VMware released Workstation 15.5 Pro last night with security patches, bug fixes, performance enhancements and some added features. This release fixed an annoying bug that was preventing me from installing Kali (unless I used the pre-built image) on one of my portable machines. You can update from the built-in updater or download directly for Windows or Linux.
Help for Metasploitable
Some of you were having an issue getting Metasploitable running in VirtualBox. Found this link:
I just worked through it and verified technique works.
Data Breach Leaks 198M Car Buyers’ Personal Data
Unsecured database does it again. Perfect article for a week in which we are doing reconnaissance. This is one of the biggest car sales referrers on the market. It is amazing the amount of money that was spent on infrastructure, marketing, and analytics. So much commerce, so little care. “The unsecured database held 198 million records, including names, email addresses, phone numbers, street addresses and “other sensitive or identifiable information exposed to the public internet in plain text,” noted Fowler, who added that data, such as IP addresses, ports, pathways and storage info, could be used to further navigate the network.”
Article2: Thousands of Google Calendars Possibly Leaking Private Information Online
I found this interesting because it is related to our assignment on “reconnaissance”. The article describes the vulnerabilities of public sharing of Google calendars. Avinash Jain, a security researcher from India, said that it is convenient for organizations to share public calendars; however, these contain plenty of sensitive information such as event names, event details, locations, or even meeting links, and anyone can use a Google search hacking query to find this public information. In addition, hackers will use phishing techniques to send a fake invitation link via Google Calendar to steal private information.
Source: https://thehackernews.com/2019/09/google-calendar-search.html
SOHOpelessly Broken 2.0
An independent security consulting firm (ISE) in 2013 tested popular router and NAS devices and discovered 53 new CVEs. That study was entitled SOHOpelessly Broken as 100% of the devices had a vulnerability. This year, 13 new SOHO routers and NAS devices have been tested to see if vendors have enhanced their security over the years. SOHOpelessly Broken 2.0 vulnerabilities resulted in 125 CVEs. The research concludes that common devices deployed in small office and home office settings are likely to be susceptible to exploits that can cause serious damage despite the enhanced attention IoT device companies have paid to security since 2013. Although they have used a responsible disclosure process, it is still very worrying as many individuals do not update their firmware frequently. It should also be noted that many vendors use the same code throughout their entire product line, meaning many other related devices will share vulnerabilities.
Ecuador’s biggest data breach?
The news broke today that an IT firm’s manager has been arrested after the personal details of almost the ENTIRE population of Ecuador were left exposed online. “Personal records of more than 20 million adults and children, both dead and alive, were found publicly exposed on an unsecured Elasticsearch server by security firm vpnMentor, which made the discovery during its large-scale mapping project. For a country with a population of over 16 million people, the breach exposed details of almost every Ecuadorian citizen, including President Lenín Moreno as well as WikiLeaks CEO Julian Assange, who was given political asylum in the country in 2012.” This is some serious stuff.
What happened?
Per the article: “The unsecured Elasticsearch server, which was based in Miami and owned by Ecuadorian company Novaestrat, contained an 18GB cache of data that appeared to have come from a variety of sources including government registries, an automotive association called Aeade, and an Ecuadorian national bank called Biess. The cache reportedly contained everything from full names, gender, dates and places of birth, phone numbers and addresses, to marital statuses, national identification numbers (similar to social security numbers), employment information, and details of education. The cache also contained specific financial information related to accounts held with the Ecuadorian national bank Biess, including a person’s bank account status, current balance and credit type, along with detailed information about individuals’ family members.”
From what I read, it seems that the government and its telecom agencies are going to take strict action against the private companies involved. Ecuador is also in the midst of passing a new data privacy law, which they have apparently been working on for almost a year now.
Source Article Link: https://thehackernews.com/2019/09/ecuador-data-breach.html
Google Warns LastPass Users Were Exposed To ‘Last Password’ Credential Leak
Google Project Zero is a team of highly talented security analysts with a brief to uncover zero-day vulnerabilities. If a vulnerability is found, Project Zero reports to the vendor concerned and starts a 90-day countdown for a fix to be issued before full public disclosure is made. LastPass is also in the security business, being one of the most popular password management solutions with more than 16 million users, including 58,000 businesses. Project Zero has just disclosed that a security vulnerability left some of those 16 million users exposed to the risk of credential compromise as, in an ironic twist, LastPass could leak the last password used to any website visited.
https://www.forbes.com/sites/daveywinder/2019/09/16/google-warns-lastpass-users-were-exposed-to-last-password-credential-leak/#5e161ec64600
LastPass Patches Bug Leaking Last-Used Credentials
LastPass is a password manager that stores encrypted passwords online and provides users easy access to them through a web interface, browser plugins and smartphone apps. The vulnerability allowed an attacker to exploit a flaw in Chrome and Opera extensions to expose the last credentials filled by LastPass. It was eventually patched. To me, this vulnerability really highlights the biggest flaw of password managers. The tool that is supposed to protect you is actually the thing that can cause the most harm. I’m interested to know if anyone in class has experience with password managers and if you would recommend using one.
https://www.securityweek.com/lastpass-patches-bug-leaking-last-used-credentials
Kali ISOs and VMs (Continue)
<https://www.youtube.com/watch?v=pSJScUhJgJI>
I used the Kali ISO image to build Linux in VMware Workstation, configured a 20GB disk and 4GB of memory, and then followed all default choices throughout the process. However, after the installation I got stuck at the boot screen with a flashing “_” before log-in. I found this video and eventually got it fixed. When you get to the “GRUB boot loader” menu, you should choose “/dev/sda” instead of the default choice “Enter device manually”. If you have the same problem, that should solve it. Excuse me for not having tried VirtualBox and the pre-built Kali image yet; therefore, I have no solution to problems regarding those.
The Power of Social Engineering
Social engineering and spear-phishing, combined with malware and vulnerabilities, show us that guarding valuable data and systems with technology alone is never sufficient. End-user training and cybersecurity awareness programs are equally important.
See the hack that just came to light in recent years:
Such hacks would never happen if training and cybersecurity awareness programs were in place and required for all employees.