Archive

Archive for April, 2018

Web servers are still vulnerable…

April 28, 2018 Leave a comment

In a survey published on an often referenced support site for developers (Stack Overflow), they recently confirmed that JavaScript is the most popular programming language for the 6th year in a row. Almost 70% of the respondents claim that they visit searching for help on this subject so it may not come as a surprise that JavaScript is also the primary cause of vulnerabilities on websites today.

In a blog post from the vendor that brings us one of the most popular tool for hacking websites and finding vulnerabilities, Portswigger writes a great article in which they detail a number of methods that can be used to abuse JavaScript and to bypass cross site scripting mitigation by most frameworks.

There are thousands of ways that can be used to bypass XSS in websites and web developers should already know this. XSS is the number one method to compromise a browser which, in combination with privilege escalation can allow an attacker to take over your computer. Even script kiddies can capture session tokens or cookies from websites without proper security controls that can be used to login as you without even knowing your password. Here is a list of the risks in order of importance for an attacker;

  1. Account hijacking
  2. Credential stealing
  3. Sensitive Data Leakage
  4. Drive by Downloading
  5. Keyloggers/Scanners
  6. Vandalism

Don’t ignore these risks on your websites, public facing or not. If you login to a website often in your organization and it is vulnerable to cross site scripting, teach your users how to identify security risks that could be used to harvest credentials and expose them to malicious attacks. You may also want to make sure that your sites are tested to ensure they are not vulnerable to this type of attack. With Phishing attacks being the number one method that pentesters gain access to your organization, xss is the primary method being used.

 

Categories: security, Work related Tags: ,

Key services for encryption?

April 16, 2018 Leave a comment

In an effort to ensure that hackers do not load vulnerable versions of firmware, Apple uses a key service to enable testing versions of their newest firmware. This affords users the ability to try out the new firmware while they collect statistics, crash logs and other metrics. After a period of time when they are certain all of the platforms have stabilized, they remove the signing key for the older version to prevent users from upgrading/downgrading to that version.

ipsw-downgrade-iphone-6

Earlier this year, a mistake was made that allowed several older versions to be ‘available’ so that users who wanted to downgrade to older vulnerable versions could do it for a short period of time. The mistake was reversed pretty easily by removing those signatures from the public facing server.

Imagine if you could use this type of service for encryption? Encrypt your entire hard drive with a key from a remote system so that each time you need to boot it, you fetch the key and if available, you continue to boot. If it is not available, perhaps because the image was stolen and you choose to remove the signing key, anyone who came across this image would not be able to decrypt it? Imaging using this in a highly volatile infrastructure like the cloud?

Well, the fine folks from RedHat have now done this with the Linux Unified Key Setup (LUKS) system. With RHEL 7.5 there is a new service called Network Bound Disk Encryption (NBDE) that will auto magically mount your LUKS enabled root partitions using a third party key service. Loose your disk image and you don’t have to worry about someone else booting it up and/or mounting and decrypting the data on it.

Now that is smart! – https://rhelblog.redhat.com/tag/nbde/

 

Categories: General