Author: michael

Categories
Uncategorized

How to Automate Pentesting with Ansible ( PART 1- Installation & Configuration)

Add Your Heading Text Here

Share it:

In this day and age, devops tools such as Ansible has made it quite possible for security engineers to automate penetration testing. Although it is quite possible to do the same task with bash shell scripting, it becomes tedious when security engineers are supposed to test hosts on different distributions (such as Suse, CentOS and Redhat) .  We can use ansible to pentest different Linux distributions in the same environment using playbooks.

Today we will focus on how to install ansible on a controller machine in preparation for the main task ahead. There is no need to install ansible on the remote server ( i.e managed machine) we will connect to shortly.

There are several ways of installing ansible. You can choose to install ansible by compiling source code into the usr/local directory, use apt-get utility of Ubuntu or yum or dnf utility of CentOS  to install ansible binary program or install ansible using pip.

For this tutorial, we will install ansible on the controller machine using apt-get and configure it afterwards.

Open your terminal and type the following code:

apt-get install ansible  

Usually ansible is installed into the /etc directory. i.e system configuration directory. After you have installed ansible on your Linux machine, type the following command at the terminal:

cd /etc/ansible 

Inside the ansible directory, type the command below to view files in the ansible directory:

ls ansible  

Open the file ‘hosts’ and assign hostname(s) or IP address(es) of remote server you intend to pentest. The ‘host’ file is an inventory file which contains IP address(es) of web servers, database or other infrastructure ansible needs to connect to via ssh. You can choose to open it with any text editor.

leafpad hosts

Now enter the IP address(es) or hostname(s) of remote server(s)  in the format below. Please don’t try to connect to the IP address because it is not valid.

Next, save and close the hosts file. Open the file ‘ansible.cfg’ to make minimal changes. Because we don’t to connect to remote servers  passwordless, uncomment host key_checking by ansible by deleting the # sign beside host key_checking

Now save and close ansible.cfg file.

Finally,  let’s check whether we have configured ansible correctly by connecting to remote server using the ping module. The command below simply tells ansible to connect to the ip address(you must replace the place holder with a valid IP address) using the ping module (i.e -m ping). In addition, -k flag prompts user2 for password before connecting to the target.

ansible   -m  ping -k -u user2

BAM!  Ansible is working correctly. Tomorrow, We will illustrate how we can automate information gathering of a target with ansible.

#ISA_informs

#ISA_ltd 

Latest Post
Categories
Categories
Uncategorized

Turning Your Smartphone Into a Spyware Zoo

Add Your Heading Text Here

Share it:
Sometimes even a completely innocent-looking site with a good reputation can be harmful — criminals may find and exploit a vulnerability. For example, they can use the site for drive-by attacks, causing each visitor to download a file automatically (and unwittingly) as soon as they get to the site. For example, Android users interested in current events in the Middle East are at risk of getting a whole menagerie — ZooPark spyware — on their phones.  
 
The current, fourth version of this Trojan can steal almost any information from your smartphone, from contacts to call logs and info you enter by keyboard. Here is the list of data that ZooPark can collect and send to its owners:  
 
 
  • Contacts
  • User account information
  • Call history
  • Call audio recordings
  • Text messages
  • Bookmarks and browser history
  • Browser search history
  • Device location
  • Device information
  • Information on installed apps
  • Any files from the memory card
  • Documents stored on the device
  • Information entered using the on-screen keyboard
  • Clipboard information
  • App-stored data (for example, data from messaging apps such as Telegram, WhatsApp, and imo, or the Chrome browser)

In addition, ZooPark can take screenshots and photos, and record videos on command. For example, it can take a picture of the phone’s owner from the front camera and send it to its command center. 

ZooPark Trojan spyware is used for targeted attacks — in other words, it’s not sent out randomly to ensnare just anyone; it aims for a specific audience. As we said, the criminals behind ZooPark target those who are interested in specific topics — in this case, Middle Eastern politics.  

