Tuesday, September 05, 2017

The Emperor Had the Boy Locked Up: “Mastering Kali Linux for Web Penetration Testing” by Michael McPhee



“As applications have become more complex, and their importance has skyrocketed, bolt-on security approaches are no longer cutting it.”

In “Mastering Kali Linux for Web Penetration Testing” by Michael McPhee.


Hah... memories of a rather expensive inter-bank trading system we were offered one time to test. Examining the executable revealed a few plain text strings, one of which (the name of a biscuit in upper case) stood out as dubious, and turned out to be the encryption key for all communications (“super-duper unbreakable encryption” was one of their selling points) ... With that, and a little bit of poking around, we reached the stage where we could send a message to another counterpart offering them a product at a certain price, and then we could send a message that told the server they'd accepted it (forming a legally binding contract - notional values for these goods were of the order of millions and tens of millions of dollars). Being nice guys, we didn't do this for real (the above was done on the QA rig), but rejected the software. When we explained why, the vendors told us what we did would be "a breach of the license terms", and couldn't understand why we fell about laughing... especially after the way they "patched" the holes (obscured the encryption key with, I kid you not, ROT13.)

Names above withheld to protect the incompetent...

The thing you can usefully pick up in a day or two is more the mindset involved in trying to find and exploit a weakness rather than all the techniques involved (e.g., spend the day with a reformed burglar who can show you which properties are vulnerable where, ditto shoplifters etc.) - the tools and techniques change over time, but the attitude less so... We are cannibalizing our youngest and brightest citizens (worldwide). Aaron Swartz, Manning and Snowden have all empowered themselves to listen to their consciences and act on information about security and safety breaches or unfair protocols, acts which are no mean feat given that the political noise and threats for being engaged and concerned have never been set at higher decibels. Even if your privacy has already been breached, notification still gives you the option to act: change your password, check your credit card purchases (or freeze them), etc. etc.

Or - where possible - take your business elsewhere, to somebody who protects their clients' data as they ought. It's like the US situation where restaurants that fail a health inspection are obliged to put a notice in their window for potential customers to see; the risk of having to do that gives them an incentive to keep the place clean.

It sounds like a real head-fuck, dealing with all the shit every single time one of the multiple companies that has any of your info has what may turn out to be a minor, insignificant breach. When nearly everyone has opted out or opted for the apparent safety of silence, a few continue to stand up and point out wrongdoing. That we are targeting them instead of the true threats is so insane it points to a societal death wish.


And in the real world someone said "The Emperor has no clothes". Hearing of this, the Emperor had the boy locked up.
