This is what elite hackers get paid!! It takes a few hours to do.
Security World - PenTesting, Security Research, and Threat Assessment
Monday, May 8, 2017
Saturday, April 29, 2017
Hacked!
When people get hacked, they often ask me if I hacked their system (because I work as a professional hacker). The answer is NO. I don't have time to hack stupid stuff. I don't hack for free. And I don't hack illegally. That's what losers do.
Most often the causes of people being hacked are:
1. They received an email that says they've won $10 million. "Please click here to receive." lol
2. They click on a popup that says their computer is hacked and to install the "anti-virus" software from the popup to clean it. Often the free "anti-virus" software is the trojan. Even if it's not free, it's a scam to get people to buy unnecessary software.
3. People are downloading software, music, and movies illegally. STOP IT. That's how people most often get hacked. They often use some kind of torrent software.
4. People visiting risky websites and clicking on them.
5. Opening an attachment from a friend that contains a funny joke.
People should have
a. a restrictive firewall up
b. anti-virus software running
c. update the software on their system to patched versions
d. and don't do any of the silly things listed in 1-5
Tuesday, March 7, 2017
Network Vulnerability Scanners
There are many network vulnerability scanners out there. Many of them are poor quality. For instance, one particular tool lists hundreds of vulnerabilities for a service running on the network simply based on the fact that the version banner states it is a certain version. These tools do not check for a vulnerability.
That's right. Many of these tools do not check for a vulnerability. Instead they look at the version number on an Apache web server or a MySQL server and then list hundreds of false positives. The version number could be incorrect and/or patches may have been backported. This is no different than static code analyzers that try to impress users with thousands of findings in fancy demonstrations that are false positives.
These tools are a waste of time and energy. Get yourself a real tool that actually does a vulnerability check.
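The backport problem described above, as an added example (not code from the original post): a banner-only match flags every advisory newer than the advertised version, while a comparison against the installed vendor package shows which of those are already patched and which still need an actual check. The advisory IDs, product name, distro label and versions are constructed placeholders, and the version comparison is a simplified numeric one.

```python
import re

# Constructed advisory feed: IDs, product name and versions are placeholders,
# not real CVEs or real release numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "product": "exampled",
     "fixed_upstream": "2.4.10",
     "fixed_in_package": {"examplelinux-7": "2.4.6-12"}},
    {"id": "ADV-EXAMPLE-0002", "product": "exampled",
     "fixed_upstream": "2.4.8",
     "fixed_in_package": {"examplelinux-7": "2.4.6-20"}},
    {"id": "ADV-EXAMPLE-0003", "product": "exampled",
     "fixed_upstream": "2.4.3",
     "fixed_in_package": {}},
]


def vkey(version):
    """Turn '2.4.6-12' into (2, 4, 6, 12) so versions compare numerically.
    Simplified: real distro version schemes have more rules than this."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_banner(banner):
    """Extract (product, version) from a 'Server: name/x.y.z' style banner."""
    m = re.search(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", banner)
    return (m.group(1).lower(), m.group(2)) if m else None


def banner_only(banner):
    """What a banner-matching scanner reports: every advisory whose upstream
    fix is newer than the advertised version, with no further evidence."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [a["id"] for a in ADVISORIES
            if a["product"] == product
            and vkey(version) < vkey(a["fixed_upstream"])]


def triage(banner, distro, package_version):
    """Split banner hits into 'backported' (the installed package already
    carries the vendor fix) and 'needs_check' (still requires a real test)."""
    by_id = {a["id"]: a for a in ADVISORIES}
    result = {"backported": [], "needs_check": []}
    for adv_id in banner_only(banner):
        fixed_pkg = by_id[adv_id]["fixed_in_package"].get(distro)
        if fixed_pkg and vkey(package_version) >= vkey(fixed_pkg):
            result["backported"].append(adv_id)
        else:
            result["needs_check"].append(adv_id)
    return result


# Constructed host: the banner says 2.4.6, the vendor package is 2.4.6-15.
BANNER = "Server: exampled/2.4.6 (ExampleLinux)"

if __name__ == "__main__":
    print("banner-only findings:", banner_only(BANNER))
    print("after package check: ", triage(BANNER, "examplelinux-7", "2.4.6-15"))
```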
Thursday, July 3, 2014
QualysGuard Private Cloud Platform Security Architecture and Pen Test Review
The QualysGuard Private Cloud Platform (QG PCP) makes many promises, one of which is that vulnerability scan data can be hosted by a private cloud platform in a client's data center and under the client's control. If taken at their word, this may seem promising, but the reality is that Qualys still will have to manage this platform remotely. By doing so, they will have access to this data remotely and can pull it down to their site as needed. Needless to say, Qualys requires the client to provide a backdoor to the system.
The Qualys PCP equipment is leased and never sold to the customer. There are many legal issues with this arrangement, which allows them to access their equipment. They require the customer to give them remote access in order for them to manage it remotely. That is a requirement and not an option. They keep it a big secret how it is managed.
Remote Access
What kind of remote access to the QG PCP do they require?
1. Persistent iVPN tunnel
2. VPN remote access account
Qualys still has the means to pull the data back to Qualys through SSH/SCP even though it is hosted on a customer site. In fact, Qualys does not allow the customer to monitor the network traffic being sent back to Qualys. Such requests were flat out refused during a security assessment. What they pull back is their business and the customer has no right to know.
Network Sniffer
Network monitoring had to be done outside of the QG PCP as Qualys did not allow internal network sniffing. This traffic analysis did show a few weaknesses.
1. Emails were being sent to the email server UNENCRYPTED. Yes, one could see the message being sent as well as who the recipients were. Emails were being sent back to Qualys through the Internet. A lot of sensitive information was sent unencrypted, including server names, configuration, scripts, running jobs, listening ports, and full internal DNS names.
2. Internet connections from Indonesia were seen accessing the QG PCP even though it was supposed to be in a controlled access network in a data center.
3. A lot of failed DNS requests to www.qualys.com and other Qualys subdomains; it looks like the system has not been fine-tuned to be hosted at a client site. The interesting thing is that it tries to do Windows updates on its own by accessing the Internet.
4. Undocumented protocols used by the Qualys PCP; namely AppleTalk, CMIP-Man, and Feixin.
5. Syslog messages were sent across the network unencrypted.
Firewall Rule Analysis
Firewall rule analysis shows that SSH is allowed into the platform through VPN firewall as well as HTTP(S) protocols.
Internet Access
The Qualys PCP itself does access network traffic in and out of the controlled access network environment as seen in the diagram below.
1. The Qualys PCP Service Network requires outbound communication for
a. NTP – Time Synchronization
b. DNS – Name Resolution
c. SMTP – Email
d. WHOIS – External Internet
e. Daily Vulnerability Updates - External Internet.
WHOIS pulls information from the Internet and Daily Signature Updates are pulled from Qualys through the Internet on port 443. In effect, the PCP is pulling information from Qualys through the Internet to retrieve updates. A man-in-the-middle attack could intercept the update and instead return a malware update to the Qualys PCP provided that a vulnerability exists in the platform.
2. The physical scanners communicate to the Qualys PCP. This requires that inbound port 443 be opened on the PCP. Physical scanners in the DMZ also need to communicate to the PCP on port 443. Access to the PCP from the DMZ increases the risk.
3. Qualys SOC accesses the PCP through iVPN and VPN connections from the Internet for maintenance and support.
Virtual Scanners
A sniffer placed on a virtual scanner showed that it chose to use SSLv3, which is deprecated, by default on some servers to communicate to the Qualys PCP. In particular, it uses SSLv3 with RC4-MD5. MD5 is obsolete. Qualys documentation claims they use TLSv1 and the latest modern secure protocols.
Application Analysis
Perl API
Application analysis was done by running Perl scripts against the qualysapi server and testing for vulnerabilities. The server itself was found to be vulnerable: it accepted login credentials for API requests that were base64 encoded and passed through plaintext HTTP. This could result in the loss and capture of Qualys Admin credentials, which could in turn result in access to vulnerability scan results.
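Why base64 over plaintext HTTP exposes the login, as an added example that is not from the original post: base64 is an encoding, not encryption, so any capture of the request yields the account name and password. The sketch assumes the credentials travel in an HTTP Basic Authorization header; the request, host name and credentials are constructed sample values, and the password is only measured, never printed.

```python
import base64
import binascii

# Constructed capture of one API request seen on a plaintext HTTP port.
# Host, path and credentials are made-up sample values.
SAMPLE_REQUEST = (
    b"GET /api/example HTTP/1.1\r\n"
    b"Host: pcp-api.example.internal\r\n"
    b"Authorization: Basic " + base64.b64encode(b"scan_admin:S3cret!pass") + b"\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Return (request_line, {lower-case header name: value}) from raw bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_request(raw, tls):
    """Report credential exposure for one captured request.

    tls is True when the request was carried inside TLS and False when it
    was seen as plaintext HTTP. Returns None if no Basic credentials are sent.
    """
    request_line, headers = parse_headers(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {"request": request_line, "finding": "malformed Basic token"}
    user, _, password = decoded.decode("utf-8", "replace").partition(":")
    return {
        "request": request_line,
        "user": user,
        "password_length": len(password),  # report the length, not the secret
        "exposed": not tls,
        "finding": ("credentials readable on the wire" if not tls
                    else "Basic credentials protected only by the TLS layer"),
    }


if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST, tls=False))
```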
Web Application
The Qualys Web Application tests resulted in a number of vulnerabilities.
Qualys PCP Internal
Additional vulnerabilities were found inside the Qualys PCP infrastructure itself. It was found to be very insecure.
Friday, April 18, 2014
Yahoo's Downfall
I predicted Yahoo's downfall in 2008 and told my coworkers about it. The prediction had nothing to do with looking at financials. It was being displeased with how crappy the Yahoo service is. I pretty much was using Yahoo for more than 4 years and got fed up with it and switched to Google. A bad service isn't going to last. Now the question really is if Marissa Mayer can save them?
Yahoo in Turmoil
Monday, March 17, 2014
Having a Safe Online Shopping Experience
Online shopping can be quite fun but it can also be quite dangerous as the Internet is full of scam websites posing as legitimate websites. Some of these fraudulent websites are so well done that they look legit.
Here are some pointers on having a safe online shopping experience:
1. Stick with well known and trustworthy companies when giving them your credit card and personal information. Such companies are Google, Amazon, Microsoft, and a few others.
2. If there is a site that is not on the trusted list, do a google search for the name of site plus the words scam fraud reviews. For example, google this: badwebsite.com scam fraud reviews. Look and see if there are any/many bad reviews. Some good reviews could be fraud as well, so use best judgement and common sense.
3. Make sure you have anti-virus with Internet protection from malicious websites turned on. This does *not* guarantee 100% protection from malicious websites nor from virus infection but it certainly increases your chances. Make sure your firewall is turned on as well.
4. Be careful of malicious and suspicious websites. Don't think you are invulnerable and click on any site you want. There is such a thing as drive by downloads that some anti-virus will not detect. Yes, just by visiting a bad website, you could be infected and compromised even with all anti-virus, anti-malware turned to the max. Be careful of what websites you visit. If you google illegal software and music downloads, then most of the sites that turn up are bad websites. If you google buying illegal drugs, there's a 99.9% chance you will run into a scam site.
5. Use McAfee Secure Search which filters out malicious sites or sites that have been hacked from your search results. This is a McAfee Site Advisor plugin for your browser. Google Safe Browsing is a similar service. Having used both McAfee Secure Search and Google Safe Browsing, they seem to block out only a portion of malicious sites. So many scam websites were still shown in the search results. Unfortunately, it does not screen out all bad websites so you must still exercise caution.
6. Verify the reliability and trustworthiness of the website by entering the web site address into:
- McAfee Site Advisor. http://www.siteadvisor.com
- scamadvisor.com
- scamvoid.com
- scamanalyze.com
- ripoffreport.com
- complaintsboard.com
7. How long has the website been up? If it's been up for less than 3 years and has no bad ratings, there could be a cause for concern. Usually bad ratings take a few years to show up. Most bad websites change their domain names every 6 months to avoid being blacklisted and having bad reviews written about them. It's like how companies involved in fraud constantly change their names to avoid known detection. lol.
8. Look for a few good ratings on the website that sound legit. This step requires some common sense. :) Beware that there are a lot of fraud review sites set up by scam companies. Make sure that the reviews you are reading are from well known and respected community boards with a variety of opinions. If some web site claims or reviews sound too good to be true, then they probably are. Be careful in those situations.
9. When in doubt, don't buy.
10. Assuming nothing bad shows up so far, see if the site allows paying through a safe payment system such as Amazon Payments. See if the website has that option. If it does not, it may not be worth doing business with. This way you are not sending your credit card information to them but you are sending PII (personally identifiable information) to them and that should be done with caution when sending such information to an unknown random website on the Internet. By the way, you are not likely to get your money back if you use Paypal and got scammed.
Best of luck to you. While this is no guarantee you will have a safe and enjoyable online shopping experience, it certainly improves your chances by a dramatic factor. If this sounds like too much work, then just stick with point #1 and stay with well known trusted sites.
Friday, March 14, 2014
Things to Consider Before Accepting a New Job
While the promise of significantly higher pay may be enticing to some, here are a couple of things to consider before taking a job offer. Most people just take a new job and hope for the best without a clear strategy.
1. What are their expectations? Are their expectations significantly greater than that of your current employer? Are you willing to do that?
2. What is the corporate culture? Is it a sweat shop culture or laid back culture?
3. Will you be able to balance life and work at this new job (for those who have a lifestyle outside of work)?
4. How is the manager and his managerial style? How does he/she treat people? Some people grow up being treated with contempt and disrespect from their parents and have not learned how to behave in any other way and now treat the people they manage the same way. They have not grown up emotionally and are still operating like a poorly behaved child in a professional environment managing others. Does this person seem to have a temper problem and yell at people a lot? Are they a slave driver with whip in hand? Do you think you will be able to communicate issues to this manager? Is this manager able to get things done? Does the manager's personality mesh with yours? It's good to talk to the boss face to face to get a gut instinct if this is a person you can trust or does he/she look like they lie a lot to promote themselves? Does he/she seem sleazy and shifty-eyed? Does this person seem ethical or underhanded? Will they throw you under the bus when the going gets tough?
5. Do the coworkers look like people you would want to spend time working with?
6. Will you have to relocate? Do you like the new city? Does the new city have a lifestyle you could enjoy? How will this affect your personal life?
7. Is it a company you can trust? Does it have questionable HR practices that may affect you personally?
8. What is the turnover rate for the team? Do they have a hair trigger for firing people? How likely are you to be able to keep this job and still be happy?
9. Outside of money, does this job meet your career aspirations? Will this take you where you want to go? Will it advance your career or is it a dead end job?
10. Will you enjoy the job? Do you think you can be happy with this job?
11. Are you taking this job, which you may not like, only for more money? Consider adjusting your lifestyle so that your expenses are lowered.
12. Is this company's future stable? Is it a startup? Are you able to financially handle the risk that this startup may go out of business or that you may be laid off if their profit expectations are not met? Small companies sometimes go through a massive hiring frenzy followed shortly thereafter by a massive firing fiesta. Long term contracts at large companies (Fortune 20) are often more stable than full time positions at small companies (not Fortune 1000).