Cyberjutsu Review

Hello friends and welcome to haxez, where today I will be giving my opinions on the book Cyberjutsu. It’s written by Ben McCarty and published by No Starch Press. As soon as I learned of its existence, I had to purchase it. I found it used on eBay for around £10, which isn’t bad considering it’s a recent publication.

I’ll be honest, the main reason I wanted to purchase this book was because of its association with ninjas. Ancient Japan, the Samurai and the Shinobi are a fascinating subject. However, I thought Cyberjutsu was going to be a novelty read with no real relation between cybersecurity and the Shinobi. I genuinely thought it was going to be a gimmick used to sell a book. I was very wrong!

Cyberjutsu Initial Thoughts

Ben McCarty does an incredible job of demonstrating how modern cybersecurity tactics can be compared with those of the ancient Shinobi. Whether you’re the feudal lord of a medieval castle trying to prevent Shinobi infiltrations, or a computer hacker trying to compromise an evil organization’s computer network, this book does an excellent job of helping you visualize how to approach offensive and defensive security.

Times To Attack

This book covers a vast number of scenarios, including knowing what time to attack. The author explains how the ancient Shinobi scrolls categorize the different times of the day. The Hour of the Hare is between 05:00 am and 07:00 am and is when users first log on. Furthermore, the Hour of the Horse is between 11:00 am and 01:00 pm and is when users take their lunch. The Hour of the Tiger (03:00 am to 05:00 am) is when batch jobs are running and most users are logged off. The ancient scrolls would detail the best times to attempt infiltrating the enemy castle and the risks associated with each time.


Cyberjutsu Tools

The author explains how Shinobi used specific tools for the task they had been assigned. It wouldn’t be feasible for them to carry a huge tool kit on their infiltration missions, so they would have to live off the land. This could involve utilizing farming tools as weapons. This is then compared to a computer hacker infiltrating a computer network with only the built-in tools of the operating system at their disposal. He explains how hackers could utilize tools like PowerShell to elevate their privileges and slowly take over the network.


Sensors

Chapter 9 discusses how ancient castle lords would use sensors such as smelling scouts, listening scouts, and outdoor foot scouts to try to catch Shinobi attempting to infiltrate the castle. Furthermore, it explains how Shinobi would employ tactics and techniques to evade and defeat these sensors. The author uses these ancient sensory techniques to describe modern network sensors and how threat actors can evade them.


Cyberjutsu Social Engineering

According to Ben McCarty, Shinobi used social engineering tactics much like today’s hackers. Hackers use social engineering to trick users into giving them access to sensitive information. Shinobi would do the same. They would impersonate different people in order to bypass castle defenses, disguising themselves as merchants or priests, people who wouldn’t draw much attention. This would allow them to slip through the first-line defenses.

Fire Attack

The Shinobi would use so-called fire attacks to distract guards. This could allow the Shinobi to then perform some other nefarious task, like breaking into a restricted building. It could also be used as a distraction before the Shinobi’s allies attacked the castle. For example, there was one method where they would attach a fire stick to a horse and set the horse free. The horse would run around the castle setting everything on fire. The author compares this distraction method to how malicious threat actors attack computer networks. Hackers use attacks like denial of service to distract system administrators. While the denial of service attack is targeting one system and keeping the administrators busy, the threat actor exploits another target.

Command and Control

In cybersecurity, Command and Control, or C2, refers to applications that allow the threat actor to control multiple machines. Furthermore, it allows them to send instructions to these machines, which can be done in a number of different ways. Some examples given in the book were C2s that used public forums like the Microsoft forum, or Twitter, to send instructions to the affected machines. This is then compared to the way in which Shinobi communicated with the outside world. The Shinobi would listen out for signals from the outside world. These signals could have been drums in the distance, and the drum beats would allow the Shinobi to receive instructions.


Hiring Shinobi

One chapter of the book discusses the best methods of hiring people in the cybersecurity industry and how it can be compared to how Shinobi were recruited. It explains that rather than recruiting for talent, the focus should be on hiring people with certain character attributes. These attributes include intelligence, patience, capability, loyalty, and eloquence. The TTPs of the Shinobi could then be taught to the individual later. As with cybersecurity, it is important to employ people with certain character traits rather than recruiting the most skilled hackers. You never know, you could be recruiting a spy for a nation-state.

Castle Theory

After each chapter, Ben McCarty includes excellent thought exercises where you play the role of a Daimyo, or Lord of a castle. You’re given a scenario and are asked to come up with ideas on how best to defend the castle against it. While this is an excellent exercise for blue teams, I feel there is an opportunity for a second book that focuses specifically on offensive security. I had a lot of fun thinking about ways in which to attack the castle rather than defend it. I guess that was the author’s intention: getting the reader to visualize scenarios and how best to go about their role as either blue team or red team.

Cyberjutsu Conclusion

I had a lot of fun reading this book. It is by far one of the easiest technical books that I have read in a while. I’m not sure whether that was due to the comparisons to Shinobi holding my interest, or whether it was due to the author’s writing style that made it easy to read. Either way, I blitzed through this book quickly and have recommended it to a few of my colleagues in the cybersecurity industry. I wish I could do a better job of explaining why you should pick this book up, but I don’t want to spoil the contents. I will leave you with an excellent quote from the book which can easily be reworded for the modern cybersecurity professional.

Although there are millions of lessons for the shinobi, that are both subtle and ever-changing, you can’t teach them in their entirety by tradition or passing them on. One of the most important things for you to do is always try to know everything you can of every place or province that is possible to know… If your mind is in total accordance with the way of things and it is working with perfect reason and logic, then you can pass through “the gateless gate”. The human mind is marvelous and flexible. It’s amazing. As time goes by, clearly or mysteriously, you will realize the essence of things and understanding will appear to you from nowhere… On (the path of shinobi) you should master everything and all that you can. You should use your imagination and insight to realize and grasp the way of all matters.

Unknown

Foundations of Information Security Review

Hello friends and welcome to haxez. Foundations of Information Security is probably one of the first books I should have reviewed. This is a great book for anybody new to information security. It’s written by Jason Andress and published by No Starch Press. While there are many books out there that cover the material in this book, they can sometimes be too cold and factual to enjoy. The author of this book brings a great balance of warm humor and information. For example, the author quotes the phrase “With great power comes great responsibility” and even goes as far as referencing it to a particular Spiderman comic book. Furthermore, the author explains how hacking a heart rate monitor could be heart-breaking…


What Is Information Security?

This book is well written; it somehow manages to keep a lot of the dry information interesting. The subjects covered in this book can be found in other books, such as those that cover the Security+ certification. I’ve read many of those books, but this one was by far the easiest read. It covers core concepts like the CIA (confidentiality, integrity and availability) model of information security. It explains the defense-in-depth strategy that covers the external network, internal network, host, application, and data. The author also includes easy-to-understand diagrams that help to visualize these concepts.

Identification and Authentication

Identification and authentication are important factors of information security and are covered in detail in this book. In short, it explains the weaknesses in traditional authentication methods such as passwords. Ordinarily, users aren’t that good at remembering complex passwords, and this could lead to them writing them down in places (such as the bottom of keyboards) that could be easily accessed. Furthermore, it covers the various attack types and additional mechanisms, such as multifactor authentication, that could be implemented to improve it.

Cryptography

One area of computing that really interests me is the history of cryptography, specifically the Enigma machine, as it was one of the first mechanical encryption devices. While there were others, such as the Jefferson Disk, the Enigma machine was an incredible device for the time. In effect, it helped to keep the Nazis’ communications secure for a long period of time until it was broken by Alan Turing and the Bletchley Park team. Beyond the history of cryptography, the author covers modern encryption technologies and explains their importance.

Conclusion — Foundations of Information Security

The author covers far more than what I’ve discussed above. Additional chapters include the Human Element in security, Physical Security, Network Security, Operating System Security, Mobile, Embedded and Internet of Things Security, and Application Security. To summarise each chapter and give my opinions would probably require a book’s worth of writing itself. However, if you’re new to info security or are looking to refresh your knowledge, then this is an ideal book. It’s easy to read and makes the information fun to consume. My biggest takeaway from the book is that cybersecurity is constantly evolving and growing. With new devices being added to the internet every day and new attacks being developed, we too should continue to evolve and grow.

Real-World Bug Hunting Review

Introduction

Hello friends and welcome to HaXeZ. This week I’ve been reading Real-World Bug Hunting: A Field Guide to Web Hacking, written by Peter Yaworski and published by No Starch Press. I purchased this book from Amazon for around £20.00, which in my opinion is well worth the money.


Real-World Bug Hunting Initial Thoughts

I bought this book because I wanted to improve my application penetration testing skills. At the present time, web application tests are a huge category in information security. Overall, I’ve probably done more web application tests than any other type of test since entering the industry. In short, there are so many different technologies and attack vectors to consider when testing web applications. It can be overwhelming if you’re new to the industry. For the most part, I wanted to read this book to expand my current knowledge and to improve my testing methodology. It did just that. The author covers a lot of areas in this book and gives real-world examples of bug bounties that have been submitted to HackerOne.

HTTP Parameter Pollution Bug Hunting

One of the first topics that the author covers is server-side and client-side HTTP Parameter Pollution. For instance, he talks about how adding additional parameters to the URL to see which one gets processed could lead to a vulnerability. Furthermore, he uses an example of performing a funds transfer on a banking website. He explains that adding an additional account parameter to the URL could result in a vulnerability. I won’t go into specifics, but the way that the server processes the request determines which account the funds are removed from. The author also gives a real-world example of someone who was able to unsubscribe other users from Twitter notifications, which I thought was hilarious.
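The point the paragraph makes is that a repeated parameter is ambiguous and different server code will pick different values. The following is an added example (not code from the book or from its author) showing three ways a server could read a constructed query string containing the same parameter twice: take the first value, take the last value, or refuse to guess. The parameter names and the query string are made up for the illustration.

```python
from urllib.parse import parse_qs

# Parameters that must never be ambiguous on a money-moving endpoint (constructed names).
SENSITIVE_PARAMS = {"from_account", "to_account", "amount"}

# Constructed query string: "from_account" appears twice with different values.
SAMPLE_QUERY = "from_account=1234&to_account=9999&amount=100&from_account=5678"


def parse_first_wins(query: str) -> dict:
    """Behaviour of a server that keeps the first occurrence of each parameter."""
    return {name: values[0] for name, values in parse_qs(query, keep_blank_values=True).items()}


def parse_last_wins(query: str) -> dict:
    """Behaviour of a server that keeps the last occurrence of each parameter."""
    return {name: values[-1] for name, values in parse_qs(query, keep_blank_values=True).items()}


def duplicated_params(query: str) -> list:
    """Names that appear more than once, sorted, suitable for a log line or alert."""
    parsed = parse_qs(query, keep_blank_values=True)
    return sorted(name for name, values in parsed.items() if len(values) > 1)


def parse_strict(query: str, sensitive=SENSITIVE_PARAMS) -> dict:
    """Defensive variant: reject the request if any sensitive parameter is repeated.

    Instead of silently choosing first or last, the server refuses to process a
    request whose meaning depends on which parser convention it happens to use.
    """
    repeated = [name for name in duplicated_params(query) if name in sensitive]
    if repeated:
        raise ValueError(f"repeated sensitive parameter(s): {', '.join(repeated)}")
    return parse_first_wins(query)


if __name__ == "__main__":
    print("first wins :", parse_first_wins(SAMPLE_QUERY)["from_account"])
    print("last wins  :", parse_last_wins(SAMPLE_QUERY)["from_account"])
    print("duplicates :", duplicated_params(SAMPLE_QUERY))
    try:
        parse_strict(SAMPLE_QUERY)
    except ValueError as err:
        print("strict     :", err)
```

The two lenient parsers debit different accounts for the same URL, which is exactly the ambiguity the book's banking example relies on; `parse_strict` turns that ambiguity into a rejected request and `duplicated_params` gives you something to alert on.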

Cross-Site Request Forgery Bug Hunting

Cross-Site Request Forgery is when a threat actor tricks an unsuspecting user into opening a link. The link directs the user to a malicious website that sends a request to a legitimate website. Provided that the user has session cookies stored in their browser, the request is authenticated and succeeds. The author uses an example of when a hacker discovered a CSRF attack that affected Twitter and Shopify. To clarify, the hacker was able to disconnect other users’ Twitter accounts from their Shopify store. While this seems mostly harmless, it is still a vulnerability and could cause users to miss important notifications.
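The defence against the scenario described above is that the legitimate site must not accept a state-changing request on the strength of the session cookie alone. Below is an added example (not code from the book, and not Shopify's or Twitter's implementation) of a minimal server-side check: the request must carry a per-session CSRF token matching the one the server issued, and its Origin (or Referer) header must name the site itself. The requests, the allowed origin and the header and form names are all constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the only origin from which state-changing requests are accepted.
ALLOWED_ORIGINS = {"https://shop.example"}

# Methods that by convention must not change state, so they need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Store a fresh random token in the session and return it for embedding in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Accept only if Origin (or, failing that, Referer) names an allowed origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no way to tell where the request came from: refuse
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def is_csrf_safe(request: dict, session: dict) -> bool:
    """request = {"method": ..., "headers": {...}, "form": {...}} (constructed shape)."""
    if request["method"].upper() in SAFE_METHODS:
        return True
    if not origin_allowed(request["headers"]):
        return False
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return bool(expected) and hmac.compare_digest(expected, supplied)


def build_requests(token: str) -> dict:
    """Constructed sample requests: one genuine, one forged from another site."""
    return {
        "genuine": {
            "method": "POST",
            "headers": {"Origin": "https://shop.example", "Cookie": "session=abc"},
            "form": {"action": "disconnect_twitter", "csrf_token": token},
        },
        # The forged request carries the victim's cookie (the browser adds it) but
        # neither the token nor an acceptable Origin, so it is rejected.
        "forged": {
            "method": "POST",
            "headers": {"Origin": "https://attacker.example", "Cookie": "session=abc"},
            "form": {"action": "disconnect_twitter"},
        },
    }


if __name__ == "__main__":
    session = {}
    requests = build_requests(issue_csrf_token(session))
    for name, req in requests.items():
        print(f"{name}: {'accepted' if is_csrf_safe(req, session) else 'rejected'}")
```

The token check alone would be enough; the Origin check is a second, independent layer, and a `SameSite` attribute on the session cookie would be a third. Each one on its own stops the cross-site request the paragraph describes, which is why a server-side framework's built-in CSRF protection should be left switched on.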

Carriage Return Line Feed Injection

This type of attack vector requires the submission of encoded characters that have special meanings. As a result, these encoded characters may bypass traditional input sanitization, facilitating unexpected actions. Specifically, the characters the author uses are %0D and %0A, which represent a carriage return and a line feed. The author uses an example of how a hacker found an HTTP Response Splitting vulnerability on Twitter that allowed him to set cookies. The specific details of this vulnerability are beyond the scope of this review, but it’s definitely worth reading.
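To make the mechanism concrete, here is an added example (not from the book, and not Twitter's code) of a toy response builder that copies a user-controlled value into a Location header. The naive version writes the decoded value straight into the header block, so a value containing %0D%0A ends the header early and whatever follows is parsed as a new header; the hardened version refuses any value containing CR, LF or NUL. The tainted value and the response format are constructed for the illustration.

```python
import re
from urllib.parse import unquote

# CR, LF and NUL have no business inside a header value.
_FORBIDDEN_IN_HEADER = re.compile(r"[\r\n\x00]")

# Constructed: what a URL-decoded redirect target looks like after %0D%0A is decoded.
TAINTED_LOCATION = unquote("/home%0D%0ASet-Cookie:%20injected=1")


def is_safe_header_value(value: str) -> bool:
    """True if the value cannot terminate a header line or smuggle a second header."""
    return _FORBIDDEN_IN_HEADER.search(value) is None


def build_redirect_naive(location: str) -> str:
    """Vulnerable: trusts the value, so embedded CR LF splits the header block."""
    return "HTTP/1.1 302 Found\r\n" f"Location: {location}\r\n" "\r\n"


def build_redirect_safe(location: str) -> str:
    """Hardened: reject rather than try to 'clean' a value with control characters."""
    if not is_safe_header_value(location):
        raise ValueError("header value contains CR, LF or NUL")
    return "HTTP/1.1 302 Found\r\n" f"Location: {location}\r\n" "\r\n"


def response_header_names(raw: str) -> list:
    """Parse the header block the way a client would and return the header names in order."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the status line
    return [line.split(":", 1)[0].strip() for line in lines if line]


if __name__ == "__main__":
    print("naive   :", response_header_names(build_redirect_naive(TAINTED_LOCATION)))
    print("clean   :", response_header_names(build_redirect_safe("/home")))
    try:
        build_redirect_safe(TAINTED_LOCATION)
    except ValueError as err:
        print("hardened:", err)
```

Re-parsing the naive output shows a Set-Cookie header the application never intended to send, which is the "set cookies" outcome the paragraph mentions. Most modern HTTP libraries already raise an error on CR or LF in a header value; the check above is what that protection amounts to, and it is the thing to confirm is present whenever request data ends up in a response header.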

Cross-Site Scripting

XSS, every penetration tester’s first exploit. Ok, maybe not, but it is one of the first things I was taught when joining the industry. There are two types of Cross-Site Scripting, and the author does a fantastic job of explaining both. For example, he talks about how it was possible to perform a persistent Cross-Site Scripting attack on Yahoo Mail. This vulnerability was possible due to the way the sanitization handled malformed image tags. There are more examples, including ones that affected Google image search, United Airlines, and Shopify.

SQL Injection

SQL Injection is apparently one of the most financially rewarding bugs to find. This is understandable, since the impact of exploiting an SQL Injection could be huge. There have been loads of examples in the news (specifically mobile phone network providers) where customers’ sensitive data was leaked. There are many different types of SQLi, and the author provides examples such as a Blind SQLi bug found on Yahoo Sports. The hacker was able to discover this vulnerability by the way the page was rendering pictures. Personally, I struggle with Blind SQLi; it seems like such a long process.

Finding Your Own Bug Bounties

The author covers many more attack types and gives real-world examples of where and how bug hunters have found them. The majority of the findings are well beyond my current technical capability, which only made me find them more fascinating. While this may be true for a lot of new penetration testers, the author does provide a testing methodology of sorts. This methodology alone is worth the price of admission. It discusses how you should approach a test and where you should focus your energy. It explains that you should target one specific vulnerability and not move on until you’ve popped it.

Conclusions

This book was a great read and while it didn’t make me a super hacker (no single book will), it has motivated me to learn more. The financial reward of bug bounties is great, but the knowledge of those performing the bug bounties is what was truly inspiring.

The author provides great real-life examples of many different attack types. To summarise them all in a blog post would take forever. The main takeaway from the book that I found was persistence! Persistence in learning and persistence in testing. If you find something that looks like a bug, then keep persisting until you exploit it. All of the examples in the book start with an initial discovery, but then a great deal of persistence was required from the hacker in order to exploit it and claim their bounty.

Even reading the book took persistence on my part because technical books aren’t always the easiest reads. I really enjoyed this book though and would recommend it to anybody starting in the industry. Not so much for the technical details but more for the message behind it. Keep chipping away and being persistent with your goals.