Defense
Active directory sits at the heart of most organisations and would be considered a crown jewel information system. Here we take a whirlwind tour of deploying and running Ping Castle, an active directory auditing and assessment tool.
Read more “Security Awareness Week – AD Audits using Ping Castle”
Defense
When a post starts like this:
“On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. In our previous blog post on this topic we warned that the vulnerability is ‘wormable’, and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” – https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/
“Microsoft is confident that an exploit exists for this vulnerability” Read more “CVE-2019-0708 – BlueKeep”
Defense
‘Red Teaming’ the latest phrase in the cyber security world that brings a shudder down my spine! Now don’t get me wrong, adversary simulation is awesome, it’s a great tool and when wielded correctly brings massive value to enhancing your security posture… but alas, they aren’t always deployed in a business aligned and value driven position.
They sound ‘sexy’ and any pentester is going to jump at the chance to do one, let alone the sales and marketing teams will be grinning as they will come in with higher revenue but also will increase their case study portfolio for delivered red teams! (I’m not knocking this, it’s the reality of doing business).
Having witnessed a number of these take place against organizations who I don’t feel are ready for them, I thought I would write a piece on things I would recommend having in place before conducting a ‘red team’ assessment. Read more “Things to do before you conduct a ‘red team’ assessment”
Defense
So, you have deployed Office 365, you’ve setup multi-factor authentication and deployed password managers so that your users can safely use MFA where it is supported but fall back to app passwords where it’s not. Great stuff… except by default you aren’t quite as secure as you would think!
Default Office365/Exchange Online Config
Now this is great for HTTP based communication methods. but email isn’t restricted to HTTP only. When we investigate the default deployment configuration we see that IMAP and POP3 are both enabled. The below screenshot shows the default mailbox feature configuration:
Now as we know, both IMAP and POP3 do not support a second or multi-factor authentication by default, so in the GUI you should disable those (unless you have a really specific business reason that means you MUST use these) Read more “Defending Office 365 against MFA bypass using IMAP”
Defense
Ok in this scenario we care going assume SQL login credentials (sqluser) are exposed and that firewall rules are wide (so we have layer 3 connectivity to the target).
We have loaded Metasploit and will be using the msssql_enum modue
Now that we have configured our target options we can run the module:
Defense
I was on Twitter the other day (when am I not? 😉) and a post caught me eye, an industry friend’s post caught my eye, challenging the audience to identify their location (specifically which station they are at!), this I thought might be a cool challenge. The first post below is from Paul (Gaming Works) which gives a limited amount of information and a nice image:
Read more “Using Open Source Intelligence in cool and scary ways”
Defense
Well with the year winding down you’ve probably seen that Microsoft just released an out of band security patch:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8653
CVE-2018-8653 is described as:
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”
Read more “Happy Bugmass 2019! Critical vulnerability patched”
Defense
Ok, so I ordered a Kensington VeriMark fingerprint reader to see how for a few British pounds (or whatever currency you use!) you can add fingerprint authentication to a Windows desktop in minutes!
So this is being conducted with 0 reading of docs (because it’s fun to research just how simple you can a) enable security or b) mess things up when you don’t RTFM!. The next step on my uncharted journey, I plugged in the device to a spare USB port and didn’t see a failed driver installation toast, so we are looking good (note the sensor is the largest rectangle surface on the device, not the one with a cool blue LED)
Now I hit the windows key and typed finger and Win10 prompted me for the settings pane (that was lucky!) Read more “Using Windows Hello to enable fingerprint authentication”
Defense
Yesterday I published a quick blog which looked at what we could do an out of the box Windows server to monitor file integrity and audit/alert upon actions such as modify or deletes. This is however rather clunks and not really for business use, so next stop the open source world! Today we are going to look at OSSEC! Now before some people go mad about security and open source…. OSSEC is used in Alien Vault’s solution, is compliant with PCI and is used worldwide by loads of organisations and universities etc. Open source tools and security go hand in hand, stop with your crazy talk! Now we’ve got that rant over with let’s get onto the fun business!
OSSEC is an open source host intrusion detection solution which we can use to upgrade our auditing and alerting solution to be more feature rich and provide a centralised solution, for more info on OSSEC please visit their website – https://www.ossec.net/ Read more “Upgrading our file integrity monitoring solution using open source technologies – Part 1”
Defense
In the wake the of the British Airways breach I thought I would shed some light on a technique to help detect and alert (help respond) to events that may affect critical business processes by modifying critical or sensitive files. We are going to start with a simple scenario using out of the box tools.
Windows Server comes with a number of security features including object access auditing, in this post we are going to take a brief look at enabling monitoring of sensitive data files. The example we are going to use are monitoring for changed to the web.config file used my .net web applications.
To start with in our example machine, we are going to need to enable audit object access either using local policy or preferably group policy (it should be noted you need to think about log volume, collection and retention/rotation). Read more “How to audit sensitive file changes using out of the box Windows Tools”
