Sunday, May 19, 2019

2019-019-Securing your RDP and ElasticSearch, InfoSec Campout news


https://static1.squarespace.com/static/556340ece4b0869396f21099/t/5cc9ff79c830253749527277/1556742010186/Red+Team+Practice+Lead.pdf


https://www.reddit.com/r/netsec/comments/bonwil/prevent_a_worm_by_updating_remote_desktop/

 

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

https://security.berkeley.edu/resources/best-practices-how-articles/system-application-security/securing-remote-desktop-rdp-system



https://www.bleepingcomputer.com/news/security/unsecured-survey-database-exposes-info-of-8-million-people/

https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html

https://www.elastic.co/blog/found-elasticsearch-security

https://dzone.com/articles/securing-your-elasticsearch-cluster-properly

Auth is possible, using reverse proxy… this is basic auth :( https://github.com/Asquera/elasticsearch-http-basic

 

Here’s one that uses basic auth and LDAP: https://mapr.com/blog/how-secure-elasticsearch-and-kibana/

2fa setup: https://www.elastic.co/guide/en/cloud/current/ec-account-security.html

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Sunday, May 5, 2019

2019-017-K8s Security, Kamus, interview with Omer Levi Hevroni


K8s security with Omer Levi Hevroni (@omerlh)

 

service tickets -

Super-Dev

 

Omer’s requirements for storing secrets:

 

Gitops enabled

Kubernetes Native

Secure

    “One-way encryption”

 

Omer’s slides and youtube video:

https://www.slideshare.net/SolutoTLV/can-kubernetes-keep-a-secret

https://www.youtube.com/watch?v=FoM3u8G99pc&&index=14&t=0s

 

We’ve all experienced it: you’re working on a task, adding some code, and then you need to store some sensitive configuration value. It could be an API key, client secret or an encryption key ― something that’s highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is highly coupled with how the code is deployed, and different platforms have different solutions. Kubernetes has a promise to simplify this process by using the native secret object, which, as the name implies, can be used to store secrets or sensitive configurations. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely have some issues. But no need to worry ― there are solid alternatives for storing secrets securely on Kubernetes platform. One solution is to use Kamus, an open-source, git-ops solution, that created by Soluto, for managing secrets on Kubernetes. Kamus can encrypt a secret so it can be decrypted only by your app on runtime - and not by anyone else. The first part of this session will cover the challenges faced when using Kubernetes secrets (from a usability and security point of view). The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others), their pros, and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can’t). The talk will cover all that is required to know so you can run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster than can keep a secret ― for real. Speakers Omer Levi Hevroni

 

Kubernetes Secrets

    Bad, because manifest files hold the user/password, and are encoded in Base64

        Could be uploaded to git = super bad

https://kubernetes.io/docs/concepts/configuration/secret/

https://docs.travis-ci.com/user/encryption-keys/

 

Kamus threat model on Github: https://kamus.soluto.io/docs/threatmodeling/threats_controls/

https://medium.com/@BoweiHan/an-introduction-to-serverless-and-faas-functions-as-a-service-fb5cec0417b2

    FaaS is a relatively new concept that was first made available in 2014 by hook.io and is now implemented in services such as AWS Lambda, Google Cloud Functions, IBM OpenWhisk and Microsoft Azure Functions.”

Best practices: https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

https://github.com/owasp-cloud-security/owasp-cloud-security

https://www.omerlh.info/2019/01/19/threat-modeling-as-code/

https://telaviv.appsecglobal.org/

 

https://github.com/Soluto/kamus

 

https://kamus.soluto.io

 

Infosec Campout = www.infoseccampout.com


Here is a new episode of Brakeing Down Security Podcast!

Sunday, April 28, 2019

2019-016-Conference announcement, and password spray defense


Agenda:

 

Announce the conference

CFP: up soon

CFW: up soon

Campers: Friday night/Saturday night

    Like “toorcamp”, but if it sucks, you can drive home… :D

 

Limiting tickets, looking for sponsors

To support the conference and future initiatives:

“Infosec Education Foundation”

    501c3 non-profit (we are working on the charity part)

 

www.infoseccampout.com

Password spraying

https://github.com/dafthack/DomainPasswordSpray

 

Stories:

 

https://blog.stealthbits.com/using-stealthdefend-to-defend-against-password-spraying/

 

http://blog.quadrasystems.net/post/password-spray-attacks-and-four-sure-steps-to-disrupt-them

 

https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing

 

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/simplifying-password-spraying/

 

Detecting one to many…..and at what point/threshold during an attack would it be a PITA for the redteam to slow down to

 

Annoying NXLog CE limitation

 

Log-MD can help detect?  Yep

 

CTF Club is happening again

    Pinkie Pie is running it.

