OpenSecurity.global

Kevin Beaumont

Members · Content Count: 205 · Days Won: 20 · Invited by: DarkOverlord

Everything posted by Kevin Beaumont

  1. 2.137.127.2 is continuing to scan the internet for this. Also on AbuseIPDB: https://www.abuseipdb.com/check/2.137.127.2
  2. I mean.. why are the passwords output, regardless of the bug? This does not feel okay, it seems super ‘completely insecure and deliberately backdoored’ to me.
  3. It's a good question, you could argue it's 'just' scanning. But a 'home' IP yada, if they're finding stuff I imagine they're changing the path.
  4. CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild. I've seen it being exploited today, a few hours ago for the first time, via BinaryEdge.
     Timeline:
     24th April 2019 - Vendor advisory.
     14th August 2019 - TLP Rainbow post.
     20th August 2019 - Exploit posted publicly.
     22nd August 2019 - Exploitation in wild.
     Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.
  5. CVE-2018-13379 is being exploited in the wild on Fortigate SSL VPN firewalls. These exist as a perimeter security control, so it's a bad vulnerability. Using BinaryEdge.io I can see scanning activity from last night for the first time for this vulnerability: the scanning traffic is taking place across the whole internet it appears, spray and pray style. The vulnerability is ridiculously easy to exploit, it's a 1996 style pre-auth ../ webserver exploit to read plain text administrator credentials:
     Timeline:
     May 24th 2019 - Vendor posts advisory - https://fortiguard.com/psirt/FG-IR-18-384
     June 4th 2019 - Vendor updates advisory to correct impacted versions.
     August 9th 2019 - Blog explaining the different vulnerabilities in FortiOS, including this one.
     August 14th 2019 - Exploit appears on GitHub and exploitation details posted in TLP Rainbow.
     August 17th 2019 - Another exploit, checks if vulnerable before exploit.
     August 21st 2019 - Exploitation seen in wild.
  6. Or VirtualBox. OpenSecurity runs on a single server with 2GB of RAM btw and a crap processor.
  7. yeah that's a good way of doing it. Personally I use Microsoft Authenticator, which lets you add Google Authenticator tokens - and backs up to iCloud on iOS. It's obviously still flawed as you can recover iCloud via SMS, of course.
  8. Join with a bunch of numbers at the end, and I'll strip them off as I see 'em. It was to stop people signing up as Dave and such.
  9. There's a few of these 😄 already seen exploit traffic in honeypot btw.
  10. Yeah it really does depend on the tooling. I found Rapid7 poor for reporting as it’s too rigid, I basically ended up being unable to provide mgmt with the numbers in a format they wanted (rightly) because the tool didn’t support it.
  11. Vulnerability management, or patch management? For patch management I'd just use WSUS for Windows systems, it shows what you need. For vulnerability management, if you're using something like Rapid7 I'd risk accept Spectre and Meltdown style vulns so they don't appear in reporting, and produce reports from the rest.
  12. Every company I've worked at has had a manual spam mailbox thingy, due to spam filtering not working as well as it should. It's good for us as Microsoft are so bad at securing Azure and Office365 we get O365 phishing hosted by Microsoft getting through, keeps me in a job.
  13. I work in a SOC where people forward spam to be blocked 😄
  14. At work I've just been upgraded from a laptop running 32-bit Windows 7 with 4GB of RAM (3GB usable due to 32-bit). I've now got 8GB of RAM, ooooo. At home I have a Chromebook with 2GB of RAM and a gaming PC built in 2011 with an AMD processor from when AMD were more terrible than they are now.
  15. Aye, for me it’s a similar one to hype execs have nowadays about AI replacing the need for security people. Yeah: but no.
  16. My view is: won't happen. Automation is and will continue to happen, e.g. most (but not all) orgs have invested in SCCM etc to automate PC deployment for example, but they still need people to build those images for deployment, set the Group Policy etc. I think sysadmins will end up doing slightly more interesting work.
  17. It's a bit of a tricky risk one - it's pretty easy to get around things like AppLocker if you know what you're doing. You can run AV with VDI, last two jobbings have done it. That said, application whitelisting is quite often more successful than AV, make of that what you will.
  18. Some people have used the one time name change to change to nicknames. That wasn't the intention of the feature, which also had a banner describing why it is there. If it keeps getting abused it will get removed.
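Posts 4 and 5 above both describe pre-auth ../ path-traversal bugs on perimeter SSL VPNs being sprayed across the internet. Below is an added example, not code from the forum, Kevin Beaumont, or either vendor, of the detection logic a SOC would run over web server access logs to catch that class of probe regardless of product: it undoes repeated percent-encoding, resolves ".." segments in both the path and each query parameter, and flags any request that climbs above the web root. The log lines are constructed for the example (RFC 5737 test addresses, invented paths); the field layout is the standard Apache/nginx "combined" format. The threshold, the log regex and the function names are the example's own choices, not anything from the posts.

```python
"""Flag directory-traversal probes in web server access logs.

Added example for the CVE-2019-11510 / CVE-2018-13379 discussion above. Not the
vendors' or the poster's code; the sample log lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target PROTO" status size ...
# Referer and User-Agent may follow; they are not needed for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(s, max_rounds=5):
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..).

    Scanners double-encode to slip past naive filters; decode until the string
    stops changing, with a cap so a pathological input cannot loop forever.
    """
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def climb_above_root(target):
    """Return how many directory levels a request tries to climb above the web root.

    0 means benign (including '/images/../css/x.css', which resolves inside the
    tree). The path and every query parameter value are examined separately,
    because traversal payloads are frequently carried in a parameter rather
    than the path itself. Backslashes are treated as separators too.
    """
    decoded = fully_decode(target).replace('\\', '/')
    worst = 0
    for chunk in re.split(r'[?&;=]', decoded):
        level = 0
        for seg in chunk.split('/'):
            if seg == '..':
                level -= 1
                worst = min(worst, level)
            elif seg not in ('', '.'):
                level += 1
    return -worst


def scan_log(lines, min_climb=1):
    """Parse combined-format lines and return the requests that climb above root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        climb = climb_above_root(m['target'])
        if climb >= min_climb:
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'target': m['target'],
                         'climb': climb, 'status': int(m['status'])})
    return hits


def by_source(hits):
    """Count flagged requests per source IP, which is what you triage first
    when traffic is spray-and-pray from a handful of scanners."""
    return Counter(h['ip'] for h in hits)


# Constructed sample log (RFC 5737 test addresses, invented paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Aug/2019:03:14:07 +0000] "GET /remote/login HTTP/1.1" 200 1532',
    '198.51.100.7 - - [22/Aug/2019:03:14:09 +0000] '
    '"GET /static/../../../../../../../etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.42 - - [22/Aug/2019:03:15:01 +0000] '
    '"GET /portal/index.html?lang=%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 871',
    '203.0.113.42 - - [22/Aug/2019:03:15:02 +0000] '
    '"GET /x.php?f=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 213',
    '192.0.2.10 - - [22/Aug/2019:03:16:30 +0000] "GET /images/../css/site.css HTTP/1.1" 200 4410',
]

if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']:15} climb={h['climb']} status={h['status']} {h['target']}")
    print('per source:', dict(by_source(found)))
```

A 200 response on a flagged request is the line to escalate: it means the traversal was served, not merely attempted. Two caveats a practitioner should keep in mind: `unquote` does not decode overlong UTF-8 forms such as `%c0%ae`, so add those to the normalisation if the target platform is known to accept them; and on the VPN appliances discussed above the web server log itself may be sparse or absent, so the same logic is better applied to a reverse proxy, IDS HTTP log, or a honeypot in front of the device.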