Category Archives: Productology

Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities

Making the reviews of Microsoft Patch Tuesday vulnerabilities should be an easy task. All vulnerability data is publicly available. Even better, dozens of reviews have already been written. Just read them, combine and post. Right?


Not really. In fact it is quite boring and annoying. It may be fun to write about vulnerabilities that were already used in some real attacks. But this is a very small part of all vulnerabilities. What about the more than a hundred others? They are like “some vulnerability in some component may be used in some attack (or may be not)”. If you describe each of them, no one will read or listen to this.

You must choose what to highlight. And when I am reading the reports from Tenable, Qualys and ZDI, I see that they choose very different groups of vulnerabilities, pretty much randomly.

My classification script

That’s why I created a script that takes Patch Tuesday CVE data from microsoft.com and visualizes it, giving me a helicopter view of what can be interesting there. With nice grouping by vulnerability type and product, with custom icons for vulnerability types, coloring based on severity, etc.


Parsing Nessus v2 XML reports with python

Upd. This is an updated post from 2017. The original script worked pretty well for me until the most recent moment, when I needed to get compliance data from Nessus scan reports and it failed. So I researched how this information is stored in the file, changed my script a bit, and now I want to share it with you.

In the previous post about Nessus v2 reports I wrote mainly about the format itself. Now let’s see how you can parse them with Python.

Please don’t work with XML documents the same way you process text files. I adore bash scripting and awk, but using them for XML parsing is an awful idea. In Python you can do it much more easily, and the script will work much faster. I will use the lxml library for this.

So, let’s assume that we have a Nessus XML report. We could get it using the Nessus API (upd. the API is not officially supported in Nessus Professional since version 7) or the SecurityCenter API. First of all, we need to read the content of the file.


Forrester report for Rapid7: number juggling and an excellent overview of Vulnerability Management problems

I recently read Forrester’s 20-page report “The Total Economic Impact™ Of Rapid7 InsightVM”. It is about the Cost Savings And Business Benefits that a Vulnerability Management solution can bring to organizations.

Forrester report for Rapid7

In short, I didn’t like anything related to money. It seems like juggling with numbers, useless and boring. But I really liked the quotes from customers who criticized existing Vulnerability Management solutions, especially the low quality of the remediation data. These are the real pain points of the Vulnerability Management process.

How did Forrester count money?

Forrester interviewed five existing customers of Rapid7 and created a “composite organization”.

This “composite organization” has 12,000 IT assets and spends $223,374 per year on Rapid7 InsightVM ($670,123 for 3 years), including integration and training costs. That means $18 per host. Well, quite a lot, especially when compared to unlimited Nessus Professional for just $2,390 per year. A wonderland of Enterprise Vulnerability Management. 🙂


Crypto AG scandal

The article in The Washington Post is really huge, but even a brief glance is enough to see how absolutely amazing this Crypto scandal is. A great example of chutzpah.

“Crypto AG was a Swiss company specialising in communications and information security. It was jointly owned by the American CIA and West German intelligence agency BND from 1970 until about 2008. … The company was a long-established manufacturer of [backdoored] encryption machines and a wide variety of cipher devices.”

“You think you do good work and you make something secure,” said Juerg Spoerndli, an electrical engineer who spent 16 years at Crypto. “And then you realize that you cheated these clients.”
¯\_(ツ)_/¯

Now the causes of the hysteria around Kaspersky and Huawei become clearer. It is natural to suspect others of the things you practiced yourself.

A completely different company, with a different strategy

And note the disclaimer on Crypto’s website. A completely different company, with a different strategy. ☝️ Okaaay…

Is Vulnerability Management more about Vulnerabilities or Management?

I’ve just read a nice article about Vulnerability Management in the Acribia blog (in Russian). An extract and my comments below.

In most cases Vulnerability Management is not about Vulnerabilities, but about Management. Just filtering out the most critical vulnerabilities is not enough.

Practical Cases:

  1. “Oh, yes, we know ourselves that everything is bad!” – CVE-2013-4786 IPMI password hash disclosure on > 500 servers. The customer had just accepted the risks; Acribia proposed an effective workaround (user IDs and passwords that cannot be brute-forced). It’s often hard to figure out the right remediation measures and implement them. Someone should do it!
  2. “We can download OpenVAS without your help!” – CVE-2018-0171 Cisco Smart Install RCE on 350 hosts. The vulnerability detection rules of several Vulnerability Scanners were not good enough to detect this vulnerability. Do not rely on scanners; know how they work and their limitations.
  3. “If the attackers wanted to hack us, they would have already done it!” – CVE-2017-0144 (MS17-010) Windows SMB RCE on a domain controller and several other critical servers. The vulnerability was detected in the infrastructure several times, the remediation was agreed with the management, but it was ignored by the responsible IT guys. As a result, during the next successful WannaCry-like malware attack the servers, including the DC, were destroyed. Vulnerability Management is about the willingness to patch anything, very quickly, as often as required. Otherwise, it makes no sense.

IT Security in The New Pope

Lol, IT Security is everywhere. Even in the first episode of the “The New Pope” TV series (the sequel to “The Young Pope”, 2016) some monks change credentials in the Vatican’s IT systems under cover of night. This happened after, well, some unexpected changes in the corporate culture and organizational structure.


– How did it go?
– Very well. We’ve changed the passwords, only you can log on to the bank accounts. The vault too, only you can get in.
– Tomorrow they’ll be crying.

I hope it won’t be a big spoiler. The episode was great.

CISO Forum 2019: Vulnerability Management, Red Teaming and a career in Information Security abroad

Today, at the very end of 2019, I want to write about the event I attended in April. Sorry for the delay. This doesn’t mean that CISO Forum 2019 was not interesting or that I had nothing to share. Not at all! In fact, it was the most inspiring event of the year, and I wanted to make a truly monumental report about it. And I began to write it, but, as usually happens, more urgent tasks and topics appeared, so the work eventually stopped until now.

The first discussion was about Offensive Security and Red Teams in particular

At CISO Forum 2019 I participated in two panel discussions. The first one was about Offensive Security and Red Teams in particular.
