Jan 15 2024

Network Penetration Testing Checklist – 2024

Category: Pen Test — disc7 @ 9:18 am

Network Penetration Testing Checklist – 2024

Network Penetration Testing checklist determines vulnerabilities in the network posture by discovering open ports, troubleshooting live systems, and services, and grabbing system banners.

The pen-testing helps the administrator close unused ports, add additional services, hide or customize banners, troubleshoot services, and calibrate firewall rules.

You should test in all ways to guarantee there is no security loophole.

Network penetration testing, also known as ethical hacking or white-hat hacking, is a systematic process of evaluating the security of a computer network infrastructure.

The goal of a network penetration test is to identify vulnerabilities and weaknesses in the network’s defenses that malicious actors could potentially exploit.

Network penetration testing is a critical process for evaluating the security of a computer network by simulating an attack from malicious outsiders or insiders. Here is a comprehensive checklist for conducting network penetration testing:

Pre-Engagement Activities

Define Scope: Clearly define the scope of the test, including which networks, systems, and applications will be assessed.
Get Authorization: Obtain written permission from the organization’s management to conduct the test.
Legal Considerations: Ensure compliance with all relevant laws and regulations.
Set Objectives: Establish what the penetration test aims to achieve (e.g., identifying vulnerabilities, testing incident response capabilities).
Plan and Schedule: Develop a testing schedule that minimizes impact on normal operations.

Reconnaissance

Gather Intelligence: Collect publicly available information about the target network (e.g., via WHOIS, DNS records).
Network Mapping: Identify the network structure, IP ranges, domain names, and accessible systems.
Identify Targets: Pinpoint specific devices, services, and applications to target during the test.

Threat Modeling

Identify Potential Threats: Consider possible threat actors and their capabilities, objectives, and methods.
Assess Vulnerabilities: Evaluate which parts of the network might be vulnerable to attack.

Vulnerability Analysis

Automated Scanning: Use tools to scan for known vulnerabilities (e.g., Nessus, OpenVAS).
Manual Testing Techniques: Perform manual checks to complement automated tools.
Document Findings: Keep detailed records of identified vulnerabilities.

Exploitation

Attempt Exploits: Safely attempt to exploit identified vulnerabilities to gauge their impact.
Privilege Escalation: Test if higher levels of access can be achieved.
Lateral Movement: Assess the ability to move across the network from the initial foothold.

Post-Exploitation

Data Access and Exfiltration: Evaluate what data can be accessed or extracted.
Persistence: Check if long-term access to the network can be maintained.
Cleanup: Remove any tools or scripts installed during the testing.

Analysis and Reporting

Compile Findings: Gather all data, logs, and evidence.
Risk Assessment: Analyze the risks associated with the identified vulnerabilities.
Develop Recommendations: Propose measures to mitigate or eliminate vulnerabilities.
Prepare Report: Create a detailed report outlining findings, risks, and recommendations.

Review and Feedback

Present Findings: Share the report with relevant stakeholders.
Discuss Remediation Strategies: Work with the IT team to discuss ways to address vulnerabilities.
Plan for Re-Testing: Schedule follow-up tests to ensure vulnerabilities are effectively addressed.

Continuous Improvement

Update Security Measures: Implement the recommended security enhancements.
Monitor for New Vulnerabilities: Regularly scan and test the network as new threats emerge.
Educate Staff: Train staff on new threats

and security best practices.

Tools and Techniques

Select Tools: Choose appropriate tools for scanning, exploitation, and analysis (e.g., Metasploit, Wireshark, Burp Suite).
Custom Scripts and Tools: Sometimes custom scripts or tools are required for specific environments or systems.

Ethical and Professional Conduct

Maintain Confidentiality: All findings should be kept confidential and shared only with authorized personnel.
Professionalism: Conduct all testing with professionalism, ensuring no unnecessary harm is done to the systems.

Post-Engagement Activities

Debrief Meeting: Conduct a meeting with the stakeholders to discuss the findings and next steps.
Follow-Up Support: Provide support to the organization in addressing the vulnerabilities.

Documentation and Reporting

Detailed Documentation: Ensure that every step of the penetration test is well-documented.
Clear and Actionable Reporting: The final report should be understandable to both technical and non-technical stakeholders and provide actionable recommendations.

Compliance and Standards

Adhere to Standards: Follow industry standards and best practices (e.g., OWASP, NIST).
Regulatory Compliance: Ensure the testing process complies with relevant industry regulations (e.g., HIPAA, PCI-DSS).

Final Steps

Validation of Fixes: Re-test to ensure vulnerabilities have been properly addressed.
Lessons Learned: Analyze the process for any lessons that can be learned and applied to future tests.

Awareness and Training

Organizational Awareness: Increase awareness about network security within the organization.
Training: Provide training to staff on recognizing and preventing security threats.

By following this checklist, organizations can conduct thorough and effective network penetration tests, identifying vulnerabilities and strengthening their network security posture.

Let’s see how we conduct step-by-step Network penetration testing using famous network scanners.

1. Host Discovery

Footprinting is the first and most important phase where one gathers information about their target system.

DNS footprinting helps to enumerate DNS records like (A, MX, NS, SRV, PTR, SOA, and CNAME) resolving to the target domain.

A – A record is used to point the domain name such as gbhackers.com to the IP address of its hosting server.
MX – Records responsible for Email exchange.
NS – NS records are to identify DNS servers responsible for the domain.
SRV – Records to distinguish the service hosted on specific servers.
PTR – Reverse DNS lookup, with the help of IP you can get domains associated with it.
SOA – Start of record, it is nothing but the information in the DNS system about DNS Zone and other DNS records.
CNAME – Cname record maps a domain name to another domain name.

We can detect live hosts, and accessible hosts in the target network by using network scanning tools such as Advanced IP scanner, NMAP, HPING3, and NESSUS.

Ping&Ping Sweep:

root@kali:~# nmap -sn 192.168.169.128
root@kali:~# nmap -sn 192.168.169.128-20 To ScanRange of IP
root@kali:~# nmap -sn 192.168.169.* Wildcard
root@kali:~# nmap -sn 192.168.169.128/24 Entire Subnet

Whois Information

To obtain Whois information and the name server of a website

root@kali:~# whois testdomain.com

http://whois.domaintools.com/
https://whois.icann.org/en

Traceroute

Network Diagonastic tool that displays route path and transit delay in packets

root@kali:~# traceroute google.com

Online Tools

http://www.monitis.com/traceroute/
http://ping.eu/traceroute/

2. Port Scanning

Perform port scanning using Nmap, Hping3, Netscan tools, and Network monitor. These tools help us probe a server or host on the target network for open ports.

Open ports allow attackers to enter and install malicious backdoor applications.

root@kali:~# nmap –open gbhackers.com
To find all open ports root@kali:~# nmap -p 80 192.168.169.128
Specific Portroot@kali:~# nmap -p 80-200 192.168.169.128
Range of ports root@kali:~# nmap -p “*” 192.168.169.128

Online Tools

http://www.yougetsignal.com/
https://pentest-tools.com/information-gathering/find-subdomains-of-domain

Perform banner grabbing or OS fingerprinting using tools such as Telnet, IDServe, and NMAP to determine the operating system of the target host.

Once you know the version and operating system of the target, you need to find the vulnerabilities and exploit them. Try to gain control over the system.

root@kali:~# nmap -A 192.168.169.128
root@kali:~# nmap -v -A 192.168.169.128 with high verbosity level

IDserve is another good tool for banner grabbing.

Online Tools

https://www.netcraft.com/
https://w3dt.net/tools/httprecon
https://www.shodan.io/

4. Scan For Vulnerabilities

Scan the network using vulnerabilities using GIFLanguard, Nessus, Ratina CS, SAINT.

These tools help us find vulnerabilities in the target system and operating systems. With these steps, you can find loopholes in the target network system.

GFILanguard

It acts as a security consultant and offers patch management, vulnerability assessment, and network auditing services.

Nessus

Nessus is a vulnerability scanner tool that searches for bugs in the software and finds a specific way to violate the security of a software product.

Data gathering.
Host identification.
Port scan.
Plug-in selection.
Reporting of data.

5. Draw Network Diagrams

Draw a network diagram about the organization that helps you to understand the logical connection path to the target host in the network.

The network diagram can be drawn by LANmanager, LANstate, Friendly pinger, and Network View.

6. Prepare Proxies

Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.

With proxy servers, we can anonymize web browsing and filter unwanted content, such as ads.

Proxies such as Proxifier, SSL Proxy, Proxy Finder, etc., are used to hide from being caught.

6. Document All Findings

The last and very important step is to document all the findings from penetration testing.

This document will help you find potential vulnerabilities in your network. Once you determine the vulnerabilities, you can plan counteractions accordingly.

You can download the rules and scope Worksheet here – Rules and Scope sheet

Thus, penetration testing helps assess your network before it gets into real trouble that may cause severe loss in value and finance.

Important Tools Used For Network Pentesting

Frameworks

Kali Linux, Backtrack5 R3, Security Onion

Reconnaisance

Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, DIG, netcraft

Discovery

Angry IP scanner, Colasoft ping tool, nmap, Maltego, NetResident,LanSurveyor, OpManager

Port Scanning

Nmap, Megaping, Hping3, Netscan tools pro, Advanced port scannerService Fingerprinting Xprobe, nmap, zenmap

Enumeration

Superscan, Netbios enumerator, Snmpcheck, onesixtyone, Jxplorer, Hyena, DumpSec, WinFingerprint, Ps Tools, NsAuditor, Enum4Linux, nslookup, Netscan

Scanning

Nessus, GFI Languard, Retina, SAINT, Nexpose

Password Cracking

Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John The Ripper,Rainbow Crack

Sniffing

Wireshark, Ettercap, Capsa Network Analyzer

MiTM Attacks

Cain & Abel, Ettercap

Exploitation

Metasploit, Core Impact

You should concentrate on These most important checklists with Network Penetration Testing.

Network Penetration Testing with Nmap

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Network Penetration Testing, Network Penetration Testing with Nmap

Comments (0)

Jan 12 2024

Framework discloses data breach after accountant gets phished

Category: Data Breach,Phishing — disc7 @ 10:21 am

https://www.bleepingcomputer.com/news/security/framework-discloses-data-breach-after-accountant-gets-phished/

Framework Computer disclosed a data breach exposing the personal information of an undisclosed number of customers after Keating Consulting Group, its accounting service provider, fell victim to a phishing attack.

The California-based manufacturer of upgradeable and modular laptops says a Keating Consulting accountant was tricked on January 11 by a threat actor impersonating Framework’s CEO into sharing a spreadsheet containing customers’ personally identifiable information (PII) “associated with outstanding balances for Framework purchases.”

“On January 9th, at 4:27am PST, the attacker sent an email to the accountant impersonating our CEO asking for Accounts Receivable information pertaining to outstanding balances for Framework purchases,” the company says in data breach notification letters sent to affected individuals.

“On January 11th at 8:13am PST, the accountant responded to the attacker and provided a spreadsheet with the following information: Full Name, Email Address, Balance Owed.

“Note that this list was primarily of a subset of open pre-orders, but some completed past orders with pending accounting syncs were also included in this list.”

Framework says its Head of Finance notified Keating Consulting’s leadership of the attack once he became aware of the breach roughly 29 minutes after the external accountant replied to the attacker’s emails at 8:42 AM PST on January 11th.

As part of a subsequent investigation, the company identified all customers whose information was exposed in the attack and notified them of the incident via email.

Affected customers warned of phishing risks

Since the exposed data includes the names of customers, their email addresses, and their outstanding balances, it could potentially be used in phishing attacks that impersonate the company to request payment information or redirect to malicious websites designed to gather even more sensitive information from those impacted.

The company added that it only sends emails from ‘support@frame.work’ asking customers to update their information when a payment has failed and it never asks for payment information via email. Customers are urged to contact the company’s support team about any suspicious emails they receive.

Framework says that from now on, all Keating Consulting employees with access to Framework customer information will be required to have mandatory phishing and social engineering attack training.

