
Kevin Beaumont


Kevin Beaumont last won the day on January 21


Personal Information

  • Bio
    Security Operations Centre Manager, once got punched in the arm by Lucy Lawless.

  1. I've fixed the issue where email invites were broken, and a bunch of other under the hood issues.

  2. Nice reference to you and Marcus on Microsoft Defender Security Centre, Kev... I see you continue to keep a low profile 🙂 Don't forget my offer to find your house and be there with a cup of tea when you wake up.

  3. I think as usual with Chrome stuff, as no code is disclosed nobody will know the deets.
  4. Cheers. It looks like you need to have a pretty specific config to end up vulnerable to this.
  5. I had to start the site in DR, we lost about an hour's new posts, if anybody made them.  Sorreeeee.

  6. Moving this topic public as the issue has made the media: https://news.sky.com/story/job-applicants-worried-as-hundreds-of-thousands-of-cvs-exposed-online-11836935
  7. For a home Mac I wouldn’t bother.
  8. That probably isn’t the use case for HIBP, e.g. they don’t provide passwords.
  9. I did a PoC with it at Crabbers back in 2016, but didn't reach the pentesting phase I'm afraid. I aborted out of it for cost reasons more than anything, and at the time the product functionality wasn't very broad (I bet it has improved a lot since). With Windows 10 nowadays it has lots of exploit protection built in, e.g. at current jobbing we have all the different exploit prevention technology turned on with Group Policy in Windows 10 pilot:
  10. I haven't seen anything in my honeypots, just the usual RDP bruteforce stuff.
  11. There's some more background on how a group used this to hack Twitter and claim a bug bounty: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
  12. For some reason the vendor is lying to the press about the scale of the issue, saying a majority of customers have patched. Interesting response plan.
  13. Some logs you can retrieve with this remotely:

     https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.admin.vc0?/dana/html5acc/guacamole/
     https://host/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/logs/log.access.vc0?/dana/html5acc/guacamole/

     As an attacker you can use these to figure out to some degree if the box has been tampered with already. Note that to have a hope of figuring out exactly what attackers tampered with, you need to manually enable "Unauthenticated Web Requests" logging (it is disabled by default) under System -> Logs/Monitoring in the Pulse Secure admin centre. As a result of this, many orgs compromised before they installed the patch will not realise if attackers have created backdoors, and they may still be compromised. I recommend turning on logging and looking at the admin logs - it won't catch everything (because HTTP requests aren't logged) but you might find other signs of tampering. Shoutout to Alyssa Herrera who continues to figure out this vulnerability.