


Bruce Schneier Sensible Security Model (SSM)


Also being a Telnet replacement

The PSExec utility requires a few things on the target system. Details on rapid7

With this attack you will need to have already obtained the target's username and password, or password hash

Kali Linux also has the “Pass the Hash toolkit”






Native Windows tool “vssadmin” visible in the source


WMI Providers provide interfaces for configuring and monitoring Windows services, along with programming interfaces for consumption via custom built tools

We use the WMI Command-line (WMIC) command to start a Remote Procedure Call

Then create a ReverseListenerComm to tunnel traffic through that session

By default PowerShell is installed on Windows Server 2008 R2 and Windows 7 onwards

psmsf is licensed with BSD License


Upstream of unicorn is Invoke-Shellcode.ps1 of the PowerShellMafia PowerSploit project

Matt blog posted on this technique in 2011

Veil-Framework’s Veil-Evasion has a similar set of payloads

@harmj0y blog posted on

Kevin Dick also wrote a decent blog post

Nishang has a collection of scripts which can create office documents such as Word, Excel, CHM and a handful of others

Metasploit had a Meterpreter script called persistence.rb

Now the exploit/windows/local/persistence module is recommended for persistence. AV picks this up on reboot though

PowerSploit has a module called Persistence

Nishang Add-Persistence.ps1 script

The Windows computer is considered to be idle if


Its source code on github

LinEnum is also very good at host reconnaissance

There are also many other options to use for providing a reverse shell

Level 3 Threat Research Labs published a blog post on this port mapper DoS attack and how it has become very popular since the beginning of August 2015

US-CERT also published an alert on UDP-Based Amplification Attacks outlining the Protocols, Bandwidth Amplification Factor, etc.

The very front page of the Exim website states “All versions of Exim previous to version 4.87 are now obsolete and everyone is very strongly recommended to upgrade to a current release.”.

Lax authentication while querying of NIS maps (easy for a compromised client to take advantage of), as well as the various daemons each having their own individual issues. Not to mention that misconfiguration of NIS or netgroups can also provide easy holes that can be exploited. NIS databases can also be easily accessed by someone who doesn’t belong on your network. How? They simply can guess the name of your NIS domain, bind their client to that domain, and run a ypcat command to get the information they are after.

FTP protocol was not designed with security in mind

By default, when a user enters their password on the authentication window, it is stored in memory and reused for all subsequent authentications during the same session.

These passwords are stored obfuscated, as the documentation puts it “stored in a manner that they can easily be recovered”.

Check the EncryptPassword function on github

Although this option exists, it is recommended against

The exploit decrypt_password consumed by the winscp metasploit module

Additional details on the cosine-security blog

This appears to use a custom implementation of the AES256 block cipher, with a hard-coded 1000 rounds of SHA1

Any attacker worth their weight will try to cover their tracks as they progress

Taking things further, an attacker may load a kernel module that modifies the readdir() call

Without visibility, an attacker can access your system(s) and alter, copy

As noted by banyan
and the morning paper

The Docker overview says: “Docker provides the ability to package and run an application in a loosely isolated environment

The Docker Registry project is an open-source server side application that lets you store and distribute Docker images

Considering these processes run as root, and have indirect access to most of the Linux Kernel

All before any security is added on top in the form of LXC, or libcontainer (now opencontainers/runc)

The first place to read for solid background on Linux kernel namespaces is the man-page

The host's mounted host-path is shared with all others that mount host-path

If you omit the host-path you can see the host path that was mounted

Further details can be found at the dockervolumes documentation

PID namespaces are hierarchically nested in ancestor-descendant relationships to a depth of up to 32 levels

The default behaviour can however be overridden to allow a container to be able to access processes within a sibling container, or the host's PID namespace

As an aside, PID namespaces give us the functionality of “suspending/resuming the set of processes in the container and migrating the container to a new host while the processes inside the container maintain the same PIDs” with a handful of commands

A UTS namespace is the set of identifiers returned by uname

When a container is created, a UTS namespace is copied (CLONE_NEWUTS is set)

When a container is created with --uts="host" a UTS namespace is inherited from the host

According to the namespaces man page: “Objects created in an IPC namespace are visible to all other processes that are members of that namespace, but are not visible to processes in other IPC namespaces.”