“We are also auditing their standard operating procedures around information requests,” the company added.

“We are additionally auditing the trainings and standard operating procedures of all other accounting and finance consultants who currently or previously have had access to customer information.”

A Framework spokesperson was not immediately available for comment when BleepingComputer asked about the number of affected customers in the data breach.

Big Breaches: Cybersecurity Lessons for Everyone

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: data breach

Comments (0)

Jan 12 2024

Fake Recruiters Defraud Facebook Users via Remote-Work Offers

Category: Information Security — disc7 @ 8:56 am

Scammers are targeting multiple brands with “job offers” on Meta’s social media platform, that go as far as to offer what look like legitimate job contracts to victims.

https://www.darkreading.com/remote-workforce/fake-recruiters-defraud-facebook-users-remote-work-offers

A fresh wave of job scams is spreading on Meta’s Facebook platform that aims to lure users with offers for remote-home positions and ultimately defraud them by stealing their personal data and banking credentials.

Researchers from Qualys are warning of “ongoing attacks against multiple brands” offering remote work through Facebook ads that go so far as to send what look like legitimate work contracts to victims, according to a blog post published Jan. 10 by Jonathan Trull, Qualys CISO and senior vice president of solutions architecture.

The attackers dangle offers of work-at-home opportunities to lure Facebook users to install or move to a popular chat app with someone impersonating a legitimate recruiter to continue the conversation. Eventually, attackers ask for personal information and credentials that potentially can allow attackers to defraud them in the future.

Likely aiming to take advantage of people’s tendency to make resolutions in the new year, these fake job ads — a persistent online threat — typically “see a rise in prevalence following the holidays” when people are primed for new opportunities, Trull wrote.

Qualys Caught Up in Scam

The researchers discovered the scams because fake recruiters were purporting to be from Qualys with offers of remote work. The company, however, never posts its job listings on social media, only on its own website and reputable employment sites, Trull said.

The initial text lures for the scam occur in group chats that solicit users to move to private messaging with the scammer who posts the job opening. “In several cases, the scammer appears to have compromised legitimate Facebook users and then targeted their direct connections,” Trull wrote.

Once a victim installs Go Chat or Signal — the messaging apps used in the scam — attackers ask for additional details so they can receive and sign what appears to be an official Qualys job offer complete with logos, correct corporate addresses, and signature lines.

Attackers then ask victims to send a copy of a government-issued photo ID, both front and back, and told to digitally cash a check to buy software for a new computer that their new employer will ship to them.

Qualys has notified both Facebook and law enforcement of the scam and encourages users to do the same if they observe it on the platform. The blog post did not list the names of other companies or brands that might also be targeted in the attacks.

Avoid Being Scammed

Job scams are indeed a constant online security issue, one that’s on the rise, according to the US Better Business Bureau (BBB). Online ads and phishing campaigns are popular conduits for job scammers, which use social engineering to bait people into responding and then either steal their personal data, online credentials, and/or money. Scams also can have a negative reputational impact on the companies whose brands are used in the scam.

To avoid being scammed by a fake job listing, Qualys provided some best practices for online employment seekers to follow when using the Internet to search for opportunities.

In general, a mindset of “if it’s too good to be true, it probably is” is a good rule of thumb to approaching online job listings, Trull wrote. “Listen to your intuition,” he added. “If it doesn’t feel right, you should probably not proceed.”

Qualys also advised that people always verify offers by looking up a job opening on an organization’s official website and contacting the company directly instead of using social media contacts that could be abused as part of a scam.

People also should be “highly skeptical” of any job solicitation that doesn’t come from an official source, even if the social media source making the offer appears trusted. Since social media accounts can be hijacked, the source can appear legitimate but isn’t.

Further, if an online recruiter asks a person to install an app to apply for a position, it’s probably a scam, Trull warned. “Real recruiters will call you, email, or set up a multimedia interview call at their expense without any concern — they are set up for it if they are a recruiter,” he wrote.

Fake: Fake Money

FAKE: Fake Money

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Fake Money, Fake Recuriter

Comments (0)

Jan 11 2024

INSIDE THE SCAM: HOW RANSOMWARE GANGS FOOL YOU WITH DATA DELETION LIES!

Category: Ransomware — disc7 @ 2:29 pm

Inside the Scam: How Ransomware Gangs Fool You with Data Deletion Lies!

Recently, there has been an emergence of a new scam targeting victims of ransomware attacks. This scam involves individuals or groups posing as “security researchers” or “ethical hackers,” offering to delete data stolen by ransomware attackers for a fee. The scam plays on the fears and vulnerabilities of organizations already compromised by ransomware attacks, such as those by the Royal and Akira ransomware gangs.

The modus operandi of these scammers is quite consistent and alarming. They approach organizations that have already been victimized by ransomware and offer a service to hack into the servers of the ransomware groups and delete the stolen data. This proposition typically comes with a significant fee, sometimes in the range of 1-5 Bitcoins (which could amount to about $190,000 to $220,000).

These scammers often use platforms like Tox Chat to communicate with their targets and may go by names like “Ethical Side Group” or use monikers such as “xanonymoux.” They tend to provide “proof” of access to the stolen data, which they claim is still on the attacker’s servers. In some instances, they accurately report the amount of data exfiltrated, giving their claims an air of credibility.

A notable aspect of this scam is that it adds an additional layer of extortion to the victims of ransomware. Not only do these victims have to contend with the initial ransomware attack and the associated costs, but they are also faced with the prospect of paying yet another party to ensure the safety of their data. This situation highlights the complexities and evolving nature of cyber threats, particularly in the context of ransomware.

RedEye: A great opensource cyber security Log Visualization tool for Red and Blue teams

Security experts and researchers, like those from Arctic Wolf, have observed and reported on these incidents, noting the similarities in the tactics and communication styles used by the scammers in different cases. However, there remains a great deal of uncertainty regarding the actual ability of these scammers to delete the stolen data, and their true intentions.

THE EMERGING SCAM IN RANSOMWARE ATTACKS

1. THE FALSE PROMISE OF DATA DELETION

Ransomware gangs have been known not to always delete stolen data even after receiving payment. Victims are often misled into believing that paying the ransom will result in the deletion of their stolen data. However, there have been numerous instances where this has not been the case, leading to further exploitation.

2. FAKE ‘SECURITY RESEARCHER’ SCAMS

A new scam involves individuals posing as security researchers, offering services to recover or delete exfiltrated data for a fee. These scammers target ransomware victims, often demanding payment in Bitcoin. This tactic adds another layer of deception and financial loss for the victims.

3. THE HACK-BACK OFFERS

Ransomware victims are now being targeted by fake hack-back offers. These offers promise to delete stolen victim data but are essentially scams designed to extort more money from the victims. This trend highlights the evolving nature of cyber threats and the need for greater awareness.

4. THE ILLOGICAL NATURE OF PAYING FOR DATA DELETION

Paying to delete stolen data is considered an illogical and ineffective strategy. Once data is stolen, there is no guarantee that the cybercriminals will honor their word. The article argues that paying the ransom often leads to more harm than good.

5. THE ROLE OF RANSOMWARE GROUPS

Some ransomware groups are involved in offering services to delete exfiltrated data for a fee. However, these offers are often scams, and there is no assurance that the data will be deleted after payment.

These scams underscores the critical importance of cybersecurity vigilance and the need for robust security measures to protect against ransomware and related cyber threats. It also highlights the challenging decision-making process for organizations that fall victim to ransomware: whether to pay the ransom, how to handle stolen data, and how to respond to subsequent extortion attempts.

The Ransomware Hunting Team: A Band of Misfits’ Improbable Crusade to Save the World from Cybercrime

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ransomware attacks

Comments (0)

Jan 11 2024

APIs are increasingly becoming attractive targets

Category: API security — disc7 @ 10:35 am

APIs are increasingly becoming attractive targets

APIs power the digital world—our phones, smartwatches, banking systems and shopping sites all rely on APIs to communicate. They can help ecommerce sites accept payments, enable healthcare systems to securely share patient data, and even give taxis and public transportation access to real-time traffic data.

Nearly every business today now uses them to build and provide better sites, apps and services to consumers. However, if unmanaged or unsecured, APIs present a goldmine for threat actors to exfiltrate potentially sensitive information.

“APIs are central to how applications and websites work, which makes them a rich, and relatively new, target for hackers,” said Matthew Prince, CEO at Cloudflare. “It’s vital that companies identify and protect all their APIs to prevent data breaches and secure their businesses.”

APIs popularity boosts attack volume

The seamless integrations that APIs allow for have driven organizations across industries to increasingly leverage them – some more quickly than others. The IoT, rail, bus and taxi, legal services, multimedia and games, and logistics and supply chain industries saw the highest share of API traffic in 2023.

APIs dominate dynamic Internet traffic around the globe (57%), with each region that Cloudflare protects seeing an increase in usage over the past year. However, the top regions that explosively adopted APIs and witnessed the highest traffic share in 2023 were Africa and Asia.

As with any popular business critical function that houses sensitive data, threat actors attempt to exploit any means necessary to gain access. The rise in popularity of APIs has also caused a rise in attack volume, with HTTP Anomaly, Injection attacks and file inclusion being the top three most commonly used attack types mitigated by Cloudflare.

Shadow APIs provide a defenseless path for threat actors

Organizations struggle to protect what they cannot see. Nearly 31% more API REST endpoints (when an API connects with the software program) were discovered through machine learning versus customer-provided identifiers – e.g., organizations lack a full inventory of their APIs.

Regardless if an organization has full visibility of all their APIs, DDoS mitigation solutions can help block potential threats. 33% of all mitigations applied to API threats were blocked by DDoS protections already in place.

“APIs are powerful tools for developers to create full-featured, complex applications to serve their customers, partners, and employees, but each API is a potential attack surface that needs to be secured,” said Melinda Marks, Practice Director, Cybersecurity, for Enterprise Strategy Group. “As this new report shows, organizations need more effective ways to address API security, including better visibility of APIs, ways to ensure secure authentication and authorization between connections, and better ways to protect their applications from attacks.”

API Security in Action

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: API Security

Comments (0)

Jan 10 2024

DevSecOps: 5 Tips for Developing Better, Safer Apps

Category: DevSecOps — disc7 @ 8:48 am

https://www.crowdstrike.com/blog/devsecops-tips-to-develop-better-safer-apps/

According to the CrowdStrike 2023 Global Threat Report, there was a 95% increase in cloud exploits in 2022, with a three-fold increase in cases involving cloud-conscious threat actors. The cloud is rapidly becoming a major battleground for cyberattacks — and the cost of a breach has never been higher. The estimated average cost of a breach impacting multi-cloud environments is more than $4.75 million USD in 2023.¹ The acceleration of cloud-focused threat activity and its effects has made security a key priority across organizations.

Security in the Cloud Is a Shared Responsibility

Security teams are accountable for protecting against risks, but they cannot be the only ones. Each team must try to communicate why their part of the development lifecycle is important to the other teams in the pipeline. With the growth of cloud-native applications and the demand for faster application delivery or continuous integration/continuous delivery (CI/CD), the use of containers is increasing widely. As businesses adopt containerized and serverless technologies and cloud-based services, more complex security issues arise.

Application developers have a tricky balance to maintain between speed and security. In DevOps, security used to be an issue addressed after development — but that’s changing. Now, developers who previously had to code right up to the last minute — leaving almost no time to find and fix vulnerabilities — are using tools like Infrastructure as code (IaC) scanning to validate they have fewer security vulnerabilities before they move to the next phase of development.

When security is considered at every step in the pipeline, it ensures developers find and address issues early on and it streamlines the development process. DevSecOps helps developers find and remediate vulnerabilities earlier in the app development process. Vulnerabilities discovered and addressed during the development process are less expensive and faster to fix. By automating testing, remediation and delivery, DevSecOps ensures stronger software security without slowing development cycles. The goal is to make security a part of the software development workflow, instead of having to address more issues during runtime.

