Building Computer Security

A toolbox for the software engineer to build secure computer systems. Pragmatic and direct. Starting with the basics.

About the Book

The hands-on guide to making your software project more secure.

Contains wisdom for engineers, software designers, managers and testers. It is written for skill levels from basic to experienced (yellow to brown belt), with a learning curve that will not leave you stranded. Most of the tips in here can be used directly in your project.

This book is focused on the big picture and on hands-on things, but it will also guide you to sources of specific in-depth knowledge for specific fields.

About the Author

Thorsten Sick

Thorsten Sick is an engineer in the field of computer security. He has designed and coded a wide variety of technologies, including virus scanners, generic detection, AI, browser security, embedded hardware security, ...

After having "been there, done that", it is time to write it all down and guide the padawans to properly use the force.

Table of Contents

Preface

This book

  1. Goals
  2. Release early, release often
  3. 80/20 or Pareto Principle
  4. Form follows function
  5. All this said…

Structure of this book

  1. Project phases and audience

Content

  1. Background
  2. Planning
  3. Programming
  4. Testing
  5. Tools
  6. Bolt-on security
  7. Offense
  8. Appendix

Background

Intro

Basics: Know your enemies

  1. Hackers
  2. University researchers
  3. Script kiddies
  4. Organized Crime
  5. Nation state actors (NSA)
  6. In house attackers

Attacker’s goals

  1. Ransomware
  2. Mining
  3. Credential stealing
  4. Injecting advertising
  5. Banking
  6. Wiping
  7. Sending SPAM
  8. DDOS for hire
  9. Proxy for further attacks
  10. Persistence
  11. A trick: Living off the land
  12. A common requirement: C&C server
  13. Selecting victims

Principles

  1. Bolt-on-security vs security-by-design
  2. Threat modelling
  3. Reduce Attack Surface
  4. Compartmentalisation / Segmentation
  5. Principle of “Least privilege”
  6. Updates
  7. Flexibility
  8. Do not make mistakes
  9. De-centralisation
  10. Fail gracefully
  11. Monitor / Incident Response
  12. Educate users
  13. Defense in Depth
  14. Filter at the endpoint
  15. Tripwires
  16. Slow down the attacker
  17. Security by Obscurity
  18. Security Theater
  19. Hollywood threats
  20. Further reading

Planning

Intro

Software Design

  1. Infrastructure aka “Establish a Standard Incident Response Process in SDL”
  2. Complexity
  3. System architecture
  4. Set up a reliable build system
  5. Further reading

Threat Modelling

  1. Security cards
  2. STRIDE
  3. Attack tree
  4. Persona non Grata
  5. CVSS
  6. Coffee machine chat style
  7. MITRE attack checklist
  8. OWASP (Open Web Application Security Project)
  9. Threat Modeling using Threagile

Vulnerabilities

  1. Vulnerability knowledge pools
  2. Building bugs and flaws
  3. CVSS Score
  4. OWASP Risk Rating
  5. Security process
  6. Search engines for exploits and vulnerabilities
  7. Fixing Bugs - tasks for management

Security process

  1. Basics
  2. Good and bad ways to find vulnerabilities
  3. The three steps
  4. Further Reading

Software Design Checklist

  1. My secret source
  2. Checklist
  3. Further reading
  4. Internationalisation

User interfaces

  1. Things to do
  2. Dangerous things - please avoid
  3. Attacks
  4. Details for “Things to do”
  5. Secure setting is default
  6. Details list of dangerous things

Updates

  1. Things that a good update strategy covers
  2. Things to avoid
  3. Response Time
  4. Update strategy details
  5. Verify version - only upgrade
  6. Track distribution
  7. Be able to stop updates
  8. Distributing the updates
  9. Compress updates
  10. Diff updates
  11. Incentives
  12. Plan for several channels
  13. Automatic updates
  14. Control the update infrastructure
  15. Details for things to avoid
  16. Break the update chain

Passwords

  1. PINs
  2. Passwords
  3. Passphrases
  4. Entropy matters
  5. Password hints
  6. Preventing copy & paste
  7. Forgot password
  8. TTL for passwords
  9. Autofill trap
  10. Stolen passwords
  11. Cracking passwords
  12. Web site scraping for wordlists
  13. Keyloggers
  14. IoT: Initial passwords
  15. Salting
  16. Pepper
  17. Beyond passwords: “Two-factor authentication”

