Defense

How to audit sensitive file changes using out of…

Defending critical assets

In the wake the of the British Airways breach I thought I would shed some light on a technique to help detect and alert (help respond) to events that may affect critical business processes by modifying critical or sensitive files. We are going to start with a simple scenario using out of the box tools.

Auditing Critical Files

Windows Server comes with a number of security features including object access auditing, in this post we are going to take a brief look at enabling monitoring of sensitive data files. The example we are going to use are monitoring for changed to the web.config file used my .net web applications.

To start with in our example machine, we are going to need to enable audit object access either using local policy or preferably group policy (it should be noted you need to think about log volume, collection and retention/rotation). Read more “How to audit sensitive file changes using out of the box Windows Tools”

Breach

British Airways breach

Not what you want to see when you’ve just paid for a holiday!

As reported across major news networks over the world, British Airways has suffered a data breach that not only includes customer data but also includes payment details. Details from 380,000 customers have been accessed by an unauthorised third party. More details can be found on news sites such as:

https://www.theregister.co.uk/2018/09/06/british_airways_hacked/

https://www.bbc.com/news/uk-england-london-45440850

It’s likely that attackers have compromised a web service which is linked to payment services, however no specific details have been released yet so until then we can only speculate.

In this post we look at the information reported by British Airways, guidance for customers from BA, ourselves and NCSC but also we discuss the steps business’s should be taking to ensure they have a strong security posture, especially where customer data is concerned. Read more “British Airways breach”

Guides

My OSCP Diary – Week 1

A long time ago in a more civilised age

I’ve been working on the technology industry for the last 17 years, planning, designing, building and operating solutions since I was able to access the internet. I’ve been working the last 10 years as a consultant architect (across a number of domains) working with clients to understand their businesses, their technology needs, current deployments, gaps, road map and create solutions to enable their businesses, but you can’t do that if you introduce risks to businesses by creating unnecessary and unwanted security risks.

I’ve delivered services directly for and as part of a supply chain for a large range of organisation verticals from global media organisations, logistic firms, retail, telecommunications, media & entertainment through to local authorities, central government agencies, armed forces and the metropolitan police. Read more “My OSCP Diary – Week 1”

Defense

How to write a bad password policy!

The authentication dilemma

I’ve worked with a lot of organisations over the years and seen lots of ways of doing certain things. Policy implementation is one of those! I’m in a fortunate position where I get to see different people’s policy documents, their systemic implementations and even interview staff to see how these work on the ground. So, I thought I’d write about password policies!

Humans like to be efficient and people also struggle to deal with the huge volume of identify management and authentication solutions they are presented with. Just think, how many passwords are required in everyday life?

  • Multiple 4-digit PIN codes for debit and credit cards etc.
  • Online banking sign in credentials (more PINS)
  • Gym padlock PIN combo (usually 4 characters)
  • Passwords for home computer
  • PIN code or password for mobile phone access
  • Passwords of phrases for telephone services e.g. to access your mobile phone account services
  • Social media credentials

The list goes on and on! Then let’s add in corporate IT services….

Anyone who’s worked in an office will have seen familiar sites of the following:

  • Password on post it notes
  • Password shared with colleagues
  • Password sellotaped to keyboard (either on top or underneath)
  • Passwords shouted across the office
  • Passwords written down on white boards

Read more “How to write a bad password policy!”

Threat Intel

Threat Week 04-08-2018

Welcome to another threat update, this week we look at some interesting twitter dumpster fires and a highly targeted ransomware campaign

Unbackable wallets – would you trust your funds with this device?

You got root sir but that’s not a hack! The world turns upside-down and inside out when @cybergibbons and a band of hackers go on rage mode at the claims from John McAfee and BitFi that their wallet is un-hackable and the ‘restrictions’ placed on the bug bounty.

https://twitter.com/officialmcafee/status/1024385313966379010

Use a password manager, no really!

@ingnl caused some fun when they recommend not using password managers which went down well with the twitter infosec community. Just so everyone is aware, we recommend using a password manager.

Read more “Threat Week 04-08-2018”

Defense

Office 365 Attack Simulator Overview

Probably the most common attack vector!

Phishing is very likely the most common attack vector, in fact so common that the following stat is called out:

“a 2016 study reports that 91% of cyberattacks and the resulting data breach begin with a phishing email”

Setting up the Social Engineering toolkit or custom phishing solution takes a little time, luckily Microsoft have added in attack simulation features into Office 365! This let’s in house teams perform a range of simulated attacks in safe manner against your organisation. In this post we are going to run through the steps required to create and run a phishing attack simulation!

Read more “Office 365 Attack Simulator Overview”

Defense

A day out phishing

A common tactic for threat actors is to leverage weaknesses in human behaviour. Over the years a combination of poor configuration has led people to ‘click YES’ syndrome. A common vector for attackers is to send emails with document attachments using either embedded macros or abusing Office document OLE functionality.

Below we have a live sample of a phishing document. As you can see it’s been styled in a similar fashion to the Office user interface. Read more “A day out phishing”

Threat Intel

July Threat Update

Welcome to another Threat Week update, today we are going to look at some of the active threats in the wild and in the news.

Top Threats

Attack Vectors

Common attack vectors are still the usual suspects. Phishing, drive by infections, insecure internet exposed services (e.g. FTP, RDP, SSH, web services etc.) We’ve seen phishing attacks using legitimate services such as Zoho CRM to hijack their mail domain to bypass mail filters, so again good education plus technical controls are the best defence against these attacks.

Firewall Analysis

Xservus run a vulnerable lab which hosts honeypots, web services and is used to detect threats. The following graph showcases external threats detected. Read more “July Threat Update”

Hacking

Hail Hydra – RDP brute forcing with HYDRA

Securing services requires a broad range of knowledge of operating systems, networking, protocols and offensive capabilities. So I thought I would demonstrate some testing methods to show how a control is effective in blocking certain types of attack, so here’s some offensive and defensive guidance to limit RDP attacks. Please remember this is for educational purposes, do NOT break the law and only use these techniques where you have permission! #whitehat

Overview

This document provides a sample of the internal (white box) testing process and procedure for testing RDP controls against brute force attacks.

Test Objectives

  • Demonstrate only authorised users can access the service
  • Demonstrate Remote Desktop Services has a hardened configuration
  • Demonstrate a brute force attack

Method

  1. Scope Evaluation
  2. Testing
    1. Enumeration
    2. Vulnerably Assessment
    3. Exploitation
  3. Report Results

Read more “Hail Hydra – RDP brute forcing with HYDRA”

Reviews

Defending your cheque book as well as your endpoints

Since almost before time began (ok so 1974 – Rabbit) malware and viruses have existed on computers, since then the volume and level of sophistication of attacks has dramatically increased. You are no longer defending against viruses, you are defending against attacks from a whole range of threat actors. Aside from backups, antivirus is often one of the first and last lines of defence on systems, as such over the years a range of products and services have arisen (and far more opinions) in the antivirus space, so much so that now we have solution stacks named endpoint detection and response. So, to get to the point, the threat landscape is vast (this year alone there has been 6 million new malware samples discovered – https://www.av-test.org/en/statistics/malware/)

A new Superhero?

Windows defender was always an underdog in this space, if you google “Windows 10 defender reviews” you will see a range of star ratings such as, 3 out of 5, 2.5 out of 5, 2 out of five etc.

Security has never been more in focus with business, however there is always a driver to ensure costs are controlled and value is being added, so I thought I would write about Windows 10 defender and look at some of the reasons you may want to drop your 3rd party solution. Read more “Defending your cheque book as well as your endpoints”

Copyright (c) Xservus Limited