December 2, 2016

Misconfigured Amazon S3 storage buckets exposing private data

amazons3(LiveHacking.Com) – Some recent research has shown that thousands of Amazon customers are configuring their storage services incorrectly leading to potentially sensitive data being exposed on the Internet.  Amazon offers a cloud storage solution called Amazon Simple Storage Services, or S3 for short. This storage can be used to storage almost anything and is often used by businesses for private data like backups, company documents and logs files and for public content like web page graphics and PDF files.

Amazon organizes the S3 storage in local containers called “buckets” which have a predictable URL (http://s3.amazonaws.com/[bucket_name]/ or http://[bucket_name].s3.amazonaws.com/) and are either marked as private or public. A bucket public is one where any user can obtain a list of all the files in the bucket. Trying to access a private bucket will result in an access denied error, but accessing a public bucket will list the files in the container.

A tester a Rapid7 has performed some research to try to ascertain how many S3 buckets have been  misconfigured. The initial search for buckets revealed 12,328 buckets in total, of which 1,951 were publicly accessible. That means that 1 in 6 S3 buckets are open. According to the research these buckets contained some 126 billion files! It is unrealistic to test the access rights to so many files, but by testing a sample of 40,000 files Rapdi7 gained access to sales records and account information; affiliate tracking data; employee personal information and member lists across various spreadsheets; and video game source code and development tools for a mobile gaming firm!

The findings underline one of the core principles of computer security. Any security protection which isn’t configured correctly is the same as no security protection! For those using S3 the message is clear, check the permissions. Amazon have some useful information on protecting data stored in Amazon S3.

 

Ex-black hat hacker claims to have full backup for one of Yahoo’s domains

(LiveHacking.Com) –  A reformed black hat hacker, who now works as an ethical security researcher and penetration tester, has found zero-day vulnerabilities in several online services including some provided by Adobe, Microsoft, Yahoo, Google, Apple and Facebook. Since the tester, who goes by the name Virus_HimA, ceased black hat activities he started reporting the vulnerabilities to the vendors instead. According to his post on Pastebin, companies like Google reacted quickly to the reported flaws, but others like Adobe and Yahoo moved very slowly and in some cases didn’t even bother to reply to the disclosure emails they were sent.

As a result Virus_HimA has declared his intention to “teach both of them a hard lesson to harden their security procedures.” This is the better of two evils acording to the ex-hacker. “It would make a disaster if such companies vulnerabilities was privately used in the underground and they never know about it! not only their customers been affected but the vendors themselves also suffer from such exploits,” he wrote.

As part of his penetration activities, Virus_HimA claims to have access to:

  • Full files backup for one of Yahoo domains
  • Full access to 12 of Yahoo Databases
  • Knowledge of a reflected-XSS (Cross Site Scripting) vulnerability

The researcher has promised never to use, share, sell or publish any of the Adobe or Yahoo data and exploits anywhere, but rather is keen to establish his reputation. To this end when he released a small sample of data from Adobe, he specially chose to publish critical email addresses including those with a .mil  ending. This got Adobe’s attention which quickly started investigating the case, shut-down the vulnerable web site and emailed him asking for vulnerability details. Apparently Adobe are now working on a patch.

Analysis

This isn’t the first time a frustrated researcher has resorted to public exposure to get a large online business to move quicker with regards to security issues. Back in November PayPal were embroiled in a dispute with a security researcher who reported errors under PayPal’s security bounty scheme. A few weeks later Skype had to move quickly to fix an account hijacking flaw after it was posted online. The problem was that Skype had been made aware of the flaw some three months before hand.

The ethicality of such public exposure is questionable, however until some of the big online companies start to take these private disclosures more seriously they will continue to happen.

New Version of Metasploit Targets IPv6 Risks

(LiveHacking.Com) – Rapid7 has released a new version of Metasploit, its popular penetration testing toolkit, with new functionality to assess the security of IPv6 enabled systems. With Metasploit 4.2 users can test whether IPv6 addresses on their network are vulnerable to cyber-attacks. The framework includes hundreds of working remote exploits for a variety of platforms and the new IPv6 tests are important for organizations that have not methodically implemented an IPv6 network but rather has allowed it to creep in as operating systems and devices starting enabling IPv6 functionality by default.  For example, the default setting in Windows 7 and Windows Server 2008 is to give a higher priority to the IPv6 interface, rather than the IPv4 address, for management traffic and network shares.

“The number of IPv6-enabled systems has quadrupled over the last three years, broadening the attack surface for cyber attackers, with over 10% of the world’s top web sites now offering IPv6 services,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project.

Since IPv6 runs in parallel with IPv4 it is often not as well managed as an existing IPv4 network. It is essential that companies perform security assessments to audit IPv6-enabled internal and external hosts. Rapid7 cite the example of organizations who have blocked zone transfers on their DNS servers for IPv4, but left this common flaw wide open on IPv6. Another real world example is the use of firewalls that have been correctly configured to  filter IPv4 traffic but that accept all IPv6 traffic. Further more, some older Intrusion Prevention Systems (IPS) may even be completely unaware of IPv6 traffic.

