Wednesday, September 20, 2017

Tag: Penetration Testing

Neutralization reaction

Corporate information security services often turn out to be unprepared: their employees underestimate the speed, secrecy and efficiency of modern cyberattacks and do not recognize how ineffective the old approaches to security are.

And if there is no clear understanding of what sort of incident it is, an attack cannot be repelled. We hope that our recommendations about identifying incidents and responding to them will help information security specialists create a solid foundation for reliable multi-level business protection.
“Red Team” members were fired as they stepped off stage after presenting an internal attack tool.

APT Trends report Q2 2017

Since 2014, Kaspersky Lab's Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors.
Kaspersky Lab is currently tracking more than a hundred threat actors and sophisticated malicious operations in over 80 countries.

During the first quarter of 2017, there were 33 private reports released to subscribers of our Intelligence Services, with IOC data and YARA rules to assist in forensics and malware-hunting.
Open-source Metasploit penetration testing framework gets new hardware support, enabling researchers to target IoT.
New hardware bridge extends penetration testing tools' capabilities into the physical world.
Oracle is patching a long list of different vulnerabilities in its software portfolio.

This time, it's the Oracle E-Business Suite that is getting the most patches. Oracle is out with its first Critical Patch Update (CPU) for 2017 and it's a big one.
I...
Want to make a cool $20,000? All you have to do is hack the Nintendo 3DS, a handheld console that’s been out for a few years already.

A listing on HackerOne spells everything out: Hackers will receive a cash payment for discovering a vulnerability in the system, which does let gamers make purchases and stores private information like your age and gender.

There’s a range for this, of course—some discoveries will pay $100.

Also, anyone who files a report must follow the exact template. It makes you wonder—why would a major Japanese corporation offer a reward like this? Why is it even worth the expense, especially when you know they have internal security researchers? Many companies, including Apple, Uber, and Yelp, regularly offer bounties. One report said Apple would pay as much as $200,000 if you find an exploit in the new iPhone.

The expense is obviously worth it or the bounty programs—and sites like HackerOne—wouldn’t exist. “The main advantage is that you get researchers that think like a hacker and will try to find vulnerabilities like a hacker,” says Alvaro Hoyos, the CSO at OneLogin, an identity and access management company. “This helps you identify issues that either your internal or external penetration testing teams might miss, not just because of that hacker frame of mind, but also because you have a greater quantity of researchers constantly testing your systems.” Chris Roberts, the chief security architect at Acalvio Technologies, an endpoint protection company, says the rise of hacking bounties is due to how the community has become more organized and helpful.
Sites like BugCrowd and BugSheet have made it easier for larger firms to post a bounty, accept research findings, and pay the researcher. He tells CSO that he has been paid about $3,000 to $5,000 to find a vulnerability, although in some cases the company only gives him a warm thanks.
In some cases, a bounty for his team has run as high as $25,000 to find a bug a hacker could expose.

Challenges in offering a bounty

Roberts noted that companies are not always prepared to offer a bounty or set up the bounty program. One big challenge is finding the right bounty amount to match the vulnerability. “This can lead to some unpleasant exchanges with researchers,” he says. “You will have to properly manage the input, the responses and the findings—even though you are now hoping that your IT security budget is lower. You will have to staff up to work through the submitted results or risk the wrath of people getting fed up not getting a response.” In some cases, hackers will not want to be identified and may not want to work with a corporate legal team once a bug is discovered, he says. Not all researchers want to read through a complex reporting template that spells out every detail.

And, if the program is not configured properly (say, having a test environment only for the researchers), real attacks might be hard to discern. Hoyos says one potential challenge to a bounty is that it can call attention to the new service, gadget, or app.
It could alert a criminal hacker that a company like Apple or Uber knows there could be a vulnerability, even if that’s not necessarily true. “If your company lacks the resources to close out bugs being reported in a timely manner, you are, in theory, letting more and more third parties know an exploitable bug exists,” says Hoyos. “Chances that none of those third parties will disclose that bug to a malicious actor or abuse it themselves goes up as more of them become aware.

This of course is assuming the worst possible outcome and knowing what you don’t know is still extremely valuable.” Paul Innella, the CEO of TDI, a cybersecurity company, says some bounty programs go awry—hackers discover an exploit, and instead of letting the company know and collecting the reward, they sell the discovery on the Dark Web.

The bounty program created a new problem.

What to expect from both sides

Offering a bounty—or being the researcher who looks for the exploits—is also challenging because in many ways the temptation is to offer a bounty instead of hiring security professionals, running your own penetration tests, and setting up a security infrastructure. “If you’re using this methodology because you don’t understand your corporate defenses, meaning you’re not equipped to detect attacks and act upon them, then offering a bounty is not for you,” says Innella. “Bounty programs should be used by companies with robust cyber defenses and considered a part of regimental cybersecurity testing, essentially in an outsourced capacity.” Jumping into ethical hacking to find exploits is not something to take lightly, according to Nathan Wenzler, a security architect at AsTech Consulting. One important point he made: While there is a rise in the number of hacking bounties, there’s also a trend in offering lower amounts. Uber, for example, has paid a total of $819,085 since launching a bounty with a top range of $5,000 to $10,000, but the average is more like $750 to $1,000 per exploit. Still, Paul Calatayud, the CTO at FireMon, a firewall management company, says finding a zero-day exploit for a large enterprise can pay much higher—into seven figures. That’s a pretty good pay day. This story, "Why companies offer a hacking bounty -- and why there are challenges" was originally published by CSO.
There are more free information security tools than you can highlight with a fist full of whiteboard pointers. While many are trialware-based enticements designed to lure decision makers to purchase the pricey premium counterparts of these freebies, many are full-blown utilities.

A few important categories include threat intelligence tools, tools to build security in during the development stage, penetration testers, and forensics tools. Threat intelligence tools include AlienVault’s Open Threat Exchange, which collects and shares online threat intelligence as well as the Hailataxii and Cymon.io threat exchanges.

There are a variety of SAST (Static Application Security Testing) tools for security testing software applications that developers write using different languages whether C/C++, Ruby on Rails, or Python.

For penetration testing, we present the Nmap Security Scanner and the broadly useful Wireshark network protocol analyzer.
Specific forensics products include the GRR remote forensic framework, and Autopsy and SleuthKit, which analyze hard drives and smartphones, and the Volatility Foundation’s open source framework for memory analysis/forensics.
Guns, bullets, and malware samples—all now controlled under the Wassenaar Arrangement. (Aurich Lawson)

If your work involves exploiting vulnerabilities in software, congratulations—you're potentially an arms merchant in the eyes of many governments. Your knowledge about how to hack could be classified as a munition. A United States delegation yesterday failed to convince all of the members of the Wassenaar Arrangement—a 41-country compact that sets guidelines for restricting exports of conventional weapons and "dual use goods"—to modify rules that would place export restrictions on technologies and data related to computer system exploits.

And while the US government has so far declined to implement rules based on the existing convention, other countries may soon require export licenses from anyone who shares exploit data across borders—even in the form of security training. The changes governing "intrusion software" were adopted by the Wassenaar plenary in 2013, and they were set to be implemented by member countries last year.

Those changes were intended to prevent repressive regimes from gaining access to commercial malware—such as the code sold by the Italy-based Hacking Team to Sudan, and the surveillance tools from Blue Coat that were resold to Syria's Assad regime and used to catch dissident bloggers. But when the language of the new controls was passed to the Commerce Department by the State Department for implementation, the new language quickly caused consternation.
Security researchers and industry revolted at the proposed rules, calling them too broad in their definition of "intrusion software." Harley Geiger, the director of public policy at the security testing software firm Rapid7, explained: The US proposed an implementation rule [for the controls].

But it did so knowing there were problems.
So during the course of this year, they did not put forth an implementing rule because they said they did not want to put forth a rule until the problems were resolved. It soon became apparent there was no way to reconcile the concerns raised by security experts with the language of the control agreed upon by the Wassenaar members.
So the US moved to renegotiate the restrictions in March as the new round of negotiations began.

That renegotiation collapsed yesterday. Katie Moussouris, a member of the US Wassenaar delegation, CEO of Luta Security, and former chief policy officer at the bug bounty company HackerOne, said the problem lay in the language of the controls themselves.
She told Ars Technica: It's the words.

Finding precise enough language that translates well into 41 countries' domestic export laws is the challenge here.
It shouldn't surprise anyone that it will take longer than a few months of renegotiation to get consensus on the revised words. Moussouris noted that some of the changes the US wanted were approved, including "more precise 'command and control' terminology that is now in the Arrangement." The previous language could have been construed to include "more routine software," she said—including security software that is purely defensive.

The new language tightens the definition to specifically cover software that controls remote malware. Geiger agreed that there had been some beneficial changes to the Wassenaar Arrangement's language. "But those [changes] were minor," Geiger noted.

The key control language remains in place, and other countries have already begun implementing export controls based on it. Moussouris explained: There has already been a chilling effect on security researchers that we've observed over the past few years, since many are not sure how they are affected. Non-disclosure and decreasing participation among researchers based in Wassenaar countries in international exploitation competitions like Pwn2own has already been observed. As of yet, since the rules have not been implemented in the US, they've had no direct impact on US security firms.

But the rules have been a hindrance for companies with a presence in multiple countries, Geiger said. "US organizations would not have to get export licenses," he explained, "but if they're working with people in another country to receive, that person would be bound by a different set of rules.
If you're working with a partner in another country, it slows down the exchange of information." Geiger said that it could potentially affect companies trying to move data about exploits they were trying to defend against from operations in one country to another—potentially slowing their ability to respond to new threats. "The ongoing uncertainty among security practitioners and researchers will delay the passing between defenders many important exploitation techniques and malicious command and control software samples," Moussouris agreed. "The presence of these controls in their current form only serves to increase disadvantages of defenders by introducing uncertainty and potential delays in passing vital samples and analysis." Now it will be left to the incoming Trump administration to decide how, or if, to implement rules based on the existing agreement, or to return to the negotiating table to hammer out universally acceptable language that fixes the problems with the controls.

And in the meantime, security researchers and companies will have to lobby the governments that are going ahead with rules based on the control to give them more freedom to move information—or deal with the headaches of applying for export licenses.

This could apply to things like training courses for penetration testing and other skills that deal with exploits—companies are likely to run into restrictions about who they can allow to attend those classes, since passing the information to someone from out of the country could be considered the same as exporting a munition without a license. Moussouris is relatively confident that the US will return to the table to reform the restrictions. "It is impossible to predict the next administration's choices here," she said. "But if our new leadership listens to any of the tech giants who were sitting around the table at the recent tech summit, they would all unanimously support the ongoing renegotiation of the Wassenaar Arrangement, as did the bipartisan Congressional Cybersecurity Caucus co-chaired by Congressman Langevin.

This isn't just about clearing the operational path for security research or security tech companies; this is about all technological defense, and the need for Internet defenders to work together in real time across borders."
Georgia politician Brian Kemp reads at a Holocaust remembrance ceremony in the state. (Georgia.gov)

Accusations that the US Department of Homeland Security tried to hack Georgia's voter registration database are running rampant.

But until officials from that state's Secretary of State's office provide basic details, people should remain highly skeptical. The controversy erupted after Georgia Secretary of State Brian Kemp sent and publicly released a letter addressed to DHS Secretary Jeh Johnson.
In it, Kemp made a series of statements so vague in their technical detail that it's impossible to conclude any kind of hacking or breach—at least as those terms are used by security professionals—took place. "On November 15, 2016, an IP address associated with the Department of Homeland Security made an unsuccessful attempt to penetrate the Georgia Secretary of State's firewall," Kemp wrote. "I am writing you to ask whether DHS was aware of this attempt and, if so, why DHS was attempting to breach our firewall." Kemp continued: The private-sector security provider that monitors the agency's firewall detected a large unblocked scan event on November 15 at 8:43 AM.

The event was an IP address (216.81.81.80) attempting to scan certain aspects of the Georgia Secretary of State's infrastructure.

The attempt to breach our system was unsuccessful. At no time has my office agreed to or permitted DHS to conduct penetration testing or security scans of our network. Moreover, your Department has not contacted my office since this unsuccessful incident to alert us of any security event that would require testing or scanning of our network.

This is especially odd and concerning since I serve on the Election Cyber Security Working Group that your office created. As you may know, the Georgia Secretary of State's office maintains the statewide voter registration database containing the personal information of over 6.5 million Georgians.
In addition, we hold the information for over 800,000 corporate entities and over 500,000 licensed or registered professionals. As Georgia's Secretary of State, I take cyber security very seriously.

That is why I have contracted with a global leader in monitored security services to provide immediate responses to these types of threats.

This firm analyzes more than 180 billion events a day globally across a 5,000+ customer base which includes many Fortune 500 companies.

Clearly, this type of resource and service is necessary to protect Georgians' data against the type of event that occurred on November 15. The letter uses some scary language, including an "attempt to penetrate" and "breach" the agency's firewall and system plus "security event." However, nowhere does it say what gives rise to such claims.

The phrases "large unblocked scan event" and "attempting to scan certain aspects of the Georgia Secretary of State's infrastructure" are vague to the point of being almost meaningless. Many security professionals on social media are interpreting them to mean a computer with an IP address belonging to the DHS sent a request to one or more Internet ports on a Georgia Secretary of State network to see if they provided some sort of response. Such scans allow someone to know if network ports reserved for e-mail, Web traffic, and all sorts of other Internet services are responding to queries from outside services.
Security professionals and blackhat hackers alike use such scans all the time to identify vulnerable networks.
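The "scan event" in Kemp's letter is exactly the kind of thing a firewall's monitoring service is expected to flag, and the interesting question for a defender is not that ports were probed but how many distinct ports one source touched in a short time and whether any of those probes got through. The following is an added example, not code from the article or from any of the firms it names; it assumes a hypothetical one-line-per-verdict firewall log format (timestamp, ALLOW/BLOCK, src, dst, dport) and runs over constructed sample lines with RFC 5737 documentation addresses, flagging sources that reach many distinct destination ports inside a sliding time window and counting how many of those ports the firewall did not block.

```python
"""Flag port-scan-like activity in firewall logs.

Added example with constructed data. The log format below is assumed, not
taken from any real product:
    <ISO-8601 timestamp> <ALLOW|BLOCK> src=<ip> dst=<ip> dport=<port>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|BLOCK) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line; return None for lines in an unexpected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_scans(lines, window=timedelta(seconds=60), min_ports=8):
    """Return {src: finding} for every source that touched at least
    `min_ports` distinct destination ports within some `window`-long
    interval. `unblocked_ports` counts distinct ports the source reached
    with an ALLOW verdict anywhere in the log, i.e. what the scanner
    actually learned from the firewall."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        in_window = Counter()   # dport -> hits currently inside the window
        left = 0
        best = 0
        for ev in events:
            in_window[ev["dport"]] += 1
            # Slide the left edge forward until the window fits.
            while ev["ts"] - events[left]["ts"] > window:
                old = events[left]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            allowed = {e["dport"] for e in events if e["action"] == "ALLOW"}
            findings[src] = {
                "distinct_ports": best,
                "unblocked_ports": len(allowed),
                "first_seen": events[0]["ts"],
                "last_seen": events[-1]["ts"],
            }
    return findings


# Constructed sample log: one source sweeps 12 ports in 12 seconds (two of
# them answered through the firewall), one ordinary client talks to 80/443,
# and one slow source touches three ports over eight minutes.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG = [
    f"2016-11-15T08:43:{i:02d} {'ALLOW' if p in (80, 443) else 'BLOCK'} "
    f"src=192.0.2.77 dst=198.51.100.5 dport={p}"
    for i, p in enumerate(SCAN_PORTS)
] + [
    "2016-11-15T08:43:01 ALLOW src=203.0.113.10 dst=198.51.100.5 dport=443",
    "2016-11-15T08:43:09 ALLOW src=203.0.113.10 dst=198.51.100.5 dport=443",
    "2016-11-15T08:43:30 ALLOW src=203.0.113.10 dst=198.51.100.5 dport=80",
    "2016-11-15T08:40:00 BLOCK src=198.51.100.200 dst=198.51.100.5 dport=22",
    "2016-11-15T08:44:00 BLOCK src=198.51.100.200 dst=198.51.100.5 dport=23",
    "2016-11-15T08:48:00 BLOCK src=198.51.100.200 dst=198.51.100.5 dport=25",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for src, f in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {f['distinct_ports']} distinct ports in one window, "
              f"{f['unblocked_ports']} of them unblocked "
              f"({f['first_seen']} .. {f['last_seen']})")
```

With the default settings only the fast sweep is reported; widening the window and lowering the threshold (for example ten minutes and three ports) also catches the slow source while still leaving the ordinary two-port client alone, which is the tuning trade-off a monitoring service makes before calling something a "scan event."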

For instance, in the weeks following the 2014 discovery of the Heartbleed vulnerability—arguably one of the most severe security bugs ever to hit the Internet—it was network scans that allowed the public to learn that huge swaths of the Internet remained vulnerable and to identify the 300,000 specific sites that had yet to install a patch. It was the same sort of scan in 2013 that identified more than 81 million IP addresses that were exposing a networking feature known as Universal Plug and Play to the Internet at large.

The setting, which was in violation of guidelines that say UPnP isn't supposed to communicate with devices that are outside a local network, put them at risk of being remotely hijacked by people halfway around the world.

The discovery was only possible by performing a scan on every routable IPv4 address about once a week over a six-month period. As a security researcher and CEO of penetration testing firm Errata Security, Rob Graham regularly scans the entire Internet for insights about vulnerabilities. "I get these letters all the time," he told Ars, referring to the type of letter Kemp sent. While some people argue the practice is unethical or even illegal, Graham has never been sued or prosecuted for it, and Ars isn't aware of any practicing attorneys who say such scans are unlawful. (Graham does agree to stop sending IP addresses upon request by the owners of those addresses.)

Playing devil's advocate

In fairness, there's no way to be certain Kemp's letter is complaining of a network scan.

The references to penetration testing and attempts to breach the agency's system and to penetrate or breach its firewall raise the possibility of something that went beyond passive scans.
If, for example, the DHS computer attempted to exploit a SQL injection vulnerability that divulged protected data or accounts, such a move could very well run afoul of criminal hacking statutes.

Trying to exploit specific vulnerabilities in the agency's firewall might also be unlawful. Meanwhile, the phrase "large unblocked scan event" is so technically clumsy that security practitioners say it could mean just about anything. The problem with Kemp's letter is that readers have no way of knowing what gave rise to his exceptional claims. Yet despite the vagueness, the Internet is now awash with reports that the DHS tried and failed to hack Georgia's Secretary of State office, an event that if true, would amount to an extremely serious offense.

Georgia Secretary of State officials didn't respond to Ars' request for an interview.
In the absence of crucial details left out of Thursday's letter, there's little that's odd or concerning about the reported November 15 complaint, and there's certainly no evidence of an attempted breach by the DHS at this time.
PowerShell is an enormous addition to the Windows toolbox that gives Windows admins the ability to automate all sorts of tasks, such as rotating logs, deploying patches, and managing users. Whether it's specific Windows administration jobs or security-...