blog trackingRealtime Web Statistics Basics Archives - Gregory D. Evans | Worlds No. 1 Security Consultant

Posts Tagged ‘Basics’

TACTICAL TRAINING/ 13 VIP PROTECTION/ BASICS

VIP PROTECTION TRAINING” “LAW ENFORCEMENT TRAINING” “TACTICAL TRAINING” “ANTI TERRORISM TRAINING” “SECURITY TRAINING/ Close Combat Self Defense. Read More….

View full post on Hip Hop Security

CQC/CQB BODYGUARD TACTICAL SHOOTING BASICS – by Luke Holloway

(See instructor certification details below) NEW ONLINE LEARNING CENTER: http://www.raw-combat-international.com/online/ Raw Combat Instructor Certification … Read More….

View full post on Hip Hop Security

Minecraft Tutorials – E33 Branch Mining Basics (Survive and Thrive II)

How to Survive and Thrive in Minecraft! In this episode, we do some “branch mining” which is a simple but efficient method of finding lots of precious gems (lapis, redstone, diamonds) and metals (iron and gold)! Check the Wiki for more Mining Strategy/Theory: www.minecraftwiki.net Download this tutorial world: paulsoaresjr.com or create it from scratch: www.youtube.com BLOG: paulsoaresjr.com TWITTER twitter.com FACEBOOK: www.facebook.com YOUTUBE: www.youtube.com FAQ: www.youtube.com Get Minecraft here: minecraft.net In this episode you will learn – how to utilize the branch mining method – how to tame lava pools – how to make an infinite water spring Want more Minecraft Secrets? Get the “Survival Guide”! www.minecraftsurvivalkit.com Tags yt:quality=high minecraft “minecraft beta” “minecraft 1.0″ “minecraft survival” “minecraft tutorial” “minecraft help” “pc gaming” paulsoaresjr tutorial gameplay commentary tips secrets gaming computer retro help beginners survival guide how to survive “survive and thrive” “minecraft branch mining” “minecraft finding diamonds”

Article source: http://video.hackerjournals.com/?p=6241&utm_source=rss&utm_medium=rss&utm_campaign=minecraft-tutorials-e33-branch-mining-basics-survive-and-thrive-ii-2

View full post on National Cyber Security » Announcements

Minecraft Tutorials – E29 Home Decorating Basics (Survive and Thrive II)

How to Survive and Thrive in Minecraft! In this episode, we return home from our adventure and spruce up the cottage with some basic home decoration and furniture. We’ll craft a cauldron (sink), books, bookshelves, and paintings. We’ll also make creative use of dirt, trap doors, stairs, and signs to make a flower pot and a sofa! Download this tutorial world: paulsoaresjr.com or create it from scratch: www.youtube.com BLOG: paulsoaresjr.com TWITTER twitter.com FACEBOOK: www.facebook.com YOUTUBE: www.youtube.com FAQ: www.youtube.com Get Minecraft here: minecraft.net In this episode you will learn – how to decorate your home – how to make books – how to make bookshelves – how to make paintings – how to make a flower pot – how to make a sofa – how to make a cauldron Want more Minecraft Secrets? Get the “Survival Guide”! www.minecraftsurvivalkit.com Tags yt:quality=high minecraft “minecraft beta” “minecraft 1.0″ “minecraft survival” “minecraft tutorial” “minecraft help” “pc gaming” paulsoaresjr tutorial gameplay commentary tips secrets gaming computer retro help beginners survival guide how to survive “survive and thrive” “minecraft bookshelf” “minecraft paintings” “minecraft decorating”

Article source: http://video.hackerjournals.com/?p=6096&utm_source=rss&utm_medium=rss&utm_campaign=minecraft-tutorials-e29-home-decorating-basics-survive-and-thrive-ii

View full post on National Cyber Security » Announcements

Security 101 : Security Basics in 140 Characters Or Less, (Mon, Oct 3rd)

It was one of THOSE gigs: an internal penetration test against a client that, considering the amount of personal information they held on their customers, should have been well prepared.  And yet, we went from “you-can-plug-your-laptop-in-over-there” to “Domain Admin” in… well, let’s just say a “shockingly small” number of hours.  And it just went downhill from there…

For me, writing up the resulting report, triggered what I could only describe as a “crisis of faith.” While, as a security community, I don’t fool myself that we have it all “figured out,” I had – up until now – strongly believed that we were making progress.  And yet, I had just spent a week immersed in a corporate culture that seemed to have focused itself on so many higher-level security issues that the basics – the “Security 101″ stuff – was just plain overlooked.

