Oct 10 2022

Intrusion Detection System (IDS) and Its Detailed Working Function

Category: Intrusion Detection System | DISC @ 8:34 am

An intrusion detection system (IDS) is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system through malicious activities such as DDoS attacks or security policy violations.

An IDS works by monitoring system activity: examining vulnerabilities in the system, checking the integrity of files, and analyzing patterns based on already known attacks. It also automatically monitors the Internet to search for any of the latest threats which could result in a future attack.

Detection Methods

An IDS can only detect an attack. It cannot prevent attacks. In contrast, an IPS prevents attacks by detecting them and stopping them before they reach the target.

An attack is an attempt to compromise confidentiality, integrity, or availability.
The two primary methods of detection are signature-based and anomaly-based. Any type of IDS (HIDS or NIDS) can detect attacks based on signatures, anomalies, or both.

The HIDS monitors the network traffic reaching its NIC, and the NIDS monitors the traffic on the network.

Host Based intrusion detection system (HIDS)

A host-based intrusion detection system (HIDS) is additional software installed on a system such as a workstation or a server.

It provides protection to the individual host and can detect potential attacks and protect critical operating system files.

The role of a host Intrusion Detection System is passive, only gathering, identifying, logging, and alerting. Examples of HIDS:

The primary goal of any IDS is to monitor traffic. For a HIDS, this traffic passes through the network interface card (NIC). Many host-based IDSs have expanded to monitor application activity on the system.

As one example, you can install a HIDS on different Internet-facing servers, such as web servers, mail servers, and database servers. In addition to monitoring the network traffic reaching the servers, the HIDS can also monitor the server applications.

It’s worth stressing that a HIDS can help detect malicious software (malware) that traditional anti-virus software might miss.

Because of this, many organizations install a HIDS on every workstation as an extra layer of protection, in addition to traditional anti-virus software. Just as the HIDS on a server is used primarily to monitor network traffic, a workstation HIDS is mainly used to monitor network traffic reaching the workstation. However, a HIDS can also monitor some applications and can protect local resources such as operating system files. In other organizations, administrators only install a HIDS when there’s a perceived need.

For example, if an administrator is concerned that a specific server with proprietary data is at increased risk of an attack, the administrator might choose to install a HIDS on this system as an extra layer of protection.

In a SYN flood, the attacker sends a stream of TCP SYN packets but never completes the three-way handshake, leaving the server with many half-open sessions. Each uncompleted session consumes resources on the server, and if the SYN flood attack continues, it can crash the server.

Some servers reserve a certain number of resources for connections, and once the attack consumes these resources, the system blocks additional connections. Instead of crashing the server, the attack prevents legitimate users from connecting to the server.

IDSs and IPSs can detect a SYN flood attack and respond to block the attack. Additionally, many firewalls include a flood guard that can detect SYN flood attacks and take steps to close the open sessions.
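The two detection methods described above (signature-based and anomaly-based) and the SYN flood case can be shown side by side in a small toy IDS. The following is an example added here, not code from the original post: the connection events, the signatures and the threshold of five half-open sessions are all constructed for illustration, and the anomaly detector implements one simple heuristic (count half-open sessions per source) rather than a full statistical baseline.

```python
"""Toy IDS applying both detection methods from the text: signature matching
against known attack patterns, and an anomaly heuristic for SYN floods
(many half-open sessions from one source). Example added here; the events,
signatures and threshold are constructed, not taken from real traffic."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    flags: str      # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "PA" = PSH/ACK
    payload: bytes = b""


# Constructed signatures: byte patterns taken from already known attack types.
SIGNATURES: Dict[str, bytes] = {
    "SQL injection probe": b"' OR 1=1",
    "Path traversal": b"../../",
}


def signature_alerts(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Signature-based detection: flag any payload that contains a known pattern."""
    alerts = []
    for e in events:
        for name, pattern in SIGNATURES.items():
            if pattern in e.payload:
                alerts.append((name, e.src, e.dst))
    return alerts


def syn_flood_alerts(events: List[Event], max_half_open: int = 5) -> List[Tuple[str, int]]:
    """Anomaly-based detection: a session is half-open when the client's SYN was
    seen but its final ACK never arrived. A source holding more than
    max_half_open such sessions at the end of the window is flagged."""
    half_open: Dict[str, set] = defaultdict(set)
    for e in events:
        session = (e.src, e.sport, e.dst, e.dport)
        if e.flags == "S":
            half_open[e.src].add(session)
        elif e.flags == "A":
            half_open[e.src].discard(session)
    return [(src, len(s)) for src, s in half_open.items() if len(s) > max_half_open]


def run_ids(events: List[Event]) -> Dict[str, list]:
    """Run both detectors over the same event stream and return their alerts."""
    return {"signature": signature_alerts(events), "anomaly": syn_flood_alerts(events)}


# Constructed sample traffic toward a web server at 192.0.2.10.
SERVER = "192.0.2.10"
SAMPLE_EVENTS: List[Event] = [
    # A legitimate client completes the handshake and sends a normal request.
    Event("10.0.0.5", 40001, SERVER, 80, "S"),
    Event(SERVER, 80, "10.0.0.5", 40001, "SA"),
    Event("10.0.0.5", 40001, SERVER, 80, "A"),
    Event("10.0.0.5", 40001, SERVER, 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
    # The same client later sends a request that matches a known signature.
    Event("10.0.0.5", 40002, SERVER, 80, "S"),
    Event("10.0.0.5", 40002, SERVER, 80, "A"),
    Event("10.0.0.5", 40002, SERVER, 80, "PA", b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n"),
]
# A second host sends eight SYNs from different ports and never completes any of them.
SAMPLE_EVENTS += [Event("198.51.100.7", 50000 + i, SERVER, 80, "S") for i in range(8)]

if __name__ == "__main__":
    for kind, alerts in run_ids(SAMPLE_EVENTS).items():
        print(kind, alerts)
```

The signature detector can only ever report patterns it already knows, which is the limitation the text describes; the anomaly detector catches the flood without any signature, but its threshold has to be tuned per environment, otherwise a busy legitimate client with a slow network path will be reported as well.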

Network-Based Intrusion Detection System (NIDS)

An Introduction to Intrusion Detection Systems


Oct 08 2022

Email Defenses Under Siege: Phishing Attacks Dramatically Improve

Category: Information Security, Phishing | DISC @ 3:31 pm

About 1 in 5 phishing email messages reach workers’ inboxes, as attackers get better at dodging Microsoft’s platform defenses and defenders run into processing limitations.


This week’s report that cyberattackers are laser-focused on crafting attacks specialized to bypass Microsoft’s default security showcases an alarming evolution in phishing tactics, security experts said this week.

Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defenses, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They’re also doing more targeting and research on victims.

As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft’s platform defenses and landed in workers’ inboxes in 2022, a rate that increased 74% compared to 2020, according to research published on Oct. 6 by cybersecurity firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.

The increasing capabilities of attackers are due to a better understanding of current defenses, says Gil Friedrich, vice president of email security at Avanan, an email security firm acquired by Check Point in August 2021.

“It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company’s security layers,” he says. “The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyzes the content.”
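The zero-size font trick mentioned above, and Friedrich's point that the email "looks genuine to the recipient but looks different to the algorithm", can both be made concrete with a small defender-side check. The following example is added here and is not code from the article or from Check Point or Avanan: it parses an HTML email body with Python's standard-library HTML parser, separates the text a recipient would actually see from text hidden by a zero font size or by display:none, and flags the message when the two views differ. The sample messages are constructed.

```python
"""Detector for zero-size-font and hidden-element obfuscation in HTML email
bodies. Added example, not from the article. Text styled with font-size:0,
display:none or visibility:hidden is invisible to the reader but still
present in the content a filter analyzes, so the two views of the message
differ; that difference is the signal this check looks for."""
import re
from html.parser import HTMLParser
from typing import Dict, List

ZERO_FONT = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:!important)?\s*(?:;|$)", re.I
)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base",
             "col", "embed", "source", "track", "wbr"}


class HiddenTextExtractor(HTMLParser):
    """Collects rendered text and hidden text separately while parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden_stack: List[bool] = []   # one entry per open element: is it hidden?
        self.visible: List[str] = []         # raw text runs the recipient would see
        self.hidden: List[str] = []          # text runs only a filter would see
        self.skip_depth = 0                  # inside <script>/<style>, ignore text

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        if tag in ("script", "style"):
            self.skip_depth += 1
        style = dict(attrs).get("style") or ""
        parent_hidden = self.hidden_stack[-1] if self.hidden_stack else False
        own_hidden = bool(ZERO_FONT.search(style) or HIDDEN.search(style))
        self.hidden_stack.append(parent_hidden or own_hidden)   # hiding is inherited

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag in ("script", "style") and self.skip_depth:
            self.skip_depth -= 1
        if self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        if self.skip_depth:
            return
        if self.hidden_stack and self.hidden_stack[-1]:
            text = " ".join(data.split())
            if text:
                self.hidden.append(text)
        else:
            self.visible.append(data)


def analyze_email_html(html: str) -> Dict[str, object]:
    """Return the recipient's view, the filter-only text, and a verdict."""
    p = HiddenTextExtractor()
    p.feed(html)
    p.close()
    return {
        "rendered_text": " ".join("".join(p.visible).split()),
        "hidden_text": p.hidden,
        "suspicious": bool(p.hidden),
    }


# Constructed sample: words a content filter might key on are broken up by
# zero-size spans, and a hidden block dilutes the message for the algorithm.
SAMPLE_PHISH = """<html><body>
<p>Your acc<span style="font-size:0px">xq</span>ount needs to be
ver<span style="font-size: 0; color: #fff">zz</span>ified today.</p>
<div style="display:none">unrelated filler text to dilute the message</div>
</body></html>"""

SAMPLE_BENIGN = "<p>Quarterly report attached, see you <b>Monday</b>.</p>"

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_email_html(body))
```

A filter that only tokenizes the raw HTML text sees "acc xq ount" and "ver zz ified" and never matches the words the reader sees; comparing the rendered view against the hidden text is what restores the mismatch as a detectable signal. Style sheets applied through class names rather than inline style attributes are not resolved here, so a production check would also need to evaluate embedded CSS.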

Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organizations had been targeted during one AiTM campaign.

Check Point is not the only vendor to warn that phishing attacks are getting better. In a survey, email security firm Proofpoint found that 83% of organizations experienced a successful email-based phishing attack, nearly half again as many as suffered such an attack in 2020. Cybersecurity firm Trend Micro saw the number of phishing attacks more than double, growing 137% in the first half of 2022 compared to the same period in 2021, according to the firm’s 2022 Mid-year Cybersecurity report.

Meanwhile, cybercriminal services, such as phishing-as-a-service and malware-as-a-service, are encapsulating the most successful techniques into easy-to-use offerings. In a survey of penetration testers and red teams, nearly half (49%) considered phishing and social engineering to be the attack techniques with the best return on investment.

Research & Recon Inform Phishing

https://www.darkreading.com/remote-workforce/email-defenses-under-siege-phishing-attacks-dramatically-improve

Defending Phishing Attacks on Organizations For Beginners

Phishing Awareness and Training

Phishing Detection Using Content-Based Image Classification

Tags: phishing attacks, Phishing Awareness and Training


Oct 07 2022

What Are You Doing for Cyber Security Awareness Month?

Category: Information Security, Security Awareness | DISC @ 8:51 am
Cyber Security Awareness 2022

This October is Cyber Security Awareness Month, an event designed to educate people about information security and the steps they can take to stay safe online.

Now in its nineteenth year, the campaign provides tools and resources to help people learn more about the cyber security industry and the ways they can get involved.

This year’s event focuses on phishing and ransomware – two of the biggest threats that organisations currently face.

According to Proofpoint’s 2022 State of the Phish Report, 83% of organisations fell victim to a phishing attack last year. Meanwhile, Verizon’s 2021 Data Breach Investigations Report found that 25% of all data breaches involve phishing.

The attack method is often used to deliver ransomware, which itself is responsible for significant damage. Our research discovered more than 100 publicly disclosed ransomware attacks in the first half of 2022, with intrusions shuttering businesses and creating huge financial problems.

Getting involved

There are events being held throughout October as part of National Cyber Security Awareness Month. Both national governments and private organisations have supported the campaign and are running programmes online and in person.

You can find a full list of events on Stay Safe Online, where you can also find information security tips.

The theme of this year’s campaign is ‘See Yourself in Cyber’, and individuals are encouraged to get involved online with the hashtag #BeCyberSmart.

A key component of that is protecting yourself from scams. The campaign reminds people that: “The signs can be subtle, but once you recognize a phishing attempt you can avoid falling for it.

“Before clicking any links or downloading attachments, take a few seconds (like literally 4 seconds) and ensure the email looks legit.”

The campaign also highlights the benefits of multi-factor authentication, strong passwords and regularly updating software.

How IT Governance can help

You can also follow the latest developments with Cyber Security Awareness Month by following us on LinkedIn. We’ll provide the latest updates on the campaign to help you get involved in events near you.

Plus, our experts will provide quick and simple tips to boost your cyber security awareness. Did you know, for example, that one of the most effective ways to boost your defences is also one of the simplest: ensuring that your accounts are protected by strong, unique passwords?

This applies not only to login credentials but also to databases and other sensitive information that you store online. The InterContinental Hotel Group was recently caught out by a cyber attack, after criminal hackers discovered a database protected by the password ‘Qwerty1234’.

The breach enabled the attackers to access the most sensitive parts of the hotel giant’s computer systems, and ultimately led to a phishing attack in which an employee was duped into downloading malware that destroyed huge volumes of sensitive data.

Another top tip for preventing cyber attacks is to test your employees with simulated phishing messages, such as our Phishing Challenge E-learning Game. These are messages that use the same techniques as genuine scams without the malicious payload.

The attacks give you the opportunity to monitor how your employees respond to a bogus email. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact the IT team to alert them of the threat?

Simulated phishing is an essential technique in an organisation’s cyber security practices. It complements traditional staff awareness training to assess the effectiveness of your programme in a real-world scenario.

https://www.itgovernance.co.uk/blog/what-are-you-doing-for-cyber-security-awareness-month?

Tags: Cyber Security Awareness Month


Oct 06 2022

Top Cybersecurity Threats for Public Sector

In the private sector, hackers and cybercriminals are prone to leaving organizations with good security infrastructures alone. Because they often go after low-hanging fruit, hacking into a well-protected network is perceived as more trouble than it’s worth.

But the public sector is a different matter entirely. The government and government agencies have access to assets and data that criminals would love to get their hands on, even with the added trouble. So, even though the public sector is well protected, it will not stop cybercriminals from attempting to break in.

The top cybersecurity threats for the public sector are as follows.

Phishing

An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.

Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.

While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.

Distributed Denial of Service (DDoS) Attacks

A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.

DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.

DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.

Nation-State Sponsored Cyber Attacks

With mainstream media broadcasting events daily, as they occur, on every channel imaginable (cable TV, smartphones, social media, etc.), cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even sabotage targets.

Nation-state-sponsored cyber attacks aim to

  • Hinder communication
  • Gather intelligence
  • Steal intellectual property
  • Damage digital and physical infrastructure

They are even used for financial gain.

Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.

Ransomware

Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.

Rewind to 2019, when the U.S. was hit by an unrelenting barrage of ransomware attacks that affected at least 966 government agencies, educational establishments, and healthcare providers, at a potential cost of $7.5 billion (Emsisoft).

These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.

The threat of ransomware attacks still looms today and is no less a concern in 2022 than it was in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.

What Can the Public Sector Do to Stay Ahead?

Beyond taking full advantage of the latest technology, public sector organizations that want to stay ahead of cyber security threats have to create a culture of cybersecurity within their organizations and offer ongoing training to their teams.

You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.

Top Cybersecurity Threats for Public Sector

Tags: Top Cybersecurity Threats


Oct 05 2022

WireShark 4.0.0 Released – What’s New?

Category: Network security | DISC @ 9:18 am

There are several open-source packet analyzers available, but Wireshark is among the most popular. Moreover, the application has been upgraded to version 4.0.0 and comes with multiple new features and fixes.

Wireshark is used not only by network administrators but also by security analysts to analyze packets.

Wireshark network protocol analyzer can be used for the following primary purposes:-

  • Troubleshooting
  • Analysis
  • Development
  • Education

Organizations of all sizes have adopted the tool and use it to support their business activities.

What’s New?

The official Windows 32-bit package of Wireshark is no longer being distributed with the release of this version. Here below we have mentioned all the new additions:-

  • With many new extensions available, the display filter syntax has become much more powerful.
  • Redesigns have been made to the Conversation and Endpoint dialogs.
  • Packet Detail and Packet Bytes are now displayed underneath the Packet List pane in the default layout for the main window.
  • A number of improvements have been made to the hex dump import from Wireshark and from text2pcap.
  • A great deal of improvement has been made in the performance of using MaxMind geolocation.

New and Updated Features

Here below we have mentioned all the new and updated features in this latest release:-

  • The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3.
  • The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70.
  • The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.
  • The ‘v’ (lower case) and ‘V’ (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
  • The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
  • New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analog to AT_STRINGZ.
  • The Conversation and Endpoint dialogs have been redesigned.
  • The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.
  • The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
  • The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.
  • The display filter syntax has been updated and enhanced. The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
  • The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
  • The IEEE 802.11 dissector supports Mesh Connex (MCX).
  • The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
  • The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in row without having to reenter the password each time. Passwords are never stored on disk.
  • It is possible to set extcap passwords in tshark and other CLI tools.
  • The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
  • Support to display JSON mapping for Protobuf message has been added.
  • macOS debugging symbols are now shipped in separate packages, similar to Windows packages.
  • In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated.
  • The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list.
  • The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session.
  • ciscodump now supports IOS, IOS-XE and ASA remote capturing.
  • The PCRE2 library is now required to build Wireshark.
  • You must now have a compiler with C11 support in order to build Wireshark.
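The ip.flags change in the list above is the one most likely to silently break existing display filters and coloring rules, so it is worth seeing exactly what moved. The following example is added here and is not code from the Wireshark project: it parses the flags/fragment-offset word of a constructed IPv4 header, computes the value ip.flags had before 4.0 (the whole high byte, as the release note describes it; the exact masking older versions applied is an assumption here) and the three-bit value it has now, and rewrites a filter that still compares ip.flags against an old byte value. The header bytes are constructed and the checksum is not meaningful.

```python
"""Shows the Wireshark 4.0 change to the ip.flags field. Added example, not
from the release notes or the Wireshark source. Before 4.0, ip.flags held the
full high byte of the flags/fragment-offset word (0x40 for DF); from 4.0 it
holds only the three flag bits (0x2 for DF), so old filters must be rewritten."""
import re
import struct
from typing import Dict

# Constructed 20-byte IPv4 header: DF set, fragment offset 0 (bytes 6-7 = 0x40 0x00).
HDR_DF = bytes.fromhex("4500003c1c46400040068b6ac0a80068c0a80001")
# Same header with MF set and fragment offset 185 (bytes 6-7 = 0x20 0xb9).
HDR_MF = HDR_DF[:6] + bytes.fromhex("20b9") + HDR_DF[8:]


def ip_flags_fields(header: bytes) -> Dict[str, int]:
    """Break the 16-bit flags/fragment-offset word into the fields Wireshark shows."""
    (word,) = struct.unpack("!H", header[6:8])
    return {
        "flags_old": word >> 8,        # pre-4.0 ip.flags: full high byte (assumed from the notes)
        "flags_new": word >> 13,       # 4.0 ip.flags: the three high bits only
        "rb": (word >> 15) & 1,        # ip.flags.rb  (reserved bit)
        "df": (word >> 14) & 1,        # ip.flags.df  (don't fragment)
        "mf": (word >> 13) & 1,        # ip.flags.mf  (more fragments)
        "frag_offset": word & 0x1FFF,  # ip.frag_offset (13 bits)
    }


# Matches comparisons of the bare ip.flags field against a number; the
# sub-fields ip.flags.df / ip.flags.mf are untouched because they did not change.
_FLAGS_CMP = re.compile(r"(ip\.flags\s*(?:==|!=|eq|ne)\s*)(0x[0-9a-fA-F]+|\d+)")


def rewrite_ip_flags_filter(display_filter: str) -> str:
    """Convert a pre-4.0 comparison such as 'ip.flags == 0x40' to the 4.0 form.
    The old byte value is shifted right by 5 so that only the flag bits remain."""
    def fix(m: re.Match) -> str:
        literal = m.group(2)
        value = int(literal, 16) if literal.lower().startswith("0x") else int(literal)
        return f"{m.group(1)}{value >> 5:#x}"
    return _FLAGS_CMP.sub(fix, display_filter)


if __name__ == "__main__":
    print(ip_flags_fields(HDR_DF))
    print(ip_flags_fields(HDR_MF))
    print(rewrite_ip_flags_filter("ip.flags == 0x40 && tcp.port == 443"))
```

Filters written against the sub-fields (ip.flags.df == 1) keep working across the upgrade; only rules that compared the combined ip.flags value against a byte constant need the shift, which is why the rewrite function leaves the sub-fields alone.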

WireShark 4.0.0 Released – What’s New!!

Wireshark for Security Professionals

Wireshark cheat sheet

Tags: wireshark, WireShark Cheat Sheet


Oct 04 2022

How cybersecurity frameworks apply to web application security

Category: App Security | DISC @ 2:26 pm

A cybersecurity framework provides a formal and comprehensive set of guidelines to help organizations define their security policies, assess cybersecurity posture, and improve resilience. Cybersecurity frameworks specify security controls, risk assessment methods, and suitable safeguards to protect information systems and data from cyberthreats. Though originally developed for government agencies and other large organizations, cybersecurity frameworks can also be a useful source of security best practices for medium and small businesses. Without getting too formal, let’s see what cybersecurity frameworks exist, why you may want to use one, and how to hand-pick the cybersecurity processes and actions that apply to your specific web application security program.

Why cybersecurity frameworks exist

Depending on the organization, a successful cyberattack can have serious social, economic, or even political consequences. Whether they result in a denial of service, a data breach, or a stealthy and persistent presence in targeted systems, cyberattacks are now a permanent concern not only for business and government but even for military operations. Well-defined cybersecurity programs are vital for organizations of all sizes, but simply saying “secure everything” isn’t good enough, especially given the complexity of today’s interconnected information systems and supply chains. And with data security and privacy high on the agenda, a systematic and formalized approach is necessary to identify specific security controls that keep sensitive information inaccessible to malicious actors.

With public and private organizations of all sizes facing similar cybersecurity events and challenges, it became clear that a common cybersecurity framework would benefit everyone. By working to a common set of best-practice policies and recommendations, everyone would be able to define their own cybersecurity practices and protective technologies while maintaining a common baseline for auditing and certification. And for organizations that may lack the resources or technical resources to design their own policies from scratch, having such a starter policy kit could be the only way to come up with a reasonably complete and effective cybersecurity policy.

Commonly used cybersecurity frameworks

You can think of a cybersecurity framework as a common box of parts for building cybersecurity policies. More formally, a cybersecurity framework can be any document that defines procedures and goals to guide more detailed policies. Existing documents that contain such cybersecurity guidelines include:

  • The NIST Cybersecurity Framework: The most widely used document for cybersecurity policy and planning, developed by the National Institute of Standards and Technology.
  • ISO 27001 Information Security Management: Guidelines for information security management systems (ISMS) prepared by the International Organization for Standardization.
  • CIS Critical Security Controls for Effective Cyber Defense: A framework of actions to protect organizations from known cyberthreats, prepared by the Center for Internet Security.
  • Risk management frameworks: Documents such as NIST’s Risk Management Framework (NIST SP 800-37 Rev. 2) and the ISO 27005:2018 standard for Information Security Risk Management focus on risk management strategies, including cybersecurity risk management.
  • Industry-specific frameworks: Many industries have their own security standards, such as PCI DSS for electronic payment processing, HIPAA rules for healthcare, or COBIT for IT management and governance.

A closer look at the NIST cybersecurity framework

In 2013, a US presidential executive order was issued calling for a standardized cybersecurity framework to describe and structure activities and methodologies related to cybersecurity. In response to this, NIST developed its Framework for Improving Critical Infrastructure Cybersecurity, commonly called the NIST Cybersecurity Framework (NIST CSF). It is a detailed policy document created not only to help organizations manage and reduce their cybersecurity risk but also to create a common language for communicating about cybersecurity activities. While the framework was initially intended only for companies managing critical infrastructure services in the US private sector, it is now widely used by public and private organizations of all sizes.

The NIST CSF is divided into three main components:

  • Framework core: The main informational part of the document, defining common activities and outcomes related to cybersecurity. All the core information is organized into functions, categories, and subcategories.
  • Framework profile: A subset of core categories and subcategories that a specific organization has chosen to apply based on its needs and risk assessments.
  • Implementation tiers: A set of policy implementation levels, intended to help organizations in defining and communicating their approach and the identified level of risk for their specific business environment.

The framework core provides a unified structure of cybersecurity management processes, with the five main functions being Identify, Protect, Detect, Respond, and Recover. For each function, multiple categories and subcategories are then defined. This is where organizations can pick and mix to put together a set of items for each function that corresponds to their individual risks, requirements, and expected outcomes. For clarity and brevity, each function and category has a unique letter identifier, so for example Asset Management within the Identify function is denoted as ID.AM, while Response Planning within the Respond function is RS.RP.

Each category includes subcategories that correspond to specific activities, and these subcategories get numerical identifiers. To give another example, the subcategory “Detection processes are tested” under the Detection Processes category of the Detect function is identified as DE.DP-3. Subcategory definitions are accompanied by references to the relevant sections of standards documents for quick access to the normative guidelines for each action.

NIST cybersecurity framework

Applying the NIST framework to application security

By design, the NIST CSF has an extremely broad scope and covers far more activities than any specific organization is likely to need. To apply the framework to web application security, you start by analyzing each of the five functions as they relate to your existing and planned application security activities and risk management processes. Then, you select the categories and subcategories relevant to your specific needs and use them as the backbone of your own security policy to ensure you cover all the risks and activities you need. For general web application security, a skeleton cybersecurity policy would need to include at least the following subcategories for each function:

Identify:

  • ID.AM-2: Software platforms and applications within the organization are inventoried
  • ID.RA-1: Asset vulnerabilities are identified and documented

Protect:

  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  • PR.DS-2: Data-in-transit is protected
  • PR.IP-10: Incident response and recovery plans are tested

Detect:

  • DE.AE-2: Detected events are analyzed to understand attack targets and methods
  • DE.CM-8: Vulnerability scans are performed

Respond:

  • RS.RP-1: Response plan is executed during or after an incident
  • RS.AN-1: Notifications from detection systems are investigated

Recover:

  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
  • RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

IBM Application Security for Developers (Free)

Learn to identify security vulnerabilities in applications and implement secure code practices to prevent events like data breaches and leaks. Become familiar with DevSecOps practices, and SAST for identifying security flaws.

Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Tags: Countermeasures for Modern Web Applications, Web Application Security


Oct 04 2022

Chrome 106 Released – Google Fixed 20 Security Bugs – Update Now!

Category: Web Security | DISC @ 1:54 pm

The Chrome web browser was recently updated to a new stable version released by Google. Google Chrome’s updated version Chrome 106 offers a number of brand-new features and improvements, and it also includes a number of security updates.

The new version of Chrome 106 has been already released by Google to the stable channel for all the major platforms:-

  • Windows (Chrome 106.0.5249.61/62)
  • Mac (Chrome 106.0.5249.61)
  • Linux (Chrome 106.0.5249.61)

In the course of hours, days, or even weeks, the update will be rolled out to all devices throughout the world in phases. 

Security fixes

This update contains 20 security fixes that have been applied to Chrome 106 Stable so far. As usual, the official release notes only include a list of security issues that were reported externally to the developers. 

There are different levels of security ratings, the highest being high. There have been at least five security issues that have been publicly disclosed. These five flaws were rated as high, while the remaining have been rated between medium and low.

Here below we have mentioned those five high severity security vulnerabilities:-

  • CVE-2022-3304: Use after free in CSS.
  • CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools.
  • CVE-2022-3305: Use after free in Survey.
  • CVE-2022-3306: Use after free in Survey.
  • CVE-2022-3307: Use after free in Media.

There seem to be no exploits in the wild that take advantage of any of the issues. The release notes for this version do not mention anything about that.

Update Now

To speed up the installation of the Chrome 106 update, Chrome users can load the following URL in the address bar of the browser:-

  • chrome://settings/help

Whenever you open this webpage in Chrome, it will display the current version and automatically check for any updates that have been released.

Chrome 106 Released – Google Fixed 20 Security Bugs – Update Now!

Tags: chrome bugs


Oct 04 2022

BlackCat Ransomware Gang Claims to Have Hacked US Department of Defense Contractor

Category: Hacking, Ransomware | DISC @ 8:47 am

NJVC has been added to the victim list of the BlackCat (ALPHV) ransomware gang. NJVC provides IT support to the US government’s intelligence and defense organizations.

With annual revenue of over $290 million, the company NJVC has a very impressive record. It is claimed that the BlackCat Ransomware Gang has hacked the Department of Defense of the United States of America.

https://twitter.com/ido_cohen2/status/1575400938445148160?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1575400938445148160%7Ctwgr%5E976c826f6097a93f3c2ed9be16ee13aa180e1e03%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fgbhackers.com%2Fblackcat-ransomware-gang%2F

DarkFeed, a deep web intelligence company that monitors the dark web, spotted the message on 28 September. BlackCat had provided a breach declaration, which was immediately suspended, The Register said.

Until 30 September, the Dark Web site that hosted BlackCat’s leak site was accessible. NJVC is no longer listed as a victim of the gang and has been removed from its website.

“We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material,” ALPHV said, per the screenshot.

Professional Rookies

BlackCat ransomware, which is written in the Rust programming language, was first observed in late 2021.

Like many other groups in the criminal underworld, the organization operates a ransomware-as-a-service (RaaS) business model.

Threat actors who started deploying BlackCat are known to have previously used a number of prominent ransomware families:

  • Conti
  • LockBit
  • REvil

BlackCat is linked with the DarkSide and BlackMatter ransomware cartels, which suggests the group has a well-established network with close ties across the ransomware business.

BlackCat has been one of the most active and prominent ransomware gangs in recent years; it is estimated that roughly 12% of all attacks in 2022 were perpetrated by this group.

The group’s activity is estimated to have increased by 117% compared with the previous quarter. Moreover, as part of its strategy, the group targets high-profile, critical industries.

Cheerscrypt Linux-based Ransomware Encrypt Both Linux & Windows Systems

Ransomware Protection Playbook

Tags: BlackCat, Department of Defense


Oct 03 2022

RansomEXX gang claims to have hacked Ferrari and leaked online internal documents

Category: RansomwareDISC @ 10:13 am

The Italian luxury sports car manufacturer Ferrari confirmed the availability of internal documents online, but said it has no evidence of cyber attack.

Documents belonging to the Italian luxury sports car manufacturer Ferrari are circulating online; the company confirmed their authenticity while stating that it is not aware of any cyber attack.


Ferrari is investigating the leak of the internal documents and announced it will implement all the necessary actions.

While the circumstances suggest the company could have suffered a ransomware attack, the car manufacturer said it has no evidence of a compromise of its systems or of ransomware, adding that its business and operations were not impacted.

The news of the alleged cyber attack was first reported by the Italian website Red Hot Cyber, which noted that the ransomware gang RansomEXX claimed on its Tor leak site to have breached the popular car maker.

The ransomware group claimed to have stolen 6.99GB of data, including internal documents, datasheets, repair manuals, etc.

The source of the documents is still unclear. In the past, the ransomware gang Everest breached the systems of Speroni SPA, a company in the supply chain of multiple car makers including Ferrari, and leaked company documents online.

Tags: Ferrari


Oct 03 2022

State-Sponsored Hackers Used MS Exchange 0-Day Bugs to Attack At least 10 Orgs

Category: Hacking,Zero dayDISC @ 8:44 am

In August 2022, hackers launched a limited wave of attacks that targeted at least 10 organizations around the world.

In these attacks the hackers exploited two newly disclosed zero-day vulnerabilities in order to gain access to and compromise Exchange servers.

The Chopper web shell was installed during these attacks to facilitate hands-on-keyboard access. Attackers use this technique to gain access to Active Directory in order to perform reconnaissance and exfiltrate data.

Given that these vulnerabilities are already being exploited in the wild, it is likely that they will be weaponized further in the coming days.

0-Day Flaws Exploited

The two 0-day flaws exploited by the hackers in the wild to attack the 10 organizations are:

  • CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability (CVSS score 8.8).
  • CVE-2022-41082: Microsoft Exchange Server Remote Code Execution Vulnerability (CVSS score 8.8).

The combination of these two zero-day vulnerabilities has been named “ProxyNotShell.” Exploiting them requires only a standard account authenticated through the standard authentication process.

The credentials of standard users can be acquired in many different ways. GTSC, a Vietnamese cybersecurity company, was the first to discover the vulnerabilities being exploited.

It is suspected that these intrusions were carried out by a Chinese threat actor.

Mitigation

No action is required on the part of Microsoft Exchange Online customers. For customers running on-premises Exchange, Microsoft recommended reviewing its URL Rewrite instructions and implementing them immediately.

If you are a Microsoft Exchange Server user using Microsoft 365 Defender, follow the checklist provided by Microsoft:

  • Enable cloud-based protection in Microsoft Defender Antivirus.
  • Enable tamper protection to prevent attackers from interrupting security services.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block the malicious artifacts it detects.
  • Enable network protection to block access to malicious domains and other malicious content.
  • Enable full automation for investigation and remediation, so that Microsoft Defender for Endpoint can act on breaches immediately.
  • Enable device discovery to gain greater visibility into what is happening on your network.

As additional preventive measures, Microsoft also recommended that users:

  • Enable multi-factor authentication (MFA)
  • Disable legacy authentication
  • Do not accept suspicious or unknown 2FA prompts
  • Use complex passwords

Tags: MS Exchange 0-Day, State-Sponsored Hackers


Oct 02 2022

White House Releases Software Supply Chain Security Guidance

Category: Vendor AssessmentDISC @ 1:39 pm

The White House published a memo requiring agencies to comply with guidance from the Office of Management and Budget (OMB) which aims to improve software supply chain integrity and security. 

Signed by OMB Director Shalanda Young, the memo builds on Executive Order (EO) 14028, Improving the Nation’s Cybersecurity from May 2021, which is focused on the security and integrity of the software supply chain.

That EO emphasized the importance of secure software development environments and directed the National Institute of Standards and Technology (NIST) to issue guidance identifying practices that enhance the security of the software supply chain.

The recent memo, published on September 14, requires each federal agency to comply with the NIST guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, said it is heartening to see the memo establish a desire for consistency in the process by which agencies obtain self-attestations from suppliers.

“Such consistency and any eventually-centralized repository should help minimize the burden suppliers have in complying with the requirements of this memo,” he explained. “This is the first point where we have a directive for agencies to comply with guidance emerging from EO 14028.”

Software Supply Chain Security: A Challenging Space

Mackey said the single most important thing to realize is that software security is a problem space and that there is no silver bullet.

“No single action will prevent the next ransomware attack and the execution of tools doesn’t inherently fix vulnerabilities,” he said. “This is a highly technical space that is rather complex and nuanced. Well-intentioned humans will always make some mistakes and perfection isn’t attainable.”

That means the IT security industry needs to accept that software will always have weaknesses that can be exploited in certain circumstances.

“The moment you combine software into a supply chain, the potential for weaknesses increases and the potential for the authors of components within the supply chain to know the circumstances of how their software is used goes down,” Mackey said. 

Rick Holland, CISO and vice president of strategy at Digital Shadows, a provider of digital risk protection solutions, said from his perspective, the White House’s EO on improving the nation’s cybersecurity was a step in the right direction.

He said the OMB guidance is another good step; however, he added that this is a very long journey that will be measured not in months, but in years and, possibly, decades.

“The guidance focuses on vendor self-attestations and not independent validation,” he pointed out. “A government software supplier could claim to comply with NIST standards, but without third-party confirmation, the agency won’t know for sure. Zero-trust principles should apply here, too; don’t trust that a supplier is compliant—confirm it.”

He argued that the biggest threat to supply chain security is the complexity in defending against supply chain threats.

“Point-in-time security questionnaires are a legal requirement, not a preventive control. The number of third-party providers can be staggering, with security teams having to assess hundreds of providers,” he said.

Holland pointed out that security teams often don’t know the sensitive data their suppliers can access or the attack paths coming from their partners.

“Adversaries often do a better job of data discovery than defenders,” he added. 

A Plan For Moving Forward

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cybersecurity risk remediation, said the idea behind the government’s plan is good and the NIST guidelines are solid.

“What remains to be seen is how vendors will implement the guidance and whether it is enough to deal with a very dynamic threat space,” he added. 

He said while zero-day vulnerabilities still get the biggest headlines, the fact remains that users represent the broadest threat surface.

“Phishing, social engineering and other attacks against personnel remain consistent threat vectors and will almost certainly remain so,” he explained. “Having the most secure application code and supply chain won’t help when users are still giving up their passwords.”

Parkin said by requiring third-party vendors to adhere to the NIST standards, they can encourage them to develop software that is more secure and more robust—but that only really applies to vendors that want to work in the government space.

“They can’t necessarily push those standards on the public sector,” he noted. “And without a robust testing scheme to assure that when a vendor says ‘We comply’, that they actually do, some risks will remain.”

Mackey said mitigating software supply chain threats requires an understanding of the risk such threats pose to both the production of software and its associated operation and communicating the nature of those risks from producers to operators.

Properly managing software supply risk requires teams to move from a paradigm where tools are run and teams “do security” to one where the impact of findings from tools are understood and mitigations are made based on the context of how the given application runs.

“Solving this problem requires teams to think in terms of risk analysis first and then identify which tooling is best positioned to provide data supporting the analysis,” he explained.

Parkin added that threat actors have always adapted to the defenses put in place to stop them, and it’s difficult to say what technique they’ll shift to next.

“They will continue to look for vulnerabilities in the software, and they will continue to go after the users using whatever technique they find works,” he warned.


Tags: Software Supply Chain Security Guidance


Oct 01 2022

New WhatsApp 0-Day Bug Let Hackers Execute a Code & Take Full App Control Remotely

Category: Security vulnerabilities,Zero dayDISC @ 11:23 am

WhatsApp silently fixed two critical zero-day vulnerabilities that affect both the Android and iOS versions and allow attackers to execute arbitrary code remotely.

Facebook-owned WhatsApp is one of the top-ranked messaging apps, with more than a billion users around the world on both Android and iPhone.

Both vulnerabilities are rated “critical” severity with a CVSS score of 10/10 and were found by the WhatsApp internal security team.

Put simply, these vulnerabilities could allow a device to be compromised by receiving a video file or while on a video call.

CVE-2022-36934 – Integer Overflow Bug

An integer overflow bug in WhatsApp allows attackers to execute arbitrary code via specially crafted input during an established video call, without any user interaction.

An integer overflow, also known as “wraparound”, occurs when an integer value is incremented to a value that is too large to store in the associated representation.

This RCE bug affects unspecified code in the WhatsApp Video Call Handler component; an attacker can abuse it to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.

“A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().”

Hackers can take advantage of this remote code execution vulnerability to deploy malware on the user’s device to steal sensitive files or for surveillance purposes.

According to the WhatsApp advisory, “An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.”
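The following is an added illustration of the integer-overflow-to-heap-overflow pattern described above; it is example code written for this page, not WhatsApp’s code, and the `frame_header_t` layout, the `MAX_FRAME_BYTES` cap and the function names are hypothetical. It shows how 32-bit size arithmetic on attacker-controlled frame dimensions wraps to an undersized allocation, and how checked multiplication plus a sanity bound and an exact length check prevent it:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header of an incoming video frame (constructed for this
 * example; not WhatsApp's real format). All fields are attacker-controlled. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} frame_header_t;

/* Upper bound a sane frame could need; anything larger is rejected. */
#define MAX_FRAME_BYTES (64u * 1024u * 1024u)

/* VULNERABLE size computation: the product is evaluated in 32 bits and
 * silently wraps around ("integer overflow"), so a huge frame can yield a
 * tiny size. Copying width*height*bytes_per_pixel bytes into a buffer of
 * that tiny size is the heap-based buffer overflow. */
uint32_t frame_size_vulnerable(const frame_header_t *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* HARDENED size computation: every multiplication is overflow-checked
 * (GCC/Clang builtin) and the result is bounded by MAX_FRAME_BYTES.
 * Returns false if the header cannot describe a valid frame. */
bool frame_size_checked(const frame_header_t *h, size_t *out)
{
    size_t tmp;
    if (__builtin_mul_overflow((size_t)h->width, (size_t)h->height, &tmp))
        return false;
    if (__builtin_mul_overflow(tmp, (size_t)h->bytes_per_pixel, &tmp))
        return false;
    if (tmp == 0 || tmp > MAX_FRAME_BYTES)
        return false;
    *out = tmp;
    return true;
}

/* True when the vulnerable path would allocate fewer bytes than the frame
 * actually carries, i.e. the header would trigger the overflow. The real
 * size is computed with 64-bit checked arithmetic so this test cannot wrap. */
bool header_triggers_overflow(const frame_header_t *h)
{
    uint64_t real;
    if (__builtin_mul_overflow((uint64_t)h->width, (uint64_t)h->height, &real) ||
        __builtin_mul_overflow(real, (uint64_t)h->bytes_per_pixel, &real))
        return true; /* does not even fit in 64 bits: certainly wraps in 32 */
    return (uint64_t)frame_size_vulnerable(h) < real;
}

/* Hardened frame intake: copies the payload only if the header is valid and
 * the payload length matches the computed size exactly. Returns NULL on
 * rejection or allocation failure; caller frees the result. */
uint8_t *copy_frame_checked(const frame_header_t *h, const uint8_t *payload,
                            size_t payload_len)
{
    size_t need;
    if (!frame_size_checked(h, &need) || payload_len != need)
        return NULL;
    uint8_t *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, payload, need);
    return buf;
}

int main(void)
{
    /* Constructed malicious header: 65536 * 65537 * 1 = 2^32 + 65536,
     * which wraps to 65536 in 32-bit arithmetic. */
    frame_header_t evil = { 65536u, 65537u, 1u };
    frame_header_t sane = { 640u, 480u, 3u };
    size_t n = 0;

    printf("evil: vulnerable size=%u, triggers overflow=%d, checked accepts=%d\n",
           frame_size_vulnerable(&evil), (int)header_triggers_overflow(&evil),
           (int)frame_size_checked(&evil, &n));
    printf("sane: vulnerable size=%u, checked size=%zu\n",
           frame_size_vulnerable(&sane), frame_size_checked(&sane, &n) ? n : 0);
    return 0;
}
```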

CVE-2022-27492 – Integer Underflow Bug


Tags: WhatsApp 0-Day


Sep 30 2022

LIST OF Materials for ISO Internal Audit

Category: Information Security,ISO 27kDISC @ 2:55 pm

Tags: ISO internal audit


Sep 30 2022

Parrot Security OS 5.1 Release

Category: Linux SecurityDISC @ 8:30 am

Parrot 5.1 – What’s New?

Parrot created the latest release of the operating system to ensure it was as stable and adaptable as possible. There are a number of factors that have contributed to the success of this project.


The new additions are:

  • New kernel 5.18
  • Updated docker containers
  • Updated backports
  • System updates
  • Firefox profile overhaul
  • Major updates for tools
  • New AnonSurf 4.0
  • Parrot IoT improvements
  • Architect Edition improvements
  • New infrastructure powered by Parrot and Kubernetes

How to Download or Update?

Parrot OS 5.1 can be downloaded from the following link. To keep users safe, ParrotSec recommends that users never trust third-party sources.

You can also use the official torrent files if the direct downloads are not working for you; in most cases this gets around firewall and network restrictions.

If you are already using an older version of Parrot OS, you can update to the latest version with one of the following commands:

sudo parrot-upgrade

or

sudo apt update && sudo apt full-upgrade

Parrot Security OS 5.1


Tags: Parrot Security OS 5.1


Sep 29 2022

6 Pocket eBooks every ISO professional should read

Category: ISO 27kDISC @ 1:15 pm

If you’re into ISO implementation or auditing, then you know that ISO books are a valuable resource. They can teach you new things, introduce you to new concepts around implementation, auditing and help you stay up-to-date on the latest trends in your field. That’s why I’ve put together this list of 6 essential reference eBooks for ISO professionals.

ISO INTERNAL AUDIT: A PLAIN ENGLISH GUIDE

THE SHORT HANDBOOK CONTAINING EXPERT GUIDANCE ON ISO INTERNAL AUDIT

Author, auditor, and experienced ISO consultant Dejan Kosutic has created this shorter book, as part of the handbook ISO pocket book series, focused solely on preparing for the ISO internal audit.

This book, ISO Internal Audit: A Plain English Guide, is based on Advisera’s internal auditor online courses. It provides a quick read for people who are focused solely on preparing for ISO 9001, ISO 14001, ISO 27001, OHSAS 18001, ISO 22000, ISO 20000, or internal audits against any other ISO standard, and don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical tips to prepare for the ISO internal audit without struggle, stress, or headaches.

PREPARATIONS FOR THE ISO IMPLEMENTATION PROJECT:
A PLAIN ENGLISH GUIDE

Author and experienced ISO consultant Dejan Kosutic has created this shorter book as part of the ISO pocket book series, focused solely on preparation for the ISO implementation.

This book, Preparations for the ISO Implementation Project: A Plain English Guide, is based on an excerpt from Kosutic’s previous book Secure & Simple. It provides a quick read for people who are focused solely on preparation for the implementation of an ISO standard (e.g., ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, or IATF 16949), and who don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical advice you need to prepare for your ISO implementation without struggle, stress, or headaches.

MANAGING ISO DOCUMENTATION: A PLAIN ENGLISH GUIDE

Author and experienced ISO consultant Dejan Kosutic has created this shorter book, as part of the ISO pocket book series, focused solely on managing ISO documentation.

This book, Managing ISO Documentation: A Plain English Guide, is based on an excerpt from Kosutic’s previous book Secure & Simple. It provides a quick read for people who are focused solely on preparing documentation for ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, and/or IATF 16949, and don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical tips to manage your ISO documentation without struggle, stress, or headaches.

PREPARING FOR ISO CERTIFICATION AUDIT: A PLAIN ENGLISH GUIDE

Author, certification auditor, and experienced ISO consultant Dejan Kosutic has created this shorter book, as part of the handbook ISO pocket book series, focused solely on preparing for the ISO 9001/ISO 14001/ISO 27001 certification audit.

This book, Preparing for ISO Certification Audit: A Plain English Guide, is based on an excerpt from Kosutic’s previous book Secure & Simple. It provides a quick read for people who are focused solely on preparing for ISO 9001, ISO 14001, ISO 27001, or certification audit against any other ISO standard, and don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical tips to prepare for the ISO certification audit process and pass the certification without struggle, stress, or headaches.

ISO 27001 ANNEX A CONTROLS IN PLAIN ENGLISH

Author and experienced information security consultant Dejan Kosutic has created this shorter book, as part of the ISO pocket book series, focused solely on safeguards specified in ISO 27001:2013.

This book, ISO 27001 Annex A Controls in Plain English, is based on an excerpt from his previous book Secure & Simple. It provides a quick read for people who are focused solely on security controls, and don’t have the time (or need) to read a comprehensive book about ISO 27001. This series of handbooks has one aim in mind: To help you understand what these 114 controls are all about.
In the second book of this series, ISO 27001 Annex A Controls in Plain English.

ISO 27001 RISK MANAGEMENT IN PLAIN ENGLISH

THE SHORT HANDBOOK CONTAINING EXPERT GUIDANCE FOR THE RISK MANAGEMENT OF ISO 27001

Author and experienced information security consultant Dejan Kosutic has created this shorter book, as part of the handbook ISO pocket book series, focused solely on the issues of risk management according to ISO 27001.

This book, ISO 27001 Risk Management in Plain English, is based on an excerpt from his previous book Secure & Simple. It provides a quick read for people who are focused solely on risk management, and don’t have the time (or need) to read a comprehensive book about ISO 27001. It has one aim in mind: to give you the knowledge and practical step-by-step process you need to successfully implement ISO 27001 risk assessment and treatment – without struggle, stress, or headaches.

Tags: ISO Cert Audit, ISO controls, ISO documentation, ISO implementation, ISO internal audit


Sep 29 2022

A cracked copy of Brute Ratel post-exploitation tool leaked on hacking forums

Category: HackingDISC @ 8:27 am

The Brute Ratel post-exploitation toolkit has been cracked and now is available in the underground hacking and cybercrime communities.

Threat actors have cracked the Brute Ratel C4 (BRC4) post-exploitation toolkit and leaked it for free in the cybercrime underground. The availability of the cracked version of the tool was first reported by the cybersecurity researcher Will Thomas (@BushidoToken).

BRc4 payloads are less common than Cobalt Strike beacons but have similar capabilities. The tool was specifically designed to avoid detection by security solutions such as endpoint detection and response (EDR) and antivirus (AV), and its effectiveness at doing so can be seen in the lack of detection across vendors on VirusTotal.

“Brute Ratel is the most advanced Red Team & Adversary Simulation Software in the current C2 Market. It can not only emulate different stages of an attacker killchain, but also provide a systematic timeline and graph for each of the attacks executed to help the Security Operations Team validate the attacks and improve the internal defensive mechanisms.” reads the description of the tool on its website. “Brute Ratel comes prebuilt with several OpSec features which can ease a Red Team’s task to focus more on the analytical part of an engagement instead of focusing or depending on Open source tools for post-exploitation. Brute Ratel is a post-exploitation C2 in the end and however does not provide exploit generation features like metasploit or vulnerability scanning features like Nessus, Acunetix or BurpSuite.”

In June, researchers from Palo Alto Networks Unit 42 warned that threat actors are abusing legitimate adversary simulation software BRc4 in their campaigns to evade detection.

In July 2022, Sophos investigated an incident involving the use of the Brute Ratel tool in the wild, alongside Cobalt Strike, that was carried out by ALPHV/BlackCat ransomware gang. 

Thomas is warning that a cracked copy of Brute Ratel is now circulating on multiple underground forums.

On 13 September 2022, an archive file called “bruteratel_1.2.2.Scandinavian_Defense.tar.gz” was uploaded to VirusTotal. This file contains a valid copy of BRC4 version 1.2.2/5. 

Two weeks later, on 28 September, the author of BRC4, Chetan Nayak, confirmed the leak of the tool by MdSec; he blamed a Russian-speaking group known as Molecules for the leak of the cracked copy.

“This means that with the right instructions, the cracked tool can now be run without the activation key that is required to launch the full software and use its features.” wrote Thomas. “There are now multiple posts on multiple of the most populated cybercrime forums where data brokers, malware developers, initial access brokers, and ransomware affiliates all hang out. This includes BreachForums, CryptBB, RAMP, Exploit[.]in, and Xss[.]is, as well as various Telegram and Discord groups. Threat actors connected to various organized cybercrime groups have expressed interest in the leak of the new tool.”

Searching active threads on hacking forums like XSS, it is already possible to find the cracked version of Brute Ratel C4 version 1.2.2.


The availability of the tool in the wild is very concerning because the post-exploitation tool can generate shellcode that is undetected by many EDR and AV products.

“This extended window of detection evasion can give threat actors enough time to establish initial access, begin lateral movement, and achieve persistence elsewhere. Due to its evasive generation of new payloads it renders stopping Brute Ratel by the traditional blocking of Indicators of Compromise (IOCs) inadequate. It is recommended that defenders use behaviour-based detection opportunities to thwart attacks, like the ones outlined in MdSec’s blog (see here).” concludes Thomas. “Overall, enterprises and public sector organizations must recognize the imminent threat of the proliferation of this tool. Its capabilities closely align with the objectives of ransomware groups that are already highly active and looking for new windows of opportunity.”

Tags: Brute Ratel, post-exploitation tool


Sep 28 2022

5 Books Every API Hacker Should Read

If you’re into web API security testing, then you know that API hacking books are a valuable resource. They can teach you new things, introduce you to new concepts around breaking web application programming and help you stay up-to-date on the latest trends in your field. That’s why I’ve put together this list of 5 essential books for any API hacker!

API security and you

So before I go through the list of book recommendations, I want to preface that if you are a security researcher who wants to conduct web API security testing, the reality is it’s just as important to focus on the web applications themselves.

As such, a crash course in web hacking fundamentals never hurts. So some of my recommendations may seem more focused on that than on breaking web application programming interfaces.

You may also notice that I also recommend a few books that focus on bounty programs and make it possible to make a living as you break APIs.

The point is, regardless of where you are in your API hacking career, these books can help. I have organized them in such a way that if you can’t afford to buy them all just yet, start from the top and work your way down.

Book #1: Hacking APIs: Breaking Web Application Programming Interfaces

Link: Hacking APIs: Breaking Web Application Programming Interfaces

Book Review

This is one of the few books that is actually dedicated to API hacking.

This book is a great resource for anyone who wants to learn more about API security and how to hack into web applications. It provides in-depth information on how to break through various types of APIs, as well as tips on how to stay ahead of the curve in this rapidly changing field. Corey also shares his own personal experiences with API hacking, which makes the content even more valuable. If you’re interested in learning more about API security and want to start from the basics, then this is the perfect book for you!

Book #2: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

Link: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

Book Review

This book is a tome of information. It’s the oldest book on the list and by far the largest.

The Web Application Hacker’s Handbook is an essential read for anyone looking to understand how web application vulnerabilities are discovered and exploited. The book is filled with in-depth technical information and real-world examples that will help you understand the inner workings of web applications and how to protect them from potential attacks.

One of the best features of this book is the “Hands-On” sections, which provide you with step-by-step instructions on how to find and exploit various vulnerabilities. This makes it an ideal resource for both beginner and experienced hackers alike.

If you’re looking to beef up your skills in web application security, then The Web Application Hacker’s Handbook is a must-read!

Book #3: Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Link: Web Application Security: Exploitation and Countermeasures for Modern Web Applications 1st Edition

Book Review

Sometimes before focusing on offense, we have to know defensive tactics.

This book provides in-depth coverage of all the major areas of web application security, from vulnerabilities and exploits to countermeasures and defense strategies. Written by security expert Andrew Hoffman, this book is packed with real-world examples and step-by-step instructions that will help you understand how developers protect their web applications from potential attacks.

If you’re serious about web application security, then this is the perfect book for you!

Book #4: Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities

Link: Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities

Book Review

If you are looking at being an independent security researcher focused on web API security testing, finding high payout API bugs may be important.

Bug Bounty Bootcamp is a guide to becoming a bug bounty hunter. The book covers the basics of hunting for bugs, including how to find and report them. It also includes a number of case studies of successful bug bounty hunting, detailing methods and strategies.

In chapter 24 of the Expert Techniques section, Vicki goes deeper into discussing multiple API attack techniques.

Overall, Bug Bounty Bootcamp is an informative and well-written guide that should be of interest to anyone considering a career in API hacking through bug bounty hunting.

Book #5: Real-World Bug Hunting: A Field Guide to Web Hacking

Link: Real-World Bug Hunting: A Field Guide to Web Hacking

Book Review

“Real-World Bug Hunting” is a brilliant resource for anyone who aspires to be a professional bug hunter. The book is written by Peter Yaworski, who is himself a professional bug hunter.

He begins by delving into the mindset of a bug hunter – what drives them to find vulnerabilities in software and systems? He then provides an overview of the bug hunting process, from identifying potential targets to writing up a report. The bulk of the book is devoted to teaching readers how to find and exploit common web application vulnerabilities.

Yaworski provides clear and concise explanations of each vulnerability, along with examples of real-world exploits. He also offers advice on how to avoid getting caught by security teams and how to maximize the value of your findings. “Real-World Bug Hunting” is an essential read for anyone who wants to make a career out of finding bugs.

Conclusion

These five books are essential readings for anyone interested in hacking APIs. They provide detailed information on how to find and exploit vulnerabilities, as well as defensive tactics and strategies. If you want to be a successful API bug bounty hunter, then these books will also give you the tools and techniques you need to get started.

InfoSec Books

So You Want to Write an Infosec Book? | Chris Sanders

Tags: API books, InfoSec books


Sep 28 2022

How Can WAF Prevent OWASP Top 10?

Category: next generation firewall,Web SecurityDISC @ 9:11 am

The OWASP Top 10 security risks point out the common vulnerabilities seen in web applications. But it does not list the set of attack vectors that WAFs (Web Application Firewalls) can simply block. This is but a myth often propagated by many a security vendor. OWASP Top 10 protection is the joint responsibility of the security vendor and the application developers.

There is a lot that an effective security solution and WAF can do to secure OWASP vulnerabilities. But in some cases, the security solution may not be able to give complete coverage against it and requires the developers/ organizations to take preventive action. 

In this article, we help you understand how a comprehensive, intelligent, and fully managed WAF can augment OWASP Top 10 protection. 

A Quick Introduction to WAF 

WAF is the first line of defense between the web application and the web traffic, filtering out malicious requests and bad traffic at the network edge. The best WAFs are part of larger security solutions that combine deep, intelligent scanning, bot management, API protection, etc., with OWASP protection. They also leverage self-learning AI, behavioral and pattern analysis, security analytics, global threat feeds, and cloud computing in combination with human expertise. 

WAFs and OWASP Top 10 Protection

Broken Access Control 

To effectively prevent this OWASP vulnerability, organizations must fix their access control model. WAFs can help organizations by 

  • Proactively identifying attack vectors leveraged by attackers to exploit vulnerabilities such as design flaws, bugs, default passwords, vulnerable components, etc. 
  • Testing for the insecure direct object reference, local file inclusions, and directory traversals
  • Providing visibility into the security posture, including access control violations
  • Implementing custom rate limiting and geo limiting policies.

Cryptographic Failures

The encryption of everything, at rest and in transit, is necessary for OWASP Top 10 protection against cryptographic failures. WAFs augment protection by testing for weak SSL/TLS ciphers, insufficient transport layer protection, crypto agility, sensitive information sent via unencrypted channels, credentials transmitted over encrypted channels, etc. Organizations can then fix any issues that are identified. 

Injections

User input sanitization, validation, and parameterized queries are critical to prevent this risk. For OWASP protection against injections, WAFs use a combination of whitelist and blacklist models to identify all types of injection – command, SQL, code, etc. 

WAFs leverage behavior, pattern, and heuristic analytics and client reputation monitoring to proactively detect anomalous behavior and prevent malicious requests from reaching and being executed by servers. They use virtual patching to instantly secure injection flaws and prevent attackers’ exploitation. 

Also, Download Your Copy of OWASP Top 10 2022 Playbook

Insecure Design 

By integrating the WAF and the security solution into the early stages of software development, organizations can continuously monitor and test for security weaknesses. For instance, by deploying a WAF early in the SDLC, organizations can identify insecure code, components with known vulnerabilities, flawed business logic, etc., and fix them before release. This helps build secure-by-design websites and apps.  

Security Misconfigurations 

For OWASP Top 10 protection against security misconfigurations, WAFs use a combination of fingerprinting analysis and testing. They fingerprint web servers, web frameworks, and the application itself and test error codes, HTTP methods, stack traces, and RIA cross-domain policies to look for security misconfigurations. 

WAFs use automated workflows to intelligently detect misconfigurations, including default passwords, configurations, unused features, verbose error messages, etc. They virtually patch these misconfigurations to prevent exploitation by threat actors. They offer real-time visibility into the security posture and insightful reports, enabling organizations to keep hardening their security posture. 

Vulnerable and Outdated Components 

The intelligent scanning capabilities of WAFs enable organizations to continuously detect vulnerable and outdated components. Here, again instantaneous virtual patching helps secure these OWASP vulnerabilities until fixed by developers. 

Identification and Authentication Failures

Organizations must implement effective session management policies, strong password policies, and multi-factor authentication for OWASP Top 10 protection against identification and authentication failures. Intelligent WAFs leverage their strong technological capabilities to accurately identify these failures. 

They leverage their bot detection capabilities – workflow validation, fingerprinting, and behavioral analysis – to prevent brute force attacks, credential stuffing, and other bot attacks resulting from the exploitation of broken authentication and session management. 

Software and Data Integrity Failures

WAFs are equipped to detect these OWASP security risks effectively using their continuous scanning and pen-testing capabilities. They use a combination of negative and positive security models to prevent this risk. 

Security Logging and Monitoring Failures

The best WAFs offer ongoing logging and monitoring features and complete visibility into the security posture. They offer cohesive dashboards that can be used to generate customizable and visual reports, gain critical insights and recommendations to improve security, etc. 

Server-Side Request Forgery (SSRF)

For protection against SSRF, implementation of positive rules, user input validation, etc., by the organizations is critical. WAFs, on their end, can be configured to block unwanted website traffic by default, encrypting responses, preventing HTTP redirections, etc. 

OWASP Top 10 security risks

Web Application Firewall WAF A Complete Guide

Tags: Next-Gen WAF protection, OWASP Top 10, WAF


Sep 28 2022

Time to Change Our Flawed Approach to Security Awareness

Category: Security AwarenessDISC @ 8:52 am

Defend against phishing attacks with more than user training. Measure users’ suspicion levels along with cognitive and behavioral factors, then build a risk index and use the information to better protect those who are most vulnerable.


Our approach to security awareness is flawed. And we must change it.

As Russian tanks creaked into Ukraine, CEOs and IT managers throughout the United States and much of the free world started sending out emails warning their employees about impending spear-phishing attacks.

It made sense: Spear-phishing was what Russians had used on Ukrainians many times in the past half of a decade, such as when they shut down the country’s electrical grid on one of its coldest winter nights. It was also what the Russians had used against the Democratic National Committee and targets across the US.

At one end, the email missives from CEOs were refreshing. People were serious about the threat of phishing, which wasn’t the case in 2014 when I started warning about its dangers on CNN.

At the other end, it was sobering. There wasn’t much else organizations had figured out to do.

Sending messages to warn people was what AOL’s CEO resorted to back in 1997, when spear-phishing first emerged and got its name. Budding hackers of the time were impersonating AOL administrators and fishing for subscribers’ personal information. That was almost three decades ago, many lifetimes in Internet years.

In the interim, organizations have spent billions on security technologies and countless hours in security training. For context, a decade ago, Bank of America (BoA) was spending $400 million on cybersecurity. It now spends $1 billion per year on it. Yet thousands of its customer accounts in California were hacked last year.

And BoA isn’t alone. This year, Microsoft, Nvidia, Samsung, LG, and T-Mobile — which recently paid out a $350 million settlement to customers because of a breach in 2021 — were hacked. All fell victim to spear-phishing attacks. No question that the employees in these companies are experienced and well-trained in detecting such attacks.

Flawed Approach

Clearly, something is fundamentally flawed in our approach, when you consider that after all this, email-based compromises increased by 35% in 2021, and American businesses lost over $2.4 billion due to it.

A big part of the problem is the current paradigm of user training. It primarily revolves around some form of cyber-safety instruction, usually following a mock phishing email test. The tests are sent periodically, and user failures are tracked — serving as an indicator of user vulnerability and forming the backbone of cyber-risk computations used by insurers and policymakers.

There is limited scientific support for this form of training. Most point to short-term value, with its effects wearing off within hours, according to a 2013 study. This has been ignored since the very inception of awareness as a solution.

There is another problem. Security awareness isn’t a solution; it’s a product with an ecosystem of deep-pocketed vendors pushing for it. There is legislation and federal policy mandating it, some stemming from lobbying by training organizations, making it necessary for every organization to implement it and users to endure it.

Finally, there is no valid measurement of security awareness. Who needs it? What type? And how much is enough? There are no answers to these questions.

Instead, the focus is on whether users fail a phishing test without a diagnosis of the why — the reason behind the failures. Because of this, phishing attacks continue, and organizations have no idea why. Which is why our best defense has been to send out email warnings to users.

Defend With Fundamentals

The only way to defend against phishing is to start at the fundamentals. Begin with the key question: What makes users vulnerable to phishing?

The science of security already provides the answers. It has identified specific mind-level or cognitive factors and behavioral habits that cause user vulnerability. Cognitive factors include cyber-risk beliefs — ideas we hold in our minds about online risk, such as how safe it might be to open a PDF document versus a Word document, or how a certain mobile OS might offer better protection for opening emails. Many such beliefs, some flawed and others accurate, govern how much mental attention we pay to details online.

Many of us also acquire media habits, from opening every incoming message to rituals such as checking emails and feeds the moment we awake. Some of these are conditioned by apps; others by organizational IT policy. They lead to mindless reactions to emails that increase phishing vulnerability.

There is another, largely ignored, factor: suspicion. It is that unease when encountering something; that sense that something is off. It almost always leads to information seeking and, armed with the right types of knowledge or experience, leads to deception-detection and correction.

It did for the former head of the FBI. Robert Mueller, after entering his banking information in response to an email request, stopped before hitting Send. Something didn’t seem right. In the momentary return to reason caused by suspicion, he realized he was being phished, and changed his banking passwords.

By measuring suspicion along with the cognitive and behavioral factors leading to phishing vulnerability, organizations can diagnose what makes users vulnerable. This information can be quantified and converted into a risk index, with which they can identify those most at risk, the weakest links, and protect them better.

Doing this will help us defend users based on a diagnosis of what they need, rather than a training approach that’s being sold as a solution — a paradigm that we know doesn’t work.

After billions spent, our best approach remains sending out email warnings about incoming attacks. Surely, we can do better. By applying the science of security, we can. And we must — because spear-phishing presents a clear and present danger to the Internet.

https://www.darkreading.com/vulnerabilities-threats/time-to-change-our-flawed-approach-to-security-awareness

The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer

Security Awareness For Dummies

Tags: Security Awareness


Sep 28 2022

3 types of attack paths in Microsoft Active Directory environments

Category: Windows SecurityDISC @ 8:37 am

Attack path types

From the perspective of a defender, there are three types of attack paths:

  • Ones that can be fixed in minutes
  • Ones that take days or weeks to resolve, and
  • Ones that can’t be fixed without significant structural changes or breaking critical software.

Here’s some background to help understand why they break down into those categories.

Identity attack paths are the adversary’s favorite target for lateral movement and privilege escalation. They allow an adversary with initial access to go from a low-privileged user to a high-value target or full takeover of the environment by exploiting misconfigurations and user behaviors within a directory service like Active Directory or Azure Active Directory. These paths are numerous and exploiting any single attack path is difficult for defenders to detect, as attackers often use legitimate tools and credentials and their activities thus appear identical to normal user activity.

Defenders will want to eliminate as many attack paths as possible, but some are easier than others to fix. From our experience, these Identity Attack Paths can be grouped into three main categories:

Quick fix

A decent percentage of attack paths in the average enterprise AD environment can be fixed in minutes simply by changing configurations.

For example, one of my favorite attack paths to fix is non-Domain Admins with ownership rights over Domain Controllers. This attack path is a common byproduct of automation accounts that join systems to the domain. It can also happen when someone promotes a computer to a Domain Controller (DC). Promoting a system to a Domain Controller does not change the security owner of the object in Active Directory. Therefore, “Bob” could have created a server in the directory, and sometime later that system is promoted into a DC – now Bob owns a DC. Anyone who can get access to Bob now has a path to compromise a DC.

Here’s why this is my favorite attack path: your internal business applications don’t typically use the “owner” relationship to function. That means that unlike other ACL rights like “GenericWrite,” you can be confident that changing the owner of an object to the Domain Admins group should not cause unforeseen issues within the environment. This can be done by finding each Domain Controller object in Active Directory Users and Computers, right-clicking it and selecting “Properties,” then “Security,” then “Advanced,” then “Change” and changing ownership to the Domain Admins group.
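The ownership check and fix described above, as an added example that is not from the original post: it lists every Domain Controller computer object whose owner is not Domain Admins and can reset the owner the same way the ADUC steps do. It assumes the RSAT ActiveDirectory module and an account permitted to change object owners.

```powershell
# Added example (not from the original post): find Domain Controller computer
# objects whose security owner is not Domain Admins, then optionally reset the
# owner. Requires the RSAT ActiveDirectory module and rights to change owners.
Import-Module ActiveDirectory

# Domain Admins is RID 512 in every domain, so compare by SID rather than by
# display name (which varies with locale and renames).
$domainSid   = (Get-ADDomain).DomainSID.Value
$domainAdmin = [System.Security.Principal.SecurityIdentifier]"$domainSid-512"

function Get-DcOwnerFindings {
    # Returns one object per DC whose AD object owner is not Domain Admins.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $acl   = Get-Acl -Path ("AD:\" + $dc.ComputerObjectDN)
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        if ($owner -ne $domainAdmin) {
            [PSCustomObject]@{
                DomainController = $dc.HostName
                ObjectDN         = $dc.ComputerObjectDN
                CurrentOwner     = $acl.Owner   # translated "DOMAIN\name" form
            }
        }
    }
}

function Repair-DcOwner {
    param([Parameter(Mandatory)][string]$ObjectDN)
    # Same change as ADUC > Properties > Security > Advanced > Change, scripted:
    # only the owner is replaced; the existing DACL entries are left untouched.
    $acl = Get-Acl -Path ("AD:\" + $ObjectDN)
    $acl.SetOwner($domainAdmin)
    Set-Acl -Path ("AD:\" + $ObjectDN) -AclObject $acl
}

# Review the findings first; uncomment the loop once they look right.
$findings = Get-DcOwnerFindings
$findings | Format-Table -AutoSize
# foreach ($f in $findings) { Repair-DcOwner -ObjectDN $f.ObjectDN }
```

Run the discovery function from a Tier Zero admin workstation and keep the output as a record of which objects were changed.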

There are examples of this that are quite obvious once you see them. A couple of weeks ago I found a “WIFIAuth” user object that had full control over the entire domain. No enterprise system is going to need such a gross overuse of privilege to function, so this is another obvious misconfiguration that can be remediated immediately.

Some of these remediations can have dramatic results, removing thousands of attack paths with just a few hours of work.

Moderate fix

The next category is attack paths that take days or weeks of work to fix.

These might require additional research by the analyst team, a more complicated remediation process, changes in user behavior, or make it more difficult for other business users to do their job. Fixing these might involve weighing the risks of the attack path against the side effects of the remediation, or doing more work to make sure the remediation has as little impact as possible. Here are a couple of examples:

A service account with GenericWrite over a Domain Controller. To answer how this should be remediated you need to understand what the service is doing and how often this is occurring. This can typically be answered by using Windows Event Logs. For most actions exercising an Access Control Entry (ACE) right in Active Directory, a corresponding Windows Event log will be generated. Before remediating the issue, it’s important to collect these logs and see if that service is using that right. If not, removing that right will remove that path from the adversary. However, if the service is in use, then it should be reviewed to see if it should, in fact, be run on a Domain Controller. Perhaps it can be segmented in some way (for example, by only using Tier Zero accounts on Tier Zero systems).

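The log review described above, as an added example that is not from the original post: it pulls Security event 5136 (“A directory service object was modified”) from each DC for a given service account and keeps only writes against DC computer objects. The account name is a placeholder, and the check assumes the “Audit Directory Service Changes” subcategory is enabled on the DCs, since 5136 is not written otherwise.

```powershell
# Added example (not from the original post): before removing a service
# account's GenericWrite over a Domain Controller, look for 5136 events that
# show the account actually writing to DC computer objects. Assumes the
# "Audit Directory Service Changes" audit subcategory is enabled on the DCs.
Import-Module ActiveDirectory

$serviceAccount = 'svc-example'                         # placeholder sAMAccountName
$dcObjectDNs    = (Get-ADDomainController -Filter *).ComputerObjectDN
$since          = (Get-Date).AddDays(-30)

function Get-AceUsageByAccount {
    param(
        [string]$Account, [string[]]$TargetDNs,
        [datetime]$Since, [string]$ComputerName
    )
    # 5136 is logged on whichever DC processed the write, so each DC is queried.
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.SubjectUserName -eq $Account -and $TargetDNs -contains $d.ObjectDN) {
                [PSCustomObject]@{
                    Time      = $_.TimeCreated
                    DC        = $ComputerName
                    ObjectDN  = $d.ObjectDN
                    Attribute = $d.AttributeLDAPDisplayName
                    # %%14674 = value added, %%14675 = value deleted
                    Operation = $d.OperationType
                }
            }
        }
}

$usage = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-AceUsageByAccount -Account $serviceAccount -TargetDNs $dcObjectDNs `
        -Since $since -ComputerName $dc.HostName
}

if ($usage) {
    # The right is exercised: review which attributes the service writes before
    # deciding whether it belongs on a Domain Controller at all.
    $usage | Sort-Object Time | Format-Table -AutoSize
} else {
    "No 5136 events by $serviceAccount against DC objects since $since; the right looks unused."
}
```

An empty result only means nothing was logged in the window examined, so extend the window past the service's longest scheduled cycle before removing the right.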

Another example is Domain Administrators (DA) logging in to servers or workstations with their DA credentials. DA credentials should be limited to use within Domain Controllers or other Tier Zero systems. Admins should have separate credentials for modifying servers or workstations. This fix may take some time, as it involves changing user behavior, and a GPO will have to be pushed to the environment to create new “Workstation Admins” and “Server Admins” groups with access to workstations and servers respectively (Domain Admins have this access by default, which is why they’re commonly used in this way). Abusing DA logins is an extremely common way to abuse the domain, so while the fix may take some adjustment, the security payoff is worth it.

Won’t fix

The final category is attack paths that probably won’t be fixed. Fixing these paths usually requires such a significant amount of change that other mitigating controls may be preferable.

For example, consider on-premises Microsoft Exchange. Exchange has a history of requiring a ton of privileges, which basically made a compromise of Exchange equal to compromise of AD itself. While this has gotten better over the years and Microsoft explains how to reduce these permissions, Exchange Server can only be completely segmented by introducing a split permission model. The work here can be very tedious, break other integrations, and cause issues when reaching out to support. For this reason, many of our customers choose not to fully implement split permissions but pursue one of the following:

  • Introduce a DENY ACE on Tier Zero accounts blocking this access
  • Use this finding to fast-track their transition to Office 365
  • Deploy compensating monitoring controls around these specific accounts

Any of the three are valid approaches as security is a risk management process.

Active Directory

Active Directory Administration Cookbook:

