InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
For most small-to-medium-sized businesses (SMBs), hiring a full-time CISO is a difficult decision: suitable candidates are hard to find and expensive, yet the impact of a breach can be devastating, because many such businesses cannot absorb its costs. A vCISO provides the expertise needed to keep information security and privacy programs on track and to prepare the company to assess and analyze an incident, all at a cost-effective price.
DISC's Virtual CISO (vCISO) service helps organizations design, develop and implement information security programs based on the relevant standards and regulations. The service combines a leadership team (strategic) with a support team of security analysts (tactical) to solve the specific cybersecurity challenges of each organization.
Reasons to Consider a Virtual CISO (vCISO)
Expertise across Industries: vCISOs work with clients in many industries, exposing them to situations a CISO confined to a single industry never sees. The knowledge gained in each client environment improves the assessment of the next organization, to the benefit of every subsequent client project.
Flexibility in Unique Business Environments: vCISOs first gain a thorough understanding of each organization's business model, company culture, risk tolerance, and objectives. From there, they gain an understanding of the security risks faced by the organization. With a full view of the security landscape, the vCISO communicates the findings to help clients make the appropriate security decisions for their environment.
Efficiency with Core Competencies: a vCISO prioritizes security findings where the organization needs them most. By focusing on cybersecurity strategy and implementation, the vCISO helps the internal security team understand the controls and take on implementation responsibility, so that both staff and security leadership stay focused on their respective core competencies.
Objective Independence: vCISOs are an independent third party with an objective viewpoint and goals of helping clients make the best security decisions for their business.
Economical: DISC's vCISO programs generally cost a fraction of a full-time CISO and supporting security team. According to a salary.com report, the average salary for a CISO in California is $260,000 per year. On average, DISC's vCISO clients pay a fraction of what it would cost to hire an in-house CISO.
The most important skill of a vCISO is to translate between business and IT as a facilitator.
vCISO risk remediation approach, asked of every finding:
What is the risk to the business?
What is the likelihood of occurrence?
What is the impact if it occurs?
What is the cost of fixing, implementing or remediating, and what residual risk remains afterwards?
During the month of November, researchers at the cybersecurity firm LookingGlass examined the most significant vulnerabilities in the financial services industry in the United States.
The company examined public internet-facing assets across more than 7 million IP addresses attributed to the industry and found that a seven-year-old remote code execution vulnerability in Microsoft Windows topped the list.
According to CISA, the "Financial Services Sector includes thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions."
Reports state that the industry employs about 8 million Americans and contributes $1.5 trillion, or 7.4% of the nation's overall GDP.
Microsoft Windows and Exchange Vulnerabilities
The most frequently observed issue, seen more than 900 times in the financial sector, was a critical remote code execution vulnerability in Microsoft Windows, CVE-2015-1635, which has been public for seven years.
The flaw is a buffer overflow in the Windows HTTP protocol stack (HTTP.sys); successful exploitation lets a remote attacker execute arbitrary code with SYSTEM privileges.
The next most frequently observed was CVE-2021-31206, a remote code execution vulnerability in Microsoft Exchange Server, seen about 700 times in the U.S. financial services industry during November.
Top list of vulnerabilities in the financial services sector
"Our data holdings attribute roughly 7 million of these to the U.S. financial services sector, which includes insurance companies, rental & leasing companies, and creditors, among other subsectors," the LookingGlass researchers explain.
According to recent reports from the U.S. Department of Treasury, ransomware attacks alone cost U.S. financial institutions close to $1.2 billion in 2021, a nearly 200% increase from the year before.
In its study, the Treasury's Financial Crimes Enforcement Network (FinCEN) identified Russia as the main source of the many ransomware variants hitting the industry.
Compliance services are emerging as one of the hottest areas of cybersecurity. While compliance used to be mainly the province of large enterprises, times have changed, and it is now a day-to-day concern for a growing number of small and medium businesses.
Even when these organizations are not regulated, SMEs often aim to follow compliance and/or security frameworks, either for their own risk mitigation or to meet the standards required by their customers. The driver is often their customers' supply chain concerns and requirements. As large businesses adopt cybersecurity and compliance frameworks and agree to certain standards, they impose similar demands on their suppliers.
This is a major opportunity for virtual CISO (vCISO) providers, assuming they can broaden their offerings to encompass compliance. vCISO service providers perform a vital role in building a comprehensive cybersecurity program for their SME customers. They ensure that organizations put basic security measures in place to reduce the risk of a cyberattack and adequate safeguards to protect sensitive information. As such, those delivering vCISO services are well positioned to expand into compliance. Some have already extended their service portfolio with compliance-related services, adding value for their customers.
While this should be a natural and easy transition, many vCISO service providers struggle to make the move. Adding compliance and audit readiness services can be overwhelming: it requires a specific skill set and can be time-consuming.
Fortunately, vCISO platforms are emerging that integrate the compliance function and automate much of the work allowing vCISO service providers to easily add compliance services to their offering with no extra burden or cost.
One of the most dominating threats in the current cyberspace era is ransomware which is constantly affecting organizations of all sizes. In order to cast a wider net of potential targets, attackers are constantly changing their tactics and expanding their tradecraft to make sure that they are successful.
Ransomware attacks affect a wide range of industries, systems and platforms. To protect today's hybrid devices and work environments, it is vital to understand how ransomware behaves across these systems and platforms.
In contrast to other platforms, Mac ransomware tends to rely substantially on user assistance, such as downloading and running fake applications or trojanized programs, to infect computers.
Unveiling the TTPs of Ransomware
During ransomware campaigns, the attackers typically gain access to a target device, execute the malware, encrypt the files belonging to the target, and inform the target of a ransom demand and request for payment.
The following steps are taken by malware creators in order to accomplish these objectives:-
Abuses legitimate functionalities
Devise various techniques to exploit vulnerabilities
Evade defenses
Trick users into infecting their own devices
Microsoft analyzed the following four Mac ransomware families:-
KeRanger
FileCoder
MacRansom
EvilQuest
Technical Analysis
Ransomware must choose which files to encrypt in order to do the most damage. Based on Microsoft's observations, ransomware families enumerate files and directories on Mac in several different ways:
Using the find binary
Using library functions opendir, readdir, and closedir
Using the NSFileManager class through Objective-C
Malware authors also try to prevent or evade analysis of their files, whether by a human analyst or by an automated analysis system.
The families discussed above use either hardware-based checks to detect analysis environments and refuse to run there, or code-level tricks that frustrate analysis.
As far as hardware-based checks are concerned, they are the following:-
Checking a deviceās hardware model
Checking the logical and physical processors of a device
Checking the MAC OUI of the device
Checking the deviceās CPU count and memory size
Among the checks related to the code are the following:-
Delayed execution
PT_DENY_ATTACH (via ptrace)
P_TRACED flag
Time-based check
It is common for malware to establish persistence so that it keeps running after the system restarts.
Of the Mac ransomware families analyzed, EvilQuest and MacRansom both use persistence techniques.
The persistence techniques observed are:
Creating launch agents or launch daemons
Using kernel queues
The anti-analysis and persistence techniques of the analyzed families are often similar. Their encryption logic, however, differs.
Files are commonly encrypted with a combination of AES and RSA, while other families use system utilities, XOR routines or custom algorithms.
The approach to writing encrypted data ranges from modifying the file in place to deleting the original and creating a new encrypted file in its place. To execute its payload in memory, EvilQuest uses the following APIs:
NSCreateObjectFileImageFromMemory - creates an object file image from data already present in memory
NSLinkModule - links the object file image
NSLookupSymbolInModule - looks up a specific symbol
NSAddressOfSymbol - returns the address of the symbol
Recommendation
Defenders can mitigate the impact of ransomware attacks by taking the following steps:
Do not install apps from sources other than the official app store of the software platform.
Protect privileged resources by restricting access to them.
Use a web browser that supports Microsoft Defender SmartScreen, such as Microsoft Edge.
Keep your operating system and applications up-to-date by installing the latest versions of them.
On your Mac, run Microsoft Defender for Endpoint.
The impacted automotive giants include BMW, Toyota, Ford, Honda, Mercedes-Benz and many more…
These API vulnerabilities exposed vehicles to information theft, account takeover, remote code execution (RCE), and even hijacking of physical commands such as starting and stopping engines.
Millions of vehicles from 16 different manufacturers were exposed through API vulnerabilities that could be abused to unlock, start and track cars, and that also compromised the privacy of vehicle owners.
In a detailed report, security researcher Sam Curry and his collaborators laid out vulnerabilities found in the automotive APIs behind the following companies:
Kia
BMW
Ford
Honda
Acura
Jaguar
Nissan
Porsche
Toyota
Ferrari
Spireon
Reviver
Genesis
Hyundai
Infiniti
SiriusXM
Land Rover
Rolls Royce
Mercedes-Benz
According to the researchers, information theft, account takeover, remote code execution (RCE) and even hijacking of physical commands such as starting and stopping engines were all real possibilities before the vulnerabilities were fixed by the respective manufacturers following responsible disclosure.
Spireon's telematics platform had the most serious issue: it could have been exploited to gain full administrator access, letting a threat actor issue arbitrary commands to about 15.5 million vehicles and update device firmware.
"Using our access, we could access all user accounts, devices (vehicles), and fleets," Curry said. "Some of the fleets on the website included ambulances, police cruisers, and large trucks. Using the Spireon access, we could send fully arbitrary commands and update device configurations."
Another vulnerability in the researchers' findings was a poorly configured API endpoint for generating one-time passwords for the BMW and Rolls Royce web portals, which could allow attackers to take over the account of any employee or contractor and thereby gain access to sensitive customer and vehicle information.
A poorly implemented SSO function in Ferrari's web applications gave the researchers unrestricted access to the JavaScript code of several internal applications. The source code contained internal API keys and usage patterns, which would let attackers create and modify users or, worse, grant themselves superuser permissions. The flaws effectively allowed attackers to take ownership of Ferrari cars.
A misconfiguration in the Mercedes-Benz single sign-on (SSO) system enabled the researchers to gain access to several internal company assets, including private GitHub repositories and internal communication tools.
Attackers could pose as employees, allowing them to access sensitive information, send commands to customer vehicles, perform RCE attacks, and use social engineering to escalate their privileges across the Mercedes-Benz infrastructure.
"There were some car companies where you'd own one, then copy the exact same methodology to another car company and get in with the same vulnerability," Curry wrote in a blog post.
The researchers found that some flaws recurred across several companies' platforms, including numerous exposed actuators (vehicle component controls), debug endpoints, and administrative functions for managing vehicles, purchase contracts and telematics devices.
This only goes to show that, in their hurry to install these devices, the car companies overlooked the task of securing the online ecosystem around them.
The open-source JsonWebToken (JWT) library is affected by a high-severity security flaw, tracked as CVE-2022-23529 (CVSS score: 7.6), that could lead to remote code execution.
The package is maintained by Auth0; as of January 2022 it had over 9 million weekly downloads and is used by more than 22,000 projects.
The flaw was discovered by Unit 42 researchers. It can be exploited by tricking a server into verifying a maliciously crafted JSON web token (JWT) request.
"By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request," reads the advisory published by Palo Alto Networks. "With that being said, in order to exploit the vulnerability described in this post and control the secretOrPublicKey value, an attacker will need to exploit a flaw within the secret management process."
JsonWebToken is an open-source JavaScript package that allows users to verify/sign JSON web tokens (JWT).
The flaw impacts JsonWebToken package version 8.5.1 or an earlier version, the JsonWebToken package version 9.0.0 addressed the issue.
"For versions <=8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the secretOrPublicKey argument from the readme link) of the jwt.verify() function, they can gain remote code execution (RCE)," reads the advisory published on GitHub. "You are affected only if you allow untrusted entities to modify the key retrieval parameter of the jwt.verify() on a host that you control."
Vulnerabilities in open-source projects are very dangerous, threat actors could exploit them as part of supply chain attacks that can impact any projects relying on them.
"Open source projects are commonly used as the backbone of many services and platforms today. This is also true for the implementation of sensitive security mechanisms such as JWTs, which play a huge role in authentication and authorization processes," concludes Palo Alto. "Security awareness is crucial when using open source software. Reviewing commonly used security open source implementations is necessary for maintaining their dependability, and it's something the open source community can take part in."
Below is the timeline for this vulnerability:
July 13, 2022: Unit 42 researchers sent a disclosure to the Auth0 team under responsible disclosure procedures
July 27, 2022: Auth0 team reported that the issue was under review
Aug. 23, 2022: Unit 42 researchers sent an update request
Aug. 24, 2022: Auth0 team reported that the engineering team was working on the resolution
Dec. 21, 2022: A patch was provided by the Auth0 engineering team
Penetration testing companies are pillars of information security: nothing matters more than ensuring that your systems and data are safe from unauthorized access. Many organizations have a flawed security culture, in which employees are motivated to protect their own information rather than the organization's.
This sets up an opportunity for attackers seeking ways into a company to exploit it and get access to critical data and secrets.
In this article, we look at the 10 best penetration testing companies and explain what penetration testing is. We also discuss its importance, the different types of tests, and how they are conducted.
What Is Penetration Testing?
The term "penetration testing" refers to the process of checking an application's or network's security by exploiting known vulnerabilities.
These security flaws might be found in a variety of places, such as system configuration settings, authentication methods, and even end-user risky behaviors.
Apart from assessing security, pentesting is also used to assess the effectiveness of defensive systems and security tactics.
The cyber security landscape is shifting at breakneck speed. New vulnerabilities are discovered and exploited all the time; some are publicly known, others are not.
Being aware is the greatest defence you can have. A penetration test uncovers security flaws in your system that might lead to data theft and denial of service.
Best Penetration Testing Companies: Key Features and Services
Automated vulnerability scans; continuous scanning; CI/CD integration; zero false positives; pentest report; customer support; guidance on how to report to regulators.
Proof-based scanning; full HTML5 support; web services scanning; built-in tools; SDLC integration.
Integration with JIRA and GitHub; OWASP Top 10, PCI, HIPAA and other compliance report templates; customer Reports API for building personalized security reports; vulnerability testing functionality.
Certified ethical hackers on the team; 33 years of overall experience in IT; IBM Business Partner in Security Operations & Response; recognized with 8 Gold Microsoft Competencies.
Malware analysis tools are essential for security professionals, who must continually learn new tools, techniques and concepts to analyze sophisticated threats and current cyber attacks.
Malware Analysis Tools & Courses
Malware Analysis Courses
Hex Editors
Disassemblers
Detection and Classification
Dynamic Binary Instrumentation
Dynamic Analysis
Deobfuscation
Debugging
Malware Analysis Courses
Reverse Engineering
Binary Analysis
Decompiler
Bytecode Analysis
Reconstruction
Memory Forensics
Windows Artifacts
Storage and Workflow
Malware samples
Courses
Domain Analysis
Books
Malware Analysis Courses
Here we have listed the best courses list for malware analysis, reverse engineering, exploit development and more..
A hex editor (or binary file editor or byte editor) is a program that allows manipulation of the raw binary data that constitutes a computer file. The name "hex" comes from "hexadecimal", the standard numerical format for representing binary data.
A disassembler is a program that translates machine language into assembly language, the inverse of what an assembler does.
A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.
This introductory malware dynamic analysis class is aimed at people who are starting out in malware analysis or who want to know what kinds of artifacts left by malware can be detected with various tools.
The class is hands-on: students use various tools to look at how malware persists, communicates and hides.
WinDbg - multipurpose debugger for Microsoft Windows, used to debug user-mode applications, device drivers and kernel-mode memory dumps.
x64dbg - an open-source x64/x32 debugger for Windows.
Binary Format and Binary Analysis
The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.
A decompiler is a program that takes an executable file as input and attempts to create a high-level source file that can be recompiled successfully. It is therefore the opposite of a compiler, which takes a source file and produces an executable.
Generic Decompiler
Metadefender.com - Scan a file, hash or IP address for malware (free).
NetworkTotal - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans and other malware using Suricata configured with Emerging Threats Pro rules.
Noriben - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
Aleph - Open-source malware analysis pipeline system.
CRITs - Collaborative Research Into Threats, a malware and threat repository.
FAME - A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
Analyze malicious JS and shellcode from PDFs and Office documents.
AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
box-js - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
diStorm - Disassembler for analyzing malicious shellcode.
JS Beautifier - JavaScript unpacking and deobfuscation.
JS Deobfuscator - Deobfuscates simple JavaScript that uses eval or document.write to conceal its code.
libemu - Library and tools for x86 shellcode emulation.
malpdfobj - Deconstructs malicious PDFs into a JSON representation.
OfficeMalScanner - Scans for malicious traces in MS Office documents.
olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
Origami PDF - A tool for analyzing malicious PDFs, and more.
PDF Tools - pdfid, pdf-parser and more from Didier Stevens.
PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
peepdf - Python tool for exploring possibly malicious PDFs.
QuickSand - A compact C framework to analyze suspected malware documents, identify exploits in streams of different encodings, and locate and extract embedded executables.
SpiderMonkey - Mozilla's JavaScript engine, for debugging malicious JS.
Practice Malware Analysis ToolsĀ
Practice Reverse Engineering. Be careful with malware.
RPISEC Malware Analysis - Course materials used in the Malware Analysis course at Rensselaer Polytechnic Institute during Fall 2015.
/r/ReverseEngineering - Reverse engineering subreddit, not limited to malware.
Credits
This list was created with the help of the following people:
Lenny Zeltser and other contributors, for developing REMnux.
Michael Hale Ligh, Steven Adair, Blake Hartstein and Matthew Richard, for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list.
Chinese researchers have recently claimed a breakthrough in quantum computing: a method by which a quantum computer of roughly the size expected to become available in the near future could break the RSA public-key encryption system.
Breaking 2048-bit RSA would have a major impact on the security of every system that still relies on it.
What the researchers are after is a way to recover, consistently and quickly, the secret prime factors on which the algorithm's security rests.
RSA has been largely replaced for key exchange in consumer-facing protocols such as Transport Layer Security, but it remains widespread in:
Older enterprise software
Operational technology software
Code-signing certificates
The researchers state that breaking the widely used RSA-2048 algorithm is possible using a "universal quantum algorithm for integer factorization by combining the classical lattice reduction with a quantum approximate optimization algorithm (QAOA). The number of qubits required is O(logN/loglogN), which is sublinear in the bit length of the integer N, making it the most qubit-saving factorization algorithm to date."
The Chinese Researchers' Claim
An adversary able to factor RSA moduli could recover signing keys or decrypt messages protected by RSA, and could read intercepted internet traffic.
Recovered signing keys could also be used to pass off malicious code as genuine software updates, allowing an attacker to seize control of third-party devices.
Quantum computing raises several threats of this kind to traditional cryptography.
Quantum vs Classical
The claim is that a 372-qubit quantum computer could be used to break RSA-2048. The statement comes with caveats, but it is still worth noting.
To support the hypothesis, the authors had only a 10-qubit superconducting device to experiment on, and the largest integer they actually factored on it was 48 bits long.
Many experts have questioned the findings. The authors posted the paper to the preprint server arXiv without any meaningful peer review.
Peer review is widely regarded as the minimum standard for assessing a research paper's scientific merit, and this work has not yet passed that bar.
Security technologist Bruce Schneier wrote that much remains to be settled about whether the technique can be applied in a real-world setting.
The authors are affiliated with several prestigious Chinese universities. Schneier argued that even if the claims prove untrue, they point to a race among researchers to find a way to break encryption with quantum computing in the near future.
"We find that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 even in the simplest 1D-chain system. Such a scale of quantum resources is most likely to be achieved on NISQ devices in the near future," the researchers stated.
According to a post on a well-known hacker forum, Volvo Cars has experienced a new data breach, with stolen information allegedly being made available for sale.
Anis Haboubi, a French cybersecurity expert, was the first to discover that a threat actor was seeking to sell data purportedly taken from Volvo Cars on a well-known hacking site.
On December 31, 2022, a forum member operating under the moniker IntelBroker claimed that Volvo Cars had been the target of a ransomware attack. He alleges that the Endurance ransomware gang attacked the company and stole 200 GB of private information, which is now being sold.
The seller said he is not demanding a ransom because he believes the victim would not pay it.
"The company has not been approached with a ransom demand. Based on the information available, the company does not currently see an impact on its business or operations," a Volvo representative said.
IntelBroker is offering the data for $2,500 in Monero and shared several screenshots as evidence of the hack. He refuses to use escrow, which is highly suspicious.
The leak reportedly includes sensitive material such as access to several company databases, Wi-Fi access points and logins, employee lists, software keys and other private data.
"I am currently selling the following information:
Database access, CICD access, Atlassian access, domain access, WiFi points, and logins, auth bearers, API, PAC security access, employee lists, software licenses, and keys and system files," reads the announcement on the hacking forum.
"There is much data on 'unresolved' reports of exploits. I have taken them all and they will also be included in this sale."
Notably, the screenshots of allegedly stolen data include details about vehicles the company sells to law enforcement agencies, especially in Europe.
The relatively low price of $2,500 suggests the data may not be as sensitive as the seller implies.
If genuine, this would be Volvo's second security compromise in less than 18 months: the company said a "small portion" of its R&D assets was taken in a breach in late 2021.
It is therefore unclear whether the seller is offering information from the 2021 breach or whether there has been a new leak. Some users of the same hacking site said that since last week the company's unsecured Citrix access has been exposed online.
Security researchers released their car hacking research discussing vulnerabilities affecting millions of vehicles, and lots of different car companies such as Kia, Toyota, BMW, Rolls Royce, Ferrari, Ford, and many more. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely. Their goal was to find vulnerabilities affecting the automotive industry. This write-up details their work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports them. Details: https://samcurry.net/web-hackers-vs-the-auto-industry/
This open port scanner tool identifies which TCP ports are open on the target machine and also reports OS information, service information and a traceroute.
The Nmap Port Scanner tool is a web interface to the widely known Nmap port scanner, invoked with parameters chosen for speed and accuracy.
Zenmap/Nmap port scanner
The scanning process sends a packet to each port and listens for the acknowledgment.
This is called a "SYN scan": it sends a TCP SYN packet to each port. If a port replies with SYN-ACK, it is flagged as open and the Nmap port scanner sends back an RST.
In this way, no full TCP connection is ever established with the target machine.
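The half-open pattern just described (SYN, SYN-ACK, then an RST where a normal client would send the final ACK) is also what a defender looks for on the wire. The script below is an added example, not code from the original post or from Nmap: it replays a constructed packet log, tracks each handshake's state, and flags any client that probed several ports on a host without ever completing a connection. Host addresses, ports and the log itself are made up for the example.

```python
from collections import defaultdict

# Constructed packet log for this example (not captured from any real host).
# Each record is (src, dst, src_port, dst_port, tcp_flags) with tcpdump-style
# flag letters: S=SYN, A=ACK, R=RST, so "SA" is SYN-ACK and "RA" is RST-ACK.
SAMPLE_LOG = [
    # 10.0.0.5 half-open scans 10.0.0.20: SYN, SYN-ACK, then an RST instead of
    # the final ACK, exactly the pattern a SYN scan leaves behind.
    ("10.0.0.5", "10.0.0.20", 40001, 22, "S"),
    ("10.0.0.20", "10.0.0.5", 22, 40001, "SA"),
    ("10.0.0.5", "10.0.0.20", 40001, 22, "R"),
    ("10.0.0.5", "10.0.0.20", 40002, 80, "S"),
    ("10.0.0.20", "10.0.0.5", 80, 40002, "SA"),
    ("10.0.0.5", "10.0.0.20", 40002, 80, "R"),
    # Closed ports answer RST-ACK.
    ("10.0.0.5", "10.0.0.20", 40003, 8080, "S"),
    ("10.0.0.20", "10.0.0.5", 8080, 40003, "RA"),
    ("10.0.0.5", "10.0.0.20", 40004, 3306, "S"),
    ("10.0.0.20", "10.0.0.5", 3306, 40004, "RA"),
    # A filtered port never answers.
    ("10.0.0.5", "10.0.0.20", 40005, 25, "S"),
    # 10.0.0.7 is an ordinary client that completes the handshake to 443.
    ("10.0.0.7", "10.0.0.20", 51000, 443, "S"),
    ("10.0.0.20", "10.0.0.7", 443, 51000, "SA"),
    ("10.0.0.7", "10.0.0.20", 51000, 443, "A"),
]


def track_handshakes(log):
    """Replay the log and return {(client, server, server_port): state}.

    States: syn_sent (no reply yet), syn_ack (server said open, client has not
    ACKed), half_open_reset (client answered the SYN-ACK with RST), closed
    (server answered RST-ACK) and established (client sent the final ACK).
    """
    states = {}
    for src, dst, sport, dport, flags in log:
        if flags == "S":
            states[(src, dst, dport)] = "syn_sent"
            continue
        # Replies travel server -> client: the flow is keyed by the reply's
        # source port and the client that originally sent the SYN.
        reply_key = (dst, src, sport)
        if reply_key in states and flags in ("SA", "RA"):
            states[reply_key] = "syn_ack" if flags == "SA" else "closed"
            continue
        # Client -> server follow-ups after the SYN-ACK.
        client_key = (src, dst, dport)
        if states.get(client_key) == "syn_ack":
            if flags == "A":
                states[client_key] = "established"
            elif flags == "R":
                states[client_key] = "half_open_reset"
    return states


def detect_syn_scanners(log, min_ports=3):
    """Return {client: summary} for clients that probed at least min_ports
    distinct ports on one host without ever completing a handshake."""
    per_pair = defaultdict(lambda: {"open": [], "closed": [], "filtered": [], "established": 0})
    for (client, server, port), state in track_handshakes(log).items():
        rec = per_pair[(client, server)]
        if state == "established":
            rec["established"] += 1
        elif state in ("syn_ack", "half_open_reset"):
            rec["open"].append(port)
        elif state == "closed":
            rec["closed"].append(port)
        else:  # syn_sent with no reply at all
            rec["filtered"].append(port)
    alerts = {}
    for (client, server), rec in per_pair.items():
        probed = len(rec["open"]) + len(rec["closed"]) + len(rec["filtered"])
        if probed >= min_ports and rec["established"] == 0:
            alerts[client] = {
                "target": server,
                "probed": probed,
                "open": sorted(rec["open"]),
                "closed": sorted(rec["closed"]),
                "filtered": sorted(rec["filtered"]),
            }
    return alerts


if __name__ == "__main__":
    for client, summary in detect_syn_scanners(SAMPLE_LOG).items():
        print(f"{client} -> {summary['target']}: {summary['probed']} ports probed, "
              f"open={summary['open']} closed={summary['closed']} filtered={summary['filtered']}")
```

The threshold of three ports is arbitrary; on a real sensor it would be tuned per network, and the same state table can be fed from a tcpdump or Zeek conn log instead of the embedded list.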
IPVOID helps to identify the services running on a server and view its open TCP ports.
It also checks whether the firewall is working as intended. Some security services block scans against IP addresses you do not own, so avoid checking addresses you do not control.
IPVOID port Scanner
The online tool offers a wide range of scanning options to discover details about IP addresses.
This open port scanner tool checks which services are available and running on the server.
To find out which OS version is running, whether ports are open on the server, and whether the server has a firewall enabled, the tool uses raw IP packets to gather all of this information.
Network Port Scanner Tool
This tool is extremely useful for finding out whether your port forwarding is set up correctly and whether a firewall is blocking your server applications.
It helps you identify which services are reachable from outside the intranet. Machines that reach the internet through a router with NAT cannot be reached from outside the intranet.
With port forwarding, however, the router can redirect a port to a particular machine.
MxToolBox
This online open port scanner allows you to verify whether port redirection works correctly.
Key Features
Round-trip SMTP monitoring.
Inbound and outbound email tests and header analysis.
This online open port scanner tool is also known as "HideMy[.]name". If you want to hide your identity while browsing, use a web proxy.
This tool hides and changes your IP address and location, so you stay incognito while using the browser.
Proxy Tool
It acts as an intermediary between your machine and the requested website. You can also view blocked content and play online games.
You can surf the internet at full speed with a stable connection. It offers protection, privacy, and freedom on any device while browsing.
It scans all IP addresses and TCP and UDP ports to check for network vulnerabilities.
You can also run the scan from the command line, save scan configurations, and shorten scan run time with multi-threading. It traces end-user and terminal machine connection activity.
Solar Winds Port Scanner
It recognizes unknown vulnerabilities and network protocols.
Yougetsignal is an open port checker tool that lets you check any external IP address for open ports.
It is a useful tool to check the restrictions placed by a firewall. With this tool, you can check all TCP and UDP ports.
Yougetsignal Open port checker
With the port scanner tools listed above, you can determine the open ports in your network infrastructure.
For security reasons, it is always recommended to close ports that are not in use.
Key Features
Port Forwarding Tester
What Is My IP Address
Network Location Tool
Visual Trace Route Tool
Conclusion
Listed above are some of the free tools available online to check for open ports on a server and for other DNS queries.
We have categorized some of the best port scanner and port checker tools to help find open ports and perform other port-related operations during a penetration test of a network.
What Is the Security Risk Due to Open Ports?
Much malicious software behaves like a service, waiting for connections from a remote attacker so that it can hand over data or control of the machine. The most common security practice is to close unused ports on private machines, in order to block access to any service that may be running on the PC without the user's knowledge, whether because an authorized service is misconfigured or because of malicious software.
Is Port Scanning Illegal?
Port scanning itself is not illegal, but scanning a destination host without authorization is illegal and will get you into trouble. TCP port scanners help server administrators and penetration testers examine through which ports data enters the network and protect it from intruders.
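Closing unused ports starts with knowing what is listening and on which interface. The script below is an added example (not from the original post or any of the tools above) that parses output in the shape of `ss -H -tlnp`, separates loopback-only listeners from those bound to all interfaces, and reports every externally reachable port that is not on an allow list. The sample output, process names and the allow list are constructed for the example.

```python
import re

# Constructed output in the shape of `ss -H -tlnp` (not captured from a real
# host): state, recv-q, send-q, local address:port, peer address:port, process.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=955,fd=5))
LISTEN 0 4096 0.0.0.0:9200 0.0.0.0:* users:(("java",pid=2210,fd=312))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 50 *:6379 *:* users:(("redis-server",pid=1740,fd=6))
"""

# Assumed policy for this host: only SSH and HTTP may be reachable from outside.
ALLOWED_EXTERNAL_PORTS = {22, 80}

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::", "*"}


def parse_listeners(ss_output):
    """Parse ss -tlnp style lines into dicts of addr, port, scope and process."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        addr = addr.strip("[]")            # "[::]" -> "::"
        if addr in LOOPBACK:
            scope = "loopback"
        elif addr in WILDCARD:
            scope = "all-interfaces"
        else:
            scope = "specific"
        match = re.search(r'\("([^"]+)",pid=(\d+)', line)
        listeners.append({
            "addr": addr,
            "port": int(port),
            "scope": scope,
            "process": match.group(1) if match else "?",
            "pid": int(match.group(2)) if match else None,
        })
    return listeners


def audit_listeners(ss_output, allowed_external=ALLOWED_EXTERNAL_PORTS):
    """Return (port, process, addr) for every non-loopback listener that is
    not on the allow list, i.e. an exposed port with no documented reason."""
    findings = set()
    for lst in parse_listeners(ss_output):
        if lst["scope"] != "loopback" and lst["port"] not in allowed_external:
            findings.add((lst["port"], lst["process"], lst["addr"]))
    return sorted(findings)


if __name__ == "__main__":
    for port, proc, addr in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port} ({proc}) listens on {addr} but is not on the allow list")
```

In the sample, PostgreSQL on 127.0.0.1 is not reported because it is unreachable from the network, while the Elasticsearch-style listener on 9200 and Redis on 6379 are bound to every interface and would be flagged for the administrator to either close or firewall.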
If you're interested in penetration testing and digital forensics, you know that Kali Linux is worth a try. And if you're already doing it, chances are good you are already using it.
We talked to Jim O'Gorman, Chief Content and Strategy Officer at Offensive Security (OffSec), about the direction in which the development of the open-source distro is headed.
[The answers have been edited for clarity.]
Kali Linux keeps growing and improving. How much does user feedback influence where you want to go next? What do users want the most?
Two questions drive Kali's development:
1. What needs to be done to ensure that Kali Linux is the best possible platform for professional and hobbyist information security work?
2. What needs to be done to ensure that Kali is the best possible platform for information security training?
There is a lot of overlap between those two questions, but realistically they are separate and distinct items. However, by getting them both right on a single platform, we create an environment where people can train, study, and learn, but also use the same platform for real-world efforts. In essence, it means that you train like you fight.
The answer to the first question is driven by input from the Kali and OffSec teams. As infosec professionals ourselves, what are the things we run into on a day-to-day basis and how do we make our life easier by ensuring the toolset is of the highest quality possible? We also work closely with OffSec's pentesting team.
We also listen to input from other Kali users. Kali is a totally open-source project and anyone and everyone can pitch in and contribute. And they do! If you wish a tool to be included in Kali, package it and submit it! If you wish a configuration worked a certain way out of the box, modify the package and submit the change. It's very direct and easy to do, and it is in our documentation. Anyone, regardless of their background, can play a part.
The second way users influence development is through bug reports, feature requests, and conversations on OffSec's Discord and other social media. The Kali team is out there as part of the infosec community; talk to us and let us know what you are seeing. Also, when possible, we will set up private conversations with large organizations that use Kali to get a feel for their unique needs.
To answer the second question (how to make Kali the best possible platform for training?), we work very closely with the OffSec content development team to find out what tools they are using for training, what sort of default environment works best for learners, and what we can do in Kali to support general education efforts.
Surprisingly, even though Kali is built for advanced information security work, it is often the first Linux many users ever use. So we are careful with the design of Kali to ensure that it is approachable. We want to ensure that you don't have to be a Linux professional to utilize Kali successfully in OffSec courses.
What's your vision for Kali Linux in the next 12 months? What areas need polishing?
The changing of attack techniques over time does not impact Kali as much as you might think, as techniques are more often than not implemented in tools and scripts. While the tools and scripts change, Kali Linux as a platform to launch them does not have to change much. The closest item to this is expanding Kali to run everywhere. Our goal is to put the Kali toolset as close as possible to you no matter where you are.
Kali installed on bare metal, Kali in a VM, Kali in containers (Docker & LXC), Kali on WSL, Kali on various ARM devices such as Raspberry Pi, Kali in a cloud instance such as AWS and Azure, Kali on your Android phone or tablet; we even have Kali running on a watch! No matter where you are or what your needs are, we want Kali to be easy to access and run.
Kali is primarily geared towards pentesting and red teaming, but we are looking at expanding into other areas of information security as well.
Kali Linux comes with a myriad of tools. What's the process for including or removing a piece of software? What tools are used the most?
What tools run in Kali is really a matter of input from the team, community, and OffSec. Our goal is to have the most frequently used and important tools installed and working out of the box. Other common tools are installed quickly and easily with a single command.
We add new tools based on the answers to a number of questions: What functionality does the tool provide and is it unique or different enough from functionalities of other tools? Is the tool going to be maintained and updated over a reasonable period of time? How functional is the tool? Is it a wrapper for another tool? Does the developer have a positive reputation?
If a tool stops being updated and stops working, we'll try to work with the author. If they are unresponsive and the effort of maintaining the tool becomes too complex, we document this and then often remove it.
We get a lot of input from the OffSec pentesting team on what tools they are using in the field today, as well as the OffSec content developers on what tools are being used as part of the courseware. The idea is to have all the tools used in OffSec coursework out of the box to keep things easy for students.
Do major software development trends influence your approach to enhancing Kali Linux? How do you prioritize features?
When prioritizing features, we look at what is needed at the current time. We release Kali in quarterly updates so that dictates our development cycle. Each cycle we look at what is happening in the industry, where the gaps are, and determine what to prioritize.
On this front, there is a lot to balance. Everything from the distribution of Kali, installation, user experience, tools, stability, so on and so forth. It's a full operating system and a small team, so we have to pick and choose what goes into it; we can't do everything each cycle. Again, input from the community and OffSec sets the priorities.
There's been a lot of buzz around AI lately. Do you expect AI to play a role in future Kali Linux versions?
As Kali is a base OS, not right now. For tools that run in Kali, perhaps in time. As soon as the tools are there we will add them into Kali if they are any good. But there are also always fad trends so we tend not to get over-excited about them until they start to actually deliver results.
We have seen demonstrations of tools being developed with some of the PoC which have been creating some buzz, but as they are not ready to be released we are a ways off from this yet.
At the time of writing, a misconfigured server belonging to an Enterprise Resource Planning (ERP) software provider based in California, United States, was still exposing data to the public without any authentication or password.
An Elasticsearch server belonging to a major international IT recruitment and software solution provider is currently exposing the personal data of more than half a million Indian candidates looking for jobs.
However, the data is not limited to job seekers, as the server is also exposing the company's employees' data. Another important aspect of this exposure is that it also contains the company's client records from different companies, including Apple and Samsung.
This was confirmed to Hackread.com by Anurag Sen, a prominent independent security researcher. What is worse, the server is still exposed and publicly accessible without any authentication or password. The server has been exposed since late December 2022.
It all started when Anurag scanned for misconfigured databases on Shodan and noted a server exposing more than 6GB of data to public access. Anurag said that the server belongs to a company originally based in the United States with offices around the globe, including India, while the database contains details of job seekers in India.
Hackread.com would not share the name of the company in this article because the server is still exposed.
Exposed Data
Anurag's analysis of the server revealed that the exposed records contain the personal data of over 575,000 individuals; the data is over 6.3GB in size and growing with each passing day. This data includes the following:
Full Name
Date of birth
Email address
Phone number
Resume details
Employer details
The screenshot below shows the candidate details and client data that are currently being exposed:
Image credit: Anurag Sen / Hackread.com
The screenshot below was taken from the live server and shows the company's client details. Some of these are top companies such as Apple, Samsung, Sandisk, Unilog, Moody, Intuit, NEC Corporation, Falabella and many more.
The company's client list also indicates that it is a high-profile business with a presence all over the globe.
Screenshot credit: Anurag Sen / Hackread.com
Indian CERT Alerted
Since the server was still live at the time of writing, Anurag alerted the Indian Computer Emergency Response Team over the weekend. However, there has been no response from the authorities yet.
India and server misconfiguration
India is home to almost 1.4 billion people. This makes the country a lucrative target for businesses as well as cybercriminals. The more the investment, the more widespread and vulnerable the IT infrastructure becomes.
It is yet unclear whether a third party accessed the database with malicious intent, such as ransomware gangs or threat actors. However, if it did, it would be devastating for the victim and the healthcare firm responsible for the server.
Furthermore, considering the extent and nature of the exposed data, the incident can have far-reaching implications, such as bad actors downloading the data, carrying out phishing scams, or identity theft-related fraud.
Hackers can hold the company's server or data for ransom and leak it on cybercrime forums if their demands are not met. Nevertheless, the victims in this situation are the job hunters who trusted authorities with their personal information.
Misconfigured Databases: a Threat to Privacy
Misconfigured or unsecured databases have become a major privacy threat to companies and unsuspecting users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any authentication.
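The exposure described in this story comes down to two settings: an Elasticsearch node bound to a public interface with authentication switched off. The script below is an added example, not code from the article, from Hackread.com or from Elastic: it reads the flat `key: value` style of elasticsearch.yml and reports the combinations that leave a node open to the internet. The two config fragments are constructed; the setting names `network.host`, `http.port`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled` are real Elasticsearch settings, while the cluster name and addresses are made up.

```python
# Two constructed elasticsearch.yml fragments for this example (not taken from
# any real deployment). The setting names are real Elasticsearch settings;
# the values are made up.
WEAK_CONFIG = """\
cluster.name: recruiting-search
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

HARDENED_CONFIG = """\
cluster.name: recruiting-search
network.host: 10.0.1.15        # internal interface only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the node on loopback only.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Read simple `key: value` lines (the dotted-key style elasticsearch.yml
    commonly uses); comments and blank lines are ignored. Nested YAML blocks
    are out of scope for this example."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings


def audit_elasticsearch(text):
    """Return a list of finding codes for one config fragment.

    exposed-without-auth : bound beyond loopback and auth not confirmed on
    auth-disabled        : xpack.security.enabled is explicitly false
    auth-unverified      : xpack.security.enabled missing (the default has
                           differed between versions, so check it by hand)
    http-tls-off         : reachable beyond loopback but HTTP TLS is not on
    """
    s = parse_flat_yaml(text)
    # Elasticsearch binds to loopback when network.host is unset.
    host = s.get("network.host", "_local_")
    auth = s.get("xpack.security.enabled")
    tls = s.get("xpack.security.http.ssl.enabled", "false")
    exposed = host not in LOOPBACK_HOSTS
    findings = []
    if exposed and auth != "true":
        findings.append("exposed-without-auth")
    if auth == "false":
        findings.append("auth-disabled")
    elif auth is None:
        findings.append("auth-unverified")
    if exposed and tls != "true":
        findings.append("http-tls-off")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_elasticsearch(cfg) or ['no findings']}")
```

The config audit is only one layer: a node that passes it can still be exposed by a cloud security group or a port forward, which is why the listening-port check and a network-level view belong alongside it.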
In 2021, the number increased to 399,200 exposed databases. The top 10 countries with top database leaks due to misconfiguration in 2021 included the following:
11 of the world’s top cyber security experts gather to discuss how to protect ourselves against cybercrime. Includes interviews with Rob Boles, Jesse Castro, Michael Einbinder-Schatz, Rick Jordan, Konrad Martin, Rene Miller, Paul Nebb, Will Nobles, Adam Pittman, Leia Shilobod, and Peter Verlezza.
Regula has presented its vision of the developments that will shape the industry's landscape in 2023. Deepfakes, new cyber-hygiene norms, and demand for mature ID verification platforms are among its predictions for the next year.
While more and more industries move their customer experiences to digital, online identity verification is becoming an essential part of our life. It lets people cope with all sorts of mission-critical activities online: opening bank accounts, applying for benefits, getting insurance payouts, and even getting medical advice.
Still, the security of the digital IDV process is the number one concern that is forming the industry's landscape and driving the majority of significant changes.
Javelin Strategy & Research reports that in 2022, identity fraud and scams cost $52 billion and affected over 42 million people in the US alone. The rising number of identity fraud cases, along with fraudsters' hunger for personal information collected by service providers, will lead to three important changes in how data will be used and treated:
Even industries that are not so heavily regulated will invest more in the ID verification process, adding extra security layers. There will be more checks with increased complexity and additional steps in the verification process: biometric checks, verifying IDs, SMSs, and passwords, checking recent transactions, etc.
This will lead to prioritization of comprehensive liveness checks to make sure that submitted documents are valid and really exist. An ID document contains various security features: holograms, elements printed with optical variable inks, and biometric data, to name a few, and an image of it should be taken using methods so that these elements can be captured and verified.
Regula experts expect to see a push from users for more data protection rules, and for more transparency from online businesses. In the wake of multiple public disclosures of data leaks, users are gradually losing trust in how their data is treated and becoming more cautious about what they share with third parties and how. Addressing this trend, companies will attempt to bring that trust back via increased investments in customer data protection measures.
When it comes to more complex identity fraud cases related to synthetic media like deepfakes, experts expect to see a rise in amateur scam attempts along with the emergence of next-gen biometric-related fraud.
Both trends are developing in parallel and are powered by the same factor: the growing maturity and availability of machine-learning based technologies that make it possible to fake photos, videos, voices, and other characteristics previously considered unique.
Based on the opinion of Regula experts, all these trends will lead to a market that is developed enough to embrace mature end-to-end IDV solutions that are capable of not only verifying documents, but also biometric characteristics, like face, voice, and fingerprints.
"The good news is that minimal security measures are currently enough to repel 95% of possible attacks. The remaining 5% is where the difficulties lie. Now, most deepfakes are created for free, and they're of such a quality that there's no immediate danger. But that's a matter of how many resources fraudsters will be willing to invest. At the moment, when they're ready to spend significant amounts of money per deepfake, it's a problem that requires interactive multi-layered protection. So if we picture the trends above as a scale, where convenience for the customer is on one end and security on the other, the balance is shifting to the latter," notes Ihar Kliashchou, CTO at Regula.
In relation to this year's trending topics, digital identity and decentralized identity, the company's experts have their own take:
In the ideal world, a universal digital identity would help eliminate most of the issues with fake identities. However, in reality, creating and gaining broad acceptance and implementation of a secure single source of truth is going to take a significant amount of time. Still, we're already seeing more different local and even company-based digital identities trying to become a single source of truth on a local level.
The idea of decentralized identity is going to be held back for some time. With the benefit of being built on blockchains and allowing users to control their digital identifiers, this system still comes with weaknesses. Since no one controls it centrally, no one will be responsible for it in case of any problems. Additionally, there is the matter of trust. Blockchain is strongly associated in people's minds with crypto, and the FTX crash that has happened in the last couple of months has undermined people's trust in it.
Matt Kunze, an ethical hacker, reported wiretapping bugs in Google Home Smart Speakers, for which he received a bug bounty worth $107,500.
Google Assistant is currently more popular among smart home owners than Amazon Alexa and Apple Siri, given its superior intuitiveness and capability to conduct lengthy conversations. However, according to the latest research, a vulnerability in Google Home smart speakers could allow attackers to control the device and eavesdrop on user conversations indoors.
Findings Details
The vulnerability was identified by Matt Kunze, a security researcher using the moniker DownrightNifty Matt. The researcher revealed that, if exploited, the vulnerability could allow the installation of backdoors and turn Google Home smart speakers into wiretapping devices. Google fixed the issue in April 2021, following responsible disclosure on 8 January 2021 and the development of a proof of concept for the company.
Possible Dangers
The vulnerability could let an adversary within the device's wireless proximity install a backdoor account on the device and then send remote commands, access the microphone feed, and initiate arbitrary HTTP requests. All of this is possible if the attacker is within range of the user's LAN, because malicious requests can expose the device's Wi-Fi password and give the attacker direct access to all devices connected to the network.
What Caused the Issue?
Matt discovered that the problem was caused by the software architecture used in Google Home devices, as it let an adversary add a rogue Google user account to their target's smart home devices.
A threat actor would trick the individual into installing a malicious Android application to make the attack work. It would detect a Google Home automation device connected to the network and stealthily start issuing HTTP requests to link the threat actor's account to the victim's device.
In addition, the attacker could stage a Wi-Fi de-authentication attack to disconnect the Google Home device from the network and force the appliance to initiate a setup mode and create an open Wi-Fi network. Subsequently, the attacker can connect to this network and request additional details such as device name, certificate, and cloud_device_id. They could use the information and connect their account to the victimās device.
According to Matt's blog post, the attacker could perform a range of functions, such as turning the speaker's volume down to zero and making calls to any phone number, apart from spying on the victim via the microphone. The victim wouldn't suspect anything, because only the device's LED turns blue when the exploitation happens, and the user would think the firmware is being updated.
Matt successfully connected an unknown user account to a Google Home speaker. He created a backdoor account on the targeted device and obtained unprecedented privileges that let him send remote commands to the Home Mini smart speaker, access its microphone feed, etc. Watch the demo shared by the researcher:
It is worth noting that there's no evidence this security loophole was misused since its detection in 2021. Being an ethical hacker, the researcher notified Google about the issue, and it was patched. Matt received a bug bounty worth $107,500 for detecting this security flaw.