lnav the log file navigator

This is a recommendation for a tool I have been using for months: the log file navigator.

Everyone knows the issue: you have to look at logs from various places, and you start with tools like more, grep, cat etc., or you upload them to your ELK, Splunk, QRadar, you name it.

While those tools have their place, log files usually come with a specific set of requirements if you want to handle them effectively. For exactly that reason, use lnav. The tool lets you work with your log file(s) locally, offline and effectively.

Some quotes:

Just point lnav to a directory and it will take care of the rest. File formats are automatically detected and compressed files are unpacked on the fly.

The log message format is automatically determined by lnav while scanning your files. The following formats are built in by default:

More features on the project website.

The best part? The tool is free! Yes, free as in free: no data is shared with the developer, no shareware, it is simply free!

It runs on Apple OS X and Linux. I am waiting for a Windows version, given that there is Linux subsystem support on Windows 10.

CVE-2018-5559 my first CVE

TLDR

CVE-2018-5559 is an information disclosure vulnerability in Komand Security Orchestrator (v0.40.2) that was responsibly disclosed to Rapid 7 and was mitigated and patched within days (version >0.42.0). The vulnerability itself does not deserve a logo.

Introduction

As a security professional I hear a lot of people complaining about companies handling responsible disclosure in a way that is not appreciated by customers (by sitting on patches too long) or by the discloser (by not reacting etc.). The following blog post is a report about a very positive case that I experienced when disclosing my very first security vulnerability. I really hope this one gets shared and that companies adopt some of the positive aspects. At the very end of the post I will also point to further resources where either researchers or companies can read more about the topic.

The stage

Being interested in various APIs that are of interest to security people (which eventually turned into a dedicated list of APIs on Github), I stumbled across Komand Security Orchestrator. As there was no documentation available (heads up Rapid 7, that fact needs some love!) I spent some time reverse engineering and discovering the APIs with the Google Chrome developer tools and Python, actively sharing my results on Github.

One of the API endpoints was /connections:

https://komandurl/v2/connections 

Connections

Komand Security Orchestrator is built to interact with various (security-related) tools and to create so-called workflows. To achieve that, Komand needs credentials for those tools. Every set of credentials is stored in a central keychain that workflows can access. Most connections store some kind of URL, username and password.

Given this nature, the credentials stored in this keychain usually either have higher privileges to accomplish tasks or can see more than a regular user.

Every plugin can have its own set of credentials; for example, with the LDAP plugin connecting to Active Directory, there could be separate credentials for the prod and the qual Active Directory.

Surprise

After my first GET request to the connections API endpoint something got my attention. While most of the connections have the password field masked with asterisks, some did not – WTH?
Most look like the following:

"name":"VT Private API","type":"plugin","parameters":{"api_key":"********","url":"https://www.virustotal.com/vtapi/v2/"} 

But OTRS looks like the following:

{"connection_id":36,"plugin_id":75,"name":"OTRS Dev User:komand_test","type":"plugin","parameters":{"server":"https://REDACTED","credentials":{"password":"REDACTED","username":"komand_test"}},"created_at":"2018-08-08T10:56:54Z","updated_at":"2018-08-08T10:56:54Z","deleted_at":null,"deleted_by_id":null}

And LDAP:

{"connection_id":39,"plugin_id":72,"name":"AD","type":"plugin","parameters":{"host":"ldaps://LDAPURL","port":636,"use_ssl":true,"username_password":{"password":"CLEARTEXTPASSWORD","username":"AD\\USER"}},"created_at":"2018-10-05T11:53:47Z","updated_at":"2018-10-05T11:53:47Z","deleted_at":null,"deleted_by_id":null}

Scope – pre-requisite

To get the above-mentioned list of connections you need to be an authenticated admin, so it is not open to everyone.

Scope – affected plugins

Since not every password was visible, several plugins (not all of them!) were tested; two plugins seem to be affected:

LDAP plugin and OTRS plugin
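A defender-side check for this class of bug, added here as an example (not part of the post or of komand-tools): it walks every connection's parameters in a /v2/connections response and reports secret-looking fields whose value is not the masked placeholder, which is also a quick way to confirm a fix after updating. The list of secret field names, the sample response and its hostnames and passwords are constructed assumptions.

```python
"""Audit a Komand /v2/connections response for secrets that are not masked.

Added example, not from the original post or from komand-tools. The sample
response below is constructed from the shapes shown in the post; hostnames
and passwords are placeholders, not real values.
"""
import json
import re

# Parameter names that must only ever come back masked. This list is an
# assumption of this example; Komand does not publish one.
SECRET_FIELD = re.compile(r"password|api_key|secret|token", re.IGNORECASE)
MASK = "********"


def find_unmasked(value, path=()):
    """Recursively yield (path, clear_value) for secret-looking string fields
    whose value is not the mask. Nested objects such as "credentials" or
    "username_password" are descended into, which is where the post found
    the clear-text passwords."""
    if isinstance(value, dict):
        for key, child in value.items():
            if SECRET_FIELD.search(key) and isinstance(child, str):
                if child != MASK:
                    yield path + (key,), child
            else:
                yield from find_unmasked(child, path + (key,))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from find_unmasked(child, path + (index,))


def audit_connections(connections):
    """Return one finding per unmasked secret field. The clear value itself is
    deliberately not stored, only its length, so the report can be shared."""
    findings = []
    for conn in connections:
        for path, leak in find_unmasked(conn.get("parameters", {})):
            findings.append({
                "connection_id": conn.get("connection_id"),
                "name": conn.get("name"),
                "field": "parameters." + ".".join(str(p) for p in path),
                "value_length": len(leak),
            })
    return findings


# Constructed response: one correctly masked connection and two shaped like
# the OTRS and LDAP entries in the post.
SAMPLE_RESPONSE = json.loads(r"""[
  {"connection_id": 12, "plugin_id": 9, "name": "VT Private API", "type": "plugin",
   "parameters": {"api_key": "********", "url": "https://www.virustotal.com/vtapi/v2/"}},
  {"connection_id": 36, "plugin_id": 75, "name": "OTRS Dev User:komand_test", "type": "plugin",
   "parameters": {"server": "https://otrs.example.invalid",
                  "credentials": {"password": "placeholder-otrs-pw", "username": "komand_test"}}},
  {"connection_id": 39, "plugin_id": 72, "name": "AD", "type": "plugin",
   "parameters": {"host": "ldaps://ldap.example.invalid", "port": 636, "use_ssl": true,
                  "username_password": {"password": "placeholder-ad-pw", "username": "AD\\USER"}}}
]""")


def main():
    findings = audit_connections(SAMPLE_RESPONSE)
    for f in findings:
        print(f"connection {f['connection_id']} ({f['name']}): "
              f"{f['field']} is not masked ({f['value_length']} chars)")
    print("all secrets masked" if not findings else f"{len(findings)} unmasked field(s)")


if __name__ == "__main__":
    main()
```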

Impact

The best way to score the vulnerability is to use CVSS; the rating for this vulnerability is a CVSS score of 3.1:

CVSS Base Score: 3.4
Impact Subscore: 1.4
Exploitability Subscore: 1.7
CVSS Temporal Score: 3.1
CVSS Environmental Score: 3.1
Modified Impact Subscore: 1.4
Overall CVSS Score: 3.1

Responsible disclosure process

October 25, 2018 14:42: created an issue in the Rapid 7 online portal / mail to CIRCL.lu

So I found the issue and wanted to get it fixed as soon as possible and have a CVE assigned. My first reaction was to reach out to my friends at CIRCL.lu to assist and assign a CVE, so I sent them a PGP-encrypted mail to info@circl.lu.

Side note: by accident I had a local mail rule filtering all mails from info@circl.lu into a sub-folder and marking them as read. That is a stupid thing to do if you expect an answer from them, and it caused some confusion afterwards. So, for clarification: they were very responsive and their reaction time is in the range of hours. If you do not know whom to disclose to, CIRCL as a third party is a great way to get started, and they have a profound network of contact points.

Then I looked at the Rapid 7 web page and found that they have a responsible disclosure statement and procedure in place as well, so I gave it a shot by opening an issue there.

The portal is very well done and requests information that helps engineers assess the impact as fast as possible; it is even possible to propose a CVSS rating (more on that later).

October 26, 2018: first reaction from Rapid7

Rapid7 gave a SYN / ACK confirming they had received the issue and that Engineering and Support were working on scoping and verifying it.

October 26, 2018: Rapid7 verifies it is an issue

On the same day the designated person left a note in the online portal verifying that it is an issue and that they are working on fixing it.

October 30, 2018: Rapid7 case update

Note in the online portal: the Rapid 7 team is working on a fix; they provided a rough timeline that a patch should be available the same week and that assigning a CVE is in progress as well.

November 1, 2018: Rapid 7 case update

Another note that the fix is on the horizon.

November 1, 2018: Komand Release Notes

On that day a mail titled "Komand Release Notes" was sent out announcing a new version. In the bug fixes section this was mentioned:

v0.42.0: Certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response. We fixed this issue, and all configurations of connection data are now correctly obscured.

November 1, 2018: Komand Slack

Via Slack, Komand engineers asked for my feedback on whether the patch indeed fixed the issue I reported; after updating I was able to confirm that.

November 2, 2018: pre-assigned CVE

Rapid7 reached out to me and CIRCL (who seem to have reported the issue in parallel; I had no SYN / ACK from them, but I had told them they did not need to disclose further as soon as I discovered the Rapid 7 portal).
In this mail I was told the pre-assigned CVE for the issue and the CVSS rating their engineering team came up with. They also asked whether I planned to write a blog post or other coverage (which you are reading at the moment).

Affected?

All versions below 0.42.0 are affected. As far as I know, only the OTRS and the LDAP plugin are affected.

Mitigation

Update to Komand version 0.42.0 or later. I would also recommend resetting the passwords of all accounts stored for the LDAP and OTRS plugins.

Exploited?

Most people might ask: alright, so how can I find out whether someone with bad intentions has used this vulnerability? The only way to tell is to check the web logs of Komand and look for GET requests to /v2/connections from unusual source IPs.
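One way to run that log check, added as an example (not from the post): a scan over constructed access-log lines that reports successful GET requests to /v2/connections from sources outside an expected admin range. The common/combined log format and the expected source range are assumptions, since the post does not say which format Komand's web logs use or where admins connect from.

```python
"""Scan web access logs for reads of the Komand /v2/connections endpoint.

Added example, not from the original post. It assumes the logs are in the
common/combined access-log format (the post does not say which format
Komand's web server writes) and that admins reach the API from a known
source range; both are assumptions to adjust. The log lines are
constructed, using documentation address ranges.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Common/combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Where admins are expected to use the API from (assumption).
EXPECTED_SOURCES = [ip_network("10.0.0.0/8")]


def is_expected(ip):
    """True if ip lies in one of the expected admin source ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in EXPECTED_SOURCES)


def connection_reads(log_text):
    """Yield (ip, time, status) for every GET that hit the connections list.
    A trailing slash or query string still counts; lines that do not match
    the format are skipped rather than guessed at."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if m.group("method") == "GET" and path == "/v2/connections":
            yield m.group("ip"), m.group("time"), int(m.group("status"))


def suspicious_sources(log_text):
    """Count successful (HTTP 200) connection list reads per source IP that is
    outside EXPECTED_SOURCES. Only a 200 returned the data; rejected
    attempts are left to a separate review."""
    hits = Counter()
    for ip, _time, status in connection_reads(log_text):
        if status == 200 and not is_expected(ip):
            hits[ip] += 1
    return hits


# Constructed log excerpt: an expected admin, an unexpected source that read
# the list twice (once with a trailing slash, once paged), a rejected attempt,
# and a line in the wrong format.
SAMPLE_LOG = """\
10.1.2.3 - - [31/Oct/2018:14:49:41 +0000] "GET /v2/connections HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.1.2.3 - - [31/Oct/2018:14:50:02 +0000] "GET /v2/workflows HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Oct/2018:22:13:09 +0000] "GET /v2/connections/ HTTP/1.1" 200 5120 "-" "python-requests/2.19.1"
203.0.113.7 - - [31/Oct/2018:22:13:10 +0000] "GET /v2/connections?page=2 HTTP/1.1" 200 4096 "-" "python-requests/2.19.1"
198.51.100.9 - - [01/Nov/2018:03:00:00 +0000] "GET /v2/connections HTTP/1.1" 401 0 "-" "curl/7.61.0"
garbage line that is not in access-log format
"""


def main():
    hits = suspicious_sources(SAMPLE_LOG)
    if not hits:
        print("no /v2/connections reads from unexpected sources")
    for ip, count in hits.most_common():
        print(f"{ip}: {count} successful /v2/connections read(s), review this source")


if __name__ == "__main__":
    main()
```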

Feedback

The way this issue was handled was straightforward; at every point I had the impression that my issue was treated at the right level: no over-hyping and no "we don't care", just the right balance.
It is notable that the online form used by Rapid7 supports this process a lot; I assume it makes it easy to scope issues on the engineering side and also makes it easy for the researcher to find out the current status of the reported issue.

It is also good to see that the work of the FIRST CVSS SIG adds value in such cases, as it helps both sides to rate the vulnerability.

Links

https://nvd.nist.gov/vuln/detail/CVE-2018-5559

https://github.com/CVEProject/cvelist/pull/1303

Further reading

To learn more about best practices in responsible disclosure I would recommend:

https://titanous.com/posts/security-disclosure-policy-best-practices

 

timesketch-tools

Overview

I am happy to say that a new tool made it to Github, called "timesketch-tools".
It is basically a way to interact with Timesketch via the CLI. For those who don't know Timesketch: it is an amazing open-source tool developed by Johan Berggren and is used to create timelines for forensic investigations as well as incident response cases.

Reason

Back in 2017, Johan tweeted:

Why is the web UI not enough? Well, in some cases you might want to automate things, have no browser, or have other reasons, so it is not a question of "why" but of "why not".

So that is what I did over the last few days: I built a client for it, timesketch-tools.

Capabilities

At the moment only two methods work, but that should be enough to show its potential.

List sketches

timesketch-tools.py -ls
     
         _______               __       __      __ 
        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / 
         / / / /  ' \/ -_|_-</  '_/ -_) __/ __/ _          
        /_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1

            
+-----+-----------------------------+
|  id |             Name            |
+-----+-----------------------------+
| 130 |     test1Untitled sketch    |
|  3  | The Greendale investigation |
+-----+-----------------------------+

Add event

timesketch-tools.py --add_events
     
         _______               __       __      __ 
        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / 
         / / / /  ' \/ -_|_-</  '_/ -_) __/ __/ _          
        /_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1

            
Please provide the sketch id you want to add events to as (an integer): 3
Please provide informations to the event you would like to add timestamp, timestamp_desc, message will be promted

Timestamp (use Format: YYYY-mm-ddTHH:MM:SS+00:00 2018-01-15T10:45:50+00:00) use c for current time c
timestamp_desc this is the description
message something was hacked
Event added, ID: 18 Date:2018-10-31T14:49:41+00:00 timestamp desc this is the description messagesomething was hacked
Add another event? (y/n)n

I have a lot of ideas for improvements, so expect more functionality soon…

Komand-tools

Out of my attempt to reverse engineer the Komand API (a security orchestration tool) I found myself writing some Python helpers to use the API. Maybe they are useful for some people, so I decided to open-source them.

It is hard to understand why a tool whose main purpose is to connect APIs does not have API documentation / a client itself.

Usage should be pretty simple: clone the repository and you are good to go:


usage: komand-tools.py [-h] [-v] [-wm] [-j JOB]

optional arguments:
  -h, --help           show this help message and exit
  -v, --verbose        increase output verbosity
  -wm, --workflow_map  show workflow map
  -j JOB, --job JOB    show job status

Feel free to open issues or make pull requests. The repository is hosted on Github: https://github.com/deralexxx/komand-tools/

100 days on the board of directors of FIRST

There is this thing of looking back after 100 days of starting a new challenge. This post shares my perspective on my first 100 days on the board of directors of FIRST (Forum of Incident Response and Security Teams).
On June 28th, 2018 the annual general meeting of FIRST elected five people to serve on the board of directors for a two-year term, and I was one of the five.
I still remember the day as if it were yesterday: I was very nervous going into the AGM, knowing that outstanding people were throwing their hats into the ring. In my diary I wrote about the great relief I felt after the results were called out.

Kuala Lumpur

Right after the election the first board meeting was called to order by the chair, Thomas Schreck, and we had to elect the new officers and start thinking about the different tasks to be taken on by the newly elected people. Having been a guest at board meetings before, I thought I was used to the structure and to Robert's Rules, which are used to run the meeting, but it is a different story calling out "aye" and "nay" to state your position when a decision is needed. Being new on the board means you get an ad-hoc bootcamp on the "duties and obligations of the board of directors" by the FIRST lawyer, and also some organisational topics and infrastructure to get you up to speed, such as a @first.org mail address and access to various online tools, all within hours.

San Francisco

This first physical board meeting was a new experience, so let me share it with you.

I had never been to San Francisco before, so that alone was mind-blowing: being at the centre of the digital revolution. Anyway, the reason for that trip in September was to bring 8 people (two board members joined virtually) from around the globe together to meet, discuss and work on FIRST and for the community that FIRST represents.

Let me say those meetings are intense. I am used to attending meetings; in most meetings you either need to concentrate for an hour or two and then the meeting is closed, or it is a workshop setup where most of the content is already agreed / prepared in advance. For FIRST board meetings you have to pay attention for eight hours straight, most coffee breaks are used to continue the conversation, and lunch is also about FIRST. As a non-native speaker that is even more intense to follow. But we did get things done: we worked on topics that will enable FIRST to grow further and to use the resources we get from members and participants of our events in an even more targeted way.

Even on the travel days we managed to squeeze in some one-on-one meetings to brainstorm in detail on topics that will sooner or later be proposed to the board of directors and the members.

That trip showed me how much enthusiasm every individual on the board has; they are truly committed, which is great to see and also a prerequisite, as everyone has their tasks and duties to keep FIRST running.

Recognition of FIRST

Before joining the board, I truly believed that FIRST is a key player in addressing some of the challenges the global population is facing, e.g. fake news, cyber warfare and privacy. After 100 days, I can now say it is a matter of fact that more and more organisations value FIRST, asking for our opinion, input or expertise, through training policy makers and through our efforts with our valued partner organisations. We are still on a long journey to prepare for that and to be able to answer all that demand at a level we feel comfortable with.

Secretary

If you have read this far and think serving on the board is a tough job, you are right, but I haven't covered one particular aspect which is the central point of every meeting: Nora Duhig.

Every meeting has an agenda (obviously) and needs to have minutes. Imagine 10 adults who are experts in their professional areas discussing and arguing about all aspects, from finance over contracts to nifty details of infrastructure (hosting infrastructure on premises or in the cloud, which technology to use…). For transparency reasons every meeting has to have minutes, so someone must keep track of everything, and that is Nora. It is impressive to observe her ability to follow the discussions and write the minutes while still being able to be pulled into the discussion out of the blue at any time, because she has been attending board meetings far longer than most current members combined. It is critical to know why a certain decision was taken in the past in order to make decisions for the future, by either sticking to those decisions or changing the strategy; having that context is gold.

Conclusion

It is hard to imagine how complex a not-for-profit organisation that "only" enables a community is. This organisation has 30 years of history, which includes some small things that we as a board need to work on to transform what we have done in the past into a modern way of operating an organisation. FIRST is doing business with entities literally all around the globe because of the spread of the membership and the events we host or co-host.

I am in no way saying I am now settled on the board, as the planning phase for the FIRST conference 2019 and already 2020 and 2021 (yes, not a typo!) is increasingly taking more time on board calls and the other communication channels that we use almost daily. So I am looking forward to the challenges we have to tackle as a group, and I am thankful for the opportunity.

Statistics last 100 days

– 2 board meetings in Kuala Lumpur
– 3 virtual board meetings
– 1 physical board meeting in San Francisco (3 days + various side meetings).
– 2 virtual meetings with the membership committee
– 3 calls as the liaison for special interest groups (SIGs)
– was active on 16 of the last 30 days in our internal chat
– 50+ mails written to the board mailing list
– 300 mails received via board mailing list

Thanks to Serge Droz for the picture shown above.

curl -u in python

Problem

Sometimes you might want to authenticate against an API with username and password where the examples are only given with curl:


curl -u username:password https://127.0.0.1/foobar

Solution

If you want to implement the same in Python you can use the following:


import requests
from requests.auth import HTTPBasicAuth

username = "username"
password = "password"

request_url = "https://127.0.0.1/foobar"

# curl -u without -d sends a GET with an HTTP Basic Authorization header;
# use requests.post(...) instead if the API call is a POST.
result = requests.get(request_url, auth=HTTPBasicAuth(username, password))
print(result.status_code)

Hope it helps; let me know.


Der Radladen Mannheim: a field report

"Der Radladen feedback" or "how can small shops compete with the online giants"

Preface

That is to be the title of today's blog post. Those who know me know that I buy practically everything online, from a fridge to sticky tape to muesli; everything is bought from the well-known online giants. Not so with my last bicycle, however. So I would like to share my thoughts and experiences here.

About half a year ago, after long months of research on the internet and reading countless blogs and forums, the decision was made: a new bicycle would extend the fleet. The next decision was online vs. brick-and-mortar. Many of the bike shops in the area fall through the cracks due to limited competence or a lack of will to build a bike that does not follow the standard template. Searching for dealers that carry the desired manufacturer (Surly) led me to the specialist shop "der Radladen" in Mannheim.

The Facebook page and the blog are maintained only rudimentarily, but what is evident is that many of the bikes built there are not off the shelf; very promising. So, on the spur of the moment, I fired off an email with my wishes and parts lists to see whether and what kind of answer would come. It took only a few hours until the answer came, roughly: "sounds cool, but better come by so we can talk about it".

Planning

At this point it should be said that I do know a fair bit about bicycles, but I would rather spend my time riding than wrenching. Some parts of the bike were practically fixed, e.g. the headlight or the frame; other things such as the handlebar or the drivetrain were only roughly outlined (road bike handlebar, 11 gears).

No sooner said than done: a few days later I drove to Mannheim, and on entering the shop came the first positive surprise. What stands in the showroom / workshop would, in most other shops, be gathering dust in a corner labelled "special"; here, everything revolves around the special. Cyclocross, gravel, randonneur, cargo bikes, folding bikes, all everyday business and no exception. Wonderful.

Advice

So off we went: I briefly explained to Lars (the managing director) that the email had come from me. "Ah yes, project Ogre", and we began to discuss every single aspect of the bike. I described what I wanted to use the bike for and what I could imagine; he added his experience with individual components from the umpteen bikes he had already built to the overall work of art, so that after a good hour we had a balanced list of what the bike should be made of. Since some of the parts could not be delivered quickly (in the nature of things you cannot expect to find everything in stock), a time frame of about four weeks was agreed, with intermediate steps planned in which, for example, the saddle, seat post and handlebar would be fitted on the final frame.

Handover

These adjustments were indeed made, and after four weeks I was able to collect the bike. At handover a test ride is done and saddle and handlebar are adjusted precisely to the rider once more. The bike was built exactly to my wishes and the parts fit together perfectly; note, however, that no bike leaves the Radladen without a reminder of the inspection, included in the price, about 4 weeks later. There, bolts are re-tightened, the seating of the spokes is checked, and it is simply made sure that the bike continues to bring joy.

4000 km later

By now I have spent a good 4000 km on the bike and dare to draw my conclusion. I could indeed have got some of the components (not all) cheaper online. Possibly I could also have got components faster if I had narrowed the selection of online dealers accordingly.
What I do not get online, however, is the advice and experience in matching the components to one another. That is hard to replace with forums and blogs, since these are mostly one-off builds as a whole and the devil is in the detail: for one person the chosen crank fits, the next one perhaps has a frame one size larger and the crank no longer fits, and there you have the trouble and frustration. I would rather ride a bike planned and built with expertise.

Conclusion

So brick-and-mortar retail can certainly score against online. That works above all through service and the unique selling point of being willing to serve individual wishes. Of course this service has to be priced in; anyone who wants to buy a bike for 499 euros must not expect such service. I would wish that more shops found their niche and developed into experts there, instead of trying to serve as broad an audience as possible. Some also confuse or mix up the activity of a dealer with that of a mechanic; both require different skills, and not every dealer is a good mechanic and vice versa. Customers looking for a capable mechanic who sells through his expertise are in the best hands at the Radladen in Mannheim.

15 Must read books if you want to work on Cyber Security

Motivation

One of the most frequent questions I get asked by my students: What books should I read if I want to work in Cyber Security?

So I reviewed what I have read so far and talked to colleagues I trust to compile the following list (as I have a lot of German readers, there is always a link to the German and the English version). The list is a mixture of educational books as well as books that give an idea about the mindset of hackers, defenders and other players in that field.

If you have other recommendations, opinions or comments, I would highly appreciate every feedback in the comments below.

I will try to update the post regularly as new trends come up, e.g. machine learning, AI or blockchain (but I do not see any must-read books in those areas).

It is fair to say that this is not the only way into the security area; a good amount of people learned from blogs, Twitter, YouTube and such, and there is nothing wrong with that. Quite the opposite: as the pace of change is so fast, it is hard to keep books up to date.

Every item has links to amazon.com; if you happen to buy a book using the links you support the blog, thank you for that.

1. The Art of War

by Sun Tzu

A relatively short (and cheap) book that teaches various aspects of war that most experts agree can also be applied to cyber security. To be honest, there are also a good number of people who think The Art of War is not that important, so read it and form your own opinion.
At least it will be a good ice breaker for networking.

English link / German link

2. Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker

by Kevin Mitnick

This was the first security-related book I read, after attending a conference talk by the author, Kevin Mitnick. It is fair to say he is one of the best-known hackers, and reading his stories gives the reader first-hand access to the mind and motivation of a hacker. The book is also a very good read.

English link / German link

3. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage

by Cliff Stoll

What to say: a book about espionage, spies and much more. A good book that must be read for sure.

English link / German link

4. Practical Malware Analysis: A Hands-On Guide to Dissecting Malicious Software

by Michael Sikorski

Reading that book will equip you with all the concepts and skills to analyse malicious files. This is a very good skill even if your goal is not to become a top-notch malware reverse engineer, as the concepts outlined in the book help to understand how files are weaponized to target systems or users.

English link / German link

5. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter

This book covers maybe the most prominent cyber security attack in history: Stuxnet. To understand the motivation of companies to invest money in cyber security, knowing and trying to understand the Stuxnet case is very helpful, and Kim Zetter's book is the best way to do so.

English link / German link

6. Rtfm: Red Team Field Manual

by Ben Clark

This list would be incomplete without at least one book covering the offensive side of cyber security: red teaming. Even if you do not want to be paid to hack into companies, it is good to know what the people who get paid to hack into companies have, without a doubt, read.

English link / German link

7. Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan

by Jeff Bollinger, Brandon Enright, Matthew Valites

Legendary book outlining how to ramp up an incident response plan to defend a network. If your goal is to go into red teaming, read that book to understand how defenders work.

English link / German link

8. 1984

by George Orwell

A fictional book but also a must-read for making a career, because it will sharpen your sensors for privacy more than any other book out there.

German link

9. Practical Unix &amp; Internet Security

by Simson Garfinkel, Gene Spafford, Alan Schwartz

Sooner or later everyone in the industry encounters Unix; that is why this book is on the list, because it is the bible for that area.

English link / German link

10. Computer Incident Response and Product Security

by Damir Rajnovic

Damir "Gaus" Rajnovic wrote the standard reference for setting up a Computer Security Incident Response Team (CSIRT / CIRT / CERT) or a Product Security Incident Response Team (P-SIRT).

German link

11. Applied Cryptography: Protocols, Algorithms and Source Code in C

by Bruce Schneier

A top-x list in cyber security without a book from Bruce Schneier is not worth listening to. Bruce Schneier is the rock star of the area, and his book is the go-to for cryptography.

English link / German link

12. Secure Coding: Principles and Practices

by Mark G. Graff, Kenneth R. van Wyk

You need to understand how to write secure code. Without that know-how it is way harder to argue about basic security principles. This book is the bootcamp for that purpose.

English link

13. Hacking: The Art of Exploitation

by Jon Erickson

Referred to by a trusted friend as one of the go-to books for understanding exploitation.

English link

14. Cryptonomicon

by Neal Stephenson

Another fictional book on the list, to understand motivation and boost your own motivation in the field.

English link

Bonus: The Ultimate Hitchhiker’s Guide to the Galaxy

by Douglas Adams

When asking friends for opinions and recommendations for this list, The Ultimate Hitchhiker's Guide to the Galaxy was mentioned "because no security professional will take you seriously if you haven't read it". Nothing to add here.

English link / German link

Comment

You might have noticed that it is not yet 15 books; I am still on the journey to discover the remaining bricks. But I prefer to let people read fewer books that have a big impact rather than more books of which some might not be of the same caliber.

Have fun with reading.

(This post is inspired by 15 Must Read Books if You Want to Work on Wall Street)

Surveillance cameras: what matters

I am regularly asked how to set up simple camera surveillance for one's own home. Many people are currently building or renovating their house; many trades are staffed with experts, or there is already a great deal of material on the internet. Apparently not, however, on outdoor video cameras.

So as not to tell the same story over and over, here is a written version of my answers.

Disclaimer: This blog post is not legal advice, so please first check which rules and laws apply, and respect the privacy of your neighbours and other people in your household, as well as people who may visit you (more on that later).

The post is divided into several questions; if further questions are burning under your fingernails, just use the comment function.

Question: Why should I install a video system / video surveillance in my house?

The most important thing to understand is that a video system does not prevent anything. Anyone who wants to protect themselves against burglaries has to invest in things like locks, fittings or bolts (keyword: passive security); an alarm system does not prevent burglaries either.
A video system can, however, provide a feeling of security, and it can help to solve burglaries or thefts.

Such a system can also be used to give people who are in the house, e.g. with their office in the attic, an overview of what is happening around the house.

Another thing to consider is the power supply, first of all the power supply of the camera (Power over Ethernet vs. regular wall socket vs. battery):

Wall socket: great if it is already there. The question then is how the data transfer works; Wi-Fi / WLAN can sometimes be somewhat unreliable.

Power over Ethernet: possibly sensible if there is no socket where the camera goes, so that only one cable needs to be run.

Batteries: usable if you have no cables at all / cannot lay any cables. Note, however, that with sufficient motion a lot of images / videos are produced, which shortens the camera's running time considerably.

Question: Where should a camera be placed?

The answer is hard to give; it depends. On the one hand, you should consider interesting spots such as entrances, parking spaces or recesses.
Another aspect is the exact placement; for example, it is unfortunate to place a camera so that it could be dismantled or covered unseen.

Distance is also relevant: what use is a recording of a person at the front door if every recording at most lets you make out the colour of their hat.

Question: Which system should I use?

Depends on the budget. I have had good experience with Reolink systems; there is also a controller available that can take care of storage etc., powers cameras e.g. via Power over Ethernet, and can send an email when the connection to a camera is interrupted.
The quality of the cameras is also very good.

Question: Where should the recordings go?

They should be stored; if recordings are stored in the cloud or the system can be controlled over the internet, there is always the risk that third parties gain unauthorised access to the system.

How can I control my system from outside / access recordings?

I would not recommend making the system reachable from the internet; instead, connect via VPN, e.g. to the FritzBox, and then access the system as if you were in the home network. That reduces the risk dramatically.

Question: Why not the cloud?

See above: the cloud always brings the risk that the system can be controlled from outside.

Question: Which areas should I monitor?

All the important ones, but pay attention to your own privacy and that of the residents. Public streets, for example, must not be monitored. Monitoring a balcony seems sensible at first, but what if you want to lie down there some time; then there are pictures of you on the balcony. So it is a matter of weighing things up.

A complete system:

Wireless camera without power supply: