Currently my favorite city in the USA is Riviera Beach, Florida. The story is wonderful (pastebin for those who have problems with access to the site). The city administration was paralyzed by #cryptolocker, because some employee of the local police department clicked on a malicious link in an email. And of course there were no backups. The situation is ordinary. But the decision is rather unusual: the city council decided to pay a ransom of $600,000 in Bitcoins to get their data back. Without any guarantee that the data will be decrypted and against the direct recommendations of the FBI.
There are no technical details, but if multiple servers were affected there should be problems with network segmentation and unpatched servers (probably the lack of the MS17-010 patch). But none of these problems were mentioned in the media. In the media, council representatives say they need to buy new desktops, laptops and a backup system. With such an attitude, it probably won't be the last time they encounter such problems.
And, of course, the most intriguing question is whether or not they will pay the ransom and get the decryption key. If they spend so much money for nothing, it will be legendary!
PS: An interesting fact is that they actually bought a new backup system before the incident for $798,419, but it was not deployed on time. #ransomware
The vulnerability detection plugin vulners.nse is now part of Nmap. The most famous network scanner in the world! Officially! It took two years since the initial plugin release. Congratulations to the #Vulners Team! Great job!
Everything that I wrote earlier about the new behavior of #Nessus 8.5 after the license expiration turned out to be true.
#Tenable also edited the GUI a little bit. They separated Report (HTML and CSV) and Export (Nessus v2 XML and Nessus DB). Now you can make a report for selected hosts or vulnerabilities in a more natural way. They also added these cool buttons to the scan results pages (they may have been added some versions before, but I didn't notice): you can snooze a vulnerability for some time, edit its criticality or even delete an entire host from the scan. And all this you can do for several selected vulnerabilities and hosts. Pretty cool.
They also switched off the limits for Host Discovery scans in Nessus Pro Eval and Nessus Essentials (!!). Well, for Nessus Pro Eval it's not so great, because we remember the time when there were no limits in the trial version at all. But it makes the free Nessus Essentials much more useful for organizations.
A few words about the Reuters "Yandex was hacked" article.
1. It is rather sad that a modern journalistic investigation may be based on some information from 4 anonymous sources without any proof. The only interesting details are: Western intelligence (yep, once again) as the attacker, Regin malware as the tool, network access for several weeks as the result, user authentication methods in the Yandex Email service as the goal. The representative of Yandex responded like "there was an attack at the end of 2018, but our IT security guys successfully dealt with it". So, there is nothing to discuss in any serious way.
2. It seems meaningless to spend so many resources on hacking a free Email service. On the other hand, as we have seen from the scandalous email leaks, important communication in Russia can really be conducted through the free email services Yandex.ru and Mail.ru, and even without any encryption. I won't give any examples, but you can google it easily. A universal way to access these emails might, theoretically, be a very tasty goal for any intelligence service.
3. However, from the same email leaks (and, more importantly, the details of the criminal case [wiki: eng, rus - much more informative]) we can see easier and more reliable ways of accessing such emails (phishing, fake Wi-Fi hot spots, fake BTS - rus) than trying to attack the Email service directly.
HBO released the TV series #Hackerville (nickname of the Romanian city Râmnicu Vâlcea, a famous center of cybercrime). From the trailer it seems that the series will NOT be technically accurate (OMG, is it too difficult and expensive to hire a technical consultant?!), but in any case, it might be fun to watch.
What I like the most about software vulnerabilities is how "vulnerability", as a quality of a real object (and the computer program is real), literally appears from nothing.
Let's say we have a fully updated server. We turn it off, lock it in a safe and forget about it for half a year. Six months later, we get it out and turn it on. It is the same and works absolutely the same. But now it is also exposed to dozens of critical vulnerabilities that, with some (un)luck, can be exploited by any script kiddie. A new important characteristic of the material object appeared from nowhere, isn't this magnificent? #fridaytalk
Of course, this only happens because many people constantly and comprehensively study software products. But we know so little about it that it seems almost like magic. For example, do you know how many security researchers analyze the Windows or Linux kernel (hundreds, thousands, maybe more)? Who pays them? What is their main motivation? Do they always report what they found to the software vendors?
As for the last question, it seems rather naive to think that all the researchers send their most valuable findings to the vendors, even for the bounty. Especially those researchers who work for governments and criminal groups. In my opinion, the publicly known vulnerabilities which cause us so much trouble with patching are only the smallest part of all existing vulnerabilities. And it's scary to think what is going on in the main private zone, where all the wunderwaffens and all the rings-to-rule-them-all should be.
We mainly know how the #NSA processes 0-day vulnerabilities and exploits. Many thanks to the #EFF and other organizations who forced them to disclose the "Vulnerabilities Equities Policy and Process for the United States Government" (2017). There are no technical details or valuable statistics in it, only some descriptions of bureaucratic procedures, but it shows the attitude. Do you think that in other countries governments deal with vulnerabilities in a more ethical way and report them to vendors immediately? I don't think so.
