Offensive Security Conference – February 12-17 2018 // Berlin
If you haven’t already registered/made travel arrangements, perhaps the speakers list will hurry you along.
While you wait for the conference, can you match the author(s) to the papers based on title alone? Several papers have multiple authors, but which ones?
Enjoy!
It took more than a wallet-sized photo, but until patched, the Window 10 Hello facial recognition feature accepted a near IR printed (340×340 pixel) image to access a Windows device.
Catalin Cimpanu has the details at: Windows 10 Facial Recognition Feature Can Be Bypassed with a Photo.
The disturbing line in Cipanu’s report reads:
…
The feature is not that widespread since not many devices with the necessary hardware, yet when present, it is often used since it’s quite useful at unlocking computers without having users type in long passwords.
…
When hardware support for Windows Hello spreads, you can imagine its default use in corporate and government offices.
The Microsoft patch may defeat a 2-D near IR image but for the future, I’d invest in a 3-D printer with the ability to print in the near IR.
I don’t think your Guy Fawkes mask will work on most Windows devices:
But it might make a useful “cover” for a less common mask. If security forces have to search every Guy Fawkes mask, some Guy Fawkes+ masks are bound to slip through. Statistically speaking.
If you watched Natalie Silvanovich‘s presentation on mining the JavaScript standard for vulnerabilities, the tweet from Computer Science @CompSciFact pointing to Programming Languages Used for Music must have you drooling like one of Pavlov‘s dogs.
I count one hundred and forty-seven (147) languages, of varying degrees of popularity, none of which has gotten the security review of ECMA-262. (Michael Aranda wades through terminology/naming issues for ECMAScript vs. JavaScript at: What’s the difference between JavaScript and ECMAScript?.)
Good hunting!
From the description:
Web standards are ever-evolving and determine what browsers can do. But new features can also lead to new vulnerabilities as they exercise existing functionality in new and unexpected ways. This talk discusses some of the more interesting and unusual features of JavaScript, and how they lead to bugs in a variety of software, including Adobe Flash, Chrome, Microsoft Edge and Safari.
Natalie Silvanovich is a security researcher at Google Project Zero.
Whether you are looking for origin of bugs in a standard or playing the long game, creating the origin of bugs in standards (NSA for example), this is a must watch video!
A transcript with CVE links, etc, would be especially useful.
How a Dorm Room Minecraft Scam Brought Down the Internet by Garett M. Graff.
From the post:
The most dramatic cybersecurity story of 2016 came to a quiet conclusion Friday in an Anchorage courtroom, as three young American computer savants pleaded guilty to masterminding an unprecedented botnet—powered by unsecured internet-of-things devices like security cameras and wireless routers—that unleashed sweeping attacks on key internet services around the globe last fall. What drove them wasn’t anarchist politics or shadowy ties to a nation-state. It was Minecraft.
…
Graff’s account is mandatory reading for:
Enjoy!
Acts 20:35 records Jesus as saying, in part: “It is more blessed to give than to receive.”
Mall shoppers may honor that admonition without their knowledge (or consent).
Automated WPA Phishing Attacks: WiFiPhisher
From the webpage:
Wifiphisher is a security tool that mounts automated victim-customized phishing attacks against WiFi clients in order to obtain credentials or infect the victims with malwares. It is primarily a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages (e.g. in social networks) or WPA/WPA2 pre-shared keys.
…
Security advice for mallers:
Otherwise, you may have a very blessed holiday shopping experience.
Network Security Testing: Evil Foca
From the webpage:
Evil Foca is a tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks. The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.
…
The tool is capable of carrying out various attacks such as:
- MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
- MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
- DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
- DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
- DNS Hijacking.
…
Requirements
- Windows XP or later.
…
ATMs and users running Windows XP are justification for possessing Windows XP.
But upgrading from Windows XP as an operations platform should be encouraged. For any purpose.
Yes?
Otherwise, what’s next? A luggable computer for your next assignment?
From the webpage:
Python script to explore exploits from exploit-db.com. Exist a similar script in Kali Linux, but in difference this python script will have provide more flexibility at search and download time.
