Categories
Uncategorized

Protect Your Docker Hosts With These Techniques


Although Docker has made it possible for engineers to build and deploy enterprise software without worrying about package dependencies, Docker technology has security problems of its own, because all Docker instances (containers) on a host share the same kernel.

In this brief post we outline five ways to protect your Docker hosts from attacks such as denial-of-service (DoS) attacks, image malware, illegitimate root privileges, and so on.

  • How to Avoid Kernel System Attacks In a Docker Ecosystem:

To avoid kernel attacks, install and run Docker on a virtual machine (VM) so that containers have no direct access to the physical host's kernel. Running Docker on a VM makes it difficult for an attacker to get access to the host kernel and manipulate its security settings.

  • How to Avoid Excessive Memory Usage by Programs Running in Containers

Some programs running in containers consume far more memory than they were allocated. This usually happens when malware resides on the same host as legitimate programs. You can use cgroups (control groups) to limit containers, or individual application instances, to a fixed set of resources.

Cgroups (control groups) are a kernel feature of Linux, the Unix-like operating system Docker runs on. You can use them to limit programs to a set of resources such as memory and CPU.

Make sure you are running the latest version of Docker Engine.

  • How to Avoid Container Attack Escalation

Docker containers usually run as the root (or ‘admin’) user. Hence any malicious program that gains access to a container on a Docker host can move further and manipulate kernel security features. It is advisable to run and manage the Docker host on a virtual machine.

Running the Docker host on a virtual machine makes it considerably harder for an attacker to escalate from a container to the kernel.

  • The main idea behind Docker is to enable a microservice architecture, so it is quite risky to run all services in a single container. Separate the services, run each in its own container, and use Docker Swarm to scale them so as to avoid unplanned ‘service shutdowns’.
  • Finally, you can use Clair to assess container images for known vulnerabilities.
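The cgroup and root-user points above can be checked on a running host from docker inspect output. The following is an added example, not code from the original post; the JSON is a constructed sample in the shape of the Config and HostConfig fields that docker inspect prints, and the checks are the ones a reviewer would apply before letting a container onto a shared host.

```python
"""Audit container settings for the risks discussed above: no cgroup memory
limit, no PID limit, running as root, privileged mode, writable root fs.

Constructed sample in the shape of `docker inspect` output: one container
started with defaults and one started with limits and a non-root user."""
import json

SAMPLE_INSPECT = """[
  {"Name": "/billing-api",
   "Config": {"User": "", "Image": "billing-api:1.2"},
   "HostConfig": {"Memory": 0, "PidsLimit": null, "Privileged": false,
                  "ReadonlyRootfs": false, "SecurityOpt": null}},
  {"Name": "/frontend",
   "Config": {"User": "1000:1000", "Image": "frontend:3.0"},
   "HostConfig": {"Memory": 268435456, "PidsLimit": 200, "Privileged": false,
                  "ReadonlyRootfs": true, "SecurityOpt": ["no-new-privileges"]}}
]"""


def audit_container(c):
    """Return a list of findings (strings) for one inspected container."""
    findings = []
    host = c.get("HostConfig", {})
    cfg = c.get("Config", {})
    # Memory == 0 means "unlimited" in docker inspect: no cgroup memory cap,
    # so a runaway or malicious process can starve every other container.
    if not host.get("Memory"):
        findings.append("no cgroup memory limit (--memory)")
    if not host.get("PidsLimit"):
        findings.append("no PID limit (--pids-limit); a fork bomb can exhaust the host")
    if host.get("Privileged"):
        findings.append("privileged container: full access to host devices")
    # An empty User means the container's process runs as root by default.
    if not cfg.get("User") or cfg["User"].split(":")[0] in ("0", "root"):
        findings.append("runs as root; set a non-root USER or --user")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (consider --read-only)")
    if "no-new-privileges" not in (host.get("SecurityOpt") or []):
        findings.append("missing --security-opt no-new-privileges")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every container in the JSON."""
    return {c["Name"].lstrip("/"): audit_container(c)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Feed it real data with `docker inspect $(docker ps -q)` piped into `audit`.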

OSX/Shlayer


OSX/Shlayer is a potentially unwanted application that downloads and installs software on the computer.

Although malware that disguises itself as an update to Adobe Flash Player is nothing new, some of the latest incarnations of fake Flash Player installers have an unusual method of downloading additional content.

OSX/Shlayer spreads via BitTorrent file-sharing sites, appearing as a fake Flash Player update when a user clicks a link to copy a torrent’s magnet link.

Torrent sites are notorious for distributing malware and adware, sometimes through misleading advertisements, and sometimes through Trojan horse downloads that claim to be “cracks” or that may contain infected copies of legitimate software.

Even if you don’t use torrent sites, you may encounter other sites that claim you need to update Flash Player; in most cases, this is actually an attempt to install malware on your computer.

BROWSER INDICATORS:

On some of the malware distribution pages, the fake Flash Player alerts are customized to your browser. If you’re using Mozilla Firefox, you may see an upward-facing arrow appear pointing to the browser toolbar that indicates that there is a recent download available to open.

If you’re using Google Chrome, you may see a pop-up message pointing to the bottom-left corner of the browser window where newly available downloads appear. Ironically, Google Chrome has its own built-in version of Flash Player that users don’t need to update manually; it gets updated automatically whenever Google issues an update for Chrome itself.

WHAT MALWARE DOES IF INSTALLED:

The primary goal of OSX/Shlayer is to download and install adware onto an infected Mac. Although “adware” may not sound like a big deal, it can be a lot more harmful than the name implies.

At least one variant of the malware also appears to exhibit an interesting behavior: It checks whether one of several Mac anti-virus products is installed.

HOW MAC USERS CAN PROTECT THEMSELVES FROM OSX/SHLAYER:

Avoid any “Flash Player” update alerts you may encounter on the Web; in most cases, these are actually false warnings intended to trick you into downloading and installing malware.

If you use Google’s Chrome browser, it already has a built-in version of Flash Player, so you’ll never need to obtain a newer version of the plugin from a third party.

If you use Apple’s Safari browser, or Mozilla Firefox or other third-party Web browsers, you should bookmark https://get.adobe.com/flashplayer/ and only obtain Flash Player updates via that bookmark—that is, if you even need Flash Player in the first place.

In fact, when you get a new computer the best practice is to avoid installing Flash Player in the first place. Few legitimate sites require Flash these days, and for the rare site that does, you can view the site in Google Chrome.

If you accidentally download a fake Flash Player update and it comes as a .dmg (Mac disk image) file, don’t double-click it! Simply drag it to the Trash, and then from the Finder menu (in the top-left corner of the screen, next to the Apple menu) select “Empty Trash…”.

WHAT TO DO IF YOU’RE INFECTED:

If you suspect that your computer might be infected, you can download VirusBarrier Scanner (free) from the Mac App Store to scan your computer for an existing infection.

We recommend installing antivirus software with real-time scanning protection, such as Intego VirusBarrier X9 (part of the Mac Premium Bundle X9 utility suite), to help block malware before an infection can occur.

Author: Jerry Amarteifio, systems and endpoint engineer


Citrix Intranet Hacked by Iridium


Citrix Systems’ internal network was hacked by international cybercriminals who may have accessed and downloaded business documents. The company acknowledged the hack in a blog post last Friday.

Stan Black, the chief security and information officer at Citrix, wrote that the company was contacted by the FBI last Wednesday. The FBI told Citrix that it had reason to believe there was a successful attack on the company’s network by foreign parties.

According to Black, no Citrix products or services were compromised. “It appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown,” Black wrote. He noted that the investigation into the hacks is ongoing.

In the fallout from the attack, Citrix said it has taken action by: starting a forensic investigation; hiring a cybersecurity firm to assist the company; taking steps to secure its internal network; and by continuing to cooperate with the FBI.

Black said that, while not yet confirmed, the FBI believes a technique called password spraying was used to gain access. Password spraying is a tactic in which attackers try a few common passwords against many accounts, exploiting weak passwords. Once the attacker gains a foothold with limited access, they can work around the additional layers of security.
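What makes password spraying visible in authentication logs is its shape: one source, many different accounts, few attempts each. The following detection is an added example, not from the original article; the log lines are constructed in a simple syslog-like format (an assumption), and the window and threshold are tunables.

```python
"""Flag sources whose failed logins spread across many accounts (a spray),
and list which accounts such a source later logged into (the foothold)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries many different accounts once each
# (a spray, ending in one success); 198.51.100.9 hammers a single account.
SAMPLE_LOG = """\
2019-03-08T02:00:01 auth: FAILED user=alice src=203.0.113.7
2019-03-08T02:00:03 auth: FAILED user=bob src=203.0.113.7
2019-03-08T02:00:05 auth: FAILED user=carol src=203.0.113.7
2019-03-08T02:00:07 auth: FAILED user=dave src=203.0.113.7
2019-03-08T02:00:09 auth: FAILED user=erin src=203.0.113.7
2019-03-08T02:00:11 auth: SUCCESS user=frank src=203.0.113.7
2019-03-08T02:01:00 auth: FAILED user=alice src=198.51.100.9
2019-03-08T02:01:02 auth: FAILED user=alice src=198.51.100.9
2019-03-08T02:01:04 auth: FAILED user=alice src=198.51.100.9
2019-03-08T02:01:06 auth: FAILED user=alice src=198.51.100.9
2019-03-08T02:01:08 auth: FAILED user=alice src=198.51.100.9
2019-03-08T02:01:10 auth: FAILED user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Yield (timestamp, result, user, src) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m.group(1)), m.group(2),
                   m.group(3), m.group(4))


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted distinct users} for every source whose failed
    logins touched at least `min_users` different accounts within `window`.
    A single account failing many times (brute force) is deliberately not
    reported here; that is a different signature with its own rule."""
    failures = defaultdict(list)            # src -> [(timestamp, user)]
    for ts, result, user, src in parse(log_text):
        if result == "FAILED":
            failures[src].append((ts, user))
    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):   # sliding window
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def successes_from_sprayers(log_text):
    """Accounts that a flagged source eventually logged into: the foothold
    the article mentions, and the first credentials to reset after an alert."""
    sprayers = detect_spray(log_text)
    return sorted({u for _, r, u, s in parse(log_text)
                   if r == "SUCCESS" and s in sprayers})
```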

“Citrix deeply regrets the impact this incident may have on affected customers,” wrote Black. He noted that Citrix will continue to post updates and work with law enforcement on understanding the details of the breach.

Last week, only a few days before it was contacted by the FBI, Citrix made several updates to its SD-WAN product to make it more secure.

Source: sdxcentral

Categories
Internet Security Uncategorized

Time to Install apt-transport-https !!!


A flaw in the apt-get utility can be exploited by a remote man-in-the-middle attacker to compromise Linux machines.

The flaw once again demonstrates that if the software download ecosystem used HTTPS to communicate securely, such attacks could easily be mitigated in the first place.

The APT utility doesn’t properly sanitize certain parameters during HTTP redirects, allowing man-in-the-middle attackers to inject malicious content and trick the system into installing altered packages.

APT HTTP redirects help Linux machines to automatically find suitable mirror server to download software packages when others are unavailable.

If the first server somehow fails, it returns a response with the location of next server from where the client should request the package.

A malicious mirror, or an attacker sitting between the client and the mirror, can inject malicious packages into the network traffic and execute arbitrary code on the targeted system with the highest level of privileges, i.e. root.

Since apt-get is part of many major Linux distributions including Debian and Ubuntu, who have also acknowledged the flaw and released security updates, it is highly recommended for Linux users to update their systems as soon as possible.
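Besides patching, the mitigation the post's title points at is moving APT sources to HTTPS. The following is an added example, not from the original post: it finds sources.list entries still fetched over plain HTTP and rewrites the ones whose host is on a list of mirrors verified to serve HTTPS (that list, KNOWN_HTTPS_MIRRORS, and the sources.list content are constructed assumptions).

```python
"""Report APT sources still using http:// and rewrite the ones that can
safely move to https://."""
import re

# Constructed /etc/apt/sources.list-style input.
SAMPLE_SOURCES = """\
# main repos
deb http://deb.debian.org/debian stretch main
deb-src http://deb.debian.org/debian stretch main
deb http://security.debian.org/debian-security stretch/updates main
deb https://download.docker.com/linux/debian stretch stable
deb [arch=amd64] http://mirror.example.internal/debian stretch main
"""

# Assumption for this example: mirrors we have verified serve HTTPS.
# Anything not listed is reported but left untouched, since rewriting a
# mirror that has no TLS endpoint would just break apt-get update.
KNOWN_HTTPS_MIRRORS = {"deb.debian.org", "security.debian.org"}

# deb / deb-src, optional [options], URI, then suite and components.
ENTRY_RE = re.compile(r"^(deb|deb-src)\s+(\[[^\]]*\]\s+)?(\S+)\s+(.*)$")


def parse_entries(text):
    """Yield (line_no, kind, options, uri, rest) for each non-comment entry."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = ENTRY_RE.match(s)
        if m:
            yield n, m.group(1), m.group(2) or "", m.group(3), m.group(4)


def plain_http_entries(text):
    """Return [(line_no, uri)] for entries fetched over http://."""
    return [(n, uri) for n, _, _, uri, _ in parse_entries(text)
            if uri.startswith("http://")]


def rewrite_to_https(text):
    """Return (new_text, hosts_left_as_is). http:// entries whose host is in
    KNOWN_HTTPS_MIRRORS become https://; the rest are reported, not changed."""
    out, left = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group(3).startswith("http://"):
            host = m.group(3)[len("http://"):].split("/")[0]
            if host in KNOWN_HTTPS_MIRRORS:
                line = line.replace("http://", "https://", 1)
            else:
                left.append(host)
        out.append(line)
    return "\n".join(out) + "\n", left
```

On apt versions older than 1.5 the https:// transport only works once apt-transport-https is installed; from 1.5 on it is built into apt itself.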

source: THN


Systemd Privilege Escalation Flaw Affects Debian and Red Hat Users


Security researchers have discovered three vulnerabilities in Systemd, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems.

The vulnerabilities, assigned CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866, actually reside in the “systemd-journald” service, which collects information from different sources and creates event logs by writing that information to the journal.

The vulnerabilities, which were discovered and reported by security researchers at Qualys, affect all systemd-based Linux distributions, including Redhat and Debian, according to the researchers.

The first two flaws are memory corruption issues, while the third is an out-of-bounds read in systemd-journald that can leak sensitive process memory.

If you are using a vulnerable Linux system, keep tabs on the latest updates by your respective Linux distribution and install the patches as soon as they are released.

Source: theHackernews


The privacy tussle; can there be a win-win?


It was a quarter to eight when I got home on weary, tired legs. I was famished, and on the menu was kenkey from my favorite vendor with hot pepper and fried eggs. Just as I stuck my thumb into the kenkey, Ga-man style, a notification came through on my phone; honestly, I thought it was a payment hitting the account (man is hot). But no, it was just a news item: citinewsroom.com had reported a story captioned “Communications Ministry fights BoG over mobile money data”. I chuckled and retorted in my mind: what’s wrong with my “Ghana people” again?

I continued with supper while I read the article in full. It caught my eye because it touches on a subject I am passionate about: yes, data protection. The article stated in part: “The Communications Ministry in a series of letters had asked the Bank of Ghana to release the data to a private contractor, Kelni GVG, which has been tasked to verify the amount of revenue generated by telcos.

The Ministry specifically requested for disclosure of customer balances, transaction amounts, date and time of the transactions.

However, the Bank of Ghana declined to grant the Communication Ministry’s request, arguing in a letter signed by its Secretary, Frances Van-Hein, that disclosing such information will breach the guidelines of Electronic Money Issuers and Data Protection Act.”

So without wasting much time I decided to make a point or two once the food had settled my unintended, self-imposed fast. Here we go: it is true that per section 91 of the Data Protection Act 2012, Act 843, the three (3) organs of State are bound by the provisions of the Act, more so when it comes to disclosure. Let me say quickly before I proceed that this is not meant to be a comprehensive lecture on data protection; on the contrary, it is just a brief note touching on the key issue I gathered, which is the outright refusal to disclose.

As a practitioner, I will first ask why the data is needed in the first place. Regulatory activities, or something else? Let me just presume and move on. Having said that, section 63 of Act 843 should suffice for regulatory activities so long as the reason falls under the exemptions provided. Let’s assume again that it is for taxation or related purposes; then section 61(1)(c) of Act 843 further allows an exemption for the purposes of the assessment or collection of a tax or duty or of an imposition of a similar nature.

Generally, and as a rule of principle, the provisions of the law do not apply to data so long as the data subjects cannot be identified from the set of attributes, which calls for anonymization or pseudo-anonymization. Once data is properly anonymized, the data subjects behind the attributes cannot be identified, and so the issues of privacy do not arise. This also means the systems disclosing and receiving the information respectively should provide for this in their technology, either as an added functionality or built in, through what is called “privacy by design”. But then, as I keep saying in various forums, if we build systems that are not resilient to the inherent risk and to managing it, then due diligence can be construed as negligible if not nonexistent. As I doze off now, and hoping I am not missing the point: the exemptions under Act 843 are not blank cheques. They are exemptions to disclose the information; therefore all the other principles under the law apply with full force, i.e. accountability, lawfulness of processing, specification of purpose, compatibility with further processing, quality of the data, openness, security safeguards and data subject participation.

The provisions of the Act 843 will override the Electronic Money Issuers (2015) Guidelines to the extent that the latter is a substantive law. It can also be a matter of regulator-to-regulator mutual understanding and of course measures of alternative effect under the context of the laws to create a controller-controller or controller-processor relationship and capture the lawful terms of use in a data transfer or exchange agreement as envisioned under the Act 843.

If the truce won’t work, well, I will just sleep soundly by recommending that under section 66 of Act 843 one party can coerce the other with a court order to do the needful; but rightly so only with lawful justification, lest the court throws you out for want of it.

As the night settles into its late hours, may we be reminded that data protection is a fundamental human right. Its regulations governing data processing are not an outright show-stopper but a business enabler, with the potential of appreciating the currency of the digital consumer; this currency is “trust”, and it provides a competitive business edge. And in as much as one party, as a regulator, has the right of refusal over the other, it is also the case that this refusal cannot be absolute in the face of lawfully justified exemptions. Let the parties re-look at their positions.

Permit me to leave you with some thoughts:

“Privacy – like eating and breathing – is one of life’s basic requirements.” ― Katherine Neville

Desmond Israel

Lead Consultant @ Information Security Architect


Making two-factor authentication much stronger in two easy steps


Disabling lock-screen notifications on iPhone:

iPhone users have a bit more flexibility in notification settings. First of all, you can set up notification previews in general:

  • Open Settings;
  • Go to Notifications;
  • Tap on Show Previews at the very top if you want to turn off lock-screen notifications all at once;
  • Select When Unlocked or Never.

In iOS, you can fine-tune the balance of convenience and privacy. If you prefer to keep some notification previews on your lock screen and hide only those that contain sensitive information, you can choose another approach and set up this option individually for each app:

  1. Again, open Settings;
  2. Go to Notifications;
  3. Tap on the app in question, for example, Messages;
  4. Scroll down to the option for showing previews and select either When Unlocked or Never.

Disabling lock-screen notifications on Android:

Android settings can vary a bit depending on version and device — and there’s quite a number of them. With that said, it’s impossible to make an ultimate guide, so poke around a bit if necessary.

  1. Open Settings;
  2. Go to Apps & Notifications, then Notifications;
  3. Choose On the lock screen;
  4. Choose either Don’t show notifications or Show notifications but hide sensitive content.

Most Android versions don’t allow you to set up lock-screen notifications individually for each app; however, in Samsung’s version of the OS you can do it.

Don’t forget to protect your SIM card:

Removing notifications from your lock screen is a good start, but our job isn’t done yet. You see, it isn’t a phone that actually receives text messages, but rather a tiny piece of plastic no one thinks about much: a SIM card. It’s incredibly easy to remove a SIM card from one phone, insert it into any other phone, and receive your calls and messages — including messages with 2FA one-time codes.

It’s pretty easy to protect yourself from that kind of information theft — just set up a PIN code request for your SIM card. Here’s how to do it on an iPhone:

  1. Open Settings;
  2. After a fair bit of scrolling, tap on Phone;
  3. Go to SIM PIN;
  4. Switch SIM PIN on;
  5. Enter your current PIN. If you never set one, use the default code set by the operator — you can find it in your SIM starter kit;
  6. Tap on Change PIN to use custom code instead of the default one;
  7. Enter your current PIN;
  8. After that enter your new PIN code, and enter it once again for confirmation.

For Android (again, it may be slightly different in your phone):

  1. Go to Settings, then Security & Location;
  2. Choose SIM card lock and Lock SIM card;
  3. When prompted, enter the SIM PIN. If you didn’t set one up, find the default SIM PIN in the documentation from your SIM card;
  4. Choose Change SIM PIN;
  5. Enter the old PIN;
  6. Enter a new PIN (and again, for confirmation).

Now every time your phone is restarted or the SIM card is inserted in another phone, you’ll need to enter the PIN code, or else it won’t start. You’re set — at least as far as two-factor authentication codes go.

source:  kaspersky


Mobile Malware and Where to Find Them


Our smartphones and tablets know almost everything about us — from contact details to bank card numbers and current location. This information is a goldmine for cybercriminals. As a result, the Web is full of all kinds of pests out to grab anything lying around (or carelessly typed).

Spyware

Spyware is the name given to programs that, yes, spy on people. Like hidden cryptominers, spyware tries to lie low on your smartphone for as long as possible, which tends to make it very difficult to detect.

Some types of spyware steal data — anything from user names and passwords to photos and geolocation data; other types stick to the spy game, recording audio, shooting videos, and so on.

Here’s what such malware is capable of:

  • Stealing your e-mails and text messages (both SMS and IM) and forwarding them to cybercriminals,
  • Recording phone conversations,
  • Sending your device’s GPS coordinates to scammers,
  • Revealing your browser history and clipboard contents,
  • Stealing personal or work documents, or any files from your phone,
  • Turning on the microphone and/or camera and sending out secretly recorded photos, audio, and video,
  • Stealing social media and online bank account details,
  • Collecting system information.

For example, the Trojan spyware Skygofree starts recording audio when the owner of the infected device is in a place selected by the spyware operators; it also harvests browser history, user names, passwords, and card numbers. It then connects to Wi-Fi all by itself and transfers the booty.

Keyloggers

Spyware can be general-purpose or specialized. For example, keyloggers are malware programs that log keystrokes on the keyboard. Sure, modern phones have only virtual keys, but that’s even better for keyloggers. Some masquerade as alternative keyboards, making it child’s play to pick up what the user taps.

Banking Trojans

Another specialized breed of spyware, banking Trojans steal data linked to bank cards and apps. These monsters are quite popular with hackers because they provide a direct route into other people’s accounts.

Banking Trojans come in a variety of flavors, and in many cases they combine an array of functions. For example, many can overlay the banking app interface with their own, making it seem as though the user is entering data in the banking app while in fact giving it to the Trojan, which logs the details and feeds them into the banking client so that the user suspects nothing. Also, in many cases, mobile banking Trojans intercept SMS messages from banks containing confirmation codes or information about withdrawals.

Source:    Kaspersky Lab


HACKERS STEAL 50 MILLION FACEBOOK USERS’ ACCESS TOKEN USING ZERO-DAY FLAW


As of the second quarter of 2018, Facebook had 2.23 billion monthly active users. In the third quarter of 2012, the number of active users surpassed one billion, making it the first social network ever to do so. Active users are those who logged into Facebook during the last 30 days.

Facebook is already under heavy fire since the revelation that consultancy firm Cambridge Analytica had misused data of 87 million Facebook users to help Donald Trump win the US presidency in 2016.

And now comes the latest revelation, reported on Friday 9/28/2018: a zero-day flaw residing in the “View As” feature on users’ timelines.

The feature has been disabled and a reset performed on the 50 million compromised accounts and on another 40 million accounts.

What the “View As” feature means on Facebook:

After clicking View As, Facebook shows you your Facebook page as people who aren’t your Facebook friends see it.

If you can see certain posts and photos, this means those posts and photos are available for public eyes because you posted with a public privacy setting.

Facebook has admitted that an unknown hacker or a group of hackers exploited a zero-day vulnerability in its social media platform that allowed them to steal secret access token for more than 50 million accounts.

The vulnerability allowed hackers to steal secret access tokens that could then be used to directly access users’ private information without requiring their original account password or validating a two-factor authentication code.

The attack was discovered three days ago (on 25 September) and an investigation is ongoing. Meanwhile, the vulnerability has been patched.

This recent revelation has once again underlined the failure of the social-media giant to protect its users’ information while generating billions of dollars in revenue from that same information.


How to Automate Pentesting with Ansible ( Part 2- Information Gathering)


Today we will look at how Ansible modules allow security engineers to collect extensive information about a remote server: its active interfaces (e.g. eth0 or wlan0), which security module is enabled in the kernel (AppArmor or SELinux), how many partitions exist on the hard disk, and so on.

Although Ansible, as a DevOps tool, is primarily used for configuration management, server provisioning and application deployment to production environments, just like Puppet and the rest, some of its modules can be used to gather information, and that information can be very useful to security engineers.

Before we start to automate information gathering with Ansible modules, let’s briefly look at how to list the modules Ansible provides and the arguments they take. To list all modules known to Ansible, open a terminal and type the following command: ansible-doc -l

As shown in the screenshot above, the command lists the modules supported by Ansible.

Finally, let’s use Ansible’s setup module to gather information about the target without any infosec tools. Type the command below at the terminal, replacing the placeholder with the target’s IP address:

ansible -i '<target-ip>,' all -m setup -k -u user2

The command above instructs Ansible to connect to the target at the IP address given in the placeholder as user2 and retrieve information about it. The -i '<target-ip>,' option supplies the target as an ad-hoc inventory (the trailing comma makes Ansible treat the value as a host list rather than an inventory file), and the -k flag prompts for user2’s password.

Voila: via the setup module, Ansible retrieved extensive information about the target in less than a minute. Tomorrow we will continue automating information gathering with Ansible.
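The setup module dumps far more than the three things the post set out to find, so the practical next step is to pull just those out of the ad-hoc output. The following is an added example, not code from the original post: the fact names (ansible_interfaces, ansible_<iface>.active, ansible_apparmor.status, ansible_selinux.status, ansible_devices.<dev>.partitions) are the ones the setup module really returns, while the output below is a constructed, trimmed sample of the command's "host | SUCCESS => {...}" format.

```python
"""Parse ad-hoc `ansible -m setup` output and summarise the facts that
matter for the checks described above."""
import json
import re

# Constructed, trimmed sample of what `ansible ... -m setup` prints.
SAMPLE_OUTPUT = """\
192.0.2.10 | SUCCESS => {
    "ansible_facts": {
        "ansible_interfaces": ["lo", "eth0", "wlan0"],
        "ansible_eth0": {"active": true, "ipv4": {"address": "192.0.2.10"}},
        "ansible_wlan0": {"active": false},
        "ansible_apparmor": {"status": "enabled"},
        "ansible_selinux": {"status": "disabled"},
        "ansible_devices": {
            "sda": {"partitions": {"sda1": {"size": "512.00 MB"},
                                   "sda2": {"size": "39.50 GB"}}},
            "sr0": {"partitions": {}}
        }
    },
    "changed": false
}
"""

# Each host's result starts with "host | STATUS => " followed by one JSON object.
HEADER_RE = re.compile(r"^(\S+) \| (SUCCESS|FAILED|UNREACHABLE!?) => ", re.M)


def parse_adhoc_output(text):
    """Return {host: ansible_facts dict} for every host block in the output.
    raw_decode stops at the end of the JSON object, so multiple host blocks
    in one capture are handled as well."""
    results = {}
    for m in HEADER_RE.finditer(text):
        obj, _ = json.JSONDecoder().raw_decode(text[m.end():])
        results[m.group(1)] = obj.get("ansible_facts", {})
    return results


def security_summary(facts):
    """Active interfaces, enabled LSMs and partitions per disk, from facts."""
    active = [i for i in facts.get("ansible_interfaces", [])
              if facts.get(f"ansible_{i}", {}).get("active")]
    lsm_enabled = []
    for name in ("apparmor", "selinux"):
        # The setup module reports {"status": "enabled"|"disabled"|"missing"}.
        if facts.get(f"ansible_{name}", {}).get("status") == "enabled":
            lsm_enabled.append(name)
    partitions = {dev: sorted(info.get("partitions", {}))
                  for dev, info in facts.get("ansible_devices", {}).items()}
    return {"active_interfaces": active, "lsm_enabled": lsm_enabled,
            "partitions": partitions}


if __name__ == "__main__":
    for host, facts in parse_adhoc_output(SAMPLE_OUTPUT).items():
        print(host, security_summary(facts))
```

Pipe the real command's output into `parse_adhoc_output` (`ansible ... -m setup > facts.txt`) to run the same summary against a live target.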

#ISA_informs

#ISA_ltd