Ray Redacted on CryptoCousins Podcast

My buddy Gary runs the CryptoCousins podcast. I’ve been interviewed on his podcast previously. I saw Ray Redacted present at Dallas Hackers Association and thought he’d be excellent on their podcast. Not only did they interview him, he’s also going to be speaking at the Bit Block Boom conference on July 14th in Addison, TX.  Check it out!

Post-Tour Cool-Down

I survived the crazy 10 day, 6 city, 6 speaking engagement whirl-wind. Honestly, it really wasn’t that bad. I got to hang out with some really cool people. I got to see some really neat places, and I got to learn a bunch of crazy new things. You pick up a lot when you hang out at 6 different security conferences in rapid succession.

Here’s the PDF from the
LIVE HACKING DEMOS Presentation

One of the unfortunate things I struggle with is keeping a good work/home life balance. It’s a struggle I think I’ll honestly have to deal with my entire life. I tend to excel in one area of my life and drop the ball in others. I still struggle with this as I do have a tend to be pretty stubborn and I don’t accept failure in myself.  When I see this happening in other people, I tell them to check their priorities and to prioritize family over work. I tend to neglect my own advise. When that happens, I come back to this commencement speech from Shonda Rhimes. She’s a very strong and power-player in Hollywood. Her words in her commencement speech really struck a chord with me.

“Wherever you see me succeeding in one area of my life, that almost certainly means I’m failing in another area of my life.”

With all that said, I’m going to cut back a little on the travel, prioritize myself and my family and work on a few pet projects I’ve been thinking about. Looking forward to it.

April Showers Bring May InfoSec Talks!

Missed seeing me talk in Des Moines this month? Don’t worry!  May is shaping up to be a heck of a month for awesome speaking engagements!

5/8/18 – St. Louis Tech Summit – Insider Threat – St. Louis, MO
5/9/18 – Secure World – Insider Threat – Kansas City, MO
5/10/18 – Omaha Tech Summit – Insider Threat – Omaha, NE
5/11-12/18 – BSides Denver – Hacking Demos – Denver, CO
5/14/18 – Central Ohio Infosec Conference – Hacking Demos – Columbus, OH
5/15/18 – San Antonio ISSA – Hacking Demos – San Antonio, TX

I’m really looking forward to hitting the road again and meeting everyone on this wild and crazy journey. Hopefully I’ll see you at one of these events! Pretty sure this will be me afterwards.

Questions to Ask BEFORE a Public Speaking Engagement

Event/Audience Details

  • Date & time
  • Address and location
  • Name of the event.
  • Description of event.
  • Event agenda.
  • Talk duration (30/60 min?)
  • What the client want the speech to achieve
  • Who will introduce me?
    • Can I send them an intro or will they provide it?
  • If more information is needed, who is my point person? (get contact info)
  • How many people will be there?
    • Age
    • background
    • gender
    • occupation
    • etc
  • What’s their attitude toward my topic?
  • Will I be expected to mingle and socialize with audience before or after I speak?

Technical/Logistical Details

  • Will there be a podium? Is it solid or see-through (lucite/plexi-glass/etc)
  • Will there be a screen and projector? What video input (VGA, HDMI, etc)
  • How many video inputs are available (typical answer is 1)
  • Will I have a microphone?
    • What type? (lape, hand-help, attached to podium, mic-stand, etc)
  • May I arrive early to walk the stage and get comfortable about the equipment and venue?
  • Who is in charge of making sure things go smoothly before and during my speech (get contact info)

NTXISSA March 2018 Monthly Meeting – The Hackers Toolkit

I’m excited to announce that I’ll be speaking at the March 2018 North Texas ISSA chapter meeting. I’m planning on presenting the “Hacker Carpet Bomb” aka “Hacker’s Bag of Tricks” aka “Hackers Tooklit” presentation. This talk consists of nothing but live demos. Anyone who’s done IT presentations can tell you, live demos are dangerous. They rarely go right. Having a talk that consists of nothing but live demos is straight up insane. I’ve done this talk a handful of times. Not once has it ever gone perfectly, but that’s also the charm behind it. Exploits, even in perfect environments, sometimes fail. That’s part of it.  Here’s the demo’s I’m planning to present

Between now and then I need to find a device I can destroy on stage. If you have something you don’t mind literally going up in smoke, please let me know.

So please come out March 15th at 11:00AM. I’m sure it’ll be a fun and eye-opening event.

https://ntxissa.org/event/ntxissa-march-2018-monthly-meeting/

 

 

Q&A on SQL Injection ‘ or 1=1; —

from XKCD

Every once in a while I get an email from either a friend, client, mentor, etc that I really want to share with the community as a whole. Typically after I respond to the email, I try and get permission from the second party and include it on my blog (which I’m still fairly sure nobody actually reads).  Anyways, this was a really good question about SQL injection, so enjoy!

Hey Andy, I’ve got a question. In my courses I’ve been learning SQL. I’m trying to also look at it with a security perspective in defending from SQL injection attacks. Do you know of any good ways to actually practice or solid resources to learn. I’m half tempted to start running some queries on shoddy looking websites, but I really I wouldn’t do that. I’ve seen some Youtube videos and some stuff on W3, but thought I’d ask you what you think. How big of a vulnerability is SQL injection or how big of a priority is it to businesses now?