…
Looks useful, modulo the added risk of a local copy.
Open Distributed Threat Intelligence: Yeti
From the webpage:
Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don’t have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it.
Yeti was born out of frustration of having to answer the question “where have I seen this artifact before?” or Googling shady domains to tie them to a malware family.
In a nutshell, Yeti allows you to:
- Submit observables and get a pretty good guess on the nature of the threat.
- Inversely, focus on a threat and quickly list all TTPs, Observables, and associated malware.
- Let responders skip the “Google the artifact” stage of incident response.
- Let analysts focus on adding intelligence rather than worrying about machine-readable export formats.
- Visualize relationship graphs between different threats.
This is done by:
- Collecting and processing observables from a wide array of different sources (MISP instances, malware trackers, XML feeds, JSON feeds…)
- Providing a web API to automate queries (think incident management platform) and enrichment (think malware sandbox).
- Export the data in user-defined formats so that they can be ingested by third-party applications (think blocklists, SIEM).
…
Yeti sounds like a good tool, but always remember: You Are What You Record.
Innocent activities captured in your Yeti repository could be made to look like plans for criminal activity.
Just a word to the wise.
KubeCon/CloudNativeCon just concluded in Austin, Texas with 179 videos now available on YouTube.
A sortable list of presentations: https://kccncna17.sched.com/. How long that will persist isn’t clear.
If you missed Why The Federal Government Warmed Up To Cloud Computing, take a minute to review it now. It’s a promotional piece but the essential take away, government data is moving to the cloud, remains valid.
To detect security failures during migration and post-migration, you will need to know cloud technology better than the average migration tech.
The videos from KubeCon/CloudNativeCon 2017 are a nice starter set in that direction.
Very Fast Network Logon Cracker: THC-Hydra
From the webpage:
Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast. This fast, and many will say fastest network logon cracker supports many different services. Deemed ‘The best parallelized login hacker’: for Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support and is part of Nessus.
If you don’t know CyberPunk, they have great graphics:
If you have found the recent 1.4 billion password dump, THC-Hydra is in your near future.
Half of companies fail to tell customers about data breaches, claims study by Nicholas Fearn.
From the post:
Half of organisations don’t bother telling customers when their personal information might have been compromised following a cyber attack, according to a new study.
The latest survey from security firm CyberArk comes with the full implementation of the European Union General Data Protection Regulation (GDPR) just months away.
Organisations that fail to notify the relevant data protection authorities of a breach within 72 hours of finding it can expect to face crippling fines of up to four per cent of turnover – with companies trying to hide breaches likely to be hit with the biggest punishments.
The findings have been published in the second iteration the CyberArk Global Advanced Threat Landscape Report 2018, which explores business leaders’ attitudes towards IT security and data protection.
The survey found that, overall, security “does not translate into accountability”. Some 46 per cent of organisations struggle to stop every attempt to breach their IT infrastructure.
And 63 per cent of business leaders acknowledge that their companies are vulnerable to attacks, such as phishing. Despite this concern, 49 per cent of organisations don’t have the right knowledge about security policies.
…
You can download the report cited in Fearn’s post at: Cyberark Global Advanced Threat Landscape Report 2018: The Business View of Security.
If you think that report has implications for involuntary/inadvertent transparency, Cyberark Global Advanced Threat Landscape Report 2018: Focus on DevOps, reports this gem:
…
It’s not just that businesses underestimate threats. As noted above, they also do not seem to fully understand where privileged accounts and secrets exist. When asked which IT environments and devices contain privileged accounts and secrets, responses (IT decision maker and DevOps/app developer respondents) were at odds with the claim that most businesses have implemented a privileged account security solution. A massive 98% did not select at least one of the ‘containers’, ‘microservices’, ‘CI/CD tools’, ‘cloud environments’ or ‘source code repositories’ options. At the risk of repetition, privileged accounts and secrets are stored in all of these entities.
…
A fail rate of 98% on identifying “privileged accounts and secrets?”
Reports like this make you wonder about the clamor for transparency of organizations and governments. Why bother?
Information in 2018 is kept secure by a lack of interest in collecting it.
Remember that for your next transparency discussion.