Metasploit 4.2 is available immediately from rapid7.com. The new features are available in both the open source and commercial editions of Metasploit.

 

 

Rapid7 Introduces Metasploit Community Edition

(LiveHacking.Com) – To coincide with the second anniversary of Rapid7’s acquisition of the Metasploit project, it has announced that as of version 4.1 of Metaploit, there will now be a Metasploit Community Edition, a free commercial product that is available for both personal and professional use. Metasploit Community Edition includes the same network discovery, data import, and Nexpose integration as its Metasploit Pro counterpart.

Rapid7 are releasing the Metasploit Community Edition to address the growing gap between two types of users: The security researchers and developers who want a powerful platform to build custom tools and exploits using the console interface and the security and IT professionals that use the Metasploit Framework to conduct security assessments and verify vulnerabilities.

The free Community Edition provides a simple path for identifying targets, selecting an exploit, and launching it. Sessions can be managed through the user interface and have full access to the extensive post-exploit modules built into the Metasploit Framework.

“The best way to tackle the increasing information security challenge is to share knowledge between practitioners, open source projects and commercial vendors,” said HD Moore, Rapid7 CSO and Metasploit chief architect. “With that in mind, we’ve combined the Metasploit Framework with Rapid7’s commercial development to bring together the best of both worlds – the collaboration of security researchers around the world with quality-tested and stable commercial features. The new Metasploit Community Edition will greatly help security professionals seeking to understand risk and improve their security programs without needing to increase budgets.”

Metasploit Community Edition is available today as part of the Metasploit 4.1 release.

New Service Brings Crowdsourcing to Penetration Testing

(LiveHacking.Com) – Crowdsourcing, a term first used back in 2006, has proved a popular way to outsource tasks to large groups or communities (i.e. “the crowd”), where small actions by large numbers can achieve quick results. This idea has now been adopted in the area of penetration testing. Hatforce.com is a new service which rewards ethical hackers for performing penetration tests for willing clients.

The idea is simple. A client signs up to the Hatforce.com web site and offers a financial reward, say $70, for every vulnerability found in their web site or software. Ethical hackers then sign up to Hatforce.com and sign a legal agreement giving them the authority to “hack” the clients resource. If any vulnerabilities are found then they are paid.

The idea of asking “the crowd” to engage in security related tasks was popularized by Google with its Chromium Security Awards scheme. Under Google’s scheme software developers are rewarded for finding security related bugs in Google’s Chrome browser and in the WebKit HTML and Javascript engine. To date Google has paid out hundreds of thousands of dollars in rewards and some people like Sergey Glazunov have become semi-famous for their consistent work in find security holes.

Metasploit 4.0 Released With 20 New Exploits

(LiveHacking.Com) – The first iteration of the 3.x series of Metasploit was released five years ago. Now after uncountable hours of coding and testing, the Metasploit Framework 4.0 has been released. This new release ships with 716 exploit modules, 361 auxiliary modules, and 68 post modules. As well as 20 new exploits, 3 new auxiliary modules, and 14 new post modules since V3.7.2.

Metasploit Framework 4.0 comes with an abundance of new features and bug fixes. There are 14 new post modules including new password-stealing post modules. Adding to Metasploit’s extensive payload support, Windows and Java Meterpreter now both support staging over http and Windows can use https.

Six of the twenty new exploits came via the recent Exploit Bounty where contributors were paid $500 or $1000 (in the form of American Express gift cards) for creating any exploit module for an item from Metasploit’s top 5 or top 25 exploit lists.

Also new in V4.0 is a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets.

Metasploit 4 is available to download from the project’s site where you can also find update instructions. Full details of this release can be found in the Release Notes.

Netsparker Version 1.9.0.5 Released

Mavituna Security Ltd has released a new version of Netsparker, Web Application Security Scanner. According to Mavituna Security blog, the Netsparker version 1.9.0.5 has two new security tests and many new features as follow:

New Redirect Tests

This release introduces 2 new security tests, which confirm whether redirects in the web application are working as expected. If the application sends a redirect back but keeps processing the page this generally indicates a bug. The impact of the bug can vary from “Authentication Bypass “ to a simple forgotten line in the code. However, it almost always indicates a bug that needs to be addressed.

New Features

  • Microsoft Live ID, SSO Authentication Support
  • Vulnerability Summary added to reports
  • Summary Report added to Sitemap. When you click name of the website that you are scanning from the sitemap Netsparker now shows a summary report of the current scan.

