Questions to Ask BEFORE a Public Speaking Engagement

Event/Audience Details

  • Date & time
  • Address and location
  • Name of the event
  • Description of the event
  • Event agenda
  • Talk duration (30/60 min?)
  • What the client wants the speech to achieve
  • Who will introduce me?
    • Can I send them an intro or will they provide it?
  • If more information is needed, who is my point person? (get contact info)
  • How many people will be there?
    • Age
    • Background
    • Gender
    • Occupation
    • Etc.
  • What’s their attitude toward my topic?
  • Will I be expected to mingle and socialize with audience before or after I speak?

Technical/Logistical Details

  • Will there be a podium? Is it solid or see-through (lucite/plexiglass/etc.)?
  • Will there be a screen and projector? What video input (VGA, HDMI, etc.)?
  • How many video inputs are available? (Typical answer is 1.)
  • Will I have a microphone?
    • What type? (lapel, hand-held, attached to podium, mic stand, etc.)
  • May I arrive early to walk the stage and get comfortable with the equipment and venue?
  • Who is in charge of making sure things go smoothly before and during my speech? (get contact info)

NTXISSA March 2018 Monthly Meeting – The Hackers Toolkit

I’m excited to announce that I’ll be speaking at the March 2018 North Texas ISSA chapter meeting. I’m planning on presenting the “Hacker Carpet Bomb” aka “Hacker’s Bag of Tricks” aka “Hacker’s Toolkit” presentation. This talk consists of nothing but live demos. Anyone who’s done IT presentations can tell you, live demos are dangerous. They rarely go right. Having a talk that consists of nothing but live demos is straight up insane. I’ve done this talk a handful of times. Not once has it ever gone perfectly, but that’s also the charm behind it. Exploits, even in perfect environments, sometimes fail. That’s part of it. Here are the demos I’m planning to present.

Between now and then I need to find a device I can destroy on stage. If you have something you don’t mind literally going up in smoke, please let me know.

So please come out March 15th at 11:00AM. I’m sure it’ll be a fun and eye-opening event.

https://ntxissa.org/event/ntxissa-march-2018-monthly-meeting/


Q&A on SQL Injection ‘ or 1=1; —

from XKCD

Every once in a while I get an email from a friend, client, mentor, etc. that I really want to share with the community as a whole. Typically, after I respond to the email, I try to get permission from the second party and include it on my blog (which I’m still fairly sure nobody actually reads). Anyway, this was a really good question about SQL injection, so enjoy!

Hey Andy, I’ve got a question. In my courses I’ve been learning SQL. I’m trying to also look at it with a security perspective in defending from SQL injection attacks. Do you know of any good ways to actually practice or solid resources to learn? I’m half tempted to start running some queries on shoddy looking websites, but I really wouldn’t do that. I’ve seen some YouTube videos and some stuff on W3, but thought I’d ask you what you think. How big of a vulnerability is SQL injection, or how big of a priority is it to businesses now?

First off, I’m honored anyone emails me asking for my thoughts or opinions on a topic, so thank you. SQL injection has been an issue since it was first discussed around 1998 on Phrack.

Take a look at the OWASP Top 10 – 2017 (the most recent copy at the time of writing this). The ten most critical web application security risks demonstrate that SQL injection has been the top risk for quite some time. Things like cross-site scripting and cross-site request forgery are up-and-coming risks, but SQL injection is king.

As for running queries or something like SQLmap against any website, I strongly recommend you do NOT give away free pen-tests. That’s a quick way to get in trouble with the feds. What you want to do is test in your home lab or find a purposely vulnerable site to hone your SQL injection skills. There are a lot of blog posts out there already covering this content, so check out this article about 40+ Intentionally Vulnerable Websites to (legally) practice your Hacking Skills. Additionally, if you’re looking to focus specifically on SQL injection, you should also check out Hack.me. They have a whole section specifically focused on SQL injection. Also, I’d be remiss if I didn’t bring up Metasploitable too. This is an amazing VM that is purposely vulnerable in many different ways. I haven’t checked personally, but I’d be shocked if there wasn’t a SQL injection vuln somewhere on there. Recently Rapid7 released Metasploitable 3. The setup is a pain. I’d recommend you check out the Metasploitable 2 VM first before embarking on MS3.

Now the second question, about how big of a priority it is to businesses, is a very interesting one. I think it all depends on the business and the vertical. There are many exceptions to this, but many businesses that do not develop applications or websites, in my opinion, do not prioritize SQL injection as a viable risk to their organization. To them, the risk lies solely with the developer of the service, website, or software. They think they’re covered. To take this type of stance is foolish and irresponsible. Patches roll out monthly, if not more often, remediating vulnerabilities in production code all the time. The vendor shares partial responsibility, but the client holds the majority of the risk relative to a data breach. Solutions such as Web Application Firewalls do a good job of preventing and detecting SQL injection, however this is not enough. I’m personally fond of aggressive least privilege as well as heuristic behavior monitoring, risk-based policies, masking of sensitive information, and regular auditing of use and access…but yeah, that’s just me. 😉

Other industries and verticals that have more at stake with application development tend to rightfully prioritize SQL injection more than others. The degree, however, ranges from extremely aggressive to hardly at all. The goal here is not to detect and respond but to prevent altogether. Several defense strategies: use multiple DB users, applying the concept of least privilege so that the account the application connects with can only do what that application needs; implement aggressive input validation; and escape all user-supplied input. If you’d like to know more, I strongly recommend you check out the OWASP SQL Injection Prevention Cheat Sheet.

Oh yeah, be sure to check out Bobby-Tables.com. It’s a great resource for learning more and how to prevent SQL Injection.
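To make the answer above concrete, here is an added example (not from the original post or from any of the resources it links) showing why the `' or 1=1; --` string in this post’s title works against a concatenated query and why it is inert against a parameterized one, which is the primary fix the OWASP cheat sheet recommends, with an allow-list check layered on top as the input validation the answer mentions. The `users` table, its rows and the `login_*` function names are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo only. A real application would store
# password hashes, never plaintext; the column is plain here to keep the SQL short.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The 'before': user input is pasted straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    # With username = "' or 1=1; --" the statement becomes
    #   ... WHERE username = '' or 1=1; --' AND password = '...'
    # so the password clause is commented out and every row matches.
    return [row[0] for row in conn.execute(sql)]


# Allow-list for usernames: letters, digits and underscore, 1..32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def login_safe(conn, username, password):
    """The 'after': validate the input, then bind it as a parameter."""
    if not USERNAME_RE.fullmatch(username):
        return []  # reject anything that is not even a plausible username
    # The driver sends '?' values separately from the SQL text, so the
    # attacker's quotes, 'or 1=1' and '--' are just characters in a string.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run the title payload through both versions and return the matches."""
    conn = make_db()
    payload = "' or 1=1; --"  # the injection string from this post's title
    return {
        "vulnerable": sorted(login_vulnerable(conn, payload, "wrong")),
        "safe": login_safe(conn, payload, "wrong"),
        "legit": login_safe(conn, "alice", "s3cret"),
    }
```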

A Blast from the Past

This weekend, I took the wife and kids to my parents’ house to visit. They’re in the middle of a large home remodel. As part of the remodel, the construction crew had knocked down a wall in one of the bedrooms and found a small Altoids tin stashed in the wall. My parents had no idea what to make of the contents: simply a piece of paper with some notes scribbled on it. My father (bless his heart) asked me if it had something to do with drugs (LOL). He told me the story and asked me what the paper was all about. I took the box, opened it up and smelled it (just in case…). I opened the note and was instantly hit with a wave of ’90s IT nostalgia. Back before the internet, parents had no real idea what sort of trouble someone could get into with simply a computer and a modem. This was my BBS list! At the time, you had to be 18 years old to sign up and participate on Bulletin Board Systems. This was my 13-year-old attempt to create a fake persona and keep my late night shenanigans with my friends hidden from my parents. It’s funny to look back at a time before the Internet had taken over daily life. A time before you could summon a car or a bag of groceries to your door with a flick of your finger. It’s nice to look back and see phone numbers from before the requirement to add the area code.

This took me back to a really cool point of my life when I would log on at 12:01am right when the timers to all the doors would reset. I would wait for my friend Lu to log on and we’d play Legend of the Red Dragon till 2-3am. I remember once, a bunch of people (some of whom I still keep in touch with) all met at the Parks Mall to hang out. It was probably one of the first times I realized it was okay to be a bit geeky and to be yourself. There are other folks out there just like me!

I wonder if any of these still exist. I guess it’s time to find out.

Rainmaker’s Book Recommendations

So before sobering up and leaving Dallas Hackers last night, I did a quick (and inebriated) fire talk on some of the books I’ve read recently and my thoughts. I will update this blog post with a summary of each book and my thoughts on them. However, I wanted to get this post up before I hop on this flight to Tel Aviv, Israel for a week. Here’s the list. Enjoy!


Upcoming Speaking Engagements!

It’s that time of year again! Andy’s running around like crazy. In the course of 8 days I’ll be doing 4 different talks in 3 different states. Looks like we’re closing out the year with a bang!

I’ve got some surprises in store for everyone. Stay tuned!

Hacking RDP with a MitM Password Attack

The other day, my friend and co-worker clued me in on a new attack he found. It worked so well, we had to share it. As it says on the tool’s GitHub page,

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Take a look at how simple it is to steal an RDP credential off the network without ever having to touch the victim’s machine. Things like properly validated server certificates and Network Level Authentication (NLA) are important security controls you should implement to protect from downgrade attacks like this.

Business Travel (aka Road Warrior) Packing List

So I’m about to embark on another trip across the US to discuss cyber security controls with a bunch of different companies across the West Coast. I’m looking forward to it. However, I absolutely hate packing for trips like this. You never know what exactly life has in store for you, if the weather will cooperate, or if you might spill a ramekin of cocktail sauce down the back of your last nice shirt (true story). So anyway, I’m trying to make it easier on myself by keeping a “living packing list”. I’ll continue to update this list as time goes on with whatever need-to-have items I require while traveling. Anyway, here’s the list so far.
Clothing
[ ] Dress Shirts
[ ] Slacks
[ ] Dress shoes
[ ] Belt
[ ] Underwear
[ ] Undershirts
[ ] Socks
[ ] Swimsuit
[ ] Shorts
[ ] T-Shirts
[ ] Running Shoes
[ ] Baseball Cap

Toiletries
[ ] Toothbrush/Toothpaste/Floss/Mouthwash
[ ] Shaving Razor/Shaving Cream/Blades
[ ] Comb/Hairbrush
[ ] Hair gel/hairspray
[ ] Nail Clippers
[ ] Deodorant
[ ] Talcum Powder
[ ] Ear Plugs
[ ] Sleep Mask
[ ] Tweezers
[ ] Hand Sanitizer
[ ] Aspirin/Tylenol
[ ] Afrin Nose Spray
[ ] Benadryl

Business
[ ] Pens & Notepad
[ ] Laptop Charger
[ ] Laptop
[ ] Hacking Toolkit
[ ] Business Cards
[ ] Breath Mints
[ ] Dry Erase Markers
[ ] Wireless Mouse (Purposely Vulnerable)
[ ] VGA to HDMI Adapter

Misc
[ ] Sunglasses
[ ] Phone Charger
[ ] HooToo Travel Mate
[ ] Roku Stick
[ ] Amazon Dot
[ ] VR Headset
[ ] WiFi Hotspot
[ ] Noise-Canceling Headphones
[ ] Wired Headphones
[ ] Kindle
[ ] iPad
[ ] Watch Charger
[ ] Flashlight
[ ] Umbrella
[ ] USB Battery Pack
[ ] HDMI Cable

It’s a lot, but I’m typically able to carry this all in an average carry-on and a briefcase or backpack. Feel free to print this packing list out as a PDF for your own use as well.