The more I thought about it, the more it bothered me.  It wasn’t some fancy-schmancy ‘leet h@x0r 0-day that let us take down this organization from the inside: it was stupid-simple low-hanging fruit.  I spent a bit of time chatting over Twitter with the ever-insightful Brian Honan (@BrianHonan) and came to the conclusion that the security community may have reached an awkward age at which we’re grown up enough to be focusing on the golly-gee/whiz-bang/cool stuff (vis-à-vis the “APTification” of all that passes for security discussion) and, as a result, we’re neglecting the basic, “Security 101″ stuff that raised the bar in the first place.

Think about it: Over the past year, how many high-profile hacks have been the result of awesome cutting edge skillz?  How many have happened because someone just flat-out did something dumb?  Take a quick gander at back issues of SANS NewsBites and I think you’ll be convinced as well: We truly are neglecting the basics.

Since October is “Security Awareness Month,” a few weeks back, I sent out a call on Twitter for folks to submit pithy, 140 character-long, chunks of Security 101 wisdom.  Below, I’ve compiled together the resulting list, along with the Twitter name of the submitter.

If you’re feeling a little shaky on your security knowledge, then heeding this advice might just save your behind.  Even if you’re confident that you “know it all,” a quick review might have you discovering stuff you’ve inadvertently overlooked.  Either way, I heartily recommend that you read (and heed) this advice.  Also, if something particularly strikes your fancy, you might consider following the author on Twitter… you never know – you might learn even more.

One last “housekeeping” note: I lightly edited these to remove some of the more blatant “Twitterisms” used to stuff big thoughts into limited character lengths.  If anything got messed up, I’ll take the blame.

