The basic security principle of keeping the attack surface as small as possible is still as important as ever, however you define your perimeter. Keeping an eye on the attack surface of the network perimeter is not an obsolete activity; it is as important today as it was twenty years ago.
When undertaking penetration testing against Internet facing systems, we often see information exposure vulnerabilities. These expose information regarding the systems under test that can, in isolation, be considered low risk as they are not directly exploitable to obtain access to systems or sensitive data.
If you manage Microsoft Exchange and OWA in your environment and you are undergoing an external penetration test or Cyber Essentials assessment, you will often be faced with the Client Access Server Information Disclosure vulnerability identified by Nessus (https://www.tenable.com/plugins/nessus/77026) or other vulnerability scanners.
I find myself writing this blog today as there are only a few references on the internet to user enumeration attacks via timing discrepancies, despite almost every site I've tested in my career being vulnerable to the weakness.
The issue is fairly obvious from the title: an application's log-in response takes a differing amount of time depending on whether or not the user is valid. But why?
This is a technical blog post on using trusted online services as delivery and command and control (C2) channels in simulated attack scenarios. Written by Geoff Jones - Director and Simulated Attack Specialist at Cyberis.
Who Needs Rep?
Larger organisations often employ reputational filtering of web traffic to defend against delivery of malicious code and the exfiltration of data if a compromise were ever to occur. It's an effective control provided by many next-generation firewalls and web proxies, including newer cloud-based solutions such as Zscaler.
Today's announcement (https://www.krackattacks.com/) of the KRACK attacks against WPA2 represents a serious security concern for all wireless networks. The de facto wireless encryption standard, which has resisted hacking attempts for 14 years, has finally fallen. Both personal and enterprise versions of the protocol are vulnerable.
Another week, another ransomware outbreak. On Tuesday, we saw another variant of ransomware spreading, worm-style, across unsecured networks within large organisations. As with the WannaCry outbreak in May, large global corporations have been affected, and infections have spread from their initially-compromised hosts across internal networks. NotPetya hasn't received as much press as WannaCry did, but from a security perspective it does, at the moment, look far more interesting.
Sanitisation of user input is essential for preventing SQL injection, regardless of the format of the supplied data. Today I'm going to look at SQL injection through a more obscure injection point: serialized PHP arrays. Taking inspiration from a finding in a recent test, I've created a small app which allows the user to upload a CSV file. This file is then converted to a PHP array, serialized and returned to the user as a hidden form field. Finally, this is posted back to the application where the supplied data is inserted into the MySQL database.
Outsourcing infrastructure to cloud service providers has fundamentally changed the face of information technology and corporate architectures in the last decade or so.
Flexible, fast-paced development. Rapid deployment. Scalability. Resilience. Minimisation of in-house hosted infrastructure. The growth of microservices and mobile technologies.
Another ransomware attack hits, this time on a scale never seen before. The spread has gone viral across a large and crucial network – the network underpinning the UK's National Health Service.
There are three main differences between this attack and previous ransomware incidents.