Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

AM Live Vulnerability Management Conference Part 1: Full video in Russian + Timecodes in English

1 Reply

AM Live Vulnerability Management Conference Part 1: Full video in Russian + Timecodes in English. Hello all! 2 weeks ago I participated in the best online event fully dedicated to Vulnerability Management in Russia. It was super fun and exciting. Thanks to all the colleagues and especially to Lev Paley for the great moderation! I have talked out completely. Everything I wanted and the way I wanted. It seems that not a single hot topic was missed.

AM LIve: Vulnerability Management conference

You can see the two hours video below. It is in Russian. And it’s pretty complicated to translate it all. I won’t event try. ? If you don’t understand Russian you can try auto-generated and auto-translated subtitles on YouTube, but the quality is far from ideal.

To give you the idea what we were talking about I added the timecodes in English.

Timecodes

Section 1. Vulnerability Management Process and Solutions

  • 5:18 Vulnerability Management Process Definition
  • 10:53 Vulnerability Management is the opposite of the admin’s saying “If it works – don’t touch it!” The main thing in the process is to somehow fix the vulnerabilities. (Leonov)
  • 12:30 Sometimes a basic vulnerability scanner and Jira is already a Vulnerability Management solution (Leonov)
  • 13:30 Difference between Vulnerability Management Solutions and Vulnerability Scanners
  • 17:09 Vulnerability Management and Vulnerability Scanners: in our restaurant we call rusks “croutons”, because a rusk cannot cost $8, but crouton can“ (Leonov)
  • 23:00 Licensing schemes, delivery options and costs
  • 28:48 Module-based licensing and the situations when modules can be excluded from the subscription (Paley)
  • 30:24 Commercial Vulnerability Management solutions are expensive, especially when licensed per host (Leonov)
  • 31:00 Maxpatrol unlimited licenses (Bengin)
  • 34:08 Perimeter scanning: very critical, low reliability of banner-based detections, it’s better to assess hosts accessible from the Internet with internal authenticated scans. Criticality of the network as an element of scoring. (Leonov)
  • 36:50 The impact of Regulators on the Vulnerability Management Market, a free ScanOVAL tool
  • 39:10 What to do with vulnerabilities in local software products that are not supported by foreign VM vendors?
  • 44:00 When it’s enough to use a free scanner? Could there be a full-functional and free vulnerability scanner? In theory, yes, but it is not clear how the vendor will finance the maintenance of the knowledge base. In practice, we see how such stories collapse. You need to understand the limitations of free products (such as OpenVAS). Including the completeness of the scan results and the ease of building the VM process. (Leonov)
  • 47:19 Poll: what is used in your organization?

Continue reading

Vulristics: Microsoft Patch Tuesdays Q1 2021

Leave a reply

Vulristics: Microsoft Patch Tuesdays Q1 2021. Hello everyone! It has been 3 months since my last review of Microsoft vulnerabilities for Q4 2020. In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.

I will be using the reports that I created with my Vulristics tool. This time I’ll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.

Continue reading

Vulristics: Beyond Microsoft Patch Tuesdays, Analyzing Arbitrary CVEs

Leave a reply

Vulristics: Beyond Microsoft Patch Tuesdays, Analyzing Arbitrary CVEs. Hello everyone! In this episode I would like to share an update for my Vulristics project.

For those who don’t know, in this project I am working on an alternative vulnerability scoring based on publicly available data to highlight vulnerabilities that need to be fixed as soon as possible. Roughly speaking, this is something like Tenable VPR, but more transparent and even open source. Currently it works with much less data sources. It mainly depends on the type of vulnerability, the prevalence of vulnerable software, public exploits and exploitation in the wild.

Elevation of Privilege - Windows Win32k

I started with Microsoft PatchTuesday Vulnerabilities because Microsoft provides much better data than other vendors. They have the type of vulnerability and the name of the vulnerable software in the title.

Elevation of Privilege - Windows Win32k MS site

But it’s time to go further and now you can use Vulristics to analyze any set of CVEs. I changed the scirpts that were closely related to the Microsoft datasource and added new features to get the type of vulnerability and name of the software from the CVE description.