If you know or are interested in >A Guide To Kernel Exploitation: Attacking the Core by Enrico Perla and Massimiliano Oldani, the source files are now available at: https://github.com/yrp604/atc-sources.
The website that accompanied the book is now reported to be defunct. Thanks to yrp604 for preserving these files.
Enjoy!
1.4 Billion Clear Text Credentials Discovered in a Single Database by Julio Casal.
From the post:
Now even unsophisticated and newbie hackers can access the largest trove ever of sensitive credentials in an underground community forum. Is the cyber crime epidemic about become an exponentially worse?
While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date.
None of the passwords are encrypted, and what’s scary is the we’ve tested a subset of these passwords and most of the have been verified to be true.
The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records. This dump aggregates 252 previous breaches, including known credential lists such as Anti Public and Exploit.in, decrypted passwords of known breaches like LinkedIn as well as smaller breaches like Bitcoin and Pastebin sites.
This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.
This database makes finding passwords faster and easier than ever before. As an example searching for “admin,” “administrator” and “root” returned 226,631 passwords of admin users in a few seconds.
The data is organized alphabetically, offering examples of trends in how people set passwords, reuse them and create repetitive patterns over time. The breach offers concrete insights into password trends, cementing the need for recommendations, such as the NIST Cybersecurity Framework.
… (emphasis in original)
The full post goes onto discuss sources of the data, details of the dump file, freshness and password reuse. See Casal’s post for those details.
But no links were provided to the:
“…largest trove ever of sensitive credentials in an underground community forum.”
How would you go about verifying such a discovery?
The post offers the following hints:
With #1, clear text credentials, I should be able to search for #2 “imported.log” and one of fifty-five (55) unique file names to come up with a fairly narrow set of search results. Not perfect but not a lot of manual browsing.
All onion search engines have .onion addresses.
Ahmia Never got to try one of the file names, “imported.log” returns 0 results.
Caronte I entered “imported.log,” but Caronte searches for “imported log.” Sigh, I really tire of corrective search interfaces. You? No useful results.
Haystack 0 results for “imported.log.”
Not Evil 3973 “hits” for “imported.log.” With search refinement, still no joy.
Bottom line: No verification of the reported credentials discovery.
Possible explanations:
Verification is all the rage in mainstream media.
How do you verify reports of content on the Dark Web? Or do you?
Apache Kafka: Online Talk Series
From the webpage:
Watch this six-part series of online talks presented by Kafka experts. You will learn the key considerations in building a scalable platform for real-time stream data processing, with Apache Kafka at its core.
This series is targeted to those who want to understand all the foundational concepts behind Apache Kafka, streaming data, and real-time processing on streams. The sequence begins with an introduction to Kafka, the popular streaming engine used by many large scale data environments, and continues all the way through to key production planning, architectural and operational methods to consider.
Whether you’re just getting started or have already built stream processing applications for critical business functions, you will find actionable tips and deep insights that will help your enterprise further derive important business value from your data systems.
Video titles:
1. Introduction To Streaming Data and Stream Processing with Apache Kafka, Jay Kreps, Confluent CEO and Co-founder, Apache Kafka Co-creator.
2. Deep Dive into Apache Kafka by Jun Rao, Confluent Co-founder, Apache Kafka Co-creator.
3. Data Integration with Apache Kafka by David Tucker, Director, Partner Engineering and Alliances.
4. Demystifying Stream Processing with Apache Kafka, Neha Narkhede, Confluent CTO and Co-Founder, Apache Kafka Co-creator.
5. A Practical Guide to Selecting a Stream Processing Technology by Michael Noll, Product Manager, Confluent.
6. Streaming in Practice: Putting Kafka in Production by Roger Hoover, Engineer, Confluent. (Registration required. Anyone know a non-registration version of Hoover’s presentation?)
I was able to find versions of the first five videos that don’t require you to register to view them.
I make it a practice to dodge marketing department registrations whenever possible.
You?
Zero Days, Thousands of Nights – The Life and Times of Zero-Day Vulnerabilities and Their Exploits by Lillian Ablon, Timothy Bogart.
