Category Archives: Technical Risk Assessment

Bypassing WAFs with SVG


October 13, 2014

By Julian Berton (LinkedIn)

Recently, I presented a lightning talk at Ruxcon 2014, on a cross-site scripting issue we discovered on a client engagement, and two interesting ways in which we could bypass the WAF present (as well as Firefox’s cross-site scripting filter).

The cross-site scripting issue we found was fairly standard at first, with an initial URI like the following:

localhost:4000/apply_thankyou?uuid=d77a9190-4ace-11e4-b775-bd2f6eee9714&userId=542e239cc6f6f28004c4dae0&result=HC999|SUCCESS

This generates a page like the screenshot below, with the reference number pulled from a vulnerable parameter in a URI, with the “jquery.query.get()” function.

xss_blogpost_Image1

Continue reading

CVE-2014-6271 (“Shellshock”) and exploit PoC


September 26, 2014

By Andy Yang

(A little bit of background on this post – one of my colleagues, Norman Yue, posted something about the Internet being on fire to LinkedIn yesterday, regarding the bash bug. This blog post tries to explain a bit more about why exactly this is such a big issue, and also provides a proof-of-concept exploitation).

Firstly, the vulnerability itself. The actual vulnerability itself is amusing and unique, but otherwise, isn’t the magical everything-is-owned vulnerability that everyone makes it out to be. To paraphrase, if you are able to set an environment variable through the Bash shell, you can execute commands.

The interesting part is that this vulnerability may have existed for more than 20 years, in an application which is part of pretty much every Unix system since a long time ago. The vulnerable versions start from cpe:/a:gnu:bash:1.14.0 to cpe:/a:gnu:bash:4.3, which covers pretty much every Unix-based operating system available today (and by extension, a tremendous chunk of the Internet). Continue reading

Open Source and Software Trust


November 20, 2013

By Norman Yue – Chief Technology Officer

Recently, I stumbled across an interesting blog post about trusting security software on Reddit (http://blog.cryptographyengineering.com/2013/10/lets-audit-truecrypt.html). This got me thinking, and kicked off a few conversations – to be honest, pretty much any open source software can be backdoored, and a good number of open source software packages have been/still are. It doesn’t need to be an obvious backdoor – simply omitting a security control, or rendering it weaker than it could be, could be just as effective (and much, much more difficult to detect during a source code audit).

For an attacker, the payoff is potentially huge, depending on the particular software being backdoored (just imagine if a tool such as nmap, or some FIM software, was to be backdoored). The cost can range from the attacker putting his hand up to “maintain” an open source WordPress plugin, to going after something unrelated and ending up with access to the source code repository of a popular security tool in his/her lap. Continue reading

Will QA change web penetration testing?


October 17, 2012

Originally published in PentesterLab, on 7/8/2012 by Louis Nyffenegger. http://blog.pentesterlab.com/2012/08/will-qa-change-web-penetration-testing.html

First, let’s go back a little and think about the 2 main limitations of web scanners:

  • Coverage: it’s really hard to write a spider that will cover a full website, you need to write a tool that will understand a website and know exactly what to do and what data to submit (email when an email address is expected, name when an name is expected…)
  • Scanner quality: it’s really hard to write a web scanner that will avoid false positive and won’t provide any false negative. It’s particularly hard on production systems where error messages are/should be turned off, you often need to apply some crazy logic to find if a bug is there.

Continue reading

Data breach highlights security risks


June 12, 2012

Data breaches can have devastating consequences – and one recent incident overseas has illustrated the extent of the damage this type of negligence can cause.

A security breach at one UK health trust has highlighted the importance of keeping data protected – and underscored the risks that enterprises of all types can face when they fail to do so.

The UK Information Commissioner’s Office (ICO) reported this week that one publicly-funded healthcare organisation inadvertently leaked the details of 59 palliative care patients to an external source over a three-month period.

This sensitive information contained details about individuals that was intended for the St John’s Hospice and included information about their family life, medical treatment and instructions for resuscitation.

In March 2011, Central London Community Healthcare NHS Trust began faxing these details to the wrong recipient – with a total of 45 faxes sent over a three-month period.

In June last year, the recipient informed the healthcare provider that it had been receiving – and destroying – this sensitive data.

Checks carried out by the ICO revealed that there were insufficient measures in place to ensure that information was being correctly delivered to the right people, and as such, the healthcare body was fined a total of GBP90,000 (approximately $144,635) for the data breach.

Having the right security processes in place, according to the ICO’s head of enforcement, is essential – especially when it comes to protecting sensitive data such as medical records.

Stephen Eckersley said: “The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”

While this incident occurred overseas, it serves as an important reminder of the consequences of data breaches – both from a financial standpoint as well as the damage to an organisation’s reputation.

Enterprises that deal with sensitive information – whether this is in the form of medical details, financial records or other personal information – may wish to have their security processes assessed through penetration testing.

This can help to expose vulnerabilities in your system before they are discovered by malicious parties, who can cause significant embarrassment, reputation damage and financial losses to your organisation.

If your business is also evaluating new technologies, you might want to arrange for a security due diligence assessment to be carried out. This can identify any compliance gaps and allow your decisionmakers to make an informed choice about how best to proceed.

Aus-US alliance to combat cyber crime


June 11, 2012

A new collaboration between Australia and the United States will improve cyber security standards at home – as well as across the globe, according to Nicola Roxon.

