Há algum tempo, escrevo para a PenTest Magazine e para a Hakin9. Estou sempre aberto a convites para escrever para outras revistas ou jornais. Se você acredita que eu possa ser uma boa inclusão para seu time de colunistas ou escritores, não hesite em me contactar através deste formulário, ou por e-mail, ou ainda em alguma das minhas redes sociais.
Abaixo, apresento as capas das revistas em que artigos meus foram publicados, bem como resumos dos mesmos.
The MITRE ATT&CK Framework – MITRE CALDERA Demonstration
Resumo:
I will guide you through the framework’s sections to give you a better understanding of its purpose and how it’s structured. However, as it’s informative only, it would actually be more interesting if we got our hands dirty, as I usually do in my articles. For this, I included a demonstration of MITRE CALDERA, a tool built from ATT&CK to enable a very interesting exercising and training platform.
Leia a edição completa aqui.
Easy Threat Modeling with the Microsoft Threat Modeling Tool
Resumo:
Threat Modeling is one of the most important points when running an Application Security review process. It is not the first one and for sure not the last one. In general, Threat Modeling comes close to the end of the security review cycle. Indeed, this cycle has no absolute end. Each time a new version or feature is released, all steps must be followed again to guarantee that the application remains secure.
Leia a edição completa aqui.
AI and Cybercrimes – Offensive and Defensive Approaches
Resumo:
In recent years, the world has been seeing an exacerbated development of the areas of Artificial Intelligence and Machine Learning. Several algorithms have been created or improved to meet the specific needs of mankind. This brings to light the concern raised earlier about how much development can also mean progress in attacking information assets (systems, data, applications) or generation of malware.
Leia a edição completa aqui.
Make your Cloud with Subutai
Resumo:
Many other currencies appeared after Bitcoin, such as Ethereum, still using the same fundamentals of cryptography and transaction tracking. Blockchain can be and actually is employed to solve many other problems than only cryptocurrencies.
…
This article is about Subutai, a distributed, peer-to-peer open source cloud computing platform with the purpose to give the power of cloud to anyone.
Leia a edição completa aqui.
Dissecting Malware with MobSF
Resumo:
This article will cover Mobile Security Framework. MobSF is a very good tool to analyze Android and iOS malware. For the sake of this article, I opted to test only Android malware samples. Its quick and easy to use GUI makes the task of analyzing malicious code a pleasant experience. Static analysis seems powerful. However, the dynamic analysis engine is extremely useful to see the suspicious application’s real behavior.
Leia a edição completa aqui.
Practicing OSINT with Recon-NG
Resumo:
This article covers Recon-NG, a powerful framework focused on collecting, presenting and exercising the purposes of OSINT. It can target people, domains, companies, systems, vulnerabilities, ports and many more items.
If you have read my article about Maltego (…), you already know something about initial pentesting stages. Yes, it’s exactly what you’re thinking about: reconnaissance. Or, in a more elegant way, target enumeration.
Leia a edição completa aqui.
Use Your Pi as a Security Box
Resumo:
This time, I bring you SweetSecurity, a very nice open source project intended to facilitate the installation of some neat tools whose purpose is to help administrators better manage their security environments. You’re going to use your Raspberry Pi as the security station! Cool, isn’t it? So, let’s get started and see what it can give us.
Leia a edição completa aqui.
Maltego and the Network Enumeration
Resumo:
A good enumeration tool, as well as technique, is valuable and can save lots of time in the subsequent attack efforts. It shall be mentioned that a good approach or methodology must be followed to guarantee effective results. One of the initial, but also very important, steps in successful attacks (or professional pentests) is the target enumeration. For this article, I bring you a discussion about Maltego CE (Community Edition) by Paterva.
Leia a edição completa aqui.
Software Exploitation Through Fuzzing
Resumo:
Through the years, software testing gained importance as a methodology to eliminate or at least reduce the amount of failures in the code. It’s improving its approach to help developers and DevOps teams to successfully meet test criteria. (…).
In this article, I’ll introduce you AFL (American Fuzzy Lop), another open source tool that can help us on our daily pentesting activities.
Leia a edição completa aqui.
Playing with Web Scanners – The ZAP Project
Resumo:
For the initial article of 2017, I bring to you ZAP (Zed Attack Proxy), a quite complete and versatile web scanner aimed in two objectives: being easy to use and still very powerful. (…)
I chose to cover it basically because of three points:
– Open source;
– Very good documentation (including tutorial videos);
– Cross-platform support (Windows, Linux, macOS).
Leia a edição completa aqui.
PowerShell Pentesting with Nishang
Resumo:
Nishang is a framework created by the Indian security expert Nikhil Mittal. It is an interesting tool since it unites a handful of scripts and modules that can be easily coupled with any PowerShell code. Additionally, you can use it to execute various tasks such as network scanning and enumeration, credentials discovery, WLAN passwords obtaining, remote execution and many others. For the sake of this article, I’ll focus on showing some of the possible uses of this framework.
Leia a edição completa aqui.
Using the Volatility Framework to Write Python Forensics Code
Resumo:
In this article, I want to show you the Volatility Framework, an open source initiative to do forensics analysis through memory investigation. Forensics analysis is one of the fastest growing areas in Information Security. Along with Penetration Testing, forensics skills are too valuable and this is easy to find, since we often see on TV, news and Internet many incidents related to server invasion, ransomware, data leakage and so on.
Leia a edição completa aqui.