim of this web app is to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. This presentation features live demos exploiting some of the known vulnerabilities including: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS).
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. Matt has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. He maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Information Systems Security Association (ISSA), and InfraGard.
Lend me your IR's!
-Matt Scheurer
Circle City Con
CircleCityCon 7.0 Apocalypse
June 13, 2020
Abstract:
Have you ever felt compelled to tip your cap to a malicious threat actor? Protecting systems and networks as a tech defender means withstanding a constant barrage of unsophisticated attacks from automated tools, botnets, crawlers, exploit kits, phish kits, and script kiddies; oh my! Once in a while we encounter attacks worthy of style points for creativity or new twists on old attack techniques. This talk features live demo reenactments from some advanced attacks investigated by the presenter. The live demos showcase technical deep dives of the underpinnings from both the attacker and investigator sides of these attacks. Attendee key takeaways are strategies, freely available tools, and techniques helpful during incident response investigations.
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG), an Ambassador for Bugcrowd, and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
Dayton Microcomputer Association (DMA):
April 2020 - Online Meeting
Date: April 28, 2020
Topic: Stupid Cyber Criminal Tricks and How to Combat Them
Speaker: Matt Scheurer
This talk covers various techniques used by cyber criminals, and how to spot them. This is the accompanying slide deck for a presentation that covers live demos. Who does not love a good cyber-crime story?
Continuous Skills Improvement for Everyone
Ohio Information Security Forum (OISF)
2019 Anniversary Conference
Saturday July 13, 2019
Matt Scheurer
Twitter: https://twitter.com/c3rkah
This presentation strives to provide some ideas to attendees toward effective career guidance and self-empowerment. Whether attendees are looking for their first Information Security career opportunity, looking to take that next career step, or making impacts to safeguard their own job security. This talk also encourages attendees to help mentor others and offers different examples of how to give back to the InfoSec community. I cover freely available and low cost technical training resources, but also go beyond that to provide other takeaways that touch on goal setting and emotional intelligence. My ultimate objective is to inspire others to find a path leading toward a better and more rewarding future.
Central Ohio InfoSec Summit: Why Script Kiddies SucceedThreatReel Podcast
Title: Why Script Kiddies Succeed
Event: 12th Annual Central Ohio InfoSec Summit
Date: May 23, 2019
Speaker: Matt Scheurer
Abstract:
Some offensive security tools have become so user friendly and simple that the barrier to compromising vulnerable systems has become trivial. We will use Kali Linux, SPARTA, OWASP ZAP, and Armitage to demonstrate just how easy exploiting some vulnerabilities has become. The takeaways will be on vulnerability scanning systems in your environment and Proof-of-Concept those findings to help improve your overall security posture. Eliminating the low hanging fruit of vulnerabilities in an environment will help harden those systems against low-skill attackers and receive more mature and meaningful findings from penetration tests.
Bio:
Some offensive security tools have become so user friendly and simple that the barrier to compromising vulnerable systems has become trivial. We will use Kali Linux, SPARTA, OWASP ZAP, and Armitage to demonstrate just how easy exploiting some vulnerabilities has become. The takeaways will be on vulnerability scanning systems in your environment and Proof-of-Concept those findings to help improve your overall security posture. Eliminating the low hanging fruit of vulnerabilities in an environment will help harden those systems against low-skill attackers and receive more mature and meaningful findings from penetration tests.
Presentation: Working in Information Technology and Cybersecurity: Now and in the Future...
Date: 11/14/2018
Speaker: Matt Scheurer
Venue: Butler Tech
Location: Cincinnati, Ohio
Abstract: This presentation covers career options working in Information Technology or Information Security. The target audience was High School Juniors at Butler Tech in Cincinnati.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the 11th Annual Northern Kentucky University Cybersecurity Symposium on 10/12/2018.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and ex-filtrate our data.
The focus of this presentation is on actively defending a live public facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitor’s impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
These are the slides from the physical security presentation at the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) meeting on 08/16/2018. Topics covered include physical security control types and methods.
This presentation covers the history of one of Cincinnati's longest running technology meetup groups. The Cincinnati Networking Professionals Association (CiNPA) has roots going back to the heyday of Novell Netware and is still running strong today. This is a retrospective look back at the origins of CiNPA and the CiNPA Security Special Interest Group (CiNPA Security SIG). This slide deck also touches on the first CiNPA Hacker's Night meetings and concludes with places where the CiNPA Security SIG has met and presented to date.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the Ohio Information Security Forum (OISF) Anniversary Conference on 07/14/2018 in Dayton, Ohio.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and ex-filtrate our data.