5 Tips to Develop Apps with Security and Efficiency

1. Automate security reviews and testing. Every DevSecOps pipeline should utilize a combination or variation of tools and features like those listed below. A good automated and unified solution will provide broad visibility and address those issues as they arise, while alerting, enforcing compliance and providing customized reports with relevant insights for the DevOps and security teams.

SAST: Static application security testing to detect insecure code before it’s used (tools like GitHub, GitGuardian and Snyk, to name a few)
SCA: Software composition analysis to detect library vulnerabilities before building (tools like GitHub and GitLab)
CSA: Container scanning analysis to detect Operating System Library vulnerabilities and mitigate risk (tools like CrowdStrike Falcon® Cloud Security and GitLab)

Figure 1. Dynamic container analysis in the Falcon platform (click to enlarge)

IaC scanning: Infrastructure-as-code scanning to detect vulnerabilities in infrastructure (tools like Falcon Cloud Security and GitLab)

Figure 2. Falcon infrastructure-as-code (IaC) scanning (click to enlarge)

ASPM: Application security posture management to detect application vulnerabilities and risks once deployed (such as Falcon Cloud Security)

Figure 3. Architecture view of apps, services, APIs and more in Falcon (click to enlarge)

2. Integrate with developer toolchains. Streamline and consolidate your toolchain so developers and security teams can focus their attention on a single interface and source of truth. The tighter the integration between security and app development, the earlier threats can be identified, and the faster delivery can be accelerated. By seamlessly integrating with Jenkins, Bamboo, GitLab and others, Falcon Cloud Security allows DevOps teams to respond to and remediate incidents faster within the toolsets they already use.

3. Share security knowledge among teams. DevSecOps is a journey enabled by technology, but a process that starts with people. Your DevSecOps team should share lessons learned and mitigation steps after resolving the compromise. Some organizations even assign a security champion who helps introduce this sense of responsibility of security within the team. Be prepared to get your teams on board before changing the process, and ensure everyone understands the benefits of DevSecOps. Make security testing part of your project kickoffs and charters, and empower your teams with training, education and tools to make their jobs easier.

4. Measure your security posture. Identify the software development pain points and security risks, create a plan that works well for your organization and your team, and drive execution. Make sure to track and measure results such as the time lost in dealing with vulnerabilities after code is merged. Then, look for patterns in the type or cause of those vulnerabilities, and make adjustments to detect and address them earlier. This introduces a shared plan with integration into the build and production phases. CrowdStrike offers a free comprehensive Cloud Security Risk Review and services to help you plan, execute and measure your plan.

5. “Shift right” as well as “shift left.” Detection doesn’t always guarantee security. Shifting right and knowing how secure your applications and APIs are in production is just as important. By leveraging ASPM to uncover potential vulnerabilities in the application code once they are up and deployed, teams can find potential exposure in their application code that could allow backdoor access to other critical data and systems.

The bottom line is that while security and development used to be separate, the lines are now blurring to a point where security is becoming more and more integrated with the day-to-day job of developers. The benefit is that the modern practice brings together teams across the company to a common understanding, which then drives business growth. DevSecOps requires teams to collaborate and enables the organization to deliver safer applications to customers without compromising security.

How CrowdStrike Powers Your DevSecOps Journey

Security is not meant to be a red light on the road to your business goals or slow down your software development. It is meant to enable you to reach those goals safely with minimal risk. Falcon Cloud Security empowers DevSecOps teams to “shift left” in the application security paradigm, with tools including Infrastructure-as-Code Scanning, Image Assessment, and Kubernetes Admission Controller, all designed to ensure applications are secure earlier in application development and deployment.

CrowdStrike Falcon Cloud Security lets DevOps and security teams join forces to build applications securely before deployment, monitor they are compliant once deployed, and ensure the code is secure during runtime using ASPM. With ASPM in a unified interface that’s easy to visualize and understand, customers can “shift right” to reduce risk and stop breaches from applications that are already deployed.

The DevSecOps Playbook: Deliver Continuous Security at Speed

DevSecOps A leaders Guide

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: DevOps, DevSecOps, The DevSecOps Playbook

Comments (0)

Jan 08 2024

11 WAYS OF HACKING INTO CHATGPT LIKE GENERATIVE AI SYSTEMS

Category: ChatGPT,Hacking — disc7 @ 9:41 pm

11 ways of hacking into ChatGpt like Generative AI systems

In the rapidly evolving landscape of artificial intelligence, generative AI systems have become a cornerstone of innovation, driving advancements in fields ranging from language processing to creative content generation. However, a recent report by the National Institute of Standards and Technology (NIST) sheds light on the increasing vulnerability of these systems to a range of sophisticated cyber attacks. The report, provides a comprehensive taxonomy of attacks targeting Generative AI (GenAI) systems, revealing the intricate ways in which these technologies can be exploited. The findings are particularly relevant as AI continues to integrate deeper into various sectors, raising concerns about the integrity and privacy implications of these systems.

INTEGRITY ATTACKS: A THREAT TO AI’S CORE

Integrity attacks affecting Generative AI systems are a type of security threat where the goal is to manipulate or corrupt the functioning of the AI system. These attacks can have significant implications, especially as Generative AI systems are increasingly used in various fields. Here are some key aspects of integrity attacks on Generative AI systems:

Data Poisoning:
- Detail: This attack targets the training phase of an AI model. Attackers inject false or misleading data into the training set, which can subtly or significantly alter the model’s learning. This can result in a model that generates biased or incorrect outputs.
- Example: Consider a facial recognition system being trained with a dataset that has been poisoned with subtly altered images. These images might contain small, imperceptible changes that cause the system to incorrectly recognize certain faces or objects.
Model Tampering:
- Detail: In this attack, the internal parameters or architecture of the AI model are altered. This could be done by an insider with access to the model or by exploiting a vulnerability in the system.
- Example: An attacker could alter the weightings in a sentiment analysis model, causing it to interpret negative sentiments as positive, which could be particularly damaging in contexts like customer feedback analysis.
Output Manipulation:
- Detail: This occurs post-processing, where the AI’s output is intercepted and altered before it reaches the end-user. This can be done without directly tampering with the AI model itself.
- Example: If a Generative AI system is used to generate financial reports, an attacker could intercept and manipulate the output to show incorrect financial health, affecting stock prices or investor decisions.
Adversarial Attacks:
- Detail: These attacks use inputs that are specifically designed to confuse the AI model. These inputs are often indistinguishable from normal inputs to the human eye but cause the AI to make errors.
- Example: A stop sign with subtle stickers or graffiti might be recognized as a speed limit sign by an autonomous vehicle’s AI system, leading to potential traffic violations or accidents.
Backdoor Attacks:
- Detail: A backdoor is embedded into the AI model during its training. This backdoor is activated by certain inputs, causing the model to behave unexpectedly or maliciously.
- Example: A language translation model could have a backdoor that, when triggered by a specific phrase, starts inserting or altering words in a translation, potentially changing the message’s meaning.
Exploitation of Biases:
- Detail: This attack leverages existing biases within the AI model. AI systems can inherit biases from their training data, and these biases can be exploited to produce skewed or harmful outputs.
- Example: If an AI model used for resume screening has an inherent gender bias, attackers can submit resumes that are tailored to exploit this bias, increasing the likelihood of certain candidates being selected or rejected unfairly.
Evasion Attacks:
- Detail: In this scenario, the input data is manipulated in such a way that the AI system fails to recognize it as something it is trained to detect or categorize correctly.
- Example: Malware could be designed to evade detection by an AI-powered security system by altering its code signature slightly, making it appear benign to the system while still carrying out malicious functions.

PRIVACY ATTACKS ON GENERATIVE AI

Privacy attacks on Generative AI systems are a serious concern, especially given the increasing use of these systems in handling sensitive data. These attacks aim to compromise the confidentiality and privacy of the data used by or generated from these systems. Here are some common types of privacy attacks, explained in detail with examples:

Model Inversion Attacks:
- Detail: In this type of attack, the attacker tries to reconstruct the input data from the model’s output. This is particularly concerning if the AI model outputs something that indirectly reveals sensitive information about the input data.
- Example: Consider a facial recognition system that outputs the likelihood of certain attributes (like age or ethnicity). An attacker could use this output information to reconstruct the faces of individuals in the training data, thereby invading their privacy.
Membership Inference Attacks:
- Detail: These attacks aim to determine whether a particular data record was used in the training dataset of a machine learning model. This can be a privacy concern if the training data contains sensitive information.
- Example: An attacker might test an AI health diagnostic tool with specific patient data. If the model’s predictions are unusually accurate or certain, it might indicate that the patient’s data was part of the training set, potentially revealing sensitive health information.
Training Data Extraction:
- Detail: Here, the attacker aims to extract actual data points from the training dataset of the AI model. This can be achieved by analyzing the model’s responses to various inputs.
- Example: An attacker could interact with a language model trained on confidential documents and, through carefully crafted queries, could cause the model to regurgitate snippets of these confidential texts.
Reconstruction Attacks:
- Detail: Similar to model inversion, this attack focuses on reconstructing the input data, often in a detailed and high-fidelity manner. This is particularly feasible in models that retain a lot of information about their training data.
- Example: In a generative model trained to produce images based on descriptions, an attacker might find a way to input specific prompts that cause the model to generate images closely resembling those in the training set, potentially revealing private or sensitive imagery.
Property Inference Attacks:
- Detail: These attacks aim to infer properties or characteristics of the training data that the model was not intended to reveal. This could expose sensitive attributes or trends in the data.
- Example: An attacker might analyze the output of a model used for employee performance evaluations to infer unprotected characteristics of the employees (like gender or race), which could be used for discriminatory purposes.
Model Stealing or Extraction:
- Detail: In this case, the attacker aims to replicate the functionality of a proprietary AI model. By querying the model extensively and observing its outputs, the attacker can create a similar model without access to the original training data.
- Example: A competitor could use the public API of a machine learning model to systematically query it and use the responses to train a new model that mimics the original, effectively stealing the intellectual property.

SEGMENTING ATTACKS

Attacks on AI systems, including ChatGPT and other generative AI models, can be further categorized based on the stage of the learning process they target (training or inference) and the attacker’s knowledge and access level (white-box or black-box). Here’s a breakdown:

BY LEARNING STAGE:

Attacks during Training Phase:
- Data Poisoning: Injecting malicious data into the training set to compromise the model’s learning process.
- Backdoor Attacks: Embedding hidden functionalities in the model during training that can be activated by specific inputs.
Attacks during Inference Phase:
- Adversarial Attacks: Presenting misleading inputs to trick the model into making errors during its operation.
- Model Inversion and Reconstruction Attacks: Attempting to infer or reconstruct input data from the model’s outputs.
- Membership Inference Attacks: Determining whether specific data was used in the training set by observing the model’s behavior.
- Property Inference Attacks: Inferring properties of the training data not intended to be disclosed.
- Output Manipulation: Altering the model’s output after it has been generated but before it reaches the intended recipient.

BY ATTACKER’S KNOWLEDGE AND ACCESS:

White-Box Attacks (Attacker has full knowledge and access):
- Model Tampering: Directly altering the model’s parameters or structure.
- Backdoor Attacks: Implanting a backdoor during the model’s development, which the attacker can later exploit.
- These attacks require deep knowledge of the model’s architecture, parameters, and potentially access to the training process.
Black-Box Attacks (Attacker has limited or no knowledge and access):
- Adversarial Attacks: Creating input samples designed to be misclassified or misinterpreted by the model.
- Model Inversion and Reconstruction Attacks: These do not require knowledge of the model’s internal workings.
- Membership and Property Inference Attacks: Based on the model’s output to certain inputs, without knowledge of its internal structure.
- Training Data Extraction: Extracting information about the training data through extensive interaction with the model.
- Model Stealing or Extraction: Replicating the model’s functionality by observing its inputs and outputs.

