Tuesday, November 21, 2017

Tag: Penetration Testing

In September 2017, we discovered a new targeted attack on financial institutions.
Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia.
We're already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks.
Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we named it 'Microcin' after microini, one of the malicious components used in it.

Neutralization reaction

Corporate information security services often turn out to be unprepared: their employees underestimate the speed, secrecy and efficiency of modern cyberattacks and do not recognize how ineffective the old approaches to security are.

And if there is no clear understanding of what sort of incident it is, an attack cannot be repelled. We hope that our recommendations about identifying incidents and responding to them will help information security specialists create a solid foundation for reliable multi-level business protection.
“Red Team” members were fired as they stepped off stage after presenting an internal attack tool.

APT Trends report Q2 2017

Since 2014, Kaspersky Lab's Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors.
Kaspersky Lab is currently tracking more than a hundred threat actors and sophisticated malicious operations in over 80 countries.

During the first quarter of 2017, there were 33 private reports released to subscribers of our Intelligence Services, with IOC data and YARA rules to assist in forensics and malware-hunting.
Open-source Metasploit penetration testing framework gets new hardware support, enabling researchers to target IoT.
New hardware bridge extends penetration testing tools capabilities into physical world.
Oracle is patching a long list of different vulnerabilities in its software portfolio.

This time, it's the Oracle E-Business Suite that is getting the most patches. Oracle is out with its first Critical Patch Update (CPU) for 2017 and it's a big one.
Want to make a cool $20,000? All you have to do is hack the Nintendo 3DS, a handheld console that’s been out for a few years already.

A listing on HackerOne spells everything out: Hackers will receive a cash payment for discovering a vulnerability in the system, which does let gamers make purchases and stores private information like your age and gender.

There’s a range for this, of course—some discoveries will pay $100.

Also, anyone who files a report must follow the exact template. It makes you wonder—why would a major Japanese corporation offer a reward like this? Why is it even worth the expense, especially when you know they have internal security researchers? Many companies, including Apple, Uber, and Yelp, regularly offer bounties. One report said Apple would pay as much as $200,000 if you find an exploit in the new iPhone.

The expense is obviously worth it or the bounty programs—and sites like HackerOne—wouldn’t exist. “The main advantage is that you get researchers that think like a hacker and will try to find vulnerabilities like a hacker,” says Alvaro Hoyos, the CSO at OneLogin, an identity and access management company. “This helps you identify issues that either your internal or external penetration testing teams might miss, not just because of that hacker frame of mind, but also because you have a greater quantity of researchers constantly testing your systems.” Chris Roberts, the chief security architect at Acalvio Technologies, an endpoint protection company, says the rise of hacking bounties is due to how the community has become more organized and helpful.
Sites like BugCrowd and BugSheet have made it easier for larger firms to post a bounty, accept research findings, and pay the researcher. He tells CSO that he has been paid about $3,000 to $5,000 to find a vulnerability, although in some cases the company only gives him a warm thanks. In some cases, a bounty for his team has run as high as $25,000 to find a bug a hacker could expose.

Challenges in offering a bounty

Roberts noted that companies are not always prepared to offer a bounty or set up the bounty program. One big challenge is finding the right bounty amount to match the vulnerability. “This can lead to some unpleasant exchanges with researchers,” he says. “You will have to properly manage the input, the responses and the findings—even though you are now hoping that your IT security budget is lower. You will have to staff up to work through the submitted results or risk the wrath of people getting fed up not getting a response.” In some cases, hackers will not want to be identified and may not want to work with a corporate legal team once a bug is discovered, he says. Not all researchers want to read through a complex reporting template that spells out every detail.

And, if the program is not configured properly (say, having a test environment only for the researchers), real attacks might be hard to discern. Hoyos says one potential challenge to a bounty is that it can call attention to the new service, gadget, or app.
It could alert a criminal hacker that a company like Apple or Uber knows there could be a vulnerability, even if that’s not necessarily true. “If your company lacks the resources to close out bugs being reported in a timely manner, you are, in theory, letting more and more third parties know an exploitable bug exists,” says Hoyos. “Chances that none of those third parties will disclose that bug to a malicious actor or abuse it themselves goes up as more of them become aware.

This of course is assuming the worst possible outcome and knowing what you don’t know is still extremely valuable.” Paul Innella, the CEO of TDI, a cybersecurity company, says some bounty programs go awry—hackers discover an exploit, and instead of letting the company know and collecting the reward, they sell the discovery on the Dark Web.

The bounty program created a new problem.

What to expect from both sides

Offering a bounty—or being the researcher who looks for the exploits—is also challenging because in many ways the temptation is to offer a bounty instead of hiring security professionals, running your own penetration tests, and setting up a security infrastructure. “If you’re using this methodology because you don’t understand your corporate defenses, meaning you’re not equipped to detect attacks and act upon them, then offering a bounty is not for you,” says Innella. “Bounty programs should be used by companies with robust cyber defenses and considered a part of regimental cybersecurity testing, essentially in an outsourced capacity.”

Jumping into ethical hacking to find exploits is not something to take lightly, according to Nathan Wenzler, a security architect at AsTech Consulting. One important point he made: While there is a rise in the number of hacking bounties, there’s also a trend in offering lower amounts. Uber, for example, has paid a total of $819,085 since launching a bounty with a top range of $5,000 to $10,000, but the average is more like $750 to $1,000 per exploit. Still, Paul Calatayud, the CTO at FireMon, a firewall management company, says finding a zero-day exploit for a large enterprise can pay much higher—into seven figures. That’s a pretty good pay day.

