Fedora Security List,
I wanted to bring your attention to a new SIG:
The goal of this SIG is to be Red Hat's upstream cyber community, and focal
point for new offensive tooling, exploit curation, standards, and reference
A number of exciting projects are planned for this SIG, but we already have
a working alpha-version of our tool, the Enterprise Linux Exploit Mapper
(ELEM). ELEM lets administrators scan their RHEL or CentOS systems for
vulnerabilities that are associated with known exploits in the wild. We’re
working on adding Fedora support to ELEM. It currently has only one exploit
data source, but we’re adding more.
We’ll be using this list and #fedora-security for comms, and we’d love your
feedback on the SIG and ELEM.
 - https://github.com/fedoraredteam/elem
 - https://www.exploit-db.com
Jason Callaway | jcallaway(a)redhat.com | (240) 285-9529 | GPG Key 0x81ED4A9A
There is an interesting book:
How to succeed by Thinking like the Enemy
I thought it was good. It's not focused on IT, but there is plenty of IT in
it. Good background if you are focused on IT.
"You cannot grade your own homework."
"The boss must buy in." (and signal down the chain)
"not a core practice", "doesn't generate income"
There is an interesting section about 28 minutes into the video (below). In
a commercial world, some people actively avoid red teams. The legal
penalties for negligence are smaller than those for willful harm. That is
followed by a discussion of GM's ignition switch mess. The corporate culture
was to suppress bad news in the interest of maintaining quarterly profits.
You can hide problems in committees.
He gave a talk at the World Affairs Council, Dec 2015
Red teaming: it's a practice as old as the Devil's Advocate, the
sixteenth-century Catholic official charged with discrediting candidates for
sainthood. Today red teams--groups of fearless skeptics and friendly
saboteurs--are used widely in both the public and private sectors. Red
teaming helps pinpoint institutional weaknesses and anticipate potential
threats ahead of the next Special Forces raid, malicious cyberattack, or
corporate merger. But not all red teams are created equal; indeed, some cause
more damage than they avert. Using them effectively just may be the greatest
challenge for organizations in the twenty-first century.
In Red Team, security expert Micah Zenko draws on the little-known case
studies and unprecedented access to elite red teamers to reveal the best
practices, common pitfalls, and winning strategies of these modern-day
Devil's Advocates. Red Team shows how any competitive group can succeed by
thinking like the enemy.
There are several other similar videos on YouTube. I assume they were all
part of a book tour.
These are my opinions. I hate spam.
not sure if this is the appropriate spot to share or not, but was the
closest I could find "security @ fedora"....
while working on a project, I searched for "Fedora" ami images in the
new-ish AWS region us-east-2 ("ohio"), and was pleasantly surprised to find
the easily discoverable and recognizable ami "Fedora release 26
(ami-f3a18096)" (as well as a "Fedora release 25".....)
upon booting, I was concerned to find an extra ssh authorized key in
~fedora/.ssh/authorized_keys, and soon realized this was _not_ a sanctioned
Fedora release (as confirmed from https://alt.fedoraproject.org/cloud/).
While yes, this is my fault for not starting from a trusted reference to
find a reliable AMI, I found this a pretty easy pit to fall into.
Don't know if there's a remedy, other than getting real Fedora images into
the frontier AWS regions, but thought that I should share...
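
The first-boot check described in the message above can be scripted. This is an added example, not part of the original post: it parses `authorized_keys` content and reports every entry whose fingerprint is not one you provisioned. The function names, the sample file content and the placeholder key blobs are all constructed for illustration.

```python
import base64
import binascii
import hashlib

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints, or None if undecodable."""
    try:
        raw = base64.b64decode(b64_blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return (line_no, key_type, fingerprint, comment) per non-comment line."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options field (from="...", command="...") may precede the key type.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            # Lines that cannot be parsed are reported, never silently skipped.
            entries.append((line_no, "unparsed", None, line))
            continue
        entries.append((line_no, fields[idx], fingerprint(fields[idx + 1]),
                        " ".join(fields[idx + 2:])))
    return entries

def unexpected_keys(text, expected):
    """Entries whose fingerprint is not in the set of keys you provisioned."""
    return [e for e in parse_authorized_keys(text) if e[2] not in expected]

# Constructed sample: the blobs are placeholder bytes, not real public keys.
MY_BLOB = base64.b64encode(b"constructed-launch-key").decode()
EXTRA_BLOB = base64.b64encode(b"constructed-extra-key").decode()
SAMPLE = (
    "# constructed authorized_keys content\n"
    f"ssh-rsa {MY_BLOB} my-launch-keypair\n"
    f'from="192.0.2.10" ssh-ed25519 {EXTRA_BLOB} unknown@builder\n'
)

if __name__ == "__main__":
    for line_no, key_type, fp, comment in unexpected_keys(SAMPLE, {fingerprint(MY_BLOB)}):
        print(f"line {line_no}: unexpected {key_type} {fp} {comment}")
```

On a real instance, the expected set would hold the fingerprint of the key pair selected at launch, and the text would be read from every account's `authorized_keys` file, not only the default user's.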