@ChrisJohnRiley
If you can guess where PHPmyAdmin is installed, then so can attackers.
@DavidJBianco
You are already pwn3d. The question is, “What will you do about it?”
@Keldr1n
Don’t leave default passwords on the administrative interfaces of your 3rd party web applications.
@Keldr1n
Know your network – and all devices in it – well enough to spot unusual activity.
@Keldr1n
Users are almost always the weakest link. Make it a priority to educate them. Do most of yours even know what phishing is?
@averagesecguy
Security 101: If you don’t need it, turn it off.
@bowlesmatt
Passphrases are the new passwords. Make a sentence that is long, hard to guess, and easy to remember. ihatepasswordsseewhatididthere?
@bowlesmatt
Patch your systems and disable any unused services to reduce attack surface.
@bradshoop
Never trust a host you can’t trust.
@bradshoop
Computers remember a lot. Even more if you contact security personnel before you reboot.
@bradshoop
Dedicate personnel to prevention AND detection. Preferably the same personnel in rotation to breed familiarity and contempt.
@connellyuni
It’s more important to know what you don’t know than it is to know what you do know.
@cutaway
Try to avoid saying “We are investigating… why equipment that we have a destruction certificate for was… sold online” to the media.
@cutaway
Assets using secure authentication are directly and adversely impacted by your assets using plain text authentication.
@cutaway
Complacency: 1) Self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies. 2) You will be hacked.
@cutaway
Default SSL Certs for internal management interfaces should be replaced with valid certificates associated with the organization.
@cutaway
Don’t be afraid of your incident response plan. Conducting investigations will give your team experience and eventually reduce costs.
@cutaway
How do you “Find Evil” in your organization? Seriously, go “Find Evil” and report back to me.
@cutaway
IT environments are complex systems. They require a System Development Life Cycle to effectively manage AND secure.
@cutaway
If your product allows remote connections somebody WILL write a python/perl/ruby script to connect to it and send whatever THEY want.
@cutaway
Monitor and alert to new accounts and accounts being added to Domain Administrator, SUDO, or root groups.
@cutaway
Product certification does not mean it has been deployed correctly. Review placement, logging, access, input validation, etc…
@cutaway
Service accounts should adhere to corporate password policies and be monitored for modifications including lockout.
@eternalsecurity
Make sure you’re protecting the right thing. A belt AND suspenders doesn’t help if you’re not wearing pants.
@hal_pomeranz
“A backup is not a backup until you do a restore.” #sysadminkoan
@hy2jinx
Attack vectors and regulatory requirements change. “That’s how we’ve always done it” is a poor and lazy excuse.
@hy2jinx
Scanner “infos” can turn up bigger issues than you’d guess. Look at overall results, not just singles.
@hy2jinx
Five missing patches across 100 devices does not equal “five vulnerabilities.”
@hy2jinx
It’s cheaper to consult a security professional from conception than mere days before “go live.”
@hy2jinx
Security professionals should be empowered to point the business towards good decisions and reserve the power of “No” for a last resort.
@itinsecurity
In your encryption system, your key is the weakest link. If it isn’t, you’re doing it wrong.
@itinsecurity
Security is not a box you buy or an app you write. It’s an emergent property, a sum greater than its parts.
@jarocki
“Dear User: Millions of $$ of software won’t keep you from clicking that link. Only YOU can prevent link clicking.”
@jarocki
When it comes to security controls, Trust But Verify… nah, forget the Trust… just Verify.
@jimmyzatl
If you don’t log “accepts” in your FW logs for admin protocols you will have no way of knowing when those accounts are abused.
@jimmyzatl
An encryption algorithm that has to be hid from the public is by definition a weak algorithm…
@ken5m1th
That successful PCI DSS Report On Compliance will not save you from Zombies.
@kentonsmith
When setting up any new system, Step 1: Change default admin password.
@kill9core
Security through obscurity, or the practice of hiding flaws hoping they won’t be found, has proven time and time again not to work.
@mattdoterasmus
Just because your security teams work from 9-5, doesn’t mean attackers aren’t looking the rest of the time.
@omegadefence
The attitude that “it won’t or can’t happen to us” because “we’re too small/big/have nothing to offer” is dangerous.
@omegadefence
The attitude that “I can’t do anything about it so I won’t even bother with security or reporting” is also dangerous.
@omegadefence
Analyse your logs in detail, it is those with their heads buried in your logs that hold the key to prevent, detect and recover.
@omegadefence
Give only the permissions required to do the normal daily duties, nothing more. Special logons for special occasions.
@omegadefence
Best: using high-speed trend analysis with custom searches as well as automated reporting AND followup.
@rob_bainbridge
Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt – audit, ops risk, etc…
@tccroninv
Those that store passwords in plain-text invite catastrophe.
@tliston
“We can’t implement strong passwords/two-factor authentication. Our users aren’t capable,” says more about your competence than theirs.
@tliston
Developers: Never roll your own encryption, authentication or session management schemes. You’re not that smart. Trust me.
@tliston
If you don’t have written authorization to perform security-type testing in your organization, don’t. You’re too pretty for prison.
@tliston
If you’re not putting as much thought into your outbound firewall rules as you are for your inbound rules, you’re doing it wrong.
@tliston
If you’re not supporting a legacy Windows OS, for the love of all that is Holy, turn off LANMAN hashes.
@tliston
If you’ve never tested restoring from your backups, then you don’t have backups – you have a crapload of data and hope.
@tliston
If your internal security posture is based on,”our employees wouldn’t know how to do that,” then you’re likely already 0wned.
@tliston
Remember: As an attacker, I exploit misplaced trust. There’s nothing mystical or magical about it.
@tliston
Run scans against your network. It’s the only way to really know what’s out there. I’ve yet to see a fully accurate network diagram.
@tliston
Sanity check security spending. A $500 lock on a cheap wood door doesn’t buy security. It just gives a thief something to laugh at.
@tliston
Security isn’t just about preventing compromise. It’s about maintaining confidentiality, integrity availability despite compromise.
@tliston
Security-through-obscurity doesn’t work against anything with intelligence, but there’s lots of dumb sh*t out on the ‘net.
@tliston
Taking nude photos of yourself? Don’t store them on an always-connected device with little-to-no security. #forscarlett
@tliston
Teach your users not to click on unknown links. DON’T send links to your users in email. More info: http://t.co/bdNTRI3O
@tliston
Web developers: Give the exact same answer whether you’re given a bogus username or password on logins. EXACT. SAME. ANSWER.
@tliston
WebApp Devs: Just because you have a SELECT with A, B, C, D as options doesn’t mean you’ll only ever get A, B, C, or D back.
@tliston
Webhosting Companies: Web servers shouldn’t be making many *outbound* connections. TCPDump is your friend.
@tliston
Your organization’s AUP should explicitly prohibit Copyright abuse. You do HAVE an Acceptable Use Policy, right?
@tliston
Centralize your logging – you have no idea how helpful it will be.
@tliston
Companies who use the same Windows Local Admin password on large numbers of machines are ripe for picking by malicious insiders
@tliston
Developers: Input, even data you think you control, can never be trusted. Consider all input a threat and process accordingly.
@tliston
Diligent change management practices have saved more asses than a Beverly Hills plastic surgeon.
@tliston
Ensure that user accounts are disabled as part of your termination process. Audit all accounts at least semi-annually for “misses.”
@tliston
High privilege level accounts should be used only for administrative functions, not for day-to-day activities.
@tliston
High privilege level accounts should have kick-ass passwords or two factor authentication. Or both.
@tliston
If at all possible, disable password authentication for SSH. SSH is a huge brute force target. Keys are your friend.
@tliston
If it plugs into your network, know why. The last thing you ever want to hear an admin say is, “That thing has a web interface?!?”
@tliston
Learn how to manipulate text files. Learn how to use sed, cut, wc, and grep as a minimum. Text is your friend.
@tliston
Logging authentication failures is NOT enough. Log successes and failures.
@tliston
Mr. CxO: Your employees are not a “family.” Some are untrustworthy. FYI: Some of the people in your real family are pretty sketchy too.
@tliston
Never rely on the fact that you “own” anything: data, a communication path, etc… If you do – I 0wn it, I 0wn you. Trust nothing.
@tliston
Nothing is more important to the long-term survivability of your organization than a fully functional backup process.
@tliston
Packets to or from RFC-1918 addresses should not be allowed to traverse your border firewall in either direction.
@tliston
Passwords are no longer security measures. They are merely speed-bumps. Treat them accordingly.
@tliston
Physical access trumps most security measures.
@tliston
Remember to always think in terms of “defense in depth.” A belt AND suspenders is always better than a belt OR suspenders.
@tliston
Shared accounts are never a good idea.
@tliston
Telnet, FTP, and any other clear-text protocol developed in simpler, more naive times has no business on a modern network.
@tliston
There is no excuse – NONE – not to use full disk encryption on laptops. Data breaches due to lost/stolen laptops are inexcusable.
@tliston
Unencrypted WiFi is never secure. WEP = Unencrypted WiFi. Trust me. Stop using it. Now. Really.
@tliston
Web Developers: Remove comments from your production website code. They serve NO purpose and can give away too much info.
@vaudajordan
Total loss of Sony Breach $171M, I wonder how many salaries, code reviews, software, hardware that could have bought.
@zanis1
Assign only those privileges that are required to do the job.