    Saturdays at 2 -3 pm

 

 


Here is a new episode of Brakeing Down Security Podcast!

Sunday, April 21, 2019

2019-015-Kevin_johnson-incident_response_aftermath


Announcements:

https://www.workshopcon.com/

    SpecterOps (red Team operations) and Tim Tomes (PWAPT)

 

Bsides Nashville

 

https://blog.secureideas.com/2019/04/we-take-security-seriously-and-other-trite-statements.html

 

“We take security seriously and other trite statements“

 

Wordpress infrastructure (supply chain failure)

    WordPress plugin called Woocommerce was at fault.

    Vuln late last year: https://www.bleepingcomputer.com/news/security/wordpress-design-flaw-woocommerce-vulnerability-leads-to-site-takeover/

    “According to new research by Simon Scannell, a researcher for PHP Security firm RIPS Tech, when WooCommerce is installed it will create a Shop Manager role that has the "edit_users" WordPress capability/permission. This capability allows users to edit ANY WordPress user, including the Administrator account.”

 

https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/

 

You (Kevin) discovered the admin accounts, but could not remove them. Was that when you considered this an ‘incident’?

 

Timeline:
[2019-03-22 09:03 EST] Kevin assigns members of the Secure Ideas team with reconnaissance and mapping of the AoM system. Kevin reminds these members that Secure Ideas doesn’t have permission to test AoM. They are advised not to do anything that could harm the AoM’s production environment.”

    What is the line they should not cross in this case?

 

You did not have access to logs, you asked that an audit plugin be installed to be able to view logs. Is that permanent, and why did they not allow access to logs prior to?

 

[2019-03-22 13:11 EST] AoM Support fixes the audit log plugin access. AoM Support has found that a purchase of a course through a Woocommerce plugin resulted in users being granted admin access. AoM Support provides specific order numbers. They have also done an analysis of the database backups from the last 60 days and believe that the attackers did not do anything after they got access. AoM Support announces that the Secure Ideas training site will be set up on a separate server and Secure Ideas will be granted a new level of access.

 

Seems like working with AoM wasn’t difficult. Was giving you access to your own instance, and allowing you to administer it a big deal for them?

 

Lessons Learned? Anything you’d do differently next time?

    Update IR plan?

    Did they reach out for additional testing?

    Did the people who got admin get removed?

    Consult with AoM on better security implementation? Your env wasn’t damaged, but did they suffer issues with other customers? *answered*

 

https://www.wordfence.com/

 

https://en.wikipedia.org/wiki/Gremlins

 

Gas Station skimmer video - https://www.facebook.com/michellepedraza.journalist/videos/2135141863465247/

 

https://www.helpnetsecurity.com/2019/04/12/cybersecurity-incident-response-plan/

https://www.guardicore.com/2018/11/security-incident-response-plan/

 

https://www.zdnet.com/article/security-risks-of-multi-tenancy/

 

Upcoming SI events

IANS forum (Wash DC)

ShowmeCon

Webcasts

ISC2 security Congress (Wash DC)

 

Patreon

Slack

Twitter handles

iTunes

Google

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 


Here is a new episode of Brakeing Down Security Podcast!

Sunday, April 14, 2019

2019-014-Tesla fails encryption, Albany and Sammamish ransomware attacks.


Announcements:
WorkshopCon Training with SpecterOps and Tim Tomes

www.workshopcon.com

redteam operations with SpecterOps

PWAPT with Tim Tomes

 

Source Boston: [Boston, MA 2019 (April 29 – May 3, 2019) (https://sourceconference.com/events/boston19/)Trainings: April 29 - April 30, 2019 | Conference: May 1 - 3, 2019

 

Cybernauts CTF meetup in Austin Texas at Indeed offices, 23 April at 5pm Central time.



https://nakedsecurity.sophos.com/2019/04/02/wrecked-teslas-hang-onto-your-unencrypted-data/

 

My last car sync’ed the contact list.