IMPLICATIONS:

Training Phase Attacks often require insider access or a significant breach in the data pipeline, making them less common but potentially more devastating.
Inference Phase Attacks are more accessible to external attackers as they can often be executed with minimal access to the model.
White-Box Attacks are typically more sophisticated and require a higher level of access and knowledge, often limited to insiders or through major security breaches.
Black-Box Attacks are more common in real-world scenarios, as they can be executed with limited knowledge about the model and without direct access to its internals.

Understanding these categories helps in devising targeted defense strategies for each type of attack, depending on the specific vulnerabilities and operational stages of the AI system.

3 different ways cyber criminals are using ChatGPT to conduct new cyber attacks

HACKING CHATGPT

The ChatGPT AI model, like any advanced machine learning system, is potentially vulnerable to various attacks, including privacy and integrity attacks. Let’s explore how these attacks could be or have been used against ChatGPT, focusing on the privacy attacks mentioned earlier:

Model Inversion Attacks:
- Potential Use Against ChatGPT: An attacker might attempt to use ChatGPT’s responses to infer details about the data it was trained on. For example, if ChatGPT consistently provides detailed and accurate information about a specific, less-known topic, it could indicate the presence of substantial training data on that topic, potentially revealing the nature of the data sources used.
Membership Inference Attacks:
- Potential Use Against ChatGPT: This type of attack could try to determine if a particular text or type of text was part of ChatGPT’s training data. By analyzing the model’s responses to specific queries, an attacker might guess whether certain data was included in the training set, which could be a concern if the training data included sensitive or private information.
Training Data Extraction:
- Potential Use Against ChatGPT: Since ChatGPT generates text based on patterns learned from its training data, there’s a theoretical risk that an attacker could manipulate the model to output segments of text that closely resemble or replicate parts of its training data. This is particularly sensitive if the training data contained confidential or proprietary information.
Reconstruction Attacks:
- Potential Use Against ChatGPT: Similar to model inversion, attackers might try to reconstruct input data (like specific text examples) that the model was trained on, based on the information the model provides in its outputs. However, given the vast and diverse dataset ChatGPT is trained on, reconstructing specific training data can be challenging.
Property Inference Attacks:
- Potential Use Against ChatGPT: Attackers could analyze responses from ChatGPT to infer properties about its training data that aren’t explicitly modeled. For instance, if the model shows biases or tendencies in certain responses, it might reveal unintended information about the composition or nature of the training data.
Model Stealing or Extraction:
- Potential Use Against ChatGPT: This involves querying ChatGPT extensively to understand its underlying mechanisms and then using this information to create a similar model. Such an attack would be an attempt to replicate ChatGPT’s capabilities without access to the original model or training data.

Integrity attacks on AI models like ChatGPT aim to compromise the accuracy and reliability of the model’s outputs. Let’s examine how these attacks could be or have been used against the ChatGPT model, categorized by the learning stage and attacker’s knowledge:

ATTACKS DURING TRAINING PHASE (WHITE-BOX):

Data Poisoning: If an attacker gains access to the training pipeline, they could introduce malicious data into ChatGPT’s training set. This could skew the model’s understanding and responses, leading it to generate biased, incorrect, or harmful content.
Backdoor Attacks: An insider or someone with access to the training process could implant a backdoor into ChatGPT. This backdoor might trigger specific responses when certain inputs are detected, which could be used to spread misinformation or other harmful content.

ATTACKS DURING INFERENCE PHASE (BLACK-BOX):

Adversarial Attacks: These involve presenting ChatGPT with specially crafted inputs that cause it to produce erroneous outputs. For instance, an attacker could find a way to phrase questions or prompts that consistently mislead the model into giving incorrect or nonsensical answers.
Output Manipulation: This would involve intercepting and altering ChatGPT’s responses after they are generated but before they reach the user. While this is more of an attack on the communication channel rather than the model itself, it can still undermine the integrity of ChatGPT’s outputs.

IMPLICATIONS AND DEFENSE STRATEGIES:

During Training: Ensuring the security and integrity of the training data and process is crucial. Regular audits, anomaly detection, and secure data handling practices are essential to mitigate these risks.
During Inference: Robust model design to resist adversarial inputs, continuous monitoring of responses, and secure deployment architectures can help in defending against these attacks.

REAL-WORLD EXAMPLES AND CONCERNS:

To date, there haven’t been publicly disclosed instances of successful integrity attacks specifically against ChatGPT. However, the potential for such attacks exists, as demonstrated in academic and industry research on AI vulnerabilities.
OpenAI, the creator of ChatGPT, employs various countermeasures like input sanitization, monitoring model outputs, and continuously updating the model to address new threats and vulnerabilities.

In conclusion, while integrity attacks pose a significant threat to AI models like ChatGPT, a combination of proactive defense strategies and ongoing vigilance is key to mitigating these risks.

While these attack types broadly apply to all generative AI systems, the report notes that some vulnerabilities are particularly pertinent to specific AI architectures, like Large Language Models (LLMs) and Retrieval Augmented Generation (RAG) systems. These models, which are at the forefront of natural language processing, are susceptible to unique threats due to their complex data processing and generation capabilities.

The implications of these vulnerabilities are vast and varied, affecting industries from healthcare to finance, and even national security. As AI systems become more integrated into critical infrastructure and everyday applications, the need for robust cybersecurity measures becomes increasingly urgent.

The NIST report serves as a clarion call for the AI industry, cybersecurity professionals, and policymakers to prioritize the development of stronger defense mechanisms against these emerging threats. This includes not only technological solutions but also regulatory frameworks and ethical guidelines to govern the use of AI.

In conclusion, the report is a timely reminder of the double-edged nature of AI technology. While it offers immense potential for progress and innovation, it also brings with it new challenges and threats that must be addressed with vigilance and foresight. As we continue to push the boundaries of what AI can achieve, ensuring the security and integrity of these systems remains a paramount concern for a future where technology and humanity can coexist in harmony.

ChatGPT FOR CYBERSECUITY: The Ultimate Weapon Against Hackers

Comments (1)

Jan 06 2024

Red Team Guide

Category: Information Security,Pen Test — disc7 @ 9:59 am

Red Team Guide by Hadess

Red-team-guide-by-hadess Download

RTFM – Red Team Field Manual

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Red team, Rtfm

Comments (0)

Jan 04 2024

15 open-source cybersecurity tools you’ll wish you’d known earlier

Category: Open Network,Security Tools — disc7 @ 4:33 pm

15 open-source cybersecurity tools you’ll wish you’d known earlier

Open-source tools represent a dynamic force in the technological landscape, embodying innovation, collaboration, and accessibility. These tools, developed with transparency and community-driven principles, allow users to scrutinize, modify, and adapt solutions according to their unique needs.

In cybersecurity, open-source tools are invaluable assets, empowering organizations to fortify their defenses against evolving threats.

In this article, you will find a list of open-source cybersecurity tools that you should definitely check out.

Nemesis: Open-source offensive data enrichment and analytic pipeline

Nemesis is a centralized data processing platform that ingests, enriches, and performs analytics on offensive security assessment data (i.e., data collected during penetration tests and red team engagements).

SessionProbe: Open-source multi-threaded pentesting tool

SessionProbe is a multi-threaded pentesting tool designed to evaluate user privileges in web applications.

Mosint: Open-source automated email OSINT tool

Mosint is an automated email OSINT tool written in Go designed to facilitate quick and efficient investigations of target emails. It integrates multiple services, providing security researchers with rapid access to a broad range of information.

Vigil: Open-source LLM security scanner

Vigil is an open-source security scanner that detects prompt injections, jailbreaks, and other potential threats to Large Language Models (LLMs).

AWS Kill Switch: Open-source incident response tool

AWS Kill Switch is an open-source incident response tool for quickly locking down AWS accounts and IAM roles during a security incident.

PolarDNS: Open-source DNS server tailored for security evaluations

PolarDNS is a specialized authoritative DNS server that allows the operator to produce custom DNS responses suitable for DNS protocol testing purposes.

k0smotron: Open-source Kubernetes cluster management

Open-source solution k0smotron is enterprise-ready for production-grade Kubernetes cluster management with two support options.

Kubescape 3.0 elevates open-source Kubernetes security

Targeted at the DevSecOps practitioner or platform engineer, Kubescape, the open-source Kubernetes security platform has reached version 3.0.

Logging Made Easy: Free log management solution from CISA

CISA launched a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free.

GOAD: Vulnerable Active Directory environment for practicing attack techniques

Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods.

Wazuh: Free and open-source XDR and SIEM

Wazuh is an open-source platform designed for threat detection, prevention, and response. It can safeguard workloads in on-premises, virtual, container, and cloud settings.

Yeti: Open, distributed, threat intelligence repository

Yeti serves as a unified platform to consolidate observables, indicators of compromise, TTPs, and threat-related knowledge. It enhances observables automatically, such as domain resolution and IP geolocation, saving you the effort.

BinDiff: Open-source comparison tool for binary files

BinDiff is a binary file comparison tool to find differences and similarities in disassembled code quickly.

LLM Guard: Open-source toolkit for securing Large Language Models

LLM Guard is a toolkit designed to fortify the security of Large Language Models (LLMs). It is designed for easy integration and deployment in production environments.

Velociraptor: Open-source digital forensics and incident response

Ve l ociraptor is a sophisticated digital forensics and incident response tool designed to improve your insight into endpoint activities.

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Open Source Intelligence Methods and Tools, Open-Source Tools

Comments (0)

Jan 04 2024

Google Chrome Use After Free Flaw Let Attacker Hijack Browser

Category: Cyber Attack,Information Security,Web Security — disc7 @ 10:26 am

Google Chrome Use After Free Flaw Let Attacker Hijack Browser

The latest stable channel update for Google Chrome, version 120.0.6099.199 for Mac and Linux and 120.0.6099.199/200 for Windows, is now available and will shortly be rolled out to all users.

Furthermore, the Extended Stable channel has been updated to 120.0.6099.200 for Windows and 120.0.6099.199 for Mac.

There are six security fixes in this release. Three of these flaws allowed an attacker to take control of a browser through use-after-free conditions.

Use-after-free is a condition in which the memory allocation is freed, but the program does not clear the pointer to that memory. This is due to incorrect usage of dynamic memory allocation during an operation.

CVE-2024-0222: Use After Free In ANGLE

Use after free in ANGLE in Google Chrome presents a high-severity vulnerability that might have led to a remote attacker compromising the renderer process and using a crafted HTML page to exploit heap corruption.

Google awarded $15,000 to Toan (suto) Pham of Qrious Secure for reporting this vulnerability.

CVE-2024-0223: Heap Buffer Overflow In ANGLE

This high-severity flaw was a heap buffer overflow in ANGLE that could have been exploited by a remote attacker using a crafted HTML page to cause heap corruption.

Toan (suto) Pham and Tri Dang of Qrious Secure received a $15,000 reward from Google for discovering this vulnerability.

CVE-2024-0224: Use After Free In WebAudio

A high-severity use after free in WebAudio in Google Chrome might potentially allow a remote attacker to exploit heap corruption through a manipulated HTML page.

Google awarded Huang Xilin of Ant Group Light-Year Security Lab a $10,000 reward for finding this issue.

CVE-2024-0225: Use After Free In WebGPU

A remote attacker may have been able to exploit heap corruption through a specifically designed HTML page due to high severity vulnerability in Google’s use after free in WebGPU.

The details about the reporter of this vulnerability were mentioned as anonymous.

The use after free conditions existed in Google Chrome before version 120.0.6099.199. To avoid exploiting these vulnerabilities, Google advises users to update to the most recent version of Google Chrome.

How To Update Google Chrome

Open Chrome.
At the top right, click More.
Click Help About Google Chrome.
Click Update Google Chrome. Important: If you can’t find this button, you’re on the latest version.
Click Relaunch.

Browser Security Platform Checklist

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Google Chrome

Comments (0)

Jan 03 2024

Malware using google exploit maintain access

Category: Information Security,Malware,Password Security — disc7 @ 7:38 am

Information stealing malware are actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

A reverse engineering of the Lumma Stealer code has revealed that the technique targets the “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.

Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

When the user is logged in with the browser, in which case the token can be used any number of times.
When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.
If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, which will be regenerated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”

“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”

(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)

The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: MultiLogin Exploit

Comments (0)

Jan 02 2024

Hackers Attack UK’s Nuclear Waste Services Through LinkedIn

Category: Cyber Attack,Hacking — disc7 @ 10:48 am

Hackers Attack UK’s Nuclear Waste Services Through LinkedIn

Fortunately for Radioactive Waste Management (RWM), the first-of-its-kind hacker attack on the project was unsuccessful.

The United Kingdom’s Radioactive Waste Management (RWM) company overseeing the nation’s radioactive waste has revealed a recent cyberattack attempt through LinkedIn. While the attack was reportedly unsuccessful, it has raised eyebrows in the nuclear sector, sparking concerns about the security of critical nuclear infrastructure.

As reported by The Guardian, the hackers directed their attack at the company through LinkedIn. However, whether it was a phishing attack or an attempt to trick employees into installing malware on the system, the modus operandi remains unknown.

Typically, LinkedIn is exploited for phishing scams targeting employees of specific companies. An example from last year involves ESET researchers reporting a cyberespionage campaign by North Korean government-backed hackers from the Lazarus group. The campaign specifically targeted employees at a Spanish aerospace firm.

The RWM is spearheading the £50bn Geological Disposal Facility (GDF) project, aimed at constructing a substantial underground nuclear waste repository in Britain. As a government-owned entity, RWM facilitated the merger of three nuclear bodies—the GDF project, the Low-Level Waste Repository, and another waste management entity—to establish Nuclear Waste Services (NWS).

“NWS has seen, like many other UK businesses, that LinkedIn has been used as a source to identify the people who work within our business. These attempts were detected and denied through our multi-layered defences,” stated an NWS spokesperson.

However, the incident raises concerns, as experts warn that social media platforms such as LinkedIn are becoming preferred playgrounds for hackers. These platforms provide multiple avenues for infiltration, including the creation of fake accounts, phishing messages, and direct credential theft.

The FBI’s special agent in charge of the San Francisco and Sacramento field offices, Sean Ragan, has emphasized the ‘significant threat’ of fraudsters exploiting LinkedIn to lure users into cryptocurrency investment schemes, citing numerous potential victims and past and current cases.

In October 2023, email security firm Cofense discovered a phishing campaign abusing Smart Links, part of the LinkedIn Sales Navigator and Enterprise service, to send authentic-looking emails, steal payment data, and bypass email protection mechanisms.

In November 2023, a LinkedIn database containing over 35 million users’ personal information was leaked by a hacker named USDoD, who previously breached the FBI’s InfraGard platform. The database was obtained through web scraping, an automated process to extract data from websites.

Social engineering attacks, such as deceptive emails and malicious links, offer hackers a gateway to sensitive information. LinkedIn has taken steps to warn users about potential scams and provide resources for staying safe online. Still, concerns about digital security remain prevalent in the nuclear industry, especially after the Guardian exposé of cybersecurity vulnerabilities at the Sellafield plant.

In 2023, the Sellafield nuclear site in Cumbria experienced cybersecurity issues, indicating a need for improved safeguards and tighter regulations. The RWM incident highlights the growing interest of cybercrime syndicates to target nuclear sites.

The NWS acknowledges the need for continuous improvement to strengthen cybersecurity measures, highlighting that emergency response plans must match evolving business needs.

Cyber Threats and Nuclear Weapons

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber Threats and Nuclear Weapons, UK’s Nuclear Waste Services

Comments (0)

Dec 29 2023

New Medusa Stealer Attacking Users To Steal Login Credentials

Category: Cyber Attack,Password Security — disc7 @ 9:24 am

New Medusa Stealer Attacking Users to Steal Login Credentials

While the world celebrated Christmas, the cybercrime underworld feasted on a different kind of treat: the release of Meduza 2.2, a significantly upgraded password stealer poised to wreak havoc on unsuspecting victims.

Cybersecurity researchers at Resecurity uncovered the details of New Medusa Stealer malware.

Resecurity is a cybersecurity company specializing in endpoint protection, risk management, and cyber threat intelligence.

Translation:
Attention! The New Year’s Update
Before the New Year 2024, the Meduza team decided to please customers with an update. Under the Christmas tree, you can find great gifts such as significant improvements in user interface (panel), modal windows on loading, and expansion of data collection objects

A Feast Of Features

Meduza 2.2 boasts a veritable buffet of enhancements, including:

Expanded Software Coverage: The stealer now targets over 100 browsers, 100 cryptocurrency wallets, and a slew of other applications like Telegram, Discord, and password managers. This broader reach increases its potential for victimization.
Enhanced Credential Extraction: Meduza 2.2 digs deeper, grabbing data from browser local storage dumps, Windows Credential Manager, and Windows Vault, unlocking a treasure trove of sensitive information.
Google Token Grabber: This new feature snags Google Account tokens, allowing attackers to manipulate cookies and gain access to compromised accounts.
Improved Crypto Focus: Support for new browser-based cryptocurrency wallets like OKX and Enrypt, along with Google Account token extraction, makes Meduza a potent tool for financial fraud.
Boosted Evasion: The stealer boasts an optimized crypting stub and improved AV evasion techniques, making it harder to detect and remove.

These advancements position Meduza as a serious competitor to established players like Azorult and Redline Stealer.

Its flexible configuration, wide application coverage, and competitive pricing ($199 per month) make it an attractive option for cybercriminals of all skill levels.

A Recipe For Trouble

The consequences of Meduza’s widespread adoption are grim.

Account Takeovers (ATOs): Stolen credentials can be used to hijack email accounts, social media profiles, bank accounts, and other online services.
Online Banking Theft: Financial data gleaned from infected machines can be used to drain bank accounts and initiate fraudulent transactions.
Identity Theft: Sensitive information like names, addresses, and Social Security numbers can be exploited for identity theft and financial fraud.

To combat this growing threat, individuals and organizations must:

Practice strong password hygiene: Use unique, complex passwords for all accounts and enable two-factor authentication where available.
Beware of phishing scams: Don’t click on suspicious links or download attachments from unknown sources.
Keep software up to date: Regularly update operating systems, applications, and security software to patch vulnerabilities.
Invest in robust security solutions: Implement comprehensive security solutions that can detect and block malware like Meduza.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Medusa Stealer

Comments (0)

Dec 28 2023

Chinese Hackers Exploit New Zero-Day In Barracuda’s ESG To Deploy Backdoor

Category: cyber security,Information Security,Zero day — disc7 @ 12:56 pm

Chinese Hackers Exploit New Zero-Day in Barracuda’s ESG to Deploy Backdoor

Barracuda Email Security Gateway (ESG) Appliance has been discovered with an Arbitrary code Execution vulnerability exploited by a China Nexus threat actor tracked as UNC4841.

Additionally, the vulnerability targeted only a limited number of ESG devices.

However, Barracuda has deployed a security update to all the active ESGs to address this vulnerability, and has been automatically applied to all the devices, which does not require any action from the user.

The new vulnerability has been assigned to CVE-2023-7102, and the severity is yet to be categorized.

Chinese Hackers Exploit New Zero-Day

This vulnerability exists due to using a third-party library, “Spreadsheet::ParseExcel,” in the Barracuda ESG appliances.

This open-source third-party library is vulnerable to arbitrary code execution that can be exploited by sending a specially crafted Excel email attachment to the affected device.

The Chinese Nexus threat actors have been using this vulnerability to deploy new variants of SEASPY and SALTWATER malware to the affected devices.

However, Barracuda has patched these vulnerabilities accordingly. Moreover, Barracuda stated, “Barracuda has filed CVE-2023-7102 about Barracuda’s use of Spreadsheet::ParseExcel which has been patched”.

Another vulnerability, CVE-2023-7101, affected the same spreadsheet: ParseExcel, and no patches or updates were available.

Nevertheless, both of these vulnerabilities were associated with a previously discovered vulnerability, CVE-2023-2868, that was exploited by the same threat group in May and June 2023.

Furthermore, a complete report about these vulnerabilities, along with additional information, has been published, which provides detailed information about this vulnerability and the previously discovered vulnerabilities.

Indicators Of Compromise

Malware	MD5 Hash	SHA256	File Name(s)	File Type
CVE-2023-7102 XLS Document	2b172fe3329260611a9022e71acdebca	803cb5a7de1fe0067a9eeb220dfc24ca56f3f571a986180e146b6cf387855bdd	ads2.xls	xls
CVE-2023-7102 XLS Document	e7842edc7868c8c5cf0480dd98bcfe76	952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd	don.xls	xls
CVE-2023-7102 XLS Document	e7842edc7868c8c5cf0480dd98bcfe76	952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd	personalbudget.xls	xls
SEASPY	7b83e4bd880bb9d7904e8f553c2736e3	118fad9e1f03b8b1abe00529c61dc3edf da043b787c9084180d83535b4d177b7	wifi-service	x-executable
SALTWATER	d493aab1319f10c633f6d223da232a27	34494ecb02a1cccadda1c7693c45666e1 fe3928cc83576f8f07380801b07d8ba	mod_tll.so	x-sharedlib

Network IOCs

IP Address	ASN	Location
23.224.99.242	40065	US
23.224.99.243	40065	US
23.224.99.244	40065	US
23.224.99.245	40065	US
23.224.99.246	40065	US
23.225.35.234	40065	US
23.225.35.235	40065	US
23.225.35.236	40065	US
23.225.35.237	40065	US
23.225.35.238	40065	US
107.148.41.146	398823	US

Tiger Trap: America’s Secret Spy War with China

21st Century Chinese Cyberwarfare

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: 21st Century Chinese Cyberwarfare, cyber security, Tiger trap, zero-day

Comments (0)

Dec 27 2023

EXPERTS ANALYZED ATTACKS AGAINST POORLY MANAGED LINUX SSH SERVERS

Category: Cyber Attack,Linux Security — disc7 @ 8:07 am

Experts analyzed attacks against poorly managed Linux SSH servers

Researchers warn of attacks against poorly managed Linux SSH servers that mainly aim at installing DDoS bot and CoinMiner.

Researchers at AhnLab Security Emergency Response Center (ASEC) are warning about attacks targeting poorly managed Linux SSH servers, primarily focused on installing DDoS bots and CoinMiners.

In the reconnaissance phase, the threat actors perform IP scanning to look for servers with the SSH service, or port 22 activated, then launch a brute force or dictionary attack to obtain the ID and password.

Threat actors can also install malware to scan, perform brute force attacks, and sell breached IP and account credentials on the dark web.

Common malware used in attacks against poorly managed Linux SSH servers include ShellBot [1][2], Tsunami [3], ChinaZ DDoS Bot [4], and XMRig CoinMiner [5].

Once successfully logged in, the threat actor first executed the following command to check the total number of CPU cores.

> grep -c ^processor /proc/cpuinfo

“The execution of this command signifies that the threat actor has obtained the account credentials. Afterward, the threat actor logged in again using the same account credentials and downloaded a compressed file.” reads the analysis published by ASEC. “The compressed file contains a port scanner and an SSH dictionary attack tool. Additionally, commands accidentally typed by the threat actor can be seen, such as “cd /ev/network” and “unaem 0a”.”

These researchers believe that the tools employed in the attacks are based on the ones that have been created by the PRG old Team. Each threat actor created its custom version of the tools by modifying them.

The researchers recommend administrators should use strong passwords that are difficult to guess and change them periodically. These measures should protect the Linux SSH servers from brute force attacks and dictionary attacks. The experts also recommend updating to the latest patch to prevent attacks exploiting known vulnerabilities.

“Administrators should also use security programs such as firewalls for servers that are accessible from the outside to restrict access from threat actors. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.” concludes the report.

