Have you ever wondered how web applications do validation on forms? How does the app know when your input is really an email address? In most PHP applications, this is done using regular expressions (Regex).
I’ve previously posted about how to defend against XSS and SQL injection. Checking strings with a white list of allowed characters is one of the easiest changes a developer can make. Regex makes this easy in most programming languages.
In that post I linked to RegexOne. The site had a pretty good cheatsheet covering how regex is useful. This is only really helpful if you are familiar with how regex works.
This is my last post related to HTTP Public Key Pinning (HPKP). This is a post in response to Scott Helme’s latest post about him giving up on HPKP and how my blog is a perfect example of his concerns.
In the past I’ve written three articles about the HPKP header:
The point of each of these articles is pretty well summed up in their titles. For work, I was tasked with learning about HPKP and of course I made blog posts as I tried out the new header.
Starting with HPKP
While learning about HPKP, Helme’s posts were a great resource for me. Thanks to him, I was able to understand the process well enough to get some tests up online using this domain.
Everything worked fine until I had to renew my LetsEncrypt SSL certificate. Renewing caused the public key pin to not match the certificate and blocked all users who visited my blog with a browser that supported HPKP.
Running into issues
In Helme’s post, my issue is part of the “bad hygiene” that is warned against. HPKP requires that best practices are used to keep certificates up to date as well as the pins. Using LetsEncrypt certbot to auto-renew my domain’s certificate is not the best way to do this. Since I couldn’t keep track of the pins, I was unable to properly support the header.
In order to “resolve” the issue, I had to strip the header from my site and ask all concerned clients to forget my domain from their browser’s saved history that remembered my old pin.
It is at this point that I agree with Helme’s conclusion that “One of the biggest concerns I have with HPKP right now is sites trying to use it and getting it wrong”. Especially since my blog is one of the sites that proves how easy it is to get wrong! It’s because of this difficulty and the massive impact a bad certificate/pin combination has on end users that I agree HPKP is not worth implementing.
Please go and read Helme’s post if HPKP is something you deal with or if you’re starting to look into it as well!
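To make the failure described above concrete, here is an added Python model of how an HPKP-supporting browser treats the pins across a certificate renewal (example code written for this page, not from the original post or from certbot). The SPKI byte strings are constructed stand-ins; a real pin is computed over the certificate’s DER SubjectPublicKeyInfo exactly as spki_pin does.

```python
import base64
import hashlib
import re

# RFC 7469 pin: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
def spki_pin(spki_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header into its pins, max-age and includeSubDomains flag."""
    pins, max_age, include_sub = set(), None, False
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive)
        if m:
            pins.add(m.group(1))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "includeSubDomains": include_sub}

def header_is_noted(pins: set, chain_spkis: list) -> bool:
    """First visit (RFC 7469 section 2.5): a browser only stores the pins if at least one
    matches the served chain and at least one (the backup pin) does not."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(pins & chain_pins) and bool(pins - chain_pins)

def chain_accepted(pins: set, chain_spkis: list) -> bool:
    """Later visits: the connection succeeds only if some key in the chain matches a stored pin."""
    return any(spki_pin(s) in pins for s in chain_spkis)

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs; not real keys.
LEAF_KEY_2016 = b"constructed-spki:leaf-key-when-pins-were-published"
BACKUP_KEY = b"constructed-spki:offline-backup-key"
LEAF_KEY_RENEWED = b"constructed-spki:fresh-key-generated-at-renewal"
INTERMEDIATE = b"constructed-spki:issuer-intermediate"

# The kind of header this blog served (max-age of 60 days).
HEADER = (f'pin-sha256="{spki_pin(LEAF_KEY_2016)}"; '
          f'pin-sha256="{spki_pin(BACKUP_KEY)}"; max-age=5184000; includeSubDomains')

def renewal_outcomes() -> dict:
    """Replay the post's incident: pins stored on first visit, then a certificate renewal."""
    stored = parse_hpkp(HEADER)["pins"]
    return {
        "pins_stored_on_first_visit": header_is_noted(stored, [LEAF_KEY_2016, INTERMEDIATE]),
        # Auto-renewal that generates a new key pair: no pinned key in the chain, browser blocks.
        "renewed_with_new_key_accepted": chain_accepted(stored, [LEAF_KEY_RENEWED, INTERMEDIATE]),
        # Renewal that reuses the existing private key: same SPKI, same pin, still accepted.
        "renewed_with_same_key_accepted": chain_accepted(stored, [LEAF_KEY_2016, INTERMEDIATE]),
        # Rolling to the pre-published backup key also keeps users unblocked.
        "switched_to_backup_key_accepted": chain_accepted(stored, [BACKUP_KEY, INTERMEDIATE]),
    }
```

The second outcome is the incident the post describes; the last two show why pinning only survives a renewal when the private key is reused or a backup key was pinned ahead of time.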
2016 has been a crazy year, and I’m not talking about celebrities, politics or world news. A lot of security related things have happened for me personally. I wanted to base this post chronologically on what I’ve done.
One of the first screenshots from 2016 is a constant reminder for me. What’s the first rule of infosec? Troll first, work later. I’ve come to realize that Twitter is the diving platform everyone needs. Twitter allows us to get lost in the world of memes, jokes, and sometimes useful rants from infosec’s favorite rockstars.
Bsides Indy was a lot of fun. I got to meet some great people and attempted a CTF. Even if the CTF bombed hard, the team I was on had fun trying to attempt to play. The takeaway that I remembered most is networking. I met a lot of people I had only seen mentioned on Twitter feeds before. I took some of the stuff I learned at Bsides and messed around at Spartan Hackers’ SpartaHack hackathon.
For most of the conferences I’ve been to, I’ll say networking is the most important. The people I meet, the conversations we have, and the advice I get are invaluable to me. Networking is the main reason to continue attending conferences.
Circle City Con
This conference was my first attempt at volunteering for a security team. Circle City was a good experience. I learned a lot while on the job and met some great people. However, at the same time, it was at this conference I learned that it’s not always best to volunteer for every shift you can make. After Circle City, I started shifting from an “ALL THE SHIFTS!” mindset to “I’ll fill a shift or two”. Circle City is a fun conference and a lot of stuff happens; I’ll be happy to get to go next year without being “on the job” for the entire conference.
Over the wire
Jayson from CBI introduced me to the Over the Wire challenges this year as well. It’s great training and proof that basic Linux commands are all you need to be a 1337 H4CK3R. I learned a lot and that information helps me to gain a competitive edge in CTFs and during ethical hacking exercises at work. So far I’ve tackled Bandit with Jayson and friends, and also Leviathan by myself. Check out those posts if you want to know more about Over the Wire.
The conference that started MiSec. I was happy to volunteer at this conference in our own backyard. There were a lot of great talks, I got to network with a lot of my favorite people and help out with Hak4Kidz all day Saturday.
I was lucky to get to play Jayson’s CTF-NG. Jayson has done an amazing job creating a new style of CTF. It’s far above any other CTF I’ve attempted. The point of the game is to get cards and use them to beat other players. Cards are distributed across customized VMs inside the game’s network. I was able to get into a few machines and find some annoyance cards. Not bad for my first attempt at the game. Since playing I’ve learned there’s a lot of networking and basic Linux commands that I need to master.
Since my first attempt at Jayson’s CTF, I’ve had a few more chances to redeem myself. I’ve had a couple helpful hints. There’s been improvement in my network analysis and tool usage. In the latest attempt, I was able to find a legendary card.
School’s out for summer!
In May I graduated from MSU with a major in Media and Information and a minor in Computer Science. I continue to learn what I can about information security, but I’m hesitant to sign up for another degree. At the same time I moved from an internship to a full time position at Vertafore where I get to work with application security and vulnerability management.
Misec Panel – Path to the dark side
MiSec had a really cool panel in May where some experienced infosec professionals shared their journey of getting to where they are today. There were a lot of great tips and live tweeting, so check out the post I did to follow up on that.
TLS research & talks
One of the first projects I did while working full time at Vertafore was researching TLS. The goal was to find how it worked, why it was required and what standards are the most important to secure connections. I drafted some standards, locked down this website by using Let’s Encrypt, and gave a lightning talk at MiSec Jackson about some of my research.
Hacker Summer Camp
Hackers and DefCon go together like PB&J. Add BsidesLV, guns, and black hat parties and there’s a whole week of fun, training, and more in Vegas. I met so many people while volunteering, standing in lines for talks, or visiting workshops. Hacker summer camp was a great experience and I’m pumped for 2017. DefCon 25 is going to be huge; being the 25th anniversary of the original DefCon means they’re going all out. A new location, more villages and workshops, there’s going to be something for everyone. I hope to see you there!
The next research project I worked on at work that I also brought over into my personal websites was enabling Public Key Pinning. It’s a header that compares the TLS certificate to a pin that clients’ browsers save after the first visit to a website. I wrote a post about it and if you frequently visit this blog, you may have had an issue when my TLS certificate expired and I failed to correctly renew it. A few readers were blocked from seeing the blog because the HPKP pins didn’t match. I’m just happy I learned this lesson (and what’s required to fix it) on my personal websites and not on one of work’s applications!
I’ve done a little more for work that was based in application authentication. Specifically, I looked at 2FA, salted hashes, and other factors that go into securing a login process. There are blog posts on that research but those posts haven’t moved from drafts to something publishable. There will be a few time traveling posts appearing in 2016 next year.
September 14th was the first meeting of a new chapter of MiSec. Tek Systems hosted the first meeting in Lansing for MiSec and we have since moved on campus so students have a better chance of attending. It’d be great to have students and infosec professionals working together to improve the community.
Kyle and I had the idea to start another location. Since Kyle organizes the Jackson meetings, I’m the coordinator for the Lansing chapter. I get to be the guy that finds speakers for each month and organizes other events in the area. If anyone wants to give a talk or is interested in another event for MiSec Lansing, please reach out to me about it.
Other MiSec projects I contributed to this year are the MiSec slack channel and the wordpress redesign for the website. If you want to join us on slack, there’s an invite app that just requires an email. The wordpress redesign is something @taco_pirate and I worked on.
GrrCon 2015 was one of the jumping points of my security career. I can’t believe it’s already been a year since then. Going back to GrrCon (having my employer pay for it) was really different this year. I wasn’t working behind the scenes but the organizers and team leads remembered me from last year. I played hacker Jeopardy (and somehow survived the aftermath), I was able to attend talks and still got a chance to network.
My journey into infosec is still just beginning and I’m excited to see where it goes from here! I plan on attending more conferences, being active in the community and continuing to learn as much as I can. I hope you’ll join me!
2015 has been quite the year for me! For one, I started blogging about information security and software development. I added a category for hardware, but I haven’t been able to dive very deep into those projects (yet). This blog post will be a review of all of the content I’ve blogged about; hopefully it’ll be a good collection of how much I’ve grown. To prove I really am what my tag line says: that I’m better than I was a year ago.
The Start of 2015
Last January, I started this blog for a class. I was required to write weekly posts about an interesting topic. This blog started out on tumblr and I’m not too proud of some of the early posts. Forget the fact that I knew nothing about SEO when writing a blog post, the content was not what you’d expect from your run of the mill InfoSec blog. My blog would’ve suffered if it wasn’t for Lesley Carhart; thanks to some conversations on twitter, she pointed me in the right direction and gave me some awesome ideas for better topics for future posts. I learned about Shmoocon for the first time and the Kill Chain. This was the starting point to my blogging days.
Borrowing from Hacking Exposed
After I struggled to find new content for each week, I started to use my blog posts as “spark notes” for what I’d learned from reading Hacking Exposed. For each chapter or section I read, I’d write a blog post about what I learned. Honestly, I didn’t do the book justice. I still haven’t read the book all the way through, and the notebook style posts gave way when the class ended and I was no longer required to write a post every week for a grade.
It was right around the end of the semester that this blog was transferred from Tumblr. It became a wordpress site for a final project in a different class that semester. I got brownie points with my professor for hosting a blog and being able to maintain it along with my homepage and a side project called COGSS (yes that’s still under development…)
As the blog posts were exhausting my security knowledge, I was running out of ideas, and weekly posts became harder and harder. This was when I opened the site to other topics: hardware and projects. This was my scapegoat to get in a few long posts about websites I’ve built and wanted to show off, or programs that I’ve found that helped to make the blog better. Over the summer, I worked a full time internship and I didn’t spend my nights writing blog posts. I went from once a week to once a month, but I feel like the content was improving.
Bringing back the InfoSec
I didn’t really start having strong hacking posts until I went to A2Y.ASM, a one-day mini-conference in Ypsilanti. I learned a lot that day and had a lot of new content to regurgitate into a blog post. Right around this time I was able to find Misec, GrrCon and an infosec mentor. It was the kick start I was looking for to get into the security community. Over the last few months I was able to have a nice mix of Infosec and Development posts where I could write down what I was learning as a hacker and I could rave about what I was doing as a developer.
The best of 2015
If I had to boil the best down to a paragraph, I’d have to say finding an infosec community, going to conventions, and giving my first talk were the highlights of my year. Without Twitter, Misec, or my mentor, I’d be doing everything from books and that’s not really how I learn; I’m more hands on than that. Volunteering at GrrCon was amazing, I learned a lot and met some awesome people. It’s something I’ll never forget. Mid-December, I gave a web hacking presentation to Spartan Hackers. It wasn’t bad for my first talk but I have a lot to learn about presenting. It’s good to know though that I can teach as I learn.
What’s next in 2016?
My goal for 2016 is to get back to weekly blog posts. I’d like to be able to do 2 infosec posts, and 1 dev project and hardware build each month. But we’ll see how that goes. I’d like to go to two conventions in 2016, GrrCon and ______. I went to two CTFs in 2015, so it’d be cool if I could go to 4 in 2016 or maybe help set one up. If you have any suggestions, please let me know! I also have a pile of hacking books stacking up; it’d be nice if I could read a book a month and be able to share some of what I’ve learned. My biggest goal though, since I’m graduating from college in May, is to get a full time job as an information security professional and absorb as much of the career, community, etc. as I can because I really enjoy every second of it.
Ok, let’s review, we know our basics. We know how to use a computer, we know how to write code, we know what Unix systems like Linux are, and we know how to use Unix tools like those provided in Kali.
Wait, I still can’t get into my friend’s Facebook account, what are we really learning anyways? Well, giant corporations like Google or Facebook are hard to hack, especially for people new to hacking like us. Not to mention it’s usually illegal to try to hack a company without permission.
So in the meantime, use the VMs we set up in step 3 to practice known vulnerabilities and learn basic hacking methods! Now, OWASP’s BWA isn’t something we fully understand, but the developers who wrote it also provided some awesome documentation! To become a hacker you need to explore how to gain information for yourselves. Here are some links to get you started with OWASP’s BWA.
Google and the internet are your friends. If you can’t take a class, there is a multitude of online resources you can use. Whether you’re trying to learn programming and use Stackoverflow or you’re learning about basic hacking skills and want to use Hacking Highschool, you really do need to have some understanding of how things work before you try to hack them.
Hello There, I’m James, everyone calls me that and it’s probably the only name I respond to. However my name has one problem. Google it and you’ll find little about me.
That’s where my username came in. Greenjam94 is my alias for anything and everything on the internet from gaming to social media. I’ve used this username since the 8th grade when I first realized my Internet presence would stick with me throughout my life. Click the link and it’ll show you so many links, almost all of which are a part of my digital footprint.
If scrolling through a google search isn’t your thing and you’re still reading, let me tell you why I started this blog. I spent two years at MSU as a computer science student. This is where my interest in hacking changed from wanting to do what you see in the movies to actual things like penetration testing and password cracking.
Who’s excited for the next Chris Hemsworth movie coming out Friday January 16th?!? He’s trading in his hammer for a laptop in this up and coming action packed thriller.
Now, granted, anyone who calls themselves a hacker would cringe to call Hemsworth a “black hat hacker”. But there’s one thing I love about movies like this one. It opens your minds to the endless wonders of what hacking can do. (Please note: it’s never as easy as movie magic makes it look)
In fact, a movie like this is what first got me interested in finding a job with computers. Watching people drain billionaires’ bank accounts in seconds, or controlling the traffic signals to get away.
My favorite hacking movie would be Live Free or Die Hard. I liked the idea of a “fire sale” attack. Remotely controlling utilities, communication, and the stock market. While this isn’t really doable in the real world, it’s fun to think about what really is possible!