InfoSec matters

 Keeping up with industry news, and the latest research and developments from Information Security is no small task. Over the years I listened to many InfoSec podcasts. Some are great and I have stuck with them for many years, others have come and gone. In this post, I'm going list my personal favourites. Daily News Read all about it. Get the latest, up to date InfoSec news from around the world.  ISC Stormcast If you only have 5-10 mins to listen during your morning coffee then this is the one. I try to listen to this one every day. Chances are if something big is breaking you're going to hear about it here first.  Often the shows point the way to further information for interesting research and features the latest malware techniques you should be aware of.    Presented by the  Dr. Johannes Ullrich Dean of Research for SANS Technology Institute and SANS Faculty Fellow, and founder of the SANS Internet Storm Center (ISC),  with frequent contributions from the ISC Incident Hand

Recently I have been doing far more AppSec work in Agile, Lean environment. I also took the SANS SEC 540 course Cloud Security and DevSecOps Automation  which has lots of really great exercises but I like to try to create some of my own examples.  In this one I wanted to create a CI/CD (Continuous Integration/Delivery) pipeline that integrates Static Analysis Software Testing (SAST) and Software Composition Analysis (SCA) and finally some Postman testing of API endpoints that include negative test (more on this later). To start with I needed some example code so I found an example and adapted it to my own needs. The code along with the other supporting files like the Jenkinsfile can found on my GitHub under Planetary-API . Please note, I don't claim to be the best coder in the world :-) I chose an API partly for simplicity of the examples and partly because there are things I wanted to explore further later in terms of bearer authentication and the use of JWTs (for another project

Unsecured cloud storage are often the cause of breaches. It regularly makes the headlines when an Amazon S3 bucket is found with public access and contains tens of thousands or even  millions of records including PII (Personally Identifiable Information) such as addresses, phone numbers and email addresses. The same problem can beset Azure, or I guess, any cloud platform, and while defaults have improved it is still a common misconfiguration that can lead to a breach.  Recently I found myself needing to examine some Azure storage to check for misconfigured public access on some Azure storage accounts. A colleague suggested a script he'd come across Invoke-EnumerateAzureBlobs  (thanks Stephen). The PowerShell script can be used to find storage accounts and then enumerate files within that storage account if the permissions allow it. The original article can be found here and the github repo here . I would recommend reading the original post.  On this occasion I used the this to

The Modern Honey Network is an application for the deploying and collecting data from Honey Pots. Honey Pots can be a very useful detective control but they can also be useful for collecting threat intelligence.  There is great introductory blog post on Lenny Zeltser’s blog .  I use a popular cloud service to deploy my honeypots on the Internet.  I use it collect various Threat Intelligence such as scanning IPs and source addresses that are doing password brute force attacks. I feed the IP addresses into tools like Security Onion and SOF-ELK . As MHN can write to Elasticsearch via logstash installed locally it’s easy to query and extract the data from there. I wrote a small python program to extract either unique IP Addresses or a unique password list that can be used for checking passwords against to make sure you don’t use ones that appear in the attackers dictionaries.  Once extracted, the unique IP addresses can be used as threat intelligence in your SIEM or you could furt

Firstly, I’m happy to report that I received a SANS SEC530 Red Challenge Coin for submitting a blog post that builds upon the SEC530 course subject matter for Squid Proxy with SOF-ELK Part 1 . Thank you very much  Justin Henderson and Ismael Valenzuela for the coin. Analysis In this post I wanted to go a little deeper into how to analyse Squid logs collected in SOF-ELK and develop some potential security use cases.  In Part 1 we configured Squid to use OpenDNS Home edition to block access to sites that were undesirable such as Gambling site and sites known to serve Malware. We also configured Kibana to show meaningful block codes rather than just the IP address that OpenDNS redirected them to when a user visited a blocked site. From the users perspective they will see a blocked message from OpenDNS like this: On SOF-ELK we can see the details of the block browsing as shown here: We can use the block type to create a visualisation to examine which type of block is prevalent