How To Avoid a Zoo:   

  •        Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.  
  •       Use mobile antivirus software to block suspicious links and apps.

Source: Kaspersky Lab Blog

Latest Post
Categories
Categories
Uncategorized

SynAck Ransomware Hunts Enterprise Windows Users

Ransomware red button on keyboard, 3D rendering

Add Your Heading Text Here

Share it:

SynAck is a ransomware noted for demanding $3,000 from users before decrypting users’ files. Before encrypting a user’s files, SynAck ensures it has access to its important file targets by killing some processes that would otherwise keep the files in use and off limits.

The victim sees the ransom note, including contact instructions, on the logon screen. Unfortunately, SynAck uses a strong encryption algorithm, and no flaws have been found in its implementation, so there is no way yet to decrypt the encrypted files.

SynAck is distributed mostly by Remote Desktop Protocol brute force, which means it’s mostly targeted at business users. The limited number of attacks thus far — all of them in the USA, Kuwait, and Iran — bears out this hypothesis.

How SynAck Ransomware Operates:

It  employs a rather complicated Process Doppelgänging technique.  It is the first ransomware seen in the wild to do so. Process Doppelgänging was first presented at Black Hat 2017 by security researchers.

The technique “Process Doppelgänging” relies on some features of the NTFS file system and a legacy Windows process loader that exists in all Windows versions since Windows XP, letting developers create fileless malware that can pass off malicious actions as harmless, legitimate processes.

Before SynAck start to encrypt files on users’ machine, it checks if it’s installed in the right directory. If it’s not, it doesn’t run — that’s an attempt to avoid detection by the automatic sandboxes various security solutions use.

Secondly, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing.

Tips to Avoid Ransomware:

  •  If you do not use Windows Remote Desktop in your business processes, disable it.
  • Back up your data regularly. Store backups on separate media not permanently connected to your network or to the Internet.

Source: Kaspersky Lab Blog 

Latest Post
Categories
Categories
Uncategorized

DIFFERENCE BETWEEN SSL CERTIFICATES

Add Your Heading Text Here

Share it:

Today we are going to learn the difference between the three main types of SSL certificates. Before we proceed to illustrate the difference between the three main types, let’s find out what’s SSL.

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browserThis link ensures that all data passed between the web server and browsers remain private and integral.

IS SSL IS SECURE OR ANOTHER WAY TO CALM USER’S FEAR?   

Although SSL is used by major payment platforms such as MasterCard, AmericanExpress, SlydePay, and others to inform users that their activities such as money transaction are not being monitored by malicious users. However, you have heard of how malicious users break into secured websites daily to steal users’ credentials.

Thus, SSL is a way of informing users to trust you with their credentials or data. But in details, you should not actually trust them but be willing to abide by basic cybersecurity rules.

THREE MAIN TYPES OF SSL CERTIFICATES:

Extended Validation Certificate:

EV certificates are trusted by browsers and most expensive in comparison to the other types. Only legal entities that have provided all required documents can obtain this extended certificate. This type of certificate shows the name of organisation as well as location to appear in green in  the address bar, next to a padlock.

Organization Validation Certificate:

If a website has a DV or OV certificate, the browser displays a gray or green padlock with the word SECURE and the letters HTTPS in the address bar. Organization Validation certificate simply means connection to the domain is secure and it actually belongs to the organisation.

Domain Validation Certificate:

For  Domain Validation certificate, an individual must show or prove they own the domain. This certificate allows  secure connection to be established. It does not reveals  information about the organization to which it belongs. Moreover, no documents from an individual are required to issue it.

#ISA_informs

#ISA_ltd

Latest Post
Categories
Categories
Uncategorized

Time to Patch Your Drupal Sites

Add Your Heading Text Here

Share it:

As notified in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution (RCE) vulnerability, affecting its Drupal 7 and 8 core.

