Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it much more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can also discuss my posts or ask a question at @avleonovchat.

IT Security in The New Pope

Lol, IT Security is everywhere. Even in the first episode of “The New Pope” TV series (the sequel of “The Young Pope”, 2016) some monks change credentials in the Vatican’s IT systems under cover of night. This happened after, well, some unexpected changes in the corporate culture and organizational structure. 😁

IT Security in The New Pope

– How did it go?
– Very well. We’ve changed the passwords, only you can log on to the bank accounts. The vault too, only you can get in.
– Tomorrow they’ll be crying.

I hope it won’t be a big spoiler. πŸ˜… The episode was great. πŸ‘ πŸ”₯

0day RCE in Firefox

This seems like a pretty interesting vulnerability CVE-2019-17026 in Firefox (and Thunderbird) in Windows, MacOS and Linux.

A pretty interesting vulnerability in  Firefox  (and Thunderbird)

Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw”.

US-cert informs us that “an attacker could exploit this vulnerability to take control of an affected system“. Yep, it’s RCE.

On the one hand, it’s not a big deal, because Firefox will ask you to update it after the next launch.

Firefox will ask you to update it after the next launch

But if somewhere in your organization the old version of Firefox is used because it is the only version that is supported by some legacy application or plugin, you are in hell. Of course, this old browser may be only installed somewhere and not used, but still try to monitor this and take care. Especially if you use some custom Firefox-based build.

The first Zbrunk dashboard and other news

The long New Year holiday season in Russia was not in vain. I had time to work on Zbrunk. πŸ˜‰ As you can see, I made my first dashboard and added other features.

The first Zbrunk dashboard

No more timestamps in code

I added functions to get Unix timestamps from lines in human-readable time format, e.g. “2019.12.10 13:00:00”.

Instead of a date, you can use words:

  • Today
  • Yesterday
  • N days ago
  • Beginning of Time
  • End of Time

API requests will continue to support only Unix timestamps.

Continue reading

CISO Forum 2019: Vulnerability Management, Red Teaming and a career in Information Security abroad

Today, at the very end of 2019, I want to write about the event I attended in April. Sorry for the delay πŸ˜…. This doesn’t mean that CISO Forum 2019 was not Interesting or I had nothing to share. Not at all! In fact, it was the most inspiring event of the year, and I wanted to make a truly monumental report about it. And I began to write it, but, as it usually happens, more urgent tasks and topics appeared, so the work eventually stopped until now.

The first discussion was about Offensive Security and Red Teams in particular

At CISO Forum 2019 I participated in two panel discussions. The first one was about Offensive Security and Red Teams in particular.

Continue reading

Detectify Asset Inventory and Monitoring

Continuing the topic about perimeter services. As I mentioned earlier, I don’t think that the external perimeter services should be considered as a fully functional replacement for custom Vulnerability Management processes. I would rather see their results as an additional feed showing the problems your current VM process has. Recently I tested the Detectify’s Asset Inventory (Monitoring) solution, which provides such feed by automatically detecting the issues with your second, third (and more) leveled domains and related web services.

Detectify Asset Inventory screenshot from the official blog

Let say your organization has several second level web domains, over9000 third (and more) level domains, and you even don’t know for what services they are used. This is a normal situation for a large organization. So, you simply add yourorganization.com to Detectify, activate Asset Monitoring, and Detectify automatically discovers third (and more) level domains and related technologies: web services, CMS, JavaScript frameworks and libraries. “It provides thousands of fingerprints and hundreds of tests for stateless vulnerabilities such as code repository exposure for SVN or Git.” This is called fingerprinting.

Continue reading

Vulnerability Management Product Comparisons (October 2019)

Here I combined two posts [1.2] from my telegram channel about comparisons of Vulnerability Management products that were recently published in October 2019. One of them was more marketing, published by Forrester, the other was more technical and published by Principled Technologies.

Vulnerability Management Product Comparisons (October 2019)

I had some questions for both of them. It’s also great that the Forrester report made Qualys, Tenable and Rapid7 leaders and Principled Technologies reviewed the Knowledge Bases of the same three vendors.

Let’s start with Forrester.

Continue reading

Zbrunk search launcher and event types statistics

I also changed the priorities. Now I think it would be better not to integrate with Grafana, but to create own dashboards and GUI. And to begin with, I created a simple interface for Searching (and Deleting) events.

upd. 16.12.2019

A small update on Zbrunk. First of all, I created a new API call that returns a list of object types in the database and number of this types for a certain period of time. Without it, debugging was rather inconvenient.

$ curl -k https://127.0.0.1:8088/services/searcher -d '{"get_types":"True", "search": {"time":{"from":"1471613579","to":"1471613580"}}, "output_mode": "json", "max_count":"10000000", "auth_token":"8DEE8A67-7700-4BA7-8CBF-4B917CE23512"}'

{"results": ["test_event"], "results_count": 1, "all_results_count": 0, "text": "Types found", "code": 0}

I also added some examples of working with Zbrunk http API from python3. Rewriting them from pure curl was not so trivial. πŸ˜… Flask is rather moody, so I had to abandon the idea of making requests exactly the same as in Splunk. πŸ˜“ But the differences are cosmetic. It is now assumed that events will be passed to collector in valid json (not as a file with json events separated by ‘\n’). I also send all params of requests as json, not data. But for the compatibility reasons previous curl examples will also work. πŸ˜‰