Wednesday, October 29, 2014

Update to Kali-Scripts

It has been a while but I updated the Kali update script I have on github and added an script. They can ben found here:

The script has minor changes. The biggest one is I changed to dist-upgrade from just upgrade. When I wrote the script there was no difference and a dist-upgrade burned me once on BT5 back in the day so I didn't use it. The dist-upgrade seems to be needed and fine now though.

I'm on the blue team again and I now don't run everything from my laptop and having Kali on a server made me want a script for a cron job. So I edited down the script and tweaked the dist-upgrade line so conf files wouldn't stop it and made If you have a Kali server and want to upgrade in cron, there you go. One warning, the script assumes things are there for the most part. The one time installs and checks are in the script, you should run it once with a -a before setting up this job.

Kali Dist-Upgrade Issues Fun:
One note on the dist-upgrade, I did run into an issue with it. But is was resolvable. I got an error saying it couldn't finish and to run apt-get -f install to fix it. So I did and that failed. It said it needed to overwrite a file that was owned by another package. At the end it gives the deb file that has an error. If you run into that what you need to do is:
dpkg -i --force-overwrite /the/path/defilegivingtheerror.deb
apt-get -f install

That will let the file be overwritten. After the apt-get -f install finished you need to run the apt-get dist-upgrade again. I had it fail again and had to do the same steps above a second time. Life has been good since then.

Friday, October 24, 2014

SecureCIO Chicago and John McAfee

So I got invited to this thing. I wasn't sure how or why and I almost deleted it until I noticed John McAfee was speaking. Then I clicked the hell yes button. I figured either the people running this thing must be pretty cool or totally clueless and were going to freak out and either way this was going to be fun. So I went. It was a bit odd and slow for me at first. The host started with a urban legend a few seconds on snoops on my phone confirmed my hunch. Not long after that he said to use the news about big attacks to scare the crap out of our leaders to get more budget. I don't think he was kidding, maybe half kidding. Another speaker worked for a secure email company and talked about how his product helped secure email, joy. I was starting to wonder what I got myself into. Then at the break I found an old friend of mine and that was good. Then I saw Wendy's blue hair and I recognized her from B-Sides Vegas and I knew McAfee must be close and he was, playing the piano. I went and hung out with him as much as I could. The cool kids all came out to talk to him and as long as I was close to him I found it easier to talk to other people, these were my people. After his talk @minossec came over to say hi to him and it was cool to he him again too. It turns out the director of this thing is a cool guy and has worked with John McAfee before and like me was tying to hang out with him as much as possible and it was nice meeting him too. Finally John McAfee spoke. It was a good talk, different tone than B-Sides he knew the audience was different. Mostly he talked about phone insecurity and how we are all idiots for letting our flashlight app or bible reading app access our microphone and record us without telling us and how he has a new Android app which tells you when that happens and if you try it you will see how stupid you have been and how you are being spied on. I ended up at the bar there but bailed before it got too late and somehow totally forgot to eat dinner. McAfee left shortly after his talk unfortunately but it was great seeing him and hearing him speak.

Like I said, the person running this thing seems cool. Most of the more technical security leaders I know weren't there. We should try to fix that going forward, this thing has potential if we can get the right people to start showing up by mixing a bunch of burbsec/chisec folks in.

Thursday, October 16, 2014

DerbyCon 4 Recap

I'm a bit late but here it is anyway. DerbyCon was good overall this year and still is my new favorite security con. I must say I felt the talks were overall not as strong as the last two years and I didn't walk away with as many good pieces of data and ideas. A feeling I confirmed with several other people. But it was still good and it isn't clear how much of that is based on the talks that were selected, or that the talks in 2014 just aren't as good as a whole, or it is a bullshit feeling and we are building old DerbyCon's up in our mind. But like I said, still my favorite, and I still plan to go next year. On a side note I explored more of Louisville this year than the years past and I'm starting to really love that city.

All the videos can be found here:

If you didn't get to go or missed some talks here are a few I liked:
Threat Modeling for Realz – Bruce Potter
Application Whitelisting: Be Careful Where The Silver Bullet Is Aimed – David McCartney
InfoSec – from the mouth of babes (or an 8 year old) – Reuben A. Paul (RAPstar) and Mano Paul
How to Secure and Sys Admin Windows like a Boss. – Jim Kennedy
Building a Modern Security Engineering Organization – Zane Lackey
Information Security Team Management: How to keep your edge while embracing the dark side – Stephen C Gay
RavenHID: Remote Badge Gathering -or- Why we sit in client bathrooms for hours – Lucas Morris – Adam Zamora
Building a Web Application Vulnerability Management Program – Jason Pubal

This list is far from complete, I haven't watched all the videos of talks I've missed and want to see yet. But it is taking a while and I wanted to get this out. So consider that list a starting point, there are a whole lot of good talks up there. Everyone should spend a few hours to watch the ones that applies to you the most.

So far I think the best piece of info I got was from Jason Pubal's talk that exposted me to ThreadFix. It was a pain for me to get it working on Debian but that is just because I'm too stubborn to use Windows I guess. I think that might be another blog post soon. But let me say, my developers already love the thing and I just got it working. If you have developers and have to give them scan data check this tool out.

Let me know what videos you think I should watch that I didn't link. I won't watch them all so let me know if you think I'm missing something cool.