Category Archives: Vulnerability Assessment

SSLv3 and POODLE


October 15, 2014

By Norman Yue (LinkedIn)

For those of you paying attention to mailing lists early last night, you may have noticed a curious email come through regarding a “Truly scary” SSL 3.0 vulnerability about to drop – and drop it did today.

The vulnerability, known as POODLE, allows an attacker who is already in a man-in-the-middle position and able to modify traffic to recover small pieces of plaintext, such as session cookies, one byte at a time. The really scary part (imo) is on page 3 of the whitepaper:

The expected overall effort is 256 SSL 3.0 requests per byte.

This is amazingly low: depending on the circumstances of exploitation, a typical web application session cookie can be broken in minutes.

CVE-2014-6271 (“Shellshock”) and exploit PoC


September 26, 2014

By Andy Yang

(A little background on this post: one of my colleagues, Norman Yue, posted something on LinkedIn yesterday about the Internet being on fire, regarding the bash bug. This post tries to explain a bit more about why exactly this is such a big issue, and also provides a proof-of-concept exploit.)

Firstly, the vulnerability itself. It is amusing and unique, but otherwise isn’t the magical everything-is-owned vulnerability that everyone makes it out to be. To paraphrase: if you can control the value of an environment variable that a Bash shell imports, you can execute arbitrary commands.

The interesting part is that this vulnerability may have existed for more than 20 years, in an application that has been part of pretty much every Unix system for just as long. The vulnerable versions range from cpe:/a:gnu:bash:1.14.0 to cpe:/a:gnu:bash:4.3, which covers pretty much every Unix-based operating system available today (and by extension, a tremendous chunk of the Internet).

How I got root with Sudo


March 17, 2014

By Sebastien Macke, @lanjelot

Introduction

During security engagements, we regularly come across servers configured with the privilege management software Sudo. As with any software, the principle of least privilege must be closely followed: users must be granted the minimum privileges needed to perform their legitimate tasks. To configure Sudo securely, therefore, user accounts must be restricted to a limited set of commands that they can legitimately execute with elevated privileges (usually those of the root account).

Out in the real world, we don’t often see Sudo configured according to the principle of least privilege. But when we do, we always uncover a mistake or two that allows us to escalate our privileges to root, at which point it’s game over. We win.

The purpose of this post is to present a series of examples of common mistakes and insecure configurations that we have seen and leveraged in production environments during security assessments, and how you can make our team’s life that little bit harder.

The Anatomy of a Security Breach.


January 16, 2014

Securus Global’s approach to minimising your risks…

By now, you have probably read about the Target security breach (nothing new… this happens all the time):
http://www.marketwatch.com/story/traffic-at-target-stores-down-after-data-breach-2013-12-22-174855718?reflink=MW_news_stmp
http://www.usatoday.com/story/money/business/2013/12/22/target-breach-suits-and-investigations/4167977/

At Securus Global, we are frequently asked by our clients how hackers compromise companies and in turn, what can be done to minimise the risk of it happening to their own organisation.

By hiring the likes of Securus Global to test your systems in testing, pre-production and/or post-production, you can have any potential exposures highlighted, receive advice on how to fix them, and learn ways to make your organisation more resistant to such breaches altogether.

Better yet, we would rather help you get to a position where your risks are identified beforehand, or are not there in the first place.

This is why, in early 2014, we’re offering client workshops to explain the anatomy of such attacks and how the hackers obtain this information from your companies.

These are informal 1-2 hour sessions (no cost), where we talk about what we have seen in the last 10 years and how the attacks are planned and carried out but, most importantly, what you can do to minimise the chances of this happening to your company.

Dumping Windows Credentials


December 20, 2013

By Sebastien Macke, @lanjelot

Introduction

During penetration testing engagements, we often find ourselves on Windows systems, looking for account credentials. The purpose of this post is to walk through some techniques to gather credentials from Windows systems while being as non-intrusive as possible.

The core principles behind the techniques described in this post are:

  • Safety – Avoid causing any downtime, by using tools and techniques which are known to be safe, and will not render a system unstable.
  • Stealthiness – Avoid detection by not using tools and techniques that will trigger alerts. Refrain from uploading binaries, turning off the anti-virus, generating suspicious event logs, etc.
  • Efficiency – While Bernardo’s blog attempts to cover many of the tools and techniques available for dumping credentials from a Windows host, this post focuses on the most practical way to get the job done.

Google data shows value of penetration testing and regular security audits


June 26, 2012

Alongside penetration testing and regular security audits, ensuring safe online browsing practices can be one of the best ways to ensure your business remains protected from external threats.

A new blog post published June 19, from Google principal software engineer Niels Provos, has confirmed just how many malicious websites are out there and posing a danger to internet users.

“We protect 600 million users through built-in protection for Chrome, Firefox, and Safari, where we show several million warnings every day to Internet users,” writes Provos.

“We find about 9,500 new malicious websites every day. These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing.”

The new information has been released to commemorate the five-year anniversary of Google’s Safe Browsing effort, an initiative aimed at keeping users safe while using the internet.