From the post:
Zero-day vulnerabilities — software vulnerabilities for which no patch or fix has been publicly released — and their exploits are useful in cyber operations — whether by criminals, militaries, or governments — as well as in defensive and academic settings.
This report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly.
The authors provide insights about the zero-day vulnerability research and exploit development industry; give information on what proportion of zero-day vulnerabilities are alive (undisclosed), dead (known), or somewhere in between; and establish some baseline metrics regarding the average lifespan of zero-day vulnerabilities, the likelihood of another party discovering a vulnerability within a given time period, and the time and costs involved in developing an exploit for a zero-day vulnerability.
…
Longevity and Discovery by Others
- Zero-day exploits and their underlying vulnerabilities have a rather long average life expectancy (6.9 years). Only 25 percent of vulnerabilities do not survive to 1.51 years, and only 25 percent live more than 9.5 years.
- No vulnerability characteristics indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and exploit class type.
- For a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity.
…
Rand researchers Ablon and Bogart attempt to interject facts into the debate over stockpiling zero-day vulnerabilities. It a great read, even though I doubt policy decisions over zero-day stockpiling will be fact-driven.
As an advocate of inadvertent or involuntary transparency (is there any other honest kind?), I take heart from the 6.9 year average life expectancy of zero-day exploits.
Researchers should take encouragement from the finding that within a given year, only 5.7 of all zero-days vulnerability discoveries overlap. That is 94.3% of zero-day discoveries are unique. That indicates to me vulnerabilities are left undiscovered every year.
Voluntary transparency, like presidential press conferences, is an opportunity to shape and manipulate your opinions. Zero-day vulnerabilities, on the other hand, can empower honest/involuntary transparency.
Won’t you help?
The Jailbreaking Community Is Bracing for Google to Publicly Drop an iPhone Exploit by Lorenzo Franceschi-Bicchierai.
From the post:
…
Because exploits are so valuable, it’s been a long time since we’ve seen a publicly accessible iPhone jailbreak even for older versions of iOS (let alone one in the wild for an up to date iPhone.) But a tweet sent by a Google researcher Wednesday has got the security and jailbreaking communities in a frenzy. The tweet suggests that Google is about to drop an exploit that is a major step toward an iPhone jailbreak, and other researchers say they will be able to take that exploit and turn it into a full jailbreak.It might seem surprising that an iPhone exploit would be released by Google, Apple’s closest competitor, but the company has a history of doing so, albeit with less hype than this one is garnering.
Ian Beer is a Google Project Zero security researcher, and one of the most prolific iOS bug hunters. Wednesday, he told his followers to keep their “research-only” devices on iOS 11.1.2 because he was about to release “tfp0” soon. (tfp0 stands for “task for pid 0,” or the kernel task port, which gives you control of the core of the operating system.) He also hinted that this is just the first part of more releases to come. iOS 11.1.2 was just patched and updated last week by Apple; it is extremely rare for exploits for recent versions of iOS to be made public.
…
Another surprise in the offing for the holiday season! See Franceschi-Bicchierai’s post for much speculation and possibilities.
From improving the lot of security researchers, local employment for hackers and greater exposure of public officials, what’s there to not like?
Looking forward to the drop and security researchers jumping on it like a terrier pack on a rat.
Microsoft Issues Emergency Windows Security Update For A Critical Vulnerability by Swati Khandelwal.
From the post:
If your computer is running Microsoft’s Windows operating system, then you need to apply this emergency patch immediately. By immediately, I mean now!
Microsoft has just released an emergency security patch to address a critical remote code execution (RCE) vulnerability in its Malware Protection Engine (MPE) that could allow an attacker to take full control of a victim’s PC.
Enabled by default, Microsoft Malware Protection Engine offers the core cybersecurity capabilities, like scanning, detection, and cleaning, for the company’s antivirus and antimalware programs in all of its products.
According to Microsoft, the vulnerability affects a large number of Microsoft security products, including Windows Defender and Microsoft Security Essentials along with Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.
Tracked as CVE-2017-11937, the vulnerability is a memory corruption issue which is triggered when the Malware Protection Engine scans a specially crafted file to check for any potential threat.