The focus of this presentation is on actively defending a live public facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitor’s impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
BSides Cleveland: Phishing Forensics - Is it just suspicious or is it malicious?ThreatReel Podcast
These are the slides from my "Phishing Forensics - Is it just suspicious or is it malicious?" presentation at the BSides Cleveland Information Security Conference on 06/23/2018 in Cleveland, Ohio.
Title: Phishing Forensics - Is it just suspicious or is it malicious?
Abstract:
What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the BSides Cleveland Information Security Conference on 06/23/2018 in Cleveland, Ohio.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and ex-filtrate our data.
The focus of this presentation is on actively defending a live public facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitor’s impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
Circle City Con: Phishing Forensics - Is it just suspicious or is it malicious?ThreatReel Podcast
Circle City Con 5.0
Phishing Forensics - Is it just suspicious or is it malicious?
-Matt Scheurer
Abstract:
What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.
ISSA COISS: : Phishing Forensics - Is it just suspicious or is it malicious?ThreatReel Podcast
Slide deck from my presentation at the ISSA's 11th annual Central Ohio InfoSec Summit on 05/14/2018.
Abstract:
What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the BSides Cincinnati Information Security Conference on 05/10/2018 in Cincinnati, Ohio.
BSides Indianapolis: Phishing Forensics - Is it just suspicious or is it mali...ThreatReel Podcast
Slide deck from my presentation at the BSides Indy InfoSec Conference on 03/10/2018.
Abstract:
What thoughts currently make tech defenders uneasy as they go to bed at night? Despite implementing and properly configuring the latest technological controls and security solutions into our environments, end users typically remain the most vulnerable point of entry into nearly any network. Unfortunately, only one misstep by a single user provides attackers with the foothold they need to begin compromising an entire enterprise network environment. The safety of our inboxes is a key initiative on the battlefront of protecting staff from the scourge of phishing and spear phishing attacks. We will perform a deep-dive look at the latest techniques used by criminals to bypass security products and traditional defense-in-depth strategies. We then focus heavily on conducting a digital forensic investigation on a sample phishing email message. Topics covered include technical analysis of message headers, message source code, message attachments, and malicious landing web pages even when a dedicated sandbox environment is unavailable.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
1. March 21, 2019
Matt Scheurer
@c3rkah
Slides:
https://www.slideshare.net/cerkah
AppSec & OWASP Top 10 Primer
AppSecAppSec
--------------------------------
& OWASP& OWASP
Top 10Top 10
2. About Me...
●
Sr. Systems Security
Engineer in the
Financial Services
Industry
●
Frequent speaker at
Information Security
/ Hacker
conferences
●
Teacher at heart!
●
Chair of the
6. What is OWASP?
The Open Web Application Security Project (OWASP),
an online community, produces freely-available
articles, methodologies, documentation, tools, and
technologies in the field of web application security.
●
Web site - https://www.owasp.org/
7. OWASP History
●
Started in December, 2001
●
Obtained 501c3 (non-profit) Status in April 2004
●
OWASP Top Ten List
– The "Top Ten", first published in 2003, is regularly
updated. It aims to raise awareness about
application security by identifying some of the most
critical risks facing organizations
●
The OWASP foundation has produced many
guides, projects, and publications, since their
beginning
8. OWASP Top 10 List (2017)
●
A1:2017-Injection
●
A2:2017-Broken
Authentication
●
A3:2017-Sensitive Data
Exposure
●
A4:2017-XML External
Entities (XXE)
●
A5:2017-Broken Access
Control
●
A6:2017-Security
Misconfiguration
●
A7:2017-Cross-Site Scripting
(XSS)
●
A8:2017-Insecure
Deserialization
●
A9:2017-Using Components
with Known Vulnerabilities
●
A10:2017-Insufficient
Logging&Monitoring
●
Current Version
– https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
– https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
9. Recent OWASP Top 10 Changes
From 2013 to 2017...