This behaviour can be overridden to allow a (any) container to reuse another container's or the host's message queues, semaphores, and shared memory via their IPC namespace

You can see using the command supplied from the CIS_Docker_1.13.0_Benchmark

There are currently some Docker features that are incompatible with using user namespaces

Docker engine reference provides additional details around known restrictions of user namespaces

Cgroups have been available in the Linux kernel since January 2008 (2.6.24)

According to the Linux man page for capabilities: “Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled”

Dan Walsh who is one of the experts when it comes to applying least privilege to containers, also discusses these

Open Container Initiative (OCI) runC specification

As stated on the Docker Engine security page: “One primary risk with running Docker containers is that the default set of capabilities and mounts given to a container may provide incomplete isolation, either independently, or when used in combination with kernel vulnerabilities.”

The core Unix security model which is a form of Discretionary Access Control (DAC) was inherited by Linux

The Unix DAC was designed in 1969

The first version of SecComp was merged into the Linux kernel mainline in version 2.6.12 (March 8 2005)

In order to enable SecComp for a given process, you would write a 1 to /proc/<PID>/seccomp

Then the addition of the seccomp() System call in 2014 to the kernel version 3.17 along with popular applications such as Chrome/Chromium, OpenSSH

Docker has disabled about 44 system calls in its default (seccomp) container profile

The keyctl System call was removed from the default Docker container profile after vulnerability CVE-2016-0728 was discovered, which allows privilege escalation or denial of service

These processes have indirect access to most of the Linux Kernel

Script Block Logging records and logs the original obfuscated (XOR, Base64, encryption, etc) script, transcripts, and de-obfuscated code

In most cases you will want to shadow your passwords

Crypt, crypt 3 or crypt(3) is the Unix C library function designed for password authentication

The default number of rounds has not changed in at least 9 years

The default number of rounds

The crypt 3 man page explains it all

How the rest of the substrings in this field are interpreted is determined by what is found in the id field

The salt can be augmented by prepending the rounds=<number of rounds you want, specified in /etc/pam.d/common-password>$ directive.

Consider changing to Bcrypt

Use bcrypt with slowpoke blowfish

There are a handful of files to check and/or modify in terms of disabling root logins

An alternative to the previous method

AES block cipher with either key sizes of 128, 192 or 256 bits
SSH, The Secure Shell: The Definitive Guide (book)

CAST-128/256, described in Request for Comments (RFC) 2144 as a DES-like substitution-permutation crypto algorithm
Designed in the early 1990s by Carlisle Adams and Stafford Tavares, available on a worldwide royalty-free basis
SSH, The Secure Shell: The Definitive Guide (book)

Blowfish has received a fair amount of cryptanalytic scrutiny and has proved impervious to attack so far
SSH, The Secure Shell: The Definitive Guide (book)

Twofish block cipher invented by Bruce Schneier, with the help from a few others, submitted in 1998 to the NIST as a candidate for the AES, to replace DES. It was one of the five finalists in the AES selection process out of 15 submissions. Twofish has no patents and is free for all uses. Key lengths can be 128, 192 or 256 bits. Twofish is also designed to be more flexible than Blowfish.
SSH, The Secure Shell: The Definitive Guide (book)

IDEA (Bruce Schneier in 1996 pronounced it “the best and most secure block algorithm available to the public at this time”)

Diffie-Hellman key agreement was the first public-key system published in open literature
SSH, The Secure Shell: The Definitive Guide (book)

The parties engage in an exchange of messages, at the end of which they share a secret key. It is not feasible for an eavesdropper to determine the shared secret merely from observing the exchanged messages. SSH-2 uses the DH algorithm as its required (and currently, its only defined) key-exchange method.
SSH, The Secure Shell: The Definitive Guide (book)

The MAC is the result of

Using md5 is less secure

Prior to OpenSSH 6.8 the fingerprint was provided as a hexadecimal md5 hash. Now it is displayed as base64 sha256

Consider installing and configuring denyhosts

Bitmask VPN client which does a lot more than traditional VPN clients

bitmask is sponsored by the LEAP Encryption Access Project

Set a BIOS password

The Linux File System Hierarchy (FSH)

Bind some target mounts onto existing directories

Enabling a read-only / mount

Also consider the pros and cons of increasing your shared memory

The portmap service converts RPC program numbers into TCP/IP (or UDP/IP) protocol port numbers

When a run level is entered

Portmapper returns port numbers of the server programs and rpcbind returns universal addresses

Less secure IPSec


Although Windows support is available, and easy enough to set-up, as I have done many times

Another example is using Rsync over SSH

NFSv4 pseudo-file system. This pseudo-file system is identified as a single, real file system, identified at export with the fsid=0 option.

