Conferences
upSploit
by tmac on Jun.11, 2010, under Conferences, Interviews, Personal, Projects
As some of you may have seen on Twitter, I have been working on a new project this summer called upSploit. I am due to give a lightning talk at BruCON 2010 about the project and hopefully will be talking about it at AppSec Ireland in September too, CFP permitting.
The project is my brainchild, and the beta version (the date of which will be announced early next month) is down to the hard work of both myself and Duncan Alderson – @Webantix.
Without revealing any information now, I hope to get you readers on edge for what is going to be a great project to work on in the future and something I hope will help a lot of people.
The official announcement is going to be given on the 1st July 2010, both with a number of blog posts describing the service and hopefully a couple of interviews on some better known security podcasts. Please keep your eye on my blog for more information about upSploit, and if you want to get involved once the announcement has been made, contact us at info [AT] upsploit [DOT] com

the beta logo
Dundee Talk
by tmac on Apr.09, 2010, under Conferences, Guest speakers, Interviews, Personal, Projects
Last night I gave a new talk that I have been working on called Web Application Security using DVWA.
The aim of the talk was to get the audience familiar with the DVWA project and how it can be used not to learn how to exploit, but to learn how to stop attackers compromising the web application.
The talk consisted of three parts. I talked about myself slightly and introduced what I do. I then went on to talk about the DVWA project: what it is, what is happening to it, what it does, how it works and who created it. Finally I talked about the command execution vulnerability and reflected cross-site scripting, and how the low, medium and high security levels can help a web developer secure the web app and understand how applications can be vulnerable to attack.
There were some good questions asked at the end and thankfully I could answer them all.
All in all I thought the talk went really well. There are a few things that I need to tweak slightly for future talks, but apart from that I now have my first talk that I can give at other conferences/user groups. So if anyone is reading this and would like to hear the talk at their conference or user group, drop me a tweet @tmacuk or an email at tmac<—@—>tmacuk.co.uk and we can arrange for me to come and give the talk.
The talk was recorded and I will upload it as soon as possible.
Cheers,
Update/Apologies/Travels
by tmac on Mar.28, 2010, under Conferences, Guest speakers, Personal, Projects
Preamble
First of all, please allow me to apologize for my lack of updates to the blog. I have been super busy; what with work/university/a small project, I haven’t had time to think about anything else.
The aim of this post is to let you know what I have been up to, what I am getting up to soon and my plans for the future up until September. After this blog post, I will aim to get a more technical one released by Friday at the latest.
RandomStorm
Back on the 23rd of February I posted this blog post: http://tmacuk.co.uk/?p=204. I started work on the 1st of March and have been super busy with work. It has been a great first month and I have really enjoyed myself. The company is amazing, always there to give you a hand when you need it, and the employees are just as great. So thanks guys for a great first month. I am looking forward to next month, after my exams, when I can begin to work full time over the summer.
University
So recently University has got a whole lot harder. I have an assignment due in on Wednesday for Networking Technology, an assignment in which we have to compare the results of a wired and a wireless network, both simulated and real life. The problem isn’t comparing the results, or even creating these networks, the problem is the simulation package. The university have apparently spent 100k on a piece of software named ITGURU. ITGURU is shit. Well actually, let me rephrase that: ITGURU is good, if we were told how to use it. I feel at the moment we have just been chucked the software and told “there you go, make me something by the end of the month”. It isn’t just me, the whole class is feeling the strain, and the problem is that we cannot ask for an extension because it is the end of term!
I also have another two assignments due in for the end of April, which seems stupid as we break up for Easter on Thursday, come back for a week at the end of April, and then that is it, unless we have exams. ONE WEEK where I have to go into University, when instead I could be earning myself some money for the places I am planning on going, which I will talk about next.
Traveling/Conferences
- So starting from this month up until September it looks like I will be getting over my fear of flying. I am planning on going to a few local meetings and then starting to branch out from the 16th of April.
- Tomorrow I will be attending SuperMondays http://www.supermondays.org – John Lunn from PayPal will be coming to talk about mobile payments. John has worked within fraud systems for over 15 years and I hope to learn some things about the security PayPal incorporate into their mobile payment systems.
- I will be spending a week with my girlfriend in the peak district (where she lives) from the 1st April.
- On April 8th I will be heading to Dundee to go and speak at a LUG and possibly at the University, but that is still being decided. More information further down.
- On the 16th of April I will be flying out to Dublin, Ireland. I am going to the LiveCD training there:
“This CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This presentation aims to provide a showcase for the great OWASP tools and documentation materials available in the CD, tips and tricks, and also some introductory stuff regarding code review and penetration testing. Training is aimed at introductory/intermediate level in terms of pen testing, code review and tools.”
- On April 21st I will be attending NEBytes http://www.nebytes.net/ for a presentation on Office 2010 and SQL injection attacks and defense.
- I may be heading off to London on the 28th/29th of April for the last day of InfoSec http://www.infosec.co.uk/, but that all really depends on whether work say it is worth me going.
- Hopefully sometime in between this and the next con I will be going away somewhere Spanish with my girlfriend.
- On the 3rd of September I am going to Ireland again, this time for a couple of days to attend Ireland AppSec – http://www.owasp.org/index.php/Ireland
- Then the best one
BRUCON!!!! http://2010.brucon.org – I AM SO EXCITED! 24-25th of September.
Projects
So recently I have been spending a lot more time on DVWA, for reasons to follow below. In fact today I found a small bug in one of the vulnerabilities and fixed it; that will be released in the next version. I have also, with the help of Robin Wood, written a sign-up script for DVWA, and Ryan and myself are talking about whether that could be included as a vulnerability.
I have also been working a lot on tracsec recently, yesterday being a great interview with Janis Sharp – Gary McKinnon’s mother.
Speaking
As mentioned above I will be travelling up to Dundee on the 8th April to go and speak at a LUG. My talk is called Web Application Security using DVWA and contains the following:
“Web Application Security with DVWA – Thomas MacKenzie
The talk is going to consist of three sections.
The first section is going to be a brief introduction about myself, my background and how I first got into this line of work.
The second section is going to look at DVWA, which is an open source web application created by Ryan Dewhurst and has recently been acquired by RandomStorm LTD. DVWA stands for Damn Vulnerable Web Application and was created as an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications and to aid teachers/students to teach/learn web application security in a classroom environment.
The third section is going to look at specific web application vulnerabilities i.e. SQL Injection and Cross Site Scripting, how they work and how they can be prevented. DVWA incorporates a high security level which will be used here to present what security should be in place in that particular environment.”
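To give a feel for what the low/medium/high levels in a talk like this actually demonstrate, here is an added example (mine, written for this post; it is not DVWA’s own PHP, and the filters are my approximation of the pattern rather than DVWA’s exact code). It models a DVWA-style “ping a host” page: the low level pastes user input into a shell command line, the medium level strips a couple of separators and can still be walked around with `|`, and the high level only accepts a real IPv4 address and builds an argument vector so no shell ever parses it. The payloads are constructed for the example and nothing is actually executed; `injectable()` just reports whether a shell metacharacter survived into the command.

```python
import ipaddress
import re

# Constructed sample inputs for a DVWA-style "ping a host" page.
# These are illustrative payloads made up for this example.
SAMPLES = {
    "benign": "127.0.0.1",
    "semicolon": "127.0.0.1; cat /etc/passwd",
    "pipe": "127.0.0.1 | cat /etc/passwd",
}

# Characters a POSIX shell treats as command separators or substitutions.
# If any of them reaches a string command line, the attacker chooses what runs.
SHELL_META = re.compile(r"[;&|`$()<>\n]")


def low(target):
    """Low: the user's input goes straight into a shell command line."""
    return "ping -c 3 " + target


def medium(target):
    """Medium: strip a couple of separators (my approximation of a blacklist).
    A blacklist is easy to step around; '|' is not on the list, so
    'host | cmd' still gets through."""
    for bad in ("&&", ";"):
        target = target.replace(bad, "")
    return "ping -c 3 " + target


def high(target):
    """High: allow-list. Only a syntactically valid IPv4 address is accepted,
    and the command is returned as an argument vector (for subprocess.run
    without shell=True), so the shell never sees the input at all."""
    try:
        ip = ipaddress.IPv4Address(target.strip())
    except ValueError:
        raise ValueError("rejected: not an IPv4 address")
    return ["ping", "-c", "3", str(ip)]


def injectable(cmd):
    """True if a shell metacharacter survived into a string command line.
    Argument vectors (lists) are never handed to a shell, so they are safe."""
    if isinstance(cmd, list):
        return False
    return SHELL_META.search(cmd) is not None


def evaluate(level):
    """Run every sample through one level.
    Returns {sample name: 'injected' | 'rejected' | 'clean'}."""
    results = {}
    for name, payload in SAMPLES.items():
        try:
            cmd = level(payload)
        except ValueError:
            results[name] = "rejected"
            continue
        results[name] = "injected" if injectable(cmd) else "clean"
    return results


if __name__ == "__main__":
    for lvl in (low, medium, high):
        print(lvl.__name__, evaluate(lvl))
```

The point the levels make is the one a developer needs: the medium blacklist “fixes” the `;` payload but not the `|` one, while the high allow-list plus argument-vector approach rejects anything that isn’t an address and gives the shell nothing to interpret.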
I may be giving a similar talk at Abertay Dundee University to the third year students, however as said above this is still being decided.
If anyone is interested in hearing the talk, or would like me to do the same talk somewhere drop me an email at tmac<~~@~~>tmacuk.co.uk
Cheers
tmAcUK
p.s. if someone can suggest somewhere else to travel to for a con etc. that is relatively cheap, let me know.
Speakers (4/4)
by tmac on Nov.23, 2009, under Conferences, Guest speakers
So after blogging about all of the speakers that came to the University I thought I would conclude. To be honest, the only reason I am doing this is because the other posts are just notes, so I thought I would give you something to read. Each speaker that came to the University interested me in a different way. Dave Kennedy interested me because it was about the police, and anything with the police involved is interesting – I think every boy thinks that, because I believe at some stage in their lives they wanted to be one or pretended to be one; I did both.
Phil Byrne interested me because he was talking more about the physical things that a company can do to protect information instead of just talking about the technological safeguards that a company can take. He was very eager to answer my questions even though they may have seemed confrontational, and most of all he let me in on a few secrets which again, I am sorry, but I cannot say.
Finally Andrew Waite – I must say I was really excited for his talk: A) I know him, B) what he was talking about was interesting. The talk he gave was great; at first I thought it was directed straight at the Ethical Hackers, although listening back the Forensics students would have definitely got a lot out of it. I learned a lot more about his honeypotting and what research he is currently getting into. It was also good to have a beer afterwards with him. His website is here http://www.infosanity.co.uk/ and to follow him on Twitter it is @infoSanity.
Overall the talks that were given on that day were very good and I enjoyed myself. The day went surprisingly quickly, and I learnt a lot about my chosen path, not just technology defences but simple things that, unless you really sat down and thought about them, would just pass straight over your head.
Speakers (3/4)
by tmac on Nov.17, 2009, under Conferences, Guest speakers
The final person to talk to us was Andrew Waite, better known to all you twitterheads as @infoSanity. I won’t tell you much about his talk because I want you to listen to the download. He talks about the experience that he has gained from the job he is in at the moment and common problems with computers that are security related. Click the link below to listen to the talk.
Not amazing quality, and I didn’t record it, it was a friend, and you can hear him breathing really heavily.
Speakers (2/4)
by tmac on Nov.12, 2009, under Conferences, Guest speakers
The second man to give a talk was Phil Byrne, who is an audit manager for HMRC. The talk was very focused on the loss of data back in 2007 and what they had done since then to stop it from happening again. He at first tried to stick up for the HMRC, saying that they are not the only people to lose data, mentioning the Guardian losing half a million CVs and the MOD losing 66 laptops since January 2009. He said that at least they had the decency to tell the public that the disks had gone missing, unlike Zurich Insurance losing 500,000 pieces of information last year and only saying something now.
The focus then switched to talking about information assurance and information security and how they are both important. He used the following definitions (I quote the powerpoint presentation that he used): “Information Assurance is the confidence that information systems will protect the information they handle,” and “Information Security is the preservation of confidentiality, integrity and availability of information.”
The importance of these is that if you don’t fulfil them you can lose trust and go out of business. He went on to talk about the models that the company now use – ISO20001 and the COBIT model which is USA law.
His talk consisted of him talking about what the HMRC has put in place to protect themselves, and the questions asked, mostly by myself, focused on that too. I asked if the disks had not been lost and they had implemented the protections, would that have stopped this incident. He answered no; the procedures they now have in place are general and would not stop something like that because it has a human being involved, and it is the human being that makes the mistakes. That reminded me slightly of Kevin Mitnick. We asked whether or not they did pen tests on their systems and he said that they do, but that they did not include social engineering. After all the talks I asked about the social engineering and he told me a few things, but I am not allowed to say, SORRY!
Speakers (1/4)
by tmac on Nov.11, 2009, under Conferences, Guest speakers
This week at University we have had what is known as A and E week: not accident and emergency but assessment and enhancement week. It’s basically a time that we get off during the semester to do some reading and examinations. I just did a milestone exam in relational databases where I got the equivalent of 84%.
Today we had four speakers from industry come and give us individual talks on what they do, with time for questions afterwards. I will post what each speaker talked about and also what questions I asked. Andrew Waite (infoSanity) has given me permission to post the audio file of his presentation. I am going to do a post per person, excluding the 3rd because I missed most of his talk.
PLEASE NOTE THAT THESE ARE NOT PROPERLY WRITTEN POSTS – THESE ARE JUST COPIES OF THE NOTES THAT I HAD TAKEN AND THE 4th POST MADE WILL BE A CONCLUSION.
First up was a man named Dave Kennedy from the Durham Computer Crime Unit. He began by talking about the crime unit itself and how the budget they have barely covers them for the jobs they need to do. They have 3 investigators and a budget of £18,000. Dave himself is retiring in 25 working days and he believes that they are not even going to replace him when he goes. He then went on to talk about the actual investigation process. Barristers and the CPS were explained to be not very intelligent when it came to computer crime; he said when he asked them what “a html file” was or “what is a webpage” they were not 100% sure, the second one being very hard to believe. The barristers are also now being paid per page of evidence, so digital media is sometimes not accepted as a form of evidence. He believes the first interview to be the most important of them all, but he said that the officers who are interviewing do not have enough knowledge about computers, so the interview itself is flawed to a certain extent. He said that because of how vast computer technology is there are a lot of scattergun defences that people can use to try and be found innocent. He then went on to talk about the stories of Dr Syed Amhad Husain and John Temple; both stories can be found on the BBC website.
Due to the nature of most of the talk being about child pornography, most of the questions were based on that, for example “do you find it difficult to cope after watching material like that” or “how can you be sure whoever is viewing it isn’t going to be using it for their own purposes.” I wanted to ask a more general question about computer crime and asked “the Durham police website was hacked recently, are you currently dealing with that”; he said no, because there is a likely terrorist involvement so that has been outsourced to people who can deal with it effectively.
He stated that 96% of all cases they take on are about indecent images of children.
OWASP LEEDS
by tmac on Oct.15, 2009, under Conferences
http://www.owasp.org/index.php/Main_Page
If you had asked me just shy of 2 months ago what OWASP was, I wouldn’t have been able to answer you. I have now however attended my first chapter meeting and I am really excited about the next one, in around 3 months time I am guessing. OWASP stands for the Open Web Application Security Project. It is a community of people who are focused on improving security in web applications.
A friend and myself decided to book our train tickets over a month before the date of the conference. We then managed to rally together another two friends to join us. We received our tickets and were just awaiting the day.
On the day 2 other people from our course joined us on the expedition to the far and distant land that is Leeds.
When we arrived in Leeds the mission was then to find the Novotel – and believe me, the people in Yorkshire on this fine evening were very unhelpful, two men completely ignoring me as I tried my hardest to put on my native tongue that is YORKSHIRE. We then found the venue, had a cup of tea and went to sit down in the conference room (I am sure that the website said 50 people would be able to come; there must have been about 30 and we were near enough sitting on each other’s knees).
So the time came, and we listened to two amazing speakers – Justin Clarke – www.gdsecurity.com and Pete Finnigan – www.petefinnigan.com.
Justin Clarke talked about SQLi and how it is being used today as well as SQLi in the past. He mentioned Asprox and how this was used to get WoW account details, something which apparently can be a very lucrative business. He went on to talk about different ways in which SQLi can be avoided. Overall his presentation was interesting.
Pete Finnigan then went on to talk about Oracle databases. He went through the different checklists that you can use to try and secure your database. He said that the checklists were not there to secure the data, and went on to show a demo in SQL*Plus of how he goes about finding tables and data within databases. He used a couple of his own SQL functions, all of which can be found and downloaded at his website above.
We unfortunately booked early train tickets and had to leave early. Next time we will definitely book later trains. On the way back I fired up Broken Sword 1 – what a legendary game! And that was the end of the night!
To conclude: I have only just started the course, and the knowledge I have is very limited to what I know myself. I however understood around 60% of what was going on at the meeting and understood the concepts of the other 40%. I would definitely recommend OWASP to anyone who is interested in computer security. I had a really good night, and going along with friends and like-minded folk definitely made the trip 10 times more worthwhile.