The Security Maturity Checklist

A year ago I founded a conference, and this weekend was the fourth iteration of it, adaconf3 (the first was adaconf0).

I am really happy about the awesome lineup, and I also did a lightning talk, beta testing a small part of an upcoming talk called Why Penetration Testing Sucks – Finding a more efficient road to Security Maturity.

Continue reading “The Security Maturity Checklist”

Penetration Testing without Risk Analysis

A few years back, I am in a room full of practicing penetration testers, listening in as they talk about the problems they perceive in their working environment. I get a bit confused and ask an inconspicuous question:

“How much of your work is risk analysis?”

Ten pairs of eyes looking back at me, with the same look of confusion that I assume I display.

“What do you mean? We don’t do risk analysis.”

Continue reading “Penetration Testing without Risk Analysis”

Penetration Testing is a Bad Word

As a female penetration tester, I have had a fair deal of jokes thrown at me.

People outside the IT industry get shocked and confused.

People inside the industry try to quench their nervous laughs.

It’s gone to the point where I have formulated a number of scripted comebacks to common reactions. Most people are polite enough not to verbally say what they think, and get very relieved when I myself crack a stupid joke about the word.

Continue reading “Penetration Testing is a Bad Word”

3 “helpful” advice you should stop giving budding techies

Peers teach peers new tech skills at adaconf0.

Do you want to help your peers become better at IT? Great! People like yourself are an important asset to the tech world.

However, being a subject expert doesn’t make you a teaching expert. Want to help your fellow techie develop their skills? Here are some common pitfalls to avoid.

“You’re learning this? Why? You should learn this instead!”

The more senior person will have a better understanding of the big picture, and may get eager to talk about all the possible things there are to learn. What they don’t realize they’re saying is: don’t learn in depth what you already started, but hop from subject to subject as fast as you can.

I failed my OSCP exam, and I am so proud of myself!

Two days ago I did my first attempt at the OSCP exam. I have not passed – YET.

The exam is a 24-hour exam where I was expected to gain a reverse shell on three or four out of six machines that I had never had contact with before. It was a lot of fun mapping them, finding their weak spots and figuring out which one of the numerous weaknesses could be exploited. However, I wasn’t able to exploit any of them end to end.

Continue reading “I failed my OSCP exam, and I am so proud of myself!”

Unethical design by negligence

TL;DR: I take two examples of design choices that are problematic in terms of ethics and compliance with the GDPR: Reseplaneraren, a travel planner, and FMTK, a fitness app. Both of these apps are from government-controlled entities and both are tax funded.

Responsible disclosure note: Research was initiated September 2017, and by October 2017 both had acknowledged that they had received my report. A shorter version of this blog post was published on my Medium blog in September 2017.

Continue reading “Unethical design by negligence”

Penetration Testing – But Why?

I once again tried my sketchnoting skills. In blue are findings from the paper, red are my own remarks.

I am a penetration tester – a legal, ethical hacker. But I am more comfortable with calling myself a security tester or a security analyst, or a SecDevOps professional.

The most common distinction between vulnerability assessment and penetration testing is that the former is automated and the latter manual. However, that’s an over-simplification. Reading this excellent research paper (“Does penetration testing need standardisation?”, Knowles, Baron, McGarr, 2015), the delivery of penetration testing services is of varying type and quality. In particular, communicating and fixing the findings often falls short. And truly – isn’t fixing the issues the whole point?

Continue reading “Penetration Testing – But Why?”

Sketchnoting – getting out of the comfort zone

At the beginning of this week I had the opportunity to attend and speak at Testing Cup in Poland! For the third time I did my talk about the GDPR and the 100-year-old boat accident that almost killed my great grandfather, and it’s really interesting how I get all these different kinds of questions with different audiences.

Continue reading “Sketchnoting – getting out of the comfort zone”

How does security testing differ from testing?

You guessed it from the title, but security testing is really just another type of testing. Secure development is not rocket science, but a mindset inside of the scope of any development.

Security is essentially to know your product, both how it’s designed to work (happy path) and how it can be broken (exception paths). If you build a skyscraper, you do not only build it for sunny weather but also for hurricanes. If you’re building software that you sell, the customer expects the software to enable their business, not to block it.

Security is to find bugs and be able to perform good triage on them.

Security is also to have a prestige-free, non-blaming working environment where found bugs actually can be fixed.

Continue reading “How does security testing differ from testing?”

Authentication and Authorization – what is it?

