Daily Archives: January 13, 2019

Ep. 113 – Nutrition Facts for Online Information with Clint Watts

Misinformation is a powerful tool. As we enter 2019 we invite on a fascinating guest, Clint Watts, who has spent his career learning all about how to use it and how it is used. – Jan 14, 2019

Get Involved

Got a great idea for an upcoming podcast? Send us a quick message on the contact form!

Enjoy the Outro Music? Thanks to Clutch for allowing us to use Son of Virginia as our new SEPodcast Theme Music

And check out a schedule for all our training at Social-Engineer.Com

Check out the Innocent Lives Foundation to help unmask online child predators.

The post Ep. 113 – Nutrition Facts for Online Information with Clint Watts appeared first on Security Through Education.

What You Need to Know About Secure Mobile Messaging in Healthcare

With the majority of people using smartphones these days, texting is all but a given when trying to communicate with your friends or family. But what about your doctor? A recent study determined that 96 percent of physicians use text messaging for coordinating patient care. This can raise eyebrows and red flags. Anyone with a […]

The post What You Need to Know About Secure Mobile Messaging in Healthcare appeared first on The State of Security.

Internal App Leaked NASA Project And Employee Details

A misconfiguration flaw in JIRA, an internal application of the US National Aeronautics and Space Administration (NASA), exposed sensitive internal data, including the personal information of some current and former employees.

NASA has sent an internal memo to all employees stating that an unknown intruder has gained access to their servers, in which personal information of employees was stored.

“The breach was first discovered on October 23, and since then the agency has been working with them to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals.”

According to the report, the exact number of people affected by this breach is not known. However, the agency has taken all the preventive action to further control the damage.

“Those NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018, may have been affected,” Bob Gibbs, NASA Assistant Administrator said in the memo.

"Once identified, NASA will provide specific follow-up information to those employees, past and present, whose PII was affected, to include offering identity protection services and related resources, as appropriate," he said.

Meanwhile, the full investigation of the matter "will take time."

Man whose DDoS attacks took down entire country’s Internet jailed

By Waqas

A court in London has sentenced the British and Israeli cyber criminal Daniel Kaye, aka “BestBuy and Popopret”, to two years and eight months in prison for conducting large-scale DDoS attacks on Lonestar Cell MTN, disrupting the country’s Internet and causing tens of millions of dollars in damages. Kaye (30) was charged with DDoS attacks against British and German […]

This is a post from HackRead.com Read the original post: Man whose DDoS attacks took down entire country’s Internet jailed

Over 30 Thousand Patient Records Exposed; Third-Party Breach To Blame

Cyber-criminals recently hit another healthcare target. ‘Managed Health Services of Indiana Health Plan’ (MHS) recently went public about a third-party data breach that exposed the personal details of 31,000 patients.

This breach was the result of one of two security incidents that the organization had to deal with.

The organization runs two major healthcare programs, ‘Indiana’s Hoosier Healthwise’ and ‘Hoosier Care Connect Medicaid’.

MHS was informed about the breach by one of its vendors: someone had illegitimately gained access to the vendor’s employees’ email accounts.

Disconcertingly, according to the reports, the unauthorized access occurred between July and September of last year.

During the investigation initiated by MHS, it was found that patients’ personal data, including their names, insurance ID numbers, dates of birth, dates of service and addresses, had all potentially been exposed.

As the investigation unfolded, it was discovered that the incident was caused by a phishing attack on the vendor’s system.

The vendor took rapid steps to counter the attack with the aid of a computer forensics company.

Some of the information in the affected email accounts was readily accessible. The “hacked” email accounts were the main source of the exposed information.

The easiest way to harvest personal data is a phishing attack, and a phishing attack anywhere in the chain can affect everyone involved.

As a result of the effect on the whole chain, 31,000 people were affected and had their data exposed.

Reportedly, this was the fourth attack on health plans in the last month alone.

After such an attack it becomes evident that the healthcare industry badly needs better management and security of its cyber systems.

Man accused of hacking Pippa Middleton’s iCloud account wanted in US

A stay-at-home father once accused of hacking into the iCloud account of Duchess of Cambridge's sister, Pippa Middleton, is now wanted by U.S. authorities for allegedly blackmailing healthcare companies.

Nathan Wyatt was accused of stealing more than 3,000 pictures, which were then hawked to several newspapers in the following weeks, according to The Sun. Middleton asked for an order barring publication of any photos or material leaked from her iCloud account. Wyatt was, however, cleared of hacking Middleton's iCloud account in 2016 after she and her husband took the case to the High Court. But during the probe police found he had hacked a US law firm, and he was jailed.

Wyatt, 37, was arrested upon release from prison over similar charges in the US. He is now fighting extradition over blackmail claims by firms in Missouri.

Wyatt allegedly used the name The Dark Overlords to demand ransoms for data he stole from four companies.

Wyatt has already served 3 years for blackmailing a law firm in the U.K. and for unrelated credit card fraud charges.

Wyatt is now facing extradition to the U.S. at Westminster magistrates’ court later this month. The prosecuting attorney Daniel Sternburg said Wyatt set up multiple accounts to extort the companies and is being charged in the conspiracy.

How to install Bitwarden in an LXC container (e.g. Proxmox)

As those of you who know me are aware, I’m quite serious about security and therefore a believer in the theory that a service which is not reachable (e.g. from the Internet) cannot be attacked as easily as one that is. Looking at password managers, this makes choosing not that easy. Sure, there is KeePass and its descendants, but they have the problem that the security is based solely on the master password and the security of the end device. Knowing friends that use Google Drive for syncing the password file between their devices, I looked at that option, but it was not right for me (e.g. browser integration, 2FA, …).

Password managers like LastPass or 1Password are also not the right solution for me. Yes, I believe that their crypto is good and that they never see the passwords of their users, but the 2FA is only as good as the lost password/2FA reset feature is. I’ve read about and seen too many attacks on that to rely on it.

All of this leads to Bitwarden: it provides the same level of functionality as LastPass or 1Password but is open source and can be hosted on my own server. Not opening it up to the Internet and using it remotely only via VPN (which I have anyway) makes for a really small attack surface. This blog post shows how I installed it within a Proxmox LXC container, which I did to isolate it from other stuff, so there are no dependencies if I need to upgrade something. I don’t like to install anything on the Proxmox host itself. As this is my first try, and I ran into a problem with an unprivileged container and Docker within it, this setup currently works only with a privileged container. I know this is not ideal, but in this case it is a risk I can accept. If you find a solution to get it running in an unprivileged container, please send me an email or write a comment.

LXC container

After creating the LXC container (2 GB RAM, >5 GB disk) with Debian 9, don’t start the container right away. You first need to add the following to /etc/modules-load.d/modules.conf (on the Proxmox host):

aufs
overlay

And if you don’t want to reboot, load the modules now with

modprobe aufs
modprobe overlay

If you don’t do this, your installation will get gigantic (over 30 GB). Now we just need to add the following to /etc/pve/lxc/<vid>.conf:

#insert docker part below
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

Now you can start the container and enter it. We’ll check later whether everything is correct, but we need Docker for that.

Docker and Docker Compose

Some requirements for Docker:

apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common

and now we can add the repository for Docker:

curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"

and now we can install it with

apt-get update && apt-get install docker-ce

The Docker Compose shipped with Debian is too old to work with this Docker, so we need the following:

curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

and add /usr/local/bin/ to the path variable by adding

PATH=/usr/local/bin:$PATH

to .bashrc and sourcing it in the current shell to get it set without starting a new bash instance. I know that a package would be better, but I couldn’t find one, so this is a temporary solution. If someone finds a better one, leave it in the comments below.

Now we need to check whether the overlay setup is working by calling docker info; hopefully you also get overlay2 as the storage driver:

Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file

Bitwarden

Now we just need the following:

curl -s -o bitwarden.sh https://raw.githubusercontent.com/bitwarden/core/master/scripts/bitwarden.sh
chmod +x bitwarden.sh
./bitwarden.sh install
./bitwarden.sh start
./bitwarden.sh updatedb

And now you’re done: you have your own password manager server, which also supports Google Authenticator (Time-based One-time Password, TOTP) as a second factor. Maybe I’ll write a blog post later on how to set up a Yubikey as 2FA (desktop and mobile).
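A pre-flight checker for the steps above, added here as an example and not part of the original post: it verifies the modules file, the three Docker-related lines in the container config, and that docker info reports overlay2 with d_type support. The file paths and the docker info sample below are constructed so the script runs offline; on a real host point the functions at the live files.

```shell
#!/bin/sh
# Pre-flight checks for the Bitwarden-in-LXC setup (added example, not the post's code).

# Succeed only if FILE contains every remaining argument as a whole line.
has_all_lines() {
    file="$1"; shift
    for want in "$@"; do
        grep -Fxq -- "$want" "$file" || return 1
    done
    return 0
}

# /etc/modules-load.d/modules.conf must list both modules, otherwise the
# overlay2 storage driver is unavailable and the install balloons past 30 GB.
check_modules_conf() { has_all_lines "$1" "aufs" "overlay"; }

# /etc/pve/lxc/<vid>.conf must carry the three lines that let Docker run in LXC.
check_lxc_conf() {
    has_all_lines "$1" \
        "lxc.apparmor.profile: unconfined" \
        "lxc.cgroup.devices.allow: a" \
        "lxc.cap.drop:"
}

# Print the value of one "Key: value" field from docker info text passed as $2.
docker_field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# docker info must report overlay2 on a filesystem with d_type support.
check_docker_info() {
    [ "$(docker_field 'Storage Driver' "$1")" = "overlay2" ] &&
    [ "$(docker_field 'Supports d_type' "$1")" = "true" ]
}

# Constructed sample of the relevant docker info lines (mirrors the post's output).
SAMPLE_DOCKER_INFO='Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true'

# Demo on constructed files; on the host use the real paths instead.
demo_dir=$(mktemp -d)
printf 'aufs\noverlay\n' > "$demo_dir/modules.conf"
printf 'lxc.apparmor.profile: unconfined\nlxc.cgroup.devices.allow: a\nlxc.cap.drop:\n' \
    > "$demo_dir/vid.conf"

check_modules_conf "$demo_dir/modules.conf" && echo "modules.conf: ok" || echo "modules.conf: aufs/overlay missing"
check_lxc_conf "$demo_dir/vid.conf" && echo "lxc conf: ok" || echo "lxc conf: docker lines missing"
check_docker_info "$SAMPLE_DOCKER_INFO" && echo "docker: overlay2 with d_type" || echo "docker: wrong storage driver"
# Live check inside the container: check_docker_info "$(docker info 2>/dev/null)"
rm -rf "$demo_dir"
```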

Windows Applocker Policy – A Beginner’s Guide

Hello Friends!! This article is about the Microsoft Windows AppLocker policy. It is aimed at system administrators and explains the AppLocker rules used in application control policies and how to work with them.

Table of Content

Introduction to Applocker

  • What is AppLocker Policy?
  • Who Should Use AppLocker?
  • What can your rules be based upon?

Configure the Applocker to Allow/Deny Execution of an App

  • Configure Enforcement rule
  • Create Default Rules

Modify Executable Default Rules to Allow an App

  • Rule conditions
    • Publisher
    • Path
    • File Hash

Modify Windows Installer Default Rules to Allow an App

Modify Script Default Rules to Allow an App

Creating New Rules to Block an APP

Introduction to Applocker

What is AppLocker Policy?

Windows AppLocker is a feature introduced in Windows 7 and Windows Server 2008 R2 as a method of restricting the use of unwanted programs. It lets administrators control which executable files are allowed or denied to run. With this policy, administrators can generate rules based on a file's publisher, path or hash, that is, on the unique identity of a file, and specify which users or groups can execute those applications.

What can your rules be based upon?

The AppLocker console is organized into rule collections: executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections let you easily distinguish the rules for different application types. The following table lists the file formats that are included in each rule collection.

Who Should Use AppLocker?

AppLocker is worthwhile for organizations that need to do any of the following:

  • Control which applications are allowed to run inside the company.
  • Control which users are allowed to run licensed programs.
  • Provide an audit log of which programs users were running.
  • Prevent standard users from installing software per user.

Configure the Applocker to Allow/Deny Execution of an App

The AppLocker settings are in the Group Policy Object Editor at Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker.

Configure Enforcement Rule

Use the enforcement setting of each rule collection. With Enforce rules selected, rules are enforced for that rule collection and all events are audited.

  1. Select the Configured check box for the rule collection that you are editing, and then verify that Enforce rules is selected.
  2. Click OK.

Open the Advanced tab and enable the DLL rule collection.

Create Default Rules

AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.

  • Open the AppLocker console.
  • Right-click the rule type for which you want to generate default rules automatically. You can automatically create executable rules, Windows Installer rules, script rules, and packaged application rules.
  • Click Create Default Rules.

Executable Default Rule Types Include:

  • Allow members of the local Administrators group to run all apps.
  • Allow members of the Everyone group to run apps that are located in the Windows folder.
  • Allow members of the Everyone group to run apps that are located in the Program Files folder.

Modify Executable Default Rules to Allow an App

A rule can be configured to use allow or deny actions:

  • ALLOW : You can specify which files are allowed to run in your environment, and for which users or groups of users.
  • DENY : You can specify which files are not allowed to run in your environment, and for which users or groups of users.

Once you have created the default rules as above, you can modify them as required. For example, to modify the rule “Allow members of the Everyone group to run apps that are located in the Program Files folder” so that a specific user or group may run a specific program file, open its properties by right-clicking the rule and follow the steps below.

Select the file or folder path that this rule should affect. The asterisk (*) can be used as a wildcard in path rules. For example, %ProgramFiles%\* covers all files and subfolders within that path.

Rule conditions

Rule conditions are the criteria AppLocker uses to identify the applications to which a rule applies. The three condition types are publisher, path and file hash.

Publisher

Identifies an application by its digital signature. The digital signature contains information about the company (the publisher) that created the application.

Wildcard characters can be used as values in the publisher rule fields; the allowed values are listed under Modify Windows Installer Default Rules to Allow an App below.

Advantage:

Frequent updating is not required.

You can apply different values within a certificate.

You can use a single rule to allow a complete product suite.

Within the publisher rule, you can use the asterisk (*) wildcard character to specify that any value should match.

Disadvantage:

While a single rule can be used to allow a complete product suite, all files in the suite must be uniformly signed.

Path

Identifies an app by its location in the computer's file system or on the network. For well-known paths such as Program Files and Windows, AppLocker uses its own path variables.

Advantages:

Many folders or a single file can be controlled easily.

The asterisk (*) can be used as a wildcard in the rules of the path. For example, %ProgramFiles%\Microsoft Office\* indicates that all files and subfolders within the Microsoft Office folder will be affected by the rule.

Disadvantage:

A path rule is risky if the folder it covers contains subfolders that are writable by local users, since anything a user places there is allowed as well.

File Hash

Identifies a file by its computed cryptographic hash. For files that are not digitally signed, file hash rules are safer than path rules.

Advantage:

Since each file has a unique hash, a file hash condition applies to only one file.

Disadvantage:

Whenever the file is updated (such as security updates or upgrades), the hash of the file changes. Consequently, you have to manually update the rules for file hash.
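As an added example (not from the original article), the following PowerShell shows what the publisher and hash conditions record for one file and audits the path-rule weakness just described: subfolders under an allowed path that standard users can write to. It assumes an elevated PowerShell 3.0 or later with the AppLocker module; the principal list and the function name are choices made here.

```powershell
# Added example: inspect rule-condition data for a file and audit a path rule's folder.

# What the two identity-based conditions pin for cmd.exe: the publisher condition
# uses the certificate subject, product name, binary name and version; the hash
# condition uses the file's SHA256, which changes with every update to the file.
$info = Get-AppLockerFileInformation -Path "$env:SystemRoot\System32\cmd.exe"
$info.Publisher
$info.Hash

# Principals every standard user belongs to. Write access for any of them under a
# folder covered by an allow path rule lets a user drop a binary the rule then allows.
$untrustedPrincipals = @('BUILTIN\Users', 'Everyone',
                         'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeRights = [System.Security.AccessControl.FileSystemRights] `
    'Write, Modify, FullControl, CreateFiles, CreateDirectories'

function Find-UserWritableSubfolder {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                # Only Allow entries for untrusted principals that grant some write bit count.
                if ($ace.AccessControlType -eq 'Allow' -and
                    $untrustedPrincipals -contains $ace.IdentityReference.Value -and
                    (([int]$ace.FileSystemRights) -band ([int]$writeRights)) -ne 0) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
}

# Each hit is a folder where the default "%PROGRAMFILES%\*" path rule would also
# allow user-supplied files; cover such folders with publisher or hash rules instead.
Find-UserWritableSubfolder -Root $env:ProgramFiles | Format-Table -AutoSize
```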

Modify Windows Installer Default Rules to Allow an App

Windows Installer Default Rule Types Include:

  • Allow members of the local Administrators group to run all Windows Installer files.
  • Allow members of the Everyone group to run all digitally signed Windows Installer files.
  • Allow members of the Everyone group to run all Windows Installer files that are located in the Windows\Installer folder.

Similarly, if you want to modify the Windows Installer default rules, repeat the steps above.

Wildcard characters can be used as values in the publisher rule fields according to the following specifications:

Publisher: The asterisk (*) character used by itself represents any publisher.

Product name: The asterisk (*) character used by itself represents any product name.

File name: Either the asterisk (*) or question mark (?) characters used by themselves represent any and all file names.

File version: The asterisk (*) character used by itself represents any file version. If you want to limit the file version to a specific version or as a starting point, you can state the file version and then use the following options to apply limits:

  • Exactly. The rule applies only to this version of the app.
  • And above. The rule applies to this version and all later versions.
  • And Below. The rule applies to this version and all earlier versions.

Open Exceptions and then again select Publisher.

Modify Script Default Rules to Allow an App

Script Default Rule Types Include:

  • Allow members of the local Administrators group to run all scripts.
  • Allow members of the Everyone group to run scripts that are located in the Program Files folder.
  • Allow members of the Everyone group to run scripts that are located in the Windows folder.

Similarly, if you want to modify the Script default rules, repeat the steps above.

Select the file or folder path that this rule should affect.

Open Exceptions and then again select Publisher.

In this way you can implement the default rules and modify them for executable files, scripts or Windows Installer files according to your situation.

Creating New Rules to Block an APP

If you want to make your own rule to allow or deny an action for any application, choose the “Create New Rule” option. Let’s say I want to create a new executable file rule to restrict command prompt execution for everyone.

You will then get a wizard that helps you create an AppLocker rule based on file attributes such as the file path and the digital signature.

NOTE: Install the applications you want to create the rules for on this computer.

Now choose the action to use and the user or group that this rule should apply to. A deny action prevents the affected file from running.

Select the type of primary condition that you would like to create. Here we have chosen the “Publisher” option.

Browse for a signed file to use as a reference for the rule. Here we browse to cmd.exe and then click Next.

Choose the Publisher as exception and then click Next.

And finally, this adds your rule restricting cmd.exe.

Set Application identity to Automatic mode:

Then navigate to the “Application Identity” service properties through Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Application Identity.

Then set the service startup mode to “Automatic”.

Now update the Group Policy with the gpupdate command.

Now when you try to open the command prompt “cmd.exe” you will get the restriction prompt shown.

Note: If you are configuring these rules on a single machine, it will take some time for the rule to take effect.
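The same “deny cmd.exe for Everyone by publisher” rule built with the AppLocker cmdlets instead of the wizard, then tested, enabled and checked in the event log. This is an added example, not the article's own steps; it assumes an elevated PowerShell, that the default rules were created as described above, and that the temporary policy path and rule name are choices made here.

```powershell
# Added example: deny rule for cmd.exe via cmdlets, plus verification and detection.
$policyXml = "$env:TEMP\deny-cmd.xml"          # scratch file chosen for this example
$target    = "$env:SystemRoot\System32\cmd.exe"

# 1. Generate a publisher rule from the file's signature. New-AppLockerPolicy emits
#    Allow rules, so the action is flipped in the XML in the next step.
Get-AppLockerFileInformation -Path $target |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 2. Turn the Allow rule into a Deny rule and widen the version range to "*" so
#    older and newer builds of cmd.exe are denied as well.
[xml]$doc = Get-Content -Path $policyXml
foreach ($rule in @($doc.AppLockerPolicy.RuleCollection.FilePublisherRule)) {
    $rule.Action = 'Deny'
    $rule.Name   = 'Deny cmd.exe for Everyone (publisher)'
    $rule.Conditions.FilePublisherCondition.BinaryVersionRange.LowSection = '*'
}
$doc.Save($policyXml)

# 3. Merge into the local policy (keeping the default rules) and ask AppLocker what
#    decision it would make for cmd.exe before relying on it: expect "Denied".
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $target -User Everyone

# 4. Rules only take effect once the Application Identity service is running.
#    Group Policy sets this through the path given above; on a single machine
#    sc.exe is used here because AppIDSvc is protected against Set-Service on
#    current Windows builds.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc
gpupdate /force

# 5. Detection: a blocked launch is logged as event 8004 in the AppLocker
#    "EXE and DLL" channel (8003 while the collection is in audit-only mode).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```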

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post Windows Applocker Policy – A Beginner’s Guide appeared first on Hacking Articles.

CVE-2019-6250 (debian_linux, libzmq)

A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control).

A hacker from the group "Humpty Dumpty" spoke about cooperation with the FSB

Konstantin Teplyakov, a former member of the hacker group "Humpty Dumpty", gave his first television interview after his release. The court released him on parole on New Year's Eve.

Recall that Anikeev, the leader of the hacker group "Humpty Dumpty", previously stated that they had no contact with the FSB. According to Anikeev, his companion Teplyakov carried out occasional assignments, and he (Anikeev) went to St. Petersburg only for personal reasons.

However, Konstantin Teplyakov gave the first TV interview after his release, in which he said that the group really worked under the guidance of the FSB.

According to Teplyakov, only Anikeev was in touch with the FSB officers.

"He regularly went to Moscow or St. Petersburg for consultation, while the rest of the group was abroad."

Anikeev never told his companions whom he met in Russia. According to Teplyakov, he took on the risks associated with communication with the authorities and special services.

Teplyakov believes that officers of the FSB's Center for Information Security could have cooperated with Anikeev, since they were arrested on charges of treason at the end of 2016, at the same time as the members of the group "Humpty Dumpty".

Teplyakov also said that a case was opened against the hacker group "Humpty Dumpty" because of the internal conflict in the FSB. "Some departments did not pay attention to our activities, while others were following us. It's just inconsistency."

It is worth noting that both members of the hacker group are already at large. Anikeev was detained in October 2016 and pleaded guilty in full, and Teplyakov was detained in December. Anikeev received two years in prison and was released in August last year. Teplyakov was sentenced to three years in prison and was released last December.