Video is a different story, but safety for the vehicle and owner, they’ll probably continue to store it.

Telemetry data is for changing road conditions, navigation, etc

Enable encryption at rest… or pop a fuse to scram the data when/if an accident is detected

    Level of difficulty, no fuse, requires hardware upgrade

    Encryption at rest, ensuring HTTPS on all incoming/outgoing.

 

https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/

    Annoying “do you want notifications from this site?”

    Like an annoying RSS feed… ‘Hey, we added a new banner ad!’


https://www.phoronix.com/scan.php?page=news_item&px=Linux-Improve-CPU-Spec-Switches

    Why add the switches to allow vulnerabilities?

    Slippery slope  --disable-dirtycow?

 

https://www.bleepingcomputer.com/ransomware/decryptor/planetary-ransomware-decryptor-gets-your-files-back-for-free/

 

https://www.wamc.org/post/details-still-few-city-albany-s-ransomware-attack

Threat intelligence and software detections…

Got an email… *Story Time from Mr. Boettcher*

Twitter: why do companies not allow copy/paste in password fields? Tesla


Here is a new episode of Brakeing Down Security Podcast!

Sunday, April 7, 2019

2019-013-ASVSv4 discussion with Daniel Cuthbert and Jim Manico - Part 2


Announcements:

SpecterOps and Tim Tomes are giving training at WorkshopCon https://www.workshopcon.com

Rob Cheyne Source Boston - https://sourceconference.com/events/boston19/

Austin Cybernauts meetup - https://www.eventbrite.com/e/cybernauts-ctf-meetup-indeed-tickets-58816141663

SHOW NOTES:

Architecture is not an implementation, but a way of thinking about a problem that has potentially many different answers, and no one single "correct" answer.

https://github.com/OWASP/ASVS

“is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. “

 

#ASVS team:

  • Daniel Cuthbert @dcuthbert
  • Andrew van der Stock
  • Jim Manico @manicode
  • Mark Burnett
  • Josh C Grossman

 

https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf

https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx

 

https://drive.google.com/file/d/17-NDN7TWdC-vZLbsKkkBFhrYmUhF6907/view?usp=sharing

 

https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf - old version

http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3  - Older BrakeSec Episode

 

ASVS Page 14 - “If developers had invested in a single, secure identity provider model, such as SAML federated identity, the identity provider could be updated to incorporate new requirements such as NIST 800-63 compliance, while not changing the interfaces of the original application. If many applications shared the same security architecture and thus that same component, they all benefit from this upgrade at once. However, SAML will not always remain as the best or most suitable authentication solution - it might need to be swapped out for other solutions as requirements change. Changes like this are either complicated, so costly as to necessitate a complete re-write, or outright impossible without security architecture.”

 

What are the biggest differences between V3 and V4?


Why was a change needed? 

https://xkcd.com/936/ - famous XKCD password comic

David Cybuck: Appendix C:  IoT

    Why was this added?

    These controls are in addition to all the other ASVS controls?

How do they see section 1 architecture and section 14, configuration --- in the context of rapid deployment, infrastructure as code, containerization.

 

You added IoT, but not ICS or SCADA?

    https://www.owasp.org/index.php/OWASP_ICS_/_SCADA_Security_Project

 

BrakeSec IoT Top 10 discussion:

http://traffic.libsyn.com/brakeingsecurity/2019-001.mp3

http://traffic.libsyn.com/brakeingsecurity/2019-002-aaron_guzman_pt2.mp3

 

Seems incomplete… (Section 1.13 “API”)

    Will this be added later?

    What is needed to fill that in? (manpower, SME’s, etc?)

 

3 levels of protection… why have levels at all?

    Why shouldn’t everyone be at Level 3?

    I just don’t like the term ‘bare minimum’ (level 1)--brbr

 

Threat modeling blog (leviathan): https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling

Adam Shostack ThreatModeling Book: https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998

https://www.owasp.org/images/archive/6/65/20170626175919!TM-Lessons-Star-Wars-May-2017.pdf

https://www.youtube.com/watch?v=2C7mNr5WMjA

Cost to get to L2? L3?

https://manicode.com/ secure coding education

 

https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!