Monday, December 12, 2011

The 12 Days of INFOSEC


Ok script kiddies, gather around and sing with me;

 
On the 1st day of Christmas a malicious hacker faxed to me <pause> proof of SQLi in a production website (database using SELECT * FROM members WHERE username = 'admin'--' AND password = 'password') with a username list -- it appeared they also taped the 4 pages of data together to create a loop in the fax machine, sending an unlimited number of fax pages to me and resulting in a denial of service on my office fax machine
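For readers who want to see why that query is a problem, here is an added example (mine, not from the post): the same login query built by string concatenation beside a parameterised version, run against a constructed in-memory SQLite table. The table name and the admin password are assumptions for the demo.

```python
import sqlite3

# Constructed sample database (not from the post): one admin row.
ADMIN_PASSWORD = "s3cret-not-password"  # assumed value for the demo


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES (?, ?)", ("admin", ADMIN_PASSWORD))
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: whatever the user typed becomes part of the SQL text.
    # With username admin'-- the rest of the WHERE clause is commented out.
    query = ("SELECT * FROM members WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    # Parameterised query: the driver binds the values, so quotes and -- are
    # compared as data and never parsed as SQL.
    query = "SELECT * FROM members WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run the post's injection against both versions and return the outcomes."""
    conn = make_db()
    return {
        # the injected username from the post, with a wrong password
        "vulnerable_bypass": login_vulnerable(conn, "admin'--", "password"),
        "fixed_bypass": login_fixed(conn, "admin'--", "password"),
        # a legitimate login still works against the fixed version
        "fixed_valid": login_fixed(conn, "admin", ADMIN_PASSWORD),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function logs the attacker in as admin without the password; the parameterised one rejects the same input and still accepts the real credentials. Parameterisation is the fix; a WAF signature for `'--` is only a monitoring aid on top of it.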

 
On the 2nd day of Christmas the hackers gave to me a Cross Site Scripting in my critical web application < IMG SRC="javascript:alert('XSS');" > and a link to other cheat sheets at: https://www.owasp.org/index.php/Cheat_Sheets and WAF suggestions for monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall
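An added example (again mine, not the post's) of the two defences that line points at: output encoding so the IMG payload is rendered as text, and a tiny WAF-style input policy that flags it before it reaches the page. The three regex rules are illustrative assumptions, far smaller than a real rule set such as the OWASP CRS.

```python
import html
import re

# Constructed sample input: the payload quoted in the post.
PAYLOAD = '<IMG SRC="javascript:alert(\'XSS\');">'


def render_unsafe(comment):
    # Reflects user input straight into the HTML body; the IMG tag is live markup.
    return '<div class="comment">' + comment + "</div>"


def render_escaped(comment):
    # Output encoding for an HTML body context: <, >, &, " and ' become entities,
    # so the browser displays the text instead of parsing a tag.
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


# Minimal WAF-style policy: things that have no business in a comment field.
# Illustrative only; a production rule set is much broader and context aware.
SUSPICIOUS = [
    re.compile(r"<\s*(script|img|iframe|svg)\b", re.I),  # tag starts
    re.compile(r"javascript\s*:", re.I),                 # javascript: URLs
    re.compile(r"\bon\w+\s*=", re.I),                    # onload= style handlers
]


def policy_verdict(value):
    """Return the rule patterns that matched; an empty list means the input passes."""
    return [p.pattern for p in SUSPICIOUS if p.search(value)]


def contains_live_tag(rendered):
    # Crude post-render check: did a raw IMG or SCRIPT tag survive in the output?
    return re.search(r"<\s*(img|script)\b", rendered, re.I) is not None


if __name__ == "__main__":
    print("policy hits:", policy_verdict(PAYLOAD))
    print("unsafe has live tag:", contains_live_tag(render_unsafe(PAYLOAD)))
    print("escaped has live tag:", contains_live_tag(render_escaped(PAYLOAD)))
```

html.escape is correct only for the HTML body context; attribute, JavaScript and URL contexts each need their own encoder, which is exactly what the OWASP XSS cheat sheet walks through. Treat the policy rules as a detection signal to log and review, not as a substitute for encoding.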


On the 3rd of Christmas the hackers gave to me Direct Object Reference on a critical system that provided full admin access to the application because I was stupid.... http://yourwebsite.com/secret/adminconsole:8050

 

On the 4th day of Christmas the hackers gave to me.... "A FREE .PDF Book on how to find application security flaws ( http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf )"

 
On the 5th day of Christmas the malicious hackers drove by my office and used Aircrack to recover my Wi-Fi WEP password and changed my SSID to "Hacked" and left it as an Open AP

 
On the 6th day of Christmas the hackers gave to me code snippets of critical system code from the new secret internal project that they trolled for and picked up on Pastebin. Ugh.

 
On the 7th day of Christmas a hacker breached my door using a "9999" cut bump key on door #1, a shim on door #2 and placed a "boom" sign inside my locked desk drawer to prove a point about my lame physical security... and they drank my 18 year old scotch too!

 
On the 8th day of Christmas the hackers returned to me a bag of dumpster diving treasure to point out lack of cross-cut shredding that included bills from trusted vendors with account info, credit card carbons, internal printed emails, customer data and more...

 
On the 9th day of Christmas the hackers hacked me via an email aimed at my wife concerning a refund of a holiday purchase, with targeted malware using a custom packer that bypassed my installed and updated corporate AV investment. After getting a remote shell he popped my work laptop, which was also connected to my personal LAN and was unpatched due to the holiday freeze, then exported the cert from the VPN client and installed a keystroke logger on the computer that I use for business to capture the password.... damn


On the 10th day of Christmas the malicious hackers came back..... after the AP had been upgraded from WEP on Day 5, guessed my lame ass WPA password, changed the SSID to "Hacked Again" and made it an Open AP again

 
On the 11th day of Christmas the hackers knocked down my commerce website during the busy season with a Denial of Service https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool -- and suggested I look at the OWASP CRS Mod_Security project https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project


On the 12th day of Christmas the hackers mailed to me a link to the breach report archives and state laws http://datalossdb.org/us_states

 
After getting my A$$ handed to me in 201x..... I started to read the OWASP Foundation website @ http://www.owasp.org and found things like a new Enterprise Security API (ESAPI), free videos, guidance on mobile security, job postings from around the world and over 140 other projects: https://www.owasp.org/index.php/Category:OWASP_Project that helped me. I planned to attend both Global and Local AppSec events and I became a member in support of the community.

 

Happy Holidays

Tom Brennan
The 12 Days of INFOSEC Christmas
 

2 comments:

Mark Roxberry, OWASP said...

Awesome :)

Tom Brennan said...

Better than G33k Gangnam Style http://www.youtube.com/watch?v=IdREnF4Fxh4 that you cannot unsee...