Interview with Joseph Muniz Co-Author of Web Penetration Testing with Kali Linux
Joseph Muniz is a technical solutions architect and security researcher. He started his career in software development and later managed networks as a contracted technical resource. Joseph moved into consulting and found a passion for security while meeting with a variety of customers. He has been involved with the design and implementation of multiple projects ranging from Fortune 500 corporations to large federal networks.
Joseph runs TheSecurityBlogger.com, a popular resource on security and product implementation. You can also find Joseph speaking at live events and contributing to other publications. Recent events include speaking on Social Media Deception at the 2013 ASIS International conference, the Eliminate Network Blind Spots with Data Center Security webinar, Making Bring Your Own Device (BYOD) Work at the Government Solutions Forum in Washington DC, and an article on Compromising Passwords in PenTest Magazine – Backtrack Compendium, July 2013.
Outside of work, he can be found behind turntables scratching classic vinyl or on the soccer pitch hacking away at the local club teams.
Web Penetration Testing with Kali Linux
A practical guide to implementing penetration testing strategies on websites, web applications, and standard web protocols with Kali Linux.
BlackHat Student Scholarship Program
This year, we are pleased to announce the launch of the Black Hat Student Scholarship Program. As a way to introduce the next generation of security professionals to the Black Hat community, we will be awarding a limited number of complimentary Academic Passes for Black Hat USA 2014. Each pass allows full access to all Briefings and has a value of $895.
If you or someone you know has the skills to become a future thought leader in the information security community, we hope you’ll take a moment to review the simple application requirements and details here.
Black Hat USA provides an outstanding opportunity for students to further their learning, skill building and networking. It’s a chance to experience the bleeding edge of InfoSec research and to meet and interact with some of the most brilliant minds in the field today.
The deadline for all Student Scholarship applications is June 30, 2014 — but the sooner we receive your application, the better.
Don’t miss your chance — Apply Now: http://blackhat.com/us-14/student-scholarship-program.html
Operation Irongeek – Adrian Crenshaw gets Censored by Google #opirongeek
Facts:
On Thursday, June 5, it was learned that Google has suspended the YouTube account of Adrian Crenshaw, also known as Irongeek, who travels to hacker conferences across the country to record presentations for educational purposes. He does this at his own expense as a service to the community. It appears that Google suspended the account for terms-of-service reasons based on the subject matter of his videos.
Censorship:
This is direct censorship of hacking content by Google. This cannot stand. It is an affront to free speech.
Call to Action:
We ask that all members of the information security community join us in urging Google to restore Irongeek's account.
The hashtag for this op is #opirongeek. Please use the hashtag when tweeting about this issue. We ask that you use social media to spread the word about this attack on free speech.
Homomorphic Encryption in the Real World
For those following developments in cryptography, homomorphic encryption has been a hot topic in the last few years. Most practitioners, though, are only interested in cryptography for what it can provide: data encryption, secure networking protocols, authentication and the ever-controversial Digital Rights Management. It turns out that homomorphic encryption (HE) holds a big practical promise: when HE is finally available with good performance, people will be able to farm out CPU-intensive workloads to the cloud without having to share the actual data with the servers that process it. So, when that happy day comes, we'll be able to benefit from the near-unlimited scalability of the cloud without paying the price in security.
To give a completely made-up example, suppose I wanted to calculate the sum of a few numbers (3, 4, and 9), but did not want to expend my own resources on this heavy computation. Instead, I would like a cloud service to do it for me. I could multiply each one of them by a secret value (say, 7), send them over to the cloud to be summed up, and when I get the answer back (112, in case you were wondering), "decode" the response by dividing by 7 to get the answer to my original query, which happens to be 16. (This illustrates the shape of the idea, not a secure scheme: the cloud can recover the secret 7 simply as gcd(21, 28, 63).)
In reality of course, I would like the cloud computer to perform much more complicated computations for me. One common example is video transcoding. Can I send a video to the cloud to have it converted from HD to something that’ll fit on my smartphone, without the cloud service getting to know my video preferences? The answer today is an emphatic No.
The Cryptography Research group at IBM has been instrumental in proving that fully homomorphic encryption (FHE) is possible; that is, a cloud service can be built to evaluate any arbitrary function over encrypted data. Since then, they have been continuously optimizing their implementation. However, efficient FHE is still not here. As one data point, a single AES block encryption (a few nanoseconds on your favorite desktop) takes something like 24 hours (!) using FHE techniques.
So while fully homomorphic encryption is not yet practical, we are starting to see examples of practical partially homomorphic solutions. These are solutions that use cryptographic functions that allow the cloud service to evaluate some functions of the input, but not others. For example, it may be able to compute the sum (and hence the average) of the given inputs, but not their product. While obviously much more limited than FHE, there are already some good applications of "partially homomorphic encryption". Here are a few:
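The following is an added example, not code from this article or from CryptDB, Microsoft Research or Porticor. It serves two passages above: it first reproduces the made-up "multiply by a secret" trick with 3, 4 and 9 and shows how the cloud recovers the secret with a gcd, and then implements textbook Paillier encryption (Pascal Paillier, 1999), an additively homomorphic scheme of exactly the "sum and average, but not product" kind: the server multiplies ciphertexts and thereby adds the hidden plaintexts, while the client alone can decrypt. The primes near 10^6 are an assumption for a runnable demo only; a real deployment uses a 2048-bit or larger modulus and a reviewed library.

```python
"""Partially (additively) homomorphic encryption demo: Paillier.

Added example, not code from the article or any project it names.
Demo-only primes; never use a modulus this small for real data.
"""
import math
import secrets
from functools import reduce


# ---- Part 1: the article's toy scheme (blinding by a secret factor) ----

def toy_blind(values, secret):
    """Client 'hides' each value by multiplying it with a secret factor."""
    return [v * secret for v in values]


def toy_unblind(blinded_sum, secret):
    """Client divides the returned sum to recover the real sum."""
    return blinded_sum // secret


def toy_recover_secret(blinded):
    """What the cloud can do: gcd(21, 28, 63) == 7, so the 'key' leaks
    whenever the original values are coprime. Not encryption."""
    return reduce(math.gcd, blinded)


# ---- Part 2: Paillier, additively homomorphic --------------------------

def _is_prime(n):
    """Trial division; adequate only for the tiny demo primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def _next_prime(n):
    while not _is_prime(n):
        n += 1
    return n


def paillier_keygen(p, q):
    """Return (public, private) keys, using the common choice g = n + 1."""
    assert _is_prime(p) and _is_prime(q) and p != q
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    assert math.gcd(n, lam) == 1                        # Paillier precondition
    mu = pow(lam, -1, n)                                 # lam^-1 mod n (Python 3.8+)
    return (n, n + 1), (n, lam, mu)


def paillier_encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    assert 0 <= m < n, "plaintext must lie in [0, n)"
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def paillier_decrypt(priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, lam, mu = priv
    x = pow(c, lam, n * n)
    return ((x - 1) // n * mu) % n


def paillier_add(pub, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 == Enc(m1 + m2): the server adds blindly."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def paillier_mul_const(pub, c, k):
    """Enc(m)^k mod n^2 == Enc(k * m): scaling by a constant the server knows."""
    n, _ = pub
    return pow(c, k, n * n)


def cloud_sum(pub, ciphertexts):
    """The untrusted server: sums ciphertexts holding only the public key."""
    acc = 1  # 1 == g^0 * 1^n is a valid encryption of 0
    for c in ciphertexts:
        acc = paillier_add(pub, acc, c)
    return acc


def demo(values=(3, 4, 9)):
    """Client encrypts, cloud sums, client decrypts and divides for the average."""
    pub, priv = paillier_keygen(_next_prime(999_983), _next_prime(1_000_003))
    cts = [paillier_encrypt(pub, v) for v in values]
    total = paillier_decrypt(priv, cloud_sum(pub, cts))
    # What the scheme cannot do: Enc(3) * Enc(4) decrypts to 3 + 4, not 3 * 4.
    not_product = paillier_decrypt(priv, paillier_add(pub, cts[0], cts[1]))
    return {"sum": total, "average": total / len(values),
            "enc3_times_enc4": not_product}


if __name__ == "__main__":
    print(demo())  # sum 16, average 16/3, enc3_times_enc4 7
```

Two points worth noticing when running it: every call to paillier_encrypt on the same plaintext yields a different ciphertext (the random r), so the server cannot even tell which inputs were equal, and the "average" step needs the client to divide after decryption, because the server can only scale by constants it knows, not divide by a secret count.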
- CryptDB is a database privacy layer that adaptively encrypts some of the data, so as to minimize the amount of plaintext data available on the database server, while maintaining the ability of the server to perform useful operations (e.g. the SQL “select” and “join” commands) on the data. This project has been developed by a research group at MIT, led by Raluca Ada Popa.
- The Microsoft Cryptography Research Group led by Kristin Lauter has been working on different uses of HE for the last few years. This includes a Healthcare Privacy project with the notion of Patient Controlled Encryption, where patients encrypt their medical data with their private keys, while still retaining the ability of medical organizations to search their records for telltale statistical indicators. This was later extended into novel machine learning algorithms that manage to extract trends and correlations from collections of encrypted patient data sets.
- Porticor is using partially homomorphic encryption as part of its cloud key management protocol. This is actually the first commercial implementation of HE.
To summarize, homomorphic encryption promises to one day allow large scale cloud computations on encrypted data. While several research labs are busily working to bring that day closer, there are already a few implementations that utilize partially homomorphic (or “somewhat homomorphic”) encryption to achieve many of the benefits, using technology available today.
About the Author
Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He is a pioneer in the field of cloud computing who has built SaaS clouds, contributed to SAP products and created a cloud operating system.
Gilad has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance.
Half of American adults hacked this year
Hackers have exposed the personal information of 110 million Americans — roughly half of the nation’s adults — in the last 12 months alone.
That massive number, tallied for CNNMoney by Ponemon Institute researchers, is made even more mind-boggling by the amount of hacked accounts: up to 432 million.
The exact number of exposed accounts is hard to pin down, because some companies, such as AOL and eBay, aren't fully transparent about the details of their breaches. But that's the best estimate available with the data tracked by the Identity Theft Resource Center and CNNMoney's own review of corporate disclosures.
The damage is real. Each record typically includes personal information, such as your name, debit or credit card, email, phone number, birthday, password, security questions and physical address.