#30daysofsecuritytesting – Task XX

All previous posts in this series: I, II, IV, V, VII, IX, X, XII, XVIII, XXX

Task 20: Read about DOS/DDOS attacks. Share examples/stories via social media.


I started the task by looking up the definition of DOS/DDOS attacks, to be sure that we are on the same page. One of the first results in DuckDuckGo was this interesting website. Emergency readiness team, cool! They classify DOS/DDOS attacks as a security tip.
Security header check: D

If there is a US CERT team, there should be an EU CERT team, right?
Yes! Only the Europeans call it Computer Emergency Response Team. The website is a collection of articles and I will definitely check the top stories, hall of fame or latest info from security vendors weekly.
Security header check: F

I continued my research on German websites. Again a very interesting first DuckDuckGo result: Cyber-Sicherheitsrat Deutschland, in English “Cyber-Security Council Germany”. Cool name, but there is something strange. Founded by a “group of reputable individuals” and “the cost of an annual subscription is 2,500 Euros. There is also a one-off admission fee of 1,000 Euros”. What kind of security group is it? And is it only me, or have I seen that home page photo somewhere else?
Security header check: F.

The real institution in Germany is the Bundesministerium des Innern (BMI).

Security header check: D

And the Bundesamt für Sicherheit in der Informationstechnik, which lists “common sense” as one of its suggestions for internet security.

Security header check: C

OK. This is all very interesting, but what was the subject? DOS/DDOS attacks.

You will find information about the latest DOS attacks on the EU page above, but I liked the story about possibly the first DOS attack. The comments are especially interesting.

Security and WordPress


A week ago I learned about security headers and found weaknesses of this blog. In my previous post I did not write that, besides mine, I checked other websites which I know are run by WordPress. All of them have the same problems, no matter where the WordPress page is hosted or stored. I contacted the Happiness Engineers and got feedback that my question will be forwarded to the Network Engineers. Still waiting for an answer from them.

One thing that made me especially concerned was the blog post “stopmullware-on-the-security-of-27-of-the-websites-on-the-internet” written by Scott Arciszewski, which got deleted shortly after I read it. The post was about the priorities of Automattic; hint: security is not one of them. Here are some tweets which should explain why it was deleted:

Use Google and read for yourself who Scott is and what he does. And make your own picture of the situation.

But Scott is not the only one who is alarmed. Here is another article about a WordPress vulnerability. In fact I have a feeling that suddenly everyone writes about how insecure WordPress is. German media people seem to be a little slow; they are informing about the update bug just now.

Long story short: I spent the whole week reading and understanding how it all works together, and touched certificates and domains as well. My aim was to find out what I can do to improve the security of my website. My current answer: as long as I use WordPress, I cannot fix the security header issues. But the optimist inside me is really looking forward to the WordPress Network Engineer's answer. Maybe there is a way.

#30daysofsecuritytesting – Task XII


All previous posts in this series: I, II, IV, V, VII, IX, X, XVIII, XXX

Task 12: Read about security testing and discuss where it best fits in an SDLC

Here are some of the sources that supported my learning about security testing.

A very good introduction in the first 3 min:

I met Simon at TestBash Manchester and had a nice chat. Unfortunately I could not attend his ZAP introduction course, but software development definitely needs more people like Simon.

If you are still not convinced by this 30 days of security challenge and think it is too complicated, then read this article. I especially liked the arguments on whether you should or should not start security testing in your company, and the link to The Big List of Naughty Strings.

#30daysofsecuritytesting – Task XVIII


All previous posts in this series: I, II, IV, V, VII, IX, X, XXX

Task 15: Write and share ideas for security testing via twitter or a blog
Task 18: Learn about Security Headers

Oh, people, this challenge is a real challenge! I usually write one or two blog posts a week; my wish to document my learnings is giving me difficulties. I had the most beautiful weekend with my family on the hill and now I am missing several tasks. It is what it is. I move on and tick off two tasks.

So. Security Headers. The first thing I wanted to do was to scan my own website. I thought it would be a short check and then I would move on, but instead this happened:

I started with a scan on Security Headers, a free website which analyses headers, built and run by Scott Helme. The scan showed some problems with headers and I started to research whether I should panic or not.

With the help of developer tools, I checked network/headers in Safari, Chrome and Firefox. Every browser shows the header information differently. Chrome at the beginning appeared to be the least valuable, but then I discovered the “Security” and “Audits” tabs and it changed my top 3.

With the help of Chrome I also learned tonight about Wildcard or Multi-Domain (SAN) Certificates and the websites with which I share mine. The Chrome audit showed that I have 2237 unused CSS rules. Will need to decide what to do with that…

All together this task was very useful. I learned a lot and got a long to-do list of what to improve on my website.
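To make the header scan from this post reproducible offline, here is an added example (my code, not the author's and not Scott Helme's scanner): it checks one HTTP response's headers against the set a Security Headers scan looks for, flags weak values, and assigns a letter grade. The grading scheme and the three sample responses are constructed for this example.

```python
import re

# Response headers a browser expects, with the defender-facing reason for each.
EXPECTED = {
    "strict-transport-security": "forces HTTPS on later visits",
    "content-security-policy": "limits where scripts and styles may load from",
    "x-frame-options": "blocks clickjacking by framing",
    "x-content-type-options": "stops MIME-type sniffing",
    "referrer-policy": "controls what URL leaks on outbound links",
    "permissions-policy": "restricts browser features (camera, geolocation)",
}

def check_headers(headers):
    """Return missing headers, weak-value warnings and a letter grade."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = {h: why for h, why in EXPECTED.items() if h not in lower}
    warnings = []
    hsts = lower.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < 15552000):  # under 180 days
        warnings.append("HSTS max-age is short or missing")
    if "'unsafe-inline'" in lower.get("content-security-policy", ""):
        warnings.append("CSP allows 'unsafe-inline'")
    # Grading is an assumption made for this example (not Scott Helme's scheme):
    # one letter step per missing header, half a step per warning, A best, F worst.
    score = len(missing) + 0.5 * len(warnings)
    grade = "ABCDEF"[min(int(score), 5)]
    return {"missing": missing, "warnings": warnings, "grade": grade}

# Constructed sample responses, not captured from any real site.
BARE = {"Server": "nginx", "Content-Type": "text/html; charset=UTF-8"}
PARTIAL = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), geolocation=()",
}

if __name__ == "__main__":
    for name, hdrs in (("bare", BARE), ("partial", PARTIAL), ("hardened", HARDENED)):
        r = check_headers(hdrs)
        print(f"{name}: grade {r['grade']}; warnings {r['warnings']}")
        for h, why in r["missing"].items():
            print(f"  add {h}: {why}")
```

Feed it the headers copied from the browser's Network tab to get the same kind of verdict the post reports as a letter.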

At the end, Automattic has good humour:

On the other side, my header has an ad for Automattic and I am not OK with that.

#30daysofsecuritytesting – Task IX

Task: Discover the process and procedures around Security Auditing

This is a hard one. I have been doing my research for the second day already, but still have not managed to create my own picture of “what is Security Auditing?”

The confusion starts with Wikipedia, because there are two articles about the topic, both marked as incomplete.

https://en.wikipedia.org/wiki/Information_security_audit

https://en.wikipedia.org/wiki/Information_technology_security_audit

Maybe someone wants to fix it?

The piece I found helpful and useful is this 10-step guide “if a security auditor isn’t in the budget”: http://www.itsecurity.com/features/it-security-audit-010407/

#30DaysOfSecurityTesting – Task VII


All previous posts in this series: I, II, IV, V, X, XXX

Task: Learn one or more things about Penetration testing.

The first thing I learned today about the topic is the difference from vulnerability scanning. During scanning you identify and prioritise possible vulnerabilities, but during penetration testing you actively explore those vulnerabilities with the aim to break in.

Second, a very important thing I learned: in Germany all penetration testing without the permission of the owner is illegal. So if you scan somebody's system in Germany, try to use the vulnerability and report it to the owner in the hope of getting a reward, you may land in jail.

#30DaysOfSecurityTesting – Task IV

vulnerability

All previous posts in this series: I, II, X, XXX

Task: Learn anything about Vulnerability Scanning

I looked for the answer in “How To Break Web Software”, the book I chose in task II. In the index, the only page listed for “vulnerabilities, searching for” is page 107. You can see it in the image above.

It was not enough for me. So I checked the source which, as I learned from my son, has many answers:

Then I found the list of vulnerability scanners. The experts will LOL about my comparison of Nessus and Nmap, but that is what works for me:

  • Nmap is free, the website is from the 90’s and the tool is difficult to configure.
  • The price of a Nessus single-user licence is “$2,190 USD/year” (funny that they use both $ and USD for the price), the website is modern and the tool seems to be very user-friendly (according to the demonstration above).

I am considering downloading Nessus and scanning my home network. Curious what it will say about my internet radio. The download starts with filling out a form; even if you want the try-out for a single-user licence you have to select your job position. In the list you will find all kinds of people, except software testers.


The more I think about web security, the more it reminds me of birth control. Some of us blindly trust the protection of their choice, some think that nothing will happen anyway and use none, and there are some of us who choose to walk on the edge. Negative consequences of some of those decisions are AIDS, fertility treatments or teen mums.

I am quite a sceptic: if we cannot handle issues of our own bodies and health, then such an abstract thing as web security has no chance of getting our attention before something really bad has happened.

#30DaysOfSecurityTesting – Task X


All previous posts in this series: I, II, XXX

The task for today: Read and Learn about Ethical hacking

My way to learn about the topic was to read the story of how Troy Hunt started his career in web security and how he became a content creator for ethical hacking certifications. After reading the story you may want to browse other articles written by him.

Another great thing created by Troy (even if I do not agree with everything, it is still very good): Internet Security Basics for those not so much into security.

#30DaysOfSecurityTesting – Task XXX

Task 30: Discover the difference between White, Grey, and Black Hat Hacking

This task is not a real challenge for me, but a challenge is a challenge, so here is a summary:

Black Hats see hacking as an intellectual challenge; they have the drive to outsmart others and see stolen money as a reward for their skills.

White Hats are also called ethical hackers. They use the same hacking methods as black hats, but they do it with the permission of the owners. For example, @mikko is a white hat hacker.

Grey Hats, in my understanding, are kids who have skills, like to play with them, but behave carelessly or are not aware of legal or ethical issues.

So far so good. Now time for one of my learning sources: YouTube :)

“wild pleasure of exploration”, “the pope is currently not available”