Recent blog posts

In the previous blog post here, we described the GHOST Linux glibc vulnerability in detail and its repercussions for the affected systems in terms of risk.

...


Hi everybody and welcome back to the NopSec Blog!

...

Usually I am not particularly a big fan of security doom scenarios, but looking at this week’s security news and the usual New Year’s security predictions I have to admit that I grew a bit concerned about the overall info security outlook. Here is the canvas:

...


Overview

Heartbleed (CVE-2014-0160) is a vulnerability with a CVSSv2 base score of only 5.0/10.0. Though its CVSS score is relatively low, Heartbleed has definitely been one of the most severe security events the Internet has ever seen. It is found in the OpenSSL cryptographic software library, which is omnipresent on the Internet, and it is a buffer over-read weakness in the library, a situation where more data can be read than should be allowed (http://en.wikipedia.org/wiki/Heartbleed). More than a half-million servers were found exposed to this vulnerability, which accounts for 30 – 70% of the Internet.

...


Overview

Here at NopSec, we have a growing system that we need to monitor and proactively fix issues in before they affect our customers. Previously, we monitored our system with a combination of AWS CloudWatch along with good old Linux tools (tail, grep, top, etc.). This is fine when your system only has a handful of instances, but it quickly becomes unsustainable as you scale up.

...


If you’re a security researcher or penetration tester you’re probably already well aware of the extensive array of tools available to help you. OpenVAS, Qualys, Nessus, Arachni, Burp, Wapiti, Skipfish, w3af … the list goes on and on. Choosing which tool to use may not be a simple task, and it tends to raise even more questions that need answering. What are you looking to accomplish? What features (and support) do you need? Do you need customization? And most importantly, as a hacker, how dirty do you want to get your hands to attain that perfect solution? For a recent initiative we decided to pursue a route that balanced commercial support and reputation with just enough openness to fit it to specific needs. That route is Burp by Portswigger.

...


Parameter injection is one of the most common classes of web application vulnerabilities exploited in the wild. This class of vulnerability implies that attackers inject known malicious strings into Hypertext Transfer Protocol (HTTP) request parameters in an attempt to cause unexpected application behavior. This class of vulnerability encompasses a large variety of attack methods including, but not limited to, cross-site scripting (XSS), SQL injection (SQLi), local file inclusion, and path traversal.

...

11.1 – Wireless Network Tests and Identification of Rogue Access Points

Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

...


The term “security breach,” and other similar phrases, have become commonplace. This year alone we have seen the data of millions of people illicitly accessed and stolen from the networks of giants like Target, eBay, and JPMorgan Chase. Each week there seems to be a new report on some company falling prey to ever-ready attackers.

...


NopSec is proud to be featured in the "Finovate Debuts" series, which highlights first time presenters at one of the three annual Finovate conferences. Finovate is a boutique banking technology research firm that also brings together financial technology innovators in events in Europe and the United States. The piece focuses specifically on NopSec's Unified VRM and how it allows banks to proactively secure their systems against hackers through the identification and prioritization of vulnerabilities.

...

Google security researchers Bodo Moller, Thai Duong and Krzysztof Kotowicz recently uncovered a vulnerability in SSL 3.0 that could allow secure connections to be compromised by attackers.

...

Call it good timing. After all the horrendous cyber security news of the past weeks, it feels great that our industry is joining forces, strengthening partnerships within the infosec community, and collaborating at Qualys’ annual security conference in Las Vegas this week.

...


It is no secret that hackers have been making the rounds, targeting organizations of all sizes, from national retailers to local financial institutions, using familiar exploits like Heartbleed and Shellshock to execute their hits. This recent spate of malicious attacks has shown just how vulnerable our Internet-based world is.

...


If you are, like us at NopSec, one of the companies that operate on the Amazon AWS cloud, the past couple of days resembled a perilous path. A series of reboots across the entire Amazon cloud forced us and most AWS-based cloud providers to spend long hours in the office or remotely to make sure things were in order after the reboot.

...


History

A remotely exploitable vulnerability has been discovered by Stephane Chazelas[1] in bash on Linux and OS X systems. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some.

...

Threat intelligence is an increasingly popular buzzword in security magazine articles and blogs. It is also becoming more prevalent in product and services offerings from security vendors. The value of threat intelligence is that it can provide timely information on real-time threats and help improve detection and mitigation response times. When paired with your vulnerability management process, threat intelligence becomes a powerful way to quickly prioritize remediation.

...


