From Security Weekly Wiki
- Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software - Literally giving Windows the finger: Port 79, the default port used by the FINGER protocol, is often blocked by organizations. Privileged users can bypass this using Windows NetSh Portproxy, which allows firewall restrictions to be bypassed to reach servers on unrestricted ports like 80/443. Portproxy queries are first sent to the local machine's IP address and are then forwarded to the specified C2 server.
- 5 Security Lessons Humans Can Learn From Their Dogs - Somewhat interesting points, a bit of a stretch, though I do like the concept: When you hire a dog trainer, you need to be open about the issues and challenges you have with your puppy. The same goes for your corporate culture, where too often no news is good news.
- CrimeOps: The Operational Art of Cyber Crime - Why was FIN7 so amazingly successful using only stodgy “Top 10 Infosec Risks” TTP? The answer is FIN7’s sophisticated organisation and management capabilities. They adopted agile processes and a DevOps methodology. Good team coordination and project management tools were combined with rapid iteration on their toolchain and TTP to maintain efficacy and operational capability. Let's explore CrimeOps. THIS: Using JIRA, FIN7 created an issue ticket for each victim. As the attack progressed through reconnaissance, infiltration, lateral traversal, and target exploitation (by collecting data into "loot"), the issue was updated. Usernames and passwords, output from security tools, screenshots and video captures, everything relevant to increasing their access and control over the victim, was added to JIRA.
- Nozomi Networks Becomes CVE Numbering Authority - There are currently over 130 CVE Numbering Authorities across 24 countries, but Nozomi says it’s the first OT and IoT cybersecurity firm to become a CNA.
- U.S. House Passes IoT Cybersecurity Bill - If it becomes law, the IoT Cybersecurity Improvement Act will require NIST to issue standards and guidelines for secure development, patching, identity management, and configuration management for IoT products. All IoT devices acquired by the federal government will have to comply with these recommendations. (https://www.house.gov/the-house-explained/the-legislative-process for those struggling to remember how a bill becomes law from grade school, like me ;)
- Do Vulnerabilities Ever Get Old? Recent "Mirai" Variant Scanning for 20 Year Old Amanda Version? - So is it looking for a 20-year-old version? Possibly not. Why is it looking for backup clients? There are many possibilities...
- Meet the Computer Scientist Who Helped Push for Paper Ballots - This was a great article; here are Simons' concerns on electronic voting summed up: Just about everything. I'm especially worried about an attack on our voting technology: the electronic poll books, the voting machines, and the scanners that tabulate the ballots. If folks share the concerns of our intelligence community - and they should - that Russia wants to mess with our election, then allowing Internet voting, which is the most insecure form of voting possible, would be a gift to Russia, or China, or Iran, or North Korea, or indeed any nation/state or organization that wants to steal our elections.
- Largest Hacking Campaign Since 2015 Targeted Magento Stores Via Unpatched Bug - Over the weekend, almost two thousand Magento 1 stores across the world were hacked in the largest documented campaign to date. Dubbed “CardBleed”, it was a typical Magecart attack: injected malicious code would intercept the payment information of unsuspecting store customers. Inspected stores were found running Magento version 1, which was announced End-Of-Life last June.
- NSA publishes guidance on UEFI Secure Boot customization
- Three Cybersecurity Lessons from a 1970s KGB Key Logger - It turns out that what may very well be the first keylogger was built by the Soviet Union and used on IBM Selectric typewriters in the U.S. Embassy way back in the 1970s. What the NSA learned back then can still apply to cybersecurity today. Annoying, but funny: The NSA removed about 11 tons of equipment from the embassy, and about 10 tons were shipped in covertly. The Russians had shut down the elevator for preventive maintenance (remember, this is during the Cold War, when both sides would do things to annoy the other), so most of the gear was moved through the building by stairs.
- Suspicious Endpoint Containment with OSSEC - I wrote a Windows command line script that temporarily replaces the existing local firewall rules by a very restricted new set: communication with the OSSEC server is still allowed; an IP address is allowed on all ports TCP/UDP; all remaining traffic is blocked.
- Padlocks, Phishing and Privacy; The Value Proposition of a VPN - HTTPS & SSL doesn't mean "trust this." It means "this is private." You may be having a private conversation with Satan. (Quote from https://twitter.com/shanselman/status/187572289724887041)
- Zerologon hacking Windows servers with a bunch of zeros - The "key" to understanding this attack is here in the NetLogon spec: If AES support is negotiated between the client and the server, the Netlogon credentials are computed using the AES-128 encryption algorithm in 8-bit CFB mode with a zero initialization vector.
- Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale - Microsoft Security
- Windows Exploit Released For Microsoft Zerologon Flaw
- Bluetooth Spoofing Bug Affects Billions of IoT Devices - Another one? Original research: https://friends.cs.purdue.edu/pubs/WOOT20.pdf
- MFA Bypass Bugs Opened Microsoft 365 to Attack - The vulnerabilities were a result of the “inherently insecure protocol” (WS-Trust) as described by Microsoft combined with various bugs in its implementation by the IDPs. In some cases, an attacker could spoof his IP address to bypass MFA via a simple request header manipulation. In another case, altering the user-agent header caused the IDP to misidentify the protocol and believe it to be using Modern Authentication. In all cases, Microsoft logs the connection as “Modern Authentication” due to the exploit pivoting from legacy protocol to the modern one. Unaware of the situation and the risks involved, the administrators and security professionals monitoring the tenant would see the connection as made via Modern Authentication.
- German Hospital Hacked, Patient Taken to Another City Dies | SecurityWeek.Com
- Kubernetes Goat
- flAWS - Pretty cool CTF that lets you sharpen your cloud hacking skills.
- Zerologon Windows exploit lets attackers instantly become admins on enterprise networks
- Linux users beware - you could be facing more cyber threats than ever before
- How Hackers Can Pick Your Locks Just By Listening - The hacking technology would go something like this: from a few centimeters away, the person conducting the attack records audio of the victim unlocking their door. For these purposes, a smartphone works just fine, the researchers found, but other microphone equipment could also suffice if it’s strong enough. With proprietary software, the team removed noise from the audio file and calculated the distance between each ridge in the key, known as the "bitting depth."
- An overview of targeted attacks and APTs on Linux
- Most compliance requirements are completely absurd - Help Net Security - Jeff will love this: However, I think those who write requirements should take the Payment Card Industry Data Security Standard (PCI DSS) as an example. The PCI DSS applies to all organizations that store cardholder data and the requirements are clear, regularly updated, and you can find everything you need in one place. The way PCI DSS compliance is structured (in terms of requirement, testing procedures and guidance) is a lot clearer than anything else I’ve seen. It contains very little room for subjectivity, and you know exactly where you stand with it.
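The Windows finger entry above describes tunnelling C2 traffic through a netsh portproxy forwarder so that port 79 reaches a server on 80/443. As an added defensive example (not from the article or this wiki), the following Python parses the output of `netsh interface portproxy show all` and flags forwarders that listen on port 79, listen on all interfaces, or forward to a non-internal address; the sample output is constructed, and the "internal" ranges are an assumption (RFC 1918 plus loopback).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `netsh interface portproxy show all` output (not captured from a real host)
SAMPLE_NETSH_OUTPUT = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         79          203.0.113.5     443
127.0.0.1       8080        10.0.0.12       8080
"""

FINGER_PORT = 79
# Assumption: addresses in RFC 1918 space or loopback count as internal; anything else is reviewed
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# A data row is "listen_addr listen_port connect_addr connect_port"; header/separator rows have no numeric ports
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(text: str) -> list:
    """Extract listen/connect rules from netsh output, skipping headers and separators."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rules.append({"listen_addr": m.group(1), "listen_port": int(m.group(2)),
                          "connect_addr": m.group(3), "connect_port": int(m.group(4))})
    return rules


def is_internal(addr: str) -> bool:
    """True for RFC 1918 / loopback addresses; hostnames (which netsh accepts) are treated as external."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def suspicious(rule: dict) -> list:
    """Reasons a forwarder deserves review; an empty list means nothing stood out."""
    reasons = []
    if rule["listen_port"] == FINGER_PORT:
        reasons.append("listens on the finger port (79)")
    if rule["listen_addr"] == "0.0.0.0":
        reasons.append("listens on all interfaces")
    if not is_internal(rule["connect_addr"]):
        reasons.append(f"forwards to non-internal address {rule['connect_addr']}:{rule['connect_port']}")
    return reasons


def audit(text: str) -> list:
    """Return (rule, reasons) pairs for every rule that has at least one reason."""
    return [(r, suspicious(r)) for r in parse_portproxy(text) if suspicious(r)]
```

On a live host, pipe the real `netsh interface portproxy show all` output into `audit()`; a clean workstation normally has no portproxy rules at all, so any row is worth a look.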
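The Zerologon entry above quotes the Netlogon spec's use of AES-128 in 8-bit CFB mode with a zero IV. As an added example (not from the article or this wiki), this Python shows why that construction is weak: with a zero IV and all-zero plaintext, the CFB8 shift register never changes once the first keystream byte is 0, so about 1 key in 256 encrypts any run of zeros to zeros. A keyed SHA-256 stand-in replaces AES as an assumption, since only the CFB8 chaining matters for the property shown.

```python
import hashlib

BLOCK = 16  # AES block size in bytes


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (assumption): keyed SHA-256 truncated to one block.
    Any block function with a uniformly distributed first output byte shows the same effect."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit CFB: each output byte is plaintext XOR the first byte of E(shift register);
    the register then drops its oldest byte and the new ciphertext byte enters on the right."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ toy_block_encrypt(key, bytes(shift))[0]
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def first_keystream_byte(key: bytes) -> int:
    """Under a zero IV the whole outcome hinges on this one byte: E(0^16)[0]."""
    return toy_block_encrypt(key, bytes(BLOCK))[0]


def collapses_to_zero(key: bytes, length: int = 8) -> bool:
    """True when `length` zero bytes encrypt to `length` zero bytes under a zero IV.
    If the first keystream byte is 0, the first ciphertext byte is 0, the register stays all-zero,
    and every later keystream byte is that same 0, so the output is zeros for any length."""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(length)) == bytes(length)


def find_key(weak: bool, seed: bytes = b"constructed-search") -> bytes:
    """Deterministic search for a key whose first keystream byte is zero (weak) or non-zero."""
    i = 0
    while True:
        key = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:BLOCK]
        if (first_keystream_byte(key) == 0) == weak:
            return key
        i += 1


def weak_key_fraction(trials: int = 8192, seed: bytes = b"constructed-keys") -> float:
    """Fraction of a deterministic key sample for which zeros encrypt to zeros (about 1/256)."""
    weak = sum(collapses_to_zero(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:BLOCK])
               for i in range(trials))
    return weak / trials
```

The fix in the patched Netlogon is not a different cipher but an unpredictable IV and rejection of the all-zero challenge pattern; with a random IV the register is non-zero from the start and the collapse no longer occurs.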