Thursday, December 12, 2013

12 Days of Christmas w/ Hacker Claus

Ok builders, breakers and defenders.... gather around the FIREwire and sing with me;

On the 1st day of Christmas a malicious hacker faxed to Johnny <pause> proof of SQLi in his production website (the database running SELECT * FROM members WHERE username = 'admin'--' AND password = 'password') along with a username list
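To show why that query is proof of SQLi, here is an added example (not from the original post): the same login check built by string concatenation next to the parameterized form, run against a constructed in-memory SQLite members table. The "admin" account and its password are made up for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: one admin account in a members table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: user input becomes part of the SQL text, so
    # username = admin'-- turns the password clause into a comment and the
    # statement becomes exactly the one from the fax.
    sql = ("SELECT * FROM members WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Bound parameters: the driver sends the input as data, never as SQL,
    # so the quote and comment characters are just part of a (wrong) name.
    sql = "SELECT * FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    # Returns whether each variant lets the faxed input in without the password.
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, "admin'--", "password"),
        "param_bypass": login_parameterized(conn, "admin'--", "password"),
        "param_legit": login_parameterized(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```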

On the 2nd day of Christmas the hackers gave to Johnny a Cross Site Scripting vuln in his high risk web application <IMG SRC="javascript:alert('XSS');"> that his automated scanner missed, plus a link to the OWASP Cheat Sheets and Core Rule Set suggestions for monitoring and potentially blocking the input, output, or system service calls.

On the 3rd day of Christmas the hackers gave to Johnny an Insecure Direct Object Reference on a critical system that provided full admin access to the application because.... Johnny made a mistake and forgot to add a rule to deny any to an obscure management port

On the 4th day of Christmas the hackers gave to Johnny.... a FREE .PDF book on how to find application security flaws and the NEW video series from AppSecUSA 2013: 43 videos and 32 hours of content

On the 5th day of Christmas the malicious hackers parked in front of Johnny's favorite coffee shop and conducted a man-in-the-middle hot-spot honeypot -- then proved to Johnny that "Password1" is not a good password and how quickly a hash can be cracked

On the 6th day of Christmas the hackers gave to Johnny code snips of critical system code on the new secret internal project that they picked up from PasteBin

On the 7th day of Christmas a hacker breached Johnny's door using a "9999" cut bump key on door #1, a shim on the padlock that secured important information, and placed a "boom" sign inside my top right desk drawer that was locked, to prove a point about my lame physical security... --- seems they also drank his 18-year-old scotch too!

On the 8th day of Christmas the hackers returned to Johnny a bag of dumpster diving treasure to point out the lack of a cross-cut shredder; it included bills from trusted vendors with account info, credit card carbons, internal printed emails, customer data and more...

On the 9th day of Christmas hackers hacked Johnny via an email aimed at his wife concerning a refund of a holiday purchase, with targeted malware using a custom packer that bypassed my installed and updated corporate AV investment. After getting a remote shell they then popped Johnny's work laptop, which was also connected to my home network and was unpatched due to the holiday freeze, then exported the cert from the VPN client and installed a keystroke logger on the computer that I use for business to capture the password.... ouch..

On the 10th day of Christmas the hackers gave to Johnny a FREE audio blog to help educate him

On the 11th day of Christmas the hackers knocked down my e-commerce website during the busy online shopping season with a Denial of Service tool

On the 12th day of Christmas hackers mailed a link... Johnny noticed his company was on the list of incidents involving the breach of personally identifying information (PII), and his information may have been in a dump of over 2M users because his machine was infected with malware from Day #1

...... as a result he reached out to the LOCAL OWASP Chapter and started to ask questions, review the OWASP Foundation website and interesting projects including the Enterprise Security API (ESAPI), Free Videos, Guidance on Mobile Security, Job Postings from around the world and over 100 other projects:

May all your Christmases be