Elevation of Privilege - Sudo (CVE-2021-3156) - High [595]

Continue reading

Microsoft Defender for Endpoint: Why You May Need It and How to Export Hosts via API in Python

5 Replies

Microsoft Defender for Endpoint: Why You May Need It and How to Export Hosts via API in Python. Hello everyone! In this episode, I want to talk about Microsoft Defender for Endpoint. It’s not a well-known free Defender antivirus built in Windows 10, but an enterprise level solution with the similar name. Yes, the naming is pretty confusing.

I will not repeat Microsoft’s marketing thesis. Just the basic idea. The Windows endpoints on your network have built-in agents that can send some data to the Microsoft cloud. In the cloud, they process this data into security events. Users can see these events in the web interface on the Microsoft website.

Continue reading

Vulners Linux Audit API for Host Vulnerability Detection: Manual Auditing, Python Scripting and Licensing

5 Replies

Vulners Linux Audit API for Host Vulnerability Detection: Manual Auditing, Python Scripting and Licensing. Hello everyone! This episode will be about Vulners Linux Audit API, which allows you to detect vulnerabilities on a Linux host knowing only the OS version and installed packages. I had a similar post about this 4 years ago, but some details have changed, so I came back to this topic.

Continue reading

Vulristics Vulnerability Score, Automated Data Collection and Microsoft Patch Tuesdays Q4 2020

1 Reply

Vulristics Vulnerability Score, Automated Data Collection and Microsoft Patch Tuesdays Q4 2020. In this episode I would like to make a status update of my Vulristics project. For those who don’t know, in this project I retrieve publicly available vulnerability data and analyze it to better understand the severity of these vulnerabilities and better prioritize them. Currently, it is mainly about Microsoft Patch Tuesday vulnerabilities, but I have plans to go further. Also in this episode I want to demonstrate the new Vulristics features on Microsoft Patch Tuesday reports for October, November and December 2020.

Vulristics Vulnerability Scores, automated data collection and Microsoft Patch Tuesday Q4 2020

Patch Tuesdays Automated Data Collection

First of all, I dealt with the annoying collecting of the data for Microsoft Patch Tuesdays reports. Previously it took pretty long time. I had to go to Microsoft website and search for CVE IDs. After that, I had to get the comments from various Vulnerability Management vendors and researchers blogs (Tenable, Qualys, Rapid7, ZDI). I wanted this to be as much automated as possible. I have added some code to make CVE search requests on the Microsoft website for a date range (including the second Tuesday of the month). I also figured out how to make searches on the Vulnerability Management vendors blogs. So, now to get a Microsoft Patch Tuesday report it’s only necessary to set the year and month.

Continue reading

My projects that are not related to Information Security: Yennysay TTS and PyTouchOk companion app

Leave a reply

My projects that are not related to Information Security: Yennysay TTS and PyTouchOk companion app. Thanks to the long New Year holidays in Russia, I had time to work on my own projects that are not related to information security. I released them on github and recorded short demos (by the way, Zoom is quite convenient for this! ?).

Yennysay is a GUI text-to-speach tool that uses a free offline TTS engine in Windows 10. This was my first experience with Tkinter and it turned out to be quite successful. I use this tool a lot now. Yennysay can read English and Russian texts aloud, show progress, track clipboard, retrieve text from copied URL, open YouTube URL in SMPlayer, and so on.

Check out the video

and sources on github

PyTouchOk is also a Tkinter application for automating routine actions with GUI (similar to SikuliX and AutoIt). The idea was to create a companion app that would track the content of the screen and, under certain conditions, take control to perform routine actions. As an example of such a routine action, I implemented the export of slides from LibreOffice Impress in svg format via pyautogui by automatically clicking in the interface. This operation cannot be performed for all slides through the GUI, and LibreOffice API is quite difficult to work with. But the main goal was to create a companion app that could be easily expanded with new skills. And it succeeded, the program “understands” that LibreOffice Impress is open on the screen and starts automatic actions.
Here is the demo on youtube

аnd the sources on github.