Security for Web Developers: 02: What Determines Your Website’s Security?


Relatively speaking, your security is:

  • Higher if you hold little or no financial information, or have few network resources,
  • Higher if your server is vigorously patched and correctly configured,
  • Higher if your code is built to high standards and
  • Higher if the network connecting your site to the Internet has tight permissions.

You can employ formal measurement metrics, like this one from ISACA: http://www.isaca.org/Journal/archives/2011/Volume-4/Pages/Measure-and-Monitor-Application-Security.aspx

Or you can employ an “alternative” methodology like this one from White Hat Security: https://www.whitehatsec.com/blog/if-you-want-to-improve-something-measure-it/

Next: https://schoolforhackers.com/security-web-developers-makes-website-insecure/

Security for Web Developers: 01


With Glenn Norman

Get a basic understanding of how servers and security play a key role in the overall functioning of websites. This course will introduce you to the concepts of building and storing content, from the basic programming of a website to its design elements, and to ways of keeping your website and your users safe in the sometimes dangerous world of the Internet.

Objectives

You will learn to recognize the risk factors your particular web applications face, and how to determine the specific vulnerabilities within your site, app and code.

You will try out some of the web-app security-testing tools that will be used against you. Often these will identify the most obvious vulnerabilities you should address.

Then we will discuss the most common code and configuration issues, as well as plugins and services for monitoring your site.

Next: https://schoolforhackers.com/determines-websites-security/

Get Certified! Pearson’s A+ Video Courses: A Serious Alternative to Classroom Training

Glenn Norman

Video training has become a really big business. I’m a classroom teacher myself, and teach the A+ certification and several others, so the question of whether video training can replace classroom time is pretty personal, and I come at it a little skeptically. I’ve endured some truly painful online and video training courses, and I’m betting my gentle reader has too. Do they have to be awful? Or can they truly be good enough to replace “live” teachers? And more important, are they a good bargain relative to live classes?

No, they don’t have to be awful. Some are definitely better than others. Twenty years ago the user interfaces were mish-mashes, a situation that has hugely improved. Today they’ve almost all settled toward uniform layouts, which honestly improves the user experience across the board. It’s great to have a course outline with links to lessons down one side of the workspace or the other, for instance. Live classes often have a separate area for text material and another column for chat. Sometimes there’s a panel for downloadable materials, and sometimes all of these are wrapped up in one tabbed column (my favorite). What really matters is, which of these elements are included in a given course? And far more critical, how good is the actual presentation material?

In this case the material is quite good. The video pane alternates between Powerpoint-like slides, detailed video close-ups of hardware and actual assembly, and the presenter (whom I presume is David Prowse himself) talking and using a white board. This last is kind of classroom-like, complete with quick-and-dirty sketches. David has a good physical presence and a good speaking voice, so it works well. The frequent change of visual layout keeps things interesting, which is critical for recorded trainings. And the level of detail is really quite good; at 20+ hours for the 901 video course and 40+ for both 901 and 902, it’s close to the number of hours most live classes will run. That’s a lot of material, but in small chunks running about five minutes each. This is a popular format length these days: most students like being able to “drop in” to the course when they have some free time without making an hour-long commitment. Plus, it’s not so painful if you have to repeat a lecture. Personally, I find myself reluctant to start hour-long lessons online, but I can devour a five-minute video almost any time.

Lessons consist of Learning Objectives, lectures, Performance Based Exercises (very much like the ones you’ll find on the actual test) and PC Build demonstrations. The Learning Objectives aren’t a boring list of topics; instead, David gives a brief but much more informative talk about the lesson. Some Performance Based Exercises are classic drag-and-drop matching tasks, but some require you to demonstrate actual familiarity with Windows by, for instance, setting a static IP address, which is a highly relevant skill. The overall high-quality video production really shines in the PC Build walkthroughs, though these may be most useful for less experienced students. Modules are collections of Lessons, and include Module Quizzes (again, very similar to actual test questions). Most textbooks in this area include at least a couple of sample tests, whether on CD or by download. With this package you get a series of Module Quizzes, which as I’ve mentioned are pretty good, but you don’t get formal timed sample exams.

Can really hi-res video of motherboards and RAM and video cards replace the hands-on, pass-it-around of a live class? Put simply, yes, provided you’re already familiar with these things. But no, not if you’ve never handled them. How should you hold a stick of RAM? What part(s) should you never touch? If you picked up a module in a job interview would you be comfortable holding it? If these questions just make you laugh, you’re a good candidate for this course.

There were a couple of things I missed in the user interface package. There are no Supplementary Materials, which is a pretty small issue in a really complete package like this one, though I’ve run into some really valuable supplementary handouts from time to time. But the lack of student-teacher interaction might be a more serious issue. This is obviously the primary benefit of a live classroom or online class: you can say, Wait, I’m stuck on this, or I can’t make that work, or Mine doesn’t look like that. I’ve seen the chat window fill with questions, and I’ve found some of the most valuable material there when an instructor is provoked to a deeper explanation.

Some of the online course platforms use a hybrid method, where the course is recorded but the chat function is always available (and teachers are expected to respond to inquiries, even months or years later). Given the model of this video courseware, that’s not practical here. But this lack does take the course another big step away from the live classroom.

What really matters here is, can you take this video course and pass the A+ exam? There’s never a certain answer to that, because so much depends on the experience you bring. Some people are really successful at passing certification tests simply by reading a book or two; those people usually are already familiar with the topic and have advanced study skills. Most of us need more. If you can’t take a classroom course where you live, a video course is a very good alternative, at least if the course itself is high-quality, though I’d recommend spending some serious hands-on time with real hardware. The past few years have seen courses like this one dramatically improve, and at this point they’re certainly a viable alternative, especially if you’re relatively disciplined about your study – and like learning from videos rather than books.

Now for brass tacks: you can take two live courses for the 901 and 902 tests, with textbooks and test vouchers included, for about $2000 depending on your area. These two video courses list as a $499 package as I write this, much more expensive than a textbook and not including the tests, which will run you another $450. You could buy a text and some sample tests and spend barely more than half the price of classroom courses. If you’ve already got some experience with PCs, this could be a real steal for you.

Pearson IT Certification CompTIA A+ 220-901 Complete Video Course – January 22, 2016

By David L. Prowse

ISBN-13: 978-0-13-449930-7 / ISBN-10: 0-13-449930-1

Also see

Pearson IT Certification’s CompTIA A+ 220-901 and 220-902 Complete Video Course Library – April 18, 2016

Tech and Gamer Gear Galore: Massdrop

Daniel Clarke

Massdrop (www.massdrop.com) is a group-buy website located out of New Jersey where people commit to buying a product. Once enough people commit to buying the product, the price begins to drop. After the drop has ended, Massdrop will place an order with the manufacturer. Massdrop has several different “communities” that it uses to list like products in the same area. A few of these communities include: Everyday Carry for knives and useful tools that you can keep in your pocket, Audiophile to suit your listening needs, and Tech for gadgets like a Raspberry Pi or other devices. Those are just a few of the (currently) 13 communities that Massdrop has to offer.

As an example, we’ll look at the DXRacer OH/IS11 Iron Series Chair. The drop can be located at https://www.massdrop.com/buy/dxracer-oh-is11-iron-series-chair. You’ll need to authenticate with Facebook or create an account using an email address; we suggest anonymizing services like Mailinator.com.

Each product has different requirements for the total number of people needed in order to get the discounted price. When the chair first “dropped” or came available for purchase, it was listed for $399.99. As more people purchase the chair, the price drops by $10 with every five people until it reaches the lowest price available of $369.99.

Stages of a Drop

If you are interested in the product but only want it if it reaches the maximum discount, you can commit to buy the product at the lowest price. To compare the requirements for purchase, we will look at some GMK QMX-Clip Sound Dampening Brackets (located at https://www.massdrop.com/buy/gmk-sound-dampening-brackets).

Stages of a Drop: 2

These brackets are used to dampen the sound coming from a mechanical keyboard and are much cheaper than the chair. In order for it to be cost effective for both Massdrop and GMK, more people need to purchase the clips in order to justify a group-buy discount. In this case, at least 50 people are needed to get a discount with 100 people needed to reach the maximum discount.

Now, before you rush onto the site and place a bunch of orders, there are a few issues to understand about Massdrop.

One major complaint is the amount of time that it takes to receive a package. For example, I ordered a wicked set of keycaps on September 30, 2015 (https://www.massdrop.com/buy/danger-zone-sa-keycap-set). The keycaps (I know, they’re badass, huh?) didn’t arrive until February 17, 2016. Four and a half months is almost unheard of to wait for a product to reach you, especially when Amazon Prime will ship me something in 2 days. One reason is that it was a custom set of keycaps that was made specifically for those who purchased it from Massdrop. The other reason is that your order doesn’t drop-ship directly to your door. The manufacturer sends the entire order to Massdrop, who then sorts the order and ships it to the customer. I have since purchased other products from Massdrop, and both of those orders took about three weeks.

Another major complaint that I have seen, especially recently, is that for products that are not custom made (think knives, chairs, headphones, etc.) it is possible to find the exact same or very similar product for the same price (give or take $5-10) on a major online retailer like Amazon or eBay. In that case, is it worth a few dollars extra to have your product within a week, or are you ok waiting significantly longer to receive it from Massdrop?

Nevertheless, I have used and will continue to use Massdrop.com and watch for new drops that happen daily. If I feel that it is a good deal, I will do my research to make sure that I cannot find the same product for cheaper elsewhere, and if I can’t, I will buy from Massdrop. As a price-conscious consumer, it would be unwise to do differently. As a techie, how can I help myself?

[Daniel Clark is an up-and-coming IT and security consultant in Albuquerque, NM, USA. This is his first contribution to School for Hackers, with more articles on technology and related goodies to come.]

Hacking Tips from the Article, “How To Not Get Hacked, According To Expert Hackers”


TV personality Kevin Roose asked for it, and he got it. He wanted to research how people get hacked, so he decided to invite some prominent hackers to hack him. And hack him they did, cracking into everything from his webcam (pictures every two minutes) to all his online accounts (including banks).
Personally, I wouldn’t do this. It’s all too apparent, to the hack-literate, how people get hacked; the harder part is figuring out how NOT to.
Some of the solutions he proposes are familiar, like using a password manager, which is unfortunately a sword sharp on both sides. Others were new to me: have you heard of an app called Little Snitch? It monitors your outgoing traffic for suspicious activity. (Why is my computer uploading my credit card statements to China?)
And some “solutions” are as effective for the cracker as for the person trying to protect themselves: using a VPN, for instance. You’ll see more on that subject in this space going forward.
In the meantime, give this article a look, prospective crackers, hackers and security professionals.
(Image courtesy of User:Colin at wikimedia.org)

Are you that nice, or do you care about security?

When your neighbor sees the hotspot you broadcast, the very first thought he has is “Oh, look at that, I’ve got my neighbor’s wifi; with luck I might get access,” and click!
So what are you up to? Are you so nice that you let everyone access your wifi, or do you want privacy, or to share only with specific people? If you care about network security, you are better off keeping it away from the public. Keep in mind that not everyone who comes onto your network just wants to use the internet access you shared.
In the movie Cinderella, the King held a party for the prince to choose the girl he loved, and the royal invitation said “Every maiden in the town is invited to the party,” even though the one the prince actually awaited was Cinderella. Unfortunately, Cinderella’s step-sisters and step-mother enjoyed the party too. Then the step-mother eavesdropped on the Royal Guard’s conversations, and shortly afterwards she blackmailed the Royal Guard. So we could consider that everyone who enjoyed the party was there not only to enjoy the party, but to dig for their own advantage.
Right away, min mg mg stepped out of the moment he was in at the movie and said, “Grandpa, we should maintain protection on our wifi; we had better not give access to everyone.” And the grandpa said, “Protection? Does it make sense if I keep this inside my iron cabinet?” “No, it doesn’t make any sense; we have to keep it outside so we can access it from your smart phone and my laptop, to share the internet access, but not with others,” min mg mg said. “Look, here are many protection options to protect against most attacks, and firewall settings as well,” he said, getting access to his small-business wifi access device via a browser. And he continued, “Here are the options: WEP, WPA, WPA2.” “What the heaven?” Grandpa responded. The grandson said, “Chill out, I’ll break it down for you, grandpa. WEP is Wired Equivalent Privacy, the security algorithm for IEEE 802.11. It was recognizable by its key of 10 (or) 16 hexadecimal digits. Its primary encryption method is this: the encrypted cipher text is generated by XORing (Exclusive OR gate) the plaintext with the keystream, which RC4, the encryption algorithm (cipher), produces from the combination of the (IV) Initialization Vector and the key. It was 64-bit encryption, increased to 128-bit, yet the Wi-Fi Alliance announced that WEP had been superseded by WPA in 2003. So the immediate question is, what is WPA? WPA is Wi-Fi Protected Access, IEEE 802.11i, sometimes referred to as the draft standard IEEE 802.11. It was anticipated to become a yet more secure, more complex WPA2. WPA2 was started in 2004. WEP provided data confidentiality comparable to a traditional wired network, and WPA was developed by the Wi-Fi Alliance to protect wireless computer networks. WPA-PSK (Pre-Shared Key) is the common WPA configuration, using 256-bit key encryption. And it is associated with a system called the message integrity check, which also determines whether an attacker has captured or altered packets passed between the access point and the client.
The most significant change between WPA and WPA2 is that the Advanced Encryption Standard (AES) must be used.” And Grandpa spilled his guts and said, “Just go ahead and do your thing, oh my, headache, headache,” and he went on, “so, use WPA, the more secure one.” He looks like he slightly got the point. Of course, having a bright grandson like min mg mg is gratifying.
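The WEP scheme the grandson describes, RC4 keyed with the IV and the shared key and its keystream XORed with the plaintext, as an added worked example in Python. This is not code from the original post or from School for Hackers; it also includes WEP’s CRC-32 integrity check value, the 24-bit IV and the 40-bit and 104-bit key sizes from the 802.11 standard, and the key, IV and message are constructed sample values.

```python
# Added example (not from the School for Hackers post): a minimal model of
# WEP frame encryption as described in the dialogue, RC4 keyed with IV || key
# and the keystream XORed with the plaintext. Illustration only; a real
# 802.11 stack frames and transmits this differently.
import zlib

IV_LEN = 3  # WEP initialization vector: 24 bits, transmitted in the clear


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the 'exclusive OR gate' step)."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_key_from_hex(hex_digits: str) -> bytes:
    """Parse a WEP key as typed into an access point.

    10 hex digits -> 40-bit key ("64-bit WEP" once the 24-bit IV is counted),
    26 hex digits -> 104-bit key ("128-bit WEP").
    """
    if len(hex_digits) not in (10, 26):
        raise ValueError("WEP keys are 10 or 26 hex digits")
    return bytes.fromhex(hex_digits)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt one frame body: IV || RC4(IV || key) XOR (plaintext || CRC-32 ICV)."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 3 bytes")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")  # integrity check value
    body = plaintext + icv
    keystream = rc4_keystream(iv + key, len(body))
    return iv + xor_bytes(body, keystream)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Reverse wep_encrypt and verify the ICV; raise if it does not match."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    keystream = rc4_keystream(iv + key, len(body))
    data = xor_bytes(body, keystream)
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return plaintext


if __name__ == "__main__":
    key = wep_key_from_hex("0123456789")   # constructed 40-bit sample key
    iv = bytes.fromhex("a1b2c3")            # constructed sample IV
    frame = wep_encrypt(key, iv, b"hello grandpa")
    print(frame.hex())                      # first three bytes are the IV
    print(wep_decrypt(key, frame))
```

Run it and the printed frame begins with the IV in the clear, which is exactly what this scheme sends over the air; changing any byte of the ciphertext makes wep_decrypt raise on the ICV check. None of this is a reason to configure WEP today: as the dialogue says, it was superseded by WPA in 2003, and WPA2 with AES is the setting to pick on the access point.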
Young people have intelligent capabilities. We should enable them to implement their imaginations. Rather than teaching them how to do things, what we can do and what will come next are the real needs. If you keep blocking their inspirations by any means, they won’t be able to realize “why,” much less achieve great intelligence. That’s what Hacker High School is going for: they intend for youths to become great by doing great things with great humility. In our environment, likewise, we need someone like min mg mg to help us understand technologies well, at least well enough to buy technology products at a fair price.
Well, now min mg mg is getting busy for a school conference. He is working on a presentation, based on a real-world scamming matter, to present. “The Scammed IT Guy” is the title he just gave it.

Social Engineering


“Social Engineering can be described, in short, as psychological manipulation, a legitimate lie; but yelling ‘Fire!’ in a crowded movie theater or in public is unlawful.”

“Yes, this is definitely an attack vector; it relies almost entirely on human interaction. It often involves tricking people, indirectly prompting people to spill their guts, and taking advantage of their crush or their craziness. Let’s talk social engineering,” Min Mg Mg said to Grandpa.

“This is a con game. For instance, an attacker pretends to be a co-worker who has some kind of urgent problem that requires access to the office, and asks his/her colleague to let him/her in,” he continued. “That’s cheating. What’s the difference from a liar?” Grandpa asked.

“Unlike a liar, it’s more than lying; it is about getting what you want indirectly, because it is gentle. Ok, I’ll give you a remarkable example. In the film “Catch Me If You Can” there are a lot of social engineering topics. Frank Sr. asked Frank Jr., “You know why the Yankees always win, Frank?” and Frank Jr. answered, “Because they have Mickey Mantle.” Frank Sr. said, “No, because the other teams can’t stop staring at the pinstripes.”

The next notable example is from the time Frank Jr. started his business. He needed a PAN AM airline pilot’s uniform to successfully pass as a PAN AM pilot. So he called PAN AM airline.

Receptionist: Pan Am, may I help you?

FRANK: Yeah, hello. I’m calling about a uniform.

Receptionist: Hold for Purchasing.

FRANK: Thank you.

WOMAN: Purchasing.

FRANK (Southern accent): Hi. I’m a copilot based out of San Francisco. I flew a flight into New York last night but I’m headed out to, uh, Paris in three hours. The problem is, I sent my uniform to be cleaned through the hotel and I… I guess they must have lost it.

WOMAN: They lost a uniform. It happens all the time. Don’t worry; go down to the Well-Built Uniform Company at Ninth and Broadway. They’re our uniform supplier. I’ll tell Mr. Rosen you’re coming.

So, in the event, he could get PAN AM’s uniform. That’s one of the social engineering methods, grandpa. Frank is a confidence man. Of course, that (being a con man) is a very important skill that a social engineer needs,” Min Mg Mg explained to Grandpa.

“Frank Abagnale was one of the most famous back then. And Kevin Mitnick, who is very famous among people who love and study computer hacking and security awareness. I’d love to talk about some well-known methods of social engineering,” Min Mg Mg said as he opened a presentation file.

“Popular types of social engineering attacks”…..