Cyberis Blog

Shutting the Door on the Attacker

There's no such thing as infallible security, and preventing every single security breach is impossible.

But when a breach does happen, the steps an organisation takes next will largely determine the damage it suffers, and how the business recovers. A security team's first reaction is often to move to eject the attackers. But is that always the right strategy? Especially when it comes to advanced threats, there is a case for biding your time and gathering intelligence.

What is Cyber Essentials?

In 2012, HM Government launched the 10 Steps to Cyber Security in an effort to make clear that risks to information should be taken as seriously as financial, regulatory, legal or operational risk. The 10 Steps to Cyber Security programme provided guidance on how an organisation might approach the task of making security an integral part of its business.

The Online Extortion Trend

Over the last 12 months, ransomware has rapidly become one of the most prevalent information security threats to a vast number of organisations of any size, as well as the individual consumer. It is a highly lucrative opportunity for criminals and is claiming a growing list of victims. Indeed, at Cyberis, we have experienced a significant upward trend in incident response services and requests for our advice due to ransomware events.

PCI DSS 3.2 Arrival

Another version of PCI DSS was released by the PCI Security Standards Council on 28 April 2016 - PCI DSS v3.2. The SSC comments that the industry should expect more incremental revisions in the future, to address the changing threat and payment landscape.


Dell Certificate Blunder Not Limited to New Computers

The news that Dell has been bundling a trusted Certificate Authority (CA) on brand new computers has been widely reported in the last few days. If you have not yet caught up with the news, essentially a Dell root CA certificate has been bundled with software installed on new machines, and unfortunately the bundle also contains the corresponding private key. This means that anyone who has this private key, which is available to anyone with access to a new Dell computer, can sign any certificate that affected machines will trust.


OpenSSL "Heartbleed" Vulnerability

You may have already seen reference to the OpenSSL 'Heartbleed' vulnerability which was published this week (http://heartbleed.com/).

If you have not yet seen this advisory, this is a very serious vulnerability in OpenSSL version 1.0.1 through 1.0.1f inclusive, and when exploited this bug allows a connecting attacker to retrieve sensitive memory contents from affected servers.

Obtaining NTDS.dit Using In-Built Windows Commands

Further to our article on Password Audit of a Domain Controller, we've discovered a couple of short-cuts that greatly simplify the process.

Using the same underlying technique (Volume Shadow Service), there is an in-built command (Windows 2008 and later) that does a backup of the crucial NTDS.dit file, and the SYSTEM file (containing the key required to extract the password hashes), without the need to use VB Script, third-party tools or injecting into running processes.

Vulnerabilities that just won't die - Compression Bombs

Recently Cyberis has reviewed a number of next-generation firewalls and content inspection devices; a subset of the test cases we formed related to compression bombs, specifically those delivered over HTTP. The research prompted us to take another look at how modern browsers handle such content, given that the vulnerability (or perhaps more accurately, 'common weakness' - http://cwe.mitre.org/data/definitions/409.html) has been reported and well known for over ten years.


Egresser - Tool to Enumerate Outbound Firewall Rules

Egresser is a tool to enumerate outbound firewall rules, designed for penetration testers to assess whether egress filtering is adequate from within a corporate network. Probing each TCP port in turn, the Egresser server will respond with the client’s source IP address and port, allowing the client to determine whether or not the outbound port is permitted (both on IPv4 and IPv6) and to assess whether NAT traversal is likely to be taking place.

Testing .NET MVC for JSON Request XSS - POST2JSON Burp Extension

During a recent application penetration test on behalf of a client, one of the security vulnerabilities discovered was a stored cross-site scripting vector, delivered via a JSON request to an MVC3 controller. The malicious data (in this case a simple script tag proof-of-concept) was written to the database and subsequently echoed back to the user when viewing a number of pages within the application.