Archive

Archive for the ‘General’ Category

Cloud Database Leak Exposes 425GB of Financial Data

March 20, 2020 Leave a comment

A financial startup (known as a fintech) has put almost half a terrabyte of data in a cloud based storage for use in a mobile app.

Security specialist with concerns for the inevitable future of OpenAPI for banking have been screaming about this nightmare for years. What do we do for the 100s of 1000s of people who have now lost their financial data?

Steps should be taken to encrypt this data at rest to address this very situation WHEN it happens and not allow the use of data by fintechs without these controls. Allowing banks to encrypt all data before it is shared and sharing the keys to registered companies may be the only sure way to prevent this in the future.

https://www.infosecurity-magazine.com/news/cloud-leak-exposes-425gb-financial/

Categories: General

Think Open Source Software is secure, think again?

March 13, 2020 Leave a comment

So you thought that when all the source code was available for everyone to see, you would have a better chance of finding bugs right?

It turns out that just because everyone can read it, that doesn’t mean anyone will do anything about it? I mean, this software is created by volunteers, modified by volunteers and used by anyone who wants to use it. Who said anything about making sure it was secure?

Over 10 times as many as a decade ago!
Categories: General

Forbes: Jack Welch, Former General Electric CEO And Chairman, Dies At 84

March 2, 2020 Leave a comment

A titan in the world of management and a hero to us all.

Forbes: Jack Welch, Former General Electric CEO And Chairman, Dies At 84. https://www.forbes.com/sites/lisettevoytko/2020/03/02/jack-welch-former-general-electric-ceo-and-chairman-dies-at-84/

Categories: General

NTLMv2 – no problems

February 29, 2020 Leave a comment

I really like when someone takes the time to show how fragile our networks really are.

Use a sniffer to collect your favourite ntlmv2 challenge and plug it into your monster hashcat box. Plug it in and turn it up on high until it warms the room and soon…

Out comes your one of your corporate colleagues password! (Serve warm) 🤟

https://research.801labs.org/cracking-an-ntlmv2-hash/amp/?__twitter_impression=true

Categories: General

Cert pinning bypass on okHttp

February 24, 2020 Leave a comment

One of the security controls that mobile makes strong use of is certificate pinning.

There is a library that is commonly used by a lot of application development teams called okHttp.

Mix these two together and you have a pretty good recipe for success but what if your application isn’t built to prevent an advisary from tampering with it?

Learn how to bypass this library and defeat certificate pinning in this article.

https://captmeelo.com/pentest/2020/02/24/bypass-okhttp-cert-pinning.html

Categories: General

Hackers Were Inside Citrix for Five Months — Krebs on Security

February 23, 2020 Leave a comment

https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/

To understand why guessing a password for one of your users is so easy is to understand that your organization is only as strong as its weakest link.

Even an organization that provides security solutions like Citrix can be a victim.

Learning how to educate our users on password hygiene, investing in multi factor methods of authentication and making an investment into FIDO (https://fidoalliance.org) may be the only way we will see a return on investment in cybersecurity.

Categories: General

Docker Registries Expose Hundreds of Orgs to Malware, Data Theft | Threatpost

February 10, 2020 Leave a comment

If you were wondering how an attacker can gain access to your organization when you were so careful to validate your software and your laptops and your employees, what out for how they run your software.

Docker base images have long been the target of the more sophisticated attacker now. Let’s face it, creating and setting up tomcat to run your platform isn’t really something that any development team can do so why not use a prebuilt image? It can be so easy to setup a repository and start with a known good base image but watch out for the wolf in sheep’s clothing.

https://threatpost.com/docker-registries-malware-data-theft/152734/

Categories: General

Certificate Expiry – Doh

February 8, 2020 Leave a comment

Don’t you just hate when that happens – you have a nice, professional website that is generating revenue for your company and someone forgets to renew the TLS certificate!

Packt Publishing sure does today when it seems clear that almost all of its visitors will not be able to connect to their website.

It happens to many of us and it is due to poor certificate management. Microsoft Teams announced that they had surpassed Slack as the number one platform for messaging and collaboration but recently experienced an outage due to an expired certificate. Imagine how that affected their reputation and think of the brand impact that could have resulted in incalculable loss!

Whether you have 1 SSL/TLS Certificate protecting your website or you have setup an extensive server farm both inside and outside your organization, managing certificate renewal can bite you in the A$$.

Think strongly about a certificate management program that can alert you to thinks like certificate expiry for items like websites, Internet of Things and even network devices. With the push to ensure that we adopt https everywhere, you will need to manage certificates for almost every endpoint we use for mail, for file and print services and of course for all of the applications that use web based browsers. Even some of the desktop application are just shells that use a custom shell to deliver http based content so you may also have outage associated with certificates for some of the popular applications like Slack and Teams on your desktop.

Prevent outage by discovering and being aware of all of your certificates before someone else tells you!

Categories: General Tags: ,

Are you a Secure Programmer?

December 27, 2019 Leave a comment

Happy New Year to those of you who read this blog, and to those folks who remember my predictions about going over 20,000 unique CVEs in 2019, I trust you may agree that 2019 was a banner year for vulnerabilities. Lucent/Alcatel are among the vendors who have CVEs that have taken us over 20,000 this year (CVE-2019-20047, 20048).

It’s time to ask yourself, are the hackers getting better at ‘hacking’ or are coders just getting worse? If we are going to examine how the last half of a decade has had more than 10,000 unique vulnerabilities each year and that number keeps increasing, we will all need to come to the conclusion that programmers just don’t know how to create programs that are secure by default!

Here is a chance for some of the best and brightest programmers to change course and learn how to avoid these vulnerabilities once and for all.

A California University (UCDavis) has created an online course that can help teach the Principles of Secure Coding. In a series of four courses, developers can learn about the fundamentals, identify vulnerabilities and walk on the wildside as they learn how to hack just like the a blackhat!

Take one, two or the set of four courses and really understand how pentesters can exploit how code works so you can learn how to avoid many of the common pitfalls. https://www.coursera.org/specializations/secure-coding-practices

Categories: General Tags: , ,

OMG, I use that site!

November 20, 2019 Leave a comment

In what is clearly becoming so sad it is now funny, another popular online store was hijacked. Macy’s fell victim to a third party inclusion vulnerability and like so may big retailers before them, some of you may be victim to the scorge of the Magecart gang.

Not even the FBI can help these retailers (or more likely they don’t listen or don’t care) as more and more of them unwittingly become infected.

CyberSecurity is now becoming the most important thing to worry about as a service provider AND as an online shopper. Be careful where you tread…

More details are available from Bleeping Computer.

Categories: General Tags: ,