Week 9’s reading covers the OWASP Top 10 Web Application Security Risks. The number one web application vulnerability is Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.
Week 09: Web Application Hacking
Week 9: In the News Web Application
Windows 10, iOS, Chrome, Firefox and Others Hacked at Tianfu Cup Competition
https://thehackernews.com/2020/11/windows-10-ios-chrome-firefox-and.html
This article is interesting because it shows these application vulnerabilities as the outcome of a group of hackers at a competition; patches for all the demonstrated bugs are expected to be released in the coming days.
Multiple software products from Adobe, Apple, Google, Microsoft, Mozilla, and Samsung were successfully pwned with previously unseen exploits in Tianfu Cup 2020, the third edition of the international cybersecurity contest held in the city of Chengdu, China.
The hacking was done against this list of platforms:
- Adobe PDF Reader
- Apple iPhone 11 Pro running iOS 14 and Safari browser
- ASUS RT-AX86U router
- CentOS 8
- Docker Community Edition
- Google Chrome
- Microsoft Windows 10 v2004
- Mozilla Firefox
- Samsung Galaxy S20 running Android 10
- TP-Link TL-WDR7660 router
- VMware ESXi hypervisor
Accessing Google User’s Account Information using GHunt
GHunt is an open-source intelligence (OSINT) tool which can be used to explore the data created by a Google account (Pritchard, 2020). GHunt is an OSINT tool which uses open-source information to compile data on a user’s identity and activities. GHunt can be used to analyze a user’s data with just the user’s email address. GHunt can extract the user’s name, YouTube channel, and other Google services.
The GHunt tool was developed by Thomas Hertzog. GHunt can be used by white hats and penetration testers to find out if an email address found during testing can leak any other information. Individuals and businesses can use this tool to identify how much of their information is available publicly.
References:
Pritchard, S. 2020. GHunt OSINT tool sniffs out Google users’ account information using just their email address. Retrieved from: https://portswigger.net/daily-swig/ghunt-osint-tool-sniffs-out-google-users-account-information-using-just-their-email-address
Week 9 Presentation
In the News – Week 9 – FBI, CISA: Russian hackers breached US government networks, exfiltrated data
The US government said that a Russian state-sponsored hacking group has successfully breached US government networks. The Russian hacker group was identified as Energetic Bear. The group has been targeting numerous US state, local, territorial, and tribal government networks since February 2020. The hacker group appeared to have breached the government servers by combining VPN appliance and Windows bugs.
The Russian attackers used publicly known vulnerabilities to breach networking equipment, pivot to internal networks, elevate privileges, and steal data. The targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE-2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).
Once in, the attackers used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials. The group then used these credentials to roam through a target’s internal network. Some of the data that was exfiltrated included:
- Sensitive network configurations and passwords.
- Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
- IT instructions, such as requesting password resets.
- Vendors and purchasing information.
- Printing access badges.
https://www.zdnet.com/article/fbi-cisa-russian-hackers-breached-us-government-networks-exfiltrated-data/#ftag=RSSbaffb68
Week 9 Readings – OWASP Top 10
This week’s readings had us view the OWASP top 10. The OWASP (Open Web Application Security Project) is a super informative site. It essentially outlines the top 10 web attacks the attackers are utilizing against web servers today. This is useful as it gives you an idea of how attackers are exploiting environments. It also helps IT departments assess their own externally facing servers for vulnerabilities.
Questions for the class:
SQL injection is the number 1 threat on the OWASP Top 10; how do SQL injections work?
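To answer the class question, here is an added example (not from the OWASP reading or the original post) that puts a login query built by string concatenation next to its parameterized form, using a constructed in-memory SQLite table with one hypothetical user so it runs offline:

```python
import sqlite3

def make_db():
    # Constructed sample data: a single hypothetical user in an in-memory DB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted input is pasted into the SQL text, so the interpreter cannot
    # tell data from command: this is the injection flaw OWASP describes.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()

def login_safe(conn, username, password):
    # Parameterized query: the driver binds the values as data, and nothing
    # the user types is ever parsed as SQL syntax.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

def demo():
    conn = make_db()
    # A quote in the password closes the string literal and tacks on an
    # always-true condition, so the vulnerable query matches with no password.
    injected = "' OR '1'='1"
    return {
        "vuln_correct": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, "alice", injected),
        "safe_injected": login_safe(conn, "alice", injected),
        "safe_correct": login_safe(conn, "alice", "correct-horse"),
    }

if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case}: {row}")
```

The same bad input returns a row from the concatenated query but nothing from the parameterized one, which is why parameterized queries (prepared statements) are the standard mitigation.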
On Wednesday morning (ET), around 2,034 BTC ($21.6 million) from the 2016 Bitfinex hack moved into a few unknown wallets. The action was caught by the Btcparser program as five transactions with around 400 BTC each moved for the first time in four years. Around August of 2016 a very popular digital currency exchange Bitfinex. Most of the stolen bitcoins sat idle for a little less than four years, but in 2020 the hacker has been moving lots of coins in batches. The 2016 Bitfinex hack was one of the biggest cryptocurrency trading platform hacks when it happened. At the time, Bitfinex was one of the largest cryptocurrency platforms around. When the hack happened, Bitcoin price fell by 20%, affecting global cryptocurrency trades.
https://www.goodwinlaw.com/publications/2016/09/the-aftermath-of-the-bitfinex-hack