This story, "Why companies offer a hacking bounty -- and why there are challenges" was originally published by CSO.
There are more free information security tools than you can highlight with a fist full of whiteboard pointers. While many are trialware-based enticements designed to lure decision makers to purchase the pricey premium counterparts of these freebies, many are full-blown utilities.

A few important categories include threat intelligence tools, tools to build security in during the development stage, penetration testers, and forensics tools. Threat intelligence tools include AlienVault’s Open Threat Exchange, which collects and shares online threat intelligence as well as the Hailataxii and Cymon.io threat exchanges.

There are a variety of SAST (Static Application Security Testing) tools for security testing software applications that developers write using different languages whether C/C++, Ruby on Rails, or Python.

For penetration testing, we present the Nmap Security Scanner and the broadly useful Wireshark network protocol analyzer.
Specific forensics products include the GRR remote forensic framework, and Autopsy and SleuthKit, which analyze hard drives and smartphones, and the Volatility Foundation’s open source framework for memory analysis/forensics.
Guns, bullets, and malware samples—all now controlled under the Wassenaar Arrangement. (Image: Aurich Lawson)

If your work involves exploiting vulnerabilities in software, congratulations—you're potentially an arms merchant in the eyes of many governments. Your knowledge about how to hack could be classified as a munition. A United States delegation yesterday failed to convince all of the members of the Wassenaar Arrangement—a 41-country compact that sets guidelines for restricting exports of conventional weapons and "dual use goods"—to modify rules that would place export restrictions on technologies and data related to computer system exploits.

And while the US government has so far declined to implement rules based on the existing convention, other countries may soon require export licenses from anyone who shares exploit data across borders—even in the form of security training. The changes governing "intrusion software" were adopted by the Wassenaar plenary in 2013, and they were set to be implemented by member countries last year.

Those changes were intended to prevent repressive regimes from gaining access to commercial malware—such as the code sold by the Italy-based Hacking Team to Sudan, and the surveillance tools from Blue Coat that were resold to Syria's Assad regime and used to catch dissident bloggers. But when the language of the new controls was passed to the Commerce Department by the State Department for implementation, the new language quickly caused consternation.
Security researchers and industry revolted at the proposed rules, calling them too broad in their definition of "intrusion software." Harley Geiger, the director of public policy at the security testing software firm Rapid7, explained: The US proposed an implementation rule [for the controls].

But it did so knowing there were problems.
So during the course of this year, they did not put forth an implementing rule because they said they did not want to put forth a rule until the problems were resolved. It soon became apparent there was no way to reconcile the concerns raised by security experts with the language of the control agreed upon by the Wassenaar members.
So the US moved to renegotiate the restrictions in March as the new round of negotiations began.

That renegotiation collapsed yesterday. Katie Moussouris, a member of the US Wassenaar delegation, CEO of Luta Security, and former chief policy officer at the bug bounty company HackerOne, said the problem lay in the language of the controls themselves.
She told Ars Technica: It's the words.

Finding precise enough language that translates well into 41 countries' domestic export laws is the challenge here.
It shouldn't surprise anyone that it will take longer than a few months of renegotiation to get consensus on the revised words. Moussouris noted that some of the changes the US wanted were approved, including "more precise 'command and control' terminology that is now in the Arrangement." The previous language could have been construed to include "more routine software," she said—including security software that is purely defensive.

The new language tightens the definition to specifically cover software that controls remote malware. Geiger agreed that there had been some beneficial changes to the Wassenaar Arrangement's language. "But those [changes] were minor," Geiger noted.

The key control language remains in place, and other countries have already begun implementing export controls based on it. Moussouris explained: There has already been a chilling effect on security researchers that we've observed over the past few years, since many are not sure how they are affected. Non-disclosure and decreasing participation among researchers based in Wassenaar countries in international exploitation competitions like Pwn2own has already been observed. As of yet, since the rules have not been implemented in the US, they've had no direct impact on US security firms.

But the rules have been a hindrance for companies with a presence in multiple countries, Geiger said. "US organizations would not have to get export licenses," he explained, "but if they're working with people in another country to receive, that person would be bound by a different set of rules.
If you're working with a partner in another country, it slows down the exchange of information." Geiger said that it could potentially affect companies trying to move data about exploits they were trying to defend against from operations in one country to another—potentially slowing their ability to respond to new threats. "The ongoing uncertainty among security practitioners and researchers will delay the passing between defenders many important exploitation techniques and malicious command and control software samples," Moussouris agreed. "The presence of these controls in their current form only serves to increase disadvantages of defenders by introducing uncertainty and potential delays in passing vital samples and analysis."

Now it will be left to the incoming Trump administration to decide how, or if, to implement rules based on the existing agreement, or to return to the negotiating table to hammer out universally acceptable language that fixes the problems with the controls.

And in the meantime, security researchers and companies will have to lobby the governments that are going ahead with rules based on the control to give them more freedom to move information—or deal with the headaches of applying for export licenses.

This could apply to things like training courses for penetration testing and other skills that deal with exploits—companies are likely to run into restrictions about who they can allow to attend those classes, since passing the information to someone from out of the country could be considered the same as exporting a munition without a license. Moussouris is relatively confident that the US will return to the table to reform the restrictions. "It is impossible to predict the next administration's choices here," she said. "But if our new leadership listens to any of the tech giants who were sitting around the table at the recent tech summit, they would all unanimously support the ongoing renegotiation of the Wassenaar Arrangement, as did the bipartisan Congressional Cybersecurity Caucus co-chaired by Congressman Langevin.

This isn't just about clearing the operational path for security research or security tech companies; this is about all technological defense, and the need for Internet defenders to work together in real time across borders."