Another piece of news about #Vulners (such a day). Well-known CDN provider #Cloudflare has just released the open-source network vulnerability scanner Flan Scan. What does it use under the hood to detect vulnerabilities? Yep, Vulners. 😉
"#FlanScan is a thin wrapper around #Nmap that converts this popular open source tool into a vulnerability scanner with the added benefit of easy deployment."
"We found that the “vulners” script, available on NSE, mapped the detected services to relevant CVEs from a database, which is exactly what we needed."
"The vulners script works by making API calls to a service run by vulners.com which returns any known vulnerabilities for the given service."
Features:
* Easy Deployment and Configuration (#docker, #kubernetes)
* Pushing results to the Cloud (Google Cloud Storage Bucket or an S3 bucket)
* Actionable Reports
The PDF reports look pretty good by the way 👍🏻
Continuing the topic of perimeter services. As I mentioned earlier, I don’t think that external perimeter services should be considered a fully functional replacement for a custom Vulnerability Management process. I would rather see their results as an additional feed that shows the problems your current VM process has. Recently I tested Detectify’s Asset Inventory (Monitoring) solution, which provides such a feed by automatically detecting issues with your second-, third- (and deeper) level domains and the related web services. Here's what they provide, and my basic API usage examples.
I tried the new #Kali Linux 2019.4 today. #XFCE as default desktop environment and fun "undercover" mode with Win10 GUI camouflage is great, but I was more interested in how #OpenVAS (it is now called #GVM) is supported there. The only available version is pretty old, #OpenVAS9.
However, it's old, but not obsolete (c). I was impressed by the setup script that updated plugins, made all the necessary configurations and launched OpenVAS fully automatically. Even problems with updating SCAP Data (because of rsync) did not cause a crash. The browser just opened and I could start scanning immediately. Those who have tried to launch OpenVAS manually know how painful it is. In Kali it's amazingly user-friendly. 🙂
root@kali:~# apt search openvas
...
openvas/kali-rolling 9.0.3kali1 all
  remote network security auditor - dummy package
...
The delay is two major versions (current - GVM11) and two years. It seems that if you want the latest version, you must build the code yourself or use unofficial builds. 😔
A nice facepalming topic about HackerOne's own bug bounty program:
"On November 24, 2019, a Security Analyst tried to reproduce a submission to HackerOne’s program, which failed. The Security Analyst replied to the hacker, accidentally including one of their own valid session cookies". 🤦🏻♂️
Yep, it was in the curl request. This "hacker" successfully accessed the account of the analyst and got access to some vulnerability reports of HackerOne's customers ("bug bounty as a service"). He then submitted this issue and the company decided to pay him $20k bounty. Not bad, hah?
It is now debated whether this was the right decision to pay (I think it was). But IMHO it's more important to point out that "bug bounty as a service" might be dangerous. In fact it's a set of the most critical bugs of your organization, some of which, of course, have not been disclosed and fixed. And you can't really control who has access to them and how. So maybe it’s better to run it in-house, although the costs will be higher. 😉
Last year I made a basic presentation for students about web vulnerabilities. And I noted that the #XSS example won't work in #Chrome because of the XSS Auditor component. But that's not an issue anymore!
Google completely removed #XSSAuditor in Chrome 78 due to false negatives (bypasses and bugs) and some false positives. If you use Chrome, you can check it yourself using this test site.
#Chrome78 was rolled out in October and now it is the most widely used version of the web browser (38.51%). And this means XSS will become a very convenient attack vector for cybercriminals and pentesters once again!
Microsoft Patch Tuesday for December 2019 seems pretty interesting.
6 critical RCEs. IMHO, the most promising for attackers are CVE-2019-1462 in Microsoft PowerPoint (malicious file), CVE-2019-1484 in Windows Object Linking (malicious file) and CVE-2019-1485 in VBScript (malicious websites, or an ActiveX control embedded in an application or Microsoft Office document). But there are also RCEs in Hyper-V (from a guest on the host system!), Win32k Graphics and Git for Visual Studio.
For privilege elevation, there is CVE-2019-1458, which has been exploited in the wild.
See the reviews in Tenable and Qualys blogs.
#RCE #EoP #Kaspersky
I don’t know if you heard, but we have a huge IT scandal here in Russia. In a nutshell: 15 years ago, one smart guy worked as a system administrator in a large Russian Internet company (a kind of Russian Yahoo) and in his spare time he was developing an open source web server. Now this web server is the most widely used in the world, and the company behind it, created by this guy 8 years ago, was recently bought by F5 Networks for $670 million. Everything looked fine until yesterday, when police raided the office of Nginx Inc. in Moscow, and this guy, sysadmin/founder/developer Igor Sysoev, was interrogated and can now spend 6 years in prison. This happened because the company where he worked for 10 years (Nov 2000 – May 2011), Rambler, somehow claims the rights to #nginx. This despite the fact that Sysoev worked on it in his spare time, the project is open source and he was a system administrator there, not a software developer. How do you like it?
So why am I so angry about this situation, and why can't I ignore it? Well, I never met Igor and didn't even use Nginx much. Of course, Nginx is one of the most successful open source projects created in Russia (the only comparable one is Postgres). But it is much more than that!
You know, there is not much joy in the life of an IT professional. And one of the greatest pleasures is to KNOW that after 8-9-10 hours of full time work, you can work on your OWN pet project and DREAM that someday it can develop into something valuable. What Rambler is doing now is an attack on what is sacred to many IT professionals: midnight coding with red eyes, the right to do whatever you want with your own creation (even release it for free under a BSD license), the dream of a better life.
Different countries have different laws regulating the intellectual property of things a person creates in their free time. Thanks to the Russian Labor Code, developers hold all the intellectual rights in such situations by default. But if this particular case shows that this means nothing, and a former employer can claim the rights to any of your later successful projects (most startup founders once worked full time), it will really cause enormous damage to the country. It will kill people’s passion for creating something new, it will make investment in Russian companies much riskier, and emigration among qualified IT professionals will certainly increase.
So please support Nginx, this is important. I see the following actions that everyone can take quite safely and easily:
- spread the message, show your attitude;
- tell your PR team that now is a good time to demonstrate that YOUR company is friendly to open source and developers, and not at all like Rambler;
- tell your HR/recruiting team that now is a good time to attract good technical experts from #Rambler;
- if you work at Rambler and don't like the situation, perhaps you may consider changing jobs (if you are a security guy, contact me if you need help with this) or at least ask for a raise. 😉
The idea is to show that such actions are not only very harmful for PR, but also destroy the HR brand.
ZDNet
Russian police raid NGINX Moscow office
Russian search engine Rambler.ru claims full ownership of NGINX code.
A small update on #Zbrunk. First of all, I created a new API call that returns the list of object types in the database and the number of objects of each type for a certain period of time. Without it, debugging was rather inconvenient.
$ curl -k https://127.0.0.1:8088/services/searcher -d '{"get_types":"True", "search": {"time":{"from":"1471613579","to":"1471613580"}}, "output_mode": "json", "max_count":"10000000", "auth_token":"8DEE8A67-7700-4BA7-8CBF-4B917CE23512"}'
{"results": ["test_event"], "results_count": 1, "all_results_count": 0, "text": "Types found", "code": 0}
I also added some examples of working with the Zbrunk HTTP API from #python3. Rewriting them from pure curl was not so trivial. 😅 Flask is rather moody, so I had to abandon the idea of making requests exactly the same as in Splunk. 😓 But the differences are cosmetic. It is now assumed that events will be passed to the collector as valid JSON (not as a file with JSON events separated by '\n'). I also send all params of requests as JSON, not data. But for compatibility reasons the previous curl examples will also work. 😉
GitHub
zbrunk/tests/zbrunk_examples.py at master · leonov-av/zbrunk
Universal data analysis system. Contribute to leonov-av/zbrunk development by creating an account on GitHub.
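The get_types call shown in the curl command above, rewritten as an added Python 3 example. This is not code from the zbrunk repository or its tests: it builds the same JSON body (field names and the /services/searcher path come from the post; the base URL, the ZBRUNK_TOKEN environment variable and the verify_tls switch are this example's assumptions), posts it, and checks the "code" field of the reply instead of blindly trusting "results". The sample reply is the one quoted in the post.

```python
import json
import os
import ssl
import urllib.request

# Added example, not code from the zbrunk project. Endpoint path and field
# names mirror the curl call in the post; base URL, token variable name and
# verify_tls are assumptions.
SEARCHER_PATH = "/services/searcher"


def build_get_types_query(from_ts, to_ts, auth_token, max_count=10000000):
    """Build the JSON body of a get_types search for a time window.

    Timestamps are Unix epoch seconds; the service receives them as strings,
    exactly as in the curl example on the page.
    """
    return {
        "get_types": "True",
        "search": {"time": {"from": str(from_ts), "to": str(to_ts)}},
        "output_mode": "json",
        "max_count": str(max_count),
        "auth_token": auth_token,
    }


def parse_types_response(body):
    """Return the list of event types from a searcher reply.

    Raises RuntimeError on a non-zero code so an error reply (bad token,
    malformed search) is never mistaken for 'no types found'.
    """
    reply = json.loads(body)
    if reply.get("code", 1) != 0:
        raise RuntimeError(f"searcher error: {reply.get('text', 'unknown')}")
    return list(reply.get("results", []))


def get_types(base_url, from_ts, to_ts, auth_token=None, verify_tls=True):
    """POST the query to <base_url>/services/searcher and return the types.

    The token is read from ZBRUNK_TOKEN (assumed variable name) when not
    passed, so it does not get hard-coded in scripts. verify_tls=False
    mirrors 'curl -k' for a self-signed lab certificate; keep it True elsewhere.
    """
    token = auth_token or os.environ["ZBRUNK_TOKEN"]
    payload = json.dumps(build_get_types_query(from_ts, to_ts, token)).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + SEARCHER_PATH,
        data=payload,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_types_response(resp.read().decode())


# Reply quoted from the post above, used here as sample input.
SAMPLE_REPLY = ('{"results": ["test_event"], "results_count": 1, '
                '"all_results_count": 0, "text": "Types found", "code": 0}')

if __name__ == "__main__":
    print(build_get_types_query(1471613579, 1471613580, "<TOKEN>"))
    print(parse_types_response(SAMPLE_REPLY))
```

With a running instance the call is `get_types("https://127.0.0.1:8088", 1471613579, 1471613580, verify_tls=False)` after exporting ZBRUNK_TOKEN; the two helper functions can be exercised without any server.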
Lol, #Rapid7 released an album with short infosec versions of Christmas songs. It's even better than last year's. My favourites are:
"You better control
You better comply
You better safeguard
We're telling you why
Auditors are coming to town"
and
"Do you want to build a plugin?
C'mon, let's code away
Old apps won't cut it anymore
They're such a bore
Let's automate today"
😁 #haxmas
https://www.rapid7.com/info/haxmas
Rapid7
2020 Rapid7 HaXmas: Infosec Resources with a Holiday Twist
Fa-la-lall in love with Rapid7’s "Elf on the Stealth" video, festive blog series, and cybersecurity history calendar, as part of our annual HaXmas series.
I don't know if you heard, but starting from 2020.01.01 Splunk will have a bug in timestamp processing. Well, this "two digit" year format seems strange and ugly, and maybe it will not affect your apps directly, but it seems like a good idea to update the Splunk server or at least datetime.xml.
The problem exists with regular expressions in this file:
# ls -al /opt/splunk/etc/datetime.xml
-r--r--r--. 1 splunk splunk 8178 Jan 25 2018 /opt/splunk/etc/datetime.xml
You can check that the file is buggy like this (based on the changes mentioned in the article):
# cat /opt/splunk/etc/datetime.xml | grep "\\d|\[901\]"
<text><![CDATA[(20\d\d|19\d\d|[901]\d(?!\d))]]></text>
To fix this, you can upgrade Splunk to the latest version, but IMHO it's safer and easier to update only datetime.xml. Take the datetime.zip file and upload it to the server:
$ scp datetime.zip user@splunk:/home/user/datetime.zip
Replace the file on the server:
# unzip datetime.zip
Archive: datetime.zip
inflating: cfg/datetime.xml
# cp /home/user/cfg/datetime.xml /opt/splunk/etc/datetime.xml
The output of
# cat /opt/splunk/etc/datetime.xml | grep "\\d|\[901\]"
should be empty.
Don't forget to restart the server:
# systemctl stop splunk.service
# systemctl start splunk.service
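Why the quoted regex breaks on 1 January 2020, shown as an added Python example (my code, not Splunk's). The first pattern is the two-digit-year alternative exactly as grepped from datetime.xml above; the second adds '2' to the character class so that years written as "20".."29" are accepted. The page does not show the contents of the fixed file, so the [9012] class is this example's assumption about the correction; the sample year tokens are constructed.

```python
import re

# Added example, not Splunk code. BUGGY_YEAR is the alternative quoted from the
# old datetime.xml on the page; FIXED_YEAR widens the class to [9012]
# (assumption about the corrected file: this is what the fix needs).
BUGGY_YEAR = re.compile(r"(20\d\d|19\d\d|[901]\d(?!\d))")
FIXED_YEAR = re.compile(r"(20\d\d|19\d\d|[9012]\d(?!\d))")

# The literal text the page's grep looks for; it only occurs in the old
# alternative, so its absence is the "output should be empty" check.
BUGGY_MARKER = r"\d|[901]"


def match_year(pattern, token):
    """Return the year text if the whole token is a year the pattern accepts."""
    m = pattern.fullmatch(token)
    return m.group(1) if m else None


def years_rejected(pattern, tokens):
    """List the year tokens a pattern fails to recognise."""
    return [t for t in tokens if match_year(pattern, t) is None]


def datetime_xml_is_buggy(xml_text):
    """True when datetime.xml still carries the old two-digit-year class."""
    return BUGGY_MARKER in xml_text


# Constructed sample year tokens as they appear in log timestamps.
SAMPLE_YEARS = ["2019", "2020", "19", "20", "99"]
# Line quoted from the page (old file) and the same line with the wider class.
OLD_LINE = r"<text><![CDATA[(20\d\d|19\d\d|[901]\d(?!\d))]]></text>"
NEW_LINE = r"<text><![CDATA[(20\d\d|19\d\d|[9012]\d(?!\d))]]></text>"

if __name__ == "__main__":
    # Four-digit 2020 is fine in both; only the two-digit "20" is dropped by the old class.
    print("old pattern rejects:", years_rejected(BUGGY_YEAR, SAMPLE_YEARS))
    print("new pattern rejects:", years_rejected(FIXED_YEAR, SAMPLE_YEARS))
    print("old file buggy:", datetime_xml_is_buggy(OLD_LINE))
    print("new file buggy:", datetime_xml_is_buggy(NEW_LINE))
```

Note that the four-digit form 2020 was never affected; the bug only bites timestamps that carry the year as two digits, which is why the post calls the format strange and still recommends patching.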