Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

CloudTweaks News

The Meaning Of Secure Business Agility In The Cloud
CloudTweaks News
As cloud continues to accelerate business delivery and shift the balance of power away from IT and InfoSec to business users, organizations need to find ways to ensure that security is part of a business process rather than an afterthought. Today's ...


Apple has squashed a bug in its iOS operating system that made it possible for hackers to impersonate end users who connect to websites that use unencrypted authentication cookies.

The vulnerability was the result of a cookie store that iOS shared between the Safari browser and a separate embedded browser used to negotiate the "captive portals" that many Wi-Fi networks display when a user first joins. Captive portals generally require people to authenticate themselves or agree to terms of service before they can gain access to the network.

According to a blog post published by Israeli security firm Skycure, the shared resource made it possible for hackers to create a booby-trapped captive portal and associate it with a Wi-Fi network. When someone with a vulnerable iPhone or iPad connected, the portal could steal virtually any HTTP cookie stored on the device. Skycure researchers wrote:



A MIKEY-SAKKE message is sent from the initiator to responder. (credit: benthamsgaze.org)

A security scheme that Britain's spy agency is promoting for encrypting phone calls contains a backdoor that can be accessed by anyone in possession of a master key, according to an analysis published Tuesday by a security expert at University College in London.

The MIKEY-SAKKE protocol is a specification based on the Secure Chorus, an encryption standard for voice and video that was developed by the Communications Electronics Security Group, the information security arm of the UK's Government Communications Headquarters. British governmental officials have indicated that they plan to certify voice encryption products only if they implement MIKEY-SAKKE and Secure Chorus.

According to Steven J. Murdoch, a Royal Society University Research Fellow in the Information Security Research Group of University College, MIKEY-SAKKE contains a backdoor that allows communications to be decrypted in bulk. It can be activated by anyone who has access to a master private key that's responsible for generating intermediate private keys. Because the master key is required to create new keys and to update existing ones, network providers must keep the master key permanently available.


Cisco Security Advisory: Cisco Modular Encoding Platform D9036 Software Default Credentials Vulnerability

[SECURITY] [DSA 3450-1] ecryptfs-utils security update

Cisco Security Advisory: Cisco Unified Computing System Manager and Cisco Firepower 9000 Remote Command Execution Vulnerability

[CVE-2016-1926] XSS in Greenbone Security Assistant ≥ 6.0.0 and < 6.0.8

When you are performing a penetration test, you need to learn how your target works: what kind of technologies and tools are used, how internal usernames are generated, the email address format, ... Gathering such information is called the reconnaissance phase. Once you have collected enough details, you can prepare your different scenarios to attack the target. All pentesters have their personal toolbox that has been enhanced day after day. In many cases, there is no real magic: to abuse or get around security control x, use tool y. But there is also a question of chance... Lucky people can discover security issues by chance. This also applies to bad guys.

A goldmine for the pentester is temporary directories. Almost all software uses temporary files to perform its tasks. Users like to use them to exchange files with colleagues. I'll give you two real examples:

In a recent mission, I took control of a workstation connected to the Windows domain, then I started to collect juicy data by browsing all the file shares. The customer implemented access controls and access to files was restricted at group level (example: only the IT team was able to access the I: drive containing technical documentation about the infrastructure). However, some people exchanged IT-related files via the T: share and they were still available during the pentest.

Another one? When pivoting from workstation to workstation on a LAN, I discovered a screenshot on a user's desktop. This screenshot was a domain controller admin page which listed all the domain administrators. I just had to track them and, once a valid session was found, extract the user's password with Mimikatz to get domain admin privileges.

On Linux systems, the /tmp directory is usually cleaned at boot time or via a cron job (files older than x days are removed), but other places like /var/tmp and /usr/local/tmp are not cleaned by default! It is easy to schedule the following command at regular intervals. It will delete files from /tmp that haven
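The scheduled clean-up described above, written out as a small POSIX shell script that can be called from cron for /var/tmp or /usr/local/tmp. This is an added example, not the diary's own command: the function names, the 7-day threshold and the constructed scratch files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the diary's own command: purge files under a temporary
# directory that have not been modified for N days, the job you would run from
# cron for /var/tmp or /usr/local/tmp. Function names, the 7-day threshold and
# the demo file names are assumptions made for this example.

# purge_stale_tmp DIR DAYS [dry]
# Prints the number of regular files under DIR older than DAYS days and, unless
# the third argument is "dry", deletes them together with subdirectories that
# are left empty. DIR itself is never removed.
purge_stale_tmp() {
    dir=$1
    days=$2
    mode=${3:-delete}
    [ -d "$dir" ] || { echo "purge_stale_tmp: $dir is not a directory" >&2; return 1; }
    # -xdev: stay on one filesystem, so anything mounted under DIR is untouched.
    # -mtime +N: modification time more than N*24 hours in the past.
    n=$(find "$dir" -xdev -type f -mtime +"$days" -print | wc -l | tr -d ' ')
    if [ "$mode" != "dry" ]; then
        find "$dir" -xdev -type f -mtime +"$days" -delete
        find "$dir" -xdev -mindepth 1 -type d -empty -delete
    fi
    echo "$n"
}

# make_demo_tmp: build a constructed scratch tree (one fresh file, two stale
# files backdated to 2016-01-01) and print its path.
make_demo_tmp() {
    d=$(mktemp -d)
    mkdir -p "$d/build/cache"
    printf 'in use\n' > "$d/session.lock"
    printf 'stale\n'  > "$d/build/cache/obj.o"
    printf 'stale\n'  > "$d/dump.sql"      # the kind of file that must not linger
    touch -t 201601010000 "$d/build/cache/obj.o" "$d/dump.sql"
    echo "$d"
}

# Demo: dry run first, then the real purge, then remove the scratch tree.
demo=$(make_demo_tmp)
echo "would remove: $(purge_stale_tmp "$demo" 7 dry) file(s)"
echo "removed:      $(purge_stale_tmp "$demo" 7) file(s)"
ls -R "$demo"
rm -rf "$demo"
```

Run it with the "dry" argument first on a real system: the filter only touches regular files, so sockets and named pipes are skipped, but a lock file that a long-running service created weeks ago would be counted as stale and deleted. A crontab entry such as `0 4 * * * /usr/local/sbin/purge_stale_tmp.sh` (path assumed) calling `purge_stale_tmp /var/tmp 7` is all that is needed once the dry run looks right.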

On Ubuntu, files in /tmp are cleaned at boot time via the variable TMPTIME= in /etc/default/rcS. Be sure to check how your Linux distribution takes care of /tmp. For Windows, it's even worse: there is no automatic deletion of files stored in %TEMP%. A scheduled task can wipe it:

    rd %TEMP% /s /q

On a file share, PowerShell can apply the same idea with an age threshold; the first step is to define the cut-off date and the path:

    PS C:\> $days = (Get-Date).AddDays(-7)
    PS C:\> $path = "T:\"

Some best practices:

  • By definition, temporary files must have a very short lifetime.
  • Do NOT share sensitive data via fileshares (database dumps, backups, passwords lists, ...)
  • Once you have finished working with temporary files, don't forget to delete them.
  • If you need to exchange files with colleagues via a shared folder, keep in mind that other people can often read them.
  • Change the permissions to restrict access to authorized users/groups only, via chmod / chown on UNIX or icacls on Windows (or the GUI).
  • Encrypt sensitive data (internally, a password protected zip file will be enough in most cases).
  • On Unix, use umask to change the default permissions of created files.
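The last three points of the list (restricting a shared folder with chmod/chown, checking what other people can read, and the effect of umask on new files) as one added shell example. This is not code from the diary: the function names, the constructed exchange folder and the optional group argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the diary: the permission side of the best practices
# above. It shows what umask does to a newly created file, finds files in a
# shared folder that anyone on the box can read, and restricts the folder to
# its owner and one group with chmod/chgrp. Function names, the demo files and
# the group name (if one is passed) are assumptions made for this example.

# mode_of PATH: print the permission bits in octal (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# create_with_umask UMASK PATH: create an empty file under UMASK and print the
# mode it ends up with. A new regular file starts from 666 and the umask bits
# are cleared from that, so 022 gives 644, 027 gives 640 and 077 gives 600.
create_with_umask() {
    ( umask "$1" && : > "$2" )   # subshell: the umask change does not leak out
    mode_of "$2"
}

# world_readable DIR: list regular files under DIR with the "other read" bit
# set, i.e. readable by every local account regardless of group membership.
world_readable() {
    find "$1" -type f -perm -004
}

# lockdown_share DIR [GROUP]: directories 750, files 640, optionally owned by
# GROUP. Members of GROUP can read, everyone else gets nothing.
lockdown_share() {
    if [ -n "${2:-}" ]; then
        chgrp -R "$2" "$1"
    fi
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Demo on a constructed exchange folder holding two carelessly shared files.
share=$(mktemp -d)
mkdir "$share/backups"
printf 'example-password\n' > "$share/passwords.txt"; chmod 644 "$share/passwords.txt"
printf 'INSERT INTO users ...\n' > "$share/backups/dump.sql"; chmod 666 "$share/backups/dump.sql"
echo "before: $(world_readable "$share" | wc -l | tr -d ' ') world-readable file(s)"
lockdown_share "$share"
echo "after:  $(world_readable "$share" | wc -l | tr -d ' ') world-readable file(s)"
echo "umask 077 -> $(create_with_umask 077 "$share/notes.txt")"
rm -rf "$share"
```

The audit in `world_readable` is the check to run against an existing share before tightening it: it answers the diary's "often other people could read them" concretely. Setting a umask such as 027 or 077 in the shell profile fixes the problem for files created from then on; `lockdown_share` handles what is already there.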

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

