Text
So I’ve worked out I don’t want to be a pen tester...
But still want to study security...
Onward, I guess...
Text
Mildly frustrated by the speed throttling when using intruder on the community version of Burp Suite.
Occasionally more than mildly frustrated.
The number of times I’ve ignored it and made my own script because of this is more than I’d like. I think I’ve only used it to completion once because of how slow it sends out requests.
Text
Brute forced some usernames and passwords today (for a server with which I had permission to pen test) and got some flags. Feeling a little proud, but I think I’m missing a few more flags. Tried brute forcing for the page ID of a draft page, but after a bit of research, it seems that I might not be able to do that. Testing on the same platform, but different domain, I found that the platform redirects to the 404 page when trying to preview a draft page outside of the editor - which I am not allowed to access.
Oh well…
Text
Verbose error messages are a hacker’s best friend.
Text
I can’t imagine many of you have downloaded the Australian COVIDsafe app, but for those of you that did, please check to see if it needs any updates. There are security vulnerabilities in older versions that need to be patched. The app will likely not update itself as auto updates require the app to be inactive. Since the app works in the background most of the time, this may never happen.
Text
When you pixelate a photo, is that similar to a hash?
Text
Network IPS / IDS
Network Intrusion Protection/Detection Systems (IPS/IDS) are pretty cool. They are able to monitor all network traffic, inspecting packets in search of anomalies. This mainly uses the signatures of known threats and compares them to the packet's contents. A detection system only informs the business of the threat, whilst the protection system blocks the traffic if it is detected. Possible threats include malware traffic and scanning activity.
The logs provided by such a system include the packet data, session data, the action taken, and the source and destination IPs and ports. This is a large amount of data, and it is quite informative for a security operations team.
A stronger security posture would use an IPS, but practically, if traffic is constantly being stopped, this can delay business. And if a business is delayed, it is effectively losing money, so many enterprises opt for an IDS, which only informs the security team of all potentially malicious traffic rather than completely blocking or dropping it. At least, if you are informed, you are still able to respond.
Monitoring the detections and decisions of the system informs the company of their specific threat landscape. If a threat is detected in the analysis of another security system, the IPS/IDS logs can provide much more detailed information on what that threat is doing, even if the system itself didn't detect and respond to that activity.
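To make the detect-versus-block distinction and the log fields concrete, here is an added toy sensor in Python. It is not code from the post or from any real IDS/IPS product: the packets, the two content signatures, the port-sweep threshold and the addresses are all constructed for illustration. In "ids" mode every packet is forwarded and matches are only logged; in "ips" mode matches are logged and dropped.

```python
"""Toy signature-based network sensor (added example, not the post's code).

Assumptions, all constructed for illustration: packets are small dataclasses,
the signature list is hand-written, and in "ips" mode "blocking" simply means
the packet is not forwarded. A real IDS/IPS reassembles streams, decodes
protocols and ships far larger rule sets; this only shows the decision and
logging flow described in the post."""
from dataclasses import dataclass, field

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

# Constructed content signatures (name, byte pattern); not real rule syntax.
SIGNATURES = [
    ("sqli-union", b"UNION SELECT"),
    ("webshell-probe", b"cmd.exe"),
]
SCAN_PORT_THRESHOLD = 5  # distinct destination ports from one source to one host

@dataclass
class Sensor:
    mode: str                               # "ids" = alert only, "ips" = alert and drop
    logs: list = field(default_factory=list)
    _sessions: dict = field(default_factory=dict)
    _ports_seen: dict = field(default_factory=dict)

    def _session_id(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return self._sessions.setdefault(key, len(self._sessions) + 1)

    def inspect(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        hits = [name for name, pattern in SIGNATURES if pattern in pkt.payload]
        # Scanning activity: one source touching many ports on one host.
        ports = self._ports_seen.setdefault((pkt.src_ip, pkt.dst_ip), set())
        ports.add(pkt.dst_port)
        if len(ports) >= SCAN_PORT_THRESHOLD:
            hits.append("port-scan")
        if not hits:
            return True
        action = "drop" if self.mode == "ips" else "alert"
        # Log record with the fields the post lists: packet data, session,
        # action taken, and source/destination addresses and ports.
        self.logs.append({
            "session": self._session_id(pkt),
            "src": f"{pkt.src_ip}:{pkt.src_port}",
            "dst": f"{pkt.dst_ip}:{pkt.dst_port}",
            "signatures": hits,
            "action": action,
            "payload": pkt.payload[:64],
        })
        return action != "drop"

def sample_traffic():
    """Constructed packets: one benign request, one SQL injection probe,
    and a five-port sweep from a second host (addresses are examples only)."""
    pkts = [
        Packet("10.0.0.5", 40000, "10.0.0.10", 80, b"GET / HTTP/1.1\r\n"),
        Packet("10.0.0.5", 40001, "10.0.0.10", 80, b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1\r\n"),
    ]
    for port in (21, 22, 23, 25, 80):
        pkts.append(Packet("192.0.2.7", 51000, "10.0.0.10", port, b"\x00"))
    return pkts

def run_sample(mode):
    """Run the constructed traffic through a sensor; return (forwarded count, logs)."""
    sensor = Sensor(mode)
    forwarded = sum(1 for pkt in sample_traffic() if sensor.inspect(pkt))
    return forwarded, sensor.logs

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        forwarded, logs = run_sample(mode)
        print(mode, "forwarded", forwarded, "of 7")
        for entry in logs:
            print("  ", entry["action"], entry["src"], "->", entry["dst"], entry["signatures"])
```

Running it shows the trade-off from the post directly: the IDS sensor forwards all seven packets and raises two alerts, while the IPS sensor raises the same two alerts but forwards only five packets, because the injection probe and the final sweep packet are dropped.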
Quote
...crowd sourced information is only as good as the data that goes into it...
Dick O'Brien - Symantec Cyber Security Brief
"...and we should be always on the lookout for attempts to manipulate it.”
Text
Domain Controllers
Domain controllers (DC) are the gatekeepers to servers and resources found on a network. End users must be authenticated through the domain controller, providing their username and password, before then accessing these resources. Within the DC, it is determined what each user is allowed to access. Usually this limits the amount a user can see, but it can also grant high privileges to users, allowing them to access all the resources it gate-keeps.
This device is a major target of attacks, since if you can corrupt the DC so that it believes you have access to everything, it will let you through to the protected resources on the network.
Logging all the access attempts means that security will be able to identify which users are attempting to access the network and whether they succeeded. Users that fail to enter the correct password within a specified number of attempts can have their access locked temporarily until the user's identity can be confirmed elsewhere.
This needs to be watched for irregular behaviour. This could be users accessing the domain controller at strange times or from unrecognised IPs to users failing to enter the password correctly regularly, even if spaced out. This activity can then be correlated with other security device logs to recognise and address threats.
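The two monitoring ideas above, temporary lockout after repeated failures and flagging irregular sign-ins, can be shown on a handful of log events. The following is an added Python example, not the post's code and not any real domain controller's logic; the lockout policy, the "recognised" address prefix, the working hours and the sample events are all constructed placeholders.

```python
"""Domain-controller sign-in monitoring (added example, not the post's code).

Everything here is constructed for illustration: the lockout policy, the
recognised address range, the working hours and the sample events. A real DC
emits Windows security events; this only shows the two ideas in the post,
temporary lockout after repeated failures and flagging irregular sign-ins."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy values (placeholders, not any real domain's settings).
LOCKOUT_THRESHOLD = 3                    # failures inside the window -> lockout
LOCKOUT_WINDOW = timedelta(minutes=15)   # failures older than this are forgotten
KNOWN_PREFIX = "10.0."                   # addresses treated as recognised
WORK_HOURS = range(7, 20)                # 07:00-19:59

# Constructed sample events: (timestamp, user, source_ip, result).
EVENTS = [
    ("2020-03-02T03:12:00", "alice", "203.0.113.9", "success"),  # odd hour, unknown IP
    ("2020-03-02T09:01:00", "alice", "10.0.1.20", "success"),
    ("2020-03-02T09:05:00", "bob", "10.0.1.21", "failure"),
    ("2020-03-02T09:06:00", "bob", "10.0.1.21", "failure"),
    ("2020-03-02T09:07:00", "bob", "10.0.1.21", "failure"),     # third within 15 min
    ("2020-03-02T09:08:00", "bob", "10.0.1.21", "success"),     # arrives while locked
    ("2020-03-03T10:00:00", "carol", "10.0.1.30", "failure"),
    ("2020-03-04T10:00:00", "carol", "10.0.1.30", "failure"),
    ("2020-03-05T10:00:00", "carol", "10.0.1.30", "failure"),   # spaced-out failures
]

def analyse(events=EVENTS, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return (alerts, locked_users). Each alert is (user, kind, timestamp)."""
    recent = defaultdict(list)      # recent failure times per user
    total = defaultdict(int)        # failures per user over the whole period
    last_failure = {}
    locked = set()
    alerts = []
    for ts, user, ip, result in sorted(events):
        t = datetime.fromisoformat(ts)
        if user in locked:
            # Locked accounts stay locked until identity is confirmed elsewhere.
            alerts.append((user, "attempt-while-locked", ts))
            continue
        if result == "failure":
            total[user] += 1
            last_failure[user] = ts
            recent[user] = [x for x in recent[user] if t - x <= window] + [t]
            if len(recent[user]) >= threshold:
                locked.add(user)
                alerts.append((user, "lockout", ts))
            continue
        recent[user].clear()        # a correct password resets the burst counter
        if t.hour not in WORK_HOURS:
            alerts.append((user, "off-hours", ts))
        if not ip.startswith(KNOWN_PREFIX):
            alerts.append((user, "unrecognised-ip", ts))
    # Spaced-out failures never trip the lockout window but still deserve a look.
    for user, n in total.items():
        if n >= threshold and user not in locked:
            alerts.append((user, "slow-failures", last_failure[user]))
    return alerts, locked

if __name__ == "__main__":
    alerts, locked = analyse()
    for user, kind, ts in alerts:
        print(f"{ts} {user:6} {kind}")
    print("locked:", sorted(locked))
```

On the constructed events this locks bob after three failures in a few minutes, flags his next attempt as arriving while locked, flags alice's 03:12 sign-in from an unrecognised address as both off-hours and unrecognised-ip, and raises a slow-failures alert for carol, whose three failures are a day apart and would never trigger the lockout window on their own.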
Text
Endpoint Protection
So, I'm feeling lazy about actually putting this in blog speak. So here's my short write up.
Endpoint Protection is an enterprise security solution which addresses malware, like anti-viruses, but also covers a wider scope, allowing for centralised security management, data encryption, and data access hierarchies. This is important since companies have a much wider array of endpoints that need to be defended. Commonly these include PCs, workstations, tablets, smart phones, and servers.
Endpoint security also makes sure to defend against internal threats. Physical ports on devices could have a USB mouse inserted, which should work as expected. However, if a USB drive is inserted into a server port, it is likely that you don't want the server to interact with the drive and lose potentially sensitive data.
Endpoints can also be vulnerable if their software is outdated, since they may have known vulnerabilities. An endpoint security management system allows for software patches to be made to all devices connected to the network at once, removing these known vulnerabilities.
Just like anti-virus software, endpoint protection needs to be monitored and maintained. This security solution provides file signatures and, combined with other security solutions, can help recognise where attacks have come from and what their intent was. Recognising the kind of malware attacks being made on the company can help when designing the security architecture of the company.
Text
A great tip for sysadmins and developers ;)
Text
Anti Viruseseses
So I did some reading up on Anti-Viruses...
Anti-Virus software (AV) is a consumer-based security solution installed on devices. This software scans the computer and computing activities for malware. Upon detection, it can either quarantine or remove the malicious software. Anti-virus software can also check newly downloaded malware, preventing the malware from ever executing.
AV works by checking the signatures of files, searching for digital code known to be malware. Once detected, the threat is then shared with an anti-virus database. AV can also check the behaviour of programs. For example, it would get suspicious of programs that attempt to stop its processes, initialise on startup, or attempt to download payloads without direction from the user, especially if it is from a suspicious domain.
Some machine learning or a heuristic algorithm is used to compare software with known malware. When a new malware shares a partial signature with known malware, it can be identified and handled. If it behaves suspiciously, it is likely to be quarantined. If confirmed as malware, the AV can update its database to include the new malware.
Obviously it can run mostly on its own, but you do need to check the quarantine now and again when it prompts you. And if there is something worse on your computer, the logs that the AV provides can help determine where that point of entry was, even if it couldn't completely prevent it. Generally AVs will be slightly overcautious, making them more likely to quarantine something acceptable, but this means it is less likely to miss malware it should quarantine.
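The three checks described above (exact signature, partial match against known malware, and behaviour) fit in a small decision function. This is an added Python example, not the post's code and not how any real AV product is built: the "known malware" bytes are fake, the n-gram similarity used as the partial signature is a stand-in for a real heuristic, and the behaviour weights and thresholds are constructed.

```python
"""Anti-virus decision logic (added example, not the post's code).

The known-malware corpus, the n-gram similarity threshold and the behaviour
weights are all constructed for illustration; no real sample or product is
represented. It shows the three checks the post describes: an exact signature
match, a partial match against known malware, and suspicious behaviour."""
import hashlib

# Constructed stand-in for a signature database (fake bytes, not real malware).
KNOWN_MALWARE = {
    "dropper-a": b"MZ\x90\x00evil-dropper-v1-stage2-download-http://bad.example/x",
}
KNOWN_HASHES = {hashlib.sha256(data).hexdigest(): name for name, data in KNOWN_MALWARE.items()}

def ngrams(data, n=8):
    """Set of overlapping n-byte windows; a crude stand-in for a partial signature."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

KNOWN_NGRAMS = {name: ngrams(data) for name, data in KNOWN_MALWARE.items()}

# Constructed behaviour weights, mirroring the behaviours the post mentions.
BEHAVIOUR_WEIGHTS = {
    "kills_av_process": 3,
    "autostart": 1,
    "downloads_payload": 2,
    "suspicious_domain": 2,
}
BEHAVIOUR_THRESHOLD = 3    # score at or above this is quarantined
PARTIAL_THRESHOLD = 0.5    # share of a known sample's n-grams that must reappear

def scan(sample, behaviours=()):
    """Return (verdict, reasons); verdict is 'remove', 'quarantine' or 'clean'."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in KNOWN_HASHES:
        # Exact signature hit: confirmed malware, remove outright.
        return "remove", [f"exact:{KNOWN_HASHES[digest]}"]
    reasons = []
    grams = ngrams(sample)
    for name, known in KNOWN_NGRAMS.items():
        if len(grams & known) / len(known) >= PARTIAL_THRESHOLD:
            reasons.append(f"partial:{name}")
    score = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in behaviours)
    if score >= BEHAVIOUR_THRESHOLD:
        reasons.append(f"behaviour:{score}")
    # Overcautious by design: any single reason is enough to quarantine.
    return ("quarantine", reasons) if reasons else ("clean", [])

def learn(name, sample):
    """Once a quarantined sample is confirmed, add it to the local database."""
    KNOWN_MALWARE[name] = sample
    KNOWN_HASHES[hashlib.sha256(sample).hexdigest()] = name
    KNOWN_NGRAMS[name] = ngrams(sample)

if __name__ == "__main__":
    variant = b"MZ\x90\x00evil-dropper-v2-stage2-download-http://bad.example/y"
    print(scan(KNOWN_MALWARE["dropper-a"]))
    print(scan(variant))
    print(scan(b"MZ\x90\x00hello, harmless program here", ("autostart",)))
    print(scan(b"some unrelated bytes", ("kills_av_process", "downloads_payload")))
```

The variant with a changed version string and URL shares most of its 8-byte windows with the known sample, so it is quarantined on the partial match even though its hash is new; a harmless program that merely registers for autostart scores below the behaviour threshold and stays clean; and once learn() records a confirmed sample, the next scan of it returns "remove".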
If you don't have one... go get one. There's a bunch of free ones to choose from.
Text
strcmp() in PHP
I’m currently working my way through the games at Over The Wire. I came across a challenge where I needed strcmp() to return 0, since it was being used to match a password. 
So I went and looked up the function and came across this website.
There are a few ways to get a false match, but most were out of the scope of the challenge, since I was sending strings. If I could send an array that would be great, but I couldn’t figure out how to do that.
That’s where this blog came in. Just a simple set of brackets made the variable send as if it was an array. Yes, there was an error, but it still passed the if statement. 
So to send an empty array through your browser:
domain.com/?var1[]=
Text
Inconvenience
If you haven't heard, it rained recently in NSW, Australia. More accurately it stormed. Which was wonderful since we were in drought and lots of it went into dams, but did have some repercussions. A bunch of trees fell knocking out power and phone lines, damaging property, and flooding streets. Just so you know, traffic has been a nightmare, but the train line improved in my area since everyone was avoiding it after the first day.
I take the train in and out of the city during the work week. I walk to my local station using some pedestrian only paths. Being pedestrian only, when a massive gum tree falls and blocks the path, it's a low priority for the city to remove when trees are falling everywhere else. This gum uprooted a little bit of the curb, pulled down some wires, and smashed through someone's roof. It probably had a trunk that was at least a metre in diameter and taller than I can reasonably estimate. Massive.
So the Fire and Rescue set up some tape to limit access to the area. Not great for my commute since that route to the station is up to 5 minutes faster than other routes, and if you forget and end up at the blockage, you would lose 10 minutes having to back track. So of course, the people that end up at the tree tried to find another way.
As it was, if you ducked the tape in the park rather than on the path and hopped over a median to an adjacent street, you could duck through the V of a large branch and walk around the tree's roots. But when you went through that branch, you also had to duck some wires tangled with the outer branches. This would be the real reason why there was Fire and Rescue tape. After two days, I stopped caring about the risk, and continued with my normal route with that small detour.
All of that was to say, if safety and security becomes too inconvenient, it just gets ignored. I definitely wasn't the only person using this route. This risk seemed pretty low, so lots of people took it, but that's not a great security posture to have.
On the brighter side, I saw workers at the tree earlier, and it seems like it's gonna be gone soon, so we can get back to the pedestrian path.
Photo
People Are Jailbreaking Used Teslas to Get the Features They Expect https://ift.tt/2OMJLGV
Text
DNS
Domain Name Servers provide the IP address for a requested domain in a URL. This is necessary because routers use the IP to find these web servers and other devices, and don't know what domains belong to each URL. Routers have been programmed this way to reduce their load and delay so that internet traffic flows more easily. But this means the URLs that people supply need to be translated into these IPs.
Having a DNS within a business allows for the internal IP addresses to be kept private. Not waiting for a public DNS can also improve response time of requests. Setting up your own DNS can also allow for content filtering and malware blocking. This content filtering can include advertisements, making for a cleaner browsing experience.
I personally set up a pi-hole on a raspberry pi which pretends to be a DNS, checking if a URL is on a blacklist (of advertisements), and saying that the URL doesn't exist, and if it's not blacklisted, it forwards the request to a public DNS. This only works when I'm on that network though, since it is listed on a private IP address. (Combine that with uBlock origin and you are all set for ads.)
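The resolver behaviour described in this post (answer "doesn't exist" for blocklisted names, otherwise forward to a public DNS, and cache answers so repeats are served locally) is small enough to show in full. What follows is an added Python example, not pi-hole's code and not from the post; the blocklist, the stand-in upstream resolver and the addresses are constructed, and no network traffic is sent. One detail worth noticing is that the blocklist check matches on whole labels, so a listed "ads.example" blocks "banner.ads.example" but not "notads.example".

```python
"""Blocklist-filtering DNS resolver logic (added example, not pi-hole's code).

The blocklist, the stand-in upstream resolver and the addresses are
constructed; no network traffic is made. It shows the flow the post
describes: NXDOMAIN for blocklisted names, otherwise forward to a public
resolver, with a cache so repeated queries are answered locally."""

# Constructed blocklist: a listed name and every subdomain of it is blocked.
BLOCKLIST = {"ads.example", "tracker.example.net"}

# Constructed stand-in for a public upstream resolver (documentation addresses).
UPSTREAM_RECORDS = {
    "example.com": "192.0.2.10",
    "notads.example": "192.0.2.20",   # must NOT be caught by "ads.example"
}

def is_blocked(name, blocklist=BLOCKLIST):
    """Match on whole labels, so 'notads.example' is not caught by 'ads.example'."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

class Resolver:
    def __init__(self, upstream=UPSTREAM_RECORDS, blocklist=BLOCKLIST):
        self.upstream = upstream
        self.blocklist = blocklist
        self.cache = {}
        self.stats = {"blocked": 0, "cached": 0, "forwarded": 0}

    def resolve(self, name):
        """Return (status, address, source); status is 'NOERROR' or 'NXDOMAIN'."""
        name = name.rstrip(".").lower()
        if is_blocked(name, self.blocklist):
            # Tell the client the name does not exist; the ad never loads.
            self.stats["blocked"] += 1
            return "NXDOMAIN", None, "blocklist"
        if name in self.cache:
            self.stats["cached"] += 1
            return "NOERROR", self.cache[name], "cache"
        self.stats["forwarded"] += 1
        address = self.upstream.get(name)     # stands in for a real forwarded query
        if address is None:
            return "NXDOMAIN", None, "upstream"
        self.cache[name] = address
        return "NOERROR", address, "upstream"

if __name__ == "__main__":
    resolver = Resolver()
    for query in ("ads.example", "banner.ads.example.", "notads.example",
                  "example.com", "EXAMPLE.com", "missing.example"):
        print(f"{query:22} -> {resolver.resolve(query)}")
    print(resolver.stats)
```

The stats counter is the same kind of information a pi-hole dashboard shows: how many queries were blocked, how many were answered from cache, and how many actually had to leave the network.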
Video
Fixing bugs in production…