Wednesday, December 24, 2014

Moving to Google Domains from

Well I am moving some of my domains to the Beta Google Domains, away from hosting. It has not been completely the easiest thing to do; I have unlocked my domains and disabled private registration. However, I have several sites that were still locked an hour after changing their status. All of them finally were released to allow me to request the transfer to Google.
One main reason I am moving from is they continually raise their prices, and I am not a business so I do not make money from any of my sites. The other is that their mail services have become awful, unless you want to move to their newer exchange mail service for a $5 per account/per month fee.
I have used them for about eight years, and originally started with their beginner package for $2.99 per month, but it is now up to $4.99 per month. While they do add some features, it seems that they make others worse for the older subscribers who do not upgrade to a better package.
The new MyWebsite package is $6.99 a month, with a few more options than I currently have, and I am guessing that my account will soon receive a price update to be closer to that price. Along with the price updates to all domain names I have registered, they used to cost me between $6.99 to $8.99, and are now all $14.99 per domain. Since I have 17 domains, that has made a drastic price increase to my costs to host websites. Another thing they pissed me off about was they sent a notice that they were discontinuing the use of PHP 5.2, so I migrated all of my systems to 5.4 or 5.5. They forgot to mention that I needed to discontinue the support for 5.2 in my billing, and billed me $4.99 for a month of support. They never mentioned that I had to do this or that it was added to my billing and I have to remove it.
Had always had an issue with the limited MySQL DB support, only allowing 100MB of data in one database is a little crappy. Especially when I can have a bunch of DB instances but only 100MB on each one, it makes it a pain to have to program to use multiple DB instances on a web site.
Transferred nine domains and was notified that it takes 5 days to transfer the domain to the new provider; they state that: "1&1 will release the domain after five(5) days as required by ICANN if there are no restrictions, disputes, etc." I guess I will have to wait and see how things will be at Google, and it will give me some time to figure out what I want to point the domain names to. I have moved one to a Bitbucket repo already, and will just keep it pointed there once it is moved.
Will see how things go, and will need to move six more domains, but they are all used for email, and am not sure how long the outage will be on them. I will have to test one to see how things go, and what the outage on email will be. Then I have one that is tied to the main account for, and not sure how that will work to transfer it since it is tied to the hosting package. It is also the domain that is hosting this blog, so I will need to figure out where to host this site that will have access to PHP and MySQL, to allow me to host a couple web applications.

Friday, December 19, 2014

SANS SEC 542 - Washington DC CDI

Attended SANS SEC 542 Web App Penetration Testing and Ethical Hacking class in Washington DC at the Grand Hyatt from December 12 - 17 2014.
The instructor was Eric Conrad, and the class was fairly decent, and is a good start for anyone wanting to learn web application pentesting. I already had some extensive knowledge of web app testing, but decided to take the course anyway to see what SANS courses were like.
Learned a few things, but primarily knew most of the course material; most of the new things I learned are tool related. I do not usually use ZAP or W3AF, and since we used them in class I learned a few things about them and their capabilities.
There was a wide variety of people in the class, with about 30 students in the class room and about 15 online students. We had some that had no pentesting abilities, and some with a couple years experience.
The class was a six day course:
      DAY 1 : Attacker's View, Pentesting and Scoping
      DAY 2 : Recon & Mapping
      DAY 3 : Discovery
      DAY 4 : Discovery Continued
      DAY 5 : Exploitation
      DAY 6 : Capture the Flag
My team completed the CTF first, but Eric Conrad could not decide who yelled out first so he called it a tie with the team sitting just behind us.
The biggest things I learned from the class were actually not taught in the classroom; it was talking to the people there who are doing pentesting and work in the security community. Plus the additional talks that were held after classes were well worth staying up late and not going sightseeing around DC.
Now I just need to figure out how to get my boss to allow me to attend another one next year.

Saturday, October 4, 2014

Derbycon 4.0

Well Derbycon 4.0 is over, and now things have to go back to normal.
My boss has already scheduled me 3 new projects, and I have not finished last week's projects because I was too excited to get to Derbycon.
Completed the Urban Bourbon Trail (all in half a day, which I do not recommend unless you have the full day). Started at 2pm on Thursday after arriving at the Hyatt in Louisville, KY, and was done by 8pm that night. Felt terrible most of Friday morning but that did not stop me from getting in on the CTF.
Had a blast at Derbycon, spent most of my time playing CTF and hanging out with friends.
Team nanerpwn came in 2nd place in the CTF, and we had a good lead for most of the time on Friday and Saturday. Could not hold on to the lead towards the end, had a few people drop off to head back home early. So maybe next year we will come in 1st, if we can get everyone to stay until Sunday afternoon.
Ready for Derbycon 5.0