NFSv4 has no interaction with these additional daemons

Simple Log Watcher

Use logrotate to make sure your logs will be around long enough to examine them

Rsyslog documentation

Rainer Gerhards wrote rsyslog and his blog provides many good insights into all things system logging

Simple Event Correlator (SEC)

Rainer Gerhards discusses why TCP is not as reliable as many think

Rainer Gerhards said: “In rsyslog, every action runs on its own queue and each queue can be set to buffer data if the action is not ready. Of course, you must be able to detect that the action is not ready, which means the remote server is off-line. This can be detected with plain TCP syslog and RELP”

You can aggregate log files with rsyslog or by using Papertrail's remote_syslog daemon

Alerting is available, including for inactivity of events

If you still want to go down the papertrail path, to get started, work through

We need TLS, check Papertrail's “Encrypting with TLS” docs

Simple Event Correlator (SEC)

For all your graphical event correlation, you could use LogAnalyzer

Normalisation also from Rainer could be useful

Helpful info on the differences between Sysvinit and systemd

Comparison with Upstart, systemd, Runit and even Supervisor

list of commands that PM2 provides, most of this functionality can be performed by native tools

PM2 also seems to provide logging

To enable httpok the following lines have to be placed in supervisord.conf

Community provided docs are good

Features that stand out

Ability to monitor files, directories, disks, processes, programs

Can perform emergency logrotates

File Checksum Testing

Monitoring space of file-systems

Monit provides fine grained control over who/what can access the web interface

Source and links to other documentation

Adding Monit to systemd

Release Notes

There was an accepted answer on Stack Overflow that discussed a pretty good mix and approach to using the right tools for each job

Example of the Monit install

Passenger install

Unix Philosophy

The comment around “the Unix way” is interesting

The Handle more traffic marketing material looked similar to Monit resource testing but without the detail.

Reduce maintenance

Improve security

If Monit is run as the super user, you can optionally run the program as a different user and/or group

Phusion Passenger is a commercial product

NodeJS tutorial

Documentation and support portal

Design and Architecture

User Guide Index

Nginx specific User Guide

Standalone User Guide


Passenger is advertised as offering easily viewable statistics

But it still needs to be turned on and accessible by at least localhost

If you want to receive alerts via email, then you will need to configure that

All the arguments you can throw at Monit are in the documentation under Arguments

Monit is very stable, but if for some reason it dies, then it will not be automatically restarted

Systemd NetworkTarget documentation

Useful resources that I have used
killing processes
Unix signals
Terse guide of systemd commands

Official Monit Documentation

Monit Man page

Dead Man's Snitch

Simple Event Correlator

This is where collectd and graphite come to the party

AWS CloudWatch via a plugin


Can take inputs from a collection of data sources

AWS CloudWatch

Better solution

Collectd is capable of cryptographically signing or encrypting the network traffic it transmits

Graphite has excellent official and community provided documentation

Tools that can be integrated with graphite

Graphite can take some work to deploy

ansible-graphite playbook

Graphite on a single machine

How this looks

Install, configure, and run graphite










Read plugins from the list

Sends the statistics (name actual-value timestamp-in-epoch) to Graphite's listening service called carbon

Usually to port 2003

Carbon only accepts a single value per interval, which is 10 seconds by default

DigitalOcean had a tutorial on setting Tripwire up

Similar offering to Tripwire for POSIX compliant systems

The OSSEC team

Stealth user base

The main documentation is on github

Similar docs on

Mailing list on Google Groups

Commercial Support


Package meta-data

Agent-less route

Agent-less scripts

Features in a nut-shell

Source on github

Cisecurity has an excellent resource for hardening docker images which the Docker Security team helped with

“Docker Security Scanning is available as an add-on to Docker hosted private repositories on both Docker Cloud and Docker Hub.”, you also have to opt in and pay for it

Docker Security Scanning is also now available on the new Enterprise Edition

Whether un-official or official

Docker Content Trust


DOCKER_CONTENT_TRUST environment variable must be set to 1

DOCKER_CONTENT_TRUST_SERVER must be set to the URL of the Notary server you setup

They need to generate a key pair

Notary is based on a Go implementation of The Update Framework (TUF)

An example of the NodeGoat image

The space for tooling to help find vulnerabilities in code, packages, etc within your Docker images has been noted, and tools provided

These tools should form a part of your secure and trusted build pipeline / software supply-chain

