Wanna learn to be a pentester? This is your week...
In This Issue:
- KringleCon 2018: Even Santa learns how to hack
- Cyberwar is a very real thing, and it can get you very dead in the real world
- Have we become so inured to Microsoft bugs that we simply ignore them now?
- You're not paranoid if they really are out to get you
KringleCon 2018: Even Santa learns how to hack
SANS Penetration Testing, an arm of the SANS Institute, has been putting on a regular holiday hack challenge for the past three years. This year, the holiday hack challenge has evolved into KringleCon, a virtual hacker conference. Here, established and aspiring infosec professionals alike can attend talks, play games, hack things, and build skills- all from the comfort of their nearest anonymous internet access point.
Countermeasure:
Infosec nerds – especially those new to the field – should attend KringleCon. Act quickly, however, there are limited spaces available.
Cyberwar is a very real thing, and it can get you very dead in the real world
Actions have consequences. Even actions taken online. Far too often we feel disconnected from the human impact of our choices, and the Jamal Khashoggi case serves as a chilling reminder of exactly how severe the consequences of our choices can be.
The Washington Post dissects Jamal Khashoggi's brutal murder by Saudi Arabia, detailing the events not only of the incident itself, but all the political, geopolitical, ideological, and socioeconomic conditions that led to the noted journalist's end. It is a must-read, and a sobering reminder that our world is truly a global village. Our words have global reach, and so do the monsters that live within it.
Countermeasure:
This piece should be required reading for anyone in your organization who blogs, uses social media, or in any way can be construed as representing your organization publicly. While this piece focuses on the events leading up to the murder of Jamal Khashoggi, it is worth remembering that everything we put on the internet lives there forever, and it can be seen, used, and abused by anyone, from anywhere in the world. Use this as a cautionary tale: your audience is global. Never, ever forget that.
Have we become so inured to Microsoft bugs that we simply ignore them now?
Jake Williams has an interesting question for the infosec community. "… Microsoft announced there's a remotely exploitable heap overflow in MS DNS on Server 2012R2 and later. Infosec, how are we not talking about this?!" It's a question worth asking.
This particular bug is a lot worse than Microsoft initially let on. Microsoft has listed the exploitability of this bug as "less likely", but that's misleading. Microsoft seems to list almost anything as "less likely" in newer OSes, and this is increasingly a problem for reliably assessing the true severity of a bug. This flaw, for example, is almost trivially exploited (just send a specially crafted DNS request), and could hypothetically result in an attacker gaining local system privileges. There are no known exploits for this flaw at the time of writing, but by the time you read this there almost certainly will be.
While the patch for this is included in the December ‘Patch Tuesday’ update, many systems running Microsoft DNS servers are not regularly rebooted. These include domain controllers, and internet-facing DNS servers. Right now, having an unpatched internet-facing Microsoft DNS server would be a very, very bad thing.
Countermeasure:
Patch and reboot all your windows DNS servers. If you have any DNS servers exposed to the internet, seriously consider front-ending them with something more secure. Review your internal processes for assessing the severity of Microsoft vulnerabilities, and seriously consider not trusting Microsoft's own assessment of the severity of their vulnerabilities.
You're not paranoid if they really are out to get you
China has been blamed for the Marriott data breach. Rumours are circulating that China is putting together a master database of information on foreign citizens. There are a few things to unpack here…
First off, China is absolutely doing this, and anyone who thinks otherwise hasn't learned anything from studying history. Knowledge is power, and data is the easiest path to knowledge in today's world. Secondly, China unquestionably isn’t the only ones doing this. If Snowden didn't teach us that, then there's no help for any of us.
Finally, every government engaged in this is unquestionably building these sorts of databases about their own citizens as well as those of foreign nations. Many large criminal organizations are known to have similar projects underway, several noted hackers and hacking collectives do this, and the world's largest organizations buy, sell, and analyse these sorts of databases on a daily basis. Google, Facebook, Twitter, et al.'s entire empires were built on this sort of data.
Never underestimate what's out there. A recent study found 40,000 credentials for government portals online, and everyone reading this Countermeasure newsletter is likely aware that this is only the tip of the iceberg. Combine databases of data about us, correlate that data using unique user names, e-mail addresses, etc., and you can quickly deduce many things about individuals.
Where do we stay when we travel? When do we travel? Which credit cards do we use to buy what things online? Whom do we buy them for? There are multiple valuable signals in that noise that can be used for everything from blackmail to defeating AI-based geographical login countermeasures for things like e-mail accounts.
Countermeasure:
Learn to search Shodan and other similar services for credentials that have been leaked. Regularly change the critical credentials. Use known-compromised credentials as honeypots. Consider automating the process by first checking to see what's out there, then changing credentials immediately thereafter (in case Shodan or similar services are compromised).
Regularly assess the potential impact of other data that has leaked. Consider changing up (or even randomizing) which hotels you put key personnel in, which car services they use, and have them regularly change their credit card numbers. Regularity and patterns make you a target, and the higher up the corporate ladder someone is, the more tempting a target they become. Disrupt your patterns to throw off attackers, and keep an eye out for someone trying to exploit previous patterns.
Tweet Threads to Check Out
The House oversight committee's Equifax breach report is analysed in this thread, and the entire thread is a must read. There are numerous valuable insights into both what went wrong at Equifax, and what went wrong in the oversight process:
"Equifax moved the IT security team out from under IT due to "fundamental disagreements." This is highlighted as a shortcoming in the report, but infosec shouldn't be under IT…" – Jake Williams (@Malware Jake)
Phishing occurs via SMS as well, as this thread demonstrates:
"Security tweet: This is what a fairly sophisticated phishing attempt looks like…" – CryptoJ0ules (@CryptoJ0ules)
Here we have a pair of threads about the Zurich / Mondelez case. This case promises to impact all of information security, regardless of result:
"The Zurich / Mondelez case is going to have implications for cyber insurance sales and where CISOs spend money. …" – Lesley Carhart (@hacks4pancakes)
"Zurich American Insurance is claimed to have rejected a claim of damages by NotPetya…" – Maarten Van Horenbeeck (@maartenvhb)
Quick Links
More CPU sidechannel attacks, and some android malware for you this week.
Move over Intel – here comes AMD – Lisa Wallace – State of Security
Android malware steals money from PayPal accounts while users watch helpless – Catalin Cimpanu - ZDNet
What's actually in Australia's encryption laws? Everything you need to know – Stilgherrian – ZDNet
Helpful Infosec Tools
Seriously, if you do anything infosec related, you need to bookmark everything here:
Offensive Security Bookmarks
Pentest Cheat Sheets
Even more pentest bookmarks
Payloads All The Things (Web Application Security attack code)
More pentest cheat sheets
Demiguise - HTA encryption tool (clever file type/content inspection bypass)
Shellcodes database for study cases
r3con1z3r Reconnaissance tool
Redteam Toolkit Essentials
Hat tip to @Trimsray for flagging up many of these tools in a tweet.
Additional Resources
@hackermaderas has assembled his infosec tweets into Twitter moments for easier consumption.
"Startups to watch" infographic.
"How do we detect a phishing email" infographic.