… (emphasis in original)
I always feel bad when I read about newly discovered vulnerabilities in Microsoft Windows. Despite MS opening up computers around the world to the idly curious if not the malicious, I haven’t gotten them anything.
I’m sure Munich must be celebrating its plan to switch to Windows 10 for €50m. You wouldn’t think unintended governmental transparency would be that expensive. Munich could save everyone time and trouble by backing up all its files/data to an open S3 bucket on AWS. Thoughts?
Khandelwal also reports Microsoft says that this vulnerability isn’t being used in the wild. Modulo that claim comes from the originator of the vulnerability. If it couldn’t/didn’t recognize the vulnerability in its code, what are the odds of it recognizes its exploit by others? Your call.
See Khandelwal’s post for more details.
From the webpage:
Malpedia is a free service offered by Fraunhofer FKIE.
…
The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research.
Also, please be aware that not all content on Malpedia is publicly available.
More specifically, you will need an account to access all data (malware samples, non-public YARA rules, …).
In this regard, Malpedia is operated as an invite-only trust group.
…(emphasis in original)
You are probably already aware of Malpedia but I wasn’t.
Enjoy!
Security Analyst Summit – #TheSAS2017
From the webpage:
The Kaspersky Security Analyst Summit (SAS) is a unique annual event connecting anti-malware researchers and developers, global law enforcement agencies and CERTs and members of the security research community.
The summit is one of the best places to learn, debate, share and showcase cutting-edge research, new technologies and discuss ways to improve collaboration in the fight against cyber-crime.
Now you have a chance to get access to the unique videos of the presentations given at #TheSAS2017
Registration required but where are you going to hide from Kaspersky anyway? 😉
I count sixty-three (63) videos.
If you want to start 2018 with a broad overview of security issues, this is one place to start.
Enjoy!
PS: Any favorites?
Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware by Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and Ron Deibert.
From the post:
Key Findings
- This report describes how Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware posing as Adobe Flash updates and PDF plugins. Targets include a US-based Ethiopian diaspora media outlet, the Oromia Media Network (OMN), a PhD student, and a lawyer. During the course of our investigation, one of the authors of this report was also targeted.
- We found a public logfile on the spyware’s command and control server and monitored this logfile over the course of more than a year. We saw the spyware’s operators connecting from Ethiopia, and infected computers connecting from IP addresses in 20 countries, including IP addresses we traced to Eritrean companies and government agencies.
- Our analysis of the spyware indicates it is a product known as PC Surveillance System (PSS), a commercial spyware product with a novel exploit-free architecture. PSS is offered by Cyberbit — an Israel-based cyber security company that is a wholly-owned subsidiary of Elbit Systems — and marketed to intelligence and law enforcement agencies.
- We conducted Internet scanning to find other servers associated with PSS and found several servers that appear to be operated by Cyberbit themselves. The public logfiles on these servers seem to have tracked Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of PSS to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.
…
Detailed research and reporting, the like of which is absent in reporting about election year “hacks” in the United States.
Despite the excellence of reporting in this post, I find it disappointing that Citizen Lab sees this as an occasion for raising legal and regulatory issues. Especially in light of the last substantive paragraph noting:
As we explore in a separate analysis, while lawful access and intercept tools have legitimate uses, the significant insecurities and illegitimate targeting we have documented that arise from their abuse cannot be ignored. In the absence of stronger norms and incentives to induce state restraint, as well as more robust regulation of spyware companies, we expect that authoritarian and other politically corrupt leaders will continue to obtain and use spyware to covertly surveil and invisibly sabotage the individuals and institutions that hold them to account.
Exposing the abuse of peaceful citizens by their governments is a powerful tool but for me, it falls far short of holding them to account. I have always thought of being “held to account” meant there were negative consequences associated with undesirable behavior.
Do you know of any examples of governments holding Cyberbit or similar entities accountable?
I am aware that the U.S. Congress has from time to time passed legislation “regulating the CIA” and other agencies, all of which was ignored by the regulated agencies. That doesn’t sound like accountability to me.
You?
PS: Despite my disagreement on the call for action, this is a great example of how to provide credible details about malicious cyberactivity. Would that members of the IC would read it and take it to heart.
