This document provides an overview of Python for security professionals. It discusses Python history and installation. It then covers debugging Python files, using Python for web crawling, and some Python tools like PyLint and PyDoc. Examples are provided on running Python programs, reading URLs, and line-by-line debugging. Python frameworks for games and 3D like Pygame and Panda3D are also mentioned. The document aims to introduce Python concepts and capabilities relevant for security work.
The document discusses setting up Python development for Android. It describes downloading the Android SDK and creating an Android Virtual Device for testing. The steps include installing SL4A and Python for Android to enable scripting. A simple "Hello World" Python script is run to confirm the environment is working. The document ends with instructions for writing a small greeting script and running it on the virtual device.
The document discusses Android development. It describes how Android is an open-source software stack based on Linux that includes APIs for developing mobile apps using Java. It outlines the steps to set up an Android development environment, including installing the Java Development Kit, Eclipse IDE, and Android SDK to then create Android Virtual Devices for app testing.
The document discusses Spring Framework, Aspect Oriented Programming (AOP), Inversion of Control (IoC), Spring MVC, Spring Web Flow, JavaServer Faces, Tomcat, Maven, and Spring Roo. Key points include:
- Spring introduces AOP and IoC to separate cross-cutting concerns and manage application components.
- Spring MVC and Web Flow provide frameworks for building web applications.
- JavaServer Faces is used to develop rich user interfaces.
- Tomcat is a servlet container that runs Java code to serve web requests.
- Maven and Apache are used for project build automation and management.
- Spring Roo provides rapid application development tools for
The document summarizes a presentation on advanced mobile penetration testing. It discusses attacking three surfaces: the client software on mobile devices, the communications channel, and server-side infrastructure. It provides examples of exploiting iOS and Android applications, such as decompiling code, intercepting traffic with proxies, and accessing embedded data and databases. The presentation emphasizes fast, hands-on techniques and tools for assessing mobile application security.
Java & The Android Stack: A Security Analysis - Pragati Rai
The document summarizes the security models of Java and Android. It describes how Java uses bytecode verification, digital signatures, and a security manager to enforce fine-grained access control within a sandbox. It then explains how Android uses permissions, signatures, and Linux process isolation to secure app interactions and define app identities, but replaces the Java virtual machine with Dalvik which is not itself a security boundary. The document emphasizes that Android focuses security decisions like permissions at install time rather than runtime.
Mobile Application Security – Effective methodology, efficient testing! - espheresecurity
The document discusses security issues related to mobile applications. It notes that mobile applications now store and process data both on the client and server sides, exposing them to vulnerabilities on both ends. Common vulnerabilities include insecure storage of sensitive data like credentials on the device, and insecure network communication that allows man-in-the-middle attacks when mobile devices use untrusted networks. The document advocates for effective security testing of mobile applications to identify and address such risks.
Video at http://mrkn.co/andsec
With Android activations reaching a million devices per day, it is no surprise that security threats against our favorite mobile platform have been on the rise.
In this session, you will learn all about Android's security model, including application isolation (sandboxing) and provenance (signing), its permission system and enforcement, data protection features and encryption, as well as enterprise device administration.
Together, we will dig into Android's own internals to see how its security model is applied through the entire Android stack - from the Linux kernel, to the native layers, to the Application Framework services, and to the applications themselves.
Finally, you’ll learn about some of the weaknesses in Android's model (including rooting, tap-jacking, malware, social-engineering) as well as what can be done to mitigate those threats, such as SE-Linux, memory protection, anti-malware, firewall, and developer best practices.
By the end of this session you will have a better understanding of what it takes to make Android a more trusted component of our personal and professional lives.
From app sec to malsec malware hooked, criminal crooked alok gupta - owaspindia
The document announces the OWASP InfoSec India Conference 2012 to be held on August 24-25, 2012 at the Hotel Crowne Plaza in Gurgaon, India. It includes an abstract and agenda for a presentation by Alok Gupta on the topic of malware trends. The presentation will discuss how malware has evolved over time and become more sophisticated, the different types of malware, trends in targeted malware and industrial espionage, and strategies for detection and mitigation.
Seminar on October 10, 2017
General overview of Android security from a hacker's perspective. Android security is mostly seen as only "exploiting the device with RAT" and some of it. Here, I want to show that there is more than that.
Case VC+: How to make a mobile payment application secure without penalizing the exp... - Márcio Rosa
In this presentation we discuss the case study of the fintech VC+, covering what we did to protect ourselves and the main lessons learned, as well as what not to do. We will also demonstrate an Account Hijacking in one of the best-known applications on the market (anonymized).
Improving Mobile Authentication for Public Safety and First Responders - Priyanka Aash
William Fisher presented on improving mobile authentication for public safety and first responders. He discussed challenges with password management and outlined requirements for an effective authentication solution, including being flexible, efficient, interoperable, and improving credential management. He then demonstrated a solution using standards-based multifactor authentication and single sign-on to provide benefits like reducing authentication time and the number of credentials needed. Finally, he highlighted new NIST guidance on implementing mobile single sign-on solutions.
The document discusses various security threats related to Android applications. It begins by introducing the OWASP Mobile Top 10 risks framework for categorizing common mobile vulnerabilities. It then provides more details on each of the top 10 risk categories, including examples, impacts, and tips for prevention. It also discusses techniques for protecting Android apps from reverse engineering and tampering, such as code obfuscation, anti-debugging, and license verification.
AWS provides certifications and reports on standards like ISO 27001, SOC 1/2/3,
PCI DSS, HIPAA, FISMA. AWS performs regular internal/external audits and penetration
tests by 3rd parties and publishes results in the reports. AWS also offers penetration testing
services for customer applications and networks through AWS Security services.
AWS provides ability to logically isolate and encrypt customer data using services like S3, EBS,
EFS, RDS, Redshift. AWS also offers data backup, recovery and deletion capabilities through
services like S3 Versioning, EBS Snapshots, Database Snapshots etc.
This document discusses mobile device management (MDM) from the perspective of bring your own device (BYOD) programs. It covers what employees and companies want from MDM as well as common MDM solutions and features. The document also examines known issues with MDM, including examples of threats that bypass MDM controls or gain root access on devices. Permissions models and activities are analyzed for BlackBerry and iOS platforms to evaluate the efficiency of MDM solutions.
This document provides an overview of Android application sandboxes and how they can be used for suspicious software detection. It discusses how Android uses a modified Linux kernel to run Java-based apps in an isolated environment. The document describes how an Android application sandbox called AASandbox works by hijacking system calls using a loadable kernel module and then performing both static analysis of app files and dynamic analysis by running apps in an Android emulator and monitoring system calls. It provides examples of analyzing self-written apps and experiments using over 150 popular apps from the Android Market.
This document discusses Android key management and cryptography. It covers symmetric and asymmetric encryption algorithms like AES and RSA. It describes using the Android Keystore to securely store cryptographic keys and how PBKDF2 can be used to derive keys from passwords. It also demonstrates how apps can be reversed to extract hardcoded keys and discusses more secure alternatives like storing keys on a server.
The document discusses mobile security and vulnerabilities. It begins with an introduction of the speaker, Dr. Ir. Stefaan Seys, and the agenda. It then covers topics like the relative security of Android, iOS, and Windows mobile platforms. Specific issues discussed include Android's challenges with updates, data storage vulnerabilities, jailbreaking/rooting risks, and threats involving insufficient transport layer protection and insecure data storage. Examples of past mobile vulnerabilities like Stagefright are provided.
This presentation was done for my MSc studies @ UOM. The presentation is related to the paper "Understanding Android Security" by William Enck, Machigor Ongtang, and Patrick McDaniel, Pennsylvania State University, 2009.
The document discusses mobile application security. It describes challenges in managing and securing mobile devices and applications. It introduces IBM's mobile security strategy and solutions that address these challenges, including managing mobile devices, protecting data and network access, and developing secure mobile applications. The solutions provide capabilities such as mobile device management, data encryption, identity and access management, and application testing.
Introduction to Android Application Security Testing - 2nd Sep 2017 - Satheesh Kumar V
This document provides an introduction to mobile application security with a focus on Android. It discusses Android architecture, application fundamentals, security model, and tools for reverse engineering Android apps. It also summarizes the top 10 mobile risks from the OWASP Mobile Top 10 including issues like insecure data storage, authentication, authorization, and code quality. Hands-on examples are provided for reverse engineering apps and analyzing the application permissions.
This document provides an overview of mobile device management (MDM) and mobile security across different mobile operating systems. It analyzes the native security features and permissions models of BlackBerry and iOS, identifying both controlled and uncontrolled activities. For both platforms, it shows the number of main and derived activities, and calculates the efficiency of each platform's permissions and controls. The analysis finds that the set of permitted activities is typically less than the set of all activities, indicating opportunities for improvement in granularity and unknown attacks.
The document summarizes an Android security workshop that took place on February 24th, 2016 in Poland. The workshop included sessions on Android fundamentals, application component security, and the OWASP top 10 mobile risks. It also covered reverse engineering and malware analysis. The document provides an agenda and summaries of the topics discussed in each session, including details on Android architecture, security features in Android 6.0, application permissions and components, and common mobile risks. It aims to provide attendees with a basic understanding of Android security concepts and methodologies for analyzing mobile applications for security issues.
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication - Priyanka Aash
People use more passwords today than ever before. But with the advent of Apple’s latest iPhone releases and its TouchID and FaceID technologies, we’ll begin to see a wider acceptance of some biometrics methods like fingerprint and facial scanning. This session will assess the security of these methods compared to the tried and true password.
Learning Objectives:
1: Understand the password’s history and an overview of biometrics.
2: Understand the security pros and cons of passwords versus biometrics.
3: Obtain tips for creating a password/biometrics authentication stack.
(Source: RSA Conference USA 2018)
The document discusses secure coding practices for Android app development. It begins with an introduction that notes the growing number of Android users and prevalence of Android vulnerabilities reported in news headlines. The document then covers various categories of Android app security issues and explores examples of specific vulnerabilities, including unintended activity exposure, local servers accessible to other apps, and unintended content provider exposure. Root causes and solutions are provided for each vulnerability along with references for developers. The goal is to help developers learn from real-world examples and avoid common vulnerabilities through secure coding techniques.
Ways You Can Use Python For Cybersecurity - AppsDevPro SofiaCarter4
Python is a very versatile and powerful programming language that may be used for a variety of applications, especially those involving security. This guide looks at different ways Python for cybersecurity may be used to safeguard your organization's data and systems from possible attacks.
How is Python Useful for Cybersecurity in 2024 - riyak40
Python has solidified its position as a dominant and versatile programming language in the realm of cybersecurity. Through its flexible syntax, comprehensive libraries, open-source nature, and automation features, Python offers improved efficiency, precision, scalability, and cost-effectiveness in security endeavors.
Introduction to python for cybersecurity pythonminna - TopeAbdulgafar
In this talk, I will introduce you to the core concepts of choosing Python as your programming language as a cybersecurity professional, and how it can improve your agility and performance. The core concept of cybersecurity involves protecting information and systems from major cyberthreats; these cyberthreats take many forms (e.g. web application attacks, malware, ransomware, phishing, exploit kits).
Internet of Things (IoT) Security using stream cipher.ppt - AliSalman110
This document outlines a presentation on Internet of Things (IoT) security using stream ciphers. It discusses defining IoT and related challenges, key security technologies like encryption, and cryptography methods like the one-time pad. It proposes using a linear feedback shift register as a pseudo-random number generator for a one-time pad stream cipher combined with DNA computing. The implementation would encrypt and decrypt messages between Raspberry Pi IoT nodes over the MQTT protocol as a case study for a vehicle network.
The Internet of Things: We've Got to Chat - Duo Security
BSides SF, February 2014: http://www.securitybsides.com/w/page/70849271/BSidesSF2014
Duo's Zach Lanier (@quine) & Mark Stanislav (@markstanislav) on IoT (Internet of Things) security, announcing http://BuildItSecure.ly
An overview of security and privacy challenges that must be faced and solved when creating new Things for the Internet of Things. We discussed why Things are inherently insecure, together with examples of attack vectors, and learned some risk mitigation strategies. We realized why users should be wary of Things violating their privacy and gained awareness of upcoming EU privacy legislation that affects providers of IoT-based solutions. Talk given at Pixels Camp 2017, Lisbon.
Python for IoT: Building Smart Devices and Applications - priyanka rajput
Python has emerged as a pivotal tool in the world of IoT, simplifying the development of both smart devices and applications. Its versatility, rich ecosystem, and ease of use have made it a top choice for IoT projects of all sizes. As IoT continues to expand into various industries and domains, Python’s influence is set to grow, shaping the future of smart devices and applications in an increasingly connected world.
Fixing the Last Missing Piece in Securing IoT - NUS-ISS
By Mr Ng Kok Leong, Senior Lecturer & Consultant, Digital Strategy & Leadership Practice, NUS-ISS for the NUS-ISS SkillsFuture Series Seminar: Cybersecurity in Smart Nation (26 June 2019)
NXP's portfolio addresses IoT security across the entire device lifecycle from edge to cloud. [NXP's portfolio includes] secure elements, microcontrollers, application processors, device management software, and solutions that provide security from device procurement through decommissioning. NXP products offer hardware-protected keys, secure boot, tamper resistance, and cryptographic accelerators to establish trust from the edge to the cloud.
Applications of Python in Different Fields.pptx - naughtybabu52
This document is a student presentation on the applications of Python. It discusses how Python is used in fields like data science, web development, and automation. Specifically, it mentions how Python and libraries like Pandas, Scikit-Learn, Django, and BeautifulSoup help with tasks like data analysis, machine learning, web applications, web scraping, and automation. The presentation concludes that Python's versatility will help drive future technology advances.
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker - Abhinav Biswas
With the advent of IOT, every 'Thing' is getting smart, starting from the range of smartwatches, smart refrigerators, smart bulbs to smart car, smart healthcare, smart agriculture, smart retail, smart city and what not, even smart planet. But why is every thing getting smart? People are trying to bridge the gap between Digital World & Physical World by means of ubiquitous connectivity to Internet, and when digital things become physical, digital threats also become physical threats. Security & Privacy issues are rising as never before. What if the microphone in your smart TV can be used to eavesdrop on the private communications in your bedroom? What if a smart driverless car deliberately crashes itself into an accident? What if you want to be Anonymous over Internet and don't want anybody to track you?
This talk will focus on answering the above questions with a view on 'What are we currently doing to protect ourselves' and 'What we need to do'. What are the new security challenges that are coming up and how privacy & anonymity are taking the lead over security. The talk will also sensitize the audience about the paradigm shift that is happening in IOT DevOps, with help of Docker Containers and how they can be anonymised using TOR.
This document discusses peer-to-peer (P2P) security threats and countermeasures. It begins by outlining common P2P applications like BitTorrent, DC++, and torrents. It then examines security gaps in P2P networks like attacks from malicious peers, poisoning of indexes, and free riding. The document also covers potential attacks on P2P like Sybil attacks and traffic eavesdropping. It proposes countermeasures such as P2P traffic control, NAT traversal, and privacy-aware P2P classification. Finally, it outlines a testbed at BITS Hyderabad for generating P2P botnet traffic and detecting botnets using techniques like Bayesian regularized neural networks and distributed data collection
This document discusses peer-to-peer (P2P) security threats and countermeasures. It begins by outlining common P2P applications like BitTorrent, DC++, and torrents. It then discusses security gaps in P2P networks like attacks from malicious peers, poisoning of indexes, and free riding. The document also covers potential attacks on P2P like Sybil attacks and traffic eavesdropping. It proposes countermeasures like P2P traffic control, privacy-aware classification, and botnet detection using machine learning. It outlines experiments on its P2P testbed at BITS Hyderabad to generate botnet traces and evaluate detection techniques.
Learn the Basic Concepts of Python Programming Language? - Techourse
Are you searching for the best course to learn python? Techourse is the right e-learning space for you. Get continuous python training by top industry experts and soar high with certifications.
apidays LIVE London 2021 - API Security in Highly Volatile Threat Landscapes ... - apidays
apidays LIVE London 2021 - Reaching Maximum Potential in Banking & Insurance with API Mindset
October 27 & 28, 2021
APIs in Finance: The Next Evolution
API Security in Highly Volatile Threat Landscapes
Xenia Bogomolec, Information Security Specialist at Quant-X Security & Coding GmbH
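General Security, Issues, Technologies, and Policy Directions for the Power Grid: In the Context of Next-Generation Technology Environments Such as Social Network Services - JM code group
Host: Korea Electrotechnology Research Institute, expert advisory presentation
Venue: Korea Electrotechnology Research Institute
Topic: General Security, Issues, Technologies, and Policy Directions for the Power Grid: In the Context of Next-Generation Technology Environments Such as Social Network Services
Presentation date: October 20, 2009
Presenter: Kang Jang-mook (Professor, BK Project Group, Department of Information and Communication Engineering, Sejong University)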
redsea@sejong.ac.kr
mooknc@gmail.com
What is Python…?
Differences between program and scripting language
History of Python
Scope of Python
What can I do with python
Who uses python today
Why do people use Python?
Installing Python IDE
A Sample Code
Python code execution
Running Python
Python Basic(Variable, Strings, Data types etc.)
This document describes a crypto vision bot project that uses RSA encryption to securely transmit images. The bot uses a Raspberry Pi 3B+ connected to a Pi camera, PIR sensor, DC motors controlled by an AVR board, and Bluetooth module. When the PIR sensor detects motion, the Pi camera captures an image that is encrypted using RSA and uploaded to Google Drive. An authorized user can then download and decrypt the images. The bot is controlled remotely via Bluetooth using an Android app. The project combines cryptography, embedded systems, wireless communication, and IoT to provide a surveillance solution with encrypted image transmission and storage.
This document discusses using Python for Android applications. It covers several options for running Python on Android like Android Scripting Engine, Py4a, and python-for-android. Python-for-android compiles Python code into native Android apps. It also discusses libraries and frameworks commonly used in Python Android apps like Twisted, Kivy, and using the Android APIs through a JNI bridge. The document advocates for Python as an easy yet powerful language for building diverse Android applications.
The document discusses Java programming concepts including:
- Java provides a common framework to handle strings, networks, and extended functions. It also handles garbage collection and can be cross-platform.
- The main() method is where every Java program begins execution. It must have a specific signature of public static void main(String[] args).
- There are 8 primitive data types in Java including int, short, long, float, double, char, boolean, and byte that are used to store basic values.
This document provides an overview of using the UICatalog sample code to learn about the user interface components available in UIKit. It discusses downloading and running the UICatalog sample, and how to capture screenshots of the user interface elements to create mockups and prototypes. It also includes background information on Objective-C, UIKit, the model-view-controller (MVC) pattern, and the basic structure of an iOS application.
This document discusses MongoDB and how to use it from C#. It covers what MongoDB is, installing and configuring MongoDB, connecting to MongoDB from a C# application, performing CRUD operations on MongoDB collections from C#, and some MongoDB administration tools.
NServiceBus (NSB) is a popular framework for implementing service-oriented architectures (SOA) using C#. It can integrate with Windows Communication Foundation (WCF) web services to allow them to leverage NSB's capabilities like message encryption, retries, and sagas. NSB simplifies the coding of WCF contracts and hosting, and treats WCF endpoints like any other NSB endpoint. This allows management of WCF services through NSB tools and the use of NSB features in WCF workflows.
This document provides an overview of ASP.NET MVC frameworks and how to get started with ASP.NET MVC 4. It discusses how ASP.NET MVC supports the MVC pattern and test-driven development. It also describes how to install ASP.NET MVC 4, create a basic MVC 4 project with different templates, add controllers and views, and connect to a database using Entity Framework.
This document provides an overview of Entity Frameworks (EF), an object-relational mapper (ORM) that allows mapping of objects to SQL databases in Visual Studio. It discusses benefits of EF like reduced development time and better object design. It also discusses how EF integrates with ASP.NET MVC and the process of creating an EF model, generating a database from the model, and populating tables.
Tumbleweed (Axway Secure Transport) is a managed file transfer system that uses a dynamic SFTP server to transfer files. It allows users to register and schedule file movements and program executions based on time or file conditions. Tumbleweed uses Tomcat as a front-end Java server, MySQL for database storage, and Cygwin to run external commands from a Unix-like environment on Windows. It provides encryption, active directory integration, and reporting on file transfers.
This document provides an overview of Microsoft Azure, including its core components and services. It describes Azure as a cloud service software that provides SDKs for web sites, virtual machines, and cloud services. It also discusses Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Software as a Service (SaaS), Azure web sites, virtual machines, cloud services, SQL databases, storage, business analytics using Hadoop and SQL Reporting Services, AppFabric, Service Bus, caching, and managing Azure resources through the portal, Visual Studio, and PowerShell.
Salesforce began as a customer relationship management software and has grown into a cloud computing platform. It provides software as a service and platform as a service, including applications like Sales Cloud, Service Cloud, and Force.com for building custom applications. Salesforce uses a multi-tenant architecture allowing multiple customers to use a single instance of the software. It includes tools like Visualforce for customizing interfaces and Apex for adding business logic through code.
LEARNING iPAD STORYBOARDS IN OBJ-C LESSON 1 - Rich Helton
This document provides an introduction to using storyboards in Objective-C on iOS. It begins with a disclaimer and then defines some key concepts about storyboards, including that they provide a visual representation of an app's user interface and allow transitions between scenes. It discusses storyboard files, segues, the dock, and scenes. It then walks through adding elements to a sample master-detail app project in Xcode like a model class, data controller, and table view controller. It includes links to Apple documentation for additional reference. The overall purpose is to explain the basics of using storyboards for app development in Objective-C on iOS.
This document provides information about MonoDevelop, Mono, MonoTouch, and Model-View-Controller (MVC) patterns as they relate to iPad development. It defines key terms like MonoDevelop, Mono, MonoTouch and discusses how to install and set up MonoDevelop and Mono frameworks for iPad development. It also provides an overview of the MVC pattern and how it can be implemented using MonoTouch and iOS UIKit frameworks.
This document provides an overview of NServiceBus, an open source enterprise service bus (ESB) for .NET. It discusses the need for an ESB and some benefits they provide. It then describes NServiceBus specifically, how to get started with it, and some of the core components like endpoints, messages, transports, and serialization. It covers topics like building the message bus, sending vs publishing messages, unit testing, and deploying NServiceBus applications as Windows services. Overall, the document is an introduction and guide to understanding and working with the NServiceBus ESB framework.
This document discusses moving existing websites with security issues to the ASP.NET MVC framework using Entity Framework. It provides an overview of MVC and EF, how to set them up in Visual Studio, and examples of using them to improve security by removing direct SQL queries and moving more logic to the server. Key benefits highlighted include built-in features for validation and preventing cross-site request forgery attacks. Examples demonstrate querying databases and validating models without writing direct SQL or adding additional code.
This document provides an overview of Rich Internet Applications (RIA) and the Adobe Flex software development kit. It discusses how Flex uses MXML and ActionScript to create RIA applications that interact with the Flash plugin. It also covers related technologies like Adobe AIR, BlazeDS, and LifeCycle Data Services that allow Flex applications to communicate with backend services. Examples of MXML code and Flex application architecture are provided.
This document summarizes a C# web security class presentation from October 2010. It introduces various types of web attacks like SQL injection and cross-site scripting. It provides examples of vulnerable practice websites like Hackme Bank and Hackme Books to demonstrate SQL injection. It also lists resources for web security checklists, tools for scanning websites, and anonymization techniques. Common fixes for SQL injection like using stored procedures and parameterized queries are also discussed.
Jira is an issue tracking and project management tool built using open source Java frameworks like Apache Tomcat and OpenSymphony. It uses Tomcat as its web container to run JSPs and servlets that power the Jira interface and workflows. Jira's configuration files and classes are stored in directories that mirror Tomcat's structure, allowing it to leverage Tomcat while also adding its own functionality through plugins and customizations to files like jira-workflow.xml, which defines its workflow system.
The document discusses SQL injection, which occurs when malicious SQL commands are injected into a backend database. It provides examples of how SQL injection can be used to bypass authentication or retrieve sensitive data from a database. The document then discusses various techniques for preventing SQL injection, including using stored procedures, parameterized queries, and object-relational mappers like Entity Framework and NHibernate which help protect against injection attacks.
This document discusses various tools and techniques for security testing and debugging web applications developed in C#. It provides information on static analysis tools like FxCop and CAT.NET that can analyze source code. It also covers automated testing tools like NUnit, HTMLUnit, and Selenium that can test web applications without using a real browser. The document demonstrates how to integrate these tools into testing workflows and addresses related topics like logging, exception handling, and custom error pages.
This document provides an introduction to using web application firewalls (WAFs) and demonstrates how to configure a WAF using ModSecurity on Apache. It discusses how a WAF works by intercepting HTTP traffic before it reaches the web server. The document shows how to install and configure ModSecurity and the Apache modules it requires. It also demonstrates how to test for and block common vulnerabilities like SQL injection and cross-site scripting using ModSecurity rule sets. Hands-on labs are provided to allow configuring ModSecurity logging and rules manipulation.
The document provides an overview of Java web security coding and open source tools that can be used for testing web application security. It discusses topics like SQL injection, cross-site scripting, web application scanners like Skipfish and WebScarab, and the importance of logging and error handling. Code examples are provided for tasks like logging in Java, using Log4j, and handling SQL injection vulnerabilities. Live sites and vulnerable applications like Hackme Books and HacmeBank are also referenced to demonstrate security issues.
1. CYBER SECURITY INFORMATION TECHNOLOGY
AppSec
CRITICAL INFRASTRUCTURE HOMELAND SECURITY MULTI-USER NETWORK CYBER SECURITY INFORMATION TECHNOLOGY CRITICAL INFRASTRUCTURE
(By Rich Helton)
Python for Security Professionals (September 21, 2011)
(with some Droid and Django)
State of Colorado
Office of Cyber Security
2. Class Introduction
My information: rich.helton@state.co.us
A good reference for an online Python class is http://code.google.com/edu/languages/google-python-class/introduction.html , the PyQuick Python Class from Google University.
Another reference is the Python documentation, http://www.python.org/doc/
3. Python History
From http://en.wikipedia.org/wiki/Python_(programming_language) , Python is an interpreted, general-purpose high-level programming language whose design philosophy emphasizes code readability.
The reference implementation of Python (CPython) is free and open source software and has a community-based development model, as do nearly all of its alternative implementations.
Python interpreters are available for many operating systems, and Python programs can be packaged into stand-alone executable code for many systems using various tools.
Python’s implementation was started in December 1989 by Guido van Rossum in the Netherlands as a successor to the ABC programming language.
4. Installing Python
Python can be downloaded and installed from
http://www.python.org/getit/
5. Just my 2 Cents,
Referencing others: Python does not define types ahead of time; types are determined at runtime. Many say that variable names in Python have to be watched more closely because of this interpreted runtime.
You need to be prepared to create modules and break lines apart more often to keep the code readable. While a statement in Java code could easily occupy three lines of text, Python works with line breaks and indentation, and a single statement cannot easily occupy multiple lines. This makes Python a more compact language that occupies less space.
This in turn lets Python get a lot more done with fewer lines of code and makes it great for utilities and tools. Python is concise.
Keep it simple.
6. Other Advantages
Python does not require as much typing as Java and integrates more closely with the operating system as a scripting language.
While Java has many more frameworks than Python, Python does have a Spring Framework (middleware) and many web frameworks.
I like to work with Python for admin and 3D graphics integration:
If you do graphics programming, Python is a must-have. Packages like Maya use Python plugins, as does Blender 3D, and Disney’s original Panda3D application is based on Python.
If you manage Linux systems and do network and system security, Python is a language that many scanning tools are based on.
Python is a great language for incorporating modules from other languages and applications.
For a list of Python software, see http://en.wikipedia.org/wiki/List_of_Python_software
7. Python Software
8. Java vs. Python
A simple “Hello World” (Python is concise, see left pane):
9. Panda3D (Free Python 3D Engine)
Python can be powerful, see Disney’s game engine,
http://www.panda3d.org/
10. Panda3D (Free Python 3D Engine)
Panda3D Boxing Program Sample, nothing but Python.
11. Pygame
One of the best-known Python frameworks is Pygame, found at http://www.pygame.org/ , with more information at http://en.wikipedia.org/wiki/Pygame
Pygame has been around since 2004.
It has many tutorials and editors, like a Tile and Level Editor and even a Map Maker:
12. Pygame Aliens game
13. Pygame
Pygame has a subset for Android, see http://pygame.renpy.org/ .
To learn the code for sprite animation in Aliens, simply go through the code at http://svn.pythonmac.org/py2app/py2app/trunk/examples/pygame/aliens.py
14. My First Python Program
Many of the programs will be done in Windows after installing Python. Linux can be used as well, and Python normally comes standard with Linux.
15. My First Python Program (with Error)
16. Python, not just a Calculator
Python can perform complex calculations with little effort. Don’t forget to use numbers instead of literals, and note the # (comment) symbols:
17. Creating a py file
Python files normally end with a “.py” extension.
Using an open source editor, such as http://geanyportable.org/ or http://www.pspad.com/ , you can write a Python program.
We create prog1.py:
18. Running a py file
We can run the “py” file interactively from the IDLE GUI, shown here as the interpreter.
Or at the command line:
19. Running a py file
Other editors, like http://netbeans.org , a Java editor, have plugins
to run Python files. See also http://wiki.netbeans.org/Python .
A plugin for Python will have to be installed:
20. Running a py file
Running in NetBeans:
21. Debugging a py file
Debugging in NetBeans: here we step through the code line by line and print the www.google.com web page in the output window:
22. Debugging a py file
Let’s break down the code:
23. Debugging a py file (Reading a Google URL)
We can set the request name as a variable. The variable does not
require a type.
24. Using it across the WWW
In this example, we grab the page at www.google.com and read the output.
We can now start to use this as a web crawler. A web crawler grabs the URLs from a site and walks down each one, then grabs the next URL and walks down it, in many cases copying the pages into a local directory to capture the web site structure.
Some crawlers, like wget, even come with Linux operating systems.
Building your own crawler allows you to test other items as well, such as putting a ‘ or “ in the forms to test for SQL injection.
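The crawl described on this slide, as an added example that is not part of the original slides: a breadth-first crawler that stays on the starting host and records each form's input names, the inventory a tester reviews when checking how form input is handled. It is written for Python 3 (the slides use Python 2.7); the site content, host names and function names are constructed for illustration.

```python
# Added example (not from the original slides). Python 3, standard library only.
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse
from urllib.request import urlopen


class PageParser(HTMLParser):
    """Collects link targets and a summary of every form on one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self.forms = []
        self._form = None  # the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            # Resolve relative links against the page URL and drop #fragments.
            url, _fragment = urldefrag(urljoin(self.base_url, attrs["href"]))
            self.links.append(url)
        elif tag == "form":
            self._form = {
                "page": self.base_url,
                "action": urljoin(self.base_url, attrs.get("action") or ""),
                "method": (attrs.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if attrs.get("name"):
                self._form["inputs"].append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def crawl(start_url, fetch, max_pages=50):
    """Breadth-first walk of one site.

    fetch(url) returns the page HTML as a string, or None on failure.
    Only http(s) links on the start URL's host are followed, and max_pages
    bounds the walk so a link loop cannot run forever.
    """
    host = urlparse(start_url).netloc
    queue = deque([start_url])
    seen = {start_url}
    visited, forms, skipped = [], [], set()
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        html = fetch(url)
        if html is None:
            continue  # broken link or fetch error
        visited.append(url)
        parser = PageParser(url)
        parser.feed(html)
        forms.extend(parser.forms)
        for link in parser.links:
            parts = urlparse(link)
            if parts.scheme not in ("http", "https") or parts.netloc != host:
                skipped.add(link)  # off-site or non-web link: record, do not follow
            elif link not in seen:
                seen.add(link)
                queue.append(link)
    return {"visited": visited, "forms": forms, "skipped": sorted(skipped)}


def fetch_live(url):
    """Fetch a page over HTTP(S); returns None on any error."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (OSError, ValueError):
        return None


# Constructed three-page site so the example runs offline.
SITE = {
    "http://app.example.test/":
        '<a href="/login">Login</a> <a href="search.html#top">Search</a> '
        '<a href="http://other.example.test/">Partner</a> '
        '<a href="mailto:admin@example.test">Mail</a>',
    "http://app.example.test/login":
        '<form action="/session" method="POST"><input name="user">'
        '<input name="password" type="password">'
        '<input type="submit" value="Go"></form><a href="/">Home</a>',
    "http://app.example.test/search.html":
        '<form><input name="q"/></form><a href="/missing">Broken</a>',
}


def fetch_constructed(url):
    """Serve pages from the constructed SITE dictionary."""
    return SITE.get(url)


if __name__ == "__main__":
    result = crawl("http://app.example.test/", fetch_constructed)
    for form in result["forms"]:
        print(form["method"].upper(), form["action"], form["inputs"])
    print("not followed:", result["skipped"])
```

Passing fetch_live instead of fetch_constructed runs the same walk against a real host.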
25. Wget (Open Source Web downloaders)
Open source utilities, like wget or VisualWget ( http://www.bebits.com/app/299 ), provide a means to download all available URLs on a web site:
26. Wget (Open Source Web downloaders)
Results:
27. Python Web Crawlers
I will discuss the Python implementations more at a later time, but here are some links to some Python web crawlers.
There are many sites that discuss Python web crawlers; the benefit is that you can add code to look for specific patterns:
Simple Web Crawler: http://code.activestate.com/recipes/576551-simple-web-crawler/
http://ms4py.org/2010/04/27/python-search-engine-crawler-part-1/
http://blog.theanti9.com/2009/02/14/python-web-crawler-in-less-than-50-lines/
There are many sites that discuss the Python ping.py implementation, which I will discuss in the network section and which may help in network mapping:
http://stackoverflow.com/questions/316866/ping-a-site-in-python
http://www.g-loaded.eu/2009/10/30/python-ping/
28. Some Python Tools
29. PyLint
PyLint is a static source analysis tool, available from the command line or integrated into tools like PyDev and frameworks like Django. See http://en.wikipedia.org/wiki/Pylint
After downloading the PyLint package from http://pypi.python.org/pypi/pylint#downloads and unzipping it, run “python setup.py install” in the package's root directory to install it into the local Python installation.
It will be installed under the local Python\Scripts directory, so make sure that this directory is in the executable Path environment variable.
30. Running PyLint
For our “test.py” file, we simply run “pylint test.py”:
31. PyDoc
The pydoc module automatically generates documentation from Python modules. The documentation can be presented as text in the console, served to a web browser, or saved to HTML files. See http://docs.python.org/library/pydoc.html
Running “python pydoc.py sys” from the Python\Lib directory gives us info on the sys module:
32. PyDoc
Running “python pydoc.py -g” brings up the Tkinter GUI, with a search interface and a button to load a browser with all the modules:
33. PyUnit
This is the Python version of JUnit, http://pyunit.sourceforge.net/ , which is the standard unit testing framework.
Download it from this website and install it with the “python setup.py install” command.
34. PyUnit
PyUnit makes use of the “unittest” module from Python, so it must be installed. See http://pyunit.sourceforge.net/unittest.html
The Python file will need an “import unittest” and will use “self” functions to design a unit test. See http://docs.python.org/library/unittest.html
35. PyUnit
Here we have “ArithTest” that will use “self.fail” functions to test the
cases:
36. Creating a Python Executable
37. Download the py2exe.org
Download the correct version from http://www.py2exe.org to match
the Python interpreter installed, i.e. 2.7.
In this case it will be installed in the 2.7 directory….
38. Quick test
Let’s cd to the download sample directory and run the simple sample. The directory can be viewed from the installation dialog.
The test will show an error. This is because there are multiple Python versions, and that’s why it didn’t compile. Panda3D was also installed, and it installed 2.6.5. Oops:
39. To Compensate (Multiple Pythons)
When applications are installed with Python support, they may install another copy of Python.
You can uninstall down to one copy and use a copy of Python that is supported by all the local Python applications (likely not the most current), or start compiling directly from the local directory.
In this case, we will call the correct Python directly and copy the simple samples over to the Python directory.
Then we will run the local “python setup.py py2exe”. This setup.py came with the sample and is defined to compile hello.py.
There will be several pages of compile information ending with:
40. Compiled
A “dist” directory will be created from the samples with the compiled
python scripts.
The hello.py is now hello.exe:
41. Non-Windows Multiple Pythons
You may notice that many Python files have a first line with
something like “#!/usr/bin/python”. This means to use the python
under “/usr/bin” in Linux or Mac OS X.
You may even see “#!/usr/bin/env python2.6”, which simply means to
use the first Python 2.6 binary found in the user’s environment.
What you put in this first line controls which Python binary is
used; if the line is not used, the default one in the current
environment is found. See
http://stackoverflow.com/questions/2429511/why-do-people-write-usr-bin-env-python-on-the-first-line-of-a-python-script
42. LET’S BREAK DOWN THE PROGRAM
43. Components of a program…
Comments
Reserved words
Statements
Blocks
Classes
Methods
The main method
44. Comments
Comments are used to communicate the purpose of parts of the
program in the code.
Comments are not executed as part of the code and are ignored by
the compiler.
Using the (#) hash sign will tell the compiler to ignore the
entire line.
Using the (""") triple quote starts a multiline comment that comments
out code until it meets the ending triple quote (""").
45. Reserved Words
Reserved words, or keywords, are words with special meaning that
define how the program should behave in the compiler.
These words explain to the compiler how to construct the
program.
Being reserved to the compiler, these words cannot be duplicated
anywhere else in the code as class names, variable names, or
method names.
Words in the program, such as “assert”, tell the compiler to assert
that a statement is true or it will return an exception.
46. Reserved Words
Python reserved words:
47. Conditionals
Conditionals, if/else clauses, are probably the most important
construct in programming.
A conditional checks to see if a condition is true and executes its
block; otherwise it may execute an “else” block if one is set.
http://docs.python.org/tutorial/controlflow.html
48. For Loop
A “For” loop will increment through a specified length. Length can
be used instead of the integer.
Remember to indent the code within conditions, loops, and
definitions, because the indentation defines the code within the
block.
49. For Loop 2
Let’s create something more useful, like printing out the OS
environment
50. Operating System Commands
Python has many Operating System (os) commands that are part of
the Python os module, see http://effbot.org/librarybook/os.htm
and http://docs.python.org/library/os.html
These commands can create and remove files, directories, get
current environment variables, get information on files and
directories, change permissions on files and directories, start
programs, end programs, start services and daemons and much
more.
We will look at it more in a bit, back to loops.
51. While Loop
A While loop will continue until a condition is met. This example
is in cygwin, like Linux, so it has a header “#!/usr/bin/python”:
52. Statements
A statement is a line for a single unit of work.
A line in Python ends at the end of the line in the file.
53. Blocks
A block is a group of actions that is normally defined in a method,
condition, exception, loop or other area construct.
A block is started with the “:” in the section, defined by indentation
until another block is encountered.
54. Main method
A Python program with multiple functions needs to define a “main”
method; it defines the method in the “if __name__ == "__main__":” block.
55. Object Oriented Development
Python supports Object Oriented Programming (OOP), here is an
example, see
http://www.zugiart.com/notes/programming/python/ :
56. What is a class?
A class is a definition of a group of methods, variables, state and
behavior.
In the sample, the class is MyClass.
As MyClass it can contain variables, methods, state and behavior
that are defined. In this case it simply prints “helloWorld” with an
argument.
The idea of a class is that it can define a car, a catalog, or another
kind of construct.
The class can create subgroups, like a car class can have sub classes
of itself like “blue car” or “compact car” to define the construct in
more detail.
When a class is created and started, called instantiation, it becomes
an object. A class can create many objects.
57. Creating a module
Python statements are not very long compared to other languages,
and by that I simply mean that while I could easily write a
statement that takes 3 lines of code, Python delimits on
indentation and end of line.
To compact the code, modules are used to break the code into
different libraries, just like functions and classes are used to break
the code up into different blocks in the file.
See http://docs.python.org/tutorial/modules.html
58. Creating a module
Let’s create a Fibonacci numbers module with a “fib” function:
59. Creating a module
Let’s call the fib.py module and “fib” function from a myFibo.py file
using the “import” keyword:
60. OS Module
61. OS Module
We briefly touched on the os module in the last chapter. We will walk
through a few programs (getting file info, this was Windows):
62. OS Module
Here we copy a file and give it the same info as the original:
63. OS Module
Changing to a subdirectory called samples and back again:
64. Lists, Sets and Tuples
65. Lists
A list in Python is an ordered group of items or elements.
http://en.wikibooks.org/wiki/Python_Programming/Lists
They use “[ … ]” brackets and their data can be changed.
66. Tuples
Tuples in Python are much like lists, except they are immutable,
meaning once one is created, it is never changed. See
http://en.wikibooks.org/wiki/Python_Programming/Tuples
Notice parentheses are used instead of brackets.
67. Sets
Sets in Python are a type of mathematical collection that supports
set operations like unions, intersections, differences and more. See
http://en.wikibooks.org/wiki/Python_Programming/Sets
68. Types of Web Hacking
69. Web Attacks are the most common (from the 2010 ArcSight survey)
70. There are many hacks….
And more are discovered every day. For 2010, the Open Web
Application Security Project (OWASP) published the top ten web
hacks,
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project :
1) Injection Flaws
2) Cross Site Scripting (XSS)
3) Broken Authentication and Session Management
4) Insecure Direct Object Reference
5) Cross Site Request Forgery (CSRF)
6) Security Misconfiguration
7) Insecure Cryptographic Storage
8) Failure to Restrict URL Access
9) Insufficient Transport Layer Protection
10) Unvalidated Redirects and Forwards
71. SANS 2010 Top Cyber Security Risks
72. There are many Checklists….
Here are some checklists to help with the principles:
The ASP.NET Security Checklist
http://msdn.microsoft.com/en-us/library/ff648269.aspx
WebAppSec Excel checklist
http://img.a4apphack.com/dl/appsecchck-checklist.zip
SANS reading Web Security Checklist
http://www.sans.org/reading_room/whitepapers/securecode/security-checklist-web-application-design_1389
The Open Web Application Security Project Application
checklist is
http://www.sans.org/reading_room/whitepapers/securecode/security-checklist-web-application-design_1389
73. Checklists Principles seem the same…
All the checklists, regardless of programming languages, have
many of the same principles:
Find and validate all input. This includes URLs,
JavaScript, links, usernames and passwords, and
especially any field calling a database.
Never trust data in files, the network or database to be
secure. Encrypt anything important: passwords, SSNs,
configurations.
Never trust the source, be it customer or a service.
Authenticate, authorize and validate.
Whenever an abnormal behavior occurs, error check and
log.
Keep testing, as people of all skill levels will be testing
anything online and may try common threats.
74. SQL Injection (Most common Injection Flaw)
75. Intro to SQL Injection…
Many web pages communicate directly to a backend database for
processing.
For example, a username and password are asked for on the Web
page and the web page will pass them to the database to validate the
information.
Some applications will not validate the field adequately before
passing it to the database, and the database will process whatever it
receives.
Hackers will pass SQL commands directly to the database, and in
some cases tables like “passwords” are returned because the SQL
commands are not being filtered adequately.
SQL may return errors in the web page that even list the correct
tables to query so that the hacker may make more accurate attempts
to get data.
76. SQL Injection
SQL Injection is the ability to inject malicious SQL commands
into the backend code.
For example:
SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'
Passing ' OR 1=1-- in the USRTEXT field generates:
SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = 'PASSTEXT'
The OR 1=1 returns true and the rest is commented out.
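The query from this slide, reproduced against an in-memory SQLite database beside the parameterized fix. This is an added example, not code from the original slides; the sqlite3 backend, the table contents and the function names are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; store a salted hash in practice.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret"))
    conn.commit()
    return conn


def build_concatenated_query(usrtext, passtext):
    """Vulnerable: user input is pasted into the SQL text itself."""
    return ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
            % (usrtext, passtext))


def login_concatenated(conn, usrtext, passtext):
    """Vulnerable login check built from the concatenated query."""
    query = build_concatenated_query(usrtext, passtext)
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, usrtext, passtext):
    """Hardened: values are bound separately, so they can never become SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (usrtext, passtext)).fetchone() is not None


def login_safe_errors(conn, usrtext, passtext, log):
    """Parameterized check that logs database errors instead of displaying them."""
    try:
        return login_parameterized(conn, usrtext, passtext)
    except sqlite3.Error as exc:
        log.append("login query failed: %s" % exc)  # server-side log only
        return False


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"  # the input shown on the slide
    print(build_concatenated_query(payload, "PASSTEXT"))
    print("concatenated  :", login_concatenated(db, payload, "PASSTEXT"))
    print("parameterized :", login_parameterized(db, payload, "PASSTEXT"))
```

With bound parameters a lone quote is just an odd username, so the query neither matches nor raises a database error that could leak schema details to the page.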
77. Live sites…
There are live web sites that simulate banks and other businesses to
practice web hacking and test hacking tools against. They include:
Spi Dynamics - http://zero.webappsecurity.com/
Cenzic - http://crackme.cenzic.com/Kelev/view/home.php
WatchFire - http://demo.testfire.net/
HackThisSite - http://www.hackthissite.org/
NTO - http://hackme.ntobjectives.com/
Acunetix - http://testaspnet.acunetix.com/login.aspx
78. SQL Inj with Python
We are going to http://demo.testfire.net/bank/login.aspx , and
looking at the site, we will see that Username is the field “uid” and
Password is the field “passw”:
79. SQL Inj with Python
Running the following script will put a ‘ (tick) in uid and ‘ (tick) in
passw:
80. SQL Inj with Python
The results, OleDB errors
81. SQL Inj with Python
If we were to load the results in the browser:
82. SQL Inj with Python
The OleDB starts to give us enough information to start looking at
the database to see if we can get through. We can see that the field
in the database is “username”.
While Python simulates what we can do manually, automating the
process allows us to start looping through the website to find more
information faster.
83. Jython
84. Jython
If you installed NetBeans correctly, you would notice that Jython
was installed as well.
Jython, http://en.wikipedia.org/wiki/Jython , is Python for the Java
platform.
The language can be found at http://www.jython.org/ .
Python can run in a Java Virtual Machine (JVM) and call Java
Frameworks that will extend Python. Therefore, Python can run from
any machine that will run Java.
This also means that Java can be run from the Python Language.
Jython can be downloaded and installed from
http://www.jython.org/downloads.html
Installation Instructions are found at
http://wiki.python.org/jython/InstallationInstructions
85. Jython
After installing Jython by running the installation JAR, we run the
jython.bat (in XP) under the jython\bin directory.
It gives us a command prompt similar to Python, and now we can
run Java frameworks from the Python language. Here we will call the
Java Util package’s Date class:
86. Strings
87. Strings
A String is just a form of representing text.
A link for various functions in types, including strings is
http://docs.python.org/library/stdtypes.html .
We can use the python command line interpreter to fill in a string
variable “fred”:
88. Cases
We can check and set fred to a lower case:
Now upper:
89. Regex
90. Regex
Regex is short for Regular Expression, see
http://en.wikipedia.org/wiki/Regular_expression
Regex is simply a form of pattern matching on strings or text, and a
method of strings for finding these patterns.
A large library of various Regex expressions can be found at
http://www.regxlib.com/
A pattern for finding SSNs can be found at Regex Lib for the
following:
91. Regex
Let’s test the previous SSN Regex. It will show a “matched” string if
it matches (It matches):
Also see
http://www.tutorialspoint.com/python/python_reg_expressions.htm
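One way to use an SSN pattern defensively: scan text for SSN-shaped values and mask them before they reach a log. This is an added example, not the Regex Lib pattern or the code from the original slides; the pattern, the function names and the sample lines are assumptions (the sample data is constructed).

```python
import re

# Assumed pattern: NNN-NN-NNNN, rejecting values that were never issued:
# area 000, 666 or 900-999, group 00, serial 0000.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")

# Constructed sample input.
SAMPLE = """\
user=jdoe note="ssn 123-45-6789 on file"
user=asmith phone=555-123-4567
user=bad ssn=000-12-3456
user=kim ssn=900-11-2222 id=078-05-1120
"""


def find_ssns(text):
    """Return every SSN-shaped value that passes the structural checks."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def redact_ssns(text):
    """Mask all but the last four digits so the text is safe to log."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)


def scan_lines(text):
    """Return (line number, masked value) for each hit, for an audit report."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            hits.append((lineno, "***-**-" + m.group(3)))
    return hits


if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE):
        print("line %d: %s" % (lineno, masked))
    print(redact_ssns(SAMPLE))
```

The phone number and the two structurally invalid values are skipped, which keeps false positives down when the same pattern is run over large files.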
92. Regex Cheatsheet
There are many Cheat Sheets to help people learning Regex, one
of my favorites is at http://regexlib.com/CheatSheet.aspx :
93. Secret Writing (Encryption)
94. Who’s seeing your data?
Data at rest and in transit can be at risk to prying eyes.
When a system is in production, and especially on the Internet,
there is no guarantee that you know who is watching the data
transmitted between the user and the server. This may also apply to
the Local Area Network as well.
Never take it for granted that access cannot be broken.
Always use common algorithms that come with Python, Java or
C#.
Common algorithms are tested well and are vetted by millions.
Keep the keys as secure as the data, because they can unlock the
data.
Homemade encryption algorithms may end up costing more than
standard encryption because the algorithm may be broken.
95. One-way Hash Algorithms
There are two common types of one-way hash algorithms,
Message Digest 5 (md5), and Secure Hash Algorithm 1
(sha1).
The one-way hash generates a fixed size hash from some
given data of any size.
The data cannot be reverse engineered from the hash,
hence one-way.
The same data generates the same hash sum.
Different data generates different hash sums.
(Note: In rare cases, called collisions, different data generates the
same sum.)
96. Md5
Message Digest 5 (md5) will take data input and generate a
128 bit hash sum.
The 128 bit hash sum can be used to check whether there has
been tampering of data or a file.
A common comparison is to store hashes in a table instead
of the original password. Instead of checking the
password, compare the hash of the password, so that the
password does not have to be stored, and only a hash is
used to check the original password. Therefore the
original password is never stored or seen, only the hash.
97. Md5
Notice that the same values being hashed produce the
same hash:
98. Sha1
Secure Hashing Algorithm 1 (Sha1) will take any size byte
array and produce a 160 bit hash sum, sometimes called a
message digest.
Other SHA’s are SHA224 (224 bits), SHA256 (256 bits),
SHA384 (384 bits), and SHA512 (512 bits), each one
denoting the size in bits of the message digest.
99. Sha1
Only changed 2 lines of code from Md5:
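The hash properties from the Md5 and Sha1 slides, checked with Python's hashlib: digest sizes, a file tamper check, and the stored-hash password comparison. This is an added example, not the code from the original slides, and it goes beyond them in one respect: the password functions use salted PBKDF2-HMAC-SHA256 rather than a bare md5, because md5 and sha1 have practical collision attacks and a fast unsalted hash is cheap to guess against. All function names are assumptions.

```python
import hashlib
import hmac
import os


def digest_bits(name):
    """Size of the message digest in bits for a named algorithm."""
    return hashlib.new(name).digest_size * 8


def hexdigest(name, data):
    """Hash bytes with the named algorithm; same data gives the same sum."""
    return hashlib.new(name, data).hexdigest()


def file_digest(path, name="sha256", chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(name)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_unchanged(path, known_hexdigest, name="sha256"):
    """Tamper check: compare the current digest with a previously recorded one."""
    return hmac.compare_digest(file_digest(path, name), known_hexdigest)


def hash_password(password, salt=None, rounds=200000):
    """Return (salt, rounds, derived key) to store instead of the password."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, rounds, key


def verify_password(password, salt, rounds, stored_key):
    """Recompute the key from the attempt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(key, stored_key)


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha224", "sha256", "sha384", "sha512"):
        print("%-7s %3d bits  %s" % (algo, digest_bits(algo),
                                     hexdigest(algo, b"abc")))
    salt, rounds, key = hash_password("correct horse")
    print("right password:", verify_password("correct horse", salt, rounds, key))
    print("wrong password:", verify_password("wrong horse", salt, rounds, key))
```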
100. AES
The National Security Agency (NSA) updated their algorithm in
2001 to the Advanced Encryption Algorithm (AES) for Top Secret
information from the Data Encryption Standard in 1975.
The Rijndael algorithm was selected, developed by two Belgian
cryptographers, Joan Daemen and Vincent Rijmen.
The NIST adapted the variable key space into 128, 192, or 256 bits
as FIPS 197 and called it AES.
AES is a symmetric key algorithm, meaning that the same key is
used to both encrypt and decrypt.
To use AES algorithm in Python, a library like the PyCrypto module
has to be installed, one can be found at
http://www.voidspace.org.uk/python/modules.shtml#pycrypto
101. Python Crypto Modules
There are several Crypto modules for Python, PyCrypto seems to
be very popular and supports many algorithms, but for a 2010
comparison of many of the popular modules, please see
http://mikeivanov.com/pc/python-crypto.pdf
102. AES Python Code
Initializing an Initialization Vector for AES, and the password, Cipher
Mode, and Salt. They must match on both sides:
103. RSA
The most important Asymmetric algorithm to understand is the
Rivest-Shamir-Adleman (RSA). It is named after the MIT
mathematician inventors in 1978.
The Asymmetric algorithm can generate key pairs, one private key
for encrypting, and its pair is handed out for decryption to more
people, the public key.
The key pair is formulated from a pair of prime numbers using a
modulus equation so that the keys become linked to each other;
therefore only pieces of the formula need to be exchanged and not the
complete keys, and each side calculates only the part that it uses.
104. RSA Keys, a simple example
1) Choose two prime numbers p and q.
p = 61 and q = 53.
2) Compute n = pq, n = 61 * 53 = 3233.
3) Compute the totient φ(n) = (p – 1)(q – 1) =
(61 -1) * (53 – 1) = 3120.
4) Choose a coprime e (like 17) that is not a divisor of the totient.
5) Compute d such that e*d mod φ(n) = 1.
17 * 2753 (d) = 46801, 46801 mod 3120 = 1.
public key = (e, n) = (17, 3233)
private key = (d, n) = ( 2753, 3233)
105. RSA Keys, a simple encrypt/decrypt
public key = (e, n) = (17, 3233)
private key = (d, n) = (2753, 3233)
To compute the ciphertext we use
C = P^e (mod n).
For example, P = 65 and is the letter ‘H’.
C = 2790 = 65^17 mod 3233.
Back to Plaintext, P = C^d mod n.
P = 65 = 2790^2753 mod 3233. Which returns 65 for ‘H’.
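The key generation and encrypt/decrypt steps from the last two slides, carried through in Python with the same numbers. This is an added example, not the program from the original slides; the function names are assumptions, and it is textbook RSA with toy primes and no padding, so it shows the arithmetic only.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def make_keys(p, q, e):
    """Steps 2-5: n = p*q, totient, check e, solve e*d mod totient = 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        # Step 4: e must share no factor with the totient or d does not exist.
        raise ValueError("e=%d is not coprime to the totient %d" % (e, phi))
    d = x % phi
    return (e, n), (d, n)


def encrypt(plain, public_key):
    """C = P^e mod n, using three-argument pow for modular exponentiation."""
    e, n = public_key
    if not 0 <= plain < n:
        raise ValueError("message must be in the range 0..n-1")
    return pow(plain, e, n)


def decrypt(cipher, private_key):
    """P = C^d mod n."""
    d, n = private_key
    return pow(cipher, d, n)


if __name__ == "__main__":
    public, private = make_keys(61, 53, 17)
    print("public key :", public)
    print("private key:", private)
    c = encrypt(65, public)
    print("ciphertext :", c)
    print("plaintext  :", decrypt(c, private))
```

Real keys use primes hundreds of digits long and a padding scheme from a vetted library; without padding, equal plaintexts always give equal ciphertexts.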
106. RSA
Using an RSA Python program from
http://www.prasannatech.net/2008/09/rsa-encryption-algorithm-large-integers.html,
we can perform these complex calculations. The
program selected e = 7 as the quotient (Python helps with complex
calculations):
107. RSA
Here’s an RSA example with PyCrypto, similar to the AES sample:
108. Files
109. Files
Reading and writing files is a basic fundamental of a programming
language.
Many of the functions for File I/O will simply be a read or write
function using a File class.
Some of this can be referenced from the Python documentation at
http://docs.python.org/tutorial/inputoutput.html
110. Writing a File
111. Reading a File
112. Directory
Python is really handy for doing directory structure traversal.
Some of the available file and directory routines can be seen at
http://docs.python.org/release/2.5.2/lib/os-file-dir.html
Here’s a quick program that lists directories; it takes the directory as
an argument (I used “.” for the current one, and wrote it in Notepad++):
113. XML
114. Extensible Markup Language (XML)
XML is a specification for creating custom markup languages.
An example of a language that XML can create is Hypertext Markup
Language (HTML). HTML is the markup language for displaying
web pages.
XML is very flexible because it uses tags to describe data elements:
<book>This is a book... </book>
An XML file is commonly used to transfer language elements over
HTTP in the form of Web Services or AJAX.
The XML file must also contain the proper header information to
state the XML version and encoding scheme:
<?xml version="1.0" encoding="UTF-8"?>
There are several types of parsers for XML but the basic types are
Document Object Model (DOM) and Simple API for XML (SAX).
115. HTMLParser
HTML is one of the languages generated from XML. In other
words, HTML is a meta-language and a subset of XML.
XML creates the HTML grammar from its specific Document Type
Definition (DTD).
Python includes an HTMLParser, see
http://docs.python.org/library/htmlparser.html
Let’s parse (looks like XML):
116. HTMLParser
This is why Python is powerful, not a lot of code:
117. Running HTMLParser
Running it, the program prints the start and end tags:
118. SAX
SAX is the Simple API for XML; Python provides it in the
xml.sax module, see http://docs.python.org/library/xml.sax.html
It basically opens the XML file with an XML reader, and passes the
file to a handler.
The handler will traverse the XML file, parsing the tags for specific
input until it finishes with the file.
SAX operates on the individual tags, whereas DOM operates on the
document as a whole; see
http://en.wikipedia.org/wiki/Simple_API_for_XML
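The reader and handler flow described above, as an added example for parsing XML that comes from an untrusted source (it is not the slide's own program). The sample document, the title/author layout and the class and function names are constructed for illustration; the reader is configured to skip external entities and to refuse any DOCTYPE.

```python
import io
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

# Constructed sample input; the slide's own library.xml is not on the page.
LIBRARY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<library>
  <book><title>Dune</title><author>Frank Herbert</author></book>
  <book><title>Emma</title><author>Jane Austen</author></book>
</library>"""


class BookHandler(ContentHandler):
    """Collects (title, author) pairs as the reader streams through the tags."""
    def __init__(self):
        super().__init__()
        self.books, self._text, self._current = [], [], {}
    def startElement(self, name, attrs):
        self._text = []                       # start collecting this tag's text
    def characters(self, content):
        self._text.append(content)            # text may arrive in several chunks
    def endElement(self, name):
        if name in ("title", "author"):
            self._current[name] = "".join(self._text).strip()
        elif name == "book":
            self.books.append((self._current.get("title"),
                               self._current.get("author")))
            self._current = {}


class RejectDoctype:
    """Lexical handler that refuses any DTD, so no entities can be declared."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted")
    def endDTD(self): pass
    def comment(self, text): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse_books(data):
    """Parse XML bytes and return the list of (title, author) tuples."""
    reader = xml.sax.make_parser()
    reader.setFeature(feature_external_ges, False)  # no external general entities
    reader.setFeature(feature_external_pes, False)  # no external parameter entities
    reader.setProperty(property_lexical_handler, RejectDoctype())
    handler = BookHandler()
    reader.setContentHandler(handler)
    reader.parse(io.BytesIO(data))
    return handler.books

if __name__ == "__main__":
    print(parse_books(LIBRARY_XML))
```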
119. SAX
Looking at a library.xml:
120. SAX
The file for parsing out the book and author tags:
121. SAX
Running the file:
122. DOM
Document Object Model (DOM) is the XML parsing technique used
by most browsers, see
http://en.wikipedia.org/wiki/Document_Object_Model
The DOM parser uses a Document Type Definition file that defines
the elements in the XML file that makes up the markup language.
The program loads the entire file into a structured hierarchy,
usually storing elements in a tree collection.
DOM requires more RAM because it loads the whole file into memory at
once.
Python makes use of minidom, a lightweight DOM implementation
using the “xml.dom.minidom” module, see
http://docs.python.org/library/xml.dom.minidom.html
123. DOM
Let’s parse out “books.xml”:
124. DOM
We will use “pprint”, the data pretty printer, to print the data; see
http://docs.python.org/library/pprint.html .
The code to parse it may look something like:
125. DOM
Running the program will produce the following, which is a
printout of the different elements:
126. Databases
127. Databases
Writing and reading from a database is a rudimentary skill of any
programming language, and Python works with most common
databases, see http://wiki.python.org/moin/DatabaseProgramming/
and http://wiki.python.org/moin/DatabaseInterfaces
128. SQLite3
Whenever possible, I like to use SQLite3,
http://en.wikipedia.org/wiki/SQLite, simply because there is a lot of
iPhone and Android support if I want to make my App mobile.
The Python documentation for Sqlite3 can be found at
http://docs.python.org/py3k/library/sqlite3.html
129. SQLite3
Here we create a sample.db, add a text value (like “one”) and an integer (like 1),
and read the rows:
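An added example (not the slide's own program) of the create, insert and read steps with Python's sqlite3 module, using an in-memory database instead of sample.db so that it leaves no file behind. The table name numbers, the function names and the crafted input are constructed for illustration; the two lookup functions contrast a string-built query with a bound parameter.

```python
import sqlite3


def make_db(path=":memory:"):
    """Create the sample table and insert text/integer pairs with placeholders."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS numbers (name TEXT, value INTEGER)")
    conn.executemany("INSERT INTO numbers (name, value) VALUES (?, ?)",
                     [("one", 1), ("two", 2), ("three", 3)])
    conn.commit()
    return conn


def read_rows(conn):
    """Read every row back, ordered by the integer column."""
    return conn.execute(
        "SELECT name, value FROM numbers ORDER BY value").fetchall()


def lookup_unsafe(conn, name):
    """Weak form: the value is pasted into the SQL text and parsed as SQL."""
    return conn.execute(
        "SELECT name, value FROM numbers WHERE name = '%s'" % name).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value is bound to a placeholder and stays data."""
    return conn.execute(
        "SELECT name, value FROM numbers WHERE name = ?", (name,)).fetchall()


# Constructed input: a "name" that contains a quote and a boolean clause.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("rows:   ", read_rows(db))
    print("unsafe: ", lookup_unsafe(db, CRAFTED))   # every row comes back
    print("safe:   ", lookup_safe(db, CRAFTED))     # no row has that name
    db.close()
```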
130. SQLite3
It did create a sample.db file that is the database:
131. SQLite3
Just reading the rows:
132. MySQL
We are going to install MySQL and the Python module for MySQL,
http://www.codegood.com/archives/4 .
MySQL is a free open source database that can run as a service and is more
relational for production use. See
http://en.wikipedia.org/wiki/MySQL .
Install MySQL from http://www.mysql.com/downloads/mysql/
Here is an example to create the myTestAppDB:
mysql> create database myTestAppDB character set utf8;
Here is an example to create user “myUser” with password “XXXXXXXX”:
• mysql> CREATE USER 'myUser'@'localhost' IDENTIFIED BY 'XXXXXXXX';
• mysql> GRANT ALL PRIVILEGES ON *.* TO 'myUser'@'localhost' WITH GRANT OPTION;
133. MySQL
To test to see if the MySQLdb module is installed, we will check the
version of MySQL. An error will return if the library is not set up
correctly.
134. MySQL
Now we are going to create an animal table and 4 rows of animals,
see http://www.kitebird.com/articles/pydbapi.html .
135. Network Programming
136. Network Programming
A good tutorial on network programming in Python can be found at
http://heather.cs.ucdavis.edu/~matloff/Python/PyNet.pdf .
Python uses sockets, very similar in convention to Windows and
Java socket programming.
Socket programming involves first creating a socket server that will
have a base port number to listen on and accept incoming
connections. This is a connection-oriented socket, i.e. TCP.
An incoming connection is generated from the client, which will create a
socket, connect to the server’s host address and port number, and
send information to the server.
Sockets were originally derived from Berkeley sockets,
http://en.wikipedia.org/wiki/Berkeley_sockets .
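The server and client roles described above, as an added example (not code from the slides) that runs both sides in one process on the loopback address. The function names, the "echo: " reply format, the 5-second timeout and the 1024-byte limit are assumptions chosen for illustration.

```python
import socket
import threading

MAX_MESSAGE = 1024   # assumed upper bound on bytes the server reads per client


def start_echo_server(host="127.0.0.1", port=0):
    """Listen on loopback only; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # TCP
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


def _accept_loop(srv):
    while True:
        try:
            conn, _addr = srv.accept()
        except OSError:              # the listening socket was closed
            return
        threading.Thread(target=_handle, args=(conn,), daemon=True).start()


def _handle(conn):
    with conn:
        conn.settimeout(5.0)                    # drop clients that stall
        try:
            data = conn.recv(MAX_MESSAGE)       # never read past the bound
            if data:
                conn.sendall(b"echo: " + data)
        except OSError:                         # timeout or reset by the peer
            pass


def send_message(port, message, host="127.0.0.1"):
    """Client side: create a socket, connect, send, and read the full reply."""
    with socket.create_connection((host, port), timeout=5.0) as cli:
        cli.sendall(message)
        cli.shutdown(socket.SHUT_WR)            # signal the end of the request
        chunks = []
        while True:
            chunk = cli.recv(4096)
            if not chunk:                       # server closed the connection
                break
            chunks.append(chunk)
        return b"".join(chunks)

if __name__ == "__main__":
    server, chosen_port = start_echo_server()
    print(send_message(chosen_port, b"hello"))
    server.close()
```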