#30DaysOfSecurityTesting – Task VII


All previous posts in this series: I, II, IV, V, X, XXX

Task: Learn one or more things about Penetration testing.

The first thing I learned today about the topic is how it differs from vulnerability scanning: during scanning you identify and prioritise possible vulnerabilities, but during penetration testing you actively try to exploit those vulnerabilities with the aim of breaking in.

The second, very important thing I learned: in Germany, any penetration testing without the permission of the owner is illegal. So if you scan somebody's system in Germany, try to use the vulnerability and then report it to the owner hoping for a reward, you may land in jail.

#30DaysOfSecurityTesting – Task IV

[image: vulnerability]

All previous posts in this series: I, II, X, XXX

Task: Learn anything about Vulnerability Scanning

I looked for the answer in the book “How To Break Web Software”, which I chose in task II. In the index, the only page listed for “vulnerabilities, searching for” is page 107. You can see it in the image above.

It was not enough for me. So I checked the source, which, as I learned from my son, has many answers:

Then I found the list of vulnerability scanners. The experts will LOL at my comparison of Nessus and Nmap, but this is what works for me:

  • Nmap is free, its website looks like it is from the 90’s and the tool is difficult to configure.
  • The price of a Nessus single user licence is “$2,190 USD/year” (funny that they use both $ and USD for the price), the website is modern and the tool seems to be very user-friendly (according to the demonstration above).

I am considering downloading Nessus and scanning my home network. I am curious what it will say about my internet radio. The download starts with filling out a form; even if you only want to try out the single user licence you have to select your job position. In the list you will find all kinds of people, except software testers.


The more I think about web security, the more it reminds me of birth control. Some of us blindly trust the protection of their choice, some think that nothing will happen anyway and use none, and some of us choose to walk on the edge. The negative consequences of some of those decisions are AIDS, fertility treatments or teen mums.

I am quite a sceptic: if we cannot handle the issues of our own bodies and health, then such an abstract thing as web security has no chance of getting our attention before something really bad has happened.

#30DaysOfSecurityTesting – Task X


All previous posts in this series: I, II, XXX

The task for today: Read and Learn about Ethical hacking

My way to learn about the topic was to read the story of how Troy Hunt started his career in web security and how he became a content creator for ethical hacking certifications. After reading the story you may want to browse other articles written by him.

Another great thing created by Troy (even if I do not agree with everything, it is still very good): Internet Security Basics for those not so much into security.

#30DaysOfSecurityTesting – Task XXX

Task 30: Discover the difference between White, Grey, and Black Hat Hacking

This task is not a real challenge for me, but a challenge is a challenge, so here is a summary:

Black Hats see hacking as an intellectual challenge; they have a drive to outsmart others and see stolen money as a reward for their skills.

White Hats are also called ethical hackers. They use the same hacking methods as black hats, but they do it with the permission of the owners. For example, @mikko is a white hat hacker.

Grey Hats, in my understanding, are kids who have skills and like to play with them, but behave carelessly or are not aware of the legal or ethical issues.

So far so good. Now it is time for one of my learning sources: YouTube :)

“wild pleasure of exploration”, “the pope is currently not available”


#30DaysOfSecurityTesting – Task I


Ministry of Testing organizes another challenge: 30 days of security testing. I like challenges in general, and even though I am not a security tester, I am privately interested in the topic. In my opinion, everybody should be. A week ago I bet with my colleague that in less than five years, the health of individuals' digital privacy will be a standard. …or robots will rule the world and we will have no privacy at all.

Today is the first day of the challenge: Read a security blog

Here is my very short list of security blogs:

What did I read today? Since I learned the lesson not to click the button, I am aware of ransomware. This week in the news on local radio I heard that in Germany hackers attack companies who are looking for new employees. They send an application with a CV in the attachment, which is not readable at first. And then there is the button. The rest you can imagine. There are stories about an attacked hospital and police offices, and here is a new ransomware story about locked-in hotel guests.

At the end, some ideas on how to protect yourself from ransomware. And of course: do NOT click the button!


~UPDATE with more links to web security related blogs~

Testing Guidelines For Junior Tester

This is a very short visual guide for a junior tester.


1. Do exploratory testing. That means: be curious, attentive and organized.


2. Try mindmaps to get testing ideas and cheatsheets to try different inputs, and watch carefully for side effects.


3. Trust your intuition, see what others do not see and make it visible. How? Use different personas, ask strange questions like “can this application kill a person?”, and read stories about how others test.


4. Report findings properly: describe the harm in simple, reproducible steps and do not forget to mention why it is important to fix the bug in the next iteration. I think it is bad style to write something like this in a bug report: “unless you remove the “border=0” attribute“.

Show respect = get respect.


Enjoy the video which inspired me to write the guidelines:


Web Security: The Line Of Death


I have always had an interest in web security, but because I have so many interests, this one was pending somewhere in the background. I prefer to apply the knowledge I gain, and it seemed that web security is too abstract, too difficult and not applicable in daily actions. At the same time, I try not to fall into the obvious traps.

That changed when I watched the Nordic Testing Days 2016 keynote “State of The Net” by Mikko Hypponen on YouTube. From that moment on I have been looking for simple ways to keep my web browsing secure and my privacy private. For example, I search for information on DuckDuckGo instead of Google, and I am rethinking my home network.

Today’s read is The Line Of Death, written by Eric Lawrence: familiar things with more depth and background story, and there is more to explore on his blog!

30DayChallenge – part III

[photo: KristinesTeam2]

11. TAKE A PICTURE OF YOUR TEAM

It is July. Most of my team is on vacation. I am counting the days till I go on my summer vacation. A difficult time to make a team photo. But I decided that two members of a team are also a team. My colleague agreed that a photo of us would be uploaded to the web. As we went for a walk after lunch I asked someone to take a picture. Funny that the person found a feature on my phone which I did not know existed: one click = 40 photos.

2. TAKE A PHOTO OF SOMETHING YOU ARE DOING AT WORK

I really like my workspace, that is why I wanted to take a photo of it. I share the office with three other colleagues. We have a lot of greenery and pictures of our vacations on the walls.

[photo: KristinesWorkplace]

This is the hybris backend view: my daily screen to check how the system is working.

[screenshot: 2016-07-04_16h05_55]

4. SHARE A TESTING BLOG POST WITH A NON-TESTER

I shared a blog post about Chrome extensions with my frontend developer. Lately we have done a lot of element scripting together and really like how handy CSS Viewer is.