Cast your vote for the talks you want to see at INFILTRATE 2018.
As of today, 6 December 2017, I count 26 presentations.
The titles alone are enough to sell the conference:
Another example of open sharing as opposed to the hoard and privilege approach of the defensive cybersecurity community. White hats are fortunate to only be a decade behind. Consider it the paranoia penalty. Fear of sharing knowledge harms you more than anyone else.
Speaking of sharing, the archives for INFILTRATE 2011 through INFILTRATE 2017 are online.
May not be true for any particular exploit, but given the lagging nature of cyberdefense, not to mention shoddy patch application, any technique less than ten years old is likely still viable. Remember SQL injection turned 17 this year and remains the #1 threat to websites.
Vote on your favorite papers for INFILTRATE 2018 – OPEN CFP
and let’s see some great tweet coverage for the conference!
INFILTRATE Security Conference, April 26 & 27 2018, @Fountainbleau Hotel
INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere. INFILTRATE is the single-most important event for those who are focused on the technical aspects of offensive security issues, for example, computer and network exploitation, vulnerability discovery, and rootkit and trojan covert protocols. INFILTRATE eschews policy and high-level presentations in favor of just hard-core thought-provoking technical meat.
Registration: infiltrate@immunityincdotcom
Twitter: @InfiltrateCon.
Enjoy!
Benchmarking U.S. Government Websites by Daniel Castro, Galia Nurko, and Alan McQuinn, provides a quick assessment of 468 of the most popular federal websites for “…page-load speed, mobile friendliness, security, and accessibility.”
Unfortunately, it has an ugly table layout:
Double column listings with the same headers?
There are 476 results on Stackoverflow this morning for extracting tables from PDF.
However, I need a cup of coffee, maybe two cups of coffee answer to extracting data from these tables.
Enter Tabula.
If you’ve ever tried to do anything with data provided to you in PDFs, you know how painful it is — there’s no easy way to copy-and-paste rows of data out of PDF files. Tabula allows you to extract that data into a CSV or Microsoft Excel spreadsheet using a simple, easy-to-use interface. Tabula works on Mac, Windows and Linux.
Tabula is download, extract, start and point your web browser to http://localhost:8080 (or http://127.0.0.1:8080), load your PDF file, select the table, export the content, easy to use.
I tried selecting the columns separately (one page at a time) but then used table recognition and selected the entirety of Table 6 (security evaluation). I don’t think it made any difference in the errors I was seeing in the result (dropping first letter of site domains, but check with your data.)
Warning: For some unknown reason, possibly a defect in the PDF and/or Tabula, the leading character from the second domain field was dropped on some entries. Not all, not consistently, but it was dropped. Not to mention missing the last line of entries on a couple of pages. Proofing is required!
Not to mention there were other recognition issues
Capture wasn’t perfect due to underlying differences in the PDF:
cancer.gov,100,901,fdic.gov,100,"3,284" weather.gov,100,904,blm.gov,100,"3,307" transportation.gov,,,100,,,"3,340",,,ecreation.gov,,,100,,,"9,012", "regulations.gov1003,390data.gov1009,103",,,,,,,,,,,,,,,, nga.gov,,,100,,,"3,462",,,irstgov.gov,,,100,,,"9,112", "nrel.gov1003,623nationalservice.gov1009,127",,,,,,,,,,,,,,,, hrsa.gov,,,100,,,"3,635",,,topbullying.gov,,,100,,,"9,285", "consumerfinance.gov1004,144section508.gov1009,391",,,,,,,,,,,,,,,,
With proofing, we are way beyond two cups of coffee but once proofed, I tossed it into Calc and produced a single column CSV file: 2017-Benchmarking-US-Government-Websites-Security-Table-6.csv.
Enjoy!
PS: I discovered a LibreOffice Calc “gotcha” in this exercise. If you select a column for the top and attempt to paste it under an existing column (same or different spreadsheet), you get the error message: “There is not enough room on the sheet to insert here.”
When you select a column from the top, it copies all the blank cells in that column so there truly isn’t sufficient space to paste it under another column. Tip: Always copy columns in Calc from the bottom of the column up.