Dockerfile linter that helps you build best practice Docker images

Free and open source auditing tool for Linux/Unix based systems

Docker plugin available which allows one to audit Docker

Hashes of the CVE data sources

Collector has a pluggable, extensible architecture

Banyanops was the organisation that blogged about the high number of vulnerable packages on Docker Hub

Seen by running docker network ls

Docker network

Network drivers created by docker





nsenter command

Understand container communication

The username must exist in the /etc/passwd file, the sbin/nologin users are valid also

The UID/GID we want to remap to does not need to match the UID/GID of the username in /etc/passwd

Files will be populated with a contiguous 65536 length range of subordinate user and group Ids respectively

Check out the Docker engine reference

Check the Runtime constraints on resources

Limit a container’s resources Admin Guide for Docker Engine

By default Docker uses the cgroupfs cgroup driver to interface with the Linux kernel’s cgroups

docker stats command, which will give you a line with your container's CPU usage, Memory usage and Limit, Net I/O, Block I/O, Number of PIDs

Docker engine runtime metrics

With a little help from the CIS Docker Benchmark we can use the PIDs cgroup limit

There are several ways you can minimise your set of capabilities

First Linux kernel summit

It was decided to have the developers interested in security create a “generic interface which could be used by any security policy. The result was the Linux Security Modules (LSM)” API/framework, which provides many hooks at security critical points within the kernel

Selectable at build-time via CONFIG_DEFAULT_SECURITY

Overridden at boot-time via the security=... kernel command line argument

Most LSMs choose to extend the capabilities system, building their checks on top of the defined capability hooks.

AppArmor policies are created using the profile language

AppArmor page of Docker's Secure Engine

SELinux needs to be installed and configured on Debian

SELinux support for the Docker daemon is disabled by default and needs to be enabled

Docker daemon options can also be set within the daemon configuration file

Label confinement for the container can be configured using --security-opt

SELinux Labels for Docker consist of four parts

SELinux can be enabled in the container using setenforce 1

SELinux can operate in one of three modes

To persist on boot: In Debian

Kernel is configured with CONFIG_SECCOMP

Default seccomp profile for containers (default.json)

Apply the --tmpfs flag


containerd (daemon for Linux or Windows) is based on the Docker engine’s core container runtime

runC is the container runtime that runs containers

runC was created by the OCI

runC can be installed separately

Host independent config.json and host specific runtime.json files

You must also construct or export a root filesystem

The most common attack vectors are still attacks focussing on our weakest areas, such as people, password stealing, spear phishing, uploading and execution of web shells, compromising social media accounts, weaponised documents, and ultimately application security, as I have mentioned many times before

It is pretty clear that there are far more vulnerabilities affecting VMs than there are affecting containers

Bugs listed in the Xen CVEs

Show #7 Understanding Container Security

There are plenty of tools available to help

Snort can help with the Prevention also

Work through using the likes of
Lynis for your server
harden-surveillance for monitoring your network

Consider combining “Port Scan Attack Detector”

With fwsnort

Read up on the “Attacks and Threats”

These are some things you should consider

Safeguard your SSH access, like using ssh-cron for example


Check out the great Thinkst tools, also discussed near the end of the Network Security show I hosted for Software Engineering Radio with Haroon Meer:

IBM X-Force 2016 Cyber Security Intelligence Index provides the following information

The 2017 IBM X-Force Threat Intelligence Index provides the following information

Being commandeered by attackers to do their bidding

There are also on-line services that allow the sending of email and specifying any from address

DropboxC2C is one project

Advanced Penetration Testing by Wil Allsopp

Stub resolver

The query that the stub resolver sends to the recursive DNS resolver has a special flag called “Recursion Desired” (RD) in the DNS request header (see RFC 1035 for details)

There are 13 root server clusters from a-m, as you can see in the dig +trace output, with servers from over 380 locations

The TXT record is very flexible, useful for transferring arbitrary data, including code, commands (see section 3.3.14. TXT RDATA format of the specification)

The evolution of data exfiltration and infiltration started with OzymanDNS from Dan Kaminsky in 2004

Tadeusz Pietraszek created DNScat

Ron Bowes created the successor called dnscat2

Additional details are provided on Ron’s blog

Izhan created a howto document covering the authoritative name server set-up

An excellent resource for some of the prominent websites in New Zealand

Create a jail in FreeNAS, install OpenVPN in the jail

SyslogAppliance which is a turn-key VM for any VMware environment

SyslogAppliance is a purpose built slim Debian instance with no sshd installed

SyslogAppliance also supports TLS


Providing log analysis and alerting

There are many NTP pools you can choose from

Ntpdate has been deprecated for several years now

The standard NTP query program

The * in front of the remote means the server is getting its time successfully from the upstream NTP

