This month’s newsletter is chock-a-block with technical blog posts from our security consultants, alongside our usual industry wrap-up, SG in the community, and a mention of the career opportunities currently going at Securus.
SSLv3 and POODLE
For those of you paying attention to mailing lists early last night, you may have noticed a curious email come through regarding a “truly scary” SSL 3.0 vulnerability about to drop – and drop it did today.
The vulnerability, known as POODLE, allows an attacker to partially decrypt bits of plaintext, such as session cookies, when combined with a man-in-the-middle position from which the attacker can modify traffic. The really scary part (imo) is on Page 3 of the whitepaper:
In light of the Shellshock vulnerability, one of our top security consultants, Andy Yang, has written a blog post explaining why Shellshock is such an issue and providing a proof-of-concept exploitation:
Firstly, the vulnerability itself. The actual vulnerability is amusing and unique, but otherwise isn’t the magical everything-is-owned vulnerability that everyone makes it out to be. To paraphrase, if you are able to set an environment variable through the Bash shell, you can execute commands.
The interesting part is that this vulnerability may have existed for more than 20 years, in an application which is part of pretty much every Unix system since a long time ago. The vulnerable versions start from cpe:/a:gnu:bash:1.14.0 to cpe:/a:gnu:bash:4.3, which covers pretty much every Unix-based operating system available today (and by extension, a tremendous chunk of the Internet).
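Since the post above boils Shellshock down to “an exported variable that looks like a function definition gets executed”, the natural defender’s question is whether the bash on a given box still honours that trick. The script below is an added example, not code from Andy’s post or from the Securus team: it runs the widely published harmless probe (a function body that only echoes a marker) against the local bash and reports a patch status suitable for inventory.

```shell
# Added example (not from the Securus post). Self-check of the local bash:
# an unpatched bash treats an exported variable whose value starts with
# "() {" as a function definition and also runs whatever follows the closing
# brace at shell start-up. A fixed bash imports nothing and ignores the tail.
shellshock_status() {
    # Nothing to test if bash is not installed at all.
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }

    # The probe: the function body is a no-op (":"), and the trailing command
    # only prints a marker. The inner 'echo probe' proves bash actually ran.
    out=$(env x='() { :;}; echo VULNERABLE_MARKER' bash -c 'echo probe' 2>/dev/null)

    case "$out" in
        *VULNERABLE_MARKER*) echo "vulnerable"; return 1 ;;  # tail was executed
        *probe*)             echo "patched";    return 0 ;;  # tail was ignored
        *)                   echo "unknown";    return 2 ;;  # bash failed to run
    esac
}

# One tab-separated line per host: hostname, bash version, verdict.
# Useful for collecting results from a fleet with ssh/cron into one file.
shellshock_report() {
    status=$(shellshock_status || true)
    ver=$(bash -c 'printf %s "$BASH_VERSION"' 2>/dev/null || printf 'n/a')
    host=$(uname -n 2>/dev/null || printf 'localhost')
    printf '%s\tbash %s\t%s\n' "$host" "$ver" "$status"
}

shellshock_report
```

A host reporting “vulnerable” needs the vendor bash update; “unknown” usually means bash is present but could not start, which is worth a look in its own right.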
Our comments were also featured in The Register in their piece on Shellshock, titled ‘Bash bug: Shellshocked yet? You will be … when this goes WORM’.
Read the full article, including our opinion, here: http://www.theregister.co.uk/2014/09/25/shell_shocked_not_yet/
Security consultant Julian Berton recently presented a lightning talk at Ruxcon 2014 on a cross-site scripting issue we discovered on a client engagement, and two interesting ways in which we could bypass the WAF in front of it (as well as Firefox’s cross-site scripting filter).
The cross-site scripting issue we found was fairly standard at first, with an initial URI like the following:
This generates a page like the one in the screenshot below, with the reference number read from the vulnerable URI parameter via the “jquery.query.get()” function.
“Young ICT Explorers” is an initiative, now in its fourth year, that helps foster and grow young people’s interest in ICT.
Our Director, Drazen Drazic, was invited to be a judge at this year’s event and came away very impressed:
“There’s some very bright kids out there doing some amazing things. Unlike most adults, they don’t have to “try” to think outside the square – they just do it! I was blown away by most of the entries and how far the kids got in terms of development. There’s definitely going to be some entrants whose submissions will progress to the next level!”
Photos from the North Queensland judging, well worth a look:
Helping ICT develop in Australia is a passion of Drazen’s. He has worked with many universities over the years on course content development, lectured students on our field of information security, and continues to quietly drive a mentoring program for people trying to break into our industry.
Industry Wrap Up
- Microsoft is opening a bug bounty (where they pay researchers for security vulnerabilities) for their online services. While this might not be as lucrative as some other bug bounty programs, it’s always nice to see security enthusiasts being properly rewarded for vulnerability identification.
- Here’s an interesting write-up of how master passwords can be extracted from the “LastPass” key management software. It is also a timely reminder that in some situations, the services you trust to look after security functionality like passwords may themselves be affected by security issues.
- OWASP recently released Version 4 of the OWASP Testing Guide. It is an interesting read for people who want to get into web application security, and a useful baseline checklist for security teams working to ensure the security of their own products and/or services.
Securus Global is looking to expand our rapidly growing team!
We have a sound reputation for excellence in delivery and expect quality in all we do. You will not get lost in the crowd here, and will have opportunities for growth that are limited only by you.
We are currently looking for:
The above roles will be based in either Sydney or Melbourne CBDs.
If you believe you have what we’re looking for, let us know by contacting firstname.lastname@example.org.
Also be sure to check out our tech team’s blog and the other industry news we publish regularly on our website here: https://www.securusglobal.com/community/