From the webpage:
This tool simply listens to various certificate transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificates domain name.
(graphic omitted)
Be responsible. I mainly created this tool to highlight the risks associated with public S3 buckets and to put a different spin on the usual dictionary based attacks.
… (emphasis in original)
If you find the March of Dimes or the International Federation of the Red Cross and Red Crescent with an insecure Amazon S3 bucket, take the author’s advice and report it.
If asked about Amazon S3 buckets belonging to groups, organizations and governments actively seeking to harm others, I would answer differently.
You?
Blueprint: Building A Better Pen Tester Tuesday, January 9th, 2018 at 1:00 PM EST (18:00:00 UTC).
From the post:
Register for this webcast and have (4) printed copies of the *new* SANS Pen Test Poster “Blueprint: Building A Better Pen Tester” mailed to the address on your SANS Portal Account. Don’t have an account? Register today and then join Ed Skoudis, on January 9th at 1pm EST, as he dives into all the tips available on the poster so you’ll know how use it to become a better pen tester. If you’re not a pen tester, this webcast will help you learn many helpful tips to make you a better information security professional and bring additional value and tradecraft to your organization.
Posters will be mailed after the webcast in January 2018.
… (emphasis in original)
It’s never clear if “pen tester” is tongue in cheek or not. Perhaps the ambiguity is intentional.
Either I or Gimp failed to enlarge the posters sufficiently to produce readable text. But, given the reputation of SANS, it’s a nice way to start the new year.
Is possession of SANS posters considered evidence of illegal activity? Any court cases you can cite?
The Motherboard Guide to Avoiding State Surveillance by Sarah Jeong.
From the post:
In the wake of September 11th, the United States built out a massive surveillance apparatus, undermined constitutional protections, and limited possible recourse to the legal system.
Given the extraordinary capabilities of state surveillance in the US—as well as the capabilities of governments around the world—you might be feeling a little paranoid! It’s not just the NSA—the FBI and even local cops have more tools at their disposal to snoop on people than ever before. And there is a terrifying breadth of passive and unexpected surveillance to worry about: Your social media accounts can be subpoenaed, your emails or calls can be scooped up in bulk collection efforts, and your cell phone metadata can be captured by Stingrays and IMSI catchers meant to target someone else.
Remember, anti-surveillance is not the cure, it’s just one thing you can do to protect yourself and others. You probably aren’t the most at-risk person, but that doesn’t mean you shouldn’t practice better security. Surveillance is a complicated thing: You can practice the best security in the world, but if you’re sending messages to someone who doesn’t, you can still be spied on through their device or through their communications with other people (if they discuss the information you told them, for instance).
That’s why it’s important that we normalize good security practices: If you don’t have that much to be afraid of, it’s all the more important for you to pick up some of these tools, because doing that will normalize the actions of your friends who are, say, undocumented immigrants, or engaged in activism. Trump’s CIA Director thinks that using encryption “may itself be a red flag.” If you have “nothing to hide,” your use of encryption can actually help people at risk by obfuscating that red flag. By following this guide, you are making someone else safer. Think of it as herd immunity. The more people practice good security, the safer everyone else is.
The security tips provided earlier in this guide still apply: If you can protect yourself from getting hacked, you will have a better shot at preventing yourself from being surveilled (when it comes to surveilling iPhones, for instance governments often have few options besides hacking the devices). But tech tools don’t solve all problems. Governments have a weapon in their hands that criminal hackers do not: the power of the law. Many of the tips in this section of the guide will help you not only against legal requests and government hacking, but also against anyone else who may be trying to spy on you.
You don’t have to turn yourself into a security expert. Just start thinking about your risks, and don’t be intimidated by the technology. Security is an ongoing process of learning. Both the threats and the tools developed to address them are constantly changing, which is one of the reasons why privacy and security advice can often seem fickle and contradictory. But the tips below are a good starting point.
…
Jeong writes a great post but like most of you, what I need is a security cheat sheet so I start off everyday with the same standard security practices.