Mastering Linux Security and Hardening: A practical guide to protecting your Linux system from cyber attacks

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SSH SERVERS

Comments (0)

Dec 26 2023

Tackling cloud security challenges head-on

Category: Cloud computing — disc7 @ 8:22 am

Tackling cloud security challenges head-on

Cloud security is a critical aspect of modern computing, as businesses and individuals increasingly rely on cloud services to store, process, and manage data. Cloud computing offers numerous benefits, including scalability, flexibility, and cost efficiency, but it also introduces unique security challenges that need to be addressed to ensure the confidentiality, integrity, and availability of sensitive information.

In this Help Net Security round-up, we present segments from previously recorded videos in which security experts share their insights and experiences, shedding light on critical aspects of cloud security.

Complete videos

Paul Calatayud, CISO at Aqua Security, talks about cloud native security and the problem with the lack of understanding of risks to this environment.
Jane Wong, VP of Security Products at Splunk, talks about challenges organizations are facing to secure their multicloud environments.
Keith Nakasone, Federal Strategist at VMware, discusses how government agencies can scale the use of multicloud environments for mission success.
Dimitri Sirota, CEO at BigID, discusses how companies are unprepared to deal with the unique challenges of securing data in the cloud.
Andrew Slater, Practice Director – Cloud at Node4, talks about how organizations have encountered challenges in getting the final 20-30% of their production workloads into public cloud environments and addresses the cybersecurity implications.

Cloud Security Career Handbook: A beginner’s guide to starting and succeeding in Cloud Security

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: cloud security, Cloud Security Career

Comments (0)

Dec 22 2023

Building A Network Security Strategy: Complete Checklist To Protect Your Network

Category: Network security — disc7 @ 10:13 am

Building a Network Security Strategy: Complete Checklist To Protect Your Network

Whether you’re a large or small business, network security is something you can’t ignore.

Threat actors can and will, infiltrate businesses of any size wreaking havoc on computer systems, maliciously encrypting data, and in some cases completely destroying a company’s ability to stay in business.

While the latter situation isn’t that common, there have been several recent instances where poor network security has led to significant security breaches.

Consider the Uber breach QAwZ from September 2022, where an MFA fatigue attack led to a breach of Uber’s systems.

A similar attack led to a breach of CISCO’s systems, and Activision ended up being hacked after an SMS phishing attack, which reportedly led to a significant data breach of Activision’s IP and employee data.

These breaches signal the need for better network security practices, and they also show how single security measures are not enough.

All of the breaches mentioned above happened because of a weakness in each company’s MFA practices, but they could’ve been mitigated by other security measures including zero trust granular access rules.

Organizations of all sizes need a network security strategy with modern, cloud-based tools and technologies to stay secure:

Single Sign-On (SSO) with Multi-Factor Authentication (MFA)
Zero Trust Network Access
Malware Protection
Web Filtering

Single Sign-On (SSO) With Multi-Factor Authentication (MFA)

Before we even get to network security, organizations should deploy a Single Sign-On (SSO) identity provider with Multi-Factor Authentication (MFA) support.

SSO allows users to access multiple applications using one login.

This makes it easier for users to integrate network security practices into their daily routine without much friction, while the IT team has a much easier time keeping everyone organized.

MFA, meanwhile, adds an extra layer of security by requiring users to provide two or more pieces of evidence to prove their identity.

This is typically a username and password, followed by a one-time code, or biometric authentication such as a fingerprint or facial recognition.

Under an MFA scheme, you can require just a second authentication factor or multiple depending on the level of security you need and your threat model.

SSO with MFA also reduces the risk of password-related security incidents, such as password theft or reuse.

It also makes it harder for hackers to access your network since they have to not only steal the password but somehow obtain the second or even third factor to finally break in.

But as we mentioned at the beginning of this article there are ways to get around MFA security measures, so how do you make sure that doesn’t happen?

It starts with training and clearly defined policies that convey to employees that IT teams and outside security contractors will never ask them for their MFA security codes.

Second, you can increase the difficulty of MFA for higher privileged accounts such as a number-based challenge that requires the user to see both sets of numbers to correctly answer the MFA challenge.

Biometric measures can also be effective as long as employees understand they should never authorize an MFA request they didn’t initiate.

Zero Trust Network Access (ZTNA)

Network-security-checklist Download

Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Network Security Strategy

Comments (0)

Dec 21 2023

HOW TO SEND SPOOF EMAILS FROM DOMAINS THAT HAVE SPF AND DKIM PROTECTIONS?

Category: Email Security — disc7 @ 8:57 am

How to send spoof emails from domains that have SPF and DKIM protections?

SMTP stands for Simple Mail Transfer Protocol. It’s a protocol used for sending emails across the Internet. SMTP operates on a push model, where the sending server pushes the email to a receiving server or an intermediary mail server. Here are some basic concepts associated with SMTP:

Sending and Receiving Servers: SMTP involves at least two servers: the sending mail server and the receiving mail server. The sending server initiates the process.
SMTP Ports: Commonly, SMTP uses port 25 for non-encrypted communication and port 587 for encrypted communication (STARTTLS). Some servers also use port 465 for SSL/TLS encrypted communication.
SMTP Commands and Responses: SMTP communication is based on commands and responses. Common commands include HELO (or EHLO for Extended SMTP), MAIL FROM to specify the sender, RCPT TO for the recipient, and DATA for the body of the email. Responses from the server indicate success or failure of these commands.
MIME (Multipurpose Internet Mail Extensions): Although SMTP is limited to sending text, MIME standards enable SMTP to send other types of data like images, audio, and video by encoding them into text format.
SMTP Authentication: This is used to authenticate a user who wants to send an email. It helps in preventing unauthorized access to the email server.
SMTP Relay: This refers to the process of transferring an email from one server to another. When an SMTP server forwards an email to another server for further delivery, it’s called relaying.
SMTP in Email Clients: Email clients (like Outlook, Thunderbird) use SMTP to send emails. These clients require configuration of SMTP settings (server address, port, authentication) to send emails.
Limitations and Security: SMTP itself does not encrypt email content; it relies on other protocols (like SSL/TLS) for security. Also, SMTP does not inherently include strong mechanisms to authenticate the sender, which has led to issues like spam and phishing.
Interaction with Other Protocols: SMTP is typically used alongside POP3 or IMAP, which are protocols used for retrieving emails from a mail server.
Use in Modern Email Systems: Despite its age, SMTP remains a fundamental part of the email infrastructure in the Internet and is used in virtually all email systems today.

SMTP SMUGGLING

SMTP Smuggling refers to a technique used in network security to bypass security measures by exploiting vulnerabilities in the Simple Mail Transfer Protocol (SMTP). SMTP is the standard protocol used for sending emails across the Internet. Smuggling in this context typically involves manipulating the SMTP conversation in a way that allows an attacker to inject malicious commands or payloads into an email message. These payloads might be overlooked by security systems that are not properly configured to handle anomalous SMTP traffic.

There are several ways SMTP smuggling can be executed:

Command Injection: By inserting additional SMTP commands into message fields (like the ‘MAIL FROM’ or ‘RCPT TO’ fields), an attacker might trick a server into executing commands it shouldn’t.
CRLF Injection: SMTP commands are typically separated by a carriage return and line feed (CRLF). If an attacker can inject CRLF sequences into a message, they might be able to append additional commands or modify the behavior of the email server.
Content Smuggling: This involves hiding malicious content within an email in a way that evades detection by security systems, which might scan emails for known threats.

Email authentication mechanisms

Email authentication mechanisms like SPF, DKIM, and DMARC are crucial in the fight against email spoofing and phishing. They help verify the authenticity of the sender and ensure the integrity of the message. Here’s a basic overview of each:

1. SPF (SENDER POLICY FRAMEWORK)

Purpose: SPF is used to prevent sender address forgery. It allows the domain owner to specify which mail servers are permitted to send email on behalf of their domain.
How It Works: The domain owner publishes SPF records in their DNS. These records list the authorized sending IP addresses. When an email is received, the receiving server checks the SPF record to verify that the email comes from an authorized server.
Limitations: SPF only checks the envelope sender (return-path) and not the header (From:) address, which is often what the recipient sees.

2. DKIM (DOMAINKEYS IDENTIFIED MAIL)

Purpose: DKIM provides a way to validate a domain name identity that is associated with a message through cryptographic authentication.
How It Works: The sending server attaches a digital signature linked to the domain to the header of the email. The receiving server then uses the sender’s public key (published in their DNS) to verify the signature.
Advantages: DKIM verifies that parts of the email (including attachments) have not been altered in transit.

3. DMARC (DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING, AND CONFORMANCE)

Purpose: DMARC builds on SPF and DKIM. It allows the domain owner to specify how an email that fails SPF and DKIM checks should be handled.
How It Works: DMARC policies are published in DNS. These policies instruct the receiving server what to do with mail that doesn’t pass SPF or DKIM checks (e.g., reject the mail, quarantine it, or pass it with a note).
Benefits: DMARC also includes reporting capabilities, letting senders receive feedback on how their email is being handled.

COMBINED EFFECTIVENESS

Complementary Roles: SPF, DKIM, and DMARC work together to improve email security. SPF validates the sending server, DKIM validates the message integrity, and DMARC tells receivers what to do if the other checks fail.
Combat Spoofing and Phishing: By using these mechanisms, organizations can significantly reduce the risk of their domains being used for email spoofing and phishing attacks.
Adoption and Configuration: Proper configuration of these protocols is critical. Misconfiguration can lead to legitimate emails being rejected or marked as spam.

IMPLEMENTATION

DNS Records: All three require DNS records to be set up. SPF and DMARC are text records, while DKIM uses a TXT record for the public key.
Email Servers and Services: Many email services and servers support these protocols, but they usually require manual setup and configuration by the domain administrator.

Overall, SPF, DKIM, and DMARC are essential tools in the email administrator’s toolkit for securing email communication and protecting a domain’s reputation.

In a groundbreaking discovery, Timo Longin, in collaboration with the SEC Consult Vulnerability Lab, has unveiled a novel exploitation technique in the realm of email security. This technique, known as SMTP smuggling, poses a significant threat to global email communication by allowing malicious actors to send spoofed emails from virtually any email address.

Discovery of SMTP Smuggling: The concept of SMTP smuggling emerged from a research project led by Timo Longin, a renowned figure in the cybersecurity community known for his work on DNS protocol attacks. This new technique exploits differences in how SMTP servers interpret protocol rules, enabling attackers to bypass standard email authentication methods like SPF (Sender Policy Framework).

How SMTP Smuggling Works: SMTP smuggling operates by exploiting the interpretation differences of the SMTP protocol among various email servers. This allows attackers to ‘smuggle’ or send spoofed emails that appear to originate from legitimate sources, thereby passing SPF alignment checks. The research identified two types of SMTP smuggling: outbound and inbound, affecting millions of domains and email servers.

TECHNICAL INSIGHTS: UNDERSTANDING SMTP SMUGGLING IN DEPTH

SMTP Smuggling Exploited: SMTP smuggling takes advantage of discrepancies in how different email servers interpret the SMTP protocol. Specifically, it targets the end-of-data sequence, which signifies the end of an email message. In a standard SMTP session, this sequence is represented by a line with only a period (.) character, preceded by a carriage return and a line feed (<CR><LF>.<CR><LF>). However, variations in interpreting this sequence can lead to vulnerabilities.

Outbound and Inbound Smuggling: The research identified two types of SMTP smuggling: outbound and inbound. Outbound smuggling involves sending emails from a compromised server, while inbound smuggling pertains to receiving emails on a server that misinterprets the end-of-data sequence. Both types can be exploited to send spoofed emails that appear to come from legitimate sources.

EXPLOITING SPF ALIGNMENT CHECKS:

The concept of “Exploiting SPF Alignment Checks” in the context of SMTP smuggling revolves around manipulating the Sender Policy Framework (SPF) checks to send spoofed emails. SPF is an email authentication method designed to prevent sender address forgery. Here’s a detailed explanation of how SPF alignment checks can be exploited through SMTP smuggling:

UNDERSTANDING SPF:

SPF Basics: SPF allows domain owners to specify which mail servers are permitted to send emails on behalf of their domain. This is done by publishing SPF records in DNS. When an email is received, the recipient server checks the SPF record to verify if the email comes from an authorized server.
SPF Check Process: The SPF check typically involves comparing the sender’s IP address (found in the SMTP envelope) against the IP addresses listed in the domain’s SPF record. If the IP address matches one in the SPF record, the email passes the SPF check.