See the NTP parameters

Survey of Current Network Intrusion Detection Techniques

NIDS can operate with Anomalies

Snort can be seen used in many different scenarios. Written in C, and version 3 which is supposed to be multi-threaded is still in its third alpha

1 Gbps speeds are well exceeded

SANS produced an Open Source IDS Performance Shootout document

Check the OWASP Failure to Restrict URL Access for countermeasures

Guide to authorisation

If the victim's SMTP server does not perform reverse lookups on the hostname, an email's from and reply-to fields can be successfully spoofed.

Sender Policy Framework (SPF)

Domain Keys Identified Mail (DKIM)

DKIM signature, which is comprised of a set of tag=value pairs such as d=<sending domain>, p=<public key>, and others

Block the cell phone signals, but in many countries this is illegal

Doppelganger Domains: an old trick brought back to light by Peter Kim’s research
involving Fortune 500 companies where they intercepted 20 GB of email from mistyped addresses.
Peter Kim discusses in “The Hacker PlayBook” how he set up SMTP and SSH doppelganger domains. This is an excellent book that I recommend reading.

Content Security Policy (CSP) Slide Deck from Francois Marier

Easy Reading OWASP CSP

OWASP CSP Cheat Sheet which also lists which directives are new in version 2

Evaluate the strength of a CSP policy by using the google CSP evaluator

MDN easily digestible help on using CSP

Easy, but more in-depth:

Sub-resource Integrity (SRI) W3C specification



Use helmetjs/hsts
to enforce Strict-Transport-Security in Express

Another Slide Deck from Francois Marier covering HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), Sub-resource Integrity (SRI)

MDN easily digestible help on using HSTS

Easy Reading: OWASP

IETF specification

Most browsers currently have support. IE < 10 does not. 11 has back ported support for Windows 8.1 and 7

SSLStrip2 - dns2proxy attack demonstrated at BlackHat Asia in 2014 by LeonardoNve

Stackoverflow question and answer

Questions and definitive answers by Leonardo Nve

Security stackexchange questions and answers

Good write-up on how to compromise HSTS Including NTP vector.

All of the CAs now use intermediate certificates to sign your certificate, so that they can keep their root certificate off line. Similar to what I did with GPG in my blog post

This URL is known as the Certification Revocation List (CRL) distribution point.

The next stage of the evolution was Online Certificate Status Protocol (OCSP)
which came about in 1998


You can read more about pinning on the OWASP Certificate and Public Key Pinning page
and also the specification

Details of what an OCSP request should look like can be seen in 2.1 of the OCSP specification

Details of what the OCSP response will look like can be seen in 2.2 of the OCSP specification

OCSP Stapling

You can read the specification for OCSP stapling officially known as the TLS “Certificate Status Request” extension in the TLS Extensions: Extensions Definitions


ssl labs

OCSP Must-Staple

X.509 Certificate Revocation Evolution


Most of these questions were already part of my Cloud vs In-house talk at the Saturn Architects conference

Hosting providers can be, and in many cases are, forced by governing authorities to give up your and your customers' secrets

The attack and demise of Code Spaces

Discussed this with Haroon Meer on the Network Security show I hosted for Software Engineering Radio

The default on AWS EC2 instances is to have a single user (root)



Single default AWS account root user you are given when you first sign up to AWS

Has Lambda

Has Cloud Functions

Azure has Functions

Rich Jones demonstrated what can happen if you fail at the above three points in AWS in his talk “Gone in 60 Milliseconds”

Containers are used

Billing DoS
Is a real issue

AWS Lambda will by default allow any given function a concurrent execution of 1000 per region

CIS AWS Foundations document

AWS Shared Responsibility Model


AWS also provides Virtual Private Cloud

Including Serverless

AWS also offers four different types of VPN connections to your VPC

Some of the CSPs log aggregators could be flaky for example

As usual, AWS has good documentation around what sort of log events are captured

Plethora of services you can integrate with CloudTrail

Define AWS Lambda functions

AWS CloudWatch can be used to collect and track your resource and application metrics

Make sure you have an exit and/or migration strategy planned

CSPs proprietary API based technique for migrating your data


The less you depend on your CSPs proprietary services, the less benefit you will be getting from them

