Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

December 16, 2017

Evil Foca [Encourage Upgrades from Windows XP]

Filed under: Cybersecurity,Security — Patrick Durusau @ 10:04 am

Network Security Testing: Evil Foca

From the webpage:

Evil Foca is a tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks. The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.

The tool is capable of carrying out various attacks such as:

  • MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
  • MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
  • DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
  • DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
  • DNS Hijacking.

Requirements

  • Windows XP or later.

ATMs and users running Windows XP are justification for possessing Windows XP.

But upgrading from Windows XP as an operations platform should be encouraged. For any purpose.

Yes?

Otherwise, what’s next? A luggable computer for your next assignment?

December 15, 2017

getExploit (utility)

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:38 pm

getExploit

From the webpage:

Python script to explore exploits from exploit-db.com. A similar script exists in Kali Linux, but this Python script provides more flexibility at search and download time.

Looks useful, modulo the added risk of a local copy.

Yeti (You Are What You Record)

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:09 pm

Open Distributed Threat Intelligence: Yeti

From the webpage:

Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don’t have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it.

Yeti was born out of frustration of having to answer the question “where have I seen this artifact before?” or Googling shady domains to tie them to a malware family.

In a nutshell, Yeti allows you to:

  • Submit observables and get a pretty good guess on the nature of the threat.
  • Inversely, focus on a threat and quickly list all TTPs, Observables, and associated malware.
  • Let responders skip the “Google the artifact” stage of incident response.
  • Let analysts focus on adding intelligence rather than worrying about machine-readable export formats.
  • Visualize relationship graphs between different threats.

This is done by:

  • Collecting and processing observables from a wide array of different sources (MISP instances, malware trackers, XML feeds, JSON feeds…)
  • Providing a web API to automate queries (think incident management platform) and enrichment (think malware sandbox).
  • Export the data in user-defined formats so that they can be ingested by third-party applications (think blocklists, SIEM).

Yeti sounds like a good tool, but always remember: You Are What You Record.

Innocent activities captured in your Yeti repository could be made to look like plans for criminal activity.

Just a word to the wise.

KubeCon/CloudNativeCon [Breaking Into Clouds]

Filed under: Cloud Computing,Conferences,Cybersecurity,Security — Patrick Durusau @ 8:48 pm

KubeCon/CloudNativeCon just concluded in Austin, Texas with 179 videos now available on YouTube.

A sortable list of presentations: https://kccncna17.sched.com/. How long that will persist isn’t clear.

If you missed Why The Federal Government Warmed Up To Cloud Computing, take a minute to review it now. It’s a promotional piece but the essential take away, government data is moving to the cloud, remains valid.

To detect security failures during migration and post-migration, you will need to know cloud technology better than the average migration tech.

The videos from KubeCon/CloudNativeCon 2017 are a nice starter set in that direction.

THC-Hydra – Very Fast Network Logon Cracker

Filed under: Cybersecurity,Security — Patrick Durusau @ 3:11 pm

Very Fast Network Logon Cracker: THC-Hydra

From the webpage:

Number one of the biggest security holes is passwords, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast. This fast, and many will say fastest, network logon cracker supports many different services. Deemed ‘The best parallelized login hacker’: for Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support and is part of Nessus.

If you don’t know CyberPunk, they have great graphics:

If you have found the recent 1.4 billion password dump, THC-Hydra is in your near future.

December 14, 2017

98% Fail Rate on Privileged Accounts – Transparency in 2018

Filed under: Cybersecurity,Government,Government Data,Security,Transparency — Patrick Durusau @ 9:55 am

Half of companies fail to tell customers about data breaches, claims study by Nicholas Fearn.

From the post:

Half of organisations don’t bother telling customers when their personal information might have been compromised following a cyber attack, according to a new study.

The latest survey from security firm CyberArk comes with the full implementation of the European Union General Data Protection Regulation (GDPR) just months away.

Organisations that fail to notify the relevant data protection authorities of a breach within 72 hours of finding it can expect to face crippling fines of up to four per cent of turnover – with companies trying to hide breaches likely to be hit with the biggest punishments.

The findings have been published in the second iteration of the CyberArk Global Advanced Threat Landscape Report 2018, which explores business leaders’ attitudes towards IT security and data protection.

The survey found that, overall, security “does not translate into accountability”. Some 46 per cent of organisations struggle to stop every attempt to breach their IT infrastructure.

And 63 per cent of business leaders acknowledge that their companies are vulnerable to attacks, such as phishing. Despite this concern, 49 per cent of organisations don’t have the right knowledge about security policies.

You can download the report cited in Fearn’s post at: Cyberark Global Advanced Threat Landscape Report 2018: The Business View of Security.

If you think that report has implications for involuntary/inadvertent transparency, Cyberark Global Advanced Threat Landscape Report 2018: Focus on DevOps, reports this gem:


It’s not just that businesses underestimate threats. As noted above, they also do not seem to fully understand where privileged accounts and secrets exist. When asked which IT environments and devices contain privileged accounts and secrets, responses (IT decision maker and DevOps/app developer respondents) were at odds with the claim that most businesses have implemented a privileged account security solution. A massive 98% did not select at least one of the ‘containers’, ‘microservices’, ‘CI/CD tools’, ‘cloud environments’ or ‘source code repositories’ options. At the risk of repetition, privileged accounts and secrets are stored in all of these entities.

A fail rate of 98% on identifying “privileged accounts and secrets?”

Reports like this make you wonder about the clamor for transparency of organizations and governments. Why bother?

Information in 2018 is kept secure by a lack of interest in collecting it.

Remember that for your next transparency discussion.

December 13, 2017

A Guide To Kernel Exploitation: Attacking the Core (source files)

Filed under: Cybersecurity,Security — Patrick Durusau @ 4:07 pm

If you know or are interested in A Guide To Kernel Exploitation: Attacking the Core by Enrico Perla and Massimiliano Oldani, the source files are now available at: https://github.com/yrp604/atc-sources.

The website that accompanied the book is now reported to be defunct. Thanks to yrp604 for preserving these files.

Enjoy!

December 10, 2017

Incomplete Reporting – How to Verify A Dark Web Discovery?

Filed under: Cybersecurity,Dark Web,Security — Patrick Durusau @ 4:50 pm

1.4 Billion Clear Text Credentials Discovered in a Single Database by Julio Casal.

From the post:

Now even unsophisticated and newbie hackers can access the largest trove ever of sensitive credentials in an underground community forum. Is the cyber crime epidemic about to become exponentially worse?

While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date.

None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true.

The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records. This dump aggregates 252 previous breaches, including known credential lists such as Anti Public and Exploit.in, decrypted passwords of known breaches like LinkedIn as well as smaller breaches like Bitcoin and Pastebin sites.

This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.

This database makes finding passwords faster and easier than ever before. As an example searching for “admin,” “administrator” and “root” returned 226,631 passwords of admin users in a few seconds.

The data is organized alphabetically, offering examples of trends in how people set passwords, reuse them and create repetitive patterns over time. The breach offers concrete insights into password trends, cementing the need for recommendations, such as the NIST Cybersecurity Framework.
… (emphasis in original)

The full post goes onto discuss sources of the data, details of the dump file, freshness and password reuse. See Casal’s post for those details.

But no links were provided to the:

“…largest trove ever of sensitive credentials in an underground community forum.”

How would you go about verifying such a discovery?

The post offers the following hints:

  1. “…single file … 1.4 billion clear text credentials”
  2. dump contains file “imported.log”
  3. list shown from “imported.log” has 55 unique file names

With #1, clear text credentials, I should be able to search for #2 “imported.log” and one of fifty-five (55) unique file names to come up with a fairly narrow set of search results. Not perfect but not a lot of manual browsing.

All onion search engines have .onion addresses.

Ahmia: Never got to try one of the file names; “imported.log” returns 0 results.

Caronte: I entered “imported.log,” but Caronte searches for “imported log.” Sigh, I really tire of corrective search interfaces. You? No useful results.

Haystack: 0 results for “imported.log.”

Not Evil: 3973 “hits” for “imported.log.” With search refinement, still no joy.

Bottom line: No verification of the reported credentials discovery.

Possible explanations:

  • Files have been moved or renamed
  • Forum is password protected
  • Used the wrong Dark Web search engines

Verification is all the rage in mainstream media.

How do you verify reports of content on the Dark Web? Or do you?

December 9, 2017

Zero Days, Thousands of Nights [Zero-day – 6.9 Year Average Life Expectancy]

Filed under: Cybersecurity,Government,Security,Transparency — Patrick Durusau @ 11:41 am

Zero Days, Thousands of Nights – The Life and Times of Zero-Day Vulnerabilities and Their Exploits by Lillian Ablon, Timothy Bogart.

From the post:

Zero-day vulnerabilities — software vulnerabilities for which no patch or fix has been publicly released — and their exploits are useful in cyber operations — whether by criminals, militaries, or governments — as well as in defensive and academic settings.

This report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly.

The authors provide insights about the zero-day vulnerability research and exploit development industry; give information on what proportion of zero-day vulnerabilities are alive (undisclosed), dead (known), or somewhere in between; and establish some baseline metrics regarding the average lifespan of zero-day vulnerabilities, the likelihood of another party discovering a vulnerability within a given time period, and the time and costs involved in developing an exploit for a zero-day vulnerability.

Longevity and Discovery by Others

  • Zero-day exploits and their underlying vulnerabilities have a rather long average life expectancy (6.9 years). Only 25 percent of vulnerabilities do not survive to 1.51 years, and only 25 percent live more than 9.5 years.
  • No vulnerability characteristics indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and exploit class type.
  • For a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity.

Rand researchers Ablon and Bogart attempt to interject facts into the debate over stockpiling zero-day vulnerabilities. It’s a great read, even though I doubt policy decisions over zero-day stockpiling will be fact-driven.

As an advocate of inadvertent or involuntary transparency (is there any other honest kind?), I take heart from the 6.9 year average life expectancy of zero-day exploits.

Researchers should take encouragement from the finding that within a given year, only 5.7 percent of all zero-day vulnerability discoveries overlap. That is, 94.3% of zero-day discoveries are unique. That indicates to me vulnerabilities are left undiscovered every year.

Voluntary transparency, like presidential press conferences, is an opportunity to shape and manipulate your opinions. Zero-day vulnerabilities, on the other hand, can empower honest/involuntary transparency.

Won’t you help?

December 8, 2017

Google About to Publicly Drop iPhone Exploit (More Holiday News!)

Filed under: Cybersecurity,FBI,Security — Patrick Durusau @ 5:41 pm

The Jailbreaking Community Is Bracing for Google to Publicly Drop an iPhone Exploit by Lorenzo Franceschi-Bicchierai.

From the post:


Because exploits are so valuable, it’s been a long time since we’ve seen a publicly accessible iPhone jailbreak even for older versions of iOS (let alone one in the wild for an up to date iPhone.) But a tweet sent by a Google researcher Wednesday has got the security and jailbreaking communities in a frenzy. The tweet suggests that Google is about to drop an exploit that is a major step toward an iPhone jailbreak, and other researchers say they will be able to take that exploit and turn it into a full jailbreak.

It might seem surprising that an iPhone exploit would be released by Google, Apple’s closest competitor, but the company has a history of doing so, albeit with less hype than this one is garnering.

Ian Beer is a Google Project Zero security researcher, and one of the most prolific iOS bug hunters. Wednesday, he told his followers to keep their “research-only” devices on iOS 11.1.2 because he was about to release “tfp0” soon. (tfp0 stands for “task for pid 0,” or the kernel task port, which gives you control of the core of the operating system.) He also hinted that this is just the first part of more releases to come. iOS 11.1.2 was just patched and updated last week by Apple; it is extremely rare for exploits for recent versions of iOS to be made public.

Another surprise in the offing for the holiday season! See Franceschi-Bicchierai’s post for much speculation and possibilities.

Benefits from a current iPhone Exploit

  • Security researchers obtain better access to research iPhone security issues
  • FBI told by courts to hire local hackers instead of badgering Apple
  • Who carries iPhones? (security clueless public officials)

From improving the lot of security researchers, local employment for hackers and greater exposure of public officials, what’s there to not like?

Looking forward to the drop and security researchers jumping on it like a terrier pack on a rat.

Another Windows Critical Vulnerability (and I forgot to get MS anything)

Filed under: Cybersecurity,Microsoft,Security — Patrick Durusau @ 11:58 am

Microsoft Issues Emergency Windows Security Update For A Critical Vulnerability by Swati Khandelwal.

From the post:

If your computer is running Microsoft’s Windows operating system, then you need to apply this emergency patch immediately. By immediately, I mean now!

Microsoft has just released an emergency security patch to address a critical remote code execution (RCE) vulnerability in its Malware Protection Engine (MPE) that could allow an attacker to take full control of a victim’s PC.

Enabled by default, Microsoft Malware Protection Engine offers the core cybersecurity capabilities, like scanning, detection, and cleaning, for the company’s antivirus and antimalware programs in all of its products.

According to Microsoft, the vulnerability affects a large number of Microsoft security products, including Windows Defender and Microsoft Security Essentials along with Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.

Tracked as CVE-2017-11937, the vulnerability is a memory corruption issue which is triggered when the Malware Protection Engine scans a specially crafted file to check for any potential threat.
… (emphasis in original)

I always feel bad when I read about newly discovered vulnerabilities in Microsoft Windows. Despite MS opening up computers around the world to the idly curious if not the malicious, I haven’t gotten them anything.

I’m sure Munich must be celebrating its plan to switch to Windows 10 for €50m. You wouldn’t think unintended governmental transparency would be that expensive. Munich could save everyone time and trouble by backing up all its files/data to an open S3 bucket on AWS. Thoughts?

Khandelwal also reports Microsoft says that this vulnerability isn’t being used in the wild. Modulo that the claim comes from the originator of the vulnerability. If it couldn’t/didn’t recognize the vulnerability in its code, what are the odds of it recognizing exploitation of that vulnerability by others? Your call.

See Khandelwal’s post for more details.

December 6, 2017

Security Analyst Summit – #TheSAS2017

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:42 pm

Security Analyst Summit – #TheSAS2017

From the webpage:

The Kaspersky Security Analyst Summit (SAS) is a unique annual event connecting anti-malware researchers and developers, global law enforcement agencies and CERTs and members of the security research community.

The summit is one of the best places to learn, debate, share and showcase cutting-edge research, new technologies and discuss ways to improve collaboration in the fight against cyber-crime.

Now you have a chance to get access to the unique videos of the presentations given at #TheSAS2017.

Registration required but where are you going to hide from Kaspersky anyway? 😉

I count sixty-three (63) videos.

If you want to start 2018 with a broad overview of security issues, this is one place to start.

Enjoy!

PS: Any favorites?

INFILTRATE 2018 – Vote on Papers – Closes 14 December 2017

Filed under: Conferences,Cybersecurity,Security — Patrick Durusau @ 9:59 am

INFILTRATE 2018 – OPEN CFP

Cast your vote for the talks you want to see at INFILTRATE 2018.

As of today, 6 December 2017, I count 26 presentations.

The titles alone are enough to sell the conference:

  1. Energy Larceny-Breaking into a solar power plant
  2. Chainspotting: Building Exploit Chains with Logic Bugs
  3. Back To The Future – Going Back In Time To Abuse Android's JIT
  4. Windows Offender: Attacking The Windows Defender Emulator
  5. Bypassing Mitigations by Attacking JIT Server in Microsoft Edge
  6. A year of inadvertent macOS bugs
  7. L'art de l’Évasion: Modern VMWare Exploitation techniques
  8. Unboxing your VirtualBoxes: A close look at a desktop hypervisor
  9. Fuzzing the ‘Unfuzzable’
  10. How to become a Penetration tester – an attempt to guide the next generation of hackers
  11. Parasite OS
  12. Detecting Reverse Engineering with Canaries
  13. Discovering & exploiting a Cisco ASA pre-auth RCE vulnerability
  14. Synthetic Reality; Breaking macOS One Click at a Time
  15. Dissecting QNX – Analyzing & Breaking QNX Exploit Mitigations and Secure Random Number Generators
  16. Malware tradecrafts and nasty secrets of evading to escalating
  17. Sandbox evasion using VBA Referencing
  18. Exploits in Wetware
  19. How to escalate privileges to SYSTEM in Windows 10
  20. Pack your Android: Everything you need to know about Android Boxing
  21. How to hide your browser 0-days
  22. So you think IoT DDoS botnets are dangerous – Bypassing ISP and Enterprise Anti-DDoS with 90's techn
  23. Making love to Enterprise Software
  24. I Did it Thrawn’s Way- Spiels and the Symbiosis of Red Teaming & Threat Intelligence Analysis
  25. Digital Vengeance: Exploiting Notorious C&C Toolkits
  26. Advanced Social Engineering and OSINT for Penetration Testing

Another example of open sharing as opposed to the hoard and privilege approach of the defensive cybersecurity community. White hats are fortunate to only be a decade behind. Consider it the paranoia penalty. Fear of sharing knowledge harms you more than anyone else.

Speaking of sharing, the archives for INFILTRATE 2011 through INFILTRATE 2017 are online.

May not be true for any particular exploit, but given the lagging nature of cyberdefense, not to mention shoddy patch application, any technique less than ten years old is likely still viable. Remember SQL injection turned 17 this year and remains the #1 threat to websites.

Vote on your favorite papers for INFILTRATE 2018 – OPEN CFP and let’s see some great tweet coverage for the conference!

INFILTRATE Security Conference, April 26 & 27 2018, @Fountainbleau Hotel

INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere. INFILTRATE is the single-most important event for those who are focused on the technical aspects of offensive security issues, for example, computer and network exploitation, vulnerability discovery, and rootkit and trojan covert protocols. INFILTRATE eschews policy and high-level presentations in favor of just hard-core thought-provoking technical meat.

Registration: infiltrate@immunityincdotcom

Twitter: @InfiltrateCon.

Enjoy!

December 5, 2017

Tabula: Extracting A Hit (sorry) Security List From PDF Report

Filed under: Cybersecurity,Extraction,Government,PDF,Security — Patrick Durusau @ 11:44 am

Benchmarking U.S. Government Websites by Daniel Castro, Galia Nurko, and Alan McQuinn, provides a quick assessment of 468 of the most popular federal websites for “…page-load speed, mobile friendliness, security, and accessibility.”

Unfortunately, it has an ugly table layout:

Double column listings with the same headers?

There are 476 results on Stackoverflow this morning for extracting tables from PDF.

However, I need a one-cup-of-coffee, maybe two-cups-of-coffee, answer to extracting data from these tables.

Enter Tabula.

If you’ve ever tried to do anything with data provided to you in PDFs, you know how painful it is — there’s no easy way to copy-and-paste rows of data out of PDF files. Tabula allows you to extract that data into a CSV or Microsoft Excel spreadsheet using a simple, easy-to-use interface. Tabula works on Mac, Windows and Linux.

Tabula is easy to use: download, extract, start it, point your web browser to http://localhost:8080 (or http://127.0.0.1:8080), load your PDF file, select the table, and export the content.

I tried selecting the columns separately (one page at a time) but then used table recognition and selected the entirety of Table 6 (security evaluation). I don’t think it made any difference in the errors I was seeing in the result (dropping the first letter of site domains), but check with your data.

Warning: For some unknown reason, possibly a defect in the PDF and/or Tabula, the leading character from the second domain field was dropped on some entries. Not all, not consistently, but it was dropped. Not to mention missing the last line of entries on a couple of pages. Proofing is required!

Other recognition issues showed up as well; capture wasn’t perfect due to underlying differences in the PDF:

cancer.gov,100,901,fdic.gov,100,"3,284"
weather.gov,100,904,blm.gov,100,"3,307"
transportation.gov,,,100,,,"3,340",,,ecreation.gov,,,100,,,"9,012",
"regulations.gov1003,390data.gov1009,103",,,,,,,,,,,,,,,,
nga.gov,,,100,,,"3,462",,,irstgov.gov,,,100,,,"9,112",
"nrel.gov1003,623nationalservice.gov1009,127",,,,,,,,,,,,,,,,
hrsa.gov,,,100,,,"3,635",,,topbullying.gov,,,100,,,"9,285",
"consumerfinance.gov1004,144section508.gov1009,391",,,,,,,,,,,,,,,,

With proofing, we are way beyond two cups of coffee but once proofed, I tossed it into Calc and produced a single column CSV file: 2017-Benchmarking-US-Government-Websites-Security-Table-6.csv.
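The two-column rows above can be folded into a single column mechanically before the proofing pass. The following Python script is an added example written for this post; it is not part of Tabula or of the Benchmarking report. It parses a constructed sample in the shape of the garbled export above (two table columns per row, stray empty cells, and rows whose cells were run together), splits each row into (domain, score, rank) triples and renders one site per line. The 0 to 100 score range is an assumption taken from the table being extracted. What the script cannot do is restore dropped leading characters such as “ecreation.gov” or “irstgov.gov”; those still need checking against the PDF, and any fragment it cannot account for raises an error instead of being silently dropped.

```python
import csv
import io
import re

# Constructed sample in the shape of the garbled Tabula export shown in the post
# (two table columns per row, stray empty cells, and rows whose cells were merged).
GARBLED_CSV = """\
cancer.gov,100,901,fdic.gov,100,"3,284"
weather.gov,100,904,blm.gov,100,"3,307"
transportation.gov,,,100,,,"3,340",,,ecreation.gov,,,100,,,"9,012",
"regulations.gov1003,390data.gov1009,103",,,,,,,,,,,,,,,,
nga.gov,,,100,,,"3,462",,,irstgov.gov,,,100,,,"9,112",
"nrel.gov1003,623nationalservice.gov1009,127",,,,,,,,,,,,,,,,
"""

# One table entry: domain, security score (assumed 0-100), popularity rank.
# Cells are joined with "|" before matching, so the optional "\|?" handles both
# cleanly separated cells and cells that Tabula ran together with no separator.
# The lazy domain match stops at the first ".gov"; "100" is tried before a
# one- or two-digit score so that "1003,390" splits as 100 and 3,390.
ENTRY_RE = re.compile(r"([a-z0-9.-]+?\.gov)\|?(100|\d{1,2})\|?(\d{1,3}(?:,\d{3})*)")


def parse_rows(text):
    """Return a list of (domain, score, rank) triples from a two-column export."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row if c.strip()]
        if not cells:
            continue
        joined = "|".join(cells)
        # Every non-empty cell must be consumed by a match; anything left over
        # is a recognition error that needs a human look at the PDF.
        leftover = ENTRY_RE.sub("", joined).replace("|", "")
        if leftover:
            raise ValueError(f"unparsed fragment {leftover!r} in row {row!r}")
        for domain, score, rank in ENTRY_RE.findall(joined):
            entries.append((domain, int(score), int(rank.replace(",", ""))))
    return entries


def to_single_column_csv(entries):
    """Render the triples as a single-column CSV (one site per line) for proofing."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["domain", "security_score", "rank"])
    writer.writerows(entries)
    return out.getvalue()


if __name__ == "__main__":
    print(to_single_column_csv(parse_rows(GARBLED_CSV)))
```

Run it on the real export in place of the constructed sample; a row it cannot fully account for stops the run with the unparsed fragment, which is exactly the row to compare against the PDF by hand.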

Enjoy!

PS: I discovered a LibreOffice Calc “gotcha” in this exercise. If you select a column from the top and attempt to paste it under an existing column (same or different spreadsheet), you get the error message: “There is not enough room on the sheet to insert here.”

When you select a column from the top, it copies all the blank cells in that column, so there truly isn’t sufficient space to paste it under another column. Tip: Always copy columns in Calc from the bottom of the column up.

December 4, 2017

Finding Interesting Amazon S3 Buckets

Filed under: Cybersecurity,Security — Patrick Durusau @ 10:59 am

Bucket Stream

From the webpage:

This tool simply listens to various certificate transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificates domain name.

(graphic omitted)

Be responsible. I mainly created this tool to highlight the risks associated with public S3 buckets and to put a different spin on the usual dictionary based attacks.
… (emphasis in original)

If you find the March of Dimes or the International Federation of the Red Cross and Red Crescent with an insecure Amazon S3 bucket, take the author’s advice and report it.

If asked about Amazon S3 buckets belonging to groups, organizations and governments actively seeking to harm others, I would answer differently.

You?

November 30, 2017

Will 2018 Be Your First Penetration? [Possession of SANS Posters]

Filed under: Cybersecurity,Security — Patrick Durusau @ 11:21 am

Blueprint: Building A Better Pen Tester Tuesday, January 9th, 2018 at 1:00 PM EST (18:00:00 UTC).

From the post:

Register for this webcast and have (4) printed copies of the *new* SANS Pen Test Poster “Blueprint: Building A Better Pen Tester” mailed to the address on your SANS Portal Account. Don’t have an account? Register today and then join Ed Skoudis, on January 9th at 1pm EST, as he dives into all the tips available on the poster so you’ll know how to use it to become a better pen tester. If you’re not a pen tester, this webcast will help you learn many helpful tips to make you a better information security professional and bring additional value and tradecraft to your organization.

Posters will be mailed after the webcast in January 2018.
… (emphasis in original)

It’s never clear if “pen tester” is tongue in cheek or not. Perhaps the ambiguity is intentional.

Either I or Gimp failed to enlarge the posters sufficiently to produce readable text. But, given the reputation of SANS, it’s a nice way to start the new year.

Is possession of SANS posters considered evidence of illegal activity? Any court cases you can cite?

November 20, 2017

What do you mean, “We?”

Filed under: Cybersecurity,Security — Patrick Durusau @ 10:35 am

Prasad Ajgaonkar reports in 94pc of cyber attacks are caused by lack of infosecurity awareness training. Is your organisation safe?:

Do you know that a cyber attack takes place every 10 minutes in India? This rate is higher than that in 2016, where a cyber attack took place once every 12 minutes. A study conducted by Fortinet found that a whopping 94 percent of IT experts believe that information security (InfoSec) practices in Indian organizations are sorely inadequate and completely fail to protect from cyber attacks in today’s world.

It is crucial to be aware that the exorbitantly high cyber attacks in India are a human issue, rather than an IT issue. This means that employees failing to follow InfoSec practices, rather than IT system failures, is the biggest contributor to cyber attacks.

Therefore, it is critical to ensure that all employees at an organisation are vigilant, fully aware of cyber-threats, and trained to follow InfoSec practices at all times.

Focusing on the lack of training for employees, the post suggests this solution:

Story-telling and scenario based training would be an excellent and highly effective way to ensure that employees consistently practice InfoSec measures. An effective InfoSec training programme has the following features:

  1. Educating employees through story-telling and interactive media – …
  2. Continuous top of the mind recall – …
  3. Presenting InfoSec tips, trivia and reminders to employees through mobile phone apps…
  4. Training through scenario-based assessments – …
  5. Training through group discussions – …

I have a simpler explanation for poor cybersecurity practices of employees in India.

The Hindu captured it in one headline: India Inc pay gap: CEOs earn up to 1,200-times of average staff

Many thought the American pay gap (CEOs make 271 times the pay of most workers) was bad.

Try almost four (4) times the American CEO – worker pay gap.

How much commonality of interest exists between a worker who gets $1 and a CEO who gets $1,200 for every one of those dollars?

Conventional training, excluding the use of drugs and/or physical torture, isn’t likely to create a commonality of interest. Yes?

Cybersecurity “solutions” that don’t address the worker to CEO wage gap, are castles made of sand.

November 16, 2017

Are You A Member of the 300+ Mile High Club? 1,738 Satellite Targets

Filed under: Cybersecurity,Radio,Security — Patrick Durusau @ 5:32 pm

UCS Satellite Database – In-depth details on the 1,738 satellites currently orbiting Earth.

From the post:

Assembled by experts at the Union of Concerned Scientists (UCS), the Satellite Database is a listing of the more than 1000 operational satellites currently in orbit around Earth.

Our intent in producing the database is to create a research tool for specialists and non-specialists alike by collecting open-source information on operational satellites and presenting it in a format that can be easily manipulated for research and analysis.

It is available as both a downloadable Excel file and in a tab-delimited text format. A version is also provided in which the “Name” column contains only the official name of the satellite in the case of government and military satellites, and the most commonly used name in the case of commercial and civil satellites.

Satellites are much easier targets than undersea cables. Specialized equipment is required for both, but undersea cables also require a submarine while satellites require only a line of sight. Much easier to arrange.

With a high quality antenna and electronic gear, the sky is alive with targets. For extra points, install your antenna remote to you and use an encrypted channel to control and receive data. (Makes you less obvious than several satellite dishes in the back yard.)

PS: Follow the UCS Satellite DB on Twitter. Plus, the Union of Concerned Scientists.

November 15, 2017

Going Among Capitalists? Don’t Forget Your S8 USB Cable!

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 5:45 pm

Teardown of a consumer voice/location cellular spying device that fits in the tip of a USB cable by Cory Doctorow.

From the post:

Mich from ha.cking bought a $25 “S8 data line locator” device — a cellular spying tool, disguised as a USB cable and marketed to the general public — and did a teardown of the gadget, offering a glimpse into the world of “trickle down surveillance” where the kinds of surveillance tools used by the NSA are turned into products and sold to randos over the internet for $25.

The S8 makes use of the GSM cellular network and takes a regular micro-SIM, and can use any of the international GSM bands. You communicate with it by sending it SMSes or by using a web front-end, which causes it to switch on a hidden mic so you can listen in on its surroundings; it can also give a coarse approximation of its location (based on GSM towers, not GPS, and accurate to within about 1.57km).

For all the technical details see: Inside a low budget consumer hardware espionage implant by mich @0x6d696368.

In some legal jurisdictions use of this cable may be construed as a crime. But, as US torture of prisoners, NSA surveillance, and numerous other crimes by US operatives demonstrate, prosecution of crimes is at the whim and caprice of prosecutors.

Calling something a “crime” is pejorative labeling for media purposes, unless you are a prosecutor deciding on prosecution. Otherwise, it’s just labeling.

From Forever Vulnerable (aka Microsoft) – Seventeen Years of Vulnerability

Filed under: Cybersecurity,Microsoft,Security — Patrick Durusau @ 4:15 pm

A seventeen year old vulnerability was patched in the Microsoft Equation Editor yesterday.

For a semi-technical overview, see Office Equation Editor Security Bug Runs Malicious Code Without User Interaction by Catalin Cimpanu.

For all the details and a back story useful for finding vulnerabilities, see: Skeleton in the closet. MS Office vulnerability you didn’t know about by Embedi.

Walking through the steps in the post to “re-discover” this vulnerability is a good exercise.

It’s not the fault of Microsoft that its users fail to patch/upgrade Microsoft products. That being said, CVE-2017-11882, with a seventeen year range, should be added to your evergreen list of Microsoft vulnerabilities.

Call For Cyber Weapons (Arsenal at Black Hat Asia 2018)

Filed under: Conferences,Cybersecurity,Security — Patrick Durusau @ 11:46 am

Welcome to Arsenal at Black Hat Asia 2018 – Call for Tools Open

Deadline: January 10 at 23:59 Pacific

From the webpage:

The Black Hat Arsenal team will be back in Singapore with the very same goal: give hackers & security researchers the opportunity to demo their newest and latest code.

The Arsenal tool demo area is dedicated to researchers and the open source community. The concept is quite simple: we provide the space and you bring your machine to showcase your work and answer questions from delegates attending Black Hat.

Once again, the ToolsWatch (@toolswatch) team will work in conjunction with Black Hat for the special event Black Hat Arsenal Asia 2018.

The 16th session will be held at the Marina Bay Sands in Singapore from March 22-March 23, 2018.

The same rules to consider before applying to Arsenal:

  • Bring your computer (with VGA output), adapter, your tool, your stickers
  • Avoid stodgy presentations. Folks are expecting action, so give’em action.
  • No vendor pitches or gear!
  • Be yourself, be cool, and wear a smile.
  • Hug the folks at Arsenal :)
  • Above all, have tremendous fun!!

For any questions, contact blackhatarsenal@ubm.com.

*Please note: You may use the plain text “Upload File” section if you wish to include whitepapers or research; however, this field is optional and not required.

Not as much advance notice as you have for Balisage 2018 but surely you are building new tools on a regular basis!

As you have learned from tools written by others, come to Arsenal at Black Hat Asia 2018 and enable others to learn from you.

Terminology: I say “weapons” instead of “tools” to highlight the lack of any “us” when it comes to cybersecurity.

Governments and corporations have an interest in personal privacy and security only when it furthers their agendas and none when it doesn’t.

Making governments and corporations more secure isn’t in my interest. Is it in yours? (Governments have declared their lack of interest in your privacy and security by their actions. Nothing more need be said.)

November 14, 2017

Hackers! 90% of Federal IT Managers Aiming for Their Own Feet!

Filed under: Artificial Intelligence,Cybersecurity,Government,Machine Learning,Security — Patrick Durusau @ 2:58 pm

The Federal Cyber AI IQ Test November 14, 2017 reports:

Most Powerful Applications:

  • 90% of Feds say AI could help prepare agencies for real-world cyber attack scenarios and 87% say it would improve the efficiency of the Federal cyber security workforce
  • 91% say their agency could utilize AI to monitor human activity and deter insider threats, including detecting suspicious elements and large amounts of data being downloaded, and analyzing risky user behavior

(emphasis in original)

One sure conclusion from this report: 90% of Feds don’t know that AIs mistake turtles for rifles 90% of the time. The adversarial example literature is full of such cases and is getting more robust by the day.

The trap federal IT managers have fallen into is a familiar one. To solve an entirely human problem, a shortage of qualified labor, they want to mechanize the required task, even if it means a lower quality end result. Human problems are solved poorly, if at all, by mechanized solutions.

Opposed by lowest common denominator AI systems, hackers will be all but running the mints as cybersecurity AI systems spread across the federal government. “Ghost” federal installations will appear on agency records for confirmation of FedEx/UPS shipments. The possibilities are endless.

If you are a state or local government or even a federal IT manager, letting hackers run wild isn’t a foregone conclusion.

You could pattern your compensation packages after West Coast start-ups, along with similar perks. Expensive but do you want an OMB type data leak on your record?

November 12, 2017

Azeria-Labs VM – Naked Ubuntu VM w/ emulated ARMv6l

Filed under: ARM,Cybersecurity,Security — Patrick Durusau @ 8:44 pm

Azeria-Labs VM – Naked Ubuntu VM w/ emulated ARMv6l by Azeria.

From the webpage:

Let me guess, you don’t want to bother with any of this and just want a ready-made Ubuntu VM with all QEMU stuff setup and ready-to-play. Very well. The first Azeria-Labs VM is ready. It’s a naked Ubuntu VM containing an emulated ARMv6l.

This VM is also for those of you who tried emulating ARM with QEMU but got stuck for inexplicable linux reasons. I understand the struggle, trust me.

It’s Sunday evening here and I have conference calls tomorrow. 🙁

Still, I wanted to pass on the news about the Azeria-Labs VM and Azeria’s pointer to “ARM” challenges at Root Me.

Enjoy!

Beginner’s Guide to Exploitation on ARM

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:25 pm

Beginner’s Guide to Exploitation on ARM by Billy Ellis.

From the website:

‘Beginner’s Guide to Exploitation on ARM’ is a beginner-friendly book aimed at individuals who are interested in learning the core concepts behind software vulnerability analysis & exploit development.

It explains everything from the basics of the ARM architecture to the various methods of exploitation used to take advantage of memory corruption vulnerabilities within modern systems today, using diagrams and example applications along the way to ensure that each chapter is easy to follow!

Judging from the rave reviews on Twitter and other forums, the time to order is now!

We’re all expecting relatives for the holiday season, at least in the US and Europe, so why not treat yourself to some reading material?

I will be posting more on this book after it arrives.

Enjoy!

WiMonitor – Hacker Arsenal, Design Suggestions

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:11 pm

WiMonitor

From the webpage:

WiMonitor makes Wi-Fi packet sniffing and network monitoring dead simple!

Once configured the device automatically scans channels 1-13 in the 2.4GHz band, captures packets and sends them to a remote IP address over Ethernet for further processing. The encapsulation is compatible with Wireshark so you can analyze Wi-Fi traffic using it.

More information on how to get started: Getting Started Guide.

Design Suggestions:

I’m not the artistic type but I do have a couple of suggestions for the housing of the WiMonitor.

Stock image from website:

Right, let’s make the case a bright white, use “Hacker Arsenal” with a bright graphic on the top surface, have labels for Wan/Lan and USB (those are hard to recognize) and of course, a power light to attract attention.

Sigh. I guess it would go well with your standard working shirt:

Those c-suite types won’t notice you at all. Completely invisible.

If you strive to be a little less noticeable, ask Hacker Arsenal for a little less obvious WiMonitor. Something along these lines:

First, a black case, lose the cover as well:

(Yes, I need to work on my graphic editing skills. 😉 )

Second, make an internal USB connection sufficient for 256GB USB thumb drive, battery for power and lose the power light.

Make it drop and retrieve ready.

Now that would be a hot package!

Antivirus Engines Have Design Flaws?

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:24 am

Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System by Catalin Cimpanu.

Cimpanu routs the chest beating of antivirus vendors with this report on a design flaw common to Windows antivirus products. Code named AVGater by its discoverer, Florian Bogner, who also created a colorful logo for the vulnerability:

(Source: #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine by Florian Bogner)

Cimpanu gives a high level summary and Bogner more details to support further investigation of this design flaw. An incomplete list of impacted vendors: Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Ikarus, and Zone Alarm by Check Point.

So the answer is yes, antivirus engines do have design, and other, flaws.

Antivirus and other security software increase the available attack surface for discovery of flaws and vulnerabilities.

If your antivirus or security software vendor denies increasing your attack surface, best you consider another vendor.

November 9, 2017

Encouraging CS Careers – Six Backdoors in Less Than an Hour!

Filed under: Cybersecurity,Security — Patrick Durusau @ 2:53 pm

Farmers Insurance for inspirational CS stories? If you doubt the answer is yes, you haven’t read: “I HAD SIX BACKDOORS INTO THEIR NETWORK IN LESS THAN AN HOUR” by Jason Kersten.

From the post:

Hired hackers share real-world stories of breaking into computer systems (legally) through phishing scams and other high-tech mischief

It was a moment that would likely make any bank robber’s or computer hacker’s head spin: Joshua Crumbaugh talked his way behind the teller windows of a small bank in Maryland by posing as an IT technician working on the bank’s email system. As he installed malware designed to give him even more illegal access to the bank’s systems, he noticed the door to the vault was open. When no one was looking, he walked in. Piles of cash filled shelves, all within easy reach.

He turned around, held out his phone, and took a selfie. Later, he sent the picture to the bank’s CEO.

Fortunately, no crime had been committed. The CEO had hired Crumbaugh, a penetration tester (also known as a “pen tester”), to test the bank’s security. In his 10 years as a pen tester and CEO of PeopleSec, Crumbaugh has hacked everything from an NBA stadium to an oil rig. For the bank test, he identified the bank’s Internet Service Provider, called the bank pretending to be from the ISP’s customer service department, and set up a service appointment. “They were overly trusting,” says Crumbaugh, noting the bank’s own IT guy had also given him remote access to its systems without checking his credentials.

According to the 2016 State of Cybersecurity in Small & Medium-Sized Businesses report from the Ponemon Institute, a research center for global privacy, data and IT security issues, more than half of the 598 businesses surveyed had experienced a cyber attack in the prior year. A full half of respondents experienced data breaches involving customer and employee information. The companies surveyed spent an average of $900,000 cleaning up the mess, and many spent an additional $1 million to pay for disrupted workflow as a consequence of the security issues.

Teachers in middle or high school need only read the first story and allude to the others to have a diverse group of students clamoring to read the post.

There are boring CS careers where you squint at a lot of math but this article highlights more exciting life styles for those with CS training.

Here’s an inspiration picture to go with your pitch:

More details to go with the image: Inside the Secret Vault: $70 Billion in Gold.

Warn your students about the false claim that cybersecurity benefits everyone.

Correction: Cybersecurity benefits everyone who is happy with the current distribution of rewards and stripes.

People who are not happy with it, not so much.

Tanenbaum on Intel MINIX – Discourtesy is its Own Reward

Filed under: Cybersecurity,Security — Patrick Durusau @ 11:45 am

Andrew S. Tanenbaum has posted An Open Letter to Intel on its incorporation of a modified version of MINIX into its chips.

Tanenbaum points out that Intel’s conduct in this case is clearly covered by the Berkeley license of MINIX, but he has a valid point that, as a matter of common courtesy, a personal note from Intel to Tanenbaum about the widespread deployment of MINIX would have been a nice touch.

In this case, discourtesy carried its own reward: Intel adapted an older version of MINIX to lie at the heart of its chips, a version perhaps not as robust and secure as a later one. That is a flaw that would have been discovered following a courteous note, which Intel never sent.

The mother lode of resources on earlier (and current) versions of MINIX is: http://www.minix3.org/.

How widely deployed is the Intel version of MINIX? Aditya Tiwari says:

After the release of MINIX 3, it is being developed as Microkernel OS. You can find MINIX 3 running inside every Intel-powered desktop, laptop or server launched after 2015. This surely gives it the title of the most used operating system in the world. Although, you don’t use it at all.
… (What Is MINIX? Is The World’s Most Used OS A Threat?)

I haven’t located a “chips shipped with MINIX” number so if you see one, ping me with the source.

Do be courteous, even if not required by license.

Otherwise, you may “pull an Intel” as this mistake will come to be known.

Metasploit for Machine Learning: Deep-Pwning

Filed under: Cybersecurity,Machine Learning,Security — Patrick Durusau @ 8:46 am

Metasploit for Machine Learning: Deep-Pwning

From the post:

Deep-pwning is a lightweight framework for experimenting with machine learning models with the goal of evaluating their robustness against a motivated adversary.

Note that deep-pwning in its current state is nowhere close to maturity or completion. It is meant to be experimented with, expanded upon, and extended by you. Only then can we help it truly become the go-to penetration testing toolkit for statistical machine learning models.

Metasploit for Machine Learning: Background

Researchers have found that it is surprisingly trivial to trick a machine learning model (classifier, clusterer, regressor etc.) into making objectively wrong decisions. This field of research is called Adversarial Machine Learning. It is not hyperbole to claim that any motivated attacker can bypass any machine learning system, given enough information and time. However, this issue is often overlooked when architects and engineers design and build machine learning systems. The consequences are worrying when these systems are put into use in critical scenarios, such as in the medical, transportation, financial, or security-related fields.

Hence, when one is evaluating the efficacy of applications using machine learning, their malleability in an adversarial setting should be measured alongside the system’s precision and recall.

(emphasis in original)
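The excerpt asks that a model’s “malleability in an adversarial setting” be measured alongside precision and recall. As an added example (not code from deep-pwning or from the post), the Python below does exactly that for a small logistic-regression classifier trained by gradient descent on a constructed two-feature “benign vs. malicious” dataset. The dataset, the model and the helper names are all assumptions for illustration. It uses the one fact that makes the measurement exact for a linear model: the smallest perturbation that flips a decision is the distance from the point to the decision boundary, |w·x + b| / ‖w‖, and the flipping point is the projection of x onto that boundary.

```python
"""Precision, recall and adversarial malleability of a linear classifier.

Added example; not part of deep-pwning or the original post. The data,
model and function names are constructed for illustration.
"""
import math

# Constructed training data: ((x1, x2), label); label 1 = "malicious".
TRAIN = [
    ((0.2, 0.3), 0), ((0.5, 0.1), 0), ((0.1, 0.8), 0), ((0.9, 0.4), 0),
    ((0.3, 0.6), 0), ((0.7, 0.7), 0), ((0.4, 0.2), 0), ((0.6, 0.9), 0),
    ((3.1, 2.8), 1), ((2.7, 3.4), 1), ((3.5, 3.0), 1), ((2.9, 2.6), 1),
    ((3.3, 3.6), 1), ((2.6, 3.1), 1), ((3.8, 2.9), 1), ((3.0, 3.3), 1),
]
# Constructed held-out data drawn from the same two clusters.
TEST = [
    ((0.4, 0.5), 0), ((0.8, 0.2), 0), ((0.9, 0.6), 0),
    ((3.2, 3.1), 1), ((2.8, 2.9), 1), ((2.8, 3.2), 1),
]


def sigmoid(z):
    z = max(-500.0, min(500.0, z))  # avoid overflow in exp
    return 1.0 / (1.0 + math.exp(-z))


def train_logreg(data, lr=0.5, epochs=2000):
    """Batch gradient descent on the logistic loss. Returns (w, b)."""
    w, b, n = [0.0, 0.0], 0.0, len(data)
    for _ in range(epochs):
        gw, gb = [0.0, 0.0], 0.0
        for (x1, x2), y in data:
            err = sigmoid(w[0] * x1 + w[1] * x2 + b) - y
            gw[0] += err * x1
            gw[1] += err * x2
            gb += err
        w[0] -= lr * gw[0] / n
        w[1] -= lr * gw[1] / n
        b -= lr * gb / n
    return w, b


def score(model, x):
    w, b = model
    return w[0] * x[0] + w[1] * x[1] + b


def predict(model, x):
    return 1 if score(model, x) > 0 else 0


def precision_recall(model, data):
    tp = fp = fn = 0
    for x, y in data:
        p = predict(model, x)
        if p == 1 and y == 1:
            tp += 1
        elif p == 1 and y == 0:
            fp += 1
        elif p == 0 and y == 1:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def min_flip_distance(model, x):
    """Smallest L2 perturbation that moves x across a linear decision boundary."""
    w, _ = model
    return abs(score(model, x)) / math.hypot(w[0], w[1])


def adversarial_example(model, x, overshoot=1e-6):
    """Project x onto the boundary along w and step just past it."""
    w, _ = model
    z = score(model, x)
    step = (z + math.copysign(overshoot, z)) / (w[0] ** 2 + w[1] ** 2)
    return (x[0] - step * w[0], x[1] - step * w[1])


def malleability(model, data, budget):
    """Mean minimal flip distance and the fraction of points an attacker
    with a given L2 budget could flip: the figure to report beside
    precision and recall."""
    dists = [min_flip_distance(model, x) for x, _ in data]
    within = sum(1 for d in dists if d <= budget)
    return sum(dists) / len(dists), within / len(dists)


def evaluate(budget=1.0):
    """Train on TRAIN, then report all three measures on TEST."""
    model = train_logreg(TRAIN)
    precision, recall = precision_recall(model, TEST)
    mean_dist, frac = malleability(model, TEST, budget)
    return {"precision": precision, "recall": recall,
            "mean_flip_distance": mean_dist, "fraction_flippable": frac}


if __name__ == "__main__":
    m = train_logreg(TRAIN)
    print(evaluate())
    x = TEST[3][0]
    x_adv = adversarial_example(m, x)
    print(x, predict(m, x), "->", x_adv, predict(m, x_adv))
```

The closed-form step in `adversarial_example` is only valid for linear models; for a neural network or tree ensemble the same measurement would use an iterative gradient or search procedure, which is the kind of attack a framework like deep-pwning wraps. The point of the exercise is the reporting shape: a classifier with perfect precision and recall on clean data can still be one small perturbation away from the wrong answer, and that distance belongs in the evaluation.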

As motivation for a deep dive into machine learning, looming reliance on machine learning to compensate for a shortage of cybersecurity defender talent is hard to beat. (Why Machine Learning will Boost Cyber Security Defenses amid Talent Shortfall)

Reducing cybersecurity to the level of machine learning is nearly as inviting as use of an older, less secure version of MINIX by Intel. If you are going to take advantage of a Berkeley software license, at least get the best stuff. Yes?

Machine learning is of growing importance, but since classifiers can be fooled into identifying a 3-D turtle as a rifle, it hasn’t reached human levels of robustness.

Or to put that differently, when was the last time you identified a turtle as a rifle?

Turtle vs. rifle is a distinction few of us would miss in language, even without additional properties, as in a topic map. But thinking about their properties or characteristics may be a fruitful way to understand why they can be confused.

Or even planning for their confusion and communicating that plan to others.

November 8, 2017

Responding to Bricking to Promote Upgrading

Filed under: Cybersecurity,Security — Patrick Durusau @ 11:38 am

The chagrin of Harmony Link device (Logitech) owners over the bricking of their devices on March 16, 2018 is understandable. But isn’t the “bricking to promote upgrading” strategy described in Cimpanu‘s: Logitech Will Intentionally Brick All Harmony Link Devices Next Year a dangerous one?

Dangerous because the intentional bricking will highlight:

  1. If Harmony Link devices can be remotely bricked on March 16, 2018, they can be bricked at any time prior to March 16, 2018.
  2. If Harmony Link devices can be remotely bricked, local re-installation of earlier firmware will unbrick them. (Back up your firmware today.)
  3. If all smart devices can be remotely bricked, …, you knew that but hadn’t considered it operationally. Makes you wonder which other “smart” devices by Logitech can be bricked.

I can’t second Cimpanu‘s suggestion that you run to the Federal Trade Commission (FTC).

First, it would take years and several presidents for “bricking to promote upgrading” rules to be written and with loopholes that favor industry.

Second, successful enforcement of an FTC rule is akin to where Dilbert says “then their lawyers chewed my clothes off.” A long and tedious process.

Logitech’s proposed action suggests one response to this ill-advised bricking strategy.

What if other “smart” Logitech devices began bricking themselves on March 17, 2018? How would Logitech investors react? Impact management/investor relations?

March 16, 2018, Harmony Link Bricking Day (as it will be known in the future) falls on a Friday. The next business day is Monday, March 19, 2018.

Will present Logitech management survive until March 21, 2018, or be pursuing new opportunities and interests?