Can money solve the problem of unreported vulnerabilities? Responsible disclosure may become more attractive to independent researchers if the size of the bounty were comparable to the prices on the black market (now it's not). But individual researchers are not the only actors. What about the armies of government hackers that reverse the code in their barracks day after day for a cup of rice? And what about the vulnerabilities that are in fact backdoors left by the vendors intentionally? I don't see any good and safe solutions for this. This is too far from technology and mainly concerns geopolitics and violence.
Once again, it's a big, dangerous world, you know. We see only the smallest part of all existing vulnerabilities and, unfortunately, even with them we can't deal effectively.
NB: #slowpokenews I just found out that Tenable launched the "Cyber Exposure Podcast" in March with Bill Olson and Gavin Millard. Pretty cool show, where they discuss news related to vulnerabilities, vulnerability management and Tenable products. Currently there are 6 episodes available (starting from 4, which is a bit weird) and the latest was published at the end of May. So, more than a month without new episodes; I really hope that they haven't discontinued it. If you guys read this, please don't stop! This is the show I've been looking for for a long time.
PS: I also listen to Paul Asadoorian's Enterprise Security Weekly, but mainly the episodes when they talk about Vulnerability Management; unfortunately this happens relatively rarely.
Did you know that Telegram supports Discussion groups for channels? It's like a regular chat group linked with the channel, and all the posts from the channel are automatically forwarded to this chat. So you can discuss them, ask questions, flame a little bit, etc. I think that the lack of feedback (especially negative) is the most powerful feature of Telegram channels. But, why not try. So, if you want to talk about Information Security Automation, welcome to @avleonovchat
IMHO, these new enormous GDPR fines against data breach victims ("British Airways faces record £183m fine for data breach") will only lead to more efficient blackmailing. The attacker will send messages like "Your data has been stolen, this is sad, but you don't want to lose up to 4% of turnover if this information becomes public, right?". It will work even better than cryptolockers, because in the case of a cryptolocker attack the victim can at least accept the data loss, especially if there are some backups.
What is even more dangerous is that in the British Airways case it seems like an attack on a CDN or third party service: "...website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers."
I just combined a few recent messages from this channel in a post for my blog "The most magnificent thing about Vulnerabilities and who is behind the magic"
#vulnerability #reverseengineering #NSA #hacking #backdoor #VulnerabilityManagement #VulnerabilityDatabase #Concept
Due to the recent CVE-2019-13450 vulnerability in Zoom Client for macOS "remote attackers can force a user to join a video call with the video camera active", I am curious...
Do you put stickers over your device cameras (or disable them mechanically any other way) when you don't use them?
Anonymous poll: Yes 63%, No 37%.
BTW, it's a best practice in the Mac OS X 10.5 Leopard CIS Benchmark. No kidding.
#Greenbone keeps doing weird stuff with #OpenVAS. But some of it I even like. Well, I already mentioned that they renamed the entire project to GVM and left the name "OpenVAS" only for the oldest part of the project, the one that was forked from the last open source version of Nessus (btw, a good history page from the Greenbone perspective). Even the libs that OpenVAS uses are called gvm-libs. But now it goes further. The new OpenVAS logo will have a green "Greenbone" skull. OpenVAS "Open Vulnerability Assessment System" was renamed to "Open Vulnerability Assessment Scanner". And, most importantly, they decided to "turn the scanner service into a command line tool", so it won't be a daemon anymore.
I actually like this last part, because I wasn't able to deal with openvassd from GVM10 installed from the sources. And it's rather unclear how to debug this thing.
So, maybe with the command line tool I will be more lucky. The future GVM11 will control OpenVAS through the OSP server, which is written in Python (cool!)
I spent a lot of time last week working with the new API of Kaspersky Security Center 11. KSC is the administration console for Kaspersky Endpoint Protection products. And it has some pretty interesting features besides the antivirus/antimalware, for example, vulnerability and patch management. So, the possible integrations with other security systems might be quite useful.
A fully functional API was first presented in this latest version of KSC. It's documented pretty well, but in a strange way. In fact, the documentation is one huge .chm file that lists the classes, the methods of these classes and the data structures with brief descriptions. It's not a cookbook that gives a solution for the problem. In fact, you will need to guess which methods of which classes should be used to solve your particular task.
For the first task, I decided to export the versions of the Kaspersky products installed on the hosts. It is useful for controlling the endpoint protection process: whether all the necessary agents and products were installed on the hosts or not (and why not). So, see the python code with my comments in my blog.
#API #EndpointProtection #Kaspersky #KSC #KSC11 #python #python3
Alexander V. Leonov: "Kaspersky Security Center 11 API: getting information about hosts and installed products"