Drupal is a popular open-source content management system software that powers millions of websites, and unfortunately, the CMS has been under active attacks since after the disclosure of a highly critical remote code execution vulnerability.

The new vulnerability was discovered while exploring the previously disclosed RCE vulnerability, dubbed Drupalgeddon2 (CVE-2018-7600) that was patched on March 28, forcing the Drupal team to release this follow-up patch update.

According to a new advisory released by the team, the new remote code execution vulnerability (CVE-2018-7602) could also allow attackers to take over vulnerable websites completely.

Since the previously disclosed flaw derived much attention and motivated attackers to target websites running over Drupal, the company has urged all website administrators to install new security patches as soon as possible.

  • If you are running 7.x, upgrade to Drupal 7.59.
  • If you are running 8.5.x, upgrade to Drupal 8.5.3.
  • If you are running 8.4.x, which is no longer supported, you need first to update your site to 8.4.8 release and then install the latest 8.5.3 release as soon as possible.

It should also be noted that the new patches will only work if your site has already applied patches for Drupalgeddon2 flaw.

Drupal website admins are highly recommended to update their websites as soon as possible.

Source:  thehackernews.com

Latest Post
Categories
Categories
Uncategorized

How Hackers Rely On Vulnerable Routers to Distribute Android Banking Trojan

Add Your Heading Text Here

Share it:

In order to trick victims into installing the Android malware, dubbed Roaming Mantis, hackers have been hijacking DNS settings on vulnerable and poorly secured routers.

DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more.

Once modified, the rogue DNS settings configured by hackers redirect victims to fake versions of legitimate websites they try to visit and displays a pop-up warning message, which says—”To better experience the browsing, update to the latest chrome version.”

It then downloads the Roaming Mantis malware app masquerading as Chrome browser app for Android, which takes permission to collect device’ account information, manage SMS/MMS and making calls, record audio, control external storage, check packages, work with file systems, draw overlay windows and so on.

If installed, the malicious app overlays all other windows immediately to show a fake warning message (in broken English), which reads, “Account No.exists risks, use after certification.”

Roaming Mantis then starts a local web server on the device and launches the web browser to open a fake version of Google website, asking users to fill up their names and date of births.

To convince users into believing that they are handing over this information to Google itself, the fake page displays users’ Gmail email ID configured on their infected Android device, as shown in the screenshots.

You are advised to ensure your router is running the latest version of the firmware and protected with a strong password.

You should also disable router’s remote administration feature and hardcode a trusted DNS server into the operating system network settings. 

Source:  thehackernews.com

 

Latest Post
Categories
Categories
Uncategorized

Does Malware Comes From Porn Sites ?

Add Your Heading Text Here

Share it:

There is indeed a risk of infection on porn sites and adult content apps, but that’s also true for sites completely unrelated to porn.

Possibly the most common advice for avoiding computer viruses is to avoid adult sites. You’ve probably heard the tropes — dogs, fleas, porn, viruses. But is there any truth to them? Let’s investigate.

To state the obvious, adult content is rather popular. A report by SimilarWeb suggests that three of the world’s 20 most visited sites are porn-related.

Two of them are breathing down the necks of front runners Facebook, YouTube, and search giants Google and China’s Baidu.

And sandwiched between Instagram and Yandex, in 14th place, is PornHub. We were amazed to learn that in 2017 the site got a staggering 28.5 billion hits. That’s more than 81 million a day!

Cybercriminals are not overly bothered about other people’s business models. The popularity of XXX sites has not gone unnoticed.  Every now and then they hack porn resources or the advertising platforms that host banners on them .

Now, malicious porn sites do exist — sites created to defraud or infect visitors. But they tend to be small-scale, not well-known. And then there are players and other apps for viewing adult content that phish for data.

You can avoid dangers on porn sites by doing the following:

Although we have provided solutions to avoid malware on porn sites, for safety reasons we advise you not to browse on porn sites.

