Projects
CloudSecDocs.com is a website collecting technical notes, how-tos, and cheatsheets related to cloud-native technologies (not only security-focused), hand curated by myself.
I have been part of the CNCF committee tasked with creating the Certified Kubernetes Security Specialist (CKS) Certification.
I am a maintainer of Cartography (from Lyft), a Python tool that consolidates infrastructure assets and the relationships between them in a graph view powered by a Neo4j database. As part of my involvement, I'm actively contributing new features as well as helping defining the long term roadmap for Cartography.
The "Cloud Security Reading List" is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand curated by myself. Knowing how difficult it is to stay up to date with all the different news and releases occurring in this industry, I hope this will be helpful for other people who are particularly interested in this corner of the security scenario.
I've been a Technical Reviewer of the "Cloud Native Devops with Kubernetes" book.
GoScan is an interactive network scanner client, featuring auto-completion, which provides abstraction and automation over nmap.
Although it started as a small side-project I developed in order to learn @golang, GoScan can now be used to perform host discovery, port scanning, and service enumeration not only in situations where being stealthy is not a priority and time is limited (think at CTFs, OSCP, exams, etc.), but also (with a few tweaks in its configuration) during professional engagements.
GoScan is also particularly suited for unstable environments (think unreliable network connectivity, lack of 'screen', etc.), given that it fires scans and maintain their state in an SQLite database. Scans run in the background (detached from the main thread), so even if connection to the box running GoScan is lost, results can be retrieved asynchronously. That is, data can be imported into GoScan at different stages of the process, without the need to restart the entire process from scratch if something goes wrong.
In addition, the Service Enumeration phase integrates a collection of other tools (e.g., EyeWitness, Hydra, nikto, etc.), each one tailored to target a specific service.
Although it started as a small side-project I developed in order to learn @golang, GoScan can now be used to perform host discovery, port scanning, and service enumeration not only in situations where being stealthy is not a priority and time is limited (think at CTFs, OSCP, exams, etc.), but also (with a few tweaks in its configuration) during professional engagements.
GoScan is also particularly suited for unstable environments (think unreliable network connectivity, lack of 'screen', etc.), given that it fires scans and maintain their state in an SQLite database. Scans run in the background (detached from the main thread), so even if connection to the box running GoScan is lost, results can be retrieved asynchronously. That is, data can be imported into GoScan at different stages of the process, without the need to restart the entire process from scratch if something goes wrong.
In addition, the Service Enumeration phase integrates a collection of other tools (e.g., EyeWitness, Hydra, nikto, etc.), each one tailored to target a specific service.
Offensive ELK is a custom Elasticsearch setup, aiming to show how traditional “defensive” tools can be effectively used for offensive security data analysis, helping your team collaborate and triage scan results.
In particular, Elasticsearch offers the chance to aggregate a multitude of disparate data sources, query them with a unified interface, with the aim of extracting actionable knowledge from a huge amount of unclassified data.
In particular, Elasticsearch offers the chance to aggregate a multitude of disparate data sources, query them with a unified interface, with the aim of extracting actionable knowledge from a huge amount of unclassified data.
The iOS Security Testing Framework. Needle is the MWR's iOS Security Testing Framework, released at Black Hat USA in August 2016. It is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.
The release of version 1.0.0 provided a major overhaul of its core and the introduction of a new native agent, written entirely in Objective-C. The new NeedleAgent is an open source iOS app complementary to Needle, that allows to programmatically perform tasks natively on the device, eliminating the need for third party tools.
Needle has been presented at and used by workshops in various international conferences like Black Hat USA/EU, OWASP AppSec and DEEPSEC. It was also included by ToolsWatch in the shortlist for the Top Security Tools of 2016, and it is featured in the OWASP Mobile Testing Guide. On the week of its release, it reached #3 on Netsec, the first page of Hacker News, and it was trending on Github.
The release of version 1.0.0 provided a major overhaul of its core and the introduction of a new native agent, written entirely in Objective-C. The new NeedleAgent is an open source iOS app complementary to Needle, that allows to programmatically perform tasks natively on the device, eliminating the need for third party tools.
Needle has been presented at and used by workshops in various international conferences like Black Hat USA/EU, OWASP AppSec and DEEPSEC. It was also included by ToolsWatch in the shortlist for the Top Security Tools of 2016, and it is featured in the OWASP Mobile Testing Guide. On the week of its release, it reached #3 on Netsec, the first page of Hacker News, and it was trending on Github.
Talks:
- BlackHat Arsenal USA 2016
- OWASP AppSec USA 2016
- BlackHat Arsenal EU 2016
- BlackHat Arsenal USA 2017
Workshops:
- DEEPSEC 2016
The Offensive iOS Exploitation workshop is an exercise-driven training course that uses detailed tutorials to guide the attendees through all the steps necessary to exploit a real iOS application, and in the process, provide them an understanding of the modern attacker's mind-set and capabilities. The course cover iOS hacking, from the basics of vulnerability hunting on the platform to advanced exploitation techniques. In addition, this workshop use MWR's newly released "Needle" to identify and exploit all the common mobile application security flaws, over and above the OWASP Mobile Top Ten.
At its conclusion, it will have imparted the information necessary to develop secure and robust applications. Other take-aways will include how to develop secure mobile applications that can withstand advanced attacks, how hackers attack mobile applications and iOS devices, and the most up to date and effective secure coding practices.
At its conclusion, it will have imparted the information necessary to develop secure and robust applications. Other take-aways will include how to develop secure mobile applications that can withstand advanced attacks, how hackers attack mobile applications and iOS devices, and the most up to date and effective secure coding practices.
Workshops:
- DEEPSEC 2016
Technical Reviewer in the peer review process of some IEEE Journals (i.e., 'Transactions on Emerging Topics in Computing (TETCSI)').
Technical Reviewer of the security-related chapters of the "500 Lines or Less" book.
Media:
- Release Warning (AOSABOOK - 09 July, 2016)
- Book Release (AOSABOOK - 12 July, 2016)
- 500 Lines or Less Release (AOSABOOK - 12 July, 2016)
AndroRAT++ is a proof-of-concept mobile malware, embedded in a legitimate application, that enhances the features of a well-know RAT application (AndroRAT). The RAT, once installed, allows the attacker to control the phone remotely, obtaining access to certain sensitive information, and using the device for malicious purposes. The attacker can also attempt to escalate his privileges in order to gain complete access to the device's resources. An exploit kit has been embedded in the source code of AndroRAT++: the attacker can then silently obtain root privileges and, therefore, complete access to the device.
Talks:
- BSides Vienna 2014
As first contribution to the OWASP Project, I was assigned to team responsible for the translation of the Top 10 2013 in Italian.
We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment. We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
Awards:
- NATO CCDCOE Best Student Thesis Award, as the best thesis published on cyber defence topics. Awarded during the International Conference on Cyber Conflict (CyCon 2014), Tallinn
- 'Innovation in Information Security' Thesis Award (Premio Tesi Clusit: 'Innovare la sicurezza delle informazioni'), as the 2nd best thesis published in Italy in 2013. Awarded during the Security Summit 2014, Milan
Papers:
- All Your Face Are Belong to Us: Breaking Facebook's Social Authentication (ACSAC 2012)
- Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication (CCS 2014)
- Social Authentication: Vulnerabilities, Mitigations, and Redesign (DEEPSEC 2014)
Talks:
- CyCon 2014
- DEEPSEC 2014