Doing talks in Germany this weekend was really fun! I had a blast and learned a lot. My talks can be found here and here.

The most inspiring talk was about Fairytale Protocols (in German) – describing different authentication schemes with help from Arabian Nights and the Grimm brothers. Security pedagogics is a field that still has a lot of room for improvement, and I think this was a great way of bettering the mental picture of different authentication schemes.

Continue reading “Authentication and Authorization – what is it?”

I’m going to GPN18!


Me at the last Chaos Communications Congress, 34c3.

Tomorrow I will head over to Germany to attend Gulaschprogrammiernacht and give one talk and one workshop. It’s going to be so much fun! I hope to meet so many awesome new people! Four times I’ve been to the Chaos Communications Congress, and I’ve been told GPN is the same but smaller. I hope to learn tons of new stuff, and I will wear my LED wearables as much as I can 🙂

Continue reading “I’m going to GPN18!”

Designing systems with privacy in mind

Due to a malfunction, a journalist got banned from using her work tool, Google Docs. She was reporting on wildlife crime, and an automated process flagged her content as malicious and locked her out for violating the Terms of Service. This happened automatically, without human intervention. The system performs real-time analysis of everything we write in our online documents – including this one, ironically (I usually write my drafts in Google Docs). This real-time inspection of my text in Google Docs cannot be turned off because it’s considered a core feature.

Continue reading “Designing systems with privacy in mind”

Under GDPR, the owner of your data is you

The new privacy law, the GDPR, brings a very important change in perspective:

You own your data.

Does it mean that you have the right to force the bank to forget your data, and thus your debts? No, of course not. There are other laws that also come into play: laws about data retention at your broadband company, anti-fraud laws at your bank, registries that your state keeps. But the GDPR switches the basic premise: in the default case, data about you is yours. You loan your data to a company for a limited scope and a limited time.

This means that we who collect and process your data need to design systems that allow for pruning, purging and protection of all data regarding a person. And as we saw in the last article – data that can identify a person could be basically any data. That means we in the IT business have to step up our game, throw out legacy systems, and build robust, predictable and secure systems.

Basically – GDPR forces us to create and use high quality systems.

But wait, does the law force companies to sell only good products? That sounds hard! Yes, it is if the company you’re dealing with doesn’t have a good overview of their assets, their architecture, their business value. If they don’t have smart processes and continuously work on their products, they will risk not complying with the GDPR.


The Air Conditioner Is Watching You

TL;DR: Using metadata, it is relatively easy to find out very intimate information about a person. Therefore it is good to assume that any data in a system is covered by the GDPR. (And if you want to see me go deeper into this, join the HoT69 conference on May 26th!)

The GDPR is the new data privacy law that will come into force at the end of May 2018. It’s a neat law that, in the best of worlds, will help ordinary users regain control over their data.

A central premise of the GDPR is that all Personally Identifiable Information (PII) about a person is owned by that person and must be protected. But what is PII?

Continue reading “The Air Conditioner Is Watching You”

Change your password when you change partners (Byt lösenord när du byter partner)

This article, in Swedish, has previously been published on my LinkedIn site.

In September, Internetstiftelsen i Sverige published a report on the password habits of Swedes. I don’t know whether I want to recommend reading it or not. Do you, like me, find passwords and information security interesting? Then it is an easy-to-read and useful overview for the interested. Do you think passwords are a frustrating plague? Skip this.

Continue reading “Change your password when you change partners (Byt lösenord när du byter partner)”

The User Experience of a Watermelon — What secure design is all about

This article was previously published on my Medium blog.

Reading the UX of a Banana — What UX design is all about, I realized that user security has the user experience of a watermelon.

Mmm… watermelons! Tasty, yet so hard to get.

I have a strong preference for watermelons, but due to their UX, the typical fruit I eat is a banana. (OT: botanically speaking, the watermelon is a berry, but so is the banana.)

Continue reading “The User Experience of a Watermelon — What secure design is all about”

Exploiting my own WordPress part 4 – Attack surface

TL;DR: I rerun ZAP and the wpscan online password attack against a presumably less defended target, and realize that sometimes just talking to people is the best troubleshooting methodology.

Before leaving ZAP and trying out new tools, I do a scan of this blog, emalstm.tech.

My hypothesis is that ZAP will find more flags on this WordPress. The only protective measures I’ve implemented on this site are a secured SSH connection, disallowing root login and putting up a firewall including fail2ban.

Continue reading “Exploiting my own WordPress part 4 – Attack surface”