Improvements on Security Tests

  • Blind SQL Injection coverage improved
  • Protocol-agnostic Open Redirection checks added
  • LFI security test coverage improved
  • Version information automatically added to all Error Based SQL Injection issues now
  • New XSS checks added to bypass blacklists

Other Improvements and Bug Fixes

  • A Form Parsing bug fixed in Text Parser
  • An error log in Blind Command Injection Engine fixed
  • Some URI Based XSS issues were reported multiple times
  • Minor bugs fixed in the Detailed and XML Reports
  • Typo fixed in CSV Report
  • Set-Cookie headers wasn’t working properly in Redirects
  • Netsparker now supports multiple set-cookies with same cookie name
  • Anti-CSRF token support improved for Form Authentication
  • A bug fixed in profile save with NTLM authentication
  • Naming in certain vulnerabilities changed. New naming uses “Confirmed”, “[Probable]” and “[Possible]”.
  • Several bugs about JavaScript parsing and Form Authentication addressed

Visit Mavituna Security website for more information and educational videos.

 

Source & Picture: mavitunasecurity.com

Metasploit Framework 3.7.0 Released

Two months after the release of the Metasploit Framework 3.6, the Metasploit team has announced the availability of Metasploit Framework 3.7.0. Since V3.6 the developers have focussed on one of the least-visible, but most important pieces of the Metasploit Framework; the session backend. This overhaul increases performance in the presence of many sessions and allows for a larger number of concurrent incoming sessions in a more reliable manner.

Metasploit now ships with 685 exploit modules of which 35 are new, 355 auxiliary modules (15 new), and 39 post modules (17 new).

V3.7 also includes some new features:

  • Support for SMB signing, enabling pass-the-hash and stolen password attacks against Windows 2008 Server environments.
  • The Microsoft SQL Server mixin (and all modules) now supports NTLM authentication.
  • Data import backend has undergone a rewrite, speeding up most import tasks by a factor of four.
  • OS information is now normalized to make fingerprinting more accurate and easier to deal with.

Highlights from the new modules include:

  • Apple iOS Backup File Extraction: Extract sensitive data from iTunes backup files (location, call history, SMS content, pictures, etc).
  • Exploits for two different Adobe Flash vulnerabilities exploited in the wild.
  • Code execution modules for MySQL and PostgreSQL when a valid login is available.
  • Exploit for the Accellion File Transfer Appliance Default Encryption Key flaw found by Rapid7.
  • Over ten new exploits for HP Network Node Manager (plus an HP OpenView exploit).
  • Post-exploitation module for privilege escalation through the .NET Optimizer Service.
  • Post-exploitation modules for stealing stored WinSCP and VNC passwords.

Metasploit Upgraded to V3.6 – Pro Version Has Better PCI DSS Compliance Reporting

Rapid7 has released V3.6 of its penetration testing suite Metasploit. The tools comes in three flavors: Pro, Express and open source. The most significant improvements have been made to the Pro version but Metasploit Express and the open source version have also had several improvements.

Metasploit Pro now generates reports for PCI DSS compliance with pass/fail information for applicable PCI DSS requirements. Also new to the Pro version is a feature that allows users to freely assign tags to assets based on multiple criteria such as compliance, operation workflow and team collaboration on different operational units.

Post-Exploitation modules is a new feature found in all editions. It includes more than a dozen modules that can be run on exploited systems to perform actions such as gathering additional information, pivoting to other networks and elevating system privileges.

This release also adds 15 new exploits making a total of 64 new modules since version 3.5.1 and brings the grand total to 648 exploit modules, 342 auxiliary modules, and 23 post modules.

Metasploit Framework 3.6.0, the open source edition of Metasploit, can be downloaded from here.

An Introduction to NeXpose Community Edition

Rapid7’s NeXpose is a vulnerability management tool which scans your network and identifies vulnerabilities across a wide range of devices and operating systems. NeXpose uses one of the world’s largest vulnerabilities databases to identify the vulnerabilities on your network.

And the great news is that there is a free community edition. The NeXpose Community Edition is a free, single-user version of NeXpose and is powered by the same scan engine as its big brother NeXpose Enterprise and offers many of the same features. The single biggest limitation is that it only works with up to 32 IP addresses, but this makes it perfect for small organizations or for individual use.

NeXpose Community Edition is available for MS Windows Server 2003 SP2 / Server 2003 R2 and several flavours of Linux including Red Hat Enterprise Linux 5, Ubuntu and SuSE Linux Enterprise Server. Note: There isn’t an official Windows XP version as XP has some limitations with regards to raw sockets which NeXpose needs to perform its scans.

It is also worth noting that NeXpose Community Edition needs 4 GB of RAM (on 32-bit machines) or 8 GB of RAM (on 64-bit machines), don’t try using it without the minimum amount of memory otherwise your machine will start swapping heavily.

Once installed and updated to includ the latest list of vulnerabilities, NeXpose Community Edition offers a comprehensive range of tools for scanning and reporting the vulnerabilities on your network.

Rapid7 have some useful YouTube tutorials here: http://www.youtube.com/user/NeXposeTutorials