by zer0x0ne — on


some of my favourite websites: null byte, the hackers news, hackaday, pen test partners, cso online, infosec writers, security week, xkcd

wonder how to - null byte

Retrieved title: Null Byte « WonderHowTo, 3 item(s)
How to Phish for Social Media & Other Account Passwords with BlackEye

Social media accounts are a favorite target for hackers, and the most effective tactics for attacking accounts on websites like Facebook, Instagram, and Twitter are often based on phishing. These password-stealing attacks rely on tricking users into entering their passwords into a convincing fake webpage, and they have become increasingly easy to make thanks to tools like BlackEye. BlackEye is a tool to rapidly generate phishing pages that target social media websites, making it much easier to phish targets of opportunity on the same network. After redirecting a target to the phishing page...

Hacking macOS: How to Turn Forums into C&C Servers to Control MacBooks

An attacker can repurpose public MyBB forums to act as command-and-control servers. It only takes a few lines of code to configure a MacBook to fetch commands and send responses to websites they don't even own. Before you keep reading, know that our project is not geared toward beginners. General knowledge of HTTP request headers and POST and GET requests, as well as some experience with creating variables, functions, and conditional statements in Bash, will be helpful when following along. What Is a Command & Control Server? Botnets are a collection of compromised internet-connected...

How to Steal Usernames & Passwords Stored in Firefox on Windows 10 Using a USB Rubber Ducky

A lot of people still trust their web browsers to remember every online account password for them. If you're one of those users, you need to adopt a more secure way of managing passwords, because browser-stored passwords are hacker gold mines. With a USB Rubber Ducky and physical access to your computer, they can have a screenshot of all your credentials in their inbox in less than 60 seconds. With virtually all services moving to the internet, more and more passwords are needed to manage accounts, perform actions, interact, and view content. All of these web services have different arbitrary...

the hackers news

Retrieved title: The Hacker News, 3 item(s)
Multiple DDoS Botnets Exploited 0-Day Flaws in LILIN DVR Surveillance Systems

Multiple zero-day vulnerabilities in digital video recorders (DVRs) for surveillance systems manufactured by Taiwan-based LILIN have been exploited by botnet operators to infect and co-opt vulnerable devices into a family of denial-of-service bots. The findings come from Chinese security firm Qihoo 360's Netlab team, who say different attack groups have been using LILIN DVR zero-day

Mukashi: A New Mirai IoT Botnet Variant Targeting Zyxel NAS Devices

A new version of the infamous Mirai botnet is exploiting a recently uncovered critical vulnerability in network-attached storage (NAS) devices in an attempt to remotely infect and control vulnerable machines. Called "Mukashi," the new variant of the malware employs brute-force attacks using different combinations of default credentials to log into Zyxel NAS, UTM, ATP, and VPN firewall

How CISOs Should Prepare for Coronavirus Related Cybersecurity Threats

The Coronavirus is hitting hard on the world's economy, creating a high volume of uncertainty within organizations. Cybersecurity firm Cynet today revealed new data, showing that the Coronavirus now has a significant impact on information security and that the crisis is actively exploited by threat actors. In light of these insights, Cynet has also shared a few ways to best prepare for the


Retrieved title: Hackaday, 3 item(s)
Hackaday Links: March 22, 2020

Within the span of just two months, our world of unimaginable plenty and ready access to goods manufactured across the globe has been transformed into one where the bare essentials of life are hard to find at any price. The people on the frontline of the battle against COVID-19 are suffering supply chain pinches too, often at great risk to their health. Lack of proper personal protective equipment (PPE), especially face masks, is an acute problem, and the shortage will only exacerbate the problem as healthcare workers go down for the count. Factories are gearing up to make more masks, but in the meantime, the maker and hacker community can pitch in. FreeSewing, an open-source repository of sewing patterns, has a pattern for a simple face mask called the Fu that can be made quickly by an experienced threadworker. Efficacy of the masks made with that pattern will vary based on the materials used, obviously; a slightly less ad hoc effort is the 100 Million Mask Challenge, where volunteers are given a pattern and enough lab-tested materials to make 100 face masks. If you know how to sew, getting involved might make a difference.

As people around the world wrap their heads around the new normal of social distancing and the loss of human contact, there’s been an understandable spike in interest in amateur radio. QRZ.com reports that the FCC has recorded an uptick in the number of amateur radio licenses issued since the COVID-19 outbreak, and license test prep site HamRadioPrep.com has been swamped by new users seeking to prepare for taking the test. As we’ve discussed, the barrier for entry to ham radio is normally very low, both in terms of getting your license and getting the minimal equipment needed to get on the air. One hurdle aspiring hams might face is the cancellation of so-called VE testing, where Volunteer Examiners administer the written tests needed for each license class. Finding a face-to-face VE testing session now might be hard, but the VEs are likely to find a way to adapt. After all, hams were social distancing before social distancing was cool.

The list of public events that have been postponed or outright canceled by this pandemic is long indeed, with pretty much everything expected to draw more than a handful of people put into limbo. The hacking world is not immune, of course, with many high-profile events scuttled. But we hackers are a resourceful bunch, and the 10th annual Open Source Hardware Summit managed to go off on schedule as a virtual meeting last week. You can watch the nearly eight-hour livestream while you’re self-isolating. We’re confident that other conferences will go virtual in the near-term too rather than cancel outright.

And finally, if you’re sick of pandemic news and just want some escapist engineering eye candy, you could do worse than checking out what it takes to make a DSLR camera waterproof. We’ve honestly always numbered cameras as among the very least waterproof devices, but it turns out that photojournalists and filmmakers are pretty rough on their gear and expect it to keep working even so. The story here focuses (sorry) on Olympus cameras and lenses, which you’ll note that Takasu-san only ever refers to as “splash-proof”, and the complex system of O-rings and seals needed to keep water away from their innards. For our money, the best part was learning that lenses that have to change their internal volume, like zoom lenses, need to be vented so that air can move in and out. The engineering needed to keep water out of a vented system like that is pretty impressive.

A NES Motherboard For The Open Source Generation

As the original hardware from the golden era of 8-bit computer gaming becomes a bit long in the tooth, keeping it alive has become something of a concern for enthusiasts. There have been a succession of remanufactured parts for many of the major platforms of the day, and now thanks to [Redherring32] it’s the turn of the NES console.

The OpenTendo is a completely open-source replacement for an original front-loading Nintendo Entertainment System motherboard, using both original or after-market Nintendo CPU and PPU chips, and other still readily available components. It doesn’t incorporate Nintendo’s CIC lockout chip — Drew Littrell wrote a great article on how that security feature worked — but if you really need the authenticity there is also the NullCIC project that can simulate that component.

It’s an interesting exercise in reverse engineering as well as a chance to look at the NES at the chip level. Also for Nintendo-heads, it provides all the component footprints and schematic items in KiCAD format. Will many be built? Given that the NES was the best-selling console of its time there should be no shortage of originals to be found, but that in no way invalidates the effort put into this project. There will be NES consoles somewhere running for decades to come because of work such as this, simply remember that you don’t need to blow in the slot to make it work!

New Part Day: Battery-Less NFC E-Paper Display

Waveshare, known for e-ink components aimed at hobbyists among other cool parts, has recently released a very interesting addition to their product line. This is an enclosed e-ink display which gets updated over a wireless NFC connection. By that description, nothing head-turning, but the kicker is that there is no battery inside the device at all, as it harvests the energy needed from the wireless communication itself.

Just like wireless induction charging in certain smartphones, the communication waves involved in NFC can generate a small current when passing through a coil, located on this device’s PCB. Since microcontrollers and e-ink displays consume a very small amount of current compared to other components such as a backlit LCD or OLED display, this harvested passive energy is enough to allow the display to update. And because e-paper requires no power at all to retain its image, once the connection is ended, no further battery backup is needed.

The innovation here doesn’t come from Waveshare however, as in 2013 Intel had already demoed a very similar device with promising results. There are some more details about the project, but it never left the proof of concept stage despite being awarded two best paper awards. We wonder why it hadn’t been made into a commercial product for 5 years, but we’re glad it’s finally here for us to tinker with it.

E-paper is notorious for having very low refresh rates when compared to more conventional screens, much more so when driven in this method, but there are ways to speed them up a bit. Nevertheless, even when used as designed, they’re perfectly suited for being used in clocks which are easy on the eyes without a glaring backlight.

[Thanks Steveww for the tip!]

pen test partners

Retrieved title: Pen Test Partners, 3 item(s)
PrivEsc in Lenovo Vantage. Two minutes later


The latest and greatest Lenovo Vantage software which ships with the most recent Lenovo devices is affected by a privilege escalation vulnerability.

Vantage has been available since circa 2016, when it replaced Lenovo Solutions Centre (LSC) as the recommended platform management and system update tool for Lenovo devices. LSC was end-of-lifed back in November 2018; you may remember us reporting a privilege escalation in LSC last year.

The core of the issues lies with a directory traversal bug which can be exploited by manipulating application and plugin names to cause untrusted execution of arbitrary executables or DLLs that are under the control of an unprivileged account.

If you have got the Lenovo Vantage software running on your devices then you are advised to update to the latest version from Lenovo. The issues have been assigned CVE-2020-8319 and CVE-2020-8324.

CVE-2020-8319 and CVE-2020-8324

Lenovo Vantage depends on a service called System Interface Foundation Service. This service performs all sorts of Lenovo specific behaviours through an intricate system of plugins. These plugins perform anything from performing system updates to simple battery gauge readings and generally map to features found within the Vantage software.

Each plugin has a signed PackageManifest.xml file within its installation directory describing the plugin contract that it has to offer, in addition to whether the plugin should run under the user privilege context or the SYSTEM context. On my test laptop there appeared to be 5 plugins available that run under the SYSTEM context, one of which was the LenovoAppScenarioSystem plugin.

Plugin Manifest File:

The Contract

As mentioned, each plugin offers a contract to the underlying service, which in turn is exposed over an IPC mechanism open to any user via a UMDF driver interface. Each plugin offers many functions within the contract that is exposed over the IPC interface. In addition to the plugin contract, the service itself has its own internal contract for performing updates and other general software maintenance tasks. One such command offered by the internal contract is Install-PendingUpdates.

Typically, when new plugin updates are downloaded from Lenovo, they are eventually placed inside the %PROGRAMDATA%\Lenovo\ImController\Plugins folder with the same name as the plugin and an underscore appended.

For example, if we take the LenovoAppScenarioSystem plugin, the final pre-update folder location would end up being %PROGRAMDATA%\Lenovo\ImController\Plugins\LenovoAppScenarioSystem_.

Once the update folder has been prepared, a plugin update timer is fired every 2 minutes or roughly 180 seconds that will overwrite the files in the existing plugin folder at %PROGRAMDATA%\Lenovo\ImController\Plugins\LenovoAppScenarioSystem.

Good things come in threes twos

So, why choose the LenovoAppScenarioPluginSystem plugin to attack? The answer to this is twofold. The first reason is that Lenovo Vantage plugins can run under the context of the user or system account, as mentioned within the first part of this blog post. As its name suggests, the LenovoAppScenarioPluginSystem plugin runs under the SYSTEM context.

The second reason is signature checking.  Lenovo have put efforts in place to prevent non Lenovo signed plugins from executing.  Let’s say for example, a path traversal exploit is found, and a plugin is updated with a malicious equivalent, the idea here is to prevent the plugin from executing 😉.

OK, so let’s talk turkey. How can we exploit the LenovoAppScenarioPluginSystem plugin? We use the UMDF driver interface to send a specially crafted request to the command broker.


Due to the unchecked package name attribute, the ImController service now searches for the plugin download location at %PROGRAMDATA%\Lenovo\LenovoAppScenarioPluginSystem_. As you’ve probably already guessed, this location is writable by unprivileged users. The folder is then copied to %PROGRAMDATA%\Lenovo\ImController\Plugins\LenovoAppScenarioSystem_ ready for the timer to kick off and place the plugin into its final resting place.

The chain is broken

With a mechanism now in place to replace plugin files using an unprivileged account, we now need a way to bypass the signature checks.  Prior to any plugin DLL being loaded by the plugin broker service, the DLL is checked to ensure that it is signed by a Lenovo certificate.  If the DLL is not signed by a valid Lenovo certificate, the broker refuses to load the plugin and the request fails.

But there was something different about the LenovoAppScenarioPluginSystem plugin: it had dependencies on other DLLs, and specifically a native DLL called TouchScreenContronlDLL.dll. Analysing the plugin, it was found to import the native DLL using the DllImport attribute.

using System.Runtime.InteropServices;

namespace Lenovo.Modern.Plugins.SmartSetting.AppScenarioSettingPluginSystem
{
    public class DependDll
    {
        public static bool GetTouchScreenStatus()
        {
            int num = 0;
            // Nested block in the decompiled listing, reconstructed here as try/catch.
            try { num = DependDll.GetTouchStatus(); } catch { }
            return num == 2;
        }

        public static int SetTouchScreenStatus(bool isOpen)
        {
            if (isOpen)
                return DependDll.TouchScreenContronl(1);
            return DependDll.TouchScreenContronl(0);
        }

        // P/Invoke imports resolved at run time from TouchScreenContronlDLL.dll next to
        // the plugin; this native load was not covered by the Lenovo signature check.
        [DllImport("TouchScreenContronlDLL.dll")]
        public static extern int TouchScreenContronl(int ops);

        [DllImport("TouchScreenContronlDLL.dll")]
        public static extern int GetTouchStatus();
    }
}

Unfortunately, due to this minor oversight by Lenovo developers, the chain of trust within this Lenovo plugin ecosystem was broken. Since no additional certificate checks were performed on DLLs loaded by the plugin itself, we now have a valid attack chain. Replacing TouchScreenContronlDLL.dll with our own malicious version prior to deploying our custom plugin update would enable us to obtain privilege escalation to SYSTEM.

2 minutes later

The final step of the analysis was to determine how to call the exported GetTouchStatus function when utilising the LenovoAppScenarioPluginSystem.  It was found that each plugin can expose their own contracts to the contract broker, and below is the contract exposed by the plugin in question.

LenovoAppScenarioPluginSystem exposed contract:

With the contract now known, a broker request executing the Get-TouchScreenState command should eventually lead to the loading of the native DLL TouchScreenContronlDLL.dll which is under our control.

Now that we had all the information needed, 30 minutes of questionable C# code and a meterpreter reverse shell later, this led to a fully automated privilege escalation after waiting around 2 minutes for the update timer to trigger.

Disclosure and fix

Lenovo released an update to System Interface Foundation on the 16th of March 2020. The fix should already be installed for those that have Lenovo Vantage set to automatically update. Checks are now performed to determine if the package name is valid, and the additional native DLLs are now checked for a Lenovo certificate prior to loading the DLL.

  • 16th Jan 2020 – Details sent to Lenovo PSIRT and tracked with id LEN-30401.
  • 17th Jan 2020 – Lenovo development team confirmed vulnerability.
  • 11th March 2020 – Lenovo assign CVE-2020-8319 and CVE-2020-8324 to internal issue LEN-30401.
  • 16th March 2020 – Lenovo release update to System Interface Foundation fixing both CVEs.
  • 19th March 2020 – Fixes confirmed to be effective.
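The package-name validation that the fix describes, as an added illustration in Python (not Lenovo's or Pen Test Partners' code): the weak form trusts the name and builds the staging folder from it, the hardened form allow-lists the name and confirms the resulting folder still sits under the Plugins root. The C: drive letter, the regex and the traversal-shaped sample names are assumptions; the folder layout and the trailing underscore come from the write-up.

```python
import re
from pathlib import PureWindowsPath

# Plugin staging root from the write-up with %PROGRAMDATA% expanded; the C: drive is an assumption.
PLUGIN_ROOT = PureWindowsPath(r"C:\ProgramData\Lenovo\ImController\Plugins")

# Allow-list for a package name (assumed policy): alphanumeric start, then a bare folder
# name with no path separators, so '..', '\' and '/' can never appear.
SAFE_PACKAGE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def normalise(path: PureWindowsPath) -> PureWindowsPath:
    """Collapse '.' and '..' segments lexically; pure paths never touch the filesystem."""
    parts = []
    for part in path.parts[1:]:          # parts[0] is the anchor, e.g. 'C:\\'
        if part == "..":
            if parts:
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PureWindowsPath(path.anchor, *parts)


def is_within(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path, once normalised, is root itself or lies somewhere below it."""
    norm_path, norm_root = normalise(path), normalise(root)
    return norm_path.parts[: len(norm_root.parts)] == norm_root.parts


def naive_update_folder(package_name: str) -> PureWindowsPath:
    """Weak form: trusts the name as-is, so '..' or a rooted name walks out of PLUGIN_ROOT."""
    return PLUGIN_ROOT / f"{package_name}_"


def is_safe_package_name(package_name: str) -> bool:
    """Allow-list check, then a containment check on the folder the name would produce."""
    if not SAFE_PACKAGE_NAME.fullmatch(package_name):
        return False
    return is_within(PLUGIN_ROOT / f"{package_name}_", PLUGIN_ROOT)


def validated_update_folder(package_name: str) -> PureWindowsPath:
    """Hardened form: refuse anything that fails the allow-list or escapes the staging root."""
    if not is_safe_package_name(package_name):
        raise ValueError(f"rejected package name: {package_name!r}")
    return PLUGIN_ROOT / f"{package_name}_"


if __name__ == "__main__":
    # Constructed inputs: the plugin name from the write-up plus two traversal-shaped names.
    for name in ("LenovoAppScenarioPluginSystem", r"..\..\Escaped", r"\Windows\Temp\Escaped"):
        print(f"{name!r:35} naive -> {naive_update_folder(name)}  safe={is_safe_package_name(name)}")
```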

Introduction to Bluetooth Low Energy

Bluetooth Low Energy (BLE) is used by almost everyone in our everyday lives, from wireless headphones, to car stereos, computer keyboards and mice, and other everyday items.

Even though this standard is popular there seems a general lack of understanding of how it works and what certain terms mean. I’m going to explore some of the basic concepts and key terms to help demystify this technology.

BLE works over a short range using radio waves, in a central / peripheral configuration. This means that one central device (i.e. your phone) will send data to the peripheral devices (such as your wireless headphones).

To do this, the devices need to connect together. This is achieved by the devices advertising themselves over three different channels, which are regularly scanned by the connecting device. There are three main types of connection within BLE: connected, pairing and bonding. These have slightly different meanings:


Connected is an unencrypted one-time connection. This provides a simple connection without any security features.


Pairing is a one-time connection. During the pairing process security features are exchanged including temporary security keys so that the data is secure between the two devices. This however is only a temporary connection so once the Bluetooth is turned off, or gone out of range, the device is free to connect to any other device.


Bonding is a more permanent solution so once the pairing has been complete the devices then store the security keys and use them for all future communication. This means that for every subsequent connection after the initial pairing no keys are being transmitted between the devices.

When looking at BLE there are a few different tools that can be used to enumerate it, the most popular of these are:

  • Hciconfig – To configure Bluetooth interface
  • Hcitool – Used for scanning and discovery
  • Bleah – Can be used to enumerate Bluetooth devices
  • Gatttool – Interacting with the Bluetooth device
  • Bettercap – Interacting with the Bluetooth device
  • Bluepy – The python library for communicating directly with BLE

To start Bluetooth hacking all you need is a USB dongle, or a Raspberry Pi with a Bluetooth module (model 3 or Zero).

When enumerating a device, there are a few different headings which will often appear:


The handles are the locations in memory where the data is stored.


The characteristic is a UUID which refers to the same location in memory as the handle.


This is the information about what is allowed at each handle location. These are primarily:

  • Read
  • Write
  • Notify
  • Indicate
  • Broadcast


This is the data stored at that memory address location, it can be a message, or piece of code.

To show some of the Bluetooth terms in action, my colleague @tautology0 created a BLE CTF which was first used as a training tool at BSides LDN. The CTF looks at some of the key features of Bluetooth and how to use them.

Let’s get into this…

So after the success of hackgnar BLE challenge that I recently did which can be found here, my colleague told me that he had also created a CTF that was first used as a training tool at Bsides London.

In order to cement some of the BLE hacking knowledge previously learnt, I’m going to do this CTF. If you want to play along, the CTF is available on a sketchy google drive link!

To do the CTF it needs to be written to an SD card and inserted into a Pi that has a Bluetooth module (so 3 or Zero).

Once that Pi is up and running, connect into your Pi running Raspbian (or use a USB dongle if you can make it work) and check that the Bluetooth module is running.

sudo hciconfig

Once that is confirmed as being up, we can do a scan for all BLE devices

sudo hcitool lescan

There are a few available, but we are interested in the “BSidesLDN CTF”

From this, we now have the MAC address of the device:


Using bleah we can enumerate the device and see what’s on it.

sudo bleah -b "B8:27:EB:4E:8B:2F" -e

That runs through and we see that the creator of this is trying their hardest to be northern!

So we have a few handles that have data. My understanding is that the flags are “Digit:Code” so I think we already have the second flag


That’s a nice easy win, but where the heck is the first flag?

We can double-check that by doing a read of that 0x000c handle!

Now I’m confident that this is the second flag!

Let’s loop back round and try and find flag 1. Looking at the handles down the side, the values increase by 1, and as they are hex it goes up to 8 then up to f. So there are no gaps on the handles that look to be hiding flag 1.

Parking the first flag for the moment, let’s go and have a look at 3.

As it’s got a write attribute, let’s write some data to it, then see if we can read it back.

gatttool -b b8:27:eb:4e:8b:2f --char-write-req -a 0x000f -n $(echo -n "test" | xxd -ps)

That got written successfully. So if we read that back, we then get the flag!

Moving onto Flag 4, there is a notify characteristic; if we write some data with the --listen flag, this should bring back some data!

However, it did not!

It wrote successfully, but didn’t seem to listen or make any response. Very strange.

Trying to change the type of input:

gatttool -b b8:27:eb:4e:8b:2f --char-write-req -a 0x0012 -n $(echo -n "test" | xxd -ps) --listen

We still don’t get a response.

Reading a little more into notify on BLE, there is what is known as a CCCD which stands for Client Characteristic Configuration Descriptor, to get a notification first we need to set this CCCD to say that we want to get notifications. To do this, we need to write the correct code of 0100 to the CCCD handler, which in this case is 0x0013.

To do this, I headed into the interactive gatttools:

gatttool -I

Then connected to the device:

connect b8:27:eb:4e:8b:2f

Once there, I wrote to the CCCD, with the code of 0100 to say that I wanted notifications.

char-write-req 0x0013 0100

In interactive mode, it doesn’t need the flags, it just has “action” “handler” “data”

Then when writing to 0x0012, we get the answer back!

Using cyberchef to decode this, we get the 4th flag!

With that success, looking at flag 5, it only has the read characteristic. Reading back 0x0016 brings back the known “nowt here”, however this flag has a range of handles, going up to 0x0017, reading this higher range brings back the flag.

gatttool -b b8:27:eb:4e:8b:2f --char-read -a 0x0017|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'


Flag 6 also only has the read characteristic, reading that we get the Owt here reply.

Doing the same as before and reading one up, we get a new clue!

Ok, so let’s read 0x3000

gatttool -b b8:27:eb:4e:8b:2f --char-read -a 0x3000|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'


That’s flag 6 done!

So now I guess we really have to loop back round and try to find flag 1!

As there is no obvious gap on the device within the handlers, it can’t be stored there. Thinking about how Bluetooth works, before a connection is made, the device must advertise itself. This is what we saw on the lescan at the start. But is there any more data than just the MAC address and name of the device?

It’s possible to intercept the traffic during the scan, just as it would be with network traffic, either using Wireshark or, in this case, tcpdump.

Running tcpdump with the bluetooth interface:

sudo tcpdump -i bluetooth1 -s 0

We then run another lescan and watch the data flood in!

So looks like we have our first and final flag. This is sneaky but always worth checking what data is being transmitted at every stage, including the scan and connections!

Another decent BLE CTF, which looks at slightly different bits and hid flags in some odd places, helping to both cement knowledge and further learn about the workings of BLE!
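The CCCD value and the read-decoding pipeline used throughout this write-up, as an added Python helper (not the author's code and not part of the CTF image): it shows why the value written to the CCCD at 0x0013 is 0100 (a little-endian uint16 with the notify bit set; 0200 would request indications instead) and reproduces the awk/tr/xxd decode of a gatttool read. The sample output lines are constructed in the shape gatttool prints, not captured from the device.

```python
import struct

# CCCD bit layout (GATT Client Characteristic Configuration): bit 0 = notifications,
# bit 1 = indications. The descriptor is a little-endian 16-bit value on the wire.
CCCD_NOTIFY = 0x0001
CCCD_INDICATE = 0x0002


def cccd_value(notify: bool = False, indicate: bool = False) -> str:
    """Hex string to hand to gatttool char-write-req for a CCCD; notify only gives '0100'."""
    flags = (CCCD_NOTIFY if notify else 0) | (CCCD_INDICATE if indicate else 0)
    return struct.pack("<H", flags).hex()


def parse_cccd(hex_value: str) -> dict:
    """Inverse of cccd_value: report which deliveries a CCCD currently enables."""
    (flags,) = struct.unpack("<H", bytes.fromhex(hex_value))
    return {"notify": bool(flags & CCCD_NOTIFY), "indicate": bool(flags & CCCD_INDICATE)}


def encode_write_value(text: str) -> str:
    """Same bytes as `echo -n "text" | xxd -ps`, the form --char-write-req -n expects."""
    return text.encode("utf-8").hex()


def decode_char_read(line: str) -> str:
    """Python version of the awk/tr/xxd -r -p pipeline: hex bytes after the last ':' -> text."""
    hex_part = line.rsplit(":", 1)[1].replace(" ", "").strip()
    return bytes.fromhex(hex_part).decode("utf-8", errors="replace")


# Constructed sample lines (assumed gatttool output shapes), not captured from the CTF device.
SAMPLE_READ = "Characteristic value/descriptor: 6e 6f 77 74 20 68 65 72 65"
SAMPLE_NOTIFICATION = "Notification handle = 0x0012 value: 74 65 73 74"

if __name__ == "__main__":
    print("CCCD for notifications:", cccd_value(notify=True))        # 0100
    print("CCCD for indications:  ", cccd_value(indicate=True))      # 0200
    print("write payload for 'test':", encode_write_value("test"))   # 74657374
    print("decoded read:", decode_char_read(SAMPLE_READ))            # nowt here
    print("decoded notification:", decode_char_read(SAMPLE_NOTIFICATION))
```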

9 things to consider when staff work from home unexpectedly

Many businesses are reviewing and updating their response plans currently. Some might consider closing offices. This may be an appropriate response, but have you considered the effect on employees that have never worked from home before?

Security considerations can be quite different, as working on a desktop in the controlled environment of an office is very different from a table at home, particularly if it’s the first time.

It’s also important to balance the needs of the organisation and its continued operation with the needs of data protection and security.

Here are a few thoughts that might help you prepare your staff for unexpected remote working:

1. Phishing

We know that scammers take advantage of uncertainty around incidents. Bear in mind that some of your staff won’t be used to working remotely.

Are your staff familiar with using a VPN? If not, have you given them materials to show them what to do and more importantly what not to do? Hopefully they are using a work laptop and not a personal system, but that laptop may be unfamiliar to them.

Two factor authentication for that VPN would be a very good idea, but do you have the time to implement that in a hurry if you haven’t already?

Scammers will be keeping an eye on news reports to identify businesses that have sent staff home.

Staff may be unused to laptops & VPNs, so could be easier to phish

2. Rogue phone & email scams

Again, scammers will be alert to changes through the media. Both opportunistic and targeted attackers may contact your staff, claiming to be from the helpdesk.

They will exploit a chaotic situation to explain away inconsistencies in phone number, email format and unusual actions, such as installing software.

Prepare a briefing so that staff know what is and isn’t legitimate contact. What email addresses will you use, plus how does a staff member validate that?

3. Unexpected rogue couriers

Bold scammers may call on staff at their home address with a ‘replacement’ laptop or phone.

In the confusion, it may be difficult for newly remote staff to determine whether they are legitimate or not.

Make sure staff know in advance whether or not to expect couriers to visit

4. Staff migrating to unmanaged personal messaging systems

Whilst it’s admirable that staff will use anything to communicate and keep the organisation operating, it’s easy for WhatsApp and other unmanaged messaging systems to become the norm.

How long before sensitive data is shared on that system?

Do you have a managed messaging system in place that you could migrate to quickly, if needed? What if the corporate VPN was unavailable?

5. Staff using personal email

This is a higher risk if laptops aren’t provided – staff may misinterpret working from home as working from their home PC

It takes moments for sensitive customer data to unintentionally be sent from personal email. How do you recover from that?

Be very clear in your briefing materials to newly remote staff about use of personal email

6. Unmanaged / unauthorised cloud storage

It’s hard enough to keep unmanaged cloud storage and data sharing apps at bay in normal business operation. How do you stop it during times of upheaval and change?

Set a policy in advance that is pragmatic, that enables the organisation to operate, but does not expose data.

7. Invoice fraud may be easier to carry out

Your suppliers may be in a similar position, working from home unexpectedly, making it hard for your accounts payable personnel to validate bank account details for supplier payments.

Suppliers may have failed to plan for home working for their accounts teams, but this should not affect your validation processes.

This creates the perfect opportunity for scammers, giving them the ability to explain away changes in email addresses and phone numbers.

Brief your finance team on how to validate payment details in uncertain times.

8. IT systems may be less stable

Support staff may be stretched with a sudden increase in remote working. Outsourced support providers may struggle, particularly overseas support organisations that are less able to support their own remote working.

Instability and inability to contact support opens the door to the scammer.

Brief your staff about support protocols, particularly around authenticating inbound phone calls from your support organisation.

9. Bring on Citrix!

One quick solution to the remote working issue may be using a remote desktop. It’s worth ensuring that you have sufficient licences and hardware to support a significant uptick in users though.

Whilst you’re there, be certain that it’s well locked down, or suffer the consequences.

Do consider the consequence of a keylogger running on the remote worker’s personal computer though

infosec writers

Retrieved title: InfoSecWriters.com, 3 item(s)
Risk Management: What is it, Why is it Important, and How to do it?

Contributed by Richard Parker
Risk Management is the process whereby an organization identifies the risk, makes an assessment of the risk, identifies any mitigation that can be done to control the risk, and then decides to accept the risk or not to accept the risk. It applies to everything we do, such as our personal lives, financial institutions, organizational operations, and information security. It is important in order to ensure the protection of the organization, its assets, and more specifically the organization’s Information Technology environment. There are a few variations of the risk management process which have been developed by both commercial and government organizations. All these processes may differ in implementation and labeling but have the same essential core steps. Those steps include identification of the risk, analysis and evaluation of the risk, mitigation of the risk, acceptance of the risk that can’t be mitigated, and monitoring. When done properly, risk management can greatly reduce the amount of risk taken on by an organization and the effects of the risk.
This document is in PDF format. To view it click here.

Rate this article: 
No votes yet

Software Defined Environment: A View for the Security Practitioner

Contributed by Brian S. Rodgers
Exploring and understanding software defined services, hosted locally or off premise in a cloud provider’s data center, is a critical task that demands the Information Security (InfoSec) practitioner’s attention. A strong password and sturdy door locks may have once been adequate to secure business computing environments. The modern enterprise network, assailed by threats from many different avenues, demands a more sophisticated approach to security. Many networks have evolved from simple flat networks to complex instantiations including virtual machines, multiple sites, and diversified strata of information; each demanding different protections. Much of the literature reviewed for this effort was focused on either vendor specific offerings or pure academic works. This work will provide a foundation of cloud and software defined services from a vendor neutral position that abstracts details. Further research is required to evolve the body of knowledge for the security implications from the software defined environment and its elastic characteristics.

Social Engineering – The Human Side

Contributed by Mark Heckle
Social Engineering is one of the most widely used methods by cybercriminals to penetrate many networks across the globe. This type of attack is an easy way for criminals to infiltrate the defenses of any organization. Social Engineering attacks seem to be increasing every year due to the lack of awareness and knowledge of end-users. This sensitive data is collected through mobile devices, SMS, emails, or direct contact with a user. While prevention is almost impossible, this paper will examine the definition of social engineering, examples of Social Engineering, methods used by the attacker, the motivators of the attacker, and understanding why humans are easy prey to such attacks. Learning and understanding more about social engineering will go a long way in reducing the success of these penetration efforts.

security week

Retrieved title: SecurityWeek RSS Feed, 3 item(s)
Mozilla to Remove Support for FTP in Firefox

Mozilla is getting ready to remove support for the File Transfer Protocol (FTP) from the Firefox web browser due to security concerns.

Unprotected Database Exposed 5 Billion Previously Leaked Records

An Elasticsearch instance containing over 5 billion records of data leaked in previous cybersecurity incidents was found exposed to anyone with an Internet connection, Security Discovery reports.

Hackers Target UK Fintech Company Finastra

UK-based financial technology company Finastra is investigating a cybersecurity incident that may involve a piece of ransomware infecting some of its systems.

Finastra has over 10,000 employees and it delivers financial software to more than 9,000 customers across 130 countries, including 90 of the top 100 banks.

tech-wreck infosec blog

Retrieved title: Tech-Wreck InfoSec Blog, 3 item(s)
Digital Forensics Investigator: A Road Few Have Traveled


Security Flaws & Fixes - W/E - 3/20/20

Adobe Releases Patches for Acrobat, Photoshop (03/18/2020)
Adobe released a number of security updates for multiple products, including Photoshop, Acrobat, and Reader. The Photoshop update fixed 16 vulnerabilities that could be exploited for arbitrary code execution and six that could lead to disclosure of information. The Acrobat and Reader updates contained fixes for eight flaws that could be exploited for code execution, three for information disclosure, and one for escalating privileges on compromised systems. Other products addressed were ColdFusion, Experience Manager, Bridge, and Genuine Integrity Service. In all, 41 vulnerabilities were patched, 29 of which were considered critical and 11 important. None were under active exploitation.

Researchers Find New Vulnerability in Intel Processors (03/16/2020)
A team of computer scientists who have become adept at identifying security flaws in Intel processors have announced another discovery. The latest flaw, Load Value Injection, is a hardware virus that can be exploited at the software level. A hardware extension, Software Guard Extensions (SGX) Enclaves developed by Intel, was designed to protect the area of a computer processor where sensitive data is processed, meaning it should not be possible to execute code in this area. However, by creating software that can be smuggled or "injected" into a program the victim is running, "the attacker can take over the entire program and acquire sensitive information such as the victim's fingerprints or passwords," according to one of the researchers, Jo Van Bulck of KU Leuven. Help Net Security notes the vulnerability was discovered and communicated to Intel in April 2019, but the parties agreed not to disclose it for almost a year while Intel developed a patch. "Intel ended up taking extensive measures that force the developers of SGX enclave software to update their applications," said Van Bulck. "End-users of the software have nothing to worry about: they only need to install the recommended updates."

Trend Micro Addresses Critical Zero-Day Flaws (03/16/2020)
Trend Micro patched five critical and high severity vulnerabilities in its endpoint security solutions, Apex One and OfficeScan XG for Windows. Two of the flaws, CVE-2020-8467 and CVE-2020-8468, have each seen "at least one active attempt of potential exploitation of this vulnerability in the wild," according to the company's advisory. The first could allow remote code execution on affected installations, while the second could allow an attacker to manipulate certain agent client components. The three additional flaws (CVE-2020-8470, CVE-2020-8598, and CVE-2020-8599) have not been observed in the wild, but all rank 10 out of 10 on the CVSS scale, indicating the highest level of severity. Since exploiting these vulnerabilities generally requires that an attacker has physical or remote access to a vulnerable machine, Trend Micro says that users "are encouraged to review and ensure the product servers and management consoles are restricted to trusted networks and/or users as appropriate."

VMware Identifies Critical Code Execution Flaw (03/16/2020)
VMware says that its Horizon Client, VMRC, and Workstation for Windows as well as its Fusion Mac software contain use-after-free and privilege escalation vulnerabilities. The most serious flaw affects Workstation and Fusion and has been evaluated as critical since a successful exploitation can lead to code execution from the guest or allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine. Important flaws were also identified for Linux Guest virtual machines running on VMware Workstation and Fusion where a local privilege escalation vulnerability was discovered, and for VMware Horizon Client for Windows, VMRC for Windows, and Workstation for Windows. In these cases, the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users. Patches are available to remediate these vulnerabilities in all affected VMware products.

Data Breaches - W/E - 3/20/20

500,000 Legal, Financial Files Leaked from Unused Mobile App (03/17/2020)
More than half a million legal and financial documents were exposed through an app that is no longer in use. Researchers at vpnMentor first uncovered the database containing "highly sensitive" documents, including private legal and financial files, on an Amazon Web Services (AWS) S3 bucket that was not using any form of encryption, authentication, or access credentials. ZDNet reports that "Due to a failure to implement basic security protocols, the database permitted unfettered access to anyone with an Internet connection and the S3 bucket's address." The 425GB worth of data appears to be connected to MCA Wizard, a no longer used app associated with private equity firms Advantage Capital Funding and Argus Capital Funding. Among the information reviewed by the security team were credit reports, bank statements, contracts, legal documents, driver license copies, tax returns, and Social Security information. After unsuccessfully attempting to contact Advantage and Argus, vpnMentor reached out to AWS who closed the data access.

Open Exchange Rates Issues Notice of Data Breach to Customers (03/16/2020)
The vendor of a currency converting API used by more than 80,000 sites, including Shopify, Etsy, and Kickstarter, has fallen victim to a data breach. Open Exchange Rates informed customers that personal and/or business names and addresses, e-mail addresses, passwords, and IP addresses, along with other information, were compromised. A copy of the company's message posted on Twitter by security consultant Sylvia von Os says that "an unauthorized third party was able to gain access to our network, including a database containing user information." The intrusion occurred after "a secure access key for our Amazon Web Services infrastructure was compromised." The breach took place on February 9 but was not discovered until March 2. To address the issue, the company has reset all user passwords and customers have been advised to generate new app IDs.


Retrieved title: xkcd.com, 3 item(s)

To picture 10^18, just picture 10^13, but then imagine you connect the left side of the 3 to close off the little bays.

Coronavirus Worries

Offscreen, bottom left: Whether the custom :coronavirus: Slack react emoji you just added was public domain or whether you should have put a Creative Commons credit somewhere

Coronavirus Research

"Also, reading 500 coronavirus papers in a row and not sleeping? Probably not great for you either, but I haven't found any studies confirming that yet. I'll keep looking."