Browser security

  1. Choosing the right browser
  2. Harden your browser
  3. Basic browser security philosophy
  4. Ads/Malvertizing
  5. Privacy
  6. Exploit Kits
  7. Cookies
  8. Fingerprinting
  9. TLS/SSL/HTTPS
  10. Facebook
  11. BeEF
  12. Burp Suite
  13. Attack on Routers
  14. Phishing
  15. Pseudonymity
  16. Crypto mining
  17. Pony / Fareit
  18. URL block lists
  19. Browser god modes
  20. Special privacy browsers
  21. Further reading

Censorship

  1. Mapping censorship
  2. Censorship countermeasures
  3. Further reading

IoT security

  1. Class break
  2. Interfaces (UART, JTAG)

CAN Bus

  1. can-utils
  2. Python
  3. Fuzzing the CAN bus with python
  4. Further reading

Bluetooth LE

  1. Basics
  2. Potential attacks
  3. BLE Security
  4. Nordic Semiconductor: nRF Connect
  5. Basic OS tools
  6. Bleah - Bluetooth LE hacking
  7. Deprecation
  8. Bluepy - python library for Bluetooth le
  9. BlueZ
  10. Adafruit Bluetooth LE sniffer
  11. Training: BLE CTF (Capture the Flag)
  12. Further reading

TLS aka SSL aka HTTPS

  1. TLS handshake
  2. What to encrypt (for web pages)
  3. Mozilla server side TLS config guide
  4. Certificates
  5. Let’s Encrypt chapter
  6. Certificate content and structure
  7. Revocation (OCSP = Online Certificate Status Protocol)
  8. OCSP Stapling
  9. Key/Certificate lifetime
  10. Testing TLS
  11. HSTS - HTTP Strict Transport Security
  12. HPKP - HTTP Public Key Pinning
  13. Certificate Transparency
  14. UDP: DTLS
  15. Weaknesses and catastrophes
  16. Testing SSL
  17. Further reading

Crypto algorithms

  1. Hash functions
  2. HMAC or MAC
  3. Password hash functions
  4. Stream Ciphers
  5. Block Ciphers
  6. Authenticated Encryption
  7. Asymmetric Ciphers
  8. Key exchange
  9. Elliptic Curve Cryptography (ECC)
  10. Key length
  11. Best practice
  12. Further reading

Programming

Intro

Requirements for code analysis tools

  1. Some background

Defensive programming

  1. Short abstract
  2. TODO
  3. Typical attacks on programs
  4. Details todo list
  5. Basic pattern for C coding
  6. Memsad rabbit hole
  7. Further reading

Asserts

  1. Asserts in C
  2. Assert for python
  3. JavaScript
  4. Positive side effects of asserts

Compiling

  1. Build system
  2. Use Docker
  3. Use Vagrant
  4. Compile for Linux
  5. Reproducible builds
  6. Static code analysis
  7. Mitigation and hardening

Clang

  1. Warnings and hardening
  2. Static analysis
  3. Dynamic code analysis
  4. ASAN (Address Sanitizer)
  5. LSAN (Leak Sanitizer)
  6. UBSan (Undefined Behaviour Sanitizer)
  7. Memory Sanitizer
  8. Thread Sanitizer
  9. Code coverage
  10. Fuzzing

JavaScript

  1. Retire.js
  2. Use a linter: ESLint
  3. Strict
  4. The JS eco system

Secure python programming

  1. Virtualenv build environment
  2. Unit tests
  3. Code Coverage
  4. Flake8 coding style verification
  5. Safety
  6. Bandit, static code analysis
  7. Pylint, stricter than flake8
  8. Packaging with setup.py
  9. Tox
  10. Nox
  11. Dependencies
  12. Documentation

Testing

Intro

Testing compiled binaries

  1. Linux
  2. Windows
  3. Attached info

Flawfinder

  1. Finding issues
  2. Finding inputs

Cppcheck

  1. The Makefile
  2. Feature: Library verification
  3. Further reading

Testing practice

  1. Have testers
  2. What to test
  3. Unit tests
  4. Verification tests
  5. Performance tests
  6. Destructive testing
  7. External reviews
  8. Bug bounties
  9. Further Reading

Code Coverage

  1. GCC

Fuzzing

  1. Training project
  2. Fuzzing hardware
  3. DIY fuzzer
  4. Radamsa
  5. Dharma
  6. AFL American fuzzy lop
  7. libFuzzer
  8. More fuzzing tricks
  9. Further reading