The Australian attorney-general, who is also the minister for emergency management, stated last week (May 18) that recent discussions between US and Australian policymakers in Canberra spelled good news for cyber security management.

Roxon said: “Countries everywhere are increasingly reliant on critical infrastructure such as telecommunications, which enables online activities that contribute to global commerce and trade and play an increasingly important role in national security.”

She added that while such activities have a widespread benefit to the Australian and US economies, they also pose new risks and challenges when it comes to cyber security management.

The two nations will work closely in the coming years to actively combat malicious activity in the online space – and will meet regularly to discuss effective strategies for cyber security co-operation. The May 18 statement of cyber security intent follows a number of other statements jointly signed between the United States and Australia that will foster greater collaboration when tackling international crime.

According to Roxon, the latest collaboration will primarily centre around digital control systems and other aspects of critical infrastructure.

Under the new agreement with the United States, the two countries will create collaborative education and training opportunities , as well as an exchange of information – such as IT and cyber security best practices.

National cyber incident response teams in both nations will also work closely with one another to share information and awareness on specific cyber security incidents and issues. Representatives from Australia and the US will meet annually for progress reviews – identifying successes and challenges.

Earlier this year, Roxon also announced the creation of an Australian branch of CREST – the Council of Registered Ethical Security Testers.

This represents another significant collaboration with international security efforts – CREST Australia is affiliated with CREST Great Britain, which requires its members to meet competency requirements by passing a series of exams.

CREST Australia’s role is to create and enforce the ground rules for Australian cyber security testing – a move that will ensure penetration testing and other work carried out by security professionals is carried out to a recognised standard.

In March, Roxon asserted that the creation of CREST Australia would establish clear and uniform cyber security testing standards.

The evolving nature of cybercrime


May 15, 2012

As with any criminal undertaking, if there is a measurable profit available to malicious parties they are likely to spend more time on perfecting their skills.Data theft and other cybercrimes are becoming much more organised as the practices and procedures required to gain access to sensitive information becomes more complex.

This is because the vulnerability management activities performed by professional security managers forces malicious parties to rethink their strategies – slowing them in their tracks.However, over time and through collaboration, online criminals are able to develop new and innovative approaches to discover penetration avenues.

Of course, this in turn forces the hand of security experts to review and upgrade their defences yet again – or face the consequences that come with complacency.In short, managing vulnerabilities requires careful use of resources in order to ensure that the constant cycle of penetration attempts and security upgrades does not become the digital equivalent of an arms race.

This is because the cost of protecting information assets should reflect their potential value to both the company concerned and its stakeholders. Making valuable data out of reach of malicious parties effectively puts an end to what could otherwise be an expensive cycle – with careful planning and regular review, the costs soon become an investment in security rather than a drain on resources.

Technical Risk Assessments | Penetration Testing

New businesses need to be extra diligent


May 14, 2012

As a new business begins operations, there inevitably comes along scenarios that test the capacities of the employees concerned.

While it is highly unlikely that a manager will be able to plan for every scenario, it may be possible to ensure that the systems in place are capable of handling a wide range of issues that may arise.

When it comes to asset vulnerability management, ensuring that the policy frameworks and responsibilities are in line with best practice procedures can be a powerful step in the right direction to prepare for incident management. Not only does this mean that employees are aware of how best to handle a situation, it also means that they know where they can find more information on what to do next should an incident escalate.

Regular reviews of internal practices can help to ensure that staff activities are still aligned to protect the safety and security of the business’ information assets, while external audits of a firm’s defences can help to highlight any gaps before they become an issue.In this way a new enterprise can continue to securely deliver its products and services in the knowledge that it has been diligent in covering potential breach avenues.

The two-pronged approach to effective digital security


May 13, 2012

Raising the issue of system audits, it is common for people inside a business to consider one of two key topics – online precautions or internal business protocols. However, the truth is that these two areas have a much closer relationship than may be immediately apparent.While internal policies help managers to control how sensitive information is stored, transmitted and processed, these rules and regulations do not directly protect the firm from dedicated external threats. Conversely, the deployment of a firewall, antivirus software and spam filters can provide a good level of protection from probing attacks, but do little to reduce the impact of a breach should it occur.

This is why specialist security audit firms suggest that a two-pronged approach be taken when the decision is made to review an enterprise’s defences – as a comprehensive review will deliver more of an insight into potential problems than a piecemeal plan. A sound report will allow managers and IT specialists to begin collating a defensive strategy that covers all the bases – not just external threats or internal processes

Managing the use of employee flash drives


May 10, 2012

As the price of memory used in USB flash drives plummets, the capacities of the devices seems to grow at an equal rate, improving their usefulness across a range of applications.In turn this makes the ubiquitous ‘memory stick’ something of a baseline commodity that is used in almost every industry to transfer data and documents from one machine to another without using wireless connection, content management systems or other digital options. However, this same level of familiarity makes USB drives something of a target for malicious activities, both as a source of valuable details and as a point of injection for future attacks. A common practice is to pick up a device, check it for information, and then return it with a hidden installer that activates when it is plugged into a victim’s machine. In response, many firms issue blanket bans on the use of such devices across their in-house facilities – the reasoning being that if no information is stored or received on flash memory sticks, there is no chance of them falling into the wrong hands. While this approach may have its merits, it is often does not work for the business and so it still pays to have vulnerability management plans in place should the potential for a security breach arise