Categories
Internet Security Uncategorized

Time to Install apt-transport-https !!!

A flaw in the apt-get utility can be exploited by a remote, man-in-the-middle attacker to compromise Linux machines.

The flaw once again demonstrates that if the software download ecosystem used HTTPS to communicate, such attacks could easily be mitigated in the first place.

The APT utility doesn’t properly sanitize certain parameters during HTTP redirects, allowing man-in-the-middle attackers to inject malicious content and trick the system into installing altered packages.

APT’s HTTP redirects let Linux machines automatically find a suitable mirror server from which to download packages when others are unavailable.

If the first server somehow fails, it returns a response with the location of the next server from which the client should request the package.

A malicious mirror, or an attacker sitting on the network path between the client and a legitimate mirror, can inject malicious packages into the traffic and execute arbitrary code on the targeted system with the highest level of privileges, i.e. root.

Since apt-get is part of many major Linux distributions, including Debian and Ubuntu, which have acknowledged the flaw and released security updates, Linux users are strongly advised to update their systems as soon as possible.
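The first practical check is whether your own sources list still fetches over plain HTTP, because only those lines can be redirected by an attacker on the path. The script below is an added example, not code from the article or from the APT project: it parses a sources list, reports the plain-HTTP entries and emits an HTTPS rewrite. The sample list is constructed for the example, and a rewritten line only helps if the mirror actually serves HTTPS (deb.debian.org and the main Ubuntu archives do; verify any other mirror first).

```python
"""Added example, not code from the article: audit an APT sources list for
mirrors fetched over plain HTTP and emit an HTTPS rewrite of it.

Assumptions (constructed for this example): the sample sources list below is
made up, and switching a line to https:// only helps if that mirror actually
serves HTTPS.
"""
import re

# A deb/deb-src line: optional leading whitespace, the type, an optional
# "[arch=... ]" options block, then the URI, then suite/components.
_SOURCE_LINE = re.compile(
    r"^(?P<prefix>\s*deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?)"
    r"(?P<scheme>https?)://(?P<uri>\S+)(?P<tail>.*)$"
)


def parse_sources(text):
    """Return (line_no, scheme, full_uri) for every active deb/deb-src line.

    Comment and blank lines are skipped, as apt itself skips them.
    """
    entries = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = _SOURCE_LINE.match(line)
        if m:
            entries.append((no, m.group("scheme"), f"{m.group('scheme')}://{m.group('uri')}"))
    return entries


def http_sources(text):
    """Sources that apt would fetch over plain HTTP. These are the ones a
    man-in-the-middle can redirect, which is the precondition for the bug."""
    return [(no, uri) for no, scheme, uri in parse_sources(text) if scheme == "http"]


def rewrite_to_https(text):
    """Return a copy of the list with http:// switched to https:// on
    deb/deb-src lines only; comments and other lines are left untouched."""
    out = []
    for line in text.splitlines():
        m = _SOURCE_LINE.match(line)
        if m and m.group("scheme") == "http":
            line = f"{m.group('prefix')}https://{m.group('uri')}{m.group('tail')}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample input, not copied from any real system.
SAMPLE_SOURCES = """\
# Debian stretch, as shipped
deb http://deb.debian.org/debian stretch main
deb-src http://deb.debian.org/debian stretch main
deb [arch=amd64] http://deb.debian.org/debian stretch-updates main
deb https://deb.debian.org/debian-security stretch/updates main
"""

if __name__ == "__main__":
    for no, uri in http_sources(SAMPLE_SOURCES):
        print(f"line {no}: fetched over plain HTTP: {uri}")
    print(rewrite_to_https(SAMPLE_SOURCES), end="")
```

Rewriting the lines is only half the job. On apt older than 1.5 (Debian stretch, Ubuntu 16.04) the https:// transport lives in the separate apt-transport-https package the title refers to, and fetching that package over the vulnerable HTTP transport is itself exposed to the bug. Debian’s advisory therefore recommends doing the update and upgrade with redirects switched off first: apt -o Acquire::http::AllowRedirect=false update, followed by the same option on upgrade, and only then moving the sources to HTTPS.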

source: THN

Systemd Privilege Escalation Flaws Affect Debian and Red Hat Users

Security researchers have discovered three vulnerabilities in Systemd, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems.

The vulnerabilities, tracked as CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866, reside in the “systemd-journald” service, which collects information from different sources and creates event logs by writing that information to the journal.

The vulnerabilities, which were discovered and reported by security researchers at Qualys, affect all systemd-based Linux distributions, including Red Hat and Debian, according to the researchers.

The first two flaws are memory corruption issues, while the third is an out-of-bounds read in systemd-journald that can leak sensitive process memory.

If you are using a vulnerable Linux system, keep tabs on the latest updates by your respective Linux distribution and install the patches as soon as they are released.

Source: theHackernews 

The privacy tussle; can there be a win-win?

It was a quarter to the hour of eight when I got home with weary and tired legs; surely I was famished, and it was kenkey from my favourite vendor, hot pepper and fried eggs on the menu. Just when I stuck my thumb into the kenkey Ga-man-style, a notification came through on my phone, and honestly I thought it was a payment hitting the account (man is hot); but no, it wasn’t. In fact it was just a news item: citinewsroom.com had reported a story captioned “Communications Ministry fights BoG over mobile money data”. Well, I chuckled; in my mind I retorted, what’s wrong with my “Ghana people” again?

I continued with supper whilst I read the article in full. It caught my eye because it touches a subject I am passionate about: yes, data protection. The article stated in part: “The Communications Ministry in a series of letters had asked the Bank of Ghana to release the data to a private contractor, Kelni GVG, which has been tasked to verify the amount of revenue generated by telcos.

The Ministry specifically requested for disclosure of customer balances, transaction amounts, date and time of the transactions.

However, the Bank of Ghana declined to grant the Communication Ministry’s request, arguing in a letter signed by its Secretary, Frances Van-Hein, that disclosing such information will breach the guidelines of Electronic Money Issuers and the Data Protection Act.”

So, without wasting much time, I decided to make a point or two once the food had settled my unintended, self-imposed fasting. Here we go: it is true that per section 91 of the Data Protection Act 2012, Act 843, the three (3) organs of State are bound by the provisions of the Act, more so when it comes to disclosure. Let me just say quickly, before I proceed, that this is not meant to be a comprehensive lecture on data protection; on the contrary, it is just a brief touching on the key issue I gathered, which is the outright refusal to disclose.

As a practitioner, I will proceed to ask why the data is needed in the first place. Regulatory activities, or? Well, let me just presume and move on. Having said that, section 63 of Act 843 should suffice for regulatory activities so long as the reason falls under the exemptions provided. Let’s assume again that it is for taxation or related purposes; then section 61(1)(c) of Act 843 further allows an exemption for the purposes of the assessment or collection of a tax or duty or of an imposition of a similar nature.

Generally, and as a rule of principle, the provisions of the law do not apply to data so long as the data subjects cannot be identified from the set of attributes, which calls for anonymization or pseudonymization. Once data is properly anonymized, the data subjects behind the attributes cannot be identified, and the issues of privacy do not arise. This also means the systems disclosing and receiving the information respectively should envisage this in their technology, either as an added functionality or built in, something called “privacy by design”. But then, like I keep saying in various forums, if we build systems that are not resilient to the inherent risk and to how to manage same, then due diligence can be construed as negligible if not nonexistent.

As I doze off now, and hoping I am not missing the point: the exemptions under Act 843 are not blank cheques. They are exemptions permitting disclosure of the information; all the other principles under the law therefore apply with full force, i.e. accountability, lawfulness of processing, specification of purpose, compatibility with further processing, quality of the data, openness, security safeguards and data subject participation.

The provisions of Act 843 will override the Electronic Money Issuers Guidelines (2015) to the extent that the former is substantive law. It can also be a matter of regulator-to-regulator mutual understanding and, of course, of measures of alternative effect under the context of the laws: create a controller-to-controller or controller-to-processor relationship and capture the lawful terms of use in a data transfer or exchange agreement, as envisioned under Act 843.

If a truce won’t work, well, I will just sleep soundly by recommending that under section 66 of Act 843 one can compel the other with a court order to do the needful; but rightly so with lawful justification, lest the court throws you out for want of lawful justification.

As the night settles into its late hours, may we be reminded that data protection is a fundamental human right. Its regulations governing data processing are not an outright show-stopper but a business enabler, with the potential of appreciating the currency of the digital consumer; this currency is “trust”, and it therefore provides a competitive business edge. In as much as one party, as a regulator, has the right of refusal over the other, it is also the case that this refusal cannot be absolute in the face of lawfully justified exemptions. Let the parties re-look at their positions.

Permit me to leave you with some thoughts:

“Privacy – like eating and breathing – is one of life’s basic requirements.” ― Katherine Neville

Desmond Israel

Lead Consultant @ Information Security Architect

Making two-factor authentication much stronger in two easy steps

Disabling lock-screen notifications on iPhone:

iPhone users have a bit more flexibility in notification settings. First of all, you can set up notification previews in general:

  • Open Settings;
  • Go to Notifications;
  • Tap on Show Previews at the very top if you want to turn off lock-screen notifications all at once.
  • Select When Unlocked or Never

In iOS, you can fine-tune the balance of convenience and privacy. If you prefer to keep some notification previews on your lock screen and hide only those that contain sensitive information, you can choose another approach and set up this option individually for each app:

  1. Again, open Settings;
  2. Go to Notifications;
  3. Tap on the app in question, for example, Messages;
  4. Scroll down to the option for showing previews and select either When Unlocked or Never.

Disabling lock-screen notifications on Android:

Android settings vary a bit depending on version and device, and there are quite a number of them, so an ultimate guide is impossible; poke around a bit if necessary.

  1. Open Settings;
  2. Go to Apps & Notifications, then Notifications;
  3. Choose On the lock screen;
  4. Choose either Don’t show notifications or Show notifications but hide sensitive content.

Most Android versions don’t allow you to set up lock-screen notifications individually for each app; however, in Samsung’s version of the OS you can do it.

Don’t forget to protect your SIM card:

Removing notifications from your lock screen is a good start, but our job isn’t done yet. You see, it isn’t the phone that actually receives text messages, but rather a tiny piece of plastic no one thinks about much: the SIM card. It’s incredibly easy to remove a SIM card from one phone, insert it into any other phone, and receive your calls and messages, including messages with 2FA one-time codes.

It’s pretty easy to protect yourself from that kind of information theft — just set up a PIN code request for your SIM card. Here’s how to do it on an iPhone:

  1. Open Settings;
  2. After a fair bit of scrolling, tap on Phone;
  3. Go to SIM PIN;
  4. Switch SIM PIN on;
  5. Enter your current PIN. If you never set one, use the default code set by the operator — you can find it in your SIM starter kit;
  6. Tap on Change PIN to use custom code instead of the default one;
  7. Enter your current PIN;
  8. After that enter your new PIN code, and enter it once again for confirmation.

For Android (again, it may be slightly different in your phone):

  1. Go to Settings, then Security & Location;
  2. Choose SIM card lock and Lock SIM card;
  3. When prompted, enter the SIM PIN. If you didn’t set one up, find the default SIM PIN in the documentation from your SIM card;
  4. Choose Change SIM PIN;
  5. Enter the old PIN;
  6. Enter a new PIN (and again, for confirmation).

From now on, every time the phone is restarted or the SIM card is inserted into another phone, the PIN has to be entered; without it the SIM will not register on the network. You’re set, at least as far as SMS two-factor authentication codes go. Bear in mind that a SIM PIN protects the physical card only: it does nothing against a SIM swap carried out through your carrier, which is why an authenticator app or a hardware security key is a stronger second factor than SMS wherever the service offers one.

source:  kaspersky

Mobile Malware and Where to Find Them

Our smartphones and tablets know almost everything about us — from contact details to bank card numbers and current location. This information is a goldmine for cybercriminals. As a result, the Web is full of all kinds of pests out to grab anything lying around (or carelessly typed).

Spyware

Spyware is the name given to programs that, yes, spy on people. Like hidden cryptominers, spyware tries to lie low on your smartphone for as long as possible, which tends to make it very difficult to detect.

Some types of spyware steal data — anything from user names and passwords to photos and geolocation data; other types stick to the spy game, recording audio, shooting videos, and so on.

Here’s what such malware is capable of:

  • Stealing your e-mails and text messages (both SMS and IM) and forwarding them to cybercriminals,
  • Recording phone conversations,
  • Sending your device’s GPS coordinates to scammers,
  • Revealing your browser history and clipboard contents,
  • Stealing personal or work documents, or any files from your phone,
  • Turning on the microphone and/or camera and sending out secretly recorded photos, audio, and video,
  • Stealing social media and online bank account details,
  • Collecting system information.

For example, the Trojan spyware Skygofree starts recording audio when the owner of the infected device is in a place selected by the spyware operators; it also harvests browser history, user names, passwords, and card numbers. It then connects to Wi-Fi all by itself and transfers the booty.

Keyloggers

Spyware can be general-purpose or specialized. For example, keyloggers are malware programs that log keystrokes on the keyboard. Sure, modern phones have only virtual keys, but that’s even better for keyloggers. Some masquerade as alternative keyboards, making it child’s play to pick up what the user taps.

Banking Trojans

Another specialized breed of spyware, banking Trojans steal data linked to bank cards and apps. These monsters are quite popular with hackers because they provide a direct route into other people’s accounts.

Banking Trojans come in a variety of flavors, and in many cases they combine an array of functions. For example, many can overlay the banking app interface with their own, making it seem as though the user is entering data in the banking app while in fact giving it to the Trojan, which logs the details and feeds them into the banking client so that the user suspects nothing. Also, in many cases, mobile banking Trojans intercept SMS messages from banks containing confirmation codes or information about withdrawals.

Source:    Kaspersky Lab

HACKERS STEAL 50 MILLION FACEBOOK USERS’ ACCESS TOKEN USING ZERO-DAY FLAW

As of the second quarter of 2018, Facebook had 2.23 billion monthly active users. In the third quarter of 2012 the number of active users had surpassed one billion, making it the first social network ever to do so. Active users are those who logged into Facebook during the last 30 days.

Facebook is already under heavy fire since the revelation that consultancy firm Cambridge Analytica had misused data of 87 million Facebook users to help Donald Trump win the US presidency in 2016.

And now the latest revelation, reported on Friday 28 September 2018: a zero-day flaw residing in the “View As” feature on users’ timelines.

The feature has been disabled, and access tokens have been reset for the 50 million compromised accounts and for a further 40 million accounts.

What the View As feature means on Facebook:

After clicking View As, Facebook shows you your profile page as people who aren’t your Facebook friends see it.

If you can see certain posts and photos, this means those posts and photos are available for public eyes because you posted with a public privacy setting.

Facebook has admitted that an unknown hacker or group of hackers exploited a zero-day vulnerability in its social media platform that allowed them to steal secret access tokens for more than 50 million accounts.

The vulnerability allowed hackers to steal access tokens that could then be used to access users’ private information directly, without the original account password or a two-factor authentication code. Access tokens are the digital keys that keep users logged in, so a stolen token is as good as a live session, and resetting the tokens is what cuts off the attackers’ access.

The attack was discovered three days earlier (on 25 September), and an investigation is ongoing. Meanwhile, the vulnerability has been patched.

This latest revelation has once again underlined the failure of the social media giant to protect its users’ information while generating billions of dollars in revenue from that same information.

How to Automate Pentesting with Ansible ( Part 2- Information Gathering)

Today we will look at how Ansible modules allow security engineers to collect extensive information about a remote server, such as its active interfaces (e.g. eth0 or wlan0), which mandatory access control system is enabled in the kernel (AppArmor or SELinux), how many partitions exist on the disk, and so on.

Although Ansible, as a DevOps tool, is primarily used for configuration management, server provisioning and application deployment to production environments, just like Puppet and the rest, some of its modules can be used to gather information, and the information they gather can be very useful to security engineers.

Before we start automating information gathering with Ansible modules, let’s briefly look at how to list the available modules and the arguments each one accepts. To list every module Ansible knows about, open a terminal and type: ansible-doc -l. To see the arguments a particular module takes, for example setup, type: ansible-doc setup.

As the screenshot above shows, the command lists the modules supported by Ansible.

Finally, let’s use the setup module to gather information about the target without any dedicated infosec tools. Type the command below at the terminal, replacing <target> with the host or group name from your inventory:

ansible <target> -m setup -k -u user2

The command instructs Ansible to connect to the target as user2 and retrieve facts about it. The -k flag prompts for user2’s password. Adding --tree <dir> saves the facts for each host as a JSON file in that directory, which is handy when you want to compare hosts or audit them later.

Voilà: via the setup module, Ansible retrieved extensive information about the target in less than a minute. Tomorrow we will continue to automate information gathering with Ansible.
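Reading several screens of facts by eye does not scale, so the next step is to audit them. The script below is an added example, not code from the tutorial or from the Ansible project: it reads one of the per-host JSON files that ansible <target> -m setup --tree /tmp/facts writes and reports on exactly the points listed above, the active interfaces, whether AppArmor or SELinux is enforcing, and the disk partitions. The fact set it ships with is a constructed, trimmed sample in the shape the setup module produces, and the thresholds it flags (a single partition, more than one active interface) are this example’s own choices.

```python
"""Added example, not code from the tutorial: audit the facts the setup module
returns for active interfaces, the kernel MAC system and disk partitions.

Assumptions: input is one of the per-host JSON files that
'ansible <target> -m setup --tree /tmp/facts -k -u user2' writes; the fact
set below is a constructed, trimmed sample in that shape, and the thresholds
(a single partition, more than one active interface) are this example's own.
"""
import json


def load_facts(tree_file_text):
    """Parse one --tree output file and return its ansible_facts mapping."""
    return json.loads(tree_file_text).get("ansible_facts", {})


def mac_status(facts):
    """'selinux' if SELinux is enabled and enforcing, 'apparmor' if AppArmor is
    enabled, otherwise 'none'. Permissive SELinux only logs, so it counts as none."""
    selinux = facts.get("ansible_selinux", {})
    if selinux.get("status") == "enabled" and selinux.get("mode") == "enforcing":
        return "selinux"
    if facts.get("ansible_apparmor", {}).get("status") == "enabled":
        return "apparmor"
    return "none"


def active_interfaces(facts):
    """(name, ipv4 address) for every active interface except lo.

    Each interface's details live under ansible_<name>; dashes in the name are
    assumed to become underscores in that key (eth0 and wlan0 are unaffected).
    """
    result = []
    for name in facts.get("ansible_interfaces", []):
        if name == "lo":
            continue
        iface = facts.get("ansible_" + name.replace("-", "_"), {})
        if iface.get("active"):
            result.append((name, iface.get("ipv4", {}).get("address")))
    return result


def partitions(facts):
    """(device, partition) pairs taken from ansible_devices."""
    return [(dev, part)
            for dev, info in facts.get("ansible_devices", {}).items()
            for part in info.get("partitions", {})]


def audit(facts):
    """Findings a pentester would note from the gathered facts."""
    findings = []
    if mac_status(facts) == "none":
        findings.append("no mandatory access control enforcing (SELinux not enforcing, AppArmor disabled)")
    ifaces = active_interfaces(facts)
    if len(ifaces) > 1:
        findings.append("host is multi-homed: " + ", ".join(f"{n}={a}" for n, a in ifaces))
    if len(partitions(facts)) <= 1:
        findings.append("single disk partition: /tmp and /var are probably not separate filesystems (check ansible_mounts)")
    return findings


# Constructed sample in the shape of a --tree file; addresses are from the
# RFC 5737 documentation ranges, not a real host.
SAMPLE_TREE_FILE = json.dumps({
    "ansible_facts": {
        "ansible_distribution": "Debian",
        "ansible_kernel": "4.9.0-8-amd64",
        "ansible_apparmor": {"status": "disabled"},
        "ansible_selinux": {"status": "disabled"},
        "ansible_interfaces": ["lo", "eth0", "wlan0"],
        "ansible_lo": {"active": True, "ipv4": {"address": "127.0.0.1"}},
        "ansible_eth0": {"active": True, "ipv4": {"address": "192.0.2.10"}},
        "ansible_wlan0": {"active": True, "ipv4": {"address": "198.51.100.7"}},
        "ansible_devices": {"sda": {"partitions": {"sda1": {"size": "40.00 GB"}}}},
    },
    "changed": False,
})

if __name__ == "__main__":
    facts = load_facts(SAMPLE_TREE_FILE)
    print("MAC:", mac_status(facts))
    print("interfaces:", active_interfaces(facts))
    print("partitions:", partitions(facts))
    for finding in audit(facts):
        print("finding:", finding)
```

Point it at a real --tree directory by reading each file in turn and calling audit on it; because the facts are plain JSON, the same script works for every distribution the earlier part of this series mentioned, which is the advantage over per-distro shell one-liners.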

#ISA_informs

#ISA_ltd 

How to Automate Pentesting with Ansible ( PART 1- Installation & Configuration)

In this day and age, DevOps tools such as Ansible have made it quite possible for security engineers to automate penetration testing. Although the same tasks can be done with bash shell scripting, it becomes tedious when security engineers have to test hosts on different distributions (such as SUSE, CentOS and Red Hat). We can use Ansible to pentest different Linux distributions in the same environment using playbooks.

Today we will focus on installing Ansible on a controller machine in preparation for the main task ahead. There is no need to install Ansible on the remote server (i.e. the managed machine) we will connect to shortly.

There are several ways of installing Ansible. You can compile it from source into /usr/local, use the apt-get utility on Ubuntu or the yum or dnf utility on CentOS to install the packaged binary, or install it with pip.

For this tutorial, we will install ansible on the controller machine using apt-get and configure it afterwards.

Open your terminal and type the following command (as root, or prefixed with sudo):

apt-get install ansible

The package installs Ansible’s configuration files under /etc/ansible, the system configuration directory. After you have installed Ansible on your Linux machine, type the following command at the terminal:

cd /etc/ansible 

Inside the ansible directory, type the command below to view the files it contains:

ls

Open the file ‘hosts’ and add the hostname(s) or IP address(es) of the remote server(s) you intend to pentest. The ‘hosts’ file is the inventory: it lists the web servers, database servers and other infrastructure Ansible needs to connect to via SSH. You can open it with any text editor.

leafpad hosts

Now enter the IP address(es) or hostname(s) of the remote server(s) in the format below. Please don’t try to connect to the IP address shown, because it is not valid.

Next, save and close the hosts file. Open the file ‘ansible.cfg’ to make a minimal change. The file ships with the line host_key_checking = False commented out; uncommenting it (deleting the # sign in front of it) stops Ansible from aborting the first connection to a server whose SSH host key is not yet in known_hosts. Be aware that this also turns off host key verification entirely, so an attacker on the network could impersonate your targets and capture the password you type at the -k prompt. The safer option is to leave the line commented and add each target’s host key to ~/.ssh/known_hosts first (for example with ssh-keyscan, checking the fingerprints out of band), so that the check stays on.

Now save and close ansible.cfg file.
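Both files edited above are small enough to generate and check programmatically, which is worth doing once you manage more than a handful of targets. The script below is an added example, not code from the tutorial or from the Ansible project: it renders the inventory in the INI format the hosts file uses, flags an ansible.cfg in which host_key_checking has been switched off, and lists which inventory hosts still lack a known_hosts entry so the check can stay on. The addresses are from the RFC 5737 documentation ranges and the cfg and known_hosts texts are constructed samples; the known_hosts check only understands plain, unhashed entries.

```python
"""Added example, not code from the tutorial: write the inventory for the
hosts you are permitted to test and check ansible.cfg for the host key
setting discussed above.

Assumptions: the addresses are from the RFC 5737 documentation ranges and the
cfg/known_hosts texts are constructed samples, not real files; the known_hosts
check only understands plain (unhashed) entries.
"""
import configparser
import io


def build_inventory(groups):
    """Render {group: [host, ...]} in the INI format /etc/ansible/hosts uses."""
    lines = []
    for group, hosts in groups.items():
        lines.append(f"[{group}]")
        lines.extend(hosts)
        lines.append("")
    return "\n".join(lines)


def audit_ansible_cfg(cfg_text):
    """Findings for ansible.cfg settings that weaken the SSH connection.

    ansible.cfg is INI. The shipped file carries '#host_key_checking = False'
    commented out; if that line is active, Ansible no longer verifies SSH host
    keys and a man-in-the-middle can impersonate every target.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(cfg_text))
    findings = []
    value = parser.get("defaults", "host_key_checking", fallback="True")
    if value.strip().lower() in ("false", "no", "0"):
        findings.append("host_key_checking is disabled: SSH host keys are not verified")
    return findings


def hosts_without_known_key(hosts, known_hosts_text):
    """Inventory hosts that have no entry in a known_hosts file.

    Entries look like 'host1,host2 keytype base64key'. Hashed entries ('|1|...')
    cannot be matched by name and are skipped, as are marker lines ('@...').
    Add missing hosts with 'ssh-keyscan -H <host> >> ~/.ssh/known_hosts' after
    checking the fingerprint out of band, so host_key_checking can stay enabled.
    """
    known = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("|1|", "@", "#")):
            continue
        known.update(fields[0].split(","))
    return [h for h in hosts if h not in known]


# Constructed samples: documentation addresses, and key material that is not a real key.
SAMPLE_GROUPS = {"webservers": ["192.0.2.10", "192.0.2.11"], "dbservers": ["198.51.100.5"]}
WEAK_CFG = "[defaults]\ninventory = /etc/ansible/hosts\nhost_key_checking = False\n"
SAFE_CFG = "[defaults]\ninventory = /etc/ansible/hosts\n#host_key_checking = False\n"
SAMPLE_KNOWN_HOSTS = "192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal\n"

if __name__ == "__main__":
    print(build_inventory(SAMPLE_GROUPS))
    print("weak cfg:", audit_ansible_cfg(WEAK_CFG))
    print("safe cfg:", audit_ansible_cfg(SAFE_CFG))
    all_hosts = [h for hosts in SAMPLE_GROUPS.values() for h in hosts]
    print("no known_hosts entry:", hosts_without_known_key(all_hosts, SAMPLE_KNOWN_HOSTS))
```

Run it against your real files by reading /etc/ansible/ansible.cfg and ~/.ssh/known_hosts into the two functions; a clean run (no findings, no missing hosts) means the ping test in the next step will succeed without weakening host key checking.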

Finally, let’s check whether we have configured Ansible correctly by connecting to the remote server with the ping module. The command below tells Ansible to connect to the target (replace the placeholder with the host or group name from your inventory) using the ping module (-m ping). The -k flag prompts for user2’s password before connecting.

ansible <target> -m ping -k -u user2

BAM!  Ansible is working correctly. Tomorrow, We will illustrate how we can automate information gathering of a target with ansible.

#ISA_informs

#ISA_ltd 

Turning Your Smartphone Into a Spyware Zoo

Sometimes even a completely innocent-looking site with a good reputation can be harmful: criminals may find and exploit a vulnerability in it and use the site for drive-by attacks, causing each visitor to download a file automatically (and unwittingly) as soon as they arrive. That is how Android users interested in current events in the Middle East are at risk of getting a whole menagerie, the ZooPark spyware, on their phones.

The current, fourth version of this Trojan can steal almost any information from your smartphone, from contacts to call logs and anything you enter on the keyboard. Here is the list of data that ZooPark can collect and send to its owners:

  • Contacts
  • User account information
  • Call history
  • Call audio recordings
  • Text messages
  • Bookmarks and browser history
  • Browser search history
  • Device location
  • Device information
  • Information on installed apps
  • Any files from the memory card
  • Documents stored on the device
  • Information entered using the on-screen keyboard
  • Clipboard information
  • App-stored data (for example, data from messaging apps such as Telegram, WhatsApp, and imo, or the Chrome browser)

In addition, ZooPark can take screenshots and photos, and record videos on command. For example, it can take a picture of the phone’s owner from the front camera and send it to its command center. 

ZooPark Trojan spyware is used for targeted attacks — in other words, it’s not sent out randomly to ensnare just anyone; it aims for a specific audience. As we said, the criminals behind ZooPark target those who are interested in specific topics — in this case, Middle Eastern politics.  

How To Avoid a Zoo:   

  • Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.
  • Use mobile antivirus software to block suspicious links and apps.

Source: Kaspersky Lab Blog

SynAck Ransomware Hunts Enterprise Windows Users

SynAck is ransomware noted for demanding $3,000 from victims before decrypting their files. Before encrypting a victim’s files, SynAck makes sure it can reach its important file targets by killing processes that would otherwise keep those files open and off limits.

The victim sees the ransom note, including contact instructions, on the logon screen. Unfortunately, SynAck uses a strong encryption algorithm, and no flaws have been found in its implementation, so there is no way yet to decrypt the encrypted files.

SynAck is distributed mostly by Remote Desktop Protocol brute force, which means it’s mostly targeted at business users. The limited number of attacks thus far — all of them in the USA, Kuwait, and Iran — bears out this hypothesis.

How SynAck Ransomware Operates:

It employs the rather complicated Process Doppelgänging technique, and it is the first ransomware seen in the wild to do so. Process Doppelgänging was first presented at Black Hat Europe 2017 by security researchers from enSilo.

The technique relies on NTFS transactions, a feature of the file system, and on a legacy Windows process loader that exists in all Windows versions since Windows XP. Together they let malware authors create fileless malware whose malicious actions pass as those of harmless, legitimate processes.

Before SynAck starts to encrypt files on the victim’s machine, it checks whether it is installed in the right directory. If it isn’t, it doesn’t run; that’s an attempt to avoid detection by the automatic sandboxes various security solutions use.

Secondly, SynAck checks whether the computer’s keyboard layout is set to a certain script, in this case Cyrillic, in which case it also does nothing.

Tips to Avoid Ransomware:

  • If you do not use Windows Remote Desktop in your business processes, disable it. If you do need it, don’t expose it directly to the Internet: put it behind a VPN and enforce strong passwords and account lockout, so that the brute-force attempts SynAck relies on fail.
  • Back up your data regularly. Store backups on separate media not permanently connected to your network or to the Internet.

Source: Kaspersky Lab Blog