Source: Kaspersky Labs

Latest Post
Categories
Categories
Uncategorized

Flaw in Microsoft Allows Hackers to Steal Your Windows Password

Add Your Heading Text Here

Share it:

A security researcher has disclosed details of an important vulnerability in Microsoft Outlook for which the company released an incomplete patch this month—almost 18 months after receiving the responsible disclosure report.

The Microsoft Outlook vulnerability (CVE-2018-0950) could allow attackers to steal sensitive information, including users’ Windows login credentials, just by convincing victims to preview an email with Microsoft Outlook, without requiring any additional user interaction.

The vulnerability, discovered by Will Dormann of the CERT Coordination Center (CERT/CC), resides in the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) email message is previewed and automatically initiates SMB connections.

A remote attacker can exploit this vulnerability by sending an RTF email to a target victim, containing a remotely-hosted image file (OLE object), loading from the attacker-controlled SMB server.

Windows users, especially network administrators  are advised to follow the below-mentioned steps to mitigate this vulnerability.

 

  • Apply the Microsoft update for CVE-2018-0950, if you have not yet.
  • Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
  • Most important, don’t click on suspicious links provided in emails.
Latest Post
Categories
Categories
Uncategorized

Microsoft Office 365 Gets Built-In Ransomware Protection

MONTREAL, CANADA - MARCH 20, 2016 - Microsoft Office 365 on PC screen. Microsoft Office is one of the most popular office suite software.

Add Your Heading Text Here

Share it:

Ransomware has been around for a few years, but it has become an albatross around everyone’s neck, targeting big businesses, hospitals, financial institutions and individuals worldwide and extorting millions of dollars.

Last year, we saw some major ransomware outbreaks, including WannaCry and NotPetya, which wreaked havoc across the world, hitting hundreds of thousands of computers and business networks worldwide.

From small to mid-range businesses, Microsoft Office 365 remains the most widely used and fastest-growing work office suite, so it’s no surprise that it has become a primary target for viruses, ransomware, and phishing scams.

Now, to combat such cyber attacks, Microsoft has announced some new security features for Office 365 that can help users mitigate the damage done by ransomware and other malware infections.

 

File Recovery and Anti-Ransomware

 

  • Files Restore—Microsoft Office 365 now allows users to restore entire OneDrive to a previous point in time within the last 30 days. This feature can be used to recover files from an accidental mass delete, file corruption, ransomware, or any catastrophic event.
  • Ransomware detection & recovery—Office 365 had also introduced a new security feature that detects ransomware attacks and alerts you through an email, mobile, or desktop notification while helping you restore your OneDrive to a point before the malware compromised files.

Source: thehackernews.com

Latest Post
Categories
Categories
Uncategorized

New Zenis ransomware encrypts files and deletes backups

Add Your Heading Text Here

Share it:

Zenis ransomware is a rare example of crypto-malware. Researchers still cant figure out clearly how this ransomware works. This malware does not only encrypts files but deletes backups too.

Zenis affect devices by exploiting Remote Desktop services. Once inside, it begins to encrypt data using AES cryptography.

Whilst encrypting data, Zenis ransomware renames files and appends Zenis-<2_chars>. file extension. Apart from data encryption, it deletes shadow volume copies, disable startup repair, and clear event logs.

Zenis also searches for files that are associated with backups and deleted them immediately.

Zenis ransomware gets into the machines by exploiting  Remote Desktop services connected to the internet directly.

We recommend connecting Remote Desktop Services to the internet via VPN with a strong password. Also, it is quite safer to have anti-malware solution on public-facing machines.

#ISA_informs

#ISA_ltd

Latest Post
Categories
Information Security Architects (ISA) Ltd is one of the leading Data Privacy and Security Practitioners in Ghana West Africa.
Services
Products
Newsletter

Sign up our newsletter for update information, insight and promotion.

Facebook Instagram Twitter Linkedin
Copyright © 2021, All rights reserved. Powered by Lynt Digital.