Secret scanning

  1. Do not commit credentials and secrets
  2. Secret scanners
  3. Secret stores

Tools

Intro

SSH

  1. Reasons for SSH
  2. Background
  3. Key generation
  4. Show (managed) keys
  5. Deploying keys
  6. Get a shell
  7. Execute commands
  8. File transfer (scp)
  9. SSHFS
  10. GIT
  11. SSH Tunneling
  12. Logs
  13. Telnet
  14. Further reading

GIT hardening

  1. Pure Git
  2. Github
  3. Getting it done

Thug

  1. Basics
  2. Data available in json file

Bolt on

Intro

Anti Virus tests

  1. Abstract
  2. Methods
  3. Eicar
  4. Windows Defender

Antivirus Integration

  1. What to scan
  2. AMSI
  3. Google Safe Browsing

Sharing malware samples

  1. The reason why your software is detected as a false positive (all the time)
  2. Where to submit to AV companies
  3. Submission by Mail
  4. Security without borders
  5. Citizen Lab
  6. CCC
  7. Sucker punch

VirusTotal

  1. DIY AV testing using VirusTotal: Does not work
  2. Getting a feeling for a file
  3. Submitting samples
  4. Not to do: Uploading APT samples

Antivirus detection

  1. Pro detection technology
  2. Con detection technology
  3. Tips
  4. Choosing technology
  5. DIY detection
  6. DIY classification

Behaviour based classification

  1. Container, Virtual Machines or Bare Metal
  2. Networking
  3. Pafish
  4. Al-Khaser
  5. VMCloak
  6. CAPEv2 Sandbox
  7. Small print
  8. Something different: Inserting virtual machine traces into the system

CAPEv2

  1. Features
  2. Installation
  3. Links

Features (reporting/processing)

  1. Reporting modules
  2. Processing modules

Malware Sources

  1. Sources for IOCs
  2. Exploit kits
  3. C&C
  4. Malware
  5. Malicious URLs
  6. Malicious SSL Certificates
  7. Phishing
  8. Data breaches

Offense

Intro

Kill chain

  1. Basics
  2. OSINT (Open Source Intelligence)
  3. Initial access
  4. Persistence
  5. Privilege Escalation
  6. Sandbox Escape
  7. Defense Evasion
  8. Lateral Movement
  9. Collection
  10. Command and Control
  11. Exfiltration

Recon-NG

Google Dork

  1. Basics
  2. SEO expertise
  3. Vulnerability indicators
  4. Defense
  5. Further reading

Beef

  1. Basics
  2. Features
  3. Defense
  4. Further reading

Burp suite

  1. Basics
  2. Defense
  3. Further reading

ZAP

  1. Basics
  2. Docker installation
  3. Experimenting
  4. Authentication
  5. Scan modes
  6. As a proxy
  7. Scripting
  8. CLI
  9. Get ZAP results
  10. ZAP as proxy
  11. Selenium
  12. Python requests

Mitmproxy

  1. Basics
  2. Local usage
  3. Usage with a forwarding PC (transparent proxy)
  4. Intercepting
  5. Scripting
  6. Certificates
  7. Further reading

Nmap

  1. Excluding IPs
  2. Finding hosts
  3. Finding ports
  4. OS detection
  5. Finding services
  6. Being noisy
  7. Being silent
  8. Scripts
  9. Sources

Appendix

External references and resources

  1. Books
  2. Conferences
  3. Blogs
  4. News
  5. Podcasts
  6. Magazines
  7. Videos
  8. Workshops and Training
  9. CTF
  10. Lists and bookmarks

RSS feeds as news source

  1. RSS reader
  2. Security RSS sources

Glossary

The author

  1. The origin story: External brain

Authors

Credits

Changelog

  1. Aug 2025
  2. April 2023
  3. December 2022
  4. November 2022
  5. July 2022
  6. October 2021
  7. June 2021
  8. April 2021
  9. February 2021
  10. October 2020
  11. August 2020
  12. May 2020
  13. April 2020
  14. March 2020
  15. February 2020
  16. January 2020
  17. December 2019
  18. November
  19. August/September/October 2019
  20. July 2019
  21. June 2019
  22. May 2019
  23. April 2019
  24. March 2019
  25. February 2019
  26. January 2019
  27. December 2018
  28. November 2018
  29. October 2018
  30. September 2018
  31. August 2018
  32. July 2018
  33. June 2018
  34. May 2018, initial release

License