I have created a small self-explanatory diagram that shows how front-line defences are often useless when your internal security architecture is not up to the mark.
Everything about threat intelligence, blue team, red team, pentesting, security audit, security review, testing and assessment.
Friday, August 14, 2020
Monday, May 11, 2020
SOC Monitoring Mindmap
The COVID-19 pandemic has significantly affected the worldwide economy. The rapid disruption to businesses around the globe has left organisations struggling to maintain security and business resilience.
In this fast shift, SOC teams often cannot monitor and track events coming from multiple sources, tools and departments, because they have either no visibility into the threat environment or too much visibility into their own infrastructure, which frequently leads them to false-positive incidents.
Sunday, November 24, 2019
Guidelines for Corporate Email Audit
Many security firms provide audit assurance to their clients, and auditing the corporate email system is one of their principal activities. In this article, I present 40 guidelines that an auditor or manager can use to audit a client's corporate email system. They include some technical guidelines and more procedural ones.
Labels: audit, compliance, corporate email, email, email encryption, mdm, o365, security
Auditing remote access process and procedures
In this article, I am going to share a small checklist that will help auditors and testers provide assurance on remote access processes and procedures for any company. This is not a technical article, but the controls defined in this list can be reviewed by managers and discussed with clients; for each part, they can go into more depth if they want to.
Thursday, September 26, 2019
Integrate Threat Intelligence program into your daily security operations - Phase 3 - Effectiveness of the Analysis Process
This is the fourth article in a five-article series on integrating threat intelligence into daily security operations. If you have not gone through the first three articles, I highly recommend reading them, as all the articles build on one another in sequence. In this article, I am going to talk about the effectiveness of the analysis process. Here are article 1, article 2 and article 3.
Labels: anonymous, APT, blueteam, cyber, cybersecurity, darknet, deepweb, edr, hacking, informationsecurity, infosec, intelligence, malware, redteam, security, threat, threathunting, threatintelligence, threats
Tuesday, September 17, 2019
Integrate Threat Intelligence program into your daily security operations - Phase 2 - Collecting Intelligence
This is the third article in a five-article series on integrating threat intelligence into daily security operations. If you have not gone through the first two articles, I highly recommend reading them, as all the articles build on one another in sequence. In this article, we are going to talk about phase 2, in which we discuss the intelligence collection strategy, methods and procedures. Here are article 1 and article 2.
Labels: anonymous, APT, blueteam, cyber, cybersecurity, darknet, deepweb, edr, hacking, informationsecurity, infosec, intelligence, malware, redteam, security, threat, threathunting, threatintelligence, threats
Saturday, May 18, 2019
Integrate Threat Intelligence program into your daily security operations - Phase 1 - Planning and Preparation
From the last article, located here, we now have most of the information needed to start the preparation and planning. In this article, I am going to explain how we can initiate the project and start preparing plans and procedures. This can be done in two phases.
1. Initial meetings with the internal team to discuss the organisation's current threat landscape.
2. Review of the observations, which helps to prepare a solid plan.
Labels: anonymous, APT, blueteam, cyber, cybersecurity, darknet, deepweb, edr, hacking, informationsecurity, infosec, intelligence, malware, redteam, security, threat, threathunting, threatintelligence, threats
Wednesday, May 15, 2019
Integrate the Threat Intelligence program into your daily security operations - Phase 0 - Introduction
The use of sophisticated malware is increasing enormously, and organisations often fail to understand the real intent behind such activities by large hacker groups, nation-sponsored attackers, organised cybercrime and cyber terrorists. These attacks result in revenue disruption, damage to public and private reputation, and the destruction of business processes and workflows.
Intelligence means staying ahead of the next threat targeting your organisation by implementing protective measures that protect your brand reputation, data, people, processes and technology infrastructure. I am assuming that whoever is reading this article has a little background knowledge of threat intelligence terminology.
Just having a threat intelligence product is not sufficient by itself; data should be collected, classified and correlated with hacking tools, tactics and techniques.
Labels: anonymous, APT, blueteam, cyber, cybersecurity, darknet, deepweb, edr, hacking, informationsecurity, infosec, intelligence, malware, redteam, security, threat, threathunting, threatintelligence, threats
Sunday, May 6, 2018
Stealing NTLM hash with BadPDF - A Technique to bypass AV and Endpoint protections
On April 26, 2018, the Check Point research team discovered a malicious exploit that can be embedded in PDF files and then sent to victims. After the victim opens the malicious PDF file, the victim's machine leaks the NTLM hash via the SMB protocol.
I created the malicious PDF and tested it on my personal machine, which was fully equipped with cutting-edge endpoint protection technology. It leaked the NTLM hash to the attacker. If the SMB protocol is open on the victim's machine, it will leak the hash through it.
I thought disabling the SMB protocol would patch this issue. So I turned off the SMB protocol on the machine, downloaded the PDF via the web browser and opened it through the Chrome browser only. In that case, the browser made an HTTP request to the attacker's machine, leaking the NTLM hash value.
Saturday, April 21, 2018
Android OS/Phone Security Hardening Guide
In this article, I am going to list all the security features that can be hardened on any Android phone operating system in order to improve the security of the user's phone. I believe there are plenty of articles available online on the same subject; however, each of them is missing one thing or another. Hence, my attempt here is to list every possible feature we can use to improve Android phone security.
