Jump to content
OpenSecurity.global

Kevin Beaumont

Members
  • Content Count

    205
  • Joined

  • Last visited

  • Days Won

    20
  • Invited by

    DarkOverlord

Everything posted by Kevin Beaumont

  1. I've emailed Akamai, it appears to be some kind of managed multi CDN solution. Data contains IP address, request URL, browser agent, date and time. Screenshot, not exhaustive obviously.
  2. Indictment PDF: https://www.dropbox.com/s/z7u5rxcdajuvw6t/19718675504.pdf?dl=0 A bunch of things stand out: Why did the WAF account apparently have access to the S3 storage buckets? Why wasn't the data of hundreds of millions of people's credit checks encrypted? Should that kind of data have been left for so long in cloud buckets? Why didn't they notice all these S3 buckets being sync'd to a random VPN IP address? It happened 4 months ago. Why didn't they notice the Gitlab pages listing their config? Why didn't they notice until somebody random emailed them to tell them? I don't know if more details will go public (they probably don't want it to get to trial for obvious reasons). I guess lessons learned from outside looking in is: - Monitoring. Ingest your cloud logs. Alert against them. Monitor sites like Github and Gitlab for obviously sensitive information, e.g. usernames, bucket names etc. And yes, this is the kind of incident that would (and still will) catch many orgs with their pants down, Capital One aren't alone. It looks like the same person behind this one hit other fintech orgs too, looking at their online files - I'm going to guess they haven't noticed yet either.
  3. The browser just uses whichever certificate it has been provided via the network and validates it as usual, e.g. if the cert is signed by a CA it trusts and the certificate is valid, it doesn't show a warning. I don't have a link to hand re the Kazakhstan certificate but the website is reachable, it just tells you have to install it on different devices.
  4. I guess you could have a break glass admin account outside of MFA policy - then use that to reconfigure things if things go wrong. If you use Conditional Access I guess you could whitelist everything to bypass MFA then.
  5. For me it's basically the same as what do you do if Office365 goes offline again - you wait for MS to fix it sadly.
  6. If somebody/something is intercepting the traffic at network layer, it can present whatever certificate it wants. So say on a corporate network, you intercept the traffic and rewrite it to use a custom CA signed certificate - that way the client end trusts it, and you can see inside the traffic.
  7. For Internet Explorer, Edge and Chrome you just inject it into the Windows CA store, you can do this with Group Policy. For Firefox, https://wiki.mozilla.org/CA/AddRootToFirefox In the case of Kazakhstan they just get people to manually import it.
  8. haha, this has done what I've been working on in my spare time - I have been working on a TCP-over-DoH tunnel, which does TCP tunnels within DNS-over-HTTPS, so basically you get an encrypted tunnel through Google's servers. Mine was shite though, I'll have to try this.
  9. Another option is take Microsoft up on the "free" security updates to Windows Server 2008 R2 when using Microsoft Azure. Microsoft still support Windows Server 2003 in Azure, so it's kinda a legacy cash cow for them... maybe hence why they don't want to solve the on premise time bomb.
  10. If you’re deploying at a greenfield site Azure Sentinel is pretty good as it’s very easy to get up and running, and cheap. And they have good built in threat detection and such. The struggle with Splunk has been very real for me. I think it’s too big for many orgs.
  11. SIEM solutions save my ass all the time, as does AV - it's the only way to have some insight and basic control in an organisation of this size, as I can't reinvent how the company does IT from within a Security Operations function. Problems occur around how companies deploy these technologies - e.g. with AV they often fail to set and enforce sane defaults (e.g. Windows Defender customers often don't turn on the MAPS telemetry - which is the best feature for protection) and look after the installations (e.g. in a company a few year into its current AV journey, you will often find hundreds+ of broke AV installations due to lack of disk space etc. With SIEM you'll find companies who spend big to splurge everything into the system, and then have no real detection rules.
  12. If it’s Palo-Alto, assuming you have SSL decryption set up (set it up) you can just block the application dns-over-https - Palo Alto use application classification where they look at the traffic and decided what it is, and they have definitions for the RFC standard for this. Also keep your Palo-Alto upgraded 😅
  13. No, the browser just uses whatever cert it is told to use.
  14. When the person browses to Facebook, we intercept the traffic and rewrite it with our own certificate. So the browser uses our cert.
  15. This is how enterprises monitor SSL traffic - e.g. here we install a self-signed root CA on every endpoint, and then intercept traffic. Browsers have never protected against it. So as I'm browsing this at work in Chrome I see a valid certificate, but if I look it is signed by somebody else (i.e. my work): This site is also served with TLS 1.3, which many people in InfoSec think can't be intercepted - but it can as we do it. TLS 1.3 has become another one of those InfoSec urban myths.
  16. The site is just off the shelf stuff with minor tinkering. I like PHP though, I think it's pretty easy to pick up. It has a bad security reputation but you can harden it - e.g. here AppArmor is running on the webserver, and the PHP config disables unused and risky functions.
  17. Nothing wrong with PHP. Bias notice: this site is coded in PHP.
  18. There's technical thing on how they're doing it here: https://censoredplanet.org/kazakhstan Amusing one is it's pitched as preventing malware and fraud, but the list of censored sites is all stuff allowing communication interception and news site altering. Shocked!
  19. So lots of ISPs (including in the UK) proxy HTTP traffic - eg every BT customer and ADSL customer using OpenReach network go through transparent proxy. In Kazakhstan they’re also now proxying all HTTPS traffic, by requiring all devices have a root CA installed to allow transparent decryption. This is how SSL/TLS interception works in the enterprise, it allows them to sniff any encrypted traffic as needed.
  20. Yeah they’re selling the exploit, maybe Dave Aitel can create the next WannaCry.
  21. Hi, I'm Kevin. I am currently the Security Operations Centre Manager at a company in Manchester. I started my career back in the late 90s, and was a founding member of the Teenage Mutant Hero Turtles fan club, Laceby Village, Grimsby, North East Lincolnshire division. I haven't not had a job since then thankfully, and I've had the pleasure to worth for four big companies doing big security, usually on a small budget. I love security, probably because it's the black and white TV era - it's new, it's not fully formed, there's a lot to learn and a lot to create as the industry isn't very mature still. It's also mildly terrifying because of those things.
×
×
  • Create New...

Important Information

We use cookies as we're cookie monsters. Privacy Policy