With the time, effort and resources that companies dedicate to penetration testing, it can be frustrating (at best) to not be guaranteed a successful outcome. Your organization may be trying to address the challenges of the consumerization of IT and bring-your-own movements, the shift to cloud computing, or simply trying to achieve regulatory compliance. Penetration testing allows you to understand where you need to focus your attention by determining the feasibility of a particular set of attack vectors. So what is the key to a successful penetration test?

...


No industry is immune to IT security breaches and it seems that retailers have been in the spotlight of late. Home Depot is the latest company to confirm a cyber-attack. For large publicly traded companies, the impact of a breach is measured by decreased sales revenue, lower stock prices, expenses associated with the breach, and departures of top executives. What are the ramifications for smaller companies?

...

Understanding how to effectively evaluate and select a penetration testing vendor can be a challenging exercise. Frequently the problem comes down to an inaccurate or misaligned definition of “penetration testing services”. To be clear, you need to be sure you are getting a true penetration test and not just a vulnerability scan.

...

A vulnerability assessment, also known as vulnerability testing, is the practice of detecting, classifying, prioritizing, and remediating security vulnerabilities in IT infrastructure and applications. Regulatory compliance, which commonly requires a documented security process, is a considerable driver for vulnerability assessments. Even if your company is not bound by any regulations, a vulnerability assessment should be a regular activity of every organization's security policy.

...

No industry is immune to IT security breaches. Recent breaches at Indiana University, Iowa State, the University of Maryland, and the University of North Dakota cumulatively impacted over 750,000 students, alumni, faculty and staff. In the case of higher educational institutions there is data exposure risk from personally identifiable information, such as social security numbers. It may come as a surprise that a number of these significant data breaches were the result of very simple mistakes.

...

Vulnerability management is the ongoing practice of detecting, classifying, prioritizing, and remediating security vulnerabilities in IT infrastructure and applications. For many companies, the remediation stage is where disappointment and frustration can set in. Prioritizing vulnerability remediation is the only surefire way to significantly reduce the risk of a cyber-attack. And if vulnerabilities are not tracked to remediation, the entire exercise is futile.

...

Security risks to information systems and sensitive data are expanding at a rate that can outpace an organization’s technical resources and expertise. Small to mid-sized companies without sufficient in-house resources to maintain an effective security program may consider outsourcing cyber-security to a managed security service provider (MSSP). Knowing exactly what security functions to outsource is a key decision.

...


As penetration testers know, spending nights awake to probe networks, servers and applications is common practice. For companies completing vulnerability scanning for the first time, or even for seasoned IT security veterans, deciding when to run a vulnerability scan is not a straightforward decision. Most of the time the penetration testing or vulnerability assessment is performed on production applications that need to be scanned outside business hours for performance reasons.

...

With any technology investment, budget is a core part of the decision criteria. IT security departments are expected to do more with less and still maintain a secure IT environment. However, with IT security solutions, more so than with other IT purchases, cost considerations can have a significant impact on a business’ overall risk of a serious security breach.

...


This is the time of year when companies gaze into their crystal ball and try to discern what lies ahead. And nobody is better at predictions than an industry analyst. Javvad Malik is a Senior Analyst for the Enterprise Security Practice at 451 Research. He recently posted a tongue-in-cheek video “2014 Information Security Predictions” on his blog, which warned of the imminent ‘Advanced Advance Persistent Threats’. Mr. Malik was kind enough to respond in a more serious manner to my questions regarding the coming year for vulnerability management.

...

According to reports released by the Information Security Forum and ISACA, cyber-security will continue to be a critical issue for businesses in 2014. Key threats include bring your own device (BYOD) trends, data proliferation, as well as privacy and regulation.

...

Many federal regulations such as GLBA, HIPAA and PCI require an annual penetration test. Customers often ask for our penetration testing services in direct response to a compliance request from an auditor or industry regulator. NopSec recommends a penetration test to determine a baseline of your company's security posture.

...


This is the time of the year that we get a lot of inquiries about performing an annual penetration test. In every organization there are trade-offs of time, resources and budgets. So the inevitable question that arises is, “How much does/should a penetration test cost?” The truthful answer to this question is, it depends.

...

Reports in the news make it clear that the sophistication of cyber-attackers continues to evolve. So why do so many companies rely on an annual penetration test as the only safeguard against a cyber-attack? Some reasons include: lack of resources, limited budgets, insufficient leadership support, and organizational barriers. However, another reason is that the role of penetration testing in overall vulnerability risk management is not well understood.

...