Blog de Seguridad de la Información de S2 Grupo
After the first two posts of the story [1] [2] where we told you about Johnny’s intentions and John’s security, in this post we are going to tell you the outcome, and give you an idea of the two characters in the story.
Johnny:
“Here I am, waiting for my boss to execute the “program” that he has asked me for and that I have prepared for him with special affection”. [Read more…]
After what was seen in the first post of this story in this one we will keep telling you what happens and we will meet the boss. Put yourselves again in that situation that Johnny told us about in the first part.
“Hello, allow me to introduce myself. I’m John, Johnny’s boss. I am aware that I have many enemies among which are surely my competitors or even my own employees. Physically, no one can touch me, I always go with my bodyguards. But technologically, anyone could try to attack my team with the objective of stealing valuable information”.
That’s why, in addition to the corporate antivirus, I decided to add one more layer of security on my computer with Sysmon & Wazuh. [Read more…]
I suggest imagining the following fictitious situation:
I am Johnny, a disgruntled employee. My boss has exploited me, he does not stop sending me tasks, he does not pay me the extra hours and, in addition, he never thanks me for the work I do … One day, fed up with the situation, I said to myself: “he’s going to find out what’s what”. And I started planning: I’m going to hack his computer and steal all the sensitive information he has. But how? After thinking the matter over: I know! I’m going to see if in the results of the internal vulnerability audits, to which I have access, his computer has some security flaw that can be exploited.
Darn! He has everything patched … and I don’t have any money for a 0 day. What I can do?
One day my boss asked me if I knew of any free program to decompress files in Windows operating systems and… [Read more…]
Usually, whenever we are auditing a web application with a poorly programmed backend, we might find SQL Injection vulnerabilities. We will mainly encounter Blind, Error-based or -if we get lucky- Union-based injections. However, it is not quite usual to find an SQLi out-of-band vulnerability.
These do not only rely on a vulnerable application, but also on being able to exfiltrate information from a different band than the website.
The fact that the results are sent through a completely different way, along with the variety of shapes that these may take; makes it quite difficult to use automated tools to exploit these kinds of vulnerabilities. Even so, in situations where the server responses are not stable or are too unreliable, it might be worth trying to exfiltrate information this way.
As an example, lets take a look at an injection found in an audit I performed recently.
This time, the vulnerability was quite weird, as the name of the parameter was sql*** –which shouted injection from miles away- but the website itself wasn’t either returning any errors nor being affected by time-based techniques. Yet, our best friend Burp active scan seemed convinced that an SQLi was going on at that specific parameter.
[Read more…]
Yesterday, CCN-CERT published the communiqué related to the re-launch of the CSIRT.es group, a forum that brings together the response teams to Spanish incidents or areas of action in Spain, and whose objective is to centralize the exchange of information and facilitate coordination between these very teams.
CSIRT.es currently consists of more than twenty teams and, as indicated in the press release, public and private actors from different sectors are represented, with different objectives … but they have many points in common; the main one, by definition, to provide a response capability to a given community. And that capability today cannot work if it is intended to operate independently and isolated from other teams: it necessarily requires direct collaboration with third parties. Beyond forums such as FIRST or TF-CSIRT, we believe that a point that enables collaboration between CSIRT and areas of action in Spain is more than interesting and necessary. [Read more…]
The tendency to “be permanently connected” places at our disposal a series of tools with which to “make our lives more comfortable” but this, in turn, exposes us to multiple threats that may negatively affect us as individuals or in our organizations. It is possible to think that this question is too internalized by those who dedicate themselves directly or indirectly to the world of security. However, the reality leads us to discover that the number of anecdotes and news related to security incidents continues to grow and, in many cases, the protagonists are precisely those who dedicate themselves to security.
In today’s post we put the focus on the impact that the information collected and published through the Strava tool has caused.
[Read more…]
Today at SAW we are not going to talk about security but about religion. About the true religion, the good one: about Unix. And about its gods: Kernighan, Ritchie, Thompson … we could cite a few. And about the tools that, in the seventies, these gods sent to us poor mortals, like the manna fallen from heaven for the chosen people.
The thing is that these gods created a real operating system, with some technically wonderful tools and a very simple philosophy: simple capabilities that combined make complex tasks. Perfection. Life is Unix running a script. More than forty years have gone by and we, poor mortals who were the chosen people, what have we done all this time? Trying to dishonor that divine legacy with artificial and useless layers (“of abstraction”, they call them, to try to make sense of them) that introduce two unnecessary problems in any “modern” technological environment: complexity, and therefore probability of error, and slowness.
Exemplary is the “true” executable, in line with the story recently commented by Rob Pike on Twitter:
$ >mytrue;chmod +x mytrue
$ ./mytrue
$ echo $?
0
$
A program whose only purpose is to always return 0. An empty executable. EMPTY. There can be nothing simpler that works, and has been for forty years … well, that’s where we mortals come in. Year 2018:
In the previous part of this series on blockchain security we looked at the risks associated with deploying autonomously executing smart contracts on a public blockchain. We also introduced some high-profile examples of attacks on smart contracts that have caused the loss of large sums of money and changed the way we look at business interactions on the blockchain.
In this episode we will review some known issues and vulnerabilities.
Using unsafe private keys is really a case of user error, rather than a vulnerability. However, we mention this nevertheless, as it happens surprisingly often, and certain players have specialized in stealing funds from unsafe addresses.
What usually happens is that development addresses (such as those used by testing tools, such as Ganache/TestPRC) are used in production. These are addresses generated from publicly known private keys. Some users have even unknowingly imported these keys into wallet software, by using the original seed words used in private key generation.
Attackers are monitoring these addresses and any amount transferred to such an address on the main Ethereum network tends to disappear immediately (within 2 blocks).
[Read more…]
In keeping with our campaign of detection and documentation of IoT botnets, a few days ago we found another threat not classified before. It was first uploaded to the VirusTotal platform on November 3 and is only detected as malicious by 4 antiviruses.
During the article, two variants of the malware will be analyzed, which differ fundamentally in their propagation. The first one was detected in our honeypot systems (specifically for the SPARC architecture). The second one is a variant of the first, which was found under the Intel x86_64 architecture, and which the Netlab360 malware lab echoed a few days ago.
As no records of its identification were found, we decided to classify it as Linux.Okiru, due to the name of its binaries.
[Read more…]
(This entry has been prepared in collaboration with Ana Marzo, from Equipo Marzo, which provided a good part of the information).
Just a couple of weeks ago Ana March, from Equipo Marzo, an attorney for whom I have great professional respect, contacted me to tell me about the publication, not expected (at least by me), of a new regulation of the Commission related to the NIS Directive, which I have called in a display of originality NIS implementation regulation.
At least it caught me by surprise (and I am sure that some of our readers will see the same thing), since I expected a transposition of the directive, not a regulation emanating directly from the Commission (which does not mean, of course, that we will not enjoy our own NIS-compliant legislation, as the legislator must be kept busy…). Given that, although in different areas, we had both coincided at the same client that fitted into the concept of digital services provider and could therefore be affected, we asked ourselves about the applicability of the regulation to this specific client. For example, is an online newspaper affected? And an online sales website? An online bingo? And the purchase-sale between individuals? Deriving the answer to these questions is the subject of this entry.
[Read more…]