First off, I’m honored anyone emails me asking for my thoughts or opinions on a topic, so thank you. SQL injection has been an issue since it was first discussed around 1998 on Phrack.

Take a look at the OWASP Top 10 – 2017 (most recent copy at the time of writing this). The ten most critical web application security risks demonstrate that SQL Injection has been the top dog risks for quite some time. Things like cross-site-scripting, and cross-site forgery are up-and coming risks, but SQL Injection is king.

As for running queries or something like SQLmap against any website, I strongly recommend you do NOT giving away free pen-tests. That’s a quick way to get in trouble with the feds. What you want to do is test in your home-lab or find a purposely vulnerable site to hone your SQL injection skills. There’s a lot of blog posts out there already covering this content so check out this article about 40+ Intentionally Vulnerable Websites to (legally) practice your Hacking Skills. Additionally, if you’re looking to focus specifically on SQL injection, you should also check out Hack.me. They have a whole section specifically focused on SQL injection. Also, I’d be remiss if I didn’t bring up Metasploitable too. This is an amazing VM that is purposely vulnerable in many different ways. I haven’t checked personally, but I’d be shocked if there wasn’t a SQL injection vuln somewhere on there. Recently Rapid7 released Metasploitable 3. The setup is a pain. I’d recommend you check out the Metasploitable 2 VM first before embarking on MS3

Now the second question about how big of a priority is it to businesses is a very interesting question. I think it all depends on the business and the vertical. There are many exceptions to this, but many businesses that do not develop applications or websites, in my opinion, do not prioritize SQL injection as a viable risk to their organization. To them, the risk solely lies on the developer of the service, website, or software. They think they’re covered. To take this type of stance is foolish and irresponsible. Patches roll out monthly, if not more, remediating vulnerabilities in production code all the time. The vendor shares partial responsibility, but the client holds the majority of the risk relative to data breach. Solutions such as Web Application Firewalls do a good job in preventing and detection of SQL injections, however this is not enough. I’m personally fond of aggressive least privilege as well as heuristic behavior monitoring, risk-based policies, masking of sensitive information, and regular auditing of use and access…but yeah, that’s just me. 😉

Other industries and verticals that have more at stake with application development tend to rightfully prioritize SQL injection more so than others. To which degree however ranges from extremely aggressive to hardly not at all. The goal here is not to detect and respond but to prevent altogether. Several defence strategies would be to have multiple DB users and demonstrate the concept of Least Privilege. Also you would want to implement aggressive input validation and escaping all user-supplied input. If you’d like to know more, I strongly recommend you check out the OWASP recommendations for SQL prevention cheat sheet.

Oh yeah, be sure to check out Bobby-Tables.com. It’s a great resource for learning more and how to prevent SQL Injection.

A Blast from the Past

This weekend, I took the wife and kids to my parents house to visit. They’re in the middle of a large home remodel. As part of the remodel, the construction crew had knocked down a wall in one of the bedrooms and found a small altoid tin stashed in the wall. My parents had no idea what to make of the contents. Simply a piece of paper with some notes scribbled on it. My father (bless his heart) asked me if it had something to do with drugs (LOL). He told me the story and asked me what the paper was all about. I took the box, opened it up and smelled it (just in case…). I opened the note and was instantly hit with a wave of 90’s IT nostalgia. Back before the internet, parents had no real idea what sort of trouble someone could get into with simply a computer and a modem. This was my BBS list! At the time, you had to be 18 years old to sign up and participate on Bulletin Board Systems. This was my 13-year-old boy attempt to create a fake persona and keep my late night shenanigans with my friends hidden from my parents. It’s funny to look back at a time before the Internet had taken over daily life. A time before you could summon a car or a bag of groceries to your door with a flick of your finger. It’s nice to look back and see phone number before the requirement to add the area code.

This took me back to a really cool point of my life when I would logon at 12:01am right when the timers to all the doors would reset. I would wait for my friend Lu to logon and we’d play Legend of the Red Dragon till 2-3am. I remember once, a bunch of people (whom some I still keep in touch with) all met at the Parks Mall to hang out. It was probably one of the first times I realized it was okay to be a bit geeky and to be yourself. There’s other folks out there just like me!

I wonder if any of these still exist. I guess it’s time to find out.

Rainmaker’s Book Recommendations

So before sobering up and leaving Dallas Hackers last night, I did a quick (and inebriated) firetalk on some of the books I’ve read recently and my thoughts. I will update this blog post with a summary of each book and my thoughts on them. However I wanted to get this post up before I hop this flight to Tel Aviv, Israel for a week. Here’s the list. Enjoy!

Read more “Rainmaker’s Book Recommendations”

Upcoming Speaking Engagements!

It’s that time of year again! Andy’s running around like crazy. In the course of 8 days I’ll be doing 4 different talks in 3 different states. Looks like we’re closing out the year with a bang!

I’ve got some surprises in store for everyone. Stay tuned!