Also, I want to extend a great big “thank you” to all of the people who submitted these tweets using the #sec101 hash tag.  I tried really hard to grab them all… If I missed anyone, I apologize.

Tom Liston
Senior Security Consultant, InGuardians, Inc.
Handler: SANS ISC

Note: Matt (@0xznb) has kindly made a fortune-mod zip file available here of the #sec101 wisdom.

 

Article source: http://isc.sans.edu/diary.html?storyid=11725&rss

View full post on National Cyber Security

Gergory Evans

Gregory Evans | LinkedIn

Interview With Gregory Evans

Gregory Evans Security Expert

Gregory Evans on Cyber Crime

Bash Basics: Ping, Date and While

Ping is one of the most handy and basic tools for network administration. Simply put a ping will test whether or not a host is reachable over IP. It does so by sending an echo request via the Internet Control Message Protocol or ICMP. ICMP is pretty neat, being a core protocol of the Internet Protocol or IP suite. Unline TCP or UDP it isn’t meant to be used for exchanging data, rather diagnosing problems and verifying connections.

Technically speaking the ICMP protocol is used for more than just pings or “echo requests” and “echo replies” — there are several control messages like time exceeded, address mask queries and traceroutes. But for right now we’re focusing on the practical with IPv4 and a little scripting to make our lives easier.

The basic ping command consists of just one value, the host. For example: ping 8.8.8.8. When a host responds we’ll get a message saying how many bytes were received along with the IP, an ICMP sequence number, a time to live and how long it took for the host to reply in milliseconds. On Linux this will go on forever so use the key combo CTRL+C to stop.

Now unfortunately the ping command doesn’t by default tell us when the replies, or lack there of, came in. To remedy this we’ll be using the date variable.

Issuing date will provide us with a date and time stamp. As such the date can be used as a variable by issuing echo $(date). There are many display options supported by date. Issue man date for a complete list. I’m a fan of %F and %T as they provide a nicely formated numeric date and time stamp. To use these display options we’ll echo $(date +%F_%T).

Now let’s bring it all together. We’ll start by issuing ping 8.8.8.8 then pipe | it to a loop using while and read the input into a variable that we’ll call pong using the command read. So far this will continue pinging our host and turning the ping replies into pong variables. We’ll separate the while statement with a semicolon ; and tell the loop what to do with the aptly named do command. In this case we want to echo the date “$(date +%F_%T), give it a separater, I’ll use two dashes and finally our newly created variable $pong”. Once again separate with a semicolon ; and end the loop with done. Your command should look like ping 8.8.8.8 | while read pong; do echo “$(date +%F_%T) — $pong”;done

There we go, a constant ping complete with the date and time — perfect for debugging all sorts of borked network bits.

Article source: http://revision3.com/haktip/icmpyouknowme

View full post on National Cyber Security

Gregory Evans | LinkedIn

Interview With Gregory Evans

Gregory Evans Security Expert

Gregory Evans on Cyber Crime

Get The New Book By Gregory Evans

Everyone Is Talking About!

Are You Hacker Proof?
$15.95

Find Out More, Click Here!