●
"Cross-Site Scripting (XSS)" Down from A3 to A7
●
"Insecure Direct Object References" (A4) and "Missing
Function Level Access Control" (A7)
– Merged into "Broken Access Control" as A5
●
"Security Misconfiguration" Down from A5 to A6
●
"Sensitive Data Exposure" Up from A5 to A3
●
"Cross-Site Request Forgery (CSRF)" Removed
●
"Unvalidated Redirects and Forwards" Removed
10. Additions to the OWASP Top 10
From 2013 to 2017...
●
A4:2017-XML External Entities (XXE)
●
A8:2017-Insecure Deserialization
●
A10:2017-Insufficient Logging & Monitoring
11. Where and How to Learn AppSec
●
We will cover some basic resources to help get
you started on a path towards self-learning...
– Basic Vulnerability Scanners
– AppSec Testing Platforms
– Free places to learn AppDev
– Free places to learn AppSec
– Free Learning / Practice Platforms
NOTE: These are not exhaustive lists as there
are many more resources available!
12. Starting Out...
●
Advice my mother
would offer about how
to begin learning
AppSec and testing
web server, website
and web application
security...
13. Vulnerability Scanners
●
Core Security: Core Impact
●
Rapid7 products: Nexpose
●
Tenable: Nessus
●
Qualys: Web Application Scanning (WAS)
●
Open Source: OpenVAS
●
Open Source / Kali Linux: Sparta / Nikto
14. AppSec Testing Platforms
●
Start with: OWASP ZAP (Zed Attack Proxy)
– https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
●
Move to: Fiddler - Free Web Debugging Proxy
– https://www.telerik.com/fiddler
●
Graduate to: Burp Suite Scanner
– https://portswigger.net/burp
●
Honorable Mention: Nmap w/ NSE Scripts
●
Honorable Mention: Samurai Web Testing
Framework
18. Troy Hunt Resources
●
Hack Yourself First
– "Hack Yourself First" is all about developers building
up cyber-offense skills and proactively seeking out
security vulnerabilities in their own websites before
an attacker does
– There are 50 intentional very sloppy security
practices to be found
– http://hack-yourself-first.com/
●
Free Accompanying Pluralsight Course
– http://pluralsight.com/training/Courses/TableOfContents/hack-yourself-first
19. What about a WAF?
●
A Web Application Firewall (WAF) filters, monitors,
and blocks attack traffic to and from specific web
applications.
– Prevents attacks stemming from web application security
flaws, such as SQL injection, cross-site scripting (XSS),
file inclusion, and security misconfigurations, etc.
●
WAF’s are good as a compensating control and a
good defense-in-depth strategy, but...
– Nobody should rely solely on a WAF for web app security
●
WAF bypasses are continuously being researched, published,
and included in exploit kit updates
●
A WAF is not likely to stop all of the attacks
20. *** Live Demo Alert ***
This presentation features “Live Demos”, because
the speaker is...
21. *** Live Demo Alert ***
This presentation features “Live Demos”, because
the speaker is...
22. *** Live Demo Alert ***
This presentation features “Live Demos”, because
the speaker is...
23. *** Live Demo Alert ***
This presentation features “Live Demos”, because
the speaker is...
25. *** Live Demo Alert ***
Please pick 2…
So I am not just Crazy!
26. Scanning Demo w/ Nikto!
●
Nikto
– Nikto is an Open Source (GPL) web server scanner which
performs comprehensive tests against web servers for
multiple items, including over 6700 potentially dangerous
files/programs, checks for outdated versions of over 1250
servers, and version specific problems on over 270 servers.
It also checks for server configuration items such as the
presence of multiple index files, HTTP server options, and
will attempt to identify installed web servers and software.
Scan items and plugins are frequently updated and can be
automatically updated.
– https://cirt.net/Nikto2
●
Nikto is available as a free download and is also
included in Kali Linux
27. Accidental Exposure Demo w/ ZAP!
●
OWASP ZAP
– The Zed Attack Proxy (ZAP) is an easy to use
integrated penetration testing tool for finding
vulnerabilities in web applications. It is designed to
be used by people with a wide range of security
experience including developers and functional
testers who are new to penetration testing.
– https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
●
ZAP is available as a free download and is also
included in Kali Linux
28. Conclusion
The need for AppSec
practitioners is great…
●
Because there’s a whole lot
of horrible out there!
31. March 21, 2019
Matt Scheurer
@c3rkah
Slides:
https://www.slideshare.net/cerkah
Thank you for attending!
AppSecAppSec
--------------------------------
& OWASP& OWASP
Top 10Top 10