Security Posts

Vulnerability management explained

AlienVault Blogs - 6 hours 8 mins ago
This blog was written by a third party author.

What is vulnerability management?

Every year, thousands of new vulnerabilities are discovered, requiring organizations to patch operating systems (OS) and applications and reconfigure security settings throughout their entire network environment. To proactively address vulnerabilities before they are used in a cyberattack, organizations serious about the security of their environment perform vulnerability management to achieve the strongest security posture possible. Vulnerability management is generally defined as the process of identifying, categorizing, prioritizing, and resolving vulnerabilities in operating systems, enterprise applications (whether in the cloud or on-premises), browsers, and end-user applications. As an ongoing process, vulnerability management seeks to continually identify vulnerabilities that can be remediated through patching and configuration of security settings.

Addressing threats with vulnerability management

Bad actors look to take advantage of discovered vulnerabilities in an attempt to infect a workstation or server. Managing threats is a reactive process: the threat must already be actively present. Vulnerability management, by contrast, is proactive, seeking to close the security gaps that exist before they are taken advantage of.

More than just patching vulnerabilities

It’s important to note that formal vulnerability management doesn’t simply involve the act of patching and reconfiguring insecure settings. Vulnerability management is a disciplined practice that requires an organizational mindset within IT that new vulnerabilities are found daily, and therefore that discovery and remediation must be continual.

What is considered a vulnerability?

Any means by which an external threat actor can gain unauthorized access or privileged control to an application, service, endpoint, or server is considered a vulnerability.
Tangible examples include communication ports open to the internet, insecure configurations of either software or OSs, methods by which to gain privileged access through approved interaction with a given application or OS, and a susceptibility to allow malware to infect a system.

How are vulnerabilities defined?

While security vendors can choose to build their own vulnerability definitions, vulnerability management is commonly seen as an open, standards-based effort using the Security Content Automation Protocol (SCAP) standard developed by the National Institute of Standards and Technology (NIST). At a high level, SCAP can be broken down into a few components:
  • Common vulnerabilities and exposures (CVE) – Each CVE defines a specific vulnerability by which an attack may occur.
  • Common configuration enumeration (CCE) – A CCE is a list of system security configuration issues that can be used to develop configuration guidance.
  • Common platform enumeration (CPE) – CPEs are standardized methods of describing and identifying classes of applications, operating systems, and devices within your environment. CPEs are used to describe what a CVE or CCE applies to.
  • Common vulnerability scoring system (CVSS) – This scoring system works to assign severity scores to each defined vulnerability and is used to prioritize remediation efforts and resources according to the threat. Scores range from 0 to 10, with 10 being the most severe.
Many public sources of vulnerability definitions, such as the National Vulnerability Database (NVD) or Microsoft’s security updates, exist and are freely available. Additionally, several vendors offer access to private vulnerability databases via paid subscription. Security configuration baselines are also used to establish how OSs and applications should be configured for the most security. The Center for Internet Security provides the broadest range of updated configuration baselines against which to assess and remediate configuration-based vulnerabilities.

The vulnerability management process

Every new vulnerability introduces risk to the organization. So, a defined process is often used to provide organizations with a way to identify and address vulnerabilities quickly and continually. At a high level, six processes make up vulnerability management, each with its own subprocesses and tasks.
  • Discover: You can’t secure what you’re unaware of. The first process involves taking an inventory of all assets across the environment and recording details including operating system, services, applications, and configurations in order to identify vulnerabilities. This usually includes both a network scan and an authenticated agent-based system scan. Discovery should be performed regularly on an automated schedule.
  • Prioritize: Second, discovered assets need to be categorized into groups and assigned a risk-based prioritization based on criticality to the organization.
  • Assess: Third is establishing a risk baseline for your point of reference as vulnerabilities are remediated and risk is eliminated. Assessments provide an ongoing baseline over time.
  • Remediate: Fourth, based on risk prioritization, vulnerabilities should be fixed (whether via patching or reconfiguration). Controls should be in place so that remediation is completed successfully and progress can be documented.
  • Verify: Fifth, validation of remediation is accomplished through additional scans and/or IT reporting.
  • Report: Finally, IT, executives, and the C-suite all need to understand the current state of risk around vulnerabilities. IT needs tactical reporting on vulnerabilities identified and remediated (by comparing the most recent scan with the previous one), executives need a summary of the current state of vulnerability (think red/yellow/green type reporting), and the C-suite needs something high-level like simple risk scores across parts of the business.
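To make the six steps concrete, here is an added Python example (not from the AlienVault post) that runs Discover, Prioritize, Assess, Verify and Report over two constructed scans. The inventory, the 1-3 criticality weights, the placeholder CVE ids and the red/yellow/green thresholds (taken from the CVSS v3 Critical and High bands) are assumptions of the example, not something the post specifies.

```python
"""Added example, not from the AlienVault post: a minimal model of the
six-step vulnerability management lifecycle run over two constructed scans.
Assumptions: asset criticality is a 1-3 weight set by the organization,
each finding carries a CVSS base score (0-10), and the red/yellow/green
summary uses the CVSS v3 Critical (>= 9.0) and High (>= 7.0) bands."""
from dataclasses import dataclass


@dataclass(frozen=True)          # frozen so findings are hashable (set arithmetic below)
class Finding:
    asset: str                   # inventory name from the Discover step
    cve: str                     # CVE id; the values below are constructed placeholders
    cvss: float                  # CVSS base score, 0.0 - 10.0


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int             # 1 = low, 2 = medium, 3 = high (Prioritize step)
    unit: str                    # part of the business, for the C-suite view


def risk_score(finding, assets):
    """Risk = CVSS x asset criticality: a 7.5 on a crown-jewel host (3)
    outranks a 9.8 on a throwaway lab box (1)."""
    return round(finding.cvss * assets[finding.asset].criticality, 1)


def prioritize(findings, assets):
    """Remediation order: highest risk first, deterministic tie-break."""
    return sorted(findings, key=lambda f: (-risk_score(f, assets), f.asset, f.cve))


def baseline(findings, assets):
    """Assess step: one number to track over time (total risk in the scan)."""
    return round(sum(risk_score(f, assets) for f in findings), 1)


def verify(previous, latest):
    """Verify step: diff the most recent scan against the previous one.
    Returns (remediated, new, persisting) as sets of Finding."""
    prev, cur = set(previous), set(latest)
    return prev - cur, cur - prev, prev & cur


def traffic_light(findings):
    """Executive summary colour, driven by the worst open finding."""
    worst = max((f.cvss for f in findings), default=0.0)
    if worst >= 9.0:
        return "red"
    if worst >= 7.0:
        return "yellow"
    return "green"


def business_unit_scores(findings, assets):
    """C-suite view: aggregate risk per part of the business (0.0 when clean)."""
    scores = {a.unit: 0.0 for a in assets.values()}
    for f in findings:
        unit = assets[f.asset].unit
        scores[unit] = round(scores[unit] + risk_score(f, assets), 1)
    return scores


def report(previous, latest, assets):
    """Report step: the three audiences named in the post, from one scan pair."""
    remediated, new, persisting = verify(previous, latest)
    return {
        "it": {"remediated": sorted(f.cve for f in remediated),
               "new": sorted(f.cve for f in new),
               "next_up": [f"{f.asset}:{f.cve}" for f in prioritize(latest, assets)]},
        "executive": {"status": traffic_light(latest),
                      "risk_before": baseline(previous, assets),
                      "risk_after": baseline(latest, assets)},
        "c_suite": business_unit_scores(latest, assets),
    }


# Constructed inventory and scan results (not real hosts or CVEs).
ASSETS = {a.name: a for a in (
    Asset("web-01", 3, "ecommerce"),
    Asset("db-01", 3, "ecommerce"),
    Asset("lab-07", 1, "rnd"),
)}
PREVIOUS = [
    Finding("web-01", "CVE-0000-0001", 7.5),
    Finding("lab-07", "CVE-0000-0002", 9.8),
    Finding("db-01", "CVE-0000-0003", 5.3),
]
LATEST = [                       # CVE-0000-0002 patched, CVE-0000-0004 newly found
    Finding("web-01", "CVE-0000-0001", 7.5),
    Finding("db-01", "CVE-0000-0003", 5.3),
    Finding("db-01", "CVE-0000-0004", 8.1),
]

if __name__ == "__main__":
    import json
    print(json.dumps(report(PREVIOUS, LATEST, ASSETS), indent=2))
```

Note that the 9.8 on the lab box is prioritized last: raw CVSS alone would have put it first, which is why the Prioritize step weights findings by asset criticality.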
Strong vulnerability management programs see each process (and any sub-processes) as a continual lifecycle designed to help improve security and reduce organizational risk found in the network environment. Strong programs see this as a daily process rather than a quarterly or annual one.

Vulnerability management solutions

Many commercial solutions exist to simplify and automate the process of vulnerability management. Some focus solely on vulnerability assessment, some perform vulnerability scanning only, while still others look to provide comprehensive coverage of the entire vulnerability management process. Additionally, many security solutions go beyond just offering vulnerability management, adding value by integrating other security functionality that, in total, helps to protect the environment better, including:
  • Asset discovery
  • Data classification
  • Intrusion detection
  • Privileged access management
  • Threat detection and response
  • SIEM and log data correlation
  • Compliance auditing and reporting
Categories: Security Posts

This is how EKANS ransomware is targeting industrial control systems

Zero Day | ZDNet RSS Feed - 7 hours 7 mins ago
New samples of the ransomware reveal the techniques used to attack critical ICS systems.

3 Steps to better cybersecurity in touchless business solutions (Part 2 of 3)

AlienVault Blogs - 8 hours 9 mins ago
This blog was written by an independent guest blogger.

In Part 1 of this series, we covered the first step to better cybersecurity in touchless business solutions, which is to practice extra caution in cashless payment solutions. We continue by discussing the second step to improve cybersecurity for touchless systems, which is to increase protocols for cybersecurity and data privacy.

Heighten cybersecurity and data protection protocols

Amazon launched Amazon Go in 2016, a connected grocery store that promises no lines, no check-outs, and no registers. It uses what Amazon calls “Just Walk Out” technology, which integrates computer vision, deep learning algorithms, and sensor fusion, just like the technology in self-driving cars. Shoppers can just walk into an Amazon Go store, check in through the Amazon Go app on their phones, and shop. They check out automatically by picking items off the shelf: the multiple sensors within the store record the items the customer has taken, and the customer’s account is charged for those items through the app.

In China, Jack Ma’s Alibaba has opened around 65 locations for its Hema Store, which utilise robotic technology, online payment apps, and overhead conveyor belts to revolutionise the shopper’s experience. It’s a great mix of online and offline shopping, where customers physically go to a store, browse items they want to buy, and then scan products with their Alibaba app to get more product details or add the product to their cart. Consumers can also choose to have the products delivered right to their homes, even within the next 30 minutes.

Xenia and Aurus also aim to put the power of the POS (point of sale) in the pocket of their guests. They offer cashierless technology that provides a seamless shopping experience in furniture retail. In its app, you will see product details, purchase history, peer reviews, recommended items, and other additional information useful for guests.
The consumer can start a cart from home, seamlessly shift to the offline store, and end the transaction through instant cart-to-“paystation” transfers. Caper introduces self-directed check-out with its AI-powered shopping carts with image recognition and sensor fusion. These “Smart Carts” were launched in a couple of grocery stores in New York City in 2019. Instead of installing hardware and retrofitting the entire store, which not all businesses would be able to implement immediately, Caper works with simple software integration so shoppers can scan, pay, and go. Carts are connected to the store’s central POS system and can scan the grocery item barcode with no app download necessary. The system can interact with customers by providing a store map and item locator, recommending items on sale, and informing customers of any promotions or deals to avail of. A shopper can pay directly on the cart with either their debit/credit card or through mobile payment for a complete cashierless, self-check-out system.

This concept may be more viable for small to medium scale grocery owners who can opt for a few smart carts at a time.

Risks in cashierless operations

Consumer data at risk

Amazon has a significant advantage when it comes to data in setting up their Amazon Go stores. Using deep learning, Amazon can compile a list of highly purchased items in their online store and make it available in a specific locality. Every time you shop, whether online or in an Amazon Go store, your buying preferences and consumer habits (even the length of time you perused certain items) are recorded for future reference. Some experts see this as a very invasive, privacy-eroding strategy for collecting data on consumer habits. Some experts are also baffled why Amazon, which dominates with nearly 50% of the eCommerce industry, would want to open a brick-and-mortar store. Despite the backlash, cashierless stores such as Amazon Go fit well into what our “new normal” will look like in a few months. Amazon is launching 3,000 Amazon Go stores by 2021. Alibaba’s Hema stores are also set to be available in every major city in China. Touchless technologies will continue to emerge to serve the growing demand for social-distancing modes of retail.

Potential for hacking

Amazon has amassed tons of data through its line of products: Prime, Kindle, Fire TV, Twitch, Amazon Web Services (AWS)-hosted platforms, and the infamous Alexa. Adding Amazon Go to this fleet of data collection channels makes Amazon a bigger target for hackers. Whether Amazon will monetise user data in the future is something experts are not yet sure of, but it is a possibility. The potential for hacking within their systems and breaching that massive wealth of consumer data is another troubling possibility.

How we can stay protected

It now comes down to how robust a security system Amazon and other similar companies put in place to prevent a data breach of any sort.
Other related companies that gather consumer data must invest in and prioritise cybersecurity and data protection as they continue to develop technologies in response to current global needs. For individual consumers, practice online hygiene by minimising your digital footprint. Do not just give out your sensitive information everywhere, especially to entities that will not be accountable to you regarding the use of your data. Manage your subscriptions strictly and have separate credentials for banking and eCommerce transactions, different from the ones you use for browsing, online subscriptions, and social media. Set measures like complex passwords changed routinely and two-step verification. These are simple measures you can layer up to strengthen your cybersecurity and data protection. Get comprehensive security software that can protect you, your devices, and your data from malware attacks and data breaches. Online shopping and banking of any sort without the proper protection is like going to war without any weapon or armour. And in our digital world, the more we automate, as in a cashierless environment, the more susceptible we are to digital attacks if we do not upgrade our security systems.

133m records for sale as fruits of data breach spree keep raining down

Naked Security Sophos - 8 hours 47 mins ago
Databases can be had for as little as $100, on up to $1,100. Most, if not all, are being sold by the hacking group Shiny Hunters.

5 ways to reduce risky habits online

Webroot - 9 hours 9 mins ago
After surveying more than 10,000 people in 50 states about their cybersecurity habits, we wound up with some pretty surprising results. Like the fact that tech experts demonstrate riskier behaviors than average Americans. But the most significant result of all was the fact that most Americans are more confident than they should be when it comes to practicing good cyber hygiene. So, we thought this would be a good opportunity to highlight a few of the riskiest behaviors from the report and suggest ways to correct them and minimize your chances of falling for a cyberattack.

Small business owners beware
  • The problem – It’s not easy being a home-based business owner. Also known as very small businesses (VSBs), they’re often too busy and stretched thin just running their businesses. They often lack the time and resources to do everything they should to protect their important business files from online threats.
  • Risky habits – Around 80% of VSB owners use the same device for both work and personal use. In addition, 71% use the same password for their personal and business accounts, putting both their personal life and company at risk.
  • The fix – Owning separate devices for personal and small business use can be cost-prohibitive. But you can enforce better security by partitioning business files on your hard drive and creating a secure password to access those files. Make sure that password is different from any you’re using for personal use. Again, easier said than done in today’s world of password proliferation. If you’re struggling to keep track of all your passwords, consider using a password management app, especially for business files.
Knowing is half the battle
  • The problem – There is a gap between awareness and real understanding of cyber-related attacks. Most Americans can confidently explain phone scams but are not as equipped to explain malware or phishing. This indicates that Americans may not be as prepared to confront risks as they think.
  • Risky habits – Americans who never read the news are 70% less likely to recognize malware, phishing, ransomware or crypto-mining, and 51% less likely to be able to confidently explain these risks. Compare this with 89% of Americans who consistently consume technology news and can confidently explain common cybersecurity risks.
  • The fix – Not everyone can afford security awareness training, but if you’re a business, consider the cost and consequences of a data breach to your business. Regular security awareness training can significantly increase your ability to identify and prevent a malware or phishing attack. If you’re a consumer or VSB owner, you can easily find free sources of cybersecurity news (like this one!). As the report shows, being a regular reader of tech news can significantly raise your awareness and reduce your risk.
Digital defense and immunity
  • The problem – One in five Americans say they’ve been impacted by malware in the past year. While 61% of Americans say they’ve not been impacted, 18% aren’t sure. And with only 32% of Americans who feel they understand cyber-related attacks, it’s likely that many more have been impacted and just don’t know it.
  • Risky habit – Many businesses and users haven’t updated their defenses. They haven’t updated their antivirus protection to include cloud-based threat intelligence, AI and machine-learning (ML). Or they’re failing to install necessary patches to plug holes in applications. And they’re still running obsolete operating systems, like Windows 7 or Server 2008, leaving them highly exposed.
  • The fix – For today’s advanced threats, you need multiple layers of protection, including advanced antivirus as well as backup. Having just one of these layers is not enough. Perimeter protection with AI/ML functionality is critical for identifying polymorphic code that changes with each device it seeks to infect. Backup is essential for mitigating phishing attacks and disaster scenarios. Cybercriminals can also identify outdated operating systems. So, it’s worth the extra cost to update them, even if the hardware they’re running on is still functioning normally.
Identity theft
  • The problem – Poor cybersecurity often leads to identity theft. Failing to wipe a device before discarding it is one problem. So is sharing personal information on social media and video streaming sites. The more hackers know about you, the easier it is for them to impersonate you online.
  • Risky habits – A quarter of Americans have had their identity stolen, including 8% who have been a victim of identity theft more than once. Twice as many people who use mobile banking apps have been victims compared with those who don’t. Across industries, those in technology, banking and automotive are most likely to become victims of identity theft.
  • The fix – Cover your tracks wherever you go. Erase the contents on a device before discarding it. Beware of the personal information you reveal on social media. And consider using a bank’s website rather than its app for personal banking.
Something phishy
  • The problem – We knew phishing was a problem. In fact, it may be even bigger than our results indicate. A lot of users don’t know how to identify phishing scams. You can’t protect yourself from threats you don’t see coming.
  • Risky habits – According to the report, 36% of respondents claim to have fallen for a phishing scam. But more enlightening is that only 35% claim to know how to identify a phishing attack. Similar to the lack of understanding about cyber-related attacks in general, the report seems to indicate that phishing is far more prevalent than the data indicate.
  • The fix – Learn the tricks of the phishing trade, like bogus URLs and emails that ask you to confirm personal and banking information. Remember, bank logos can be easily faked. And banks won’t typically reach out to you for information they already have on file. If someone claiming to be from a bank contacts you by phone, call them back on an authentic customer service number from one of your banking statements.
Where to learn more

Want to read the complete 2020 state-by-state results? You can download a copy here. If you have any questions about improving your cybersecurity habits, feel free to reach out to us.

The post 5 ways to reduce risky habits online appeared first on Webroot Blog.

DLL Injection: How to Hack Windows with msfvenom and PowerShellMafia

Un informático en el lado del mal - 10 hours 9 mins ago
While adding knowledge to our ATTPwn tool, where we intend to add emulation of the threat known as Duqu, I had to dig a little deeper into what DLL injection actually is. DLL injection is also one of the many techniques catalogued by MITRE ATT&CK, and it is used basically to execute code inside a process that is already running.
Figure 1: DLL Injection: How to Hack Windows with msfvenom and PowerShellMafia


In this particular case, it consists of forcing the loading and execution of a dynamic library that was not planned for in the original design. As a reminder, DLLs (Dynamic Link Libraries) are pieces of code that the operating system loads on demand while an application is running.
Figure 2: Hacking Windows book
In the book “Hacking Windows: Ataques a sistemas y redes Microsoft” from the publisher 0xWord you will find this and many other types of attacks against the Windows platform aimed at bypassing the system’s protections.

Playing with DLLs

Now that we know more about this technique, let’s put it into practice with a PoC to play a bit with DLL injection and review some concepts that will come in handy for what follows. The script is on GitHub.
Figure 3: Script for the PoC
We will do it with the help of the following script which, given the ID of any process, tries to inject into it the DLL we have generated for code execution, using the following calls that can be quickly identified:

  • VirtualAllocEx: reserves and/or commits a region of pages in the virtual address space of the process that invokes it.
  • WriteProcessMemory: lets us write data into an area of memory of a specific process.
To start we need to create a DLL; for that we will use msfvenom with the following command:

/usr/bin/msfvenom -a x86 --platform Windows -p windows/exec CMD='cmd.exe /k "echo this is a PoC of DLL injection Attpwn"' -f dll > attpwn.dll
Injecting the DLL into a process

In this case we generated the library for x86; if we want it to run on x64 machines, we will have to change that parameter. The final goal of this DLL generated with this Metasploit module is to launch a CMD that shows the text “this is a PoC of DLL injection Attpwn”.

Figure 4: Metasploit para Pentesters Gold Edition
We also need the PID of the process into which we want to inject the DLL generated above. For our proof of concept we will spawn a new Notepad process and keep that process’s details with the following line:

$app = Start-Process notepad -passthru
Since we want to be able to run this script as many times as we like, and for that we need to pass it the .DLL file, we will base64-encode the DLL file so that it is embedded in the script itself, as shown in the following image.

Figure 5: Base64-encoded DLL

Depending on the architecture of the machine where our DLL will run, we will have to launch the x64 or the 32-bit (x86) library.

Using PowerShellMafia

Once we have the embedded library and the process we want to put the DLL into, the following code creates a folder where we save the embedded library and then loads it with the PowerShellMafia script, passing it the process ID and the path of the library we just saved.

# $FileBytes holds the DLL bytes decoded from the base64 string embedded in the script (Figure 5)
New-Item "$Env:SystemDrive\attpwn" -ItemType Directory
$path = "$Env:SystemDrive\attpwn"
$filePath = "$Env:SystemDrive\attpwn\inject.DLL"
$FileBytes | Set-Content $filePath -Encoding Byte    # -Encoding Byte is Windows PowerShell 5.1 syntax
# Invoke-DllInjection is PowerShellMafia's PowerSploit function (CodeExecution), loaded beforehand
$execution = Invoke-DllInjection -ProcessID $app.Id -Dll $filePath
When we run that code we can see the console with the DLL’s message and Notepad behind it. Note that the CMD will have the same privileges as the process it is injected into.

Figure 6: DLL Injection PoC with PowerShellMafia
In the video in Figure 6 you can see an example of how DLL injection can be done with PowerShellMafia, so you can try it yourself.

Final thoughts

This technique is not only used by malicious processes; it is also used for remote code debugging. In my case, without being aware of it, I used it with the Embarcadero IDE, which ships an executable and some libraries, transparently to the developer. That executable looked up the PID of the process of the binary to be debugged and, through those DLLs, managed to communicate with the remote computer so that the code could be debugged from a remote location.

Figure 7: Máxima Seguridad en Windows Gold Edition by Sergio de los Santos
In conclusion, starting from a legitimate process, this technique can be used to run a shell through which to keep gathering information about the environment and finally compromise it completely. To minimize the risks of this technique we can use tools that Windows provides, such as AppLocker, which can control .dll files through scripts or rules that are added. In the book “Máxima Seguridad en Windows: Secretos Técnicos” you will find more information on how to protect your Microsoft system as much as possible.

Author: Víctor Rodriguez Boyero, Security Researcher on the Ideas Locas team of Telefónica’s CDCO.

Facebook says 5,000 app developers got user data after cutoff date

Zero Day | ZDNet RSS Feed - 16 hours 43 mins ago
A Facebook privacy mechanism blocks apps from receiving user data if users didn't use an app for 90 days. Facebook said 5,000 apps continued to receive user data regardless.

ISC Stormcast For Thursday, July 2nd 2020 https://isc.sans.edu/podcastdetail.html?id=7064, (Thu, Jul 2nd)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Setting up the Dshield honeypot and tcp-honeypot.py, (Wed, Jul 1st)

After Johannes did his Tech Tuesday presentation last week on setting up Dshield honeypots, I thought I'd walk you through how I set up my honeypots. I like to combine the Dshield honeypot with Didier Stevens' tcp-honeypot so I can capture more suspicious traffic. Today, I'll walk you through my setup using a VM hosted by Digital Ocean, though the steps would work for pretty much any cloud provider. I'm using Digital Ocean because you can set up a simple VM that is more than adequate as a honeypot for $5/mo. So, let's get to it.

First off, I'm going to create a new droplet (you may have to create a new project first). It is pretty straightforward. As you can see, that gets you a VM with 1 processor and 1GB of RAM, but that will be plenty. Next, you get to choose which datacenter you want this VM running in. For this exercise, I'm choosing London, but my next one might be Bangalore or Singapore or Toronto (you know how those Canadians are). There are a few more decisions you need to make. I highly recommend that you upload an ssh public key rather than setting a root password, but once you've done all that, hit the button to create your VM and wait until it comes back with the public IP of said new VM.

Now, from wherever you intend to administer the VM from, slogin root@<ip of your VM>, and one of the first things I would do (assuming you used a public key) is to modify /etc/ssh/sshd_config and change PermitRootLogin to without-password (don't get me started on what a poor choice that was for the name for enforcing only key-based logins). From this point on, I'll mostly follow the instructions found on github for installing the Dshield honeypot on Ubuntu. Note, I can skip the step about installing openssh-server since that is already there by default. Before installing the honeypot, let's get the system current on patches:

# apt update && apt full-upgrade -y && init 6

So, we're now up-to-date on patches.
Personally, there are a few other things that I add now to help me administer the honeypot, like installing aide and apticron. I also tweak the settings for unattended-upgrades, and modify /etc/postfix/main.cf to set the interfaces line to loopback-only, but we have a reasonably minimal system at this point.

Next we'll get the install script from github (git is also already installed) and actually install the Dshield honeypot. Then you can run dshield/bin/install.sh to do the actual install. A couple of things to beware of in doing the install. First, make sure you include the IP of the system from which you plan to administer the honeypot in the 'local' IPs. Trust me, I've locked myself out more than once by forgetting that, so learn from my mistakes. Then, I'm going to set this honeypot for manual update for reasons I'll explain below. Otherwise, I pretty much just take the defaults and paste in my e-mail and API key from my account page at isc.sans.edu.

At this point, you actually should have a working Dshield honeypot, but as I mentioned above, I want to add another honeypot tool. I've become a big fan of Didier Stevens' tcp-honeypot-3.py (he's going to rename it when he officially releases it sometime soon-ish, because it can also do UDP), but I'm using the 0.1.0 version from Feb 2020. He appears not to have checked it into his github beta repo, so if you want to play with the version I'm using, I guess you could contact me or just wait for Didier's official release whenever that happens. I've actually made 2 minor modifications to the 0.1.0 version: the first is that I make it log to /var/log/tcp-honeypot-3/, and the second is that I've fixed the logging so that it shows src-dst rather than dst-src. The latter fix Didier has already incorporated, and I expect he'll have a way of doing the former by the time he releases.
I've also created a systemd unit file (no, I don't want to get into the religious wars about how good or awful systemd is; that's what all the Linux distros are going with, so that is what I'm using to make sure the tcp-honeypot starts up with the system). Again, I've shared it with Didier, but if you want to play with it now, I've temporarily put it up on my own github (though I will probably remove it if Didier includes it with his release); you can find it here.

So, now I have both the Dshield honeypot and tcp-honeypot on the system, but the tcp-honeypot isn't actually capturing anything. The problem is, the Dshield honeypot is controlling the iptables rules. So, we'll need to modify those rules to allow traffic through to the tcp-honeypot. The reason I set the Dshield honeypot to manual updates is that any update to the Dshield honeypot would wipe out these changes to the iptables rules. Johannes is working on an update to allow the "local" iptables rules to persist, so at some point I'll be able to turn auto update back on. He's also working on handling IPv6, too (which the current version of the honeypot disables completely on your VM). No pressure, Johannes, now that others know you are working on it there's no pressure to get it done soon. :-)

With the systemd unit file properly placed into /etc/systemd/system/, I can run

# systemctl enable tcp-honeypot && systemctl start tcp-honeypot

Now, let's see what all is listening on my honeypot. I'll quickly run lsof -Pni and I get the following. So, those python3 lines are the tcp-honeypot; the ones running as the cowrie user are the standard Dshield honeypot processes. I need to update the iptables rules to allow traffic through to the tcp-honeypot. I could do this in a couple of ways, but ultimately, we need to remember that the rules that the Dshield honeypot installed are located in /etc/network/iptables. So, we could modify that file, and then run iptables-restore < /etc/network/iptables.
I actually chose to first run iptables-save > /etc/network/iptables, just to make sure that there was no difference between that file and what was live on the system. Then I added the 2 rules in the green box below to allow traffic through to the ports that tcp-honeypot is listening on and then ran the iptables-restore < /etc/network/iptables mentioned above. This way, I was reasonably certain I wouldn't lock myself out in the process. And there you have it. My honeypot is now more flexible with both the standard Dshield honeypot and Didier's tcp-honeypot. Now if I see strange spikes in traffic to unknown ports, I can have tcp-honeypot listen on that port, update the appropriate rule above (for TCP or UDP) do the iptables-restore and I'll have a log where I can look at that traffic and hopefully figure out what the attackers are looking for. I hope you found this useful, if you have questions or suggestions, feel free to comment here or e-mail me. ---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
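As an added example (not part of Jim's diary, and not a DShield or tcp-honeypot script), here is a small POSIX shell helper that does the rule edit the diary describes while guarding against the lockout it warns about: it inserts an ACCEPT rule for the tcp-honeypot ports into a saved iptables dump, and it refuses to hand a rule set to iptables-restore if that set no longer accepts the admin host. The admin address 192.0.2.10, the sample dump and the port lists are constructed placeholders; the rule position (top of the filter INPUT chain) and the multiport syntax are my choices, not the diary's green-box rules.

```shell
#!/bin/sh
# Added example, not the diary's or DShield's own script. Assumptions:
# the rules file is /etc/network/iptables (as the diary says), the admin
# host 192.0.2.10 is a placeholder, and the ports are passed by the caller.

ADMIN_IP="${ADMIN_IP:-192.0.2.10}"   # placeholder: the host you administer from

# Constructed iptables-save style dump, used to demonstrate the helpers offline.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Succeed iff the dump on stdin accepts traffic from admin host $1 in INPUT.
has_admin_accept() {
    ip=$(printf '%s' "$1" | sed 's/\./\\./g')     # keep the dots literal in the regex
    grep -Eq "^-A INPUT -s $ip(/32)? (.* )?-j ACCEPT$"
}

# Insert one ACCEPT rule for the honeypot ports at the top of the filter
# table's INPUT chain. $1 = tcp|udp, $2 = comma-separated ports (multiport
# takes up to 15). Reads a dump on stdin, writes the new dump on stdout.
add_honeypot_rules() {
    awk -v proto="$1" -v ports="$2" '
        /^\*/ { table = $0 }                        # remember which table we are in
        table == "*filter" && !done && (/^-A INPUT / || /^COMMIT/) {
            printf "-A INPUT -p %s -m multiport --dports %s -j ACCEPT\n", proto, ports
            done = 1
        }
        { print }
    '
}

# Only hand a rules file to iptables-restore if the admin host is still allowed.
safe_restore() {
    if ! has_admin_accept "$ADMIN_IP" < "$1"; then
        echo "refusing to restore $1: no ACCEPT for $ADMIN_IP in INPUT" >&2
        return 1
    fi
    iptables-restore < "$1"
}

# The diary's workflow end to end (needs root; defined here, not run):
# snapshot the live rules, add the honeypot rule, restore with the check.
apply_live() {
    f=/etc/network/iptables
    iptables-save > "$f"
    add_honeypot_rules "$1" "$2" < "$f" > "$f.new" && mv "$f.new" "$f"
    safe_restore "$f"
}
```

On a real honeypot you would call apply_live once per protocol (for example apply_live tcp 80,443 and then apply_live udp 5060), which mirrors the diary's two rules; running safe_restore by hand against /etc/network/iptables is a cheap way to catch a missing admin rule before an iptables-restore takes the SSH session with it.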
Categories: Security Posts

MACsec Hardware Testing—Why Back-to-Back Validation Falls Short

BreakingPoint Labs Blog - 17 hours 23 mins ago
MACsec has become an important encryption technology that is shipped with next-generation chips,…
Categories: Security Posts

ATI Adds Maze Ransomware Attack Campaign

BreakingPoint Labs Blog - 17 hours 23 mins ago
Last month, the Application and Threat Intelligence (ATI) Team released a new type of cyberattack…
Categories: Security Posts

Monitoring SSL VPN Gateways - A Step-by-Step Guide

BreakingPoint Labs Blog - 17 hours 23 mins ago
Virtual private network (VPN) connectivity is one of the most critical services in today’s…
Categories: Security Posts

Assess the Effectiveness of Dynamic NGFW Updates: Palo Alto Security Audit

BreakingPoint Labs Blog - 17 hours 23 mins ago
One benefit of breach and attack simulation is continuous assessment, and I set Keysight Threat…
Categories: Security Posts

Assess Cloud-based Web Application Firewalls with Breach and Attack Simulation

BreakingPoint Labs Blog - 17 hours 23 mins ago
Securing your web applications is a necessity. As the 2020 Verizon DBIR reports, web application…
Categories: Security Posts

Lessons Learned from Verizon DBiR 2020

BreakingPoint Labs Blog - 17 hours 23 mins ago
Verizon had just released its annual Data Breach Incident Report (DBiR) 2020. It analyzes 32,002…
Categories: Security Posts

"Tap if you can, SPAN if you must."

BreakingPoint Labs Blog - 17 hours 23 mins ago
If you've ever wondered why that piece of advice is fairly common among IT and security…
Categories: Security Posts

Be Confident Stopping Hancitor, Wannacry Internal, & more

BreakingPoint Labs Blog - 17 hours 23 mins ago
Being current is critical in cybersecurity. When attacks spring up you worry if you're protected.…
Categories: Security Posts

US CERTS Top 10 Exploits in the Wild

BreakingPoint Labs Blog - 17 hours 23 mins ago
We love to think about security in terms of dark geniuses with hoodies, face tats and piercings…
Categories: Security Posts

COVID-19 Late Testing a Lesson for Every Network Equipment Manufacturer

BreakingPoint Labs Blog - 17 hours 23 mins ago
I was watching the TED talk by Bill Gates recorded in March 2020 about how humanity should have…
Categories: Security Posts

Connection discovered between Chinese hacker group APT15 and defense contractor

Zero Day | ZDNet RSS Feed - 17 hours 44 mins ago
Lookout said it linked APT15 malware to Xi'an Tianhe Defense Technology, a Chinese defense contractor.
Categories: Security Posts