Archive for April, 2015


April 20, 2015

What is a 0-day exploit? Technically it is an exploit used to break into an IT system like any other. The important difference is that the underlying flaw has not yet been discovered by the vendor (Microsoft, Apple and so on), or it is known but no patch to fix it is available yet.

For a long time there has been an underground market where security researchers sell exploits to cash-rich individuals and governments. Even on the clear web there are numerous companies offering such services. Recently a new 0-day exploit marketplace has emerged on the Dark Web. Security analysts, however, are not yet sure whether genuine exploits are being sold there or whether it is a scam.

The only way to really find out would be to buy an exploit. Serious zero-day exploits are usually traded for sums in the hundreds of thousands, so it is surprising that an exploit for iTunes is offered a lot cheaper. That price alone suggests it may be a scam, but who knows!

http://thehackernews.com/2015/04/underground-exploit-market.html



Social Engineering always wins

Author: Martin Voelk
April 19, 2015

As IT systems become more and more hardened, many attackers (script kiddies included) turn to easier alternative methods – mainly social engineering. Social engineering exploits weaknesses in the human layer: getting someone to reveal a password over the phone, getting them to click on a “free voucher PDF” to win something, or simply having them hold the door open for someone they don’t even know. The possibilities are endless and, in our experience, the success rates are 95% – 100%. Kevin Mitnick himself says: there is no cure for stupidity.

We try to educate our customers and employees as best we can, but in every penetration testing engagement our clients ask us to run, we have at least one success due to social engineering techniques. Whenever people think they can win a $20 voucher or get anything for free, they will almost always click a malicious PDF that has just arrived in their inbox, no matter how spammy it looks. People will almost always plug in a USB stick they received from a nice stranger. People will almost always believe that it really is IT support on the other end of the phone. The list goes on and on.

Here is an interesting article about the world-famous Kevin Mitnick:

http://recode.net/2015/03/26/why-kevin-mitnick-the-worlds-most-notorious-hacker-is-still-breaking-into-computers/



April 18, 2015

Companies invest a lot in IT security equipment these days, but more often than not, especially small and medium-sized businesses fail on physical and human security.

Many of our assessments include an onsite component where we are tasked to enter restricted areas and photograph the progress we make. Whilst social engineering (pretexting, tailgating) is responsible for by far the most successful breaches, plain and simple lock picking works in a great many cases.

Businesses (and individuals) think that a standard door lock, cabinet lock etc. will do. Unfortunately even the most basic lock picks are often successful against standard locks. For us it is shocking to see companies invest hundreds of thousands of dollars in the latest firewall, IPS and DDoS solutions and then lock their cabinets with basic rack locks in standard rooms. Often the racks are not locked at all. In more than 50% of the cases we see, neither the server rooms nor the racks are locked. Security is better when equipment is hosted in data centres, but that is normally only affordable for larger clients.

We highly recommend having physical security evaluated on a regular basis. You may have read our previous articles about IT security (or rather the lack of it) in Latin America, but we must say that Latin America is far ahead when it comes to physical security in the SMB market, and such breaches are not as frequent there as in other countries because physical security tends to be tight.

For Physical Security Audits, Pentesters can purchase Lock Picks in online shops such as:

http://hackerwarehouse.com/product-category/lock-picks/



Cisco is one of the leading network manufacturers in the world. They have moved on from traditional routing and switching to security, unified communications, storage, wireless and many other areas of IT. Not surprisingly, a lot of network infrastructure is powered by Cisco products.

To test some of the security aspects of Cisco products, there are a few free tools out there, which you will find below.

Cisc0wn

https://github.com/nccgroup/cisco-SNMP-enumeration

Cisco Auditing Tool

http://tools.kali.org/vulnerability-analysis/cisco-auditing-tool

Cisco Global Exploiter

https://github.com/pwnieexpress/pwn_plug_sources/tree/master/src/cisco-global-exploiter

Cisco OCS

http://tools.kali.org/vulnerability-analysis/cisco-ocs

Cisco TORCH

http://www.hackingciscoexposed.com/?link=tools

Yersinia

http://www.yersinia.net


April 17, 2015

MS15-034 has just been published: an integer overflow in the way HTTP.sys (the kernel HTTP driver behind IIS) handles the HTTP Range header, which can be triggered remotely by an unauthenticated request. Up to 70 million servers may be exposed. Patch your Windows servers immediately.

https://www.trustedsec.com/april-2015/ms15-034-range-header-integer-overflow/
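To triage your own estate before and after patching, here is an added example (not part of the original post and not TrustedSec's code) that sends the probe published alongside the vulnerability and classifies the answer. The expected behaviour (416 from an unpatched HTTP.sys, 400 once patched) is taken from the public write-ups of the time and should be confirmed against the linked article; the crashing variant of the request is deliberately not implemented, and hosts that do not identify as IIS/HTTP.sys are reported as inconclusive rather than guessed at.

```python
"""Triage check for MS15-034 (HTTP.sys Range header integer overflow).

Added example, not TrustedSec's or the blog author's code. It sends the
widely published probe header and classifies the answer; it does NOT send
the crashing variant (a non-zero lower bound against a static file).
"""
import http.client

# Upper bound is 2**64 - 1. This value alone does not crash HTTP.sys; it only
# reveals whether the header is still parsed (unpatched) or rejected (patched).
PROBE_RANGE = "bytes=0-18446744073709551615"


def build_probe_request(host, path="/"):
    """Raw request, handy for replaying through a proxy or logging what was sent."""
    return (
        "GET {path} HTTP/1.1\r\n"
        "Host: {host}\r\n"
        "Range: {rng}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).format(path=path, host=host, rng=PROBE_RANGE)


def classify(status, server_header=""):
    """Map an HTTP status plus Server header to a verdict.

    Published behaviour (assumption to confirm against the linked write-up):
      unpatched HTTP.sys  -> 416 Requested Range Not Satisfiable
      patched HTTP.sys    -> 400 Bad Request (invalid header)
    Anything not fronted by IIS/HTTP.sys is reported as inconclusive, because
    a 416 from another server or a WAF would be a false positive.
    """
    server = (server_header or "").lower()
    if "microsoft-iis" not in server and "microsoft-httpapi" not in server:
        return "INCONCLUSIVE"
    if status == 416:
        return "VULNERABLE"
    if status == 400:
        return "PATCHED"
    return "INCONCLUSIVE"


def check_host(host, port=80, path="/", timeout=5.0):
    """Live check against one host. Returns the verdict string."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Range": PROBE_RANGE, "Connection": "close"})
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Server", ""))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, check_host(target))
```

Run it with the target hostname as the only argument. A load balancer or WAF that rewrites the Server header will make every host look inconclusive, so confirm what is actually answering before trusting a verdict, and rerun after patching to see the 416 turn into a 400.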


April 17, 2015

The Cisco ASA is a very popular firewall, and not only that: it is also Cisco’s flagship VPN concentrator since the VPN 3000 Concentrator was discontinued a few years ago.

Many admins will know this problem. The ASA was inherited from the previous engineer(s), nothing has been documented – the usual. Now the company wants to migrate the ASA to a newer model and the question arises: who has the PSK (pre-shared key) for the VPN? The “show run” output will only show *****, which is no good 🙂

There is an easy way of recovering the key. Good for admins!! Bad for security!! A lot of Cisco admins believe that PSKs are not recoverable on the ASA or PIX – wrong. The asterisks are only applied when the configuration is displayed; with privileged EXEC (enable) access the key can be read in clear:

show run

tunnel-group MARTIN ipsec-attributes
ikev1 pre-shared-key *****

more system:running-config

tunnel-group MARTIN ipsec-attributes
ikev1 pre-shared-key cisco

🙂

The flip side for security: anyone with enable access to the ASA, and anyone who can read a configuration backup taken this way, holds every IPsec PSK on the box. Treat such backups as secrets, and when migrating to the new model take the opportunity to rotate the keys with the remote peers instead of copying the old ones forward.


April 16, 2015

A lot of people reach out to us asking for free penetration testing courses. Well, we found one, signed up – and surprisingly enough – it really is free! Whilst it certainly doesn’t come anywhere near the Offensive Security training or personal pentesting training, it is a great resource for those starting out in pentesting.

http://www.cybrary.it/course/ethical-hacking/


Perimeter Firewall Best Practices

Author: Martin Voelk
April 16, 2015

A lot of businesses have perimeter firewalls these days, which is a good thing. However, they must be configured appropriately to provide effective threat protection. Regardless of whether you have a Cisco ASA, Juniper SRX, SonicWall, Palo Alto or any other vendor in there, a few best practices apply to them all. Here is a 15-point cheat sheet of firewall best practices:

15 Best Practices for Firewalls

  • Software versions checked and up to date.
  • Configuration kept off-line and backed up; access to it is limited.
  • Configuration is well documented and commented.
  • Users and passwords configured and maintained (AAA), with password encryption in use.
  • Access restrictions imposed on console, AUX and VTYs. Unneeded network servers and facilities disabled. Necessary network services configured correctly (e.g. DNS). Unused interfaces and VTYs shut down or disabled.
  • Risky interface services disabled.
  • Port and protocol needs of the network identified and checked. Access lists limit traffic to the identified ports and protocols.
  • Rules block reserved and inappropriate addresses.
  • Static routes configured where necessary.
  • Routing protocols configured to use integrity mechanisms (neighbour authentication).
  • Logging enabled, and log recipient hosts identified and configured.
  • Firewall’s time of day set accurately and maintained with NTP.
  • Logging set to include consistent time information.
  • Logs checked, reviewed and archived in accordance with local policy.
  • SNMP disabled, or enabled only with strong community strings and ACLs; better still, SNMPv3.
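Checking a running configuration against a list like this by hand is error-prone, so here is an added example (not from the original post) that audits an IOS/ASA-style configuration for several of the points above: password encryption and AAA, risky services, VTY transport and ACLs, NTP, remote logging with timestamps, and SNMP. Both configurations in the block are constructed for illustration, the regexes assume Cisco IOS syntax (other vendors need their own patterns), and the rule that a VTY without a transport input line counts as permissive is an assumption of this example.

```python
"""Audit an IOS/ASA-style configuration against the checklist above (added
example, not the author's tool; Cisco IOS syntax assumed; configs constructed)."""
import re

# Constructed config violating most of the checklist (not a real device).
WEAK_CONFIG = """\
no service password-encryption
enable password letmein
username admin password 7 094F471A1A0A
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input all
 login
"""

# The same device with the checklist applied.
HARDENED_CONFIG = """\
service password-encryption
service timestamps log datetime msec show-timezone
aaa new-model
enable secret 9 $9$R1fLoC3z7V2Qy9$Zk0xw3Y1nQb8dKj
username admin secret 9 $9$8a2GtH5c1Wq0pL$Mn7vC2eR4tY6uI
no ip http server
ntp server 192.0.2.10
logging host 192.0.2.20
snmp-server group NMS v3 priv access MGMT
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class MGMT in
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private", "cisco"}
RISKY_SERVICES = ("ip http server", "service tcp-small-servers", "ip finger")


def _parse(cfg):
    """Return top-level lines plus (header, children) for each 'line vty' block."""
    top, blocks, cur = [], [], None
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if cur is not None:
                cur[1].append(raw.strip())
        else:
            top.append(raw.rstrip())
            cur = (raw.rstrip(), []) if raw.startswith("line vty") else None
            if cur:
                blocks.append(cur)
    return top, blocks


def audit(cfg):
    """Return 'CODE: message' findings; an empty list means the checks pass."""
    top, vty_blocks = _parse(cfg)
    has = lambda pattern: any(re.match(pattern, line) for line in top)
    f = []
    if not has(r"service password-encryption"):
        f.append("PWD-ENC: 'service password-encryption' not enabled")
    if has(r"enable password "):
        f.append("ENABLE-PWD: use 'enable secret' (hashed) instead of 'enable password'")
    for line in top:
        if re.match(r"(enable|username \S+) password 7 ", line):
            f.append(f"TYPE7: reversible type-7 password in '{line}'; use 'secret'")
    if not has(r"aaa new-model"):
        f.append("AAA: 'aaa new-model' not configured")
    for svc in RISKY_SERVICES:
        if has(re.escape(svc) + r"$"):
            f.append(f"SERVICE: disable '{svc}'")
    for header, body in vty_blocks:
        # A VTY without a 'transport input' line is treated as permissive (assumption).
        ti = next((b for b in body if b.startswith("transport input")), "transport input all")
        if re.search(r"\b(telnet|all)\b", ti):
            f.append(f"VTY-TELNET: '{header}' has '{ti}'; use 'transport input ssh'")
        if not any(b.startswith("access-class") for b in body):
            f.append(f"VTY-ACL: '{header}' has no access-class")
    if not has(r"ntp server "):
        f.append("NTP: no 'ntp server' configured")
    if not has(r"logging (host )?\d+\.\d+\.\d+\.\d+"):
        f.append("LOG-HOST: no remote syslog host")
    if not has(r"service timestamps log datetime"):
        f.append("LOG-TIME: enable 'service timestamps log datetime msec'")
    communities = [re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", line)
                   for line in top]
    for m in filter(None, communities):
        if m.group(1).lower() in DEFAULT_COMMUNITIES:
            f.append(f"SNMP-WEAK: default community string '{m.group(1)}'")
        if m.group(3) is None:
            f.append(f"SNMP-ACL: community '{m.group(1)}' has no ACL")
    if any(communities) and not has(r"snmp-server group \S+ v3 priv"):
        f.append("SNMP-VER: v1/v2c communities in use; move to SNMPv3 with auth and priv")
    return f
```

Feed `audit()` the text of a `show running-config` and it returns one line per finding; the weak sample produces findings in every category above, the hardened sample none. Type-7 passwords are flagged because they are reversibly encoded, not hashed, so “password encryption in use” only counts when the `secret` forms are used for enable and local users.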

Effective BYOD Security App

Author: Martin Voelk
April 15, 2015

Only recently Apple started cracking down on antivirus apps by removing them from the App Store, as apparently no viruses or malware exist for Apple… ahem. (http://www.businessinsider.com/apple-antivirus-app-store-crack-down-intego-virusbarrier-2015-3). A slight dose of arrogance must have overcome Apple in doing so. Just to clarify for everyone: we are not in the boat with any vendor, and we report from a pure security standpoint without any bias towards or against one vendor or another. The fact is that there is plenty of malware out there specifically targeting Apple iOS, so anyone saying there are no viruses or malware on iOS is WRONG. Only recently we stumbled across interesting code snippets on the dark web to exploit iOS 8.x.

Now that this is clarified, we would like to show our readers a very good mobile application which enhances security a lot. The company producing this app is called Zimperium. It detects and counters ARP spoofing attempts within a wireless cell, and is also an ideal component for any BYOD setup. It protects against host and network attacks alike and is a very robust endpoint security solution overall. Here is the link: https://www.zimperium.com/zips-mobile-ips
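To make the ARP spoofing part concrete, here is an added example (not part of the original post and not Zimperium's code) of the detection logic such an agent runs on a wireless cell: it learns IP-to-MAC bindings from ARP replies, alerts when a known IP, the gateway in particular, suddenly answers from a different MAC, and flags a MAC that claims the gateway address alongside other hosts. The reply sequence and addresses are constructed for the illustration; the `trusted` pinning argument is this example's own design, reflecting that a first-seen approach fails if the attacker is heard first.

```python
"""Detect ARP spoofing from observed ARP replies (added example).

An illustration of the kind of check a mobile IPS performs on a wireless
cell; it is not Zimperium's code. The input below is constructed.
"""
from collections import defaultdict

GATEWAY_IP = "192.0.2.1"

# Constructed sequence of (sender IP, sender MAC) from ARP replies. The host
# ending in :ee first shows up normally, then claims the gateway's IP and a
# victim's IP, which is what a man-in-the-middle on the WLAN looks like.
SAMPLE_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01"),
    ("192.0.2.23", "00:11:22:33:44:23"),
    ("192.0.2.57", "00:11:22:33:44:ee"),
    ("192.0.2.1", "00:11:22:33:44:ee"),
    ("192.0.2.23", "00:11:22:33:44:ee"),
]


def detect_arp_spoofing(replies, gateway_ip, trusted=None):
    """Return a list of (severity, message) alerts.

    The first binding seen for an IP (or a pinned one passed in `trusted`)
    is treated as truth, as arpwatch does; a later reply with a different
    MAC is an alert. A MAC that claims the gateway IP plus other IPs without
    being the trusted gateway MAC is flagged as well.
    Limitation: if the attacker is heard first, pinning via `trusted` is the
    only defence, which is why an agent should learn the gateway binding on
    a known-good network.
    """
    table = dict(trusted or {})
    claims = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        known = table.setdefault(ip, mac)
        if known != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((sev, f"{ip} changed from {known} to {mac}"))
    gw_mac = table.get(gateway_ip)
    for mac, ips in claims.items():
        if gateway_ip in ips and len(ips) > 1 and mac != gw_mac:
            others = sorted(ips - {gateway_ip})
            alerts.append(("HIGH", f"{mac} claims gateway {gateway_ip} and {others}"))
    return alerts


if __name__ == "__main__":
    for sev, msg in detect_arp_spoofing(SAMPLE_REPLIES, GATEWAY_IP):
        print(sev, msg)
```

On the sample the gateway takeover is reported as HIGH, the victim rebinding as MEDIUM, and the :ee host is called out for claiming the gateway plus two other addresses. The pinned-binding path matters most for BYOD: a device joining a hostile hotspot has no history, so the agent must carry a trusted gateway binding rather than trust whatever answers first.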