EC2 Instance Store Encryption

Elastic File System (EFS) encryption

Ben Humphreys spoke about this at CHCon

AWS has a list of their compliance certificates

AWS allow customers to submit requests to penetration test

GCP does not require penetration testers to contact them before beginning testing of their GCP hosted services

Heroku are happy for you to penetration test your applications running on their PaaS

Azure allows penetration testing of your applications and services running in Azure

AWS has a bug bounty program

Heroku offer a bug bounty program

Azure offer a bug bounty program

Physical and People chapters in Fascicle 0 of this book series

I have blogged
Spoken and run workshops on the topic of testability

Liskov Substitution Principle

Docker restart policy

You need to keep a close watch on which permissions
Are assigned to policies

Enable Multi Factor Authentication

AWS DelegateManagementofMFA_policydocument template

AWS has documentation on the process

The Access Advisor tab

IAM Policy Simulator

AWS Trusted Advisor

Accessible from the Console

Have solid change control in place. AWS Config can assist with this
AWS Config continuously monitors and records

As part of the VPS and container builds, there should be specific users created

Drive a least privilege policy

Configuring a strong password policy for your users

Implement multi-factor authentication

As usual, AWS has plenty of documentation

Set-up monitoring and notifications on activity of your AWS account root user. AWS documentation explains how to do this


Also wrote a blog post on the thinkst blog

AWS EC2 for example provide auto-expire, auto-renew

Storage of Secrets

Github provides guidance on removing sensitive data from a repository

Consider using git-crypt

Temporary security credentials

Lack of knowledge, desire and a dysfunctional culture in the work place

Create a key pair using EC2
Or you can provide your own

Every user should have their own key-pair

Pleasant Password Server
Password Manager Pro

Even if it is in a group password manager. As AWS have already stated

There should be almost no reason to create an access key for the root user

Configure strong password policies

Check the Secret Backends for integrations

Docker secrets

Ansible Vault

Ansible is an Open Source

AWS Key Management Service

AWS has Parameter Store


SOLID principles

Serverless goes a long way to forcing us to write testable code

Open/closed principle

There are no maintenance windows or scheduled downtimes

Permissions Model

Snyk has a Serverless offering

AWS Lambda function access to other AWS resources

Create an IAM execution role of type AWS Service Roles

Other AWS resources access to AWS Lambda

An API key

AWS Lambda allows you to throttle the concurrent execution count

Set Cloudwatch alarms
On duration and invocations

Drive the creation of your functions the same way you would drive any other production quality code… with unit tests (TDD)

You can mock, stub, pass spies in the AWS


Centralised logging of AWS Lambda Functions

AWS Elasticsearch which may or may not be stable enough

Along with a large collection of awesome-serverless resources on github



Software Engineering Radio ran an excellent podcast on Terraform

Continuous integration

Security Monkey Monitors AWS and GCP accounts for policy changes

Simian Army tools from Netflix

Chaos Monkey
Janitor Monkey
Conformity Monkey

Amazon Inspector
Awesome AWS

Tools that can break password databases

Commonly known as the secret zero problem

Tools set-up so that they are continually auditing your infrastructure

Tunnel RDP through your SSH tunnel as I have blogged about

Documentation around setting up the bastion host in AWS

AWS provide some Best Practices for security on bastion hosts

Also discuss recording the SSH sessions that your users establish through a bastion host

Culture and techniques for bringing change in various talks
Blog posts

Web Applications

MS Application Threats and Countermeasures

OWASP has the RSnake donated seminal XSS cheat sheet
which has many tests you can use to check your vulnerability stance to XSS exploitation.

XSS attack
Good resource on what XSS actually is:

Damn Vulnerable Web Application (DVWA) from the OWASP Broken Web Applications VM

Code can be found at

NodeGoat tutorial for CSRF

Defects can range from trivial to complete system compromise

OWASP Broken Web Applications VM

Over 225 types of NoSQL data stores

The MongoDB $gt comparison operator

JavaScript eval function

JavaScript setTimeout and setInterval functions

JavaScript Function constructor

NodeGoat, provides some simple examples in the form of executable code

Tutorial with videos of exploiting Command Injection

OWASP Top 10 A10 Underprotected APIs

Attempting to create invalid XML document by injecting various XML metacharacters

XML External Entity (XXE) exploitation

Tag injections

Adam Bell also presented on the following XML Injection attack types at the OWASP New Zealand Day conference in 2017

Adam's slide-deck

XSLT Injection

XPath has no provision for commenting out tails of expressions

A query can access every part of the XML document

Blind injection is a technique used in many types of injection

OWASP XML Crawling documentation

XPath functions and XSLT specific additions to XPath

XQuery also has an extension

Called the XML Data Modification Language (DML)

Successful LDAP injection attacks

LDAP search filter metacharacters can be injected

Polish notation

LDAP true filter

Only the first filter is processed by the LDAP server

The New Zealand Intelligence Service recently told Prime Minister John Key that this was one of the 6 top threats facing New Zealand. “Cyber attack or loss of information and data, which poses financial and reputational risks.”

