So you think the systems at your employer can actually use a little bit more security? Or what about your own system to gain more privacy? In this talk, we discuss the reasons for Linux server and system hardening. First we learn why we should protect our crown jewels, and what can go wrong if we ignore information security. Next is getting a better understanding of the possible resources we can use. And since system hardening can be time-consuming, we discuss some tools to help in the system hardening quest.
A file structure should follow a required format that the operating system can understand.
A file has a certain defined structure according to its type.
A text file is a sequence of characters organized into lines.
A source file is a sequence of procedures and functions.
An object file is a sequence of bytes organized into blocks that are understandable by the machine.
File Type
File type refers to the ability of the operating system to distinguish different types of files, such as text files, source files and binary files. Many operating systems support many types of files. Operating systems like MS-DOS and UNIX have the following types of files:
Ordinary files
These are the files that contain user information.
These may contain text, databases or executable programs.
The user can apply various operations on such files like add, modify, delete or even remove the entire file.
Directory files
These files contain a list of file names and other information related to those files.
Special files
These files are also known as device files.
These files represent physical devices like disks, terminals, printers, networks, tape drives, etc.
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Anne Nicolas
As the name would suggest, a Non-Maskable Interrupt (NMI) is an interrupt-like feature that is unaffected by the disabling of classic interrupts. In Linux, NMIs are involved in some features such as performance event monitoring, hard-lockup detector, on demand state dumping, etc… Their potential to fire when least expected can fill the most seasoned kernel hackers with dread.
AArch64 (aka arm64 in the Linux tree) does not provide architected NMIs, a consequence being that features benefiting from NMIs see their use limited on AArch64. However, the Arm Generic Interrupt Controller (GIC) supports interrupt prioritization and masking, which, among other things, provides a way to control whether or not a set of interrupts can be signaled to a CPU.
This talk will cover how, using the GIC interrupt priorities, we provide a way to configure some interrupts to behave in an NMI-like manner on AArch64. We’ll discuss the implementation, some of the complications that ensued and also some of the benefits obtained from it.
Julien Thierry
Someone deployed their application as a Docker container. Then another someone came along and hacked it. Then everyone starts looking at you asking, "How did this happen?"
This talk goes into how to extract the forensic artifacts of a Docker container, both when it is still running on a live system (easy) and when you must start from a cold disk image (harder).
A cheatsheet of the high points of this talk is also available here: https://www.didactic-security.com/resources/docker-forensics-cheatsheet.pdf
The video of this presentation at BSides RDU 2018 is online here: https://youtu.be/esj_NoTsywU?t=3667
Linux is considered to be a secure operating system by default. Still, there is a lot to learn about system hardening and technical auditing. This 1-hour presentation explains the need for hardening and auditing of your systems. We also discuss some additional documents and tools to further help this endeavor.
This presentation is suitable for both beginners and those with experience in system hardening.
https://www.enoinstitute.com/training-tutorials-courses/cyber-threat-hunting-training-ccthp/ Learn how to find, assess, and remove threats from your organization in our Certified Cyber Threat Hunting Training (CCTHP) designed to prepare you for the Certified Cyber Threat Hunting Professional (CCTHP) exam.
In this Cyber Threat Hunting Training (CCTHP) course, we will deep dive into threat hunting: searching for threats and mitigating them before the bad guys pounce. We will also craft a series of attacks to check the enterprise security level and hunt for threats. An efficient threat hunting approach towards networks, web, cloud, IoT devices, command and control channels (C2), web shells, memory and the OS will help you gain a new level of knowledge and carry out all tasks completely hands-on.
RESOURCES:
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2020 Edition By Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2019 Edition By: Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Hunting Cyber Criminals: A Hacker’s Guide to Online Intelligence Gathering Tools and Techniques 1st Edition by Vinny Troia/Amazon.com
Cyber Threat Hunting Training: Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer by Muniz Joseph and Lakhani Aamir/Amazon.com
CUSTOMIZE It:
We can adapt this Cyber Threat Hunting Training (CCTHP) course to your group’s background and work requirements at little to no added cost.
If you are familiar with some aspects of this Cyber Threat Hunting (CCTHP) course, we can omit or shorten their discussion.
We can adjust the emphasis placed on the various topics or build the Cyber Threat Hunting Training (CCTHP) around the mix of technologies of interest to you (including technologies other than those included in this outline).
If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Cyber Threat Hunting Training (CCTHP) course in a manner understandable to lay audiences.
Securing Infrastructure with OpenScap The Automation Way !!
Jaskaran Narula
The Security Content Automation Protocol (SCAP) is a collection of standards managed by the National Institute of Standards and Technology (NIST). It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise. The audience will also get a good view of Foreman, and of how OpenSCAP can be integrated with Foreman to become more useful and efficient to use.
The Top 10 Windows Log Event IDs Used v1.0
Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the top 10 events (and more) you must have enabled, configured and alerting on.
LOG-MD
MalwareArchaeology.com
Slides from my talk at WordCamp Kansai 2014.
Assuming that the code is managed in Git, I introduced a more stress-free deployment workflow that takes advantage of it. What I covered were tools, services, and the full-stack toolkits that have recently been attracting attention overseas.
Slide from my presentation at WordCamp Kansai 2014 (7 June 2014), titled "Considering WordPress Site Deployment - utilizing Git and Deployment Services-"
The Amazing Toolman - Mastering the tools and propose a hackable "Swiss Army ...
SYUE-SIANG SU
Web technology has evolved from a collection of simple, static pages to fully dynamic applications, and applications are getting more complex than they used to be. Besides, most big firms, such as Google and Facebook, are still suffering from lots of attacks involving web technology. Therefore, web security has grown in importance in this age.
Imagine being a well-trained expert in web security: there is still a lot of dirty work that has to be done manually when you are penetrating a website, such as finding potential entry points or probing possible attack vectors. Thus, an experienced expert will take advantage of some handy tools in order to deal with this work.
Many tools are out there; however, many of them actually do the same thing, or are even just a clone of another project with a little modification. Hence, we have to choose the best tools among them wisely. In addition, we have no way of using these tools comfortably at once. We often have to open these tools everywhere, in every corner, and toggle them respectively.
In this slide, I will introduce some handy tools, and then propose a hackable "Swiss Army Knife" security framework for the 21st century. This framework can be used in conjunction with existing tools like Burp, Docker, etc., and also with plenty of the web extensions you often use on Chrome and Firefox. In addition, we can control and manage the WebExtension APIs as well, and therefore we can catch the snitch inside web extensions more easily.
1. TSURUGI Linux
the sharpest weapon in your DFIR arsenal
TLP WHITE tsurugi-linux.org
Giovanni 'sug4r' Rattaro
@tsurugi_linux
2. $WHOAMI (Profile)
GIOVANNI 'sug4r' RATTARO
• IT SECURITY CONSULTANT @
• Italian staff member of the old << back|track Linux project
• Ex developer of DEFT Linux
• DFIR teacher for fun & profit
• TSURUGI Linux core developer
• (…)
11. TSURUGI LINUX [LAB]
• For educational and/or professional use
• DFIR / OSINT / Malware Analysis
• 64-bit Linux distribution
• Based on UBUNTU 16.04 LTS
• Last stable kernel 4.18.5
24. KERNEL WRITE BLOCKER
At present, there are no universal ways to mount a file system truly read-only in [vanilla] Linux.
For example, mounting a file system with the "ro" option doesn't guarantee that a kernel driver will not write to the corresponding block device (according to the mount man page):
mount -o ro /dev/sda1 /mnt/sda1/
25. KERNEL WRITE BLOCKER
To mount a truly read-only locked device with a corrupted file system, it's possible to use the "noload" mount option to disable recovery and/or journaling operations:
mount -o ro,noload /dev/sda1 /mnt/sda1/
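The helper below is added here and is not from the Tsurugi Linux slides; it wraps the mount command above so the image sits behind a read-only loop device, is mounted with ro,noload, and the resulting /proc/mounts entry is parsed to confirm the kernel actually recorded those options. The image path, mount point and the sample /proc/mounts excerpt are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Tsurugi Linux slides. Mounts a disk image for
# examination behind a read-only loop device with ro,noload and then confirms
# from /proc/mounts that the kernel recorded those options. Paths and the
# sample /proc/mounts excerpt below are constructed assumptions.

# check_mount_opts MOUNTPOINT MOUNTS_TEXT
# Returns 0 when the /proc/mounts line for MOUNTPOINT lists both "ro" and
# "noload" as whole options; 1 when the line is missing or lacks one of them.
# MOUNTS_TEXT uses the /proc/mounts layout: dev mountpoint fstype opts dump pass.
check_mount_opts() {
    mnt="$1"
    mounts="$2"
    opts=$(printf '%s\n' "$mounts" | awk -v m="$mnt" '$2 == m { print $4; exit }')
    [ -n "$opts" ] || return 1
    for want in ro noload; do
        # Surround with commas so "ro" does not match inside "errors=remount-ro".
        case ",$opts," in
            *,"$want",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# forensic_mount IMAGE MOUNTPOINT   (needs root)
#  - losetup --read-only exposes the image through a loop device that refuses
#    writes at the block layer, independent of what the file system driver does;
#  - ro,noload keeps ext3/ext4 from replaying the journal at mount time;
#  - noexec,nosuid,nodev stop anything on the evidence from being executed.
forensic_mount() {
    image="$1"
    mnt="$2"
    loop=$(losetup --find --show --read-only "$image") || return 1
    mkdir -p "$mnt"
    if ! mount -o ro,noload,noexec,nosuid,nodev "$loop" "$mnt"; then
        losetup -d "$loop"
        return 1
    fi
    check_mount_opts "$mnt" "$(cat /proc/mounts)"
}

# Constructed /proc/mounts excerpt so the check can be exercised without root.
SAMPLE_MOUNTS='/dev/loop0 /mnt/evidence ext4 ro,noload,noexec,nosuid,nodev,relatime 0 0
/dev/sda2 / ext4 rw,errors=remount-ro,relatime 0 0'

if check_mount_opts /mnt/evidence "$SAMPLE_MOUNTS"; then
    echo "/mnt/evidence: read-only, journal replay disabled"
fi
```

Hashing the image file before and after the examination session is a cheap extra proof that nothing reached it.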
36. TSURUGI ACQUIRE
• 32-bit Linux distribution
• Live minimal version
• Only for “disk acquisition”
• KERNEL WRITE BLOCKER
• Autoscaling for Retina/4K display
43. NEXT STEPS & OUR ROADMAP
• Push ready-to-download Virtual Machines (please, we need your feedback!)
• Put the last development build online
• Create documentation about the Tsurugi Linux project and free training courses
• System upgrade to the 18 LTS version
• Build an official repository to push custom updates
• New amazing feature! (Use Tsurugi Linux and try to find the hint…)
• Sleep… ☺