EXPLOITATION THROUGH SMTP SMUGGLING:

Manipulating the ‘MAIL FROM’ Address: In SMTP smuggling, attackers manipulate the ‘MAIL FROM’ address in the SMTP envelope. This address is used for SPF validation. By carefully crafting this address, attackers can pass the SPF check even when sending from an unauthorized server.
Discrepancy between ‘MAIL FROM’ and ‘From’ Header: There’s often a discrepancy between the ‘MAIL FROM’ address in the SMTP envelope (used for SPF checks) and the ‘From’ header in the email body (which the recipient sees). SMTP smuggling exploits this by setting the ‘MAIL FROM’ address to a domain that passes the SPF check, while the ‘From’ header is spoofed to appear as if the email is from a different, often trusted, domain.
Bypassing SPF Alignment: The key to this exploitation is the difference in how various mail servers interpret and process SMTP protocol rules. By smuggling in additional commands or data, attackers can make an email appear to come from a legitimate source, thus bypassing SPF alignment checks.
Consequences: This exploitation can lead to successful phishing attacks, as the email appears to be from a trusted source, despite being sent from an unauthorized server. Recipients are more likely to trust and act upon these emails, leading to potential security breaches.

TECHNICAL EXPERIMENTATION

The “Technical Experimentation” aspect of the SMTP smuggling research conducted by SEC Consult involved a series of methodical tests and analyses to understand how different email servers handle SMTP protocol, particularly focusing on the end-of-data sequence.

Split Tunnel SMTP Exploit Allows an Attacker to Inject Payloads Into Email Servers

OBJECTIVE OF THE EXPERIMENTATION:

The primary goal was to identify discrepancies in how outbound (sending) and inbound (receiving) SMTP servers interpret the SMTP protocol, especially the end-of-data sequence. This sequence is crucial as it signifies the end of an email message.

EXPERIMENT SETUP:

Selection of Email Providers: The researchers selected a range of public email providers that support mail submissions via SMTP. This included popular services like Outlook.com, Gmail, GMX, iCloud, and others.
SMTP Analysis Server: A specialized SMTP analysis server was set up to receive emails from these providers. This server played a critical role in observing how different SMTP servers handle various SMTP commands and sequences.
SMTP Analysis Client: An SMTP analysis client was used to send emails through the outbound SMTP servers of the selected providers. This client was configured to vary the SMTP commands and sequences used in the emails.

KEY AREAS OF FOCUS:

End-of-Data Sequence Variations: The researchers experimented with different end-of-data sequences, such as <LF>.<LF> (Line Feed) instead of the standard <CR><LF>.<CR><LF> (Carriage Return, Line Feed). The goal was to see if outbound servers would process these non-standard sequences differently.
Server Responses to DATA Command: Different responses from email providers to the DATA SMTP command were observed. These responses provided insights into how each server might handle end-of-data sequences.
Operating System Differences: The experiment also considered how different operating systems interpret “a line by itself.” For example, Windows uses <CR><LF> to denote the end of a line, while Unix/Linux systems use <LF>. This difference could affect how email servers process the end-of-data sequence.

EXPERIMENT EXECUTION:

Sending Test Emails: The SMTP analysis client sent test emails through the outbound SMTP servers of the selected providers, using various end-of-data sequences.
Observing Responses: The inbound SMTP analysis server received these emails and recorded how each outbound server handled the different sequences.
Identifying Anomalies: The researchers looked for anomalies where outbound servers did not correctly interpret or filter non-standard end-of-data sequences, and inbound servers accepted them as valid.

FINDINGS:

The experimentation revealed that some SMTP servers did not conform to the standard interpretation of the SMTP protocol, particularly in handling end-of-data sequences. This non-conformity opened the door for SMTP smuggling, where attackers could insert additional SMTP commands into email content.

CASE STUDY – GMX SMTP SERVER

A notable example of SMTP smuggling was demonstrated using GMX’s SMTP server. The researchers were able to send an email with a specially crafted end-of-data sequence that the GMX server did not filter out. This allowed them to insert additional SMTP commands into the email content, which were then executed by the recipient server, effectively ‘smuggling’ malicious commands or content.

EXPLOITATION TECHNIQUE:

Manipulating End-of-Data Sequence: The researchers experimented with different end-of-data sequences, such as <LF>.<LF> instead of the standard <CR><LF>.<CR><LF>.
Observing GMX Server Response: It was observed that when a specific sequence (<LF>.<CR><LF>) was sent to the GMX outbound SMTP server, it passed this sequence unfiltered to the inbound SMTP server.

SUCCESSFUL SMTP SMUGGLING:

Breaking Out of Message Data: By using the <LF>.<CR><LF> sequence, the researchers were able to ‘break out’ of the message data at the inbound SMTP server. This meant that anything following this sequence could be interpreted as a separate SMTP command or additional email content.
Demonstration of Vulnerability: This technique allowed the researchers to effectively insert additional SMTP commands into the email content, demonstrating a successful SMTP smuggling attack.

The research team’s first successful SMTP smuggling exploit was demonstrated using GMX’s SMTP server. This breakthrough confirmed the feasibility of the technique and its potential to compromise email security on a large scale. SMTP smuggling represents a new frontier in email spoofing, challenging existing security measures and highlighting the need for continuous vigilance in the cybersecurity domain. The discovery underscores the importance of regular security audits and updates to protect against emerging threats. The discovery of SMTP smuggling has significant implications for email security. Vulnerabilities were identified in major email services, including Microsoft and GMX, which were promptly addressed. However, SEC Consult has issued a warning to organizations using Cisco Secure Email, urging them to update their configurations to mitigate this vulnerability.

TECHNICAL AND SECURITY MITIGATIONS:

Patch and Update Systems: Regularly update and patch email servers and related software. Providers should ensure their systems are up-to-date with the latest security patches that address known vulnerabilities, including those related to SMTP smuggling.
Enhance Email Authentication: Implement and enforce advanced email authentication protocols like DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). These protocols provide additional layers of verification, ensuring that the email’s sender is legitimate and that the message content hasn’t been tampered with.
Configure Email Servers Correctly: Ensure that email servers, especially those handling outbound and inbound emails, are configured correctly to handle SMTP protocol standards, particularly the end-of-data sequence. This involves strict adherence to protocol specifications to prevent any ambiguity in interpretation.
Use Advanced Email Filtering Solutions: Employ advanced email filtering solutions that can detect and block spoofed emails. These solutions often use machine learning and other advanced techniques to identify anomalies in email messages that might indicate a spoofing attempt.
Regular Security Audits: Conduct regular security audits of email infrastructure to identify and rectify potential vulnerabilities. This should include a review of server configurations, authentication mechanisms, and update protocols.

SMTP smuggling represents a significant advancement in the understanding of email protocol vulnerabilities. It challenges the existing security paradigms and calls for a reevaluation of email security strategies. As the cybersecurity community works to address these vulnerabilities, this discovery serves as a crucial reminder of the dynamic and evolving nature of cyber threats.

Phishing Dark Waters: The Offensive and Defensive Sides of Malicious

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: SPF AND DKIM, SPOOF EMAILS

Comments (0)

Dec 20 2023

The Future of DevSecOps: Emerging Trends in 2024 and Beyond

Category: DevSecOps — disc7 @ 12:21 pm

https://istari-global.com/insights/articles/future-of-devsecops-emerging-trends-2024/

In the rapidly evolving landscape of software development and cybersecurity, the integration of security planning earlier in the software development life cycle has become paramount. This practice, known as DevSecOps, has gained significant traction in recent years as businesses recognize its potential to bolster cyber defenses and ensure the security of their digital assets. As we look ahead to 2024 and beyond, it is crucial to understand the key trends that will shape the future of DevSecOps. I wanted to take a few moments to discuss the emerging trends that will drive innovation and efficiency in the field of DevSecOps, including automation, tool consolidation, infrastructure as code, remediation, and the evolution of the software bill of materials (SBOMs).

Key Trends in 2024

Automation Underpinning Innovation

Automation is at the forefront of driving operational efficiency in the field of security. In 2024, we can expect to see further advancements in automation, coupled with artificial intelligence (AI), empowering companies to streamline decision-making processes and optimize resource allocation. By leveraging automation and AI, security teams can focus on strategic initiatives, leaving operational functions to automated systems. This shift will enable organizations to respond to security threats with greater precision and agility, ultimately enhancing their cyber defenses.

The concept of “secure-by-design” will also gain additional momentum in 2024. By establishing cybersecurity standards, detecting vulnerabilities, and addressing them at the outset, organizations can prevent risks before they manifest. This transformative approach will enable businesses to innovate without unforeseen impediments, ensuring that security is an integral part of the development process from the very beginning.

Tool Consolidation

As organizations seek to incorporate security into their processes, the need for tool consolidation becomes apparent. Rather than accumulating an excessive number of tools, which can lead to inefficiencies and increased costs, businesses will opt for more streamlined security tool architectures and services. According to Gartner, 75% of organizations have already begun the process of consolidating their security tools. By merging tool-chain observability and monitoring into a single platform, companies can gain a comprehensive view of their security landscape and identify any potential blockages. This consolidation will create a more conducive environment for building and strengthening security processes.

Infrastructure as Code (IaC)

Traditional IT infrastructure management processes are often manual, resulting in increased costs and resource allocation. With the rapid growth of cloud computing and the constant release of new applications, infrastructure as code (IaC) emerges as a valuable tool. By utilizing configuration files, IaC allows for the automated management and oversight of today’s ever-evolving infrastructure. This level of abstraction frees engineers from the burden of keeping up with constant changes, maximizing the potential of cloud computing and enabling developers to allocate their time more efficiently.

Remediation

In response to the rising threat of cybercrime, organizations are shifting their focus from mere detection to proactive remediation. Rather than simply identifying security breaches, companies are increasingly investing in continuous monitoring and prompt remediation to eliminate threats. Gartner recommends that organizations be prepared to perform emergency remediation on key systems immediately following the release of security patches. To achieve this, companies must adopt intelligent and automated remediation approaches that are integrated into their processes. Prescriptive “best practices” alone will not suffice; automation is necessary to effectively address security issues in real-time.

Beyond SBOMs

The software bill of materials (SBOMs), an inventory of the codebase, has gained recognition as a game-changer in software transparency. However, in 2024, we can expect SBOMs to evolve further to meet industry standards and deliver on their promise. While SBOMs provide valuable insights into the software components used by an application, there are still obstacles to overcome. Many tools designed to automate SBOM generation lack consistency in data provision, hindering their adoption. Additionally, SBOMs have limited value in procurement decisions, as they require frequent updates to remain relevant. To establish a well-managed and secure software supply chain, additional tools such as software composition analysis and code signing will become essential. Achieving this will require industry-wide collaboration, defining best practices, and incentivizing vendors to prioritize transparency.

Security Remains Vital

Despite budget constraints and organizational restructuring, DevSecOps remains a critical area of focus for businesses. Cybersecurity risks continue to be a top concern, and DevSecOps strategies offer a cost-effective solution to mitigate these risks. However, organizations will optimize their budget allocations by investing in solutions that provide actionable results. In 2024, we can expect to see a greater emphasis on remediation, integration of security into the software development life cycle, and automation to streamline operational processes.

Conclusion

The future of DevSecOps is promising, with several key trends shaping the field in 2024 and beyond. Automation, tool consolidation, infrastructure as code, remediation, and the evolution of SBOMs will drive innovation and efficiency in the industry. As organizations strive to enhance their cyber defenses and navigate the evolving threat landscape, embracing these trends will be crucial. By staying ahead of the curve and implementing robust DevSecOps practices, businesses can ensure the security of their digital assets and maintain a competitive edge in the digital economy.

