General | ethicalhack3r

Posts categorized “General”

January 2nd 2010

I got ha ha hacked

I had a security breach on the blog over the Christmas period. To cut a long story short, two black hats named HcJ and cyb3r-1st compromised another site on the shared hosting server and, while they were at it, decided to deface my blogs for a short period of time. After talking to both of them regarding the breach it turns out they are nice guys (a bit misguided); they told me how they breached the server so that I could pass the information on to the hosting provider for them to patch it.

At first I thought it may have been a WordPress 0day that they used to compromise my blogs, so I set about hardening my WordPress installation: changed all passwords, deleted all files and reinstated them from backup, installed security plugins, revised file permissions, etc.


Security plugins installed:
Chap Secure Login
Log User Access
Wordpress Firewall
WP Security Scan


Here’s a great article by WordPress on how to harden your installation:
http://codex.wordpress.org/Hardening_WordPress
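The "reinstate from backup" and "revise file permissions" steps above, as an added example script (not from the original post, and not one of the plugins listed): it compares a WordPress directory against a known-good backup and lists anything world-writable. The directory layout and sample files are constructed in a temp dir so it runs anywhere.

```python
# Added example, not code from the original post: the two checks the post
# describes doing by hand after the defacement. Sample tree is constructed.
import hashlib
import os
import stat
import tempfile
def _hash_tree(root):
    # Map relative path -> sha256 of every regular file under root.
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes
def diff_against_backup(install_dir, backup_dir):
    # Added files are where a defacement page or dropped-in script lands;
    # modified core files mean the install was tampered with.
    live, good = _hash_tree(install_dir), _hash_tree(backup_dir)
    added = sorted(set(live) - set(good))
    missing = sorted(set(good) - set(live))
    modified = sorted(p for p in live if p in good and live[p] != good[p])
    return added, modified, missing
def world_writable(install_dir):
    # Files or dirs any local account can write to: on a shared host that
    # means every other customer, which is how the post's server was hit.
    found = []
    for dirpath, dirnames, filenames in os.walk(install_dir):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(full, install_dir))
    return sorted(found)
def _write(root, rel, body):
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(body)
def demo():
    # Constructed sample: a clean backup and a live copy with one modified
    # file, one dropped-in file and one loose permission.
    os.umask(0o022)  # so the constructed tree starts out as 644/755
    base = tempfile.mkdtemp()
    good, live = os.path.join(base, "backup"), os.path.join(base, "live")
    for root in (good, live):
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        for rel in ("index.php", "wp-config.php"):
            _write(root, rel, "<?php // clean\n")
    _write(live, "index.php", "<?php // defaced\n")
    _write(live, os.path.join("wp-content", "uploads", "x.php"), "<?php\n")
    os.chmod(os.path.join(live, "wp-config.php"), 0o666)  # loose perms
    return diff_against_backup(live, good), world_writable(live)
```

On a real install, point `diff_against_backup` at the live docroot and a backup taken before the incident; every "added" entry is worth opening before the site goes back up.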


The zone-h defacement mirror:
http://www.zone-h.org/mirror/id/10039957


In this instance there is very little I can do to protect the server as it is not owned by me; the best I can do is change or pressure the hosting provider and secure my web applications.



January 1st 2010

Free software in a Windowed world

I recently upgraded to Windows 7 from Vista. I had planned to migrate fully to Ubuntu 9.10 Karmic however after nearly £100 investment in wireless equipment and none of the hardware working under Ubuntu I bit the bullet. I will now be running Ubuntu and other Linux distributions as Virtual Machines.


Here is a list (in no particular order) of essential (to me) Open Source and Free (as in beer) software (non-security) I installed on my shiny new Windows 7:


FileZilla FTP client – http://filezilla-project.org/ (Open Source)
Mozilla Thunderbird – http://www.mozillamessaging.com (Open Source)
Inkscape – http://www.inkscape.org/ (Open Source)
BitTorrent – http://www.bittorrent.com/ (Open Source)
Wireshark – http://www.wireshark.org/ (Open Source)
7-Zip – http://www.7-zip.org/ (Open Source)
Notepad++ – http://notepad-plus.sourceforge.net/ (Open Source)
Mozilla Firefox – http://www.mozilla.com/firefox/ (Open Source)
OpenOffice – http://www.openoffice.org/ (Open Source)
Sun VirtualBox – http://www.virtualbox.org/ (Open Source)
Tortoise SVN – http://tortoisesvn.tigris.org/ (Open Source)
VLC – http://www.videolan.org/vlc/ (Open Source)
TrueCrypt – http://www.truecrypt.org/ (Open Source)
XAMPP – http://www.apachefriends.org/en/xampp.html (Open Source)
Zattoo – http://zattoo.com/ (Free)
Spotify – http://www.spotify.com/ (Free)
Skype – http://www.skype.com/ (Free)


It should now be easier than ever to pwn my box now that you all know what software and OS I’m running. ;) What Open Source/Free software can you not live without?


P.S. HAPPY NEW YEEAARRR!!!



December 14th 2009

RandomStorm acquire DVWA

RandomStorm have acquired Damn Vulnerable Web App (DVWA) :)


RandomStorm showed their interest in DVWA and wanted to help the project grow. After some weeks of talks we have settled on an agreement which I believe will benefit the DVWA project immensely.


What do RandomStorm do?

RandomStorm was formed in 2007 to provide a proactive vulnerability management service for companies and organisations that take network security seriously and need to demonstrate maximum due diligence in protecting personal and corporate information.


Without going into too much detail, RandomStorm will help develop DVWA further, help with marketing and direction, and overall make the project as good as it can be. DVWA will now be part of the RandomStorm Open Source Project and will be hosted with them in the near future. I will still play a strong role in the development and general overseeing of the project. The acquisition of DVWA has nothing but positives: the project will be as great as or greater than it is now, I still get to work on my baby, DVWA will still be open source, and the project has the backing of a great company, RandomStorm.


Andrew Mason, Chief Technologist at RandomStorm says:

I see that combining efforts on this will really add value to this great tool and take it to the next step.


RandomStorm will be releasing an official press release in the near future. I would really like to hear everyone’s feedback so please comment.


In the meantime you can follow RandomStorm on Twitter: @RandomStorm



November 22nd 2009

rfc in your pocket

I wanted to start reading RFC 2616, HTTP/1.1, because who knows more about how HTTP works than the inventors, right?! The only problem is that I hate reading large documents from screens; I lose concentration after very little time and end up on Twitter or some other social networking site.


So I started looking for printed RFCs, someone must have put these in a book?! Well, it turns out that I couldn’t find any. I thought about printing the entire RFC from my university library (£0.10 a page) however RFC 2616 contains 176 pages (£17.60 total). I remembered that OWASP use lulu.com for printing their awesome books, so I decided to print my own RFC and make it into a book. After many hours of trying to fit the A4 RFC into a pocket-size (4.25″ x 6.88″) book, getting the font size right, aligning the page numbers and getting the formatting just right on all 176 pages, ‘rfc in your pocket’ was ready to upload! After lots of trial and error with reformatting and trying to get the whole thing to fit I decided to order one for myself.




I was really surprised with the quality of the finished product! It even fits in my pocket!


So now I figure, why not sell it and let other people have their very own RFC in their pocket without having to go through all the hassle I went through. It turns out that RFCs can be distributed etc., as long as you keep the original copyright notice intact. But I’m making money off other people’s work! That’s not very ethical.


Here’s how much the whole thing costs:

Manufacturing: £4.29

My Revenue: £0.57

Lulu’s Revenue: £0.14

Book selling price: £5


What I have decided to do is give 50% of my revenue per book sale to ihackcharities, that means that I earn £0.285 per book sale and so does ihackcharities. That way I get something for my hard work and the rest goes to a good cause.


You can buy the ‘RFC 2616 - HTTP/1.1’ rfc in your pocket book from here:

http://www.lulu.com/product/paperback/rfc-2616—http11/6007891


I plan to do more if this one sells enough and there is demand for other RFCs in your pocket.



November 12th 2009

1 year on

Today is exactly one year on from posting my first post on the blog. I had a premature celebration (couldn’t hold the excitement) by changing the design, as you have all probably noticed. I am still working on the redesign so there may still be some glitches here and there; bear with me.


I have come a long way since that first post and learnt a great deal. In 12 months I have created and managed DVWA to the success it is now, with lots of help from the community. I have done talks, written articles and been a guest on some great podcasts. I completed my first year at university with the grade I set out to achieve and I am now halfway through my second year, still going strong.


All this I could not have achieved without my friends, family and the online security community. The infosec community is always there to lend a hand and has opened up great opportunities for me. If you are an Ethical Hacking student or security professional and you’re not involved in the community, I can’t stress enough how beneficial it is to contribute and learn from the amazing people that are out there. I would like to name names, however there are so many of you that have helped me I’m afraid I might miss someone out.


Without you, the reader, there would be no point in me keeping the blog updated with new posts, so please comment, give feedback and let me know what you would like to see more of. Also, don’t forget to subscribe! Blue box on the right. ;)


Again a big thank you to you all.