Good Morning,
This week we talked about firewall rules and the differences between the configurations on Windows and those of Unix/Linux. The concepts were the same between both styles of operating systems; however, the logging configurations that notify us via log entries were drastically different.
Thinking of the tools we have used so far, what were some similarities between these two operating systems?
In The News:
- This week, I’ll leave it to all of you to find interesting things in the news…
The slides from this week: Week_13
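The point above about log entries looking very different on the two platforms is easiest to see side by side. The following is an added example (not from the course slides) that normalises a constructed iptables LOG line and a constructed Windows Firewall (pfirewall.log) line into one record format, so the same "dropped inbound connection" check can run over both; the sample lines, host name and addresses are made up.

```python
import re

# Constructed sample lines, not real captures. On Linux a rule such as
#   iptables -A INPUT -p tcp --dport 445 -j LOG --log-prefix "FW-DROP: "
# writes key=value pairs to the kernel log; on Windows
#   netsh advfirewall set allprofiles logging droppedconnections enable
# writes space-separated W3C-style rows to pfirewall.log.
IPTABLES_LINE = ("Apr 17 09:12:33 host kernel: FW-DROP: IN=eth0 OUT= "
                 "SRC=203.0.113.5 DST=192.168.1.10 LEN=52 TTL=64 PROTO=TCP "
                 "SPT=51234 DPT=445 WINDOW=8192 SYN URGP=0")
PFIREWALL_LINE = ("2018-04-17 09:12:33 DROP TCP 203.0.113.5 192.168.1.10 "
                  "51234 445 52 S 1234567 0 8192 - - - RECEIVE")

IPT_KV = re.compile(r"(\w+)=(\S*)")
# Column order declared by the '#Fields:' header of pfirewall.log.
PF_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
             "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

def _port(value):
    return int(value) if value not in (None, "-") else None

def parse_iptables(line):
    """iptables LOG target: free-text prefix followed by key=value pairs."""
    body = line.split("kernel: ", 1)[1]            # drop syslog timestamp/host
    prefix, _, fields = body.partition(" IN=")      # prefix is whatever --log-prefix set
    kv = dict(IPT_KV.findall("IN=" + fields))
    return {"source": "iptables",
            "action": "DROP" if "DROP" in prefix.upper() else "ACCEPT",
            "proto": kv.get("PROTO"), "src": kv.get("SRC"), "dst": kv.get("DST"),
            "sport": _port(kv.get("SPT")), "dport": _port(kv.get("DPT"))}

def parse_pfirewall(line):
    """Windows Firewall log: one positional row per packet; '#' lines are headers."""
    if line.startswith("#"):
        return None
    rec = dict(zip(PF_FIELDS, line.split()))
    return {"source": "pfirewall",
            "action": rec["action"], "proto": rec["protocol"],
            "src": rec["src-ip"], "dst": rec["dst-ip"],
            "sport": _port(rec["src-port"]), "dport": _port(rec["dst-port"])}

def dropped_inbound(lines):
    """Normalise a mixed batch of lines and keep only the dropped connections."""
    out = []
    for line in lines:
        rec = parse_iptables(line) if "kernel: " in line else parse_pfirewall(line)
        if rec and rec["action"] == "DROP":
            out.append(rec)
    return out
```

Once both formats map onto the same fields, a single rule such as "alert on repeated drops to port 445 from one source" covers both fleets.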
Fred Zajac says
https://www.us-cert.gov/ncas/alerts/TA18-106A
This was just released yesterday. CHANGE ROUTER DEFAULTS!
Sorry for the caps but this is important.
Russian State-Sponsored attacks are being tracked by the Department of Homeland Security. You may think it won’t happen to you, but they are scanning the entire internet for devices with these open ports.
Check out https://censys.io
It’s that quick to scan devices on the internet. FYI, this is a watered-down version. Censys is now a paid product; it was a part of the ZMAP project. I used the full version before it went paid. Much more information with paid.
You should use it to scan your IP addresses to see what is exposed to the internet.
Scott Radaszkiewicz says
Windows Servers Targeted for Cryptocurrency Mining via IIS Flaw
https://www.bleepingcomputer.com/news/security/windows-servers-targeted-for-cryptocurrency-mining-via-iis-flaw/
Hackers are using CVE-2017-7269 to take over servers. This is a vulnerability discovered by two Chinese researchers in March 2017 that affects IIS’ WebDAV service. At the time it was discovered last year, the flaw was a zero-day, being under heavy exploitation for almost nine months, since June 2016.
Microsoft initially said it was not planning to fix the flaw because IIS 6.0 was end-of-life, and so were the operating systems that shipped with IIS 6.0 by default — Windows XP and Windows Server 2003.
But the vulnerability shared some common traits with the EXPLODINGCAN NSA exploit leaked in April 2017 by the Shadow Brokers, and it eventually received a fix in mid-June 2017.
Since then, it’s been used by at least one threat actor to deploy Monero miners on Windows servers still running the old IIS 6.0 version.
Just one more reason to ensure you don’t have Windows XP running!!
Patrick DeStefano (tuc50677) says
With the recent upswing in cryptocurrencies over the past year, it’s no wonder that these types of operations are picking up as well. Hackers are beginning to exploit any weakness they can find to harness as much computing power as possible to mine cryptocurrencies. It’s just one more thing that cyber professionals need to keep in mind to secure their environments in today’s ever-changing world.
Donald Hoxhaj says
Scott,
Nice article to ponder upon how safe our Windows systems are. More than 30% of organizations among the Fortune companies use Windows Servers to run their internal systems, and I am surprised how this was allowed to be shipped even after the vulnerability was discovered by Chinese researchers. Microsoft should have rather immediately patched the existing systems using servers or stopped shipment of new machines.
Patrick DeStefano (tuc50677) says
Could Russia and West be heading for cyber-war?
http://www.bbc.com/news/technology-43788114
There is a stalemate going on in cyber warfare as Russia vs. the UK & US position themselves to attack each other. Russia has been known to set its aims on gaining knowledge and positioning itself to be able to easily attack infrastructure systems in other countries, while the US and UK position themselves in a similar manner against Russia. It’s like a cold war, only in a cyber world. This scenario and article highlight the real-world need for cyber security professionals. When governments face off with each other, similar to real bombs-and-bullets combat, it’s not only the governments who suffer. Businesses and innocent bystanders often get caught up in the mix. A government could intend to hack or implant malicious code or viruses onto an infrastructure system; however, all the different vendors and partners who are connected to that utility may become infected as well. Even if a company is not high risk on its own, its association with others can increase the risk and make it a target in and of itself.
Patrick DeStefano (tuc50677) says
This is how it feels to face a major cyber attack
https://www.zdnet.com/article/this-is-how-it-feels-to-face-a-major-cyber-attack/
These classes are good introductions into the world of cyber-security, and some, in my opinion, focus on way too technical things. That being said, the only true real-world experience is to actually live through these types of things. We can examine and learn from the mistakes of others who have been through an attack as well, to better prepare ourselves. The article depicts observations and experiences from employees at the UK National Health Service as well as Parliament when attacks happened. Among other things, a major issue brought up is that they wish the procedures and disaster recovery plans had been more thoroughly tested to prevent confusion and miscommunication during an attack.
Sev Shirozian says
Found an article where a casino was hacked through a fish tank water temperature thermometer. With the world of IoT growing, this is just another example of someone getting hacked through a 3rd-party device installed with an operating system that wasn’t patched, or probably had the default login and password enabled. They used it to grab the high rollers’ database. Doesn’t look like the name of the casino is being disclosed at this time.
https://www.dailydot.com/debug/casino-hack-fish-tank/?utm_content=casino-hack-fish-tank&utm_medium=syndication&utm_source=LinkedIn&utm_name=linkedin-syndication
Sev Shirozian says
Similarities between these two operating systems:
Both Windows and Linux operating systems have the concept of privileged users. In the case of Linux it’s the root user, and in the case of Windows it’s an Administrator.
For security, Windows uses Access Control Lists and Linux uses the concept of read/write/execute permissions.
Both Windows and Linux Operating Systems can support both Type 1 and Type 2 hypervisors.
Both Windows and Linux have native firewalls installed on them, Windows Firewall and iptables.
Both Windows and Linux can have a graphical user interface. Windows has one by default; with Linux you can use GNOME or KDE.
Donald Hoxhaj says
Samba Vulnerability could usher in another WannaCry Worm
https://www.silicon.co.uk/security/samba-security-vulnerability-213007/
Even before the world recovered from the most popular ransomware, the WannaCry virus, a new flaw has been discovered in the Samba networking protocol which may possibly make thousands of computers vulnerable to security risks like the WannaCry virus. The U.S. Department of Homeland Security urged system administrators to take action to close this back door, as it could provide a flaw through which malicious files can be uploaded onto a server or system and used to execute remotely.
What is Samba? – Well, it is a free networking protocol for UNIX, Linux and Windows. We need to be more concerned about Samba than WannaCry, as it can exploit many more operating systems based on UNIX or Linux. Samba has already released a patch to fix the risk, but it is completely the system administrator’s choice to download and apply it.
“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it,” said Samba’s advisory. This is a security concern that should be taken care of, but there are no reported attacks as of now.
Donald Hoxhaj says
Identity Management Category: Privileged Identity Management
https://securityboulevard.com/2018/04/identity-management-category-privileged-identity-management/
Over the years, several markets have evolved in different sectors of the identity management space. Their number keeps growing; some have emerged and some have disappeared along the way. The privileged identity management category of identity management may be joining the disappearing ones. Let’s dig up some information about IAM to witness this.
Identity management started with the LDAP protocol in the early 1990s, with the X.500 directory used in conjunction with the Directory Access Protocol (DAP). X.500 was not widely adopted, as it was not the easiest to implement, yet it allowed IT admins to securely authenticate users to resources. As the IT world started to change with the affordability of desktop computers and the Internet, LDAP was developed to replace DAP in order to work with the smaller bandwidths that these new IT resources make use of. Although LDAP caught on and worked well, IT organizations were still experimenting with networking their MS Windows PCs together, but two major identity management innovations of the LDAP protocol emerged, namely Microsoft Active Directory (AD) and OpenLDAP. They both enabled IT admins to overcome the problem of access to Windows machines, applications, and even the network.
Donald Hoxhaj says
End to end cybersecurity from gateway to endpoints
http://techwireasia.com/2018/04/end-to-end-cybersecurity-from-gateway-to-endpoints/
Hackers rely more on online crime, as it is less risky in terms of detection and the criminal’s personal safety. It is far safer for the cybercriminal than robbing a bank, which involves too many entities to be considered. As many hacking attacks are directed towards the endpoint, it can be considered one of the vital components of cybersecurity. We can consider these examples of such attacks:
- Data deletion – ransomware threatens the user with deleting his entire data unless he pays a huge amount as a bounty, and even encrypts it if the user refuses their demands.
- Resource enslavement – programming a bot and releasing it onto the endpoint can be a more profitable crime.
In order to overcome these risks, we can consider these two security solutions:
KASEYA – It offers network management-as-a-service, a new wave of service-based solutions combined with its pay-as-you-use pricing.
WATCHGUARD – It is available as a physical installation of hardware or as cloud-based devices and offers its services to a wide range, from single pieces of desktop technology to rack-mounted powerhouses.
Satwika Balakrishnan says
iOS Trustjacking – A Dangerous New iOS Vulnerability
https://www.symantec.com/blogs/feature-stories/ios-trustjacking-dangerous-new-ios-vulnerability
This article is about a new attack called Trustjacking which affects iPhone and iPad users. There is an iTunes Wi-Fi sync feature in iOS that allows users to sync their iPhones or iPads to a computer. So, if you enable this feature by mistake while you are connected to a public computer, then the computer owner can gain control of your device if the computer and the iOS device are connected to the same network, even when you have disconnected the device from the computer.
Patrick DeStefano (tuc50677) says
This is something that has actually been on my mind a lot lately. It’s truly a bit traumatizing that this can even be enacted without your knowing on your own computer and have images or videos sent elsewhere of your phone usage. After reading this article, I downloaded SEP Mobile and am actually in the process of downloading a security update on my iPhone as I write this.
I hate to admit that I had always fallen into the group who just says “I have an Apple, I don’t need protection,” but after everything I’ve learned, I now know that it’s not the case in reality. Time to get protected.
Fraser G says
https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a
Piercing the Veil: Server Side Request Forgery to NIPRNet access
Interesting story of a white hat breaking into NIPRNET, which is the Dept. of Defense’s secure (?) private network, using a server-side request forgery vulnerability found in Jira (bug tracking / software dev project mgmt). Worth a read for anyone interested in pentesting.
Lessons here? Ethical hacking and bug bounties are an important part of security. Also, having a staff that is interested in security outside of just “my job” and following the news (in this case the exploit was mentioned on Twitter and the ethical hacker noticed it). Further reinforcement that human resources are a crucial part of security.