Multi-Cloud Strategy for Cloud Architects: Learn how to adopt and manage public clouds by leveraging BaseOps, FinOps, and DevSecOps

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: DevSecOps

Comments (0)

Dec 20 2023

How to Take Your Phone Off the Grid

Category: Information Security,Smart Phone — disc7 @ 9:00 am

Without a Trace: How to Take Your Phone Off the Grid

https://themarkup.org/levelup/2023/10/25/without-a-trace-how-to-take-your-phone-off-the-grid

A guide on anonymizing your phone, so you can use it without it using youBy Monique O. Madan and Wesley Callow

Hi, I’m Monique, an investigative reporter here at The Markup. There are a few key moments in my 15-year career that have led me on a quest to phone anonymity:

When a dark-tinted sedan followed me home after I published a controversial story, which led to the resignation of someone in power.

When a reader published my personal address in a virtual chatroom filled with thousands of people—the reader used my phone number to do a reverse look-up search, and found my address.

The last straw?

When the federal government traced my phone number back to me and blocked me from communicating with incarcerated people during the COVID-19 pandemic.

When I joined the team in August, my first order of business was making sure I had a secure way to connect with the people trusting me with their lives, while simultaneously keeping myself safe. I needed an off-the-grid phone.

Enter Wesley Callow, our IT support specialist.

What happens next is straight out of a scene of your favorite detective movie as he went about procuring the gear to build a phone that would protect my privacy. Just picture him in a cloak.

If I’ve learned anything from this, it’s that cash is king. And, I need a trench coat.

Step 1: Cash, Cards, and a SIM

Just think of me, Wesley, as a London Fog trench coat, collar-popped-to-perfection kind of guy. When Monique reached out, I embarked on a trip into the world of phone anonymity—a meticulous descent into the “no half measures” underworld, to borrow from the series Breaking Bad, a place where digits and data are in disguise.

First thing: In order to make an anonymous purchase, I needed cash—bank and credit cards leave too much of a trace. I drove to our local grocery store and bought some groceries for my teenage boys. This is an almost daily trip, so definitely no suspicious behavior to be spotted. I chatted up the self-checkout assistant about the boys and got an extra $60 in cash back.

When it comes to service providers, Mint Mobile emerged as a top contender, providing relative ease in activation without demanding personal details. They’re like that low-profile café where the barista doesn’t ask for your life story.

I then ventured off to two local Targets where, to my dismay, there were no Mint Mobile prepaid SIM cards. For my third attempt, I tried Best Buy.

I walked in, head down, headed to the cellphone section. Then, the prepaid carrier section. I perused the spinning display, and then, at the very bottom, there was ONE prepaid Mint Mobile SIM left! It was meant to be. For $45, I got three months of service.

I then headed to my next destination: a nearby drug store. I purchased an Apple Store gift card for $10, again using cash. (You could take an Android phone off the grid too, though, but we’re a Mac newsroom).

It was perfect. Zero people were in the store and the clerk was not chatty. I dropped the cash down, exact change—and bounced from the scene. Now I was ready.

Step 2: Wipe the Phone

I had a phone plan. Now, I needed a phone. To begin, Apple/Mac experts suggest purchasing a used, budget-friendly iPhone exclusively with cash. This method, they insist, guarantees no direct ties to one’s identity. Monique had an old phone hiding in her drawer. But first, I needed to make sure it had amnesia.

I had Monique send me her old iPhone via a box I shipped to her with a return label inside of it. Once I received it, I wiped the phone back to its factory settings and made sure there was no preexisting SIM card inside.

Then I put the phone into recovery mode, connected it to an old Mac with no Apple ID, and reformatted it again. Now, it’s double wiped for safety.

Everyone loves a fresh start, right?

Step 3: Identity

For my public Wi-Fi, I infiltrated my local Starbucks. The scent of caramel frappuccinos and whispered secrets filled the air. Here, amidst the caffeine loyal, I set up accounts with Mint, Proton Mail, and Apple. The creation of a disposable email account is essential (Proton Mail is the favored platform), followed by setting up an Apple ID (You’ll need it to download apps on your phone) with your Apple gift card. And if you’re prompted to provide a billing address? Input a random, unrelated location. You won’t ever be connecting a credit card with a real billing address anyway.

Opt for a six-digit security code—not 123456.

Using this now-naked phone, my fresh Mint Mobile SIM card, and an Apple gift card, I sought out a public space with no association to me, such as a library or café—anywhere that has communal computers and Wi-Fi, so we can activate the phone’s service. But wait, Wesley, I thought public Wi-Fi was insecure! Like all things, you have to weigh the pros and cons. The odds of being compromised on a public Wi-Fi network are low in the time it would take to set up the accounts we need, and in return, we don’t have personal location data or a personal IP address attached to those accounts.

Once your accounts are set up, turn off Wi-Fi.

For security purposes, Face ID and Touch ID are a no-go. The unanimous advice: opt for a six-digit security code. And don’t make it 123456.

Step 4: Customizing An Anonymous Device

Post-setup, disable Bluetooth. This is important because Bluetooth signals can be intercepted by third-party devices within range, and that allows hackers to access sensitive information, such as your phone’s contacts and messages. The throwaway Proton Mail email address plays another vital role, acting as the gateway to access Proton, a virtual private network (VPN) that masks all phone application traffic.

It’s like giving your phone a discreet disguise—instead of my trench coat, think Harry Potter’s invisibility cloak.

Always keep your VPN on, and routinely check that it’s working. Subsequently, any required apps should only be downloaded with the VPN engaged.

The Hard Part: Staying Anonymous

Maintaining this cloak of invisibility comes with challenges. If you find this overwhelming, we totally get it. But doing at least some of these steps will protect you—just find the balance and tradeoffs that work for you. For day-to-day usage, some golden rules emerge:

This phone should strictly be used for its principal purpose. Do not use it for casual online strolls, superfluous apps, or note storage.

Cash is essential, but getting your hands on it requires a bit of effort in this cashless society. To keep your phone off the grid, you have to repeat the same routine: take out cash and buy gift cards. You can’t use a credit or bank card.
Add more data to your SIM card and pay your phone bill with a gift card. Don’t opt into auto-renewal, since that requires that you use a credit card.
After using public Wi-Fi, go into Network Settings, and “forget” the network, so you leave no digital trail.
Never connect to your personal home Wi-Fi. Companies can match home addresses with IP addresses. If you have to use it in a pinch, afterward, go into Network Settings, and “forget” the network.
Instead of home Wi-Fi, use your phone’s data plan and Proton VPN to go online. Proton VPN will make sure your IP address is obscured.
If you’re traveling with your off-the-grid phone and a personal phone, turn Wi-Fi off on one phone, if you’re using it on the other. Or, turn off your off-the-grid phone entirely, and only turn it back on when you’re at your destination. The goal here is to prevent any overlap between which networks your phones connect to.
The final and perhaps the most vital rule: This phone should strictly be used for its principal purpose. Do not use it for casual online strolls, superfluous apps, or note storage, though I know that last one will be hard for journalists. If you must keep notes, disable any notes apps from creating a file in the cloud: Settings → Apple ID → iCloud → Apps Using iCloud → Show All.

The Takeaway

Monique here. Do you feel like you just ran a marathon after reading that? Do you need a moment to process? I sure did.

As a gritty street reporter at heart, I’ve learned true and complete anonymity isn’t easy. But in this line of work, it’s worth it. That means constantly backing up my documents and keeping a duplicate contact list elsewhere, in case my line is compromised and I need a new burner.

Wait, did I just use the word “burner”? Feels like I’m living in an episode of How to Get Away with Murder. (Hi, Viola Davis!)

Covering criminal justice, immigration, social justice, and government accountability means my cellphone is my best friend. It’s not only the first line of communication with my sources, but it’s my first line of trust. My phone hosts applications to make contact with people behind bars—oftentimes the only line the incarcerated has to the outside world. It’s the device that rings in the middle of the night from inconsolable parents who have been separated from their children at the border.

Additionally, it confidentially stores my emails and documents people send to me, and it lets me access encrypted chatrooms that help me better understand and network with the communities I cover.

In today’s hyper-connected era, the lengths some are going to preserve their phone anonymity are undeniably intricate. While not a path for everyone, this approach paints a vivid picture of the extreme measures individuals are willing to take in the name of privacy.

As for me, I keep a copy of Wesley’s guide tucked away, so I don’t forget the many, many rules of how to master this cash-gift-card-SIM-phone-wipedown operation. I want my sources—and people on the fence on whether or not to trust me—to know that I am committed to protecting their identity, privacy, and stories.

Living Off the Grid: A Teen’s Guide On How to Navigate Life Without a Cellphone

The Invisible Web: How to Stay Anonymous Online

When spyware turns phones into weapons

How a Spy in your pocket threatens the end of privacy, dignity and democracy

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Living Off the Grid, Pegasus spyware, Spyware, Stay anonymous, Take Your Phone Off the Grid

Comments (1)

« Previous Page — Next Page »

Pre-Engagement Activities

Reconnaissance

Threat Modeling

Vulnerability Analysis

Exploitation

Post-Exploitation

Analysis and Reporting

Review and Feedback

Continuous Improvement

Tools and Techniques

Ethical and Professional Conduct

Post-Engagement Activities

Documentation and Reporting

Compliance and Standards

Final Steps

Awareness and Training

1. Host Discovery

Ping&Ping Sweep:

Whois Information

2. Port Scanning

3. Banner Grabbing/OS Fingerprinting

4. Scan For Vulnerabilities

GFILanguard

Nessus

5. Draw Network Diagrams

6. Prepare Proxies

6. Document All Findings

Important Tools Used For Network Pentesting

Frameworks

Reconnaisance

Discovery

Port Scanning

Enumeration

Scanning

Password Cracking

Sniffing

MiTM Attacks

Exploitation

Affected customers warned of phishing risks

Qualys Caught Up in Scam

Avoid Being Scammed

THE EMERGING SCAM IN RANSOMWARE ATTACKS

1. THE FALSE PROMISE OF DATA DELETION

2. FAKE ‘SECURITY RESEARCHER’ SCAMS

3. THE HACK-BACK OFFERS

4. THE ILLOGICAL NATURE OF PAYING FOR DATA DELETION

5. THE ROLE OF RANSOMWARE GROUPS

APIs popularity boosts attack volume

Shadow APIs provide a defenseless path for threat actors

Security in the Cloud Is a Shared Responsibility

5 Tips to Develop Apps with Security and Efficiency

How CrowdStrike Powers Your DevSecOps Journey

INTEGRITY ATTACKS: A THREAT TO AI’S CORE

PRIVACY ATTACKS ON GENERATIVE AI

SEGMENTING ATTACKS

BY LEARNING STAGE:

BY ATTACKER’S KNOWLEDGE AND ACCESS:

IMPLICATIONS:

HACKING CHATGPT

ATTACKS DURING TRAINING PHASE (WHITE-BOX):

ATTACKS DURING INFERENCE PHASE (BLACK-BOX):

IMPLICATIONS AND DEFENSE STRATEGIES:

REAL-WORLD EXAMPLES AND CONCERNS:

Nemesis: Open-source offensive data enrichment and analytic pipeline

SessionProbe: Open-source multi-threaded pentesting tool

Mosint: Open-source automated email OSINT tool

Vigil: Open-source LLM security scanner

AWS Kill Switch: Open-source incident response tool

PolarDNS: Open-source DNS server tailored for security evaluations

k0smotron: Open-source Kubernetes cluster management

Kubescape 3.0 elevates open-source Kubernetes security

Logging Made Easy: Free log management solution from CISA

GOAD: Vulnerable Active Directory environment for practicing attack techniques

Wazuh: Free and open-source XDR and SIEM

Yeti: Open, distributed, threat intelligence repository

BinDiff: Open-source comparison tool for binary files

LLM Guard: Open-source toolkit for securing Large Language Models

Velociraptor: Open-source digital forensics and incident response

CVE-2024-0222: Use After Free In ANGLE

CVE-2024-0223: Heap Buffer Overflow In ANGLE