Troy Hunt and Scott Helme have spoken about all the exciting security things, so let’s talk about the boring bits! When we think about application and infrastructure security, we often think about the big shiny things and forget the boring bits. In this talk, we’ll look at the security of our package dependencies, CI/CD tools, how we send email and even resolve hostnames. Over the last few months, hackers have managed to inject cryptocurrency miners into all these places. Security incidents in these components might not result in an entry in Have I Been Pwned?, but they'll result in a bad day.
This was presented at DDD Melbourne, which is a shortened version of this presentation.
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019 (kieranjacobsen)
Troy Hunt and Scott Helme have spoken about all the exciting security things, so let’s talk about the boring bits! When we think about application and infrastructure security, we often think about the big shiny things and forget the boring bits. In this talk, we’ll look at the security of our package dependencies, CI/CD tools, how we send email and even resolve hostnames. Over the last few months, hackers have managed to inject cryptocurrency miners into all these places. Security incidents in these components might not result in an entry in Have I Been Pwned?, but they'll result in a bad day.
Having been a Penetration Tester for the last 15+ years, I have seen many environments and technologies. I have had the pleasure / hell of testing systems I’ve never even heard of and the agony of defeat on a major scale. Instead of just going over what we used to work our way in, I want to go over the tricks the BLUE team used to keep us out! We will go over the technologies and techniques that have turned our traditional paths to root from minutes to months and the tricks that got us “caught” along the way. Not all pentests are a dream, and the nightmares CAN / DO happen. So, let’s talk about how YOUR environment can become an attacker's worst nightmare instead of their favourite playground.
Eradicate the Bots in the Belfry - Information Security Summit (Eric Vanderburg)
Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "Eradicate the Bots in the Belfry" at the Information Security Summit.
HKG15-407: EME implementation in Chromium: Linaro Clear Key (Linaro)
---------------------------------------------------
Speaker: Matt Snoby
Date: February 12, 2015
---------------------------------------------------
★ Session Summary ★
An example of a key system from a Clear Key point of view. Linaro implemented a sample CDM plugin for Chromium capable of exercising the EME implementation of the browser. The presentation gives insight into the EME/CDM implementation in Chromium and the guidelines for integrating various DRM systems. We will present call flows with example classes, experiences learned, and examples of things to watch out for.
--------------------------------------------------
★ Resources ★
Pathable: https://hkg15.pathable.com/meetings/250835
Video: https://www.youtube.com/watch?v=dJqCbTfKrMk
Etherpad: http://pad.linaro.org/p/hkg15-407
Also see: http://www.slideshare.net/linaroorg/hkg15407-eme-implementation-in-chromium-linaro-clear-key
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2015 - #HKG15
February 9-13th, 2015
Regal Airport Hotel Hong Kong Airport
---------------------------------------------------
http://www.linaro.org
http://connect.linaro.org
Security Vulnerabilities: How to Defend Against Them (Martin Vigo)
In recent years it has become the norm to wake up to news about hackers, cyber attacks, ransom campaigns and the NSA. Since 2003 the Open Web Application Security Project (OWASP) has been the go-to reference for learning about security vulnerabilities. OWASP publishes a list of the Top 10 most common security issues for the Web.
In this talk, we will review the list to learn the details and discuss how to harden and defend our Web applications from those vulnerabilities. If you care about your product and customer's data, want to become a better developer or are simply interested in the kind of cyber attacks delinquents use to compromise websites, this talk is for you.
The Ultimate Administrator’s Guide to HCL Nomad Web (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/the-ultimate-administrators-guide-to-hcl-nomad-web/
HCL Nomad Web is THE talk around the watercooler. More and more companies are looking into supplementing or outright replacing their Notes clients with this new browser based HCL solution. But doing so is a daunting prospect, given the many new technologies in play. To help you out, we went and collected everything you need to know in one place. Getting HCL Nomad Web up and running – start to finish, with live demos – only here!
Join HCL Ambassador Christoph Adler in this unmissable event for HCL administrators. Everything you see here you can put to good use immediately, as all tools are available with your HCL CCB license or are even free to use. Whether you already are using it, have just decided to start your HCL Nomad journey, or only want to see what it would mean to go down this path: if you don’t want to be left in the past, you must not miss this webinar!
What you will learn
- Understanding requirements, benefits, and limitations of HCL Nomad Web
- Installing HCL Nomad Web on the server (with or without HCL SafeLinx)
- Performing initial setup for end-users while preserving the workspace from their Notes clients
- Dealing with virtual infrastructures such as Citrix, VMWare, TS, and VDI
- Operating, optimizing, and troubleshooting on servers and clients
Domino Fitness. Time for a Health Check (Jared Roberts)
Here we explore your Domino ’fitness’ - that is - how well your Domino environment is performing, and show you how to execute a comprehensive health check including performance, security, database health, new features, and much more. Are you Domino fit?
Security Information and Event Management with Kafka, Kafka Connect, KSQL and... (confluent)
Security Information and Event Management with Kafka, Kafka Connect, KSQL and Logstash, Jason Bell, Kafka DevOps Engineer at Digitalis
Meetup Link: https://www.meetup.com/Amsterdam-Kafka-Meetup/events/276716115/
InSecure Remote Operations - NullCon 2023 by Yossi Sassi (Yossi Sassi)
Every admin tool is an attack tool, yet there are no good or bad shells - that part is up to you. Coming from dozens of engagements consulting on various role-based remote operations architectures and Red Team assessments for organizations on 4 continents, together with fresh research on hijacking full tokens from network logon-type sessions, we’ll dive into a technical, hands-on set of examples for both Offensive and Defensive teams of what SUCKS and what ROCKS in Windows ‘Living off the land’ remote admin operations, protocols, and APIs. We'll talk about the pros and cons of jump server architectures, as well as role-based shells and limiting PowerShell in creative ways. We'll also introduce fresh research to achieve full token hijack from network logon-type sessions, without any hash and/or TGT!
The Ultimate Guide for HCL Nomad Web Administrators (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/die-ultimative-anleitung-fur-hcl-nomad-web-administratoren/
HCL Nomad Web is THE hot topic in the Notes world. More and more companies are considering supplementing their HCL Notes landscape with Nomad Web, or even replacing it entirely. It is understandable that the changes and new technologies can seem overwhelming. To counter that, this webinar tells you everything you need to know about Nomad, from the first steps through to the final rollout to users. All of it practical and easy to understand.
Don't miss this insightful webinar with renowned HCL Ambassador Marc Thomas. Gain valuable insights you can put into action immediately, because everything you need is already included in your HCL CCB licence or is available free of charge. Whether you have already dived into the world of HCL Nomad Web, are planning to get started, or are simply curious whether the solution is right for you: if you don't want to be stuck in the past, you should not miss this webinar!
What you will learn
- Requirements, benefits and limitations of HCL Nomad Web
- Installation on the server (with and without HCL SafeLinx)
- Initial setup for end users, including carrying over the existing Notes client workspace
- Dealing with virtual infrastructures such as Citrix, VMWare, TS and VDI
- Operation, optimisation and troubleshooting on server and client
Percona Live 2021 - MongoDB Security Features (Jean Da Silva)
When we speak about security, the reality is that companies need to comply with multiple frameworks and regulations, and assessing which rules apply to each organization is no easy feat.
Over the talk, we will revisit the security features we can implement in a MongoDB environment. The aim is to provide further information on what you can use to help your company with future security implementations.
The topics presented will be:
* Authentication
* Authorization
* TLS/SSL
* External Authentication
* Auditing
* Log Redaction
* Encryption – Data at Rest and Client Field Encryption.
Speaker: Jean da Silva – Percona
Microsoft has provided an almost unlimited number of ways for you to securely deploy Azure resources; but people continue to make simple mistakes. In 2017 many organisations had breaches due to poor cloud deployment practices.
In this session, you’ll learn how to use Azure Resource Manager (ARM) templates to deploy resources in a secure manner. This session will look at Azure Storage, App Services, SQL, Virtual Machines and Virtual Networks. I'll discuss the costs, benefits and trade-offs of different design patterns and how you can secure your deployment pipelines.
Ransomware made headlines in 2017, with attacks shutting down the UK's NHS and costing Maersk shipping over $300m in lost revenue. Ransomware is a massive business for cybercriminals, driving the cost of bitcoin from $1200 to over $7000 per coin. We often see ransomware as some unbeatable force, however with some common sense controls and simple tricks, the damage can be reduced or even stopped. Join Kieran to learn some simple, free steps you can do to stop ransomware in its tracks.
Similar to CrikeyCon VI - The Boring Security Talk
The truth is that money can’t buy security, just as it cannot buy happiness. Ransomware has become a cybercriminal’s most profitable enterprise, and something that IT professionals and even the general public now fear. Ransomware is actually pretty simple and unsophisticated code, and at times the damage can be stopped with some simple tricks. Best of all, these are FREE!
Infrastructure Saturday - Level Up to DevSecOps (kieranjacobsen)
DevSecOps, or SecDevOps has the ambitious goal of integrating development, security and operations teams together, encouraging faster decision making and reducing issue resolution times. This session will cover the current state of DevOps, how DevSecOps can help, integration pathways between teams and how to reduce fear, uncertainty and doubt. We will look at how to move to security as code, and integrating security into our infrastructure and software deployment processes.
The IT industry has experienced rapid change and consolidation. The introduction of Cloud, Agile, DevOps and shortages in skilled staff have created immense pressure on enterprise IT teams. Organisations are concerned about the costs of data breaches, and need to act to ensure they do not become the next Yahoo, OPM or Target.
DevSecOps (or SecDevOps) integrates development, security and operations teams together to encourage faster decision making and reduce issue resolution times.
This session will cover the current state of DevOps, and how DevSecOps can help integrate pathways between teams to reduce fear, uncertainty and doubt. We will look at how to move to security as code, and integrate security into our infrastructure and software deployment processes.
Evolving your automation with hybrid workers (kieranjacobsen)
Azure Automation wants you to automate everything, everywhere. Hybrid Workers allow Azure Automation to reach new places within your infrastructure, allowing for more automation and less complexity. This session covers the basics of Hybrid Workers before looking at balancing workloads, managing resource dependencies, integrating with web hooks and monitoring job execution. The is a great session for anyone who is automating infrastructure or cloud resources.
Global Azure Bootcamp 2016 - Azure Automation Invades Your Data Centre (kieranjacobsen)
Azure Automation wants you to automate everything, everywhere. Hybrid Workers allow Azure Automation to reach new places within your infrastructure, allowing for more automation and less complexity. Learn how to deploy Hybrid Workers, balance automation workloads across groups of workers, trigger jobs off via web hooks, monitor jobs, remove scheduled tasks and much more.
Join me for the presentation where a blue screen of death is the desired result! MS15-034 was a particularly interesting vulnerability that turned out to have more bark than bite. Using PowerShell to test for MS15-034 presents us with a number of unique challenges; the solution is to look at a lower level, with raw TCP connections. This presentation will discuss MS15-034, what the vulnerability was, and how we can exploit it. Learn about working directly with TCP connections in PowerShell and the ins and outs you need to know.
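The raw-TCP approach the abstract refers to, as an added example that is not the presentation's own code: open a socket to an IIS host, send one hand-built HTTP/1.1 request carrying the over-long Range header that public checks for MS15-034 (CVE-2015-1635) use as a non-destructive probe, and classify the status line. The header value and the "416 means unpatched, 400 means patched" interpretation follow the publicly documented nmap and Metasploit checks rather than anything on the slides, so treat them as assumptions; the hostname is hypothetical, and the crash variant of the request is deliberately not sent. Only point this at hosts you are authorised to test.

```powershell
# Added example (not from the presentation): non-destructive MS15-034 probe over a raw TCP
# connection. Assumptions: unpatched HTTP.sys answers the over-long Range with 416, patched
# HTTP.sys rejects the header with 400. Anything else is reported as inconclusive.

function Get-HttpStatusCode {
    # Extracts the numeric status code from a raw HTTP response. Kept separate so the
    # classification can be exercised offline against constructed responses.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$RawResponse)

    $statusLine = ($RawResponse -split "`r?`n")[0]
    if ($statusLine -match '^HTTP/\d\.\d\s+(\d{3})') { return [int]$Matches[1] }
    return $null
}

function Get-MS15034Verdict {
    # Maps the status code of the probe response to a verdict (assumed mapping, see above).
    param($StatusCode)

    if ($StatusCode -eq 416) { return 'Likely vulnerable: HTTP.sys accepted the over-long Range header' }
    if ($StatusCode -eq 400) { return 'Likely patched: HTTP.sys rejected the over-long Range header' }
    return "Inconclusive: status '$StatusCode' (not IIS, behind a proxy, or no HTTP response)"
}

function Test-MS15034 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 80,
        [int]$TimeoutMs = 5000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.SendTimeout    = $TimeoutMs
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()

        # Hand-built HTTP/1.1 request; the Range upper bound is 2^64-1, the value public probes use.
        $request = "GET / HTTP/1.1`r`nHost: $ComputerName`r`nRange: bytes=0-18446744073709551615`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)

        # Only the start of the response is needed: the status line carries the verdict.
        $buffer = New-Object byte[] 4096
        $read = $stream.Read($buffer, 0, $buffer.Length)
        $raw = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read)
    }
    finally {
        $client.Close()
    }

    $code = Get-HttpStatusCode -RawResponse $raw
    [pscustomobject]@{
        ComputerName = $ComputerName
        Port         = $Port
        StatusCode   = $code
        Verdict      = Get-MS15034Verdict -StatusCode $code
    }
}

# Offline exercise of the classification against constructed responses (no network needed).
$constructedVulnerable = "HTTP/1.1 416 Requested Range Not Satisfiable`r`nServer: Microsoft-IIS/8.5`r`n`r`n"
$constructedPatched    = "HTTP/1.1 400 Bad Request`r`nServer: Microsoft-HTTPAPI/2.0`r`n`r`n"
Get-MS15034Verdict -StatusCode (Get-HttpStatusCode $constructedVulnerable)
Get-MS15034Verdict -StatusCode (Get-HttpStatusCode $constructedPatched)

# Live use against an authorised target (hypothetical hostname):
# Test-MS15034 -ComputerName iis.example.internal -Port 80
```

Going down to TcpClient rather than Invoke-WebRequest is the point of the exercise: the .NET HTTP stack normalises and validates headers before they leave the machine, so the malformed Range value either gets rewritten or rejected client-side and the test never reaches HTTP.sys. Reading only the first 4 KB and closing the connection keeps the probe cheap and avoids pulling a response body you do not need.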
PowerShell, the must-have tool and the long-overlooked security challenge. Learn how PowerShell’s deep integration with the Microsoft platform can be utilised as a powerful attack platform within the enterprise space. Watch as a malicious actor moves from a compromised end-user PC to the domain controllers, and learn how we can begin to defend against these types of attacks.
Since its release in 2010, the Hak5 Rubber Ducky has been an overlooked component of an attacker's arsenal. With almost every computer on the planet accepting input via keyboards and the USB standard known as HID (Human Interface Device), the Ducky abuses one of the ultimate trust relationships within a computer. The Ducky makes use of an extremely simple scripting language for the development of payloads, which can then be executed at speeds beyond 1000 words per minute. This presentation will cover the creation of your very first through to advanced payloads, as well as looking at some of the tools you can use to develop your own.
PowerShell, the must-have tool for administrators, and the long-overlooked security challenge. See Kieran Jacobsen present how PowerShell, with its deep Microsoft platform integration, can be utilised by an attacker as a powerful attack tool. Learn how an attacker can move from a compromised workstation to a domain controller using PowerShell and WinRM, whilst learning how to defend against these attacks.
Learn about the advances in Windows 8.1 and Windows Server 2012 R2 that allow your users to work from anywhere in the world. Kieran Jacobsen will cover topics including seamless corporate connectivity with DirectAccess, managing BitLocker with MBAM, user document synchronisation with Work Folders, and addressing the needs of enterprise security and any performance requirements you might have.
CMDLets, scripts, functions, methods and modules all make PowerShell sound very complicated however with some simple guidelines you too can become a PowerShell automation Pro!
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services (kieranjacobsen)
In every organization there is a growing need for a strong, well-designed public key infrastructure solution, and in many of these Active Directory Certificate Services will be used. This session will guide you through a solution based on best practice, shed some light on common issues encountered, and offer some shortcuts to assist in management with PowerShell.
Are you considering deploying DirectAccess? DirectAccess is Microsoft’s next generation remote access solution providing a seamless corporate network connectivity experience. The session will cover a number of issues that IT professionals deploying DirectAccess should be aware of including load balancing, certificates, and IP Infrastructure requirements.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
2. Hello!
I am Kieran Jacobsen
Head of Information Technology @ Readify
Microsoft MVP, Cloud and Datacenter Management
You can find me at:
◇ @kjacobsen
◇ Poshsecurity.com
9. Restricting Access
◇ Does it need Internet access?
◇ Can we lock down by source IP address?
◇ Can we lock down to specific destination port numbers?
10. Using SSO and MFA
◇ Enable and enforce HTTPS
◇ Enable SSO – Each user has an account
◇ MFA should be enabled for Internet exposed systems
11. Least Privilege
◇ Ensure CI/CD agents and processes run with the least privilege possible
◇ Restrict who has admin access to CI/CD
◇ Audit privileges regularly
12. Patching
◇ Ensure servers are in regular patching process
◇ Plan for CI/CD patching and dependency tool patching
19. Attacks Happen
◇ “DHS: Multiple US gov domains hit in serious DNS hijacking wave”, Ars Technica, 2019-01-26
◇ “Advice on Mitigating DNS Infrastructure Tampering”, Posh Security, 2019-02-12
◇ “A Deep Dive on the Recent Widespread DNS Hijacking Attacks”, Krebs on Security, 2019-02-18
◇ “DNS Squatting with Azure App Services”, Posh Security, 2017-08-27
20. DNS Control
◇ Open Source Software
◇ Developed and maintained by Stack Overflow
◇ Supports multiple registrars and DNS providers
◇ Can preview changes before pushing them
◇ https://stackexchange.github.io/dnscontrol/
31. From: "Have I Been Pwned" <noreply@haveibeenpwned.com>
Return-Path: bounces+3489673-b289-myuser=mydomain.com@mail.haveibeenpwned.com
32. Identifying Sources
◇ Your mail servers
◇ Applications
◇ Marketing campaign servers
◇ Bulk email services
◇ SaaS products
33. “We can’t use SPF, DKIM or DMARC because we don’t know who is legitimately sending email as our organisation‽”
34. SPF
◇ Validates mail is coming from authorised IP
addresses
◇ Information stored in DNS
◇ Validates envelope-from address
◇ Can include other SPF records – Office 365 etc
◇ DNS query limitations
35. DKIM
◇ Uses digital signatures to validate mail
◇ Validates Message-From header address
◇ Public key(s) stored in DNS
36. DMARC
◇ SPF and/or DKIM
◇ Alignment checks
◇ Allows domains to specify action if checks fail
◇ Reporting
◇ Policy stored in DNS
39. Browsealoud
“UK ICO, USCourts.gov... Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned”, The Register, 2018-02-11
42. “The maintainer whose account was compromised had reused their npm password on several other sites and did not have two-factor authentication enabled on their npm account.”
Good afternoon everyone, my name is Kieran Jacobsen, this is my fourth time speaking at CrikeyCon. It is such a pleasure to be returning to speak to you all this year.
Last time I was at CrikeyCon I spoke about DevSecOps. That content was built upon my experiences with DevOps and DevSecOps. Today’s content is an extension of that in a lot of respects. I want to talk about topics that are often overlooked, protecting CI/CD infrastructure, email security practices, DNS management and understanding what goes on when dependencies go bad.
Let’s start with our continuous integration and delivery systems. In a DevOps world, these are at the heart of a smooth running organisation. They are mission critical. Has anyone here ever considered the chaos an attacker could get up to if they pwned this infrastructure?
Let’s look at some common issues.
People love to overshare on the Internet. It is common to see start-ups and smaller organisations operating entirely in the cloud and exposing management interfaces and API endpoints to the Internet. These aren’t SaaS offerings like Azure DevOps or GitLab; these are self-hosted TeamCity and Jenkins instances.
There are quite a few common authentication mistakes. The lack of HTTPS is a major issue, though on its own it is less likely to get you owned.
The use of shared or generic accounts is very common. This isn’t just a licensing violation; it destroys your audit trail. You have no idea who is pushing code into production.
Even when named accounts are used, stale accounts are common: systems where developers who left long ago still have access. There are endless stories about disgruntled former employees.
The lack of MFA is another issue. MFA is one of the strongest defences against credential spraying attacks.
I am often contacted by consultants who are working in heavily locked down networks. Developers don’t have administrative rights on production, in some cases they don’t in development environments or their own workstations. The security teams are happy, everything is locked down. What they haven’t realised is that there is a large hole in this model. Devs have admin rights in the CI/CD systems, and these have administrator rights to prod. The developers actually have admin rights in prod.
How does this happen? Cloud access accounts and keys are often given far too many permissions, for instance AWS keys with access to far more resources and actions than the pipeline needs.
How do I put this in a family-friendly way? I really don’t understand why patching is hard. Most organisations have OS patching plans, but are then running old versions of their CI/CD tools, Git and their compilers.
Jenkins had a rough year last year. If you have it running in your organisation, how sure are you all of your instances are updated?
In February last year, hackers exploited vulnerabilities in Jenkins to make over 3 million dollars by mining Monero. They were successful simply because so many Jenkins servers are exposed to the Internet and, from experience, they have a lot of processing power. What shocks me is that no one seemed to notice their builds or deployments taking longer.
Would your AWS or Azure bill be the only way that you would detect these attacks?
So how do we protect against these attacks?
Network security 101 tells us that we should restrict access where possible. Do you need to expose your CI/CD systems to the Internet?
If all of your development and production systems reside within your corporate network, then your CI/CD probably doesn’t need to be Internet accessible.
If it does need to be accessible, can you restrict access to a set of trusted IP addresses? Perhaps a set of IP addresses you know legitimate connections will come from?
If you can’t do that, then look at restricting which destination ports are reachable from the Internet. If the management interface is on HTTPS and the server is managed over RDP or SSH, then no other service, SMB for instance, needs to be Internet accessible.
Authentication and privileged access should not occur over plaintext protocols like HTTP. Certificates are very easy to obtain, so don’t be lazy and fall back to self-signed certificates.
Users should have their own accounts. No shared accounts. Personal preference is that these accounts be connected via Single Sign-On. I don’t care if it is Azure AD, AD, Open LDAP or Google Apps, just use a centralised identity provider. The benefits of SSO are better auditing, monitoring and user account deprovisioning.
If you are exposing your CI/CD system to the Internet, then you must use multi-factor authentication. My opinion is that this is a mandatory requirement.
Side comment here. If you are an application vendor who doesn’t support SSO or MFA in 2019, or want to charge me for the right, I am going to look at another vendor. You obviously don’t care about security.
Your CI/CD agents and service accounts should run with the least privilege possible. Avoid using Local System on Windows and root on Linux. If you are running within an Active Directory domain, do not use a domain admin account for CI/CD. Restrict your AWS keys to only the resources and actions you need to perform, and assign access to Azure at a resource or resource group level, not at a subscription level.
Restrict who has administrative access to your CI/CD. If a junior developer only needs to see the status of builds or deployments, then they should only have the privileges to do just that.
Finally review everything on a regular basis.
Build a patching plan that includes all of the parts of your developer tool chain. IDEs, developer tools, compilers, packaging software and your CI/CD platforms. You probably all have OS patching plans, include the rest of these in that same process.
Before I finish talking about CI/CD, I quickly wanted to talk about an interesting story I saw from 2017.
There were bots that would hunt for projects using CI for PR validation. These bots would open pull requests that replaced the project’s code with bitcoin mining code, which the CI system would then run automatically as part of the PR validation process.
GitHub put controls in place to prevent this from occurring, but I want you to think about whether you could detect this type of attack; it is an interesting detection story.
DNS is one of those critical systems that never gets the attention it deserves. Every organization relies on DNS, yet, it's rarely considered as important as printing and email.
Let’s take a look at some of the challenges we have all seen with DNS Management.
I would say that in my experience, organizations struggle to understand what DNS entries they have, why they are there and when they were created or modified. Was that entry added by one of your system administrators or by an external attacker?
Now if you work in an environment where there are change management processes like ITIL, you might be feeling a bit smug. I have two challenges for you. Do you think your change process captures enough information? Second, how much time would it take you to find the appropriate change request for an entry I randomly point to in your DNS zone? Would it take 5 minutes? 30? An hour? A day?
The next challenge is the speed at which DNS changes are being made.
In the past, DNS changes happened infrequently. A system engineer or network engineer would perform DNS changes as part of a once or twice a year application upgrade cycle. Records would often remain unchanged for years at a time.
Things are changing. We want faster application release cycles, we want daily releases, we want DevOps, yet most teams haven’t changed how they approach DNS. Changes are still being performed manually by someone in the operations team.
If only I had a dollar for every outage caused by DNS, I probably wouldn’t need to work!
Why do these issues occur? Often it is a simple issue of visibility, those impacted by a DNS change weren’t aware it was occurring. Change Management should have helped with this, yet from experience, it often hides these changes.
With the move to providers like CloudFlare, Azure and Route53, more organizations are outsourcing the hosting of their external DNS. This has improved uptime but introduces another source of problems. The main mechanism for management is often a web portal, and even with APIs I see a lot of teams drifting towards these GUIs.
The biggest issue I see is transposition errors, that is, copy-and-paste errors leading to incorrect DNS entries. Confusing terminology and a lack of standardization also contribute to DNS configuration errors. We need a method of working with DNS that is standardized across providers.
Attacks against DNS have become more popular in the last few months. In January there were reports of multiple US government domains being hit by DNS hijacking, going so far as DHS and GCHQ releasing emergency directives warning about the risks. These two organisations don’t release directives very often; in fact for DHS this was their first emergency directive.
Dangling DNS entries are a major concern, particularly where public cloud services are in use. These are situations where DNS records, typically CNAME records, are created pointing at cloud services. At a later date those cloud services are deleted, but the CNAME records remain. They are left dangling. This happened to Microsoft in 2017. A researcher at Vulnerability Lab discovered that resnet.microsoft.com was a CNAME entry pointing to resnetportal-prod.azurewebsites.net. The only issue was that the website had been deleted. All an attacker would need to do is create a new App Service with the hostname resnetportal-prod.azurewebsites.net, and they would be able to take over the resnet.microsoft.com subdomain.
Can you imagine the effectiveness of a phishing attack using a page hosted on a Microsoft subdomain?
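As an added example (my code, not from the talk, DNSControl or Microsoft), here is a small checker for the dangling-CNAME problem just described. It walks a zone, resolves each CNAME target through a resolver you pass in, and flags targets that no longer exist; a target on a service where anyone can register an unused name, such as azurewebsites.net, is reported as a takeover risk rather than a plain broken record. The zone, the stub resolver and the suffix list are constructed for the example, and the suffix list in particular is an assumption kept deliberately short.

```python
"""Flag dangling CNAME records whose cloud targets no longer exist.

Added example: not code from the talk, DNSControl or Microsoft. The zone, the
stub resolver and the suffix list are all constructed for illustration.
"""
from typing import Callable, List, Optional, Tuple

# Assumption: a short illustrative list of hostname suffixes on services where
# an unused name can be registered by anyone; the real list is longer.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.net",
    ".trafficmanager.net",
    ".s3.amazonaws.com",
    ".herokuapp.com",
)

# Constructed zone as (name, type, target), modelled on the resnet case above.
ZONE = [
    ("www.example.com.",      "CNAME", "cdn.example-vendor.net."),
    ("resnet.example.com.",   "CNAME", "resnetportal-prod.azurewebsites.net."),
    ("blog.example.com.",     "CNAME", "old-blog.herokuapp.com."),
    ("mail.example.com.",     "A",     "192.0.2.25"),
    ("intranet.example.com.", "CNAME", "srv01.corp.example.net."),
]


def stub_resolve(name: str) -> Optional[List[str]]:
    """Stand-in for DNS: addresses for names that exist, None for NXDOMAIN."""
    live = {"cdn.example-vendor.net.": ["203.0.113.10"]}
    return live.get(name)


def is_claimable(target: str) -> bool:
    """True when the target sits on a service where unused names can be claimed."""
    host = target.rstrip(".").lower()
    return any(host.endswith(suffix) for suffix in CLAIMABLE_SUFFIXES)


def find_dangling_cnames(
    zone: List[Tuple[str, str, str]],
    resolve: Callable[[str], Optional[List[str]]],
) -> List[Tuple[str, str, str]]:
    """Return (record, target, severity) for every CNAME whose target is gone.

    severity is "takeover" when an attacker could register the target name,
    otherwise "broken": still an outage, but not a subdomain takeover.
    """
    findings = []
    for name, rtype, target in zone:
        if rtype != "CNAME" or resolve(target) is not None:
            continue
        severity = "takeover" if is_claimable(target) else "broken"
        findings.append((name, target, severity))
    return findings


if __name__ == "__main__":
    for record, target, severity in find_dangling_cnames(ZONE, stub_resolve):
        print(f"{severity:8} {record} -> {target}")
```

Pointing `resolve` at a real resolver turns this into a scheduled check against your exported zones; the resolver is injected so the logic can be tested without network access.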
So, what tools and processes can we use to ensure we have streamlined DNS management?
DNSControl is open source, written in Go and maintained by the Stack Overflow team. It allows you to preview changes before pushing them to your DNS provider.
At Readify, we have been using DNSControl to manage our own domains for a bit over a year. Anyone in Readify can propose a DNS change, and our Platforms team can then review and approve those requests. This has empowered developers to propose changes and removed my team as a bottle neck for new projects.
So how does DNS Control help us solve some of our DNS management problems?
DNSControl uses JavaScript to define
We need to write our DNS zone in a simple format that can be understood by everyone. The format should be easy enough for anyone to propose, review and understand changes. With DNSControl, a zone is defined using JavaScript. You don’t need to be a JavaScript expert to make changes, I have no idea how to write JavaScript and haven’t had any issues. The screenshot is a small piece of the Planet PowerShell DNS zone, see how easily you can tell which records are A, TXT and CNAME entries. Planet PowerShell is a community PowerShell content aggregator I run. If you are interested, you can see this entire file up on GitHub.
Within the human readable format, we should be able to use comments to describe the contents of the zone. Comments allow us to answer the age-old question: “what’s this record for?”. We can also use comments to explain decisions within the zone.
Version control systems, like Git, provide a core piece of this DNS puzzle. We store our DNSControl files in Git as it gives us a history of all changes to our zone and who made those changes. Git branches are cheap and easy to merge, allowing developers and engineers to make changes, verify them and then push them into production.
Git becomes our change tracking tool. With git log and git blame, we can easily determine what changes were made recently and by whom.
Platforms like GitHub and Azure DevOps extend Git with Pull Requests. If you are not familiar with pull requests, they are much like change requests in ITIL, but they are easier to create, review and don’t need a meeting to have them approved.
Pull requests shine a light on changes in a way that ITIL promised organizations but didn’t deliver.
We can require review from the teams and individuals who represent groups that may be impacted. A change to MX records might require approval from the email administrators and the security team.
The use of CI/CD is the final piece of the puzzle. This reduces the risk of human-generated errors.
With DNSControl, we can run our CI process for all pull requests. We use DNSControl’s preview function to validate the changes and report what actions it would take. This allows those reviewing the change to have confidence in the changes being made.
Next, once a PR is approved and the changes merged into master, our CD process can complete. This process will perform the push commands and actually perform the changes.
As you can see, we have a process for managing DNS that has change tracking, better visibility and is automated that doesn’t require sharing credentials with every developer and sysadmin in the company.
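To make the preview step concrete, here is an added example (my code, not DNSControl’s) of what a desired-state DNS tool computes before it pushes: a diff between the zone held in version control and the zone the provider currently serves, expressed as creates, deletes and modifications. Both zones are constructed and the record names and values are hypothetical.

```python
"""Preview the changes a desired-state DNS push would make.

Added example, not DNSControl's code: it shows the idea behind a preview step,
comparing the zone kept in version control with what the provider currently
serves and listing creates, deletes and modifications without applying them.
Both zones below are constructed.
"""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]  # (name, type, value)

# Constructed: what the provider currently serves.
CURRENT_ZONE: List[Record] = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("old.example.com.", "A", "203.0.113.99"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 mx -all"),
]

# Constructed: what the zone file in Git says it should be.
DESIRED_ZONE: List[Record] = [
    ("www.example.com.", "A", "203.0.113.20"),
    ("blog.example.com.", "CNAME", "blog-prod.azurewebsites.net."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 mx -all"),
]


def index(records: List[Record]) -> Dict[Tuple[str, str], Set[str]]:
    """Group values by (name, type) so each RRset is compared as a whole."""
    grouped: Dict[Tuple[str, str], Set[str]] = {}
    for name, rtype, value in records:
        grouped.setdefault((name.lower(), rtype.upper()), set()).add(value)
    return grouped


def preview(current: List[Record], desired: List[Record]) -> List[str]:
    """Return the actions a push would perform; an empty list means no drift."""
    have_all, want_all = index(current), index(desired)
    actions = []
    for name, rtype in sorted(set(have_all) | set(want_all)):
        have = have_all.get((name, rtype), set())
        want = want_all.get((name, rtype), set())
        if have == want:
            continue
        if not have:
            actions.extend(f"CREATE {rtype} {name} -> {v}" for v in sorted(want))
        elif not want:
            actions.extend(f"DELETE {rtype} {name} -> {v}" for v in sorted(have))
        else:
            actions.append(f"MODIFY {rtype} {name}: {sorted(have)} -> {sorted(want)}")
    return actions


if __name__ == "__main__":
    # In CI this output is attached to the pull request for reviewers; the push
    # step runs only after merge.
    for action in preview(CURRENT_ZONE, DESIRED_ZONE):
        print(action)
```

The preview output is what a reviewer actually needs on the pull request: a DELETE of an A record or a MODIFY of an MX record stands out far more clearly than a line changed in a zone file.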
Before I finish up on DNS, lets look at one more example.
Here you can see a page on Dell’s website, it is talking about their hardware-based encryption. The page has links to white papers and case studies to encourage you to use their product. Let’s assume I am interested in the Trusted Computers guide that is in the bottom left corner.
Let’s hover over the link to see where it goes.
That is a weird address. Dell4slg.com? What is that?
Dell4SLG stands for Dell for State and Local Government. It was a website marketing Dell products and services towards those groups, and quite a bit of content was at one point hosted there.
What happens when I click on this link?
That’s not the Dell website, that is a plumbing supplies company in Turkey! It seems some Internet prankster noticed the domain wasn’t renewed and decided to have some fun by setting up a little traffic redirector.
Your domains and their associated entries are part of your organisation’s brand. You need to take steps to protect these as you would any other brand asset.
As an industry, we like to believe that the world is moving away from email. The truth is, even if you use Slack for all your internal communications, email will be used to communicate with your customers and suppliers. We also use email for activities like account confirmations and password resets.
Considering how sensitive email is to our business, it doesn’t appear that many businesses take the steps to ensure that recipients of our emails can verify them as legitimate.
Where do we start with what is wrong with email?
Pretty much all email based attacks are still increasing and the quality is improving year on year.
There are more stories of whaling style attacks against executives and high-profile targets. These emails come in the form of legal subpoenas or customer complaints; these are concerns that hook executives very effectively.
I think we have probably all heard about the various executive impersonation attacks. Attackers pose as senior executives and send requests to finance or admin teams or executive assistants. There is a request for an urgent money transfer to complete a deal, or for purchasing gift cards to secure a client. These attacks create a sense of urgency, and posing as the CEO means the requests are rarely questioned.
My frustration with all of this is that we can make these attacks harder, but most organisations seem hesitant to put the controls in place.
Before looking at these controls, lets touch on some email basics.
Here is an email that has been sent by Have I Been Pwned.
Every email message is made of two parts. Headers, which are key value pairs providing delivery and diagnostic information, and the message body, the bit we see in our mail client.
These are the headers for that email. There are 60 headers for this message alone.
IANA currently lists 335 permanent and 56 provisional headers; however, mail servers can add their own custom headers. In this example, more than half are specific to Office 365.
Let’s take a look at 2 of the more important headers.
The from header can be a source of confusion. The problem is that when we send a message using SMTP, we specify who the message is from twice.
When the SMTP connection is built, the sending SMTP client specifies the sender’s email address in the MAIL FROM command; this is often called the envelope from or SMTP from. Later on, in the mail headers, the client specifies who the sender is again. This we call the message from or header from field, and it is this that mail clients use to display who the message is from.
These two don’t have to match. They typically do, but in some cases, for instance when using platforms like SendGrid, they may not.
The Return-Path header is added by the receiving server when it accepts the message, and contains the envelope from.
Now that we understand some basics, we can start to take control. The first step is to find out who is sending email.
There’s the obvious sources, corporate mail servers and your internal applications, but there are other sources that your IT team might not know about.
Your marketing, sales and development teams might be using services like Mailchimp and SendGrid to send emails to your customers.
A big hurdle is SaaS products. A number of these platforms will want to send as your domain, for instance, an employee creates leave request, the HR system will send an email to their manager as the employee requesting approval.
In some organisations, the thought of determining all the sources is just too much.
Most organisations have policies around their use of their brand. What colours can be used, how their logo can be used. Your domain is part of your brand. You should be protecting it as you would any other brand asset.
If you don’t want to take steps to protect it, why should I believe you care about security? Don’t you want to record who is sending email as your brand?
The next step is implementing SPF.
SPF is a list of the IP addresses that are allowed to send email as our domain. The list is published as a TXT record in our DNS zone. Receivers can check this list and reject unauthorised messages.
A common misconception is that SPF validates the message from header; it actually validates the envelope from.
SPF has some advantages and disadvantages. SPF allows us to link different records together using include. This removes the need for administrators to maintain lists when they use Office 365 or Google Apps. Here is also the major issue: there is a limit of ten DNS lookups per SPF check, and every include, redirect, a, mx, ptr and exists term counts against it. Nested vendor includes consume that budget quickly, and exceeding it makes the check fail with a permanent error.
In some organisations, care will need to be taken to ensure you are below this limit.
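To make the lookup limit concrete, here is an added example (not part of the talk) that walks an SPF record and its include: chain and counts the terms that cost a DNS lookup. The TXT records are a constructed, in-memory stand-in for DNS so the code runs offline; the hostnames and addresses in it are assumptions for illustration. The cap of 10 lookups per evaluation comes from RFC 7208.

```python
import re

# Constructed stand-in for DNS TXT lookups (assumption: no live DNS is queried here).
# The domains and addresses are illustrative only.
FAKE_TXT = {
    "example.com": "v=spf1 mx include:spf.protection.outlook.com include:sendgrid.net ip4:203.0.113.0/24 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 include:spfd.protection.outlook.com -all",
    "spfd.protection.outlook.com": "v=spf1 ip4:198.51.100.128/25 -all",
    "sendgrid.net": "v=spf1 a mx exists:%{i}._spf.sendgrid.net -all",
    # A record that blows the budget: eleven includes, none of which resolve.
    "toomany.example": "v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all",
}

# Mechanisms and the redirect modifier that each cost one DNS lookup.
# RFC 7208 section 4.6.4 caps these at 10 per SPF evaluation; ip4/ip6/all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$")


def count_spf_lookups(domain, txt=FAKE_TXT, seen=None):
    """Count lookup-incurring terms reachable from domain's SPF record,
    following include: and redirect= into the referenced records."""
    seen = set() if seen is None else seen
    if domain in seen:          # guard against include loops
        return 0
    seen.add(domain)
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0                # no record: nothing further to count (a real check reports permerror)
    total = 0
    for raw in record.split()[1:]:
        term = raw.lstrip("+-~?")           # drop the pass/fail/softfail/neutral qualifier
        m = TERM_RE.match(term.lower())
        if not m:
            continue
        name, arg = m.group(1), m.group(2)
        if name not in LOOKUP_TERMS:
            continue
        total += 1                          # the term itself costs a lookup
        if name in ("include", "redirect") and arg:
            total += count_spf_lookups(arg, txt, seen)   # ...and so does whatever it pulls in
    return total


def spf_lookup_budget(domain, txt=FAKE_TXT):
    """Return (lookups_used, within_limit) for a domain's SPF record."""
    used = count_spf_lookups(domain, txt)
    return used, used <= MAX_LOOKUPS


if __name__ == "__main__":
    for d in ("example.com", "toomany.example"):
        used, ok = spf_lookup_budget(d)
        print(f"{d}: {used} DNS lookups, {'OK' if ok else 'OVER LIMIT'}")
```

Run it against the real zone by replacing FAKE_TXT with a dict filled from actual TXT lookups; the counting logic is the same. Every include: you add for a new SaaS sender spends part of the budget, which is why the count is worth tracking whenever a vendor is onboarded.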
Once you are comfortable that your SPF record is correct, you can move onto DKIM.
DKIM uses digital signatures to validate authorised servers. It differs from end-to-end digital signatures like PGP or S/MIME and doesn’t provide the same level of protection. These signatures are not visible to the recipient; they are added to the headers by the sending server and then validated by the receiving server. Validation is performed by publishing the server’s public keys in the sender’s DNS.
Unlike SPF, DKIM validates the Message-From header.
DKIM is going to take more effort to implement than SPF. You need to ensure that each system that is sending email as your domain supports DKIM. With one vendor, we had to wait 6 months for them to implement DKIM. When reviewing SaaS products, particularly ones that send email, I always confirm DKIM support.
Once you have DKIM implemented, the next step is a DMARC policy.
A lot of organisations are terrified that creating a DMARC policy might result in their emails not being delivered to customers. Yes, you can shoot yourself in the foot with DMARC, but with care, you can ensure successful delivery.
DMARC is built upon SPF and DKIM, and it adds the check that the message from and envelope from are aligned. The idea is that if the SPF or DKIM checks are successful, and the headers are aligned, then the message is valid.
Domains can specify different policies, that is, the actions receivers should take when a message fails verification. Senders can also specify whether receivers should provide reports on accepted and failed messages.
Your DMARC policy is stored within DNS. I suggest starting with the none policy, then moving to quarantine and finally reject.
There is an interesting quirk with Office 365. Office 365 handles the reject policy as it would the quarantine policy. It ignores the senders wishes and will deliver failed messages to the users junk mail. I have no idea why they did this.
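Here is an added example (not from the talk) that parses a DMARC record and applies the alignment logic just described: a message passes if either SPF or DKIM passed and the domain that passed is aligned with the header From domain; otherwise the published policy (p=, or sp= for subdomains) is the disposition. It applies the policy as the sender specified it, not the Office 365 behaviour mentioned above. The record and domains are constructed for illustration, and the organisational-domain helper is a simplification (real evaluators consult the Public Suffix List).

```python
# Constructed DMARC record (assumption: tag values chosen for illustration only).
EXAMPLE_DMARC = ("v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; pct=100; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, filling in the defaults DMARC assumes."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless told otherwise
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless told otherwise
    return tags


def org_domain(domain):
    """Simplification (assumption): organisational domain = last two labels.
    Real implementations use the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') requires an exact match; relaxed ('r') accepts the same organisational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record, header_from, envelope_from, spf_pass, dkim_pass, dkim_d=None):
    """Return 'pass' or the policy to apply ('none', 'quarantine', 'reject').
    spf_pass / dkim_pass are the raw authentication results; dkim_d is the d= domain of the
    passing signature. pct= sampling is not applied here."""
    tags = parse_dmarc(record)
    spf_aligned = spf_pass and aligned(header_from, envelope_from, tags["aspf"])
    dkim_aligned = dkim_pass and dkim_d is not None and aligned(header_from, dkim_d, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass"
    # Record is assumed to be published at the organisational domain, so any other
    # From domain is a subdomain and takes sp= when present.
    if header_from.lower() != org_domain(header_from):
        return tags.get("sp", tags["p"])
    return tags["p"]


if __name__ == "__main__":
    # Bounces go via a subdomain so strict SPF alignment fails; the DKIM signature rescues it.
    print(dmarc_disposition(EXAMPLE_DMARC, "example.com", "bounce.example.com",
                            spf_pass=True, dkim_pass=True, dkim_d="example.com"))
    # SPF passes for the vendor's own domain, but it isn't ours: not aligned, no DKIM.
    print(dmarc_disposition(EXAMPLE_DMARC, "example.com", "sendgrid.net",
                            spf_pass=True, dkim_pass=False))
```

The second case is the one that bites SaaS senders: SPF "passes" for the platform's own envelope domain, yet DMARC still fails because nothing aligned with your header From. Getting the vendor to sign with DKIM using your domain, or to use a bounce subdomain you control, is what fixes it.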
I want to finish up by talking about bank grade security; I realise that is an oxymoron. The site Phishing Score card tracks the SPF, DKIM and DMARC configuration of organisations worldwide.
53 percent of banks and financial service providers here in Australia have no DMARC configuration.
38 percent have a policy of none, and just 9 percent have either a reject or quarantine policy.
How much do they really care about the security and privacy of their customers?
Almost all software projects depend upon other software. This could be JavaScript packages, Docker images or even libraries provided by software vendors.
The problem is that we place a considerable amount of trust in the third parties that write these dependencies. We often like to think that they are better people than we are. We like to believe that they will not introduce malicious code, and that they follow similar security practices to ours.
Unfortunately, that trust gets broken. In the last few minutes I want to look at some of these incidents.
February last year, the JavaScript plugin Browsealoud was compromised. The plugin’s source code was altered to inject Coinhive’s Monero miner. For several hours, anyone visiting the over 4 thousand impacted websites inadvertently ran the hidden mining code on their computer. Australian websites impacted included a number of government departments, city councils, charities and disability support service providers.
SRI, or Subresource Integrity, is the best defence here. SRI allows a website to tell a user’s browser to check the integrity of third party assets. If the check fails, the asset isn’t loaded.
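As an added example (not part of the talk), this shows how the integrity attribute is produced at build time and how the browser-side check behaves: the digest of the asset body is base64-encoded with its algorithm prefix, and a modified body no longer matches. The script bodies and URL are constructed for illustration. The verification mirrors the SRI specification's rule that, when several hashes are listed, the browser uses only the strongest algorithm present.

```python
import base64
import hashlib

# Algorithms SRI recognises, ordered weakest to strongest (per the Subresource Integrity spec).
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body, algorithm="sha384"):
    """Return an integrity attribute value such as 'sha384-<base64 digest>' for an asset body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(body, integrity):
    """Mimic the browser check: group listed hashes by algorithm, keep only the strongest
    algorithm, and accept the body if any digest for that algorithm matches."""
    parsed = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        algo = algo.lower()
        if sep and algo in SRI_ALGORITHMS:
            parsed.setdefault(algo, set()).add(b64.split("?", 1)[0])  # '?options' suffix is ignored
    if not parsed:
        return True  # spec behaviour: no recognised algorithm means the attribute is ignored
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_hash(body, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


def script_tag(src, body):
    """Emit the <script> tag a build step would write for a third-party asset it has fetched and reviewed."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


# Constructed sample asset (assumption: stands in for a third-party script you have reviewed).
ORIGINAL_SCRIPT = b"window.thirdPartyWidget = { version: '1.0' };\n"
# The same asset with one line appended at the CDN, as a tampered copy would look to the browser.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"// appended after review\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/widget.js", ORIGINAL_SCRIPT)
    print(tag)
    pinned = sri_hash(ORIGINAL_SCRIPT)
    print("original loads:", sri_verify(ORIGINAL_SCRIPT, pinned))
    print("tampered loads:", sri_verify(TAMPERED_SCRIPT, pinned))
```

The pinned hash only protects you if it is computed from a copy you have actually reviewed and is recomputed deliberately on each upgrade; a build that refetches the asset and regenerates the hash on every run re-pins whatever the CDN is serving that day. The crossorigin attribute is needed because the browser cannot check the integrity of an opaque cross-origin response.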
In June last year, it was reported that 17 malicious Docker containers were removed from Docker Hub. Some of these images were mining Monero, while others created reverse shells or attempted to install backdoors onto the host machine. The images were available for over a year before Docker finally removed them. Estimates are that attackers made around 90 thousand from the mining.
How do we protect against this? Well, Sarah yesterday covered this off very eloquently: private image repositories are one of the best defences.
Finally, in July, an attacker compromised the NPM account of a maintainer of the popular eslint-scope and eslint-config-eslint packages. They then published malicious versions of these packages that would send the contents of the user’s .npmrc file to the attacker. This file typically contains access tokens for publishing to NPM. The belief is that the attackers wanted to gain access to the accounts of other package maintainers.
These packages see around three million downloads each week and have 31 other packages directly depending upon them, and over 20 thousand indirectly depending upon them.
How did the compromise occur? The official story is that a maintainer reused passwords and didn’t enable multi-factor authentication.
As I said earlier, not all maintainers follow the same security practices as the rest of us.
Just last week, attackers added a backdoor to the popular bootstrap-sass Ruby gem. The great news about this one was that it took only a few hours between attackers posting the malicious version and it being detected and removed; unfortunately, it was still downloaded around 12 thousand times. We don’t know how this one happened yet.
Also last week, WordPress plugin developers Pipdig were accused of adding a number of suspicious or malicious features, including a remote killswitch, remote password changes and DDoSing a competitor’s website. It appears they even took active measures to erase the evidence when caught. As I said, people trust these authors not to be malicious, and sometimes it turns out the authors are quite malicious.
I want to thank you all for listening to me today. I hope that you found something useful in today’s session and that it wasn’t too boring for you.
I hope you enjoy the rest of CrikeyCon.
Thank you all very much.
<pause for applause>
I believe we still have some time for questions, who has a question?