
FIP9: About Pentesting and Cybersecurity Certifications with Hammad Amjad (OSCP, CPSA, CRT)
Episode in
FIP: First Infosec Podcast
Hi, friends
Happy to share with you the 9th episode of First Infosec Podcast.
Today's guest is Hammad Amjad (OSCP, CPSA, CRT).
We will discuss pentesting and cybersecurity certifications.
Watch First Infosec Podcast on YouTube
Follow FIP page on Instagram here
The post FIP9: About Pentesting and Cybersecurity Certifications with Hammad Amjad (OSCP, CPSA, CRT) appeared first on infosec.tinc.kz.
30:54
FIP8: Cryptographic Failures (OWASP Top 10)
What are Cryptographic Failures
Cryptographic Failures, also known as lack of cryptography, lead to exposure of sensitive data. Notable Common Weakness Enumerations included are CWE-259: Use of Hard-coded Password, CWE-237: Broken or Risky Crypto Algorithm, and CWE-331: Insufficient Entropy.
First of all, we need to determine which data need protection: for instance, passwords, credit card numbers, health records, personal information, and business secrets. All of these need an extra layer of security.
Here are the most important things to consider:
Do not send data in clear text. Avoid protocols such as HTTP, SMTP, and FTP unless they are protected with TLS. Pay attention to internal traffic as well, between load balancers, web servers, or back-end systems.
Ensure that your applications do not use any old or weak cryptographic protocols.
Generate strong cryptographic keys and avoid reusing them. Implement proper key management and rotation. Crypto keys should never be stored in code repositories.
Properly validate the server certificate and its trust chain.
Use passwords only where cryptographic keys cannot be used.
Do not use weak hash functions such as MD5 or SHA1.
How to prevent Cryptographic Failures
This list of recommendations is a minimum requirement.
All data processed, stored, or transmitted by the application has to be classified. Identify sensitive data according to privacy laws, regulatory requirements, or business needs.
Minimize sensitive data. Discard unnecessary data or use PCI DSS-compliant tokenization.
Use only up-to-date, strong, standard algorithms and protocols.
Encrypt all data in transit using TLS. Enforce encryption with HTTP Strict Transport Security (HSTS).
Do not cache responses that contain sensitive data.
Store passwords using strong, adaptive, salted hashing functions, for instance scrypt, bcrypt, or Argon2.
Where initialization vectors are used, generate them with a cryptographically secure pseudo-random number generator (CSPRNG).
Always use authenticated encryption, not just encryption.
Do not use deprecated cryptographic functions and padding schemes, for instance MD5, SHA1, or PKCS#1 v1.5.
For more information, visit the OWASP Top 10 website.
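As an added example (not code from the podcast or from OWASP), here is the unsalted MD5 password storage the episode warns against next to the salted, adaptive scheme it recommends, using Python's standard-library scrypt; the work-factor parameters and record format are assumptions for the example.

```python
import hashlib
import hmac
import os


def weak_hash(password: str) -> str:
    # Unsalted MD5: every user with the same password gets the same digest, and
    # MD5 is fast enough that the digest can be brute-forced or looked up in
    # precomputed tables. Shown only as the "before" of the fix.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# scrypt work factor; assumed values for this example, raise them as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def strong_hash(password: str) -> str:
    # The salt comes from the OS CSPRNG, so two users with the same password end
    # up with different records; scrypt is memory-hard and deliberately slow.
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # Store the parameters with the hash so the work factor can be raised later
    # without locking out existing users (assumed "$"-separated record format).
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # unknown or legacy record format: never accept it
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    # Constant-time comparison: a plain == returns early on the first mismatching byte.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    # Key-rotation check: True when the record does not match the current policy,
    # so the password can be re-hashed at the user's next successful login.
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return (int(parts[1]), int(parts[2]), int(parts[3])) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```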
The post FIP8: Cryptographic Failures (OWASP Top 10) appeared first on infosec.tinc.kz.
05:03
FIP7: Broken Access Control
Welcome to the First Infosec Podcast – your guide to the world of Informational Security. This is episode number seven and today we will talk about Broken Access Control.
In 2017 Broken Access Control was in fifth position. Since then this security risk has become far more prevalent. The most widespread Common Weakness Enumerations include CWE-200 Exposure of Sensitive Information to an Unauthorized Actor, CWE-201 Insertion of Sensitive Information Into Sent Data, and CWE-352 Cross-Site Request Forgery.
Access control restricts the actions of users according to their permissions. When it fails, the result is unauthorized information disclosure, modification or destruction of data, or a business function performed outside the user's limits.
Here are the most common access control vulnerabilities:
Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
Bypassing access control checks by modifying the URL (parameter tampering or browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.
Permitting viewing or editing someone else’s account, by providing its unique identifier (insecure direct object references).
Accessing API with missing access controls for POST, PUT, DELETE.
Elevation of privilege. Acting as a user without being logged in or acting as admin when logged in as a user.
Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.
CORS misconfiguration allows API access from unauthorized/untrusted origins.
Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.
How to prevent Broken Access Control
Access controls have to be implemented in trusted server-side code, so the attacker can not modify the access control check or metadata. Here are some rules to follow:
Deny by default, except for public resources.
Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing usage.
Model access controls should enforce record ownership rather than assuming that the user can create, read, update, or delete any record.
Unique business limits of the application should be enforced by the domain models.
Disable web server directory listing and delete file metadata (for example, .git) and backup files from web roots.
Log access control failures, and alert admins when appropriate (for instance, repeated failures).
Rate limit API and controller access to minimize the harm from automated attacks.
Invalidate stateful session identifiers on the server after logout. Stateless JWT tokens have to be short-lived so that the window of opportunity for an attacker is minimized. For longer-lived JWTs it’s highly recommended to follow the OAuth standards to revoke access.
Example Attack Scenarios
Scenario #1: The application uses unverified data in a SQL call that accesses account information:
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
An attacker simply modifies the browser's 'acct' parameter to send whatever account number they want. If the parameter is not correctly verified, the attacker can access any user's account.
https://example.com/app/accountInfo?acct=notmyacct
Scenario #2: An attacker simply force-browses to target URLs. Admin rights are required to access the admin page.
https://example.com/app/getappInfo
https://example.com/app/admin_getappInfo
If an unauthenticated user can access either page, it's a flaw. If a non-admin can access the admin page, that is a flaw too.
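Both scenarios rewritten as an added Python example (not the podcast's or OWASP's code): the Scenario #1 lookup as written, beside a version that enforces record ownership in the query, and a deny-by-default route table for the Scenario #2 pages. The account ids, owners, route names and session shape are constructed for the example.

```python
import sqlite3


class Forbidden(Exception):
    """Raised when the caller may not access the requested record or page."""


def make_db():
    # Constructed sample data (invented account ids and owners).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("acct-1001", "alice", 500), ("acct-2002", "bob", 1200)])
    return conn


def account_info_vulnerable(conn, session_user, acct):
    # Scenario #1 as written: the 'acct' request parameter goes straight into the
    # query. The placeholder prevents SQL injection, but nothing ties the record to
    # the logged-in user, so any user can read any account (insecure direct object reference).
    return conn.execute("SELECT acct, owner, balance FROM accounts WHERE acct = ?",
                        (acct,)).fetchone()


ACCESS_FAILURES = []  # stands in for the access-control failure log the episode asks for


def account_info_hardened(conn, session_user, acct):
    # Record ownership is enforced in the query itself, server-side, from the
    # authenticated session rather than from anything the client sent.
    row = conn.execute("SELECT acct, owner, balance FROM accounts WHERE acct = ? AND owner = ?",
                       (acct, session_user)).fetchone()
    if row is None:
        # Same outcome whether the record is missing or belongs to someone else,
        # so the endpoint cannot be used to enumerate valid account ids.
        ACCESS_FAILURES.append((session_user, acct))
        raise Forbidden(f"{session_user} may not access {acct}")
    return row


# Scenario #2: roles allowed per path. A path absent from the table is denied
# (deny by default); None marks a public resource.
ROUTES = {
    "/app/getappInfo": {"user", "admin"},
    "/app/admin_getappInfo": {"admin"},
    "/app/public/status": None,
}


def authorize(path, session):
    allowed = ROUTES.get(path, set())
    if allowed is None:
        return True  # public resource
    if session is None:
        ACCESS_FAILURES.append(("anonymous", path))
        return False  # unauthenticated user on a protected page
    if session.get("role") in allowed:
        return True
    ACCESS_FAILURES.append((session.get("user"), path))
    return False
```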
This is all for today. Thanks for your attention. I hope you enjoyed the episode. If so, click the like button, leave a review, and share the episode with your friends. You can also follow the channel and check out other episodes.
If you want me to dive deeper into some topic, please write us an email at infosec at tinc dot kz.
For more, visit the official OWASP website.
The post FIP7: Broken Access Control appeared first on infosec.tinc.kz.
07:32
Overview of OWASP Top 10
Welcome to The First Infosec Podcast – your guide to the world of Informational Security. This is episode number 6 and today we will overview OWASP Top 10.
The OWASP Top 10 is a list of the ten most critical security risks to web applications.
The document was developed for companies to help them secure the code of their products.
The official OWASP Top 10 website is here.
Every item on the list is a whole class which can include a number of vulnerabilities.
Well, let’s get straight to the list.
Top security risks by OWASP Top 10
On the top of the list is Broken Access Control. Access control of web applications limits users’ actions according to their permissions. Failures often lead to unauthorized information disclosure, modification, or destruction of data.
The second on the list is Cryptographic Failures. Lack of cryptography leads to exposure of sensitive data: for instance, passwords, payment information, health records, personal information, business secrets, etc. That, in turn, leads to violations of the General Data Protection Regulation (GDPR) or of financial data protection standards such as the PCI Data Security Standard (PCI DSS).
The third on the list is Injection. The most common injections are SQL, NoSQL, OS command, Object Relational Mapping, and LDAP injection. The concept is identical among all interpreters. These cases take place when user-supplied data is not validated, filtered, or sanitized by the application.
The fourth on the list is Insecure Design. The category focuses on risks related to design and architectural flaws, threat modeling, and secure design patterns. It’s important to note that an insecure design cannot be fixed by even the best implementation by definition.
The fifth on the list is Security Misconfiguration. These come from unnecessary features left enabled, default accounts, unchanged passwords, unset security settings in the application frameworks, etc.
Vulnerable and Outdated Components is sixth on the list. Your application is likely to be vulnerable when you don't know the versions of all the components you use, including nested dependencies; when the software is vulnerable, unsupported, or out of date; or when the compatibility of updated packages is not tested. It's important to scan your app for vulnerabilities regularly.
The seventh on the list is Identification and Authentication Failures. The process of confirmation of the user’s identity, authentication, and session management is critical to protect against this class of attacks. Default, weak, and well-known passwords, as well as brute force attacks, can be included here.
Also, Software and Data Integrity Failures are eighth on the list. Nowadays most applications rely on libraries and plugins, but not all of them test the integrity of these libraries before using them. For example, attackers can break into CDN and modify libraries used by the target application which can lead to total compromise.
The ninth on the list is Security Logging and Monitoring Failures. Security Logging can help to identify breaches that already occurred. It can help to minimize damage and prevent such attacks in the future. Monitoring Failures, in turn, leave a chance for attackers to stay undetected.
Last but not least, Server-Side Request Forgery is tenth on the list. SSRF means that an attacker can force the web application to make a request to third-party resources. Such requests can be addressed to the vendor's protected networks, VPNs, etc.
Please leave a review and share the episode on social media. If you have any questions or want me to dive into some topic, please, write an email to infosec at tinc dot kz.
The post Overview of OWASP Top 10 appeared first on infosec.tinc.kz.
06:54
Web Pentesters. How to get into pentest?
Who is Web Pentester?
A Web Pentester is an information security specialist who assesses web applications or websites by simulating hackers' attacks. Most people who want to become ethical hackers start from the web. I think there are two main reasons why you should start from the web. First, a lot of learning materials are available for free; I will give you some examples a little bit later. Second, you can start making money while you are still learning. For example, you can register on Bug Bounty platforms and practice and earn money simultaneously.
Resources for web pentesters
Now I want to share with you the topics and resources that deserve your attention. The first one is OWASP Top 10. It's a list of the 10 most common web application security risks. The latest version was released in 2021. Each item on the list is well explained with an overview, a description, how to prevent it, and example attack scenarios.
After that, I would recommend the Web Security Testing Guide by OWASP. It's a wonderful project with an emphasis on how to test web applications and how to find vulnerabilities. It includes more detailed information and specific requests for exposing vulnerabilities.
The next resource I would recommend is the Web Security Academy by PortSwigger. It's an online academy from the creators of one of the most popular tools among pentesters, Burp Suite.
It's a great resource to learn how to find vulnerabilities in web applications. The Academy offers newcomers a learning path. All topics are divided into 3 categories: server-side topics, client-side topics, and advanced. After completing all the labs you can try their certification and become a Burp Suite Certified Practitioner.
Bug Bounty platforms for web pentesters
Ok let’s talk about Bounties))
Participating in Bug Bounty programs is a great opportunity to hack real-world applications ethically and get paid pretty good money for the vulnerabilities you find. There are a lot of different platforms, but I want to mention the three most popular: HackerOne, Bugcrowd, and Synack.
Finally, I want to say that if you've chosen to be a penetration tester or ethical hacker, remember that you need to learn new things constantly, because information technology evolves very rapidly. Along the way, try to have fun, because in the end that is what life is all about.
The post Web Pentesters. How to get into pentest? appeared first on infosec.tinc.kz.
04:40
What is a TCP/UDP port? Why open ports are potential risks?
Ports make communication between devices possible. Devices connected to a network send and receive data through TCP/UDP ports. For example, email is sent through port 25, while websites work through port 80. Usually, "ports" refers to TCP and UDP ports, which in turn belong to the Transport Layer of the Internet Protocol Suite.
Leave a comment if you want me to talk more about TCP and UDP protocols in a separate video for our YouTube channel.
Port numbers range from 0 to 65535. The range is divided into Well-known ports, Registered ports, and Dynamic ports. Well-known ports are from 0 to 1023, Registered ports are from 1024 to 49151, and Dynamic ports are from 49152 to 65535.
Difference between open and closed TCP/UDP port
Ports cannot exist by themselves: behind a port there is a running service. When a service is running on a computer it opens a certain port, which means that the service is ready to accept connections. If that service stops, the corresponding port becomes closed, which means that all connections to it will be rejected.
How to determine service running on a TCP/UDP port?
There are too many ports (over 65000), so you can't learn all of them by heart. Previously, I used search engines to find the service running on a port. However, that can be tedious, so I created a Telegram bot named First Port Helper Bot. You just send it a protocol name and a port number, for example "tcp 8080" or "u 53", and the bot responds with the service name associated with that port.
Risks of open TCP/UDP port
Open ports can expose vulnerable services to bad guys. If the service or application running on the port is vulnerable, hackers can exploit the vulnerabilities, and the whole computer or system may be compromised. For instance, attackers scan your computer and find open TCP ports 139 and 445. Because 139 and 445 are Well-known ports, attackers assume that an SMB service is running on the scanned computer. If your SMB service is an old or vulnerable version, attackers can leverage it and get full control over your computer.
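The defender's side of the same observation, as an added example that is not from the podcast: audit a host's own listening sockets and flag the services the episode says should never face the Internet directly (SMB on 139/445, RDP on 3389) when they are bound to a non-loopback address. The sample socket listing is constructed for the example in the layout of `ss -tulnp` output, which is an assumed format here; the port-range labels follow the episode's numbers.

```python
import re

# Constructed sample in the layout of `ss -tulnp` (assumed format for this example).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         users:(("smbd",pid=1201,fd=35))
tcp   LISTEN 0      50     0.0.0.0:139        0.0.0.0:*         users:(("smbd",pid=1201,fd=36))
tcp   LISTEN 0      128    127.0.0.1:3389     0.0.0.0:*         users:(("xrdp",pid=1410,fd=12))
tcp   LISTEN 0      128    [::]:8080          [::]:*            users:(("java",pid=2231,fd=101))
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*         users:(("named",pid=640,fd=5))
"""

# Services the episode singles out as not to be exposed directly to the Internet.
SHOULD_NOT_BE_EXPOSED = {139: "NetBIOS/SMB", 445: "SMB", 3389: "RDP"}

LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def port_range(port: int) -> str:
    # Ranges exactly as the episode states them.
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic"
    raise ValueError(f"port out of range: {port}")


def is_loopback(addr: str) -> bool:
    # Bound to loopback only: reachable from the host itself, not from the network.
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def parse_listeners(text: str) -> list:
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header line or anything that is not a socket row
            continue
        proto, addr, port, rest = m.groups()
        pm = PROC_RE.search(rest)
        listeners.append({
            "proto": proto, "addr": addr, "port": int(port),
            "process": pm.group(1) if pm else "?",
            "range": port_range(int(port)),
            "exposed": not is_loopback(addr),
        })
    return listeners


def risky_exposures(listeners: list) -> list:
    # Listening on a non-loopback address means any network peer can reach it;
    # for RDP and SMB the episode's advice is VPN first, never the open Internet.
    return [(l["proto"], l["port"], SHOULD_NOT_BE_EXPOSED[l["port"]], l["process"])
            for l in listeners if l["exposed"] and l["port"] in SHOULD_NOT_BE_EXPOSED]
```

In the sample, RDP is bound to 127.0.0.1 (as it would be behind a VPN or SSH tunnel) and is not reported, while both SMB sockets on 0.0.0.0 are.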
How to mitigate risks of open TCP/UDP ports
Access ports through a secure Virtual Private Network, also known as a VPN. While using a VPN you don't expose your ports to the Internet. For example, you need RDP for remote administration of computers. However, it's too risky to leave the RDP port, TCP 3389, open to the Internet, so you configure a VPN. Now users need to connect to your VPN first before they can access RDP.
Scan your network for open ports regularly. Unused ports are often left open for different reasons. For instance, an administrator can open a certain port on a firewall during network tests and forget to close it.
Implement network segmentation. This means that you divide your network into multiple segments. For example, nowadays many organizations use CCTV cameras and need access to them from anywhere. So you can put all the cameras into a separate network segment. Even if the cameras are hacked, attackers will have no access to your main network.
Outro
This is all for today. Thanks for your attention. I hope you enjoyed the video. If so, click the like button, subscribe, leave a comment and share the episode with your friends. See you soon!)
Video on YouTube: What is a TCP/UDP port? Why open ports are potential risks?
The post What is a TCP/UDP port? Why open ports are potential risks? appeared first on infosec.tinc.kz.
07:36
Nimbuspwn. What is Privilege Escalation?
On April 26 the Microsoft 365 Defender Research Team disclosed new privilege escalation vulnerabilities in Linux, also known as Nimbuspwn. The vulnerabilities were found in a systemd unit called networkd-dispatcher. Fixes for the vulnerabilities are tracked as CVE-2022-29799 and CVE-2022-29800.
Let's consider what Privilege Escalation means. In most cases, during penetration tests, attackers first gain control with a level of access lower than they need. Here comes privilege escalation: they attempt to get a higher level of access or to obtain more permissions on the information systems.
For example, attackers broke through a web application and have access as the www-data user. They then apply different privilege escalation techniques to become root or a user with administrative privileges.
There are two types of privilege escalation: Horizontal PrivEsc and Vertical PrivEsc.
In the first case, an attacker expands their privileges by taking over another account and misusing the legitimate privileges granted to that user. This type is also known as lateral movement.
In the second case, an attacker attempts to gain more permissions or access with an existing account they have already compromised. For example, an attacker takes over a regular user account on a network and attempts to gain administrative permissions or root access.
How is PrivEsc actually realized? Here are the five most common vectors.
1. Credential exploitation for Privilege Escalation
Single-factor authentication leaves the door wide open to attackers planning on performing privilege escalation. If attackers obtain a privileged user’s account name – even without the password – it is a matter of time before they obtain the password. Once they obtain a working password, they can move laterally through the environment undetected. Even if the attacker is detected and the organization resets the password or reimages the affected system, the attacker may have a way to retain a persistent presence – for example, via a compromised mobile phone or rootkit malware on a device. This makes it important to thoroughly eradicate the threat and continuously monitor for anomalies.
2. Vulnerabilities and Exploits
Attackers can perform privilege escalation by exploiting vulnerabilities in the design, implementation, or configuration of multiple systems – including communication protocols, communication transports, operating systems, browsers, web applications, cloud systems, and network infrastructure.
The level of risk depends on the nature of the vulnerability and on how critical the system in which the vulnerability is discovered is. Only a small fraction of vulnerabilities allow vertical privilege escalation. However, any vulnerability that can allow an attacker to change privileges should be treated with high severity.
3. Misconfigurations
Privilege escalation very commonly results from misconfiguration, such as failure to configure authentication for a sensitive system, mistakes in firewall configuration, or open ports.
4. Malware and Privilege Escalation
Attackers can use many types of malware, including trojans, spyware, worms, and ransomware, to gain a hold on an environment and perform privilege escalation. Malware can be deployed by exploiting a vulnerability, can be packaged with legitimate applications, via malicious links or downloads combined with social engineering, or via weaknesses in the supply chain.
5. Social Engineering
Social engineering is used in almost all cyber attacks. It relies on manipulating people into violating security procedures and divulging sensitive or personal information. It is a very common technique used by attackers to gain unauthorized access and escalate privileges.
Social engineering is highly effective because it circumvents security controls by preying on human weaknesses and emotions. Attackers realize that it is much easier to trick or manipulate a privileged user than break into a well-defended security system.
You can read Microsoft's Nimbuspwn disclosure here.
The post Nimbuspwn. What is Privilege Escalation? appeared first on infosec.tinc.kz.
07:15
How to secure yourself from being hacked
Hi everyone! My name is T.F. Welcome to the infosec podcast from TINC.KZ – your guide to the world of information security. This is our episode number two and today we will explain how to secure yourself from being hacked.
We prepared 5 simple rules. Remember that this list is a minimum requirement and can be extended much further.
1. Use strong passwords
The main reason for the huge number of hacks is weak passwords. Cyber security researchers have compiled special lists of the most commonly used passwords and, sadly, they are far too simple. Please do not laugh, but the password 123456 is in first place.
A password has to contain different kinds of characters. Ideally it should consist of lowercase letters, capital letters, numbers, and special symbols such as hash, question mark, exclamation mark, percent, asterisk, etc.
The length of the password is also extremely important. The minimum requirement is 8 characters; the recommended length is 12 characters. In general, the longer your password, the better.
2. Enable two-factor authentication
Two-factor authentication helps to upgrade the security of your account. This feature exists on almost every online platform you use, including social media and other accounts (Instagram, Facebook, LinkedIn, Twitter, Google account, etc.). When two-factor authentication is enabled, after typing your password while logging in you will also have to type in a special code sent to your mobile phone number. Depending on the settings you configured, this special code can also be sent to your email.
So to login to your account you have to know 2 things: your password and random code.
3. Don’t click weird links
A lot of people don't pay much attention to this, but it's also important. Clicking a malicious link can be very dangerous, because bad guys can carry out different attacks through such links. When you click a specially crafted link, your passwords or other valuable information can be stolen.
Remember, when someone sends you a link don’t follow it instantly, put a second thought on it.
4. Don’t install suspicious software
Nowadays hackers have a lot of resources, so they can create software that looks normal but in reality may be designed to steal your passwords, collect personal information, etc. Install software only from official and trusted sources. Better still, ask someone with some knowledge of IT to help you install the software you need.
5. Uninstall unnecessary software
Over many years of working with computers and people, I noticed that people tend to keep programs they used years ago but don't use any more. This has a few drawbacks. For example, that software may be an old version and may contain bugs and vulnerabilities. Don't give the bad guys another opportunity such as old software; they love it.
This is all for today. Thanks for your attention. Please leave a review, share this episode and tag us on social media. If you have any questions please email us infosec at tinc.kz.
The post How to secure yourself from being hacked appeared first on infosec.tinc.kz.
05:15
The difference between Information Security and Cyber Security
Hi everyone! My name is Tim First. Welcome to the infosec podcast from TINC.KZ – your guide to the world of information security.
This is our episode number one and today we will explain why terms information security and cyber security are NOT the same.
For most people, the terms informational security and cyber security look similar. But these terms are NOT interchangeable.
In its most simple form cybersec deals with defending data in cyberspace, while infosec deals with the security of data in general.
Cyber Security
Speaking of definitions, cyber security is defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks, whether against business organizations or personal devices. Cyber security consists of several categories such as network security, application security, information security, operational security, and disaster recovery along with business continuity. Cybersec is designed to repel attacks by viruses, trojans, spyware, ransomware, adware, botnets, etc. Moreover, more advanced techniques such as SQL injection, phishing, denial of service and others can be used against it.
Information Security
Ok, let's consider infosec. In simple words, information security is the prevention of unauthorized access or alteration while data is being stored or transferred from one machine to another. The information can be biometrics, personal data, social media profiles, data on mobile phones, documents, etc. The main purpose of infosec is to cover three main objectives: confidentiality, integrity, availability. Shortly, CIA. Let's repeat again: confidentiality, integrity, availability. Confidentiality means that information of high value has to be blocked from unauthorised access. Integrity, in its turn, means that any modification by an unauthorised person has to be rolled back. And of course information of high value has to be accessible at any time by authorised staff. Infosec also includes developing policies such as an access control policy, a password policy, disaster recovery plans, regulatory compliance, etc.
In conclusion I have to say that the main focus of cybersec is cybercrime, cyber fraud and law enforcement, while infosec focuses on unauthorised access, disclosure and disruption.
This is all for today. Thanks for your attention. Please leave a review, share this episode and tag us on social media. If you have any questions please email us at infosec at tinc.kz.
The post The difference between Information Security and Cyber Security appeared first on infosec.tinc.kz.
04:46