Malicious websites are often used as a way of spreading information-stealing malware, which can allow cybercriminals to remotely access private information, disrupt computer operations or track user activity online.

Google suggests that users who want to protect themselves from online threats pay attention to any official warning messages that pop up.

Furthermore, by selecting the check box that appears on the red warning page, people can assist Google by submitting information on potentially dangerous or unscrupulous websites.

Businesses concerned about the danger of online malware and viruses spreading onto company servers will want to ensure they are running up-to-date anti-virus software and regularly reviewing vulnerability management reports.

“The threat landscape changes rapidly. Our adversaries are highly motivated by making money from unsuspecting victims, and at great cost to everyone involved,” writes Provos.

However, Google has moved to reassure people that it will continue to invest in safe browsing and in maintaining internet security in order to deal with evolving cybercrime technology.

Lawsuit argues LinkedIn failed to meet vulnerability management obligations


June 22, 2012

Security breaches like the one that affected professional social networking site LinkedIn on June 6 can be costly, both financially and in terms of lost consumer confidence.

Penetration testing can often prevent such instances and help ensure your company is storing user information securely.

LinkedIn is now facing a class action lawsuit over the aforementioned incident, which saw cyber criminals hack its information database and release 6.5 million user passwords onto a Russian internet forum.

The lawsuit, filed in Canada, asserts that LinkedIn did not meet its obligations of vulnerability management, as it did not salt its passwords – a practice commonly considered standard industry protocol.

"Despite its contractual obligation to use best practices in storing user data, LinkedIn failed to utilise basic industry standard encryption methods. In particular, LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format," reads the lawsuit.

LinkedIn responded by arguing that no member accounts were breached and that no user has suffered any undue injury relating to the incident.

"Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation," said LinkedIn.

LinkedIn could potentially find itself liable for $5 million in damages if the lawsuit is successful.

Security audit for commercial sites


June 15, 2012

An interesting note found in a recent online security report has stated that malicious programmers have begun to target specific social websites for drive-by infections.

While in the past scammers would set up their own pages and attempt to drive traffic to them to gain control over a victim’s machine or network, there has been a shift in recent years towards compromising legitimate URLs.

According to the Malicious Code Trends section in Symantec’s Internet Security Threat Report 2011 – published back in April 2012 – approximately 61 per cent of all sites listed as containing shadowy programs are “actually regular web sites that have been compromised and infected with malicious code”.

The top five sites for these kinds of attacks are blogs, personal sites, business or economics pages, online shopping venues and educational references.

It could be that the largest of these – the blogs and personal communications sector at 19.8 per cent – are the least well defended because they tend to be utilised by their owners as a communications platform and journal rather than a money-making enterprise.

This theory seems to be backed up by the fact that the second-largest proportion of legitimate sites infected with malware is personal hosting services on 15.6 per cent – a result that seems to follow a noticeable trend.

It could be that the activities the pages are meant to support have a direct effect on the amount of effort that is put into ensuring their safety for visitors.

People who are in charge of commercial sites and sales channels – ten per cent and seven per cent respectively – are more experienced with controlling how their back end is accessed and how to defend against malicious activities.

The difference is that – while it is in everyone’s best interests to protect repeat visitors to online venues – commercial concerns simply have more to lose by allowing their customers and clients to suffer from their lack of in-depth vulnerability management schedules.

That being said, the fact is that 17 per cent of legitimate sites infected with malware belong to enterprises that either trade goods and services or relay economic and financial information to their customers.

This means that every incident of infection has the potential to disrupt their flow of income – be it from advertising revenue or customer transactions.

LinkedIn reassures users that their information is secure


June 14, 2012

Professional social networking site LinkedIn has moved to assure users that their information is secure, following a highly publicised security breach earlier this month.

“By now, many of you have read recent headlines reporting that 6.5 million LinkedIn hashed passwords were stolen and published on an unauthorised website,” wrote LinkedIn director Vicente Silveira, in a blog post dated June 9.

“We take this criminal activity very seriously so we are working closely with the FBI as they aggressively pursue the perpetrators of this crime.”

Silveira pointed out that no usernames were paired with the leaked passwords, and said that he had received no reports of accounts being breached as yet.

He also claimed that LinkedIn recently upgraded its security protocols. Stored passwords are now hashed and salted in order to provide an extra layer of protection, a commonly recognised best-practice in the security industry.

Following the breach, many experts criticised the LinkedIn team for not taking more care in guarding user information.

LinkedIn has responded by pointing out that all compromised passwords were deactivated immediately and that all users whose information was put at risk have been contacted.

However, Andrew Conway, from security website CloudMark, is reporting that four per cent of affected LinkedIn users incorrectly marked that email as spam and did not take heed of the instructions it contained.

Even minor security breaches can have a major impact on a business’s reputation. Customers expect complete security when operating in the online environment and it is the responsibility of the company to ensure its private information is safe.

Penetration testing is often a good way to fully evaluate the security protocols that your business has in place, by finding any potential backdoors and access points before they are exploited by cyber criminals.

Blogger Vincenzo Cosenza recently released his world map of social network popularity, and found LinkedIn to be the second most popular online networking option in Australia, behind only Facebook.