Before the breach, the company boasted about airtight data security but ironically, still proudly displays a graphic with the phrase “trusted security award” on its homepage.

Other notable data-store compromises were LinkedIn with 6.5 million user accounts compromised and 95% of the users' passwords cracked in days. Why so fast? Because they used simple hashing, specifically SHA-1. Details provided here on the findings.

EBay with 145 million active buyers had a small number of employee log-in credentials compromised allowing unauthorised access to eBay’s corporate network.

The OWASP Top 10 risks No. 2 Broken Authentication and Session Management

Warning against using CBC

Exemptions have been granted so that OCB can be used in software licensed under the GNU General Public License

Background on OCB from the creator

There are some very sobering statistics, also detailed in “the morning paper” by Adrian Colyer, on how many defective libraries we are depending on

What the Insecure Direct Object References risk looks like in the NodeGoat web application
Check out the tutorial

the winston-syslog-posix package was inspired by blargh

There were also some other options for those using Papertrail as their off-site syslog and aggregation PaaS:

Monit has excellent short documentation

Statsd then aggregates the statistics and flushes a single value for each statistic to its backends

The flushInterval needs to be the same as the retentions interval in the Carbon /etc/carbon/storage-schemas.conf file

Statistic is only being sampled 1/10th of the time

Statsd does quite a lot of work with timing data

Want to know if those changes are slowing it down

Like your car's fuel gauge

Sets allow you to send the number of unique occurrences of events between flushes


The server file must exist in the ./servers/ directory

statsd clients

Each Custom Element

Has a corresponding HTML Import

That provides the definition of the Custom Element

We have the webcomponents.js set of polyfills which means we can all use WebComponents

Custom Element authors can also expose Custom CSS properties that they think consumers may want to apply values to

Custom CSS mixin

This is done using the CSS @apply rule

Polymer also has a large collection of Custom Elements already created for you out of the box

Some of these Custom Elements are perfect for constraining and providing validation and filtering of input types, credit card details for example

Excellent resource for dealing with user input based on the execution contexts that it passes through


To enable this CSRF middleware, simply uncomment the CSRF fix in the NodeGoat server.js file

Play with all this at

Improve performance by 20 to 30 percent

OWASP SQLi Prevention Cheat Sheet



MongoDB attempts to address injection by using Binary JSON (BSON)

MongoDB docs say

Untrusted data should never be inserted to eval, setTimeout, setInterval or as the last argument to Function

It is generally not good practice to use the Function constructor anyway

Written about this on several occasions

Minimal countermeasure example

use strict

MDN provides details of how it helps secure your JavaScript environment

XML Schemas

XML External Entity (XXE) Prevention Cheat Sheet

All mitigations discussed

OWASP XPath Injection Defences

For each semantic type of untrusted data, for any characters that pass the white list validation, define filters, and sanitise all of the following validated characters

Hackers halfway across the world might know your password, but they don’t know who your friends are

helping to digitise text for The New York Times and Google Books

Disqus tracks users' activities from hosting website to website whether you have an account, are logged in or not.

Any information they collect such as IP address, web browser details, installed add-ons, referring pages and exit links may be disclosed to any third party.

His (Matt Mullenweg) first attempt was a JavaScript plugin which modified the comment form and hid fields, but within hours of launching it, spammers downloaded it, figured out how it worked, and bypassed it. This is a common pitfall for anti-spam plugins: once they get traction

Given the fact that many clients count on conversions to make money, not receiving 3.2% of those conversions could put a dent in sales. Personally, I would rather sort through a few SPAM conversions instead of losing out on possible income.

Spam is not the user’s problem; it is the problem of the business that is providing the website. It is arrogant and lazy to try and push the problem onto a website’s visitors.

According to studies, captchas just do not cut it

If you have some CSS that hides a form field and especially if the CSS is not inline on the same page, they will usually fail at realising that the field is not supposed to be visible.

