🕘 Day of Shecurity 2018

Jun 16, 2018

Agenda

  • 9:30-12 Burp Suite Workshop
  • 12-1 Lunch
  • ?? - Robert Fly, Nicole Fish - Oh, the Humanity: Using Behavioral Science To Improve Security
  • 3:30-4:15pm Heather Eggers: How to Communicate Information Security Risks and Drive Meaningful Action


Keynote

Deidre Diamond - CyberSN/Brainbabe, Vijaya Kaza - Lookout, Astha Singhal - OWASP
  • Lookout report on exposed data, including phone numbers, names, addresses, bank passcodes, PINs, how many times each contact was dialed, and when each contact was last called.
  • “We’re dealing with cyberwars amongst nations”


Burp Suite Workshop

Jason Haddix (@Jhaddix)
  • Don’t leak your creds. If you use Chrome for your day-to-day, make sure you have a separate Chrome profile for testing, or use a different browser, so your real sessions and saved credentials never pass through the proxy.
  • Useful Chrome extensions
    • LinkClump - right-click and drag a selection box over a region of the page to open (or copy) every link inside it at once
      • good for “spidering” pages
      • copy and paste a bunch of links at once

Scoping
  • You can scope requests via Target → Scope, entering regex/keywords so only specific domains are targeted
  • The filter ribbon lets you define which requests appear in the HTTP history (e.g. only in-scope items)
  • The context menu on a request offers several Send To actions
    • Send to Intruder
    • Send to Repeater
      • lets you manipulate a request and replay it
  • It’s more useful to sort requests in descending order so the most recent are at the top.


Spidering
  • Lets you crawl a site deliberately and find pages that aren’t evident at first glance (basically builds a full site map)
  • Can even attempt to log in or submit anything that looks like a form
  • You can set how many links deep to crawl
  • You should turn off automatic form submission and passive spidering as you browse (it’s disruptive to your workflow, and an automatic form submission can hit actions you didn’t intend, like a logout or delete).
  • You may also want to throttle requests to avoid getting banned.
  • Captchas can be tricky - image-selection ones can’t be bypassed automatically.
  • You can use Burp to request a list of common words like admin to find pages (Content Discovery) that aren’t linked from anywhere on the site.


Content Discovery
  • dirsearch is actually a better tool for this. It’s the CLI equivalent.
    • has a better short wordlist for discovery
    • will do a full dump of the files and directories it finds into a site map
    • may knock a site over if it can’t handle the request volume, so throttle it
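A throttled wordlist probe of the kind the spidering and content-discovery notes above describe, written as an added example for these notes (it is not Burp’s or dirsearch’s code). It starts a constructed local HTTP target so it runs offline; the wordlist, the paths the target serves and their status codes are all constructed for illustration, and the delay between requests is the throttle the notes recommend. Redirects are deliberately not followed, because a `301` to `/dir/` is itself the evidence that `/dir` exists.

```python
"""Wordlist content discovery against a throwaway local target (added example)."""
import http.server
import socketserver
import threading
import time
import urllib.error
import urllib.request

# Constructed sample wordlist; a real run would use SecLists, fuzzdb or Burp's lists.
WORDLIST = ["admin", "backup", "login", "robots.txt", "config", "uploads", "xyzzy"]

# Constructed paths the fake target serves: path -> (status, extra headers, body).
KNOWN_PATHS = {
    "/admin": (200, {}, b"admin panel"),
    "/backup": (403, {}, b"forbidden"),             # exists but access-controlled: still report it
    "/robots.txt": (200, {}, b"User-agent: *\n"),
    "/uploads": (301, {"Location": "/uploads/"}, b""),  # directory redirect: exists
}


class FakeTarget(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = KNOWN_PATHS.get(self.path, (404, {}, b"not found"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_target():
    """Start the constructed target on an ephemeral port; returns (base_url, server)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeTarget)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(url):
    """Return the HTTP status for url; 3xx/4xx/5xx are data here, not errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "content-discovery-example"})
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def discover(base_url, words, delay=0.05, interesting=(200, 301, 302, 401, 403)):
    """Probe base_url/<word> for each word, sleeping `delay` seconds between requests.

    The sleep is the throttle the workshop recommends so the target neither bans
    you nor falls over. Returns {path: status} for statuses in `interesting`;
    plain 404s are dropped as noise.
    """
    found = {}
    for word in words:
        path = "/" + word
        status = probe(base_url + path)
        if status in interesting:
            found[path] = status
        time.sleep(delay)
    return found


if __name__ == "__main__":
    base, srv = start_target()
    try:
        for path, status in discover(base, WORDLIST).items():
            print(f"{status} {path}")
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real target you would swap `WORDLIST` for a proper list and raise `delay` until the server stops rate-limiting you; the `interesting` tuple is where you tune out a site that answers `200` for everything.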


Intruder
  • Probably the most useful tool in Burp.
  • Lets you load payloads and brute-force them into different positions in a request
  • Attack types:
    • Sniper - one payload set; each marked position is fuzzed in turn while the others keep their original value
    • Battering ram - one payload set; the same payload is placed into every marked position at once
    • Pitchfork - one payload set per position, advanced in lock-step (payload 1 of each set together, then payload 2 of each set, and so on)
  • Snipe common short directory names to do manual content discovery with GET requests
  • Burp Pro includes general fuzzing lists for usernames, directories, passwords, etc. that have been aggregated from real web bugs.
  • SecLists is the open-source resource for these lists for the poor man’s scanning toolbelt
  • fuzzdb is a better option
  • Each request has at least 13 injection points you can fuzz, like the HTTP method, the Referer header, and Content-Type
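The attack types above as generators, an added example written for these notes (not Burp’s code). The request template, the `§…§` position markers (the way Intruder displays them) and the payload sets are constructed; cluster bomb, the fourth Intruder type not listed in the notes, is included for completeness because it is the one that pairs up every username with every password.

```python
"""Burp Intruder attack types as generators over a marked request (added example)."""
import itertools
import re

# Intruder marks a payload position as §baseline§; the baseline is the original value.
MARKER = re.compile(r"§([^§]*)§")

# Constructed login request with two positions.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=§alice§&pass=§secret§"
)
USERS = ["alice", "bob", "carol"]          # constructed payload set 1
PASSWORDS = ["secret", "letmein"]          # constructed payload set 2


def split_template(template):
    """'a§x§b§y§c' -> static parts ['a', 'b', 'c'] and baselines ['x', 'y']."""
    parts = MARKER.split(template)  # captured baselines land in the odd slots
    return parts[0::2], parts[1::2]


def render(static, values):
    """Interleave static parts with one value per position."""
    out = [static[0]]
    for value, piece in zip(values, static[1:]):
        out.append(value)
        out.append(piece)
    return "".join(out)


def attack(template, payload_sets, mode):
    """Yield every request Intruder would send for the given attack type."""
    static, baselines = split_template(template)
    n = len(baselines)
    if mode == "sniper":
        # One set; fuzz each position in turn, others keep their baseline.
        for pos in range(n):
            for p in payload_sets[0]:
                values = list(baselines)
                values[pos] = p
                yield render(static, values)
    elif mode == "battering_ram":
        # One set; the same payload goes into every position at once.
        for p in payload_sets[0]:
            yield render(static, [p] * n)
    elif mode in ("pitchfork", "cluster_bomb"):
        if len(payload_sets) != n:
            raise ValueError(f"{mode} needs one payload set per position ({n})")
        # Pitchfork: sets advance in lock-step (stops at the shortest set).
        # Cluster bomb: every combination (cartesian product).
        combos = zip(*payload_sets) if mode == "pitchfork" else itertools.product(*payload_sets)
        for combo in combos:
            yield render(static, list(combo))
    else:
        raise ValueError(f"unknown attack type {mode!r}")


def request_count(template, payload_sets, mode):
    """How many requests an attack will send; useful before you hit a throttled target."""
    return sum(1 for _ in attack(template, payload_sets, mode))


if __name__ == "__main__":
    for mode, sets in [("sniper", [USERS]), ("battering_ram", [USERS]),
                       ("pitchfork", [USERS, PASSWORDS]), ("cluster_bomb", [USERS, PASSWORDS])]:
        print(f"== {mode}: {request_count(TEMPLATE, sets, mode)} requests")
        for req in attack(TEMPLATE, sets, mode):
            print("  " + req.rsplit("\r\n", 1)[1])
```

The `request_count` check is the thing to run first: cluster bomb is a product of the set sizes, and with real wordlists that is where you accidentally send a hundred thousand login attempts at a target that locks accounts after five.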


Automated Scanning
  • Burp is a cost-effective solution for automated web app vulnerability scanning. Most professionals who pay for $30k+ tools just haven’t set up Burp correctly.

Useful Labs/Exercises


Sequencer
  • Lets you test a session cookie or token for randomness. Using live capture you make the same request over and over (each response issues a new token) and Sequencer analyzes the entropy of the collected tokens, per character position and overall.
  • Burp’s Decoder can encode/decode data (URL, HTML, Base64, hex) and compute common hashes (MD5, SHA-1, SHA-256); it does not reverse hashes.
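A Sequencer-style entropy estimate, as an added example (it is not Burp’s analysis code). Both token generators are constructed for illustration: a counter padded to 16 hex characters, which looks random at a glance but barely changes, and 16 hex characters from the OS CSPRNG. The per-position Shannon entropy is what exposes the difference.

```python
"""Per-position entropy of captured session tokens, Sequencer-style (added example)."""
import math
import secrets
from collections import Counter


def weak_token(i):
    """Constructed weak token: a counter padded to 16 hex chars. Only the low digits move."""
    return f"{i:016x}"


def strong_token(_i=None):
    """16 hex chars (64 bits) from the OS CSPRNG."""
    return secrets.token_hex(8)


def capture(generator, count=4096):
    """Simulate a live capture: request `count` fresh tokens."""
    return [generator(i) for i in range(count)]


def position_entropy(tokens, pos):
    """Shannon entropy, in bits, of the character at index `pos` across all tokens."""
    counts = Counter(t[pos] for t in tokens)
    n = len(tokens)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def token_entropy(tokens):
    """Sum of per-position entropies.

    Subadditivity makes this an upper bound on the tokens' joint entropy, so a
    low number here is damning; a high one still needs the cross-position checks
    Sequencer runs. Also capped by log2(sample count) per position, so capture
    enough tokens before trusting the figure.
    """
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must be fixed-length")
    return sum(position_entropy(tokens, i) for i in range(length))


def report(tokens):
    """Return (total_bits, [bits per position]) for a capture."""
    per_pos = [position_entropy(tokens, i) for i in range(len(tokens[0]))]
    return sum(per_pos), per_pos


if __name__ == "__main__":
    for name, gen in [("weak", weak_token), ("strong", strong_token)]:
        total, per_pos = report(capture(gen))
        print(f"{name:6s} total={total:5.1f} bits  per-position="
              + " ".join(f"{b:.1f}" for b in per_pos))
```

With 4096 samples the weak generator scores about 12 bits in total (only the last three hex digits carry any information) while the CSPRNG scores just under the 64-bit maximum; a token whose per-position values differ that much is one you should try to predict, not just note.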


Behavioral Science in Security

  • Security has a high barrier to entry
  • Least diverse group of people, blaming employees for being dumb and for being the first point of insecurity
  • Needs more involvement from other roles (e.g. game design, marketing, design, etc.)
  • Caring about security is a hard sell when the mentality of “oh, you possibly wouldn’t understand” is around

BJ Fogg Behavior Model
  • Motivation: “I didn’t want to”
    • gamify it with “Red Team events” and simulated breaches
    • recommendation to share learnings from red team events broadly
    • add positive incentives: personalization
    • add positive communication: don’t be finger-wagging in your educational messaging
  • Ability: “I don’t know what to do about it”
    • Make it easy to train up and transfer knowledge
    • Retention is highest (around 90%) when people learn by teaching others; lectures are the least retained.
    • When you personalize and give content context, retention increases even more!
  • Triggers: “I forgot ☹️”
    • useful, real-time, contextual reminders (e.g. activity monitors use haptic feedback to get you to take a short walk)


Jyothsna Lekkala - Threat Modeling Overview & Pro-Tips

  • Remember to check all the actors in your system, including the physical ones. 🏠