Sunday, August 23, 2015

Free Security Books, Training, and Classes

A collection of free security training resources and books. Good places to start.


Metasploit Unleashed -

Technet Labs (Do search for PKI) -

VMware Labs -
(Concentrate on VMware NSX intro and advanced)


Security Engineering by Ross Anderson -

Learn python the hard way (Use the try it for free) -

Coursera Courses
Cybersecurity (All Courses below. Only $49 if you want the specialization cert) -

Cryptography 1 (Standford Course) -

Software Security -

Cybersecurity and its ten domains -

Cryptography (University of Maryland) -

Hardware Security -

Bitcoin and cryptocurrency technology -

Usable Security -

Cryptography 2 -

Information Security and Risk management in context -

Surveillance Law -
I highly recommend this one for counterintelligence purposes

Designing and executing information security strategies -

Kahn Academy

Computer Science -

Collection of Security Defense tactics

Privacy and security conscious browsing -

Best Practices on securing active directory -

Better Crypto hardening -

Mitigating pass the hash version 1 and 2 -

Getting Started with virtual smart cards -

Thursday, August 20, 2015

Best security caution you can take with a chromebook

Getting a chromebook? One of the best precautions you can take.

Sync while using a custom passphrase
Sign in to your Chromebook.
Enter your passphrase.
Click the status area, where your account picture appears.
Click Settings.
In the "People" section, click Advanced sync settings.
In the box that appears, choose what you want to sync:
To sync everything, select Sync everything from the dropdown menu.
To choose specific items to sync, select Choose what to sync from the dropdown menu, then check the items you want to sync.
Click OK.
Note: You'll need to enter the passphrase on each Chromebook you want to sync. If you've forgotten your passphrase, go to Google Dashboard and remove sync information from your Google Account, then set up sync again.

Why Would I do this?
hands-on experience shows that the default is only to encrypt the password and not necessarily the synced user data. If you put in custom password you can select to encrypt all your sync data... with your password.

Tuesday, August 4, 2015

Truecrypt Compromised?

An interesting article today on how the FBI cracked a hidden partition truecrypt volume that had a 30 character password.

So what happened and how is this possible? I personally don't think truecrypt has been broken or compromised. I think there are a few possible ways of how this hidden partition was cracked.

Option 1:
The feds more than likely had this guy under surveillance for months and since this could clearly be a national security issue they could have been authorized to compromise his pc using a zero day exploit like the ones recently exposed by the hacking team leak. Keyloggers more thank likely would have played a pivotal role in cracking the 30 character password so quickly.

Option 2:
He was using a password manager to manage all his passwords and had a weak master password and the feds managed to crack it.

Option 3:
To protect user data from compromise he obviously had to plug that hard disk into a system to remove the classified docs from the server that contained it. Users have no right to privacy on these types of systems. Maybe the FBI didn't crack anything at all. It is possible to have DLP software that quitely monitors all metadata transferred to removable mediums that offer no form of encryption to give the users the appearance that no file transfers are monitored when a simple query would be able to tell the feds exactly what was copied into the hidden partition.