Read Jeong’s post but think about creating a personalized security cheat sheet that requires your initials at the start of each day and note any security fails on your part for that day.
At the end of each week, review your security fails for patterns and/or improvements.
What’s on your security cheat sheet?
Getting Started With ARM Exploitation by Azeria.
From the post:
Since I published the tutorial series on ARM Assembly Basics, people keep asking me how to get started with exploitation on ARM. Since then, I added some tutorials on how to write ARM Shellcode, an introduction to Memory Corruptions, a detailed guide on how to set up your own ARM lab environment, and some small intro to debugging with GDB. Now it’s time we get to the meat of things and use all this knowledge to start exploiting some binaries.
This first part is aimed at those of you who have no experience with reverse engineering or exploiting ARM binaries. These challenges are relatively easy and are meant to introduce a few core concepts of binary exploitation.
…
Why Study ARM Exploitation?
Can you name another attack surface that large?
No?
Suggest you follow Azeria and her tutorials. Today.
Prasad Ajgaonkar reports in 94pc of cyber attacks are caused by lack of infosecurity awareness training. Is your organisation safe?:
Do you know that a cyber attack takes place every 10 minutes in India? This rate is higher than that in 2016, where a cyber attack took place once every 12 minutes. A study conducted by Fortinet found that a whopping 94 percent of IT experts believe that information security (InfoSec) practices in Indian organizations are sorely inadequate and completely fail to protect from cyber attacks in today’s world.
It is crucial to be aware that the exorbitantly high cyber attacks in India is a human issue, rather than an IT issue. This means that employees failing to follow InfoSec practices- rather than IT system failures- is the biggest contributor of cyber attacks.
Therefore, it is critical to ensure that all employees at an organisation are vigilant, fully aware of cyber-threats, and trained to follow InfoSec practices at all times.
…
Focusing on the lack of training for employees, the post suggests this solution:
…
Story-telling and scenario based training would be an excellent and highly effective way to ensure that employees consistently practice InfoSec measures. An effective InfoSec training programme has the following features:
- Educating employees through story-telling and interactive media – …
- Continuous top of the mind recall – …
- Presenting InfoSec tips, trivia and reminders to employees through mobile phone apps…
- Training through scenario-based assessments – …
- Training through group discussions – …
…
I have a simpler explanation for poor cybersecurity practices of employees in India.
The Hindu captured it in one headline: India Inc pay gap: CEOs earn up to 1,200-times of average staff
Many thought the American pay gap at CEOs make 271 times the pay of most workers was bad.
Try almost four (4) times the American CEO – worker pay gap.
How much commonality of interest exists between the worker who gets $1 and for every $1, their CEO gets $1,200?
Conventional training, excluding the use of drugs and/or physical torture, isn’t likely to create a commonality of interest. Yes?
Cybersecurity “solutions” that don’t address the worker to CEO wage gap, are castles made of sand.
UCS Satellite Database – In-depth details on the 1,738 satellites currently orbiting Earth.
From the post:
Assembled by experts at the Union of Concerned Scientists (UCS), the Satellite Database is a listing of the more than 1000 operational satellites currently in orbit around Earth.
Our intent in producing the database is to create a research tool for specialists and non-specialists alike by collecting open-source information on operational satellites and presenting it in a format that can be easily manipulated for research and analysis.
It is available as both a downloadable Excel file and in a tab-delimited text format. A version is also provided in which the “Name” column contains only the official name of the satellite in the case of government and military satellites, and the most commonly used name in the case of commercial and civil satellites.
…Satellite Database Downloads (includes launches through 8/31/17)
- Database (Excel format)
- Database (text format)
- Database, official names only (Excel format)
- Database, official names only (text format)
Resources:
Satellites are much easier targets than undersea cables. Specialized equipment required for both, but undersea cables also require a submarine while satellites only a line of sight. Much easier to arrange.
With a high quality antenna and electronic gear, the sky is alive with targets. For extra points, install your antenna remote to you and use an encrypted channel to control and receive data. (Makes you less obvious than several satellite dishes in the back yard.)
PS: Follow the USC Satellite DB on Twitter. Plus, the Union of Concerned Scientists.
Powered by WordPress
