Security Posts


ISC Stormcast For Tuesday, October 22nd 2019 https://isc.sans.edu/podcastdetail.html?id=6718
Categories: Security Posts

Resilient architectures part 2: Benchmarking performance of webserver-based applications

BreakingPoint Labs Blog - 1 hour 13 min ago
This blog entry is the second in a series of cloud testing use cases focused on deploying and using…
Categories: Security Posts

Best Practices for Network Security Threat Hunting

BreakingPoint Labs Blog - 1 hour 13 min ago
Security threats continually change. New forms of malware and ransomware appear every year. The…
Categories: Security Posts

The Network Makeover Overview

BreakingPoint Labs Blog - 1 hour 13 min ago
The Network Makeover is here! Wondering what it’s all about? This online event features >50…
Categories: Security Posts

Hardware reverse engineering: Hack TP-Link AC1750 router root password using JTAG

BreakingPoint Labs Blog - 1 hour 13 min ago
Here at the Application and Threat Intelligence (ATI) Research Center, we are in the business of…
Categories: Security Posts

Insider Threats - What Do You Need To Know?

BreakingPoint Labs Blog - 1 hour 13 min ago
Introduction This post is adapted (by which I mean stolen wholesale) from a piece posted by a…
Categories: Security Posts

Fighting malware. What’s in your arsenal?

BreakingPoint Labs Blog - 1 hour 13 min ago
Ransomware, or as we call it during the Halloween season, “Boo!”, is indeed a terrifying situation…
Categories: Security Posts

How network security is evolving—Behavior is the new signature

BreakingPoint Labs Blog - 1 hour 13 min ago
It is said that “Habits make the man.” True to this popular adage, the cybersecurity industry is…
Categories: Security Posts

Four tips to ensure optimal SD-WAN performance

BreakingPoint Labs Blog - 1 hour 13 min ago
While the adoption of SD-WAN brings significant cost-savings and flexibility to the enterprise, it…
Categories: Security Posts

Own IT. Secure IT. Protect IT. Ixia and NCASM 2019

BreakingPoint Labs Blog - 1 hour 13 min ago
Once again Ixia is proud to participate in National Cybersecurity Awareness Month. We were proud…
Categories: Security Posts

Ransomware and Getting Out of Difficult Decisions

BreakingPoint Labs Blog - 1 hour 13 min ago
Estimates put the cost of the City of Baltimore’s recent ransomware breach at $18 million, $10…
Categories: Security Posts

Announcing the 10th Volume of our State of Software Security Report

Zero in a bit - 6 hours 21 min ago
Today marks a big milestone for Veracode, and for the application security industry – we’re releasing the 10th volume of our State of Software Security (SOSS) report. 10 SOSS reports and 80,000+ apps later, we’ve accumulated a lot of data, and a lot of insights, about application security trends and best practices. This year, we took a look back at the AppSec picture over the past 10 years, and dug into the data amassed from our security scans from April 2018 to March 2019. Some big takeaways:

The more things change, the more they stay the same: We’ve seen some positive movement this year, but we’ve got a long way to go. The same vulnerabilities are populating the top 10 list, and the percentage of applications that have at least one vulnerability on initial scan has remained high and stagnant over the past 10 years. Secure coding training is clearly still a critical component of any security program.

We’ve moved beyond just finding flaws to fixing them: Our VP of Services Pejman Pourmousa was recently quoted saying, “you can’t scan your way to secure code.” And that sentiment appears to be gaining momentum. This year’s data, especially compared to data over the past 10 years, reveals that developers are indeed focused on fixing the security flaws they find more than ever before. For example, half of applications showed a net reduction in flaws over the sample time frame. Another 20% either had no flaws or showed no change. This means 70% of development teams are keeping pace or pulling ahead in the flaw-busting race!

Security debt is piling up: Although fix rates are improving, most organizations are prioritizing newly found security flaws, while letting older, unaddressed flaws linger. This accumulation of security debt is both illustrated in our SOSS data and has started to emerge as a pain point in our conversations with customers.

But this year’s data also provides some compelling evidence surrounding steps organizations can take to start chipping away at that debt. In particular, organizations that are scanning the most are carrying 5x less security debt than those scanning the least. See below for the data highlights, and check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program.
Categories: Security Posts

It's Time to Outsource Your Passwords to an App

Wired: Security - 8 hours 59 min ago
Your brain has better things to do than store secure passwords. Get a dedicated password manager to keep your login data synced and secure across all devices.
Categories: Security Posts

In Hong Kong, Which Side Is Technology On?

Wired: Security - 8 hours 59 min ago
Both. Yes, authoritarians have co-opted tech. But the story is far from over.
Categories: Security Posts

ISC Stormcast For Tuesday, October 22nd 2019 https://isc.sans.edu/podcastdetail.html?id=6718, (Tue, Oct 22nd)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Faast: The Persistent Pentesting service and Responsible Disclosure to Apple

Un informático en el lado del mal - 14 hours 46 min ago
More than six years have passed since we started talking about Persistent Pentesting, Continuous Pentesting and Pentesting By Design, at a time when nobody was talking about it and when we were often told it was impossible. Today it is a very common practice. To implement our vision, we took the core of our beloved FOCA, turned it into a Cloud-Native environment, and created the Faast Persistent Pentesting Service at ElevenPaths, which we have discussed many times.

Figure 1: Faast: The Persistent Pentesting service and Responsible Disclosure to Apple

Far from stopping at this vision, Faast has done nothing but grow, improving processes and integrations to broaden the discovery of new assets, and optimizing the algorithms that detect vulnerabilities and configuration flaws.

Figure 2: Faast by ElevenPaths

And although the idea was conceived in 2013, the evolution of the industry has only reinforced this approach: environments change faster and faster thanks to the greater use of clouds and the rise of container-based technologies, which make it easy to put new assets into production. Today many vulnerability detection solutions offer this kind of Persistent Pentesting, because of the good results it yields.


Figure 3: OWASP 2013 "Why do cybercriminals always win?" by Chema Alonso

This has allowed us to report to the big technology companies various vulnerabilities we found while analyzing their assets, as can be seen in the acknowledgements from Microsoft and the recognitions from Apple, among other large companies. This is nothing new; they previously gave them to our beloved FOCA.

Figure 4: Apple's acknowledgement of the Faast Team at ElevenPaths

But what can we find when analyzing one of the giants like Apple? The logical assumption would be that we will find no problems, since these companies invest enormous resources in keeping their systems secure. But it is proven year after year: 100% security does not exist. In a quick Faast scan of Apple's WWW site we can observe several things that catch the eye, something we have already seen many times in the past. First, here are the earlier articles:
- Think Different: A hostname without a domain on Apple's investor site
- The digital certificates Apple uses in its CDN are of poorer quality
- Some Apple backups have an "original" extension
- A "faast" look at Apple searching for the poodle
- A review of persistent pentesting three years later at ElevenPaths
- Analysis of an HPP (HTTP Parameter Pollution) in Apple
- Apple attacked by viagra on the iTunes servers
- An HTTP redirect does not exempt you from securing a web server
- IIS Short Name Bug on the apple.com servers
- FOCA deserves an iPad
- A .SVN/Entries on Apple.com discovered by FOCA
- Apple forgets some 20th-century websites on its servers

In a recent review we still saw many of the things it suffered from in the past, as you can see in this list. And now on to the present:
• Outdated software: in this case an Apache whose specific version has certain weaknesses, some even detected this very year, as can be seen in the associated CVEs.

Figure 5: Outdated Apache versions with CVEs

• Overly permissive 'Cross Origin' header: it is not good practice to apply a wildcard (*) to this kind of element; it is better to keep a list of allowed domains.

Figure 6: Cross Origin header configured with *

• dwsync.xml file: a classic file generated by the Dreamweaver application that should not be included in a web deployment. It can give us paths or file names that should not be there.

Figure 7: DWSync.xml file

• Target _blank phishing: HTML <a> tags with the attribute target='_blank' do not include the rel='noopener' (or noreferrer) property, which was already discussed in this article written by Chema Alonso.

Figure 8: URLs with links without rel='noopener'

• Metadata: a large amount of metadata that reveals users. Some of these workers are internal, and others belong to companies that provide services to Apple. It also reveals the various software used to create these documents, ranging from classic office applications to specific versions of libraries for converting documents to PDF.

Figure 9: Metadata, Metadata, Metadata. List of users.

• Cross-site scripting (XSS): one of the most classic vulnerabilities in web environments. It has been in the OWASP Top 10 for many years, and allows any visitor to the website to execute JavaScript code by injecting it into the site's own URL or into one of its form fields.

Figure 10: XSS reported, fixed and acknowledged by Apple (Figure 4)
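Three of the findings above (the wildcard Cross-Origin header, target='_blank' links without rel='noopener'/'noreferrer', and a Server header that discloses a version) can be checked offline against a saved response. The script below is an added example written for this post, not Faast code; the headers and HTML it scans are constructed samples, not captured from Apple or any other site.

```python
"""Offline checks for three of the findings listed above (added example, not
Faast code): a wildcard CORS header, <a target="_blank"> links that do not sever
window.opener, and a Server header that discloses a product version."""
import re
from html.parser import HTMLParser

# Constructed sample response (headers and body); not captured from any real site.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.15",
    "Access-Control-Allow-Origin": "*",
    "Content-Type": "text/html",
}
SAMPLE_HTML = """
<html><body>
<a href="https://partner.example/login" target="_blank">Partner portal</a>
<a href="https://docs.example/" target="_blank" rel="noopener noreferrer">Docs</a>
<a href="/about">About</a>
</body></html>
"""


class BlankTargetScanner(HTMLParser):
    """Collect hrefs of <a target="_blank"> tags lacking rel=noopener/noreferrer,
    i.e. links whose opened page keeps a handle to window.opener."""

    def __init__(self):
        super().__init__()
        self.unsafe_links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        rel_tokens = set(a.get("rel", "").lower().split())
        if not rel_tokens & {"noopener", "noreferrer"}:
            self.unsafe_links.append(a.get("href", ""))


def check_cors(headers):
    """True when Access-Control-Allow-Origin is '*': any origin may read the
    response. A fixed allow-list of origins is the safer configuration."""
    value = headers.get("Access-Control-Allow-Origin")
    return value is not None and value.strip() == "*"


def check_server_version(headers):
    """Return 'Product/x.y.z' if the Server header discloses a version, else None."""
    server = headers.get("Server", "")
    m = re.search(r"([A-Za-z-]+)/(\d+(?:\.\d+)+)", server)
    return m.group(0) if m else None


def find_unsafe_blank_targets(html):
    scanner = BlankTargetScanner()
    scanner.feed(html)
    return scanner.unsafe_links


def audit(headers, html):
    """Run all three checks and return a findings dictionary."""
    return {
        "cors_wildcard": check_cors(headers),
        "server_version": check_server_version(headers),
        "blank_without_noopener": find_unsafe_blank_targets(html),
    }


if __name__ == "__main__":
    for finding, result in audit(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{finding}: {result}")
```

The header lookups are exact-key for brevity; a scanner fed by a real HTTP client should normalise header names case-insensitively first.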
As is customary, we have once again made a 'Responsible Disclosure' of these problems, some considered vulnerabilities and others a relaxation of the configuration. Apple has received it graciously and thanked us for the collaboration in keeping its services more secure.

Figure 11: Client-Side Attacks: XSS, CSSP, SSRF, XSPA, SSJS

For now there are several vulnerabilities pending a fix, so we will tell you more about them once they have been fixed. I recommend the book Client-Side Attacks by Enrique Rando, which explains well how to discover and exploit these vulnerabilities.

Author: Ioseba Palop, Senior Software Architect, Faast team (Contact Ioseba Palop)


Categories: Security Posts

A Brief History of Russian Hackers' Evolving False Flags

Wired: Security - Mon, 2019/10/21 - 23:51
Most hackers know how to cover their tracks. But Russia’s elite groups are working at a whole other level.
Categories: Security Posts

Reviewing best practices for IT asset management in the cloud

AlienVault Blogs - Mon, 2019/10/21 - 15:00
It used to be that businesses needing their own large computer networks had to do everything themselves. They had to buy all of their servers, all of their networking appliances. They needed the physical space on premises for all of their datacenters, the HVAC people to keep everything cool, and the massive electricity bills to keep all of that going.

But in the past several years, the growth of cloud services has been exponential. It’s great for the enterprise because depending on a business’s specific needs, they can either have everything but their local area network on the cloud, or they can have some hybrid of their own on premises network and a cloud provider or two, fully integrated. Either way, they can put at least some of their networking needs in the hands of a cloud provider such as AWS, Microsoft Azure, or Google Cloud. That can save a company a lot of time, labor, space, and money. Plus, the agility and flexibility that cloud providers offer is great! Do you need to double the data capacity of your network as soon as possible? It’s much quicker and easier to change your cloud provider plan and do some adjustments on your end than it is to double the size of your on prem network.

The cloud can be a lifesaver, but your IT people still need to know how to manage their computing assets there, especially when it comes to cybersecurity. Cloud asset management is a special matter, and it’s absolutely vital to understand.

What is cloud asset management?

Your IT assets are the hardware, software, and networking entities that your company has as tools and resources for their objectives. An excellent example of an IT asset is a database. Databases are very important, particularly in the backend of your applications. With the implementation of cloud networks, these IT assets become cloud assets too. So instead of having your MySQL databases entirely on your on premises servers and data storage, you can have them run from the server and data storage capacity that your cloud provider offers your business. But making sure your cloud-hosted assets function well and maintain security is its own area of knowledge: cloud asset management.

There are challenges involved in cloud asset management which differ from managing assets on your own infrastructure. For instance, developers and administrators often don’t use the security tools that their cloud providers offer them. Also, visibility into your assets can be more difficult in the cloud. You can’t secure what you can’t see!

Cloud asset management best practices

There’s a lot to learn when it comes to cloud asset management. It can seem overwhelming to start. Thankfully, there are some best practices to keep in mind which will provide you with a strong foundation for properly handling the cloud.

Monitor your cloud as thoroughly as possible

As I mentioned, visibility in cloud networks can be a special challenge. There’s also the everyday performance of your network to consider. You won’t be physically inside of your cloud provider’s datacenter, so you’ll need to be able to see as much as possible with monitoring tools. This isn’t all directly security related. You need to make sure that your provider honors your Service Level Agreement. Watch your bandwidth and make sure that it suits your organization’s needs at all times. Make sure all of your cloud assets have excellent availability, as much uptime as possible. You could have thousands of users depending on your cloud at any given second. Monitor thoroughly and constantly to make sure that your cloud is always capable and reliable.

Redundancy and automation are your friends

Redundancy goes a long way when it comes to keeping good uptime and everything working properly. There should be as few single points of failure as possible, preferably none. Redundancy can manifest in everything from having plenty of data backups, to having extra servers, to coding in redundancy. If your cloud provider can host your cloud in multiple sites, that’s great too. Automation, when well implemented, helps to reduce the possibility of human error, saves labor costs, and also makes everything more efficient. Cloud management tasks are often tedious and repetitive. And when it comes to tedium and repetition, computers always out-perform human beings.

Have a risk management plan

Problems aren’t completely avoidable. It’s best to be prepared for them. In order to develop a risk management plan, you first have to figure out what your risks are. Inventory all of your cloud assets and consider all of the applicable possibilities. Have plans for natural disasters, cyber attacks, electrical outages, and any other issues which may occur. Have specific procedures for particular risks, and make sure your employees are trained in them.

Cloud asset management software you should know about

Choosing the right cloud management software can make a big difference. Here are some applications that I recommend. CloudSploit is a leading open source security configuration monitoring tool for cloud infrastructure. The application benefits from being tested by many cloud security experts for specific issues with AWS, Azure, GitHub, and Oracle Cloud. BetterCloud is touted as the first SaaS (software as a service) Operations Management platform. Key features include automated user onboarding and offboarding, and data protection policies with privileged access management.

Multi-cloud and hybrid asset management

Very often organizations choose to have hybrid and multi-cloud environments. In some cases it’s the best option. Hybrid networks combine your on premises network with a cloud provider, and multi-cloud environments entail multiple cloud providers. Hybrid cloud management is both a process and a software platform which dictates the principles of how a hybrid cloud should be managed. It can be pretty tricky at first. Your on premises network and your cloud network can be very different from each other in many ways. Thankfully both cloud asset management software developers and cloud platforms have tools to facilitate combining your networks so everything works reliably. Learn about them and implement them.

Conclusion

The cloud can make it much easier, more efficient, and more agile to manage your network. Your IT assets are just as important when they become cloud assets. Good cloud asset management provides excellent uptime, mitigates risk, and provides more reliable functionality.
Categories: Security Posts

Quickpost: ExifTool, OLE Files and FlashPix Files

Didier Stevens - Mon, 2019/10/21 - 02:00
ExifTool can misidentify VBA macro files as FlashPix files.

The binary file format of Office documents (.doc, .xls) uses the Compound File Binary Format, what I like to refer to as OLE files. These files can be analyzed with my tool oledump.py.

Starting with Office 2007, the default file format (.docx, .docm, .xlsx, …) is Office Open XML: OOXML. It’s in essence a ZIP container with XML files inside. However, VBA macros inside OOXML files (.docm, .xlsm) are not stored as XML files; they are still stored inside an OLE file: the ZIP container contains a file with name vbaProject.bin. That is an OLE file containing the VBA macros. This can be observed with my zipdump.py tool:

oledump.py can look inside the ZIP container to analyze the embedded vbaProject.bin file:

And of course, it can handle an OLE file directly:

When ExifTool is given a vbaProject.bin file for analysis, it will misidentify it as a picture file: a FlashPix file. That’s because when ExifTool doesn’t have enough metadata or an identifying extension to identify an OLE file, it will fall back to FlashPix file detection. That’s because FlashPix files are also based on the OLE file format, and AFAIK ExifTool started out as an image tool:

That is why on VirusTotal, vbaProject.bin files from OOXML files with macros will be misidentified as FlashPix files:

When the extension of a vbaProject.bin file is changed to .doc, ExifTool will misidentify it as a Word document:

ExifTool is not designed to identify VBA macro files (vbaProject.bin). These files are neither Office documents nor pictures. But since they are also OLE files, ExifTool tries to guess what they are, based on the extension, and if that doesn’t help, it falls back to the FlashPix file format (based on OLE).

There’s no “bug” to fix, you just need to be aware of this particular behavior of ExifTool: it is a tool to extract information from media formats, and when it analyses an OLE file and doesn’t have enough metadata/proper file extension, it will fall back to FlashPix identification.
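To make the identification problem concrete, here is an added example (not code from the post, and not ExifTool's or oledump.py's code) that builds a minimal Compound File header, packs it into a constructed .docm-style ZIP as word/vbaProject.bin, and shows that only the container path or the file extension, never the 8-byte OLE signature itself, distinguishes a VBA project from a .doc or a FlashPix file. The header field values and the ZIP member paths it looks for are the example's own assumptions.

```python
"""Added example (not the post's code): the Compound File (OLE) signature is
shared by .doc/.xls, FlashPix images and vbaProject.bin, so a classifier must
rely on context (container path, extension, or the directory stream). All bytes
here are constructed in memory."""
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def make_ole_header(major=3, sector_shift=9):
    """Minimal 512-byte Compound File header: signature, minor/major version,
    little-endian marker 0xFFFE, sector shift and mini-sector shift. Enough to be
    identified as OLE; no FAT or directory sectors follow."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, major, 0xFFFE, sector_shift, 6)
    return bytes(hdr)


def parse_ole_header(data):
    """Return header fields if data starts with the OLE signature, else None."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 0x18)
    if byte_order != 0xFFFE:
        return None
    return {"major": major, "sector_size": 1 << sector_shift, "mini_sector_size": 1 << mini_shift}


def make_docm(vba_blob):
    """Constructed OOXML container: a ZIP carrying the VBA project as word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


def identify(data, name=""):
    """Classify by container context first; for a bare OLE file fall back to the
    extension, and admit ambiguity when there is none (what ExifTool cannot do)."""
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            members = {n.lower(): n for n in z.namelist()}
            # Assumed member paths used by Word, Excel and PowerPoint OOXML files.
            for path in ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"):
                if path in members and parse_ole_header(z.read(members[path])):
                    return f"OOXML with VBA project ({members[path]})"
        return "OOXML/ZIP without VBA project"
    if parse_ole_header(data):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in ("doc", "xls", "ppt"):
            return f"OLE compound file, extension says Office .{ext}"
        if ext == "fpx":
            return "OLE compound file, extension says FlashPix"
        return "OLE compound file, type not determinable from signature alone"
    return "unknown"


if __name__ == "__main__":
    vba = make_ole_header()
    print(identify(vba, "vbaProject.bin"))
    print(identify(vba, "vbaProject.doc"))
    print(identify(make_docm(vba)))
```

A fuller classifier would go on to parse the FAT and directory stream and look at the storage and stream names, which is where a VBA project and a FlashPix image actually differ; the header alone carries no such hint.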
Categories: Security Posts

New Tool: simple_tcp_stats.py

Didier Stevens - Sun, 2019/10/20 - 12:25
My new tool simple_tcp_stats.py is a Python program that reads pcap files and produces simple statistics for each TCP connection. For the moment, it calculates the entropy of the data (without packet reassembling) of each TCP connection (both directions) and reports this with a CSV file:

ConnectionID;head;Size;Entropy
192.168.10.10:50236-96.126.103.196:80;'GET ';364;5.42858024035
192.168.10.10:50235-96.126.103.196:80;'GET ';426;5.46464090792
96.126.103.196:80-192.168.10.10:50235;'HTTP';3308;6.06151478505
96.126.103.196:80-192.168.10.10:50236;'HTTP';493;6.73520107812

simple_tcp_stats_V0_0_1.zip (https)
MD5: 606DB4208BBC5908D9F32A68DDF90AC6
SHA256: 68B275C58736AE450D23BEA82CC1592936E541E00726D8ED95F5CA8ACB02B7CE
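The following is an added example, not simple_tcp_stats.py itself: a minimal reader for the classic pcap format that concatenates the TCP payload of each connection direction (no reassembly, matching the description above) and computes its Shannon entropy, emitting the same ConnectionID;head;Size;Entropy fields. The capture it parses is constructed in memory (Ethernet/IPv4/TCP frames with zeroed checksums), so it runs offline; the address and port values reuse the ones from the sample output above but the payloads are made up.

```python
"""Added example (not the tool's code): per-direction TCP payload entropy from a
classic pcap, with the pcap built in memory from constructed frames."""
import math
import struct
from collections import defaultdict


def shannon_entropy(data):
    """Entropy in bits per byte over the byte-value histogram of data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_packet(src, sport, dst, dport, payload):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero: constructed data, never sent."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Global header (magic, v2.4, snaplen, linktype 1 = Ethernet) then per-packet records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def tcp_stats(pcap_bytes):
    """Return {connection_id: (head, size, entropy)}; one entry per direction."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type is handled here")
    streams = defaultdict(bytes)
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                                       # not TCP
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off: 14 + total_len]
        streams[f"{src}:{sport}-{dst}:{dport}"] += payload  # no reassembly, just append
    return {cid: (data[:4].decode("latin-1"), len(data), shannon_entropy(data))
            for cid, data in streams.items()}


def to_csv(stats):
    lines = ["ConnectionID;head;Size;Entropy"]
    for cid, (head, size, ent) in stats.items():
        lines.append(f"{cid};'{head}';{size};{ent:.11g}")
    return "\n".join(lines)


# Constructed capture: two client segments and one server segment on one connection.
SAMPLE_PCAP = build_pcap([
    build_packet("192.168.10.10", 50236, "96.126.103.196", 80, b"ABCD" * 2),
    build_packet("192.168.10.10", 50236, "96.126.103.196", 80, b"ABCD" * 2),
    build_packet("96.126.103.196", 80, "192.168.10.10", 50236, b"HTTPHTTP"),
])

if __name__ == "__main__":
    print(to_csv(tcp_stats(SAMPLE_PCAP)))
```

Because packets are appended in capture order without sequence-number reassembly, retransmissions and reordering change the byte histogram slightly; for a quick "is this stream compressed or encrypted?" triage that is usually acceptable, which is the trade-off the tool's description makes as well.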
Categories: Security Posts