October 2014 Newsletter


October 15, 2014

This month’s newsletter is chockablock full of technical blog posts from our security consultants, alongside our usual industry wrap-up, SG in the community and a mention of the career opportunities currently going at Securus.


SSLv3 and POODLE

For those of you paying attention to mailing lists early last night, you may have noticed a curious email come through, regarding a “Truly scary” SSL3.0 vulnerability about to drop – and drop it did today.

The vulnerability, known as POODLE, allows attackers to partially decipher bits of plaintext, such as session cookies, in conjunction with a man-in-the-middle attack where an attacker can modify traffic. The really scary part (imo) is on Page 3 of the whitepaper:

Read more: https://www.securusglobal.com/community/2014/10/15/sslv3-and-poodle/
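The practical defence against POODLE is to stop negotiating SSLv3 at all, and the quickest way to find out whether a server is still doing so is to look at what it answers in its ServerHello. The following is an added example, not code from the Securus Global post or the whitepaper it links to: a minimal Node.js parser for the first fields of a TLS/SSL ServerHello record (record header, handshake header, server_version, session_id, cipher_suite) that flags an SSLv3 negotiation, and separately whether the chosen suite is a CBC suite, which is the combination POODLE's padding attack applies to. The `buildServerHello()` helper fabricates sample records so the block runs offline; the zero-filled server random is a constructed placeholder, not a capture.

```javascript
// Added example (not from the original post): flag SSLv3 negotiation in a
// ServerHello. Offsets follow the SSL 3.0 / TLS record and handshake layout:
//   record:    type(1) version(2) length(2)
//   handshake: type(1) length(3)
//   ServerHello body: server_version(2) random(32) session_id_len(1)
//                     session_id(n) cipher_suite(2) compression_method(1)

// Protocol versions as they appear on the wire (major.minor, big-endian).
const VERSION_NAMES = {
  0x0300: 'SSLv3',
  0x0301: 'TLS 1.0',
  0x0302: 'TLS 1.1',
  0x0303: 'TLS 1.2',
};

// Real cipher suite IDs. CBC-mode suites are the ones POODLE's padding
// oracle applies to under SSLv3; RC4 is a stream cipher and is not affected
// by POODLE (it has its own problems, which is why SSLv3 should go entirely).
const CBC_SUITES = new Set([
  0x000a, // TLS_RSA_WITH_3DES_EDE_CBC_SHA
  0x002f, // TLS_RSA_WITH_AES_128_CBC_SHA
  0x0035, // TLS_RSA_WITH_AES_256_CBC_SHA
]);
const RC4_SHA = 0x0005; // TLS_RSA_WITH_RC4_128_SHA

// Decode only the fields needed for the version and suite check.
function parseServerHello(buf) {
  if (buf.length < 5 || buf[0] !== 0x16) throw new Error('not a handshake record');
  const recordLength = buf.readUInt16BE(3);
  if (buf.length < 5 + recordLength) throw new Error('truncated record');
  const hs = buf.subarray(5, 5 + recordLength);
  if (hs.length < 4 || hs[0] !== 0x02) throw new Error('not a ServerHello');
  const bodyLength = hs.readUIntBE(1, 3);
  if (hs.length < 4 + bodyLength) throw new Error('truncated handshake message');
  const serverVersion = hs.readUInt16BE(4);       // body offset 0
  const sessionIdLength = hs[38];                  // after the 32-byte random
  const suiteOffset = 39 + sessionIdLength;
  if (hs.length < suiteOffset + 2) throw new Error('truncated ServerHello body');
  const cipherSuite = hs.readUInt16BE(suiteOffset);
  return {
    serverVersion,
    versionName: VERSION_NAMES[serverVersion] || 'unknown',
    cipherSuite,
  };
}

// Combine the two signals: SSLv3 at all is a misconfiguration worth fixing;
// SSLv3 plus a CBC suite is the POODLE-exposed case.
function assessServerHello(buf) {
  const hello = parseServerHello(buf);
  const sslv3 = hello.serverVersion === 0x0300;
  const cbc = CBC_SUITES.has(hello.cipherSuite);
  return { ...hello, sslv3, cbc, poodle: sslv3 && cbc };
}

// Constructed sample generator (placeholder random of zeros, empty session id).
function buildServerHello(version, cipherSuite) {
  const body = Buffer.alloc(2 + 32 + 1 + 2 + 1);
  body.writeUInt16BE(version, 0);
  body[34] = 0;                       // session_id length
  body.writeUInt16BE(cipherSuite, 35);
  body[37] = 0;                       // compression_method: null
  const hsHeader = Buffer.alloc(4);
  hsHeader[0] = 0x02;                 // HandshakeType server_hello
  hsHeader.writeUIntBE(body.length, 1, 3);
  const record = Buffer.alloc(5);
  record[0] = 0x16;                   // ContentType handshake
  record.writeUInt16BE(version, 1);
  record.writeUInt16BE(hsHeader.length + body.length, 3);
  return Buffer.concat([record, hsHeader, body]);
}

// Stand-alone demonstration on two constructed records.
const SAMPLE_SSLV3_CBC = buildServerHello(0x0300, 0x002f);
const SAMPLE_TLS12_CBC = buildServerHello(0x0303, 0x002f);
console.log(assessServerHello(SAMPLE_SSLV3_CBC)); // poodle: true
console.log(assessServerHello(SAMPLE_TLS12_CBC)); // poodle: false
```

On a real capture, feed the bytes of the server's first record after the ClientHello into `assessServerHello()`; anything reporting `sslv3: true` belongs on the list of hosts whose configuration still needs SSLv3 removed, whether or not the negotiated suite happens to be CBC.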

CVE-2014-6271 (“Shellshock”) and exploit PoC

In light of the Shellshock vulnerability, one of our top Security Consultants, Andy Yang, has written a blog post explaining why Shellshock is such an issue, alongside a proof-of-concept exploitation:

Firstly, the vulnerability itself. The actual vulnerability itself is amusing and unique, but otherwise, isn’t the magical everything-is-owned vulnerability that everyone makes it out to be. To paraphrase, if you are able to set an environment variable through the Bash shell, you can execute commands.

The interesting part is that this vulnerability may have existed for more than 20 years, in an application which is part of pretty much every Unix system since a long time ago. The vulnerable versions start from cpe:/a:gnu:bash:1.14.0 to cpe:/a:gnu:bash:4.3, which covers pretty much every Unix-based operating system available today (and by extension, a tremendous chunk of the Internet).
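Because the bug fires when a crafted value lands in an environment variable, the exposure on a web server is wherever request data is copied into the environment, which is exactly what CGI does with headers such as User-Agent and Referer. From the defender's side the useful signal is therefore the function-definition prefix turning up in those header fields. The following is an added example, not code from Andy's post: a small Node.js scanner over Apache combined-format access log lines that reports requests carrying that prefix in the Referer or User-Agent field. The log lines are constructed for the example, and the regex is the same prefix pattern most IDS signatures used for this bug.

```javascript
// Added example (not from the original post): spot Shellshock-style probes in
// web server logs. The trigger is an environment variable whose value begins
// with "() {" (a bash exported function definition) followed by extra
// commands; CGI copies request headers into such variables.
const SHELLSHOCK_PREFIX = /\(\s*\)\s*\{/;

// Apache combined log format:
// %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Constructed sample lines (documentation-range addresses, benign probe text).
const SAMPLE_LOG = [
  '203.0.113.5 - - [25/Sep/2014:10:01:02 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
  '203.0.113.7 - - [25/Sep/2014:10:01:09 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
  '198.51.100.2 - - [25/Sep/2014:10:02:44 +1000] "GET /index.html HTTP/1.1" 304 0 "() { :;}; echo probe" "curl/7.37.0"',
  'garbage line that does not parse',
];

// Parse one combined-format line; returns null for lines that do not match.
function parseCombinedLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    client: m[1],
    time: m[2],
    request: m[3],
    status: Number(m[4]),
    referer: m[6],
    userAgent: m[7],
  };
}

// True when a header value starts a bash function definition.
function isShellshockProbe(value) {
  return SHELLSHOCK_PREFIX.test(value);
}

// Scan the header fields CGI exports; return one hit per offending request.
function findShellshockProbes(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseCombinedLogLine(line);
    if (!entry) continue;
    const fields = ['referer', 'userAgent'].filter((f) => isShellshockProbe(entry[f]));
    if (fields.length > 0) {
      hits.push({ client: entry.client, request: entry.request, fields });
    }
  }
  return hits;
}

// Stand-alone run over the constructed sample.
for (const hit of findShellshockProbes(SAMPLE_LOG)) {
  console.log(`${hit.client} ${hit.request} via ${hit.fields.join(',')}`);
}
```

A hit in the logs only tells you someone tried; whether the attempt worked depends on the bash version behind the CGI handler, so the log scan complements, rather than replaces, checking the installed bash against the vulnerable range given above.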

Read more: https://www.securusglobal.com/community/2014/09/26/cve-2014-6271-shellshock-and-exploit-poc/

Our comments were also featured in The Register in their review of Shellshock titled – ‘Bash bug: Shellshocked yet? You will be … when this goes WORM’.

Read full article and our opinion here: http://www.theregister.co.uk/2014/09/25/shell_shocked_not_yet/

Bypassing WAFs with SVG

Security Consultant Julian Berton recently presented a lightning talk at Ruxcon 2014 on a cross-site scripting issue we discovered on a client engagement, and two interesting ways in which we could bypass the WAF present (as well as Firefox’s cross-site scripting filter).

The cross-site scripting issue we found was fairly standard at first, with an initial URI like the following:

localhost:4000/apply_thankyou?uuid=d77a9190-4ace-11e4-b775-bd2f6eee9714&userId=542e239cc6f6f28004c4dae0&result=HC999|SUCCESS

This generates a page like the screenshot below, with the reference number pulled from a vulnerable parameter in a URI, with the “jquery.query.get()” function.
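The lesson a WAF bypass teaches is that the filter in front of an application is not the fix; the fix is in how the application handles the parameter. The following is an added example, not code from Julian's post or from the client application it describes: the same "reference number from the URI" rendering written twice in Node.js, once concatenating the raw parameter into markup (the shape of the pattern the post describes, with `URL.searchParams` standing in for `jquery.query.get()`) and once HTML-encoding it first. The hostile input used is a constructed one containing only a bare tag name, enough to show the difference.

```javascript
// Added example (not from the original post): vulnerable versus hardened
// rendering of a query-string value into HTML.

// Standard library URL parsing plays the role jquery.query.get('result')
// played in the post. The page's URI is reused here with an http:// scheme
// added so that the WHATWG parser treats it as an absolute URL.
function getResultParam(uri) {
  return new URL(uri).searchParams.get('result') || '';
}

// Vulnerable: whatever is in ?result= is placed into markup untouched.
function renderUnsafe(uri) {
  return '<p>Your reference number is ' + getResultParam(uri) + '</p>';
}

// Hardened: encode the five characters that matter in an HTML text context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderSafe(uri) {
  return '<p>Your reference number is ' + escapeHtml(getResultParam(uri)) + '</p>';
}

// The URI from the post (scheme added), and a constructed hostile variant.
const POST_URI = 'http://localhost:4000/apply_thankyou?uuid=d77a9190-4ace-11e4-b775-bd2f6eee9714&userId=542e239cc6f6f28004c4dae0&result=HC999|SUCCESS';
const HOSTILE_URI = 'http://localhost:4000/apply_thankyou?result=' + encodeURIComponent('HC999|<svg>');

console.log(renderUnsafe(HOSTILE_URI)); // tag survives into the markup
console.log(renderSafe(HOSTILE_URI));   // tag arrives as text: &lt;svg&gt;
```

In a browser the equivalent of `renderSafe()` is to assign the value with `textContent` (or jQuery's `.text()`) rather than building an HTML string, which makes the encoding step implicit; either way the value is treated as data in the text context it lands in, and neither the WAF nor the browser's XSS filter is left holding the line.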

Read more: https://www.securusglobal.com/community/2014/10/13/bypassing-wafs-with-svg/#more-4228

The Next Generation

“Young ICT Explorers” is an initiative, now in its 4th year, that helps foster and grow young people’s interest in ICT.

Our Director, Drazen Drazic, was invited to be a judge in this year’s event, and he came out very impressed:
“There’s some very bright kids out there doing some amazing things. Unlike most adults, they don’t have to “try” to think outside the square – they just do it! I was blown away by most of the entries and how far the kids got in terms of development. There’s definitely going to be some entrants whose submissions will progress to the next level!”

Photos from the Nth QLD judging. Well worth a look:
https://www.flickr.com/photos/yicte/sets/72157647213602578/

Helping ICT develop in Australia is a passion of Drazen’s. He’s been working with many universities over the years in course content development, lecturing to students on our field of information security and continues to quietly drive a mentoring program for people trying to break into our industry.

Industry Wrap Up

  • Microsoft is opening a bug bounty (where they pay researchers for security vulnerabilities) for their online services. While this might not be as lucrative as some other bug bounty programs, it’s always nice to see security enthusiasts being properly rewarded for vulnerability identification.
    http://technet.microsoft.com/en-US/security/dn800983
  • Here’s an interesting write-up of how master passwords can be extracted from the “LastPass” Key Management Software. It is also a timely reminder that in some situations, the services which you trust to look after security functionality like passwords may themselves be affected by various security issues.
    http://www.martinvigo.com/a-look-into-lastpass/
  • OWASP recently released Version 4 of the OWASP Testing Guide. It’s an interesting read for people who want to get into web application security, and a useful baseline checklist for security teams working to ensure the security of their own products and/or services.
    https://www.owasp.org/images/1/19/OTGv4.pdf

Careers @ Securus

Securus Global is looking to expand our rapidly growing team!
We have a sound reputation for excellence in delivery and expect quality in all we do. You will not get lost in the crowd here and will have opportunities for growth that are limited only by yourself.
We are currently looking for:

The above roles will be based in either Sydney or Melbourne CBDs.
If you believe you have what we’re looking for, let us know by contacting jobs@securusglobal.com.

Securus Global Community

Connect, follow or like us on social media to stay up to date with everything SG related: LinkedIn / Twitter / Facebook.

Also be sure to check out our tech team’s blog and the other industry news that we publish regularly on our website here: https://www.securusglobal.com/community/