Sunday, August 17, 2014

Bahrain - Working for another manager is trying my patience

Well I am almost done with my small tour in Bahrain, and will be glad to be home. I will miss some of the people, they are great and were a joy to work with.
As for the project that my company is contracted on, I am a little pissed that nothing has really been done, since I last left from working over here. Well none of the projects that we were supposed to be working on. Many of the other vendors that had projects have finished, or are scheduled to finish their projects. It seems that the manager in charge has either not worried about the project or is clueless that his employees are lying to him.
The two people that were hired to come over here and work for the last year, who are not security minded people by the way, did almost nothing during the time they were over here. From what I can tell, it looks like they relied on other vendors to do most of the work and they took all of the credit for it. Most of the projects are not even actually started, but are marked as partially complete. I have been working on a Bit9 installation for a couple of weeks; there are 1200+ workstations in the environment, and only 130 systems have the software installed. There are no real policies defined, and only two workstations are locked down. The manager believes that all systems have the software installed and they are completely protected. I tried to let him know, and he did not seem to want to hear it. I dropped the conversations and began working on a solution to the issue.
I am ready to get back to pentesting, where I can actually do some good; well, I will keep telling myself that. Many of my customers just want a band-aid to cover over the problems, and not really work on fixing things, but I still get to have fun in the process.

Saturday, July 19, 2014

Heading back to Bahrain for my 3rd Trip

Heading out Monday July 21st to Bahrain for another 45 days of excitement in Bahrain. My company was renting an apartment since last year, but they let the lease lapse, so I will be staying in the Marriott for the stays. Which is fine with me, I like getting the points, and plus it has free breakfast. I guess they are expecting for me to look for another apartment to rent, not sure why the last person who was there did not do this, since he works on the project full time (or is supposed to).
Not sure what I will be working on this time around, since I have not been involved with this project since last year when I was there. Have had little information given to me from the director of this project, and the employees assigned to the director of this project have been little help giving me information.
Did not really want to head back, but my boss sort of gave me a "you do not really have an option" speech. I was supposed to be heading to Defcon during this time frame and told him I would prefer to do that than go to Bahrain. I was then told that was not a good reason to not go on the trip, and something like "I cannot justify you going to training instead of this trip" or something similar to that. This did not really make me happy, and they originally wanted me to go for 90 days, but I had to do military duty so I could only squeeze in the 45 days to go (well that is what I told them). Not like they could really argue about me not being able to go, since it is the federal government and all.
I was surprised that they were expecting me to cover this time frame for the project, but it seems that one of the two people they hired does not want to go back over there anymore. I was a little pissed about that, and think they need to fire him since he was specifically hired to do this project. Sure that will not happen, since they have him doing training for AlienVault software occasionally.
This is partly one reason I started researching penetration testing companies. Have found a few I like, but not sure if I will be looking for a new place to work just yet. Need to see if they are expecting me to make more trips back to Bahrain. I already told my director that I would not be heading back over already, so to not even ask me about it.

Tuesday, July 1, 2014

Pentesting Companies - Praetorian

I have been researching a few pentesting companies over the past few months, just to compare my current employer to others. I am happy at my current employer, I enjoy what I do, and most of the people I work with. I am just curious what other companies do for their employees, and what they require from them.
Through my research I noticed that many of them give fairly good benefits, and seem to have a relaxed work environment.
I was surprised that several require their employees to speak at conferences, write white-papers, and do research. While I am not against any of this, I am wondering how they would have time to accomplish any of this. I am booked solid usually weeks on end, with maybe a day or less of down time a month. Many also require 25% or more travel, which I am not opposed to either, but I generally do most of my assessments remotely. I have complained to my boss that we do not travel to customers enough. I prefer to do some face-to-face conversations with my customers to get a better understanding of their needs. Plus it makes it easier to social engineer information from someone.
I was fairly impressed with Praetorian, whose headquarters are in Austin, TX. They seem to have some very skilled and knowledgeable consultants, who are involved in the security community and open-source projects. They seem to be involved with the local college (University of Texas), having career expos at UT. They also have some small puzzles that you can try to work. I will have to try these when I get some spare time.
A Job Posting for a "Senior Security Consultant (Software)"
Qualifications: Successful candidates should have:
  1. 2-5 years of information security experience
  2. 1-2 years of consulting experience
  3. Strong understanding of software and application security
  4. Experience with languages such as C, C++, Java, .NET, Ruby, and Python
  5. Strong oral and written communication skills
  6. Involvement in software community via OWASP, WASC, and/or open source development highly desirable
  7. Track record speaking at major security conferences such as OWASP Appsec, SANS Appsec, and Blackhat highly desirable
  8. Ability to travel 10% of the time
  9. Minimum 4-Year Bachelor of Science Degree in Computer Science, Engineering, or equivalent from a "top ten" institution.
While the travel is a lot less than many of the other companies, they require a person who is good at public speaking at large conferences and is involved in the security community.
Well I guess if I wanted to go and work for them, I need to start speaking at conferences and get more involved in the security community. Not really going back to college to get a degree from a "Top Ten" institution unless someone else is willing to pay for it.