Labels: android application, android hardening, android os, hacker, hacking, phone security, security
Friday, February 16, 2018
Datasploit usage using docker container - OSINT
Datasploit performs automated OSINT on a domain, email, username or IP address and finds relevant information from different sources. It is an easy-to-contribute OSINT framework: you write the code for the banner, main and output functions, and Datasploit automatically does the rest for you. It is useful for pen-testers, bug bounty hunters, cyber investigators, product companies, security engineers, etc. It collates the results and shows them in a consolidated manner, and tries to find credentials, API keys, tokens, sub-domains, domain history, legacy portals, usernames, dumped accounts, etc. related to the target. It can be used as a library, in automated scripts or as standalone scripts; it can generate lists that can be fed to active scanning tools; and it generates HTML output along with text files.
Thursday, January 11, 2018
Less perks and more pitfalls of cryptocurrency
I was always wondering whether or not to invest in cryptocurrency. I started looking at all the articles that exist on the internet. The majority of articles reflected the same advantages and disadvantages. However, after reviewing almost 50 different articles, what I have analysed is that there are more pitfalls and fewer perks.
So I gathered all the pitfalls of bitcoin to cover them in a single article. They are as follows. Thanks to the industry contributors.
Saturday, September 16, 2017
Android Kiosk Browser Lock down Security Testing Checklist
What is Kiosk Browser Lockdown?
In simple words, if you want to restrict the usability of a device that you hand to an employee or customer, you can use a kiosk browser lockdown facility to make that device single-purpose.
Generally, finance companies use this at their branches: when a customer comes in for any kind of help, a representative approaches them with a tablet running that bank's or company's application. That device may land in many hands, such as all of the company's employees and sometimes clients too. So, to restrict all of the device's other functionality, such as settings and other apps on the home screen, a company uses kiosk lockdown software, which can be paid or free.
Monday, May 1, 2017
Working with BurpSuite MobileAssistant Tool
Recently, on Friday, April 28, 2017, Burp Suite released its new tool, dubbed Mobile Assistant. It was released mainly for two purposes: it is designed to change the system-wide proxy setting and to bypass SSL certificate pinning. Currently, it is available for iOS 8 and later only. You can find more details on the official blog referenced below. Here I am going to give an in-depth tutorial, starting from setting up Mobile Assistant through to using it.
Friday, April 7, 2017
CVE-2016-7786 - Sophos Cyberoam UTM - Privilege Escalation
In this small article, I am going to share one of my zero-days, which I found a while back in a Sophos Cyberoam UTM device. A vulnerability classified as critical has been found in Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5. This issue affects an unknown function of the file Licenseinformation.jsp in the Access Restriction component. Manipulation with an unknown input leads to a privilege escalation vulnerability. Using CWE to declare the problem leads to CWE-264. Confidentiality, integrity and availability are impacted.
Labels: cyberoam, privilege escalation, security, sophos, zeroday
Thursday, March 30, 2017
Network Security VAPT Checklist
Hi guys, there are very few technical network security assessment checklists, so I thought I would share my own. Have a look and enjoy. Let's talk about scope first. If you are given 1000 machines to perform VAPT on, then here is your scope: a single machine can have 65535 ports open; any single port can run any service software in the world (for example, FTP can be served by SmartFTP, Pure-FTPd, etc.); and any single FTP software version (for example Pure-FTPd 1.0.22) can have a number of known vulnerabilities. If you multiply all of these together, it is impossible for any auditor to probe all ports and identify all services manually. Even if he or she were able to do so, it is impossible to check all the vulnerabilities pertaining to a single port on a single machine. Hence we have to rely on scanners such as Nexpose, Nessus, OpenVAS, Core Impact, etc. Here are some quick tools and test cases that one can use on commonly found ports in a network pentest.
Friday, March 3, 2017
Android Application Backup Vulnerability Testing
You must already know about the Android application backup process. The beauty of this vulnerability is that it sometimes works on non-rooted devices too. The vulnerability lies within the AndroidManifest.xml file.
Today we are going to test DIVA (Damn Insecure Vulnerable Application) against this vulnerability. First, I had the diva-beta.apk file. I unzipped it using the command below:
Labels: allowbackup, android, android app, android application, android security, backup
Friday, November 18, 2016
Android Anti Java Hooking - Adding Layer to your SSL pinning and Root detection
In this article, I am going to highlight why we must implement an anti-Java-hooking technique in our application, and what its advantages and disadvantages are.
What is Android hooking?
Hooking is the process of injecting a malicious payload into an existing running process. To illustrate, assume we have a root detection feature in our application. Using a third-party application such as RootCloak, the root detection mechanism can be bypassed. Almost all of these applications that bypass root detection, SSL pinning, etc. do so by hooking into the running application process. So how can we be safe against such applications? This is where the Android anti-Java-hooking technique comes in.
Monday, October 31, 2016
Blocking Adware on Android - Protect against malware and protect your privacy
According to McAfee, "A company from India has released an advertising software developer kit (SDK) called SilverPush that uses your phone’s microphone to listen for near-ultrasonic sounds placed in TV, radio and Web advertisements. Once SilverPush detects the signal, it collects data from your device and sends information about your device back to the advertiser. While this is not a piece of malware, it is a huge concern from a privacy perspective. It collects personal information from your device, including, but not limited to:
Labels: adaway tutorial, adware, android malware, android security, how to use adaway, malware, spyware, virus
Friday, October 28, 2016
Dirty C0w Vulnerability Demo (CVE-2016-5195) - A privilege escalation vulnerability in the Linux Kernel
Mostly I want to present a demo of Dirty COW, so I am not going to go into much of the theory. A few basic facts about Dirty COW are given below.
Why is it called the Dirty COW bug?
"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."