The Offensive Web Testing Framework (OWTF) also has a plugin for testing captchas. While you are at it, check out the OWTF. It’s a very useful tool for penetration testers and developers testing their own work, focussed on making the process of penetration testing efficient with time. The main documentation is here.

The function used to protect stored credentials should balance attacker and defender verification. The defender needs an acceptable response time for verification of users’ credentials during peak use. However, the time required to map <credential> -> <protected form> must remain beyond threats’ hardware (GPU, FPGA) and technique (dictionary-based, brute force, etc) capabilities:

You may read in many places that having data-store passwords and other types of secrets in configuration files in clear text is an insecurity that must be addressed

There is a specific file loading order

Custom environment variables

Use a SqlServer connection string with Trusted_Connection=yes

Metasploit's hashdump

Also discussed in my “0wn1ng The Web” presentation

Encrypt sections of a web, executable, machine-level, application-level or configuration files with Aspnet_regiis.exe:
SQL Authentication
Windows Authentication

Mimikatz will force an export from the key container to a .pvk file, which can then be read using OpenSSL or tools from the Mono.Security assembly.

Credential Guard

vSentry protects desktops without requiring patches or updates, defeating and automatically discarding all known and unknown malware, and eliminating the need for costly remediation.

Every user task is isolated into its own micro-VM

vSentry empowers users to access whatever information they need from any network, application or website, without risk to the enterprise

Traditional security solutions rely on detection and often fail to block targeted attacks which use unknown “zero day” exploits. Bromium uses hardware enforced isolation to stop even “undetectable” attacks without disrupting the user.


With Bromium micro-virtualization, we now have an answer: A desktop that is utterly secure and a joy to use


Remind your customers to always use unique passwords that are made up of alphanumeric, upper-case, lower-case and special characters

“Using four AMD Radeon HD6990 graphics cards, I am able to make about 15.5 billion guesses per second using the SHA-1 algorithm.” Per Thorsheim


bcrypt, which uses the Eksblowfish cipher, designed specifically for bcrypt from the Blowfish cipher to be very slow to initiate, thus boosting protection against dictionary attacks, which were often run on custom Application-specific Integrated Circuits (ASICs) with low gate counts.

far greater memory required for each hash, small and frequent pseudo-random memory accesses, making it harder to cache the data into faster memory.

bcrypt brute-forcing is becoming more accessible due to easily obtainable cheap hardware.

Xeon Phi

ZedBoard / Zynq 7020



Resource Owner Password Credentials

Resource Owner Password Credentials Grant

Security Considerations

Flows are detailed in the OAuth 2.0 and OpenID Connect specifications

Reference for front-end, JWT for back-end it is on the road map

MembershipReboot is a user identity management library with a similar name to the ASP.NET Membership Provider, inspired by it due to frustrations that Brock Allen (MembershipReboot creator) had from it

Going down the path of MembershipReboot and IdentityServer3.MembershipReboot

Customise, out of the box. All you need to do is add the properties you require to the already provided CustomUser

Security focussed configuration

Password storage is addressed

0 means to automatically calculate the number based on the OWASP recommendations for the current year

The good, the bad and the ugly of ASP.NET Identity

Community provided OWIN OAuth middleware providers

MembershipReboot supports adding secret questions and answers along with the ability to update user account details. Details on how this can be done are in the sample code kindly provided by Brock Allen and documentation on their GitHub wiki

Set the Secure attribute

OWASP Session Management Cheat Sheet

Dibbe Edwards discusses some excellent initiatives on how they do it at IBM

There is an excellent paper by the SANS Institute on Security Concerns in Using Open Source Software for Enterprise Requirements that is well worth a read. It confirms what the likes of IBM are doing in regards to their consumption of free and open source libraries

As a developer, you are responsible for what you install and consume

The official way to install NodeJS. Do not do this.

Check to see if any package has hooks that will run scripts

Can define scripts to be run on specific NPM hooks:

People often mistype what they want to install

For NodeJS developers: keep your eye on the nodesecurity advisories

There is an NPM package that can help us with this called precommit-hook which installs the git pre-commit

To install RetireJS locally to your project and run as a git precommit-hook

RequireSafe provides intentful auditing as a stream of intel for bithound

The Web Crypto API supported algorithms for Chromium (as of version 46) and Mozilla (as of July 2016)

Insecure Direct Object References was part of the OWASP Top 10 in 2013, which in 2017 was merged into Insufficient Attack Protection