Category Archives: Topics

Kaspersky Security Center 11 API: getting information about hosts and installed products

I spent a lot of time last week working with the new API of Kaspersky Security Center 11. KSC is the administration console for Kaspersky Endpoint Protection products. And it has some pretty interesting features besides the antivirus/antimalware, for example, vulnerability and patch management. So, the possible integrations with other security systems might be quite useful.

Kaspersky SC 11 openAPI

A fully functional API was firstly presented in this latest version of KSC. It’s is documented pretty well, but in some strange way. In fact, the documentation is one huge .chm file that lists the classes, methods of these classes and data structures with brief descriptions. It’s not a cookbook that gives a solution for the problem. In fact, you will need to guess which methods of which classes should be used to solve your particular task.

For the first task, I decided to export the versions of Kaspersky products installed on the hosts. It is useful to control the endpoint protection process: whether all the necessary agents and products were installed on the hosts or not (and why not).

Continue reading

The most magnificent thing about Vulnerabilities and who is behind the magic

What I like the most about software vulnerabilities is how “vulnerability”, as a quality of a real object (and the computer program is real), literally appears from nothing.

The most magnificent thing about Vulnerabilities and who is behind the magic

Let’s say we have a fully updated server. We turn it off, lock it in a safe and forget about it for half a year. Six months later, we get it, turn it on. It is the same and works absolutely the same. But now it is also exposed to dozens of critical vulnerabilities that, with some (un)luck, can be exploited by any script kiddie. New important characteristic of the material object appeared from nowhere, isn’t this magnificent? 🀩

Continue reading

First steps with Docker: installation in CentOS 7, vulnerability assessment, interactive mode and saving changes

Docker and containerization are literally everywhere. IMHO, this changes the IT landscape much more than virtualization and clouds. Let’s say you have a host, you checked it and find out that there are no vulnerable packages. But what’s the point if this host runs Docker containers with their own packages that may be vulnerable? Add to this the issues with complex orchestration systems, such as Kubernetes, completely different DevOps subculture with their own terms, slang, beliefs, priorities, and the situation begins to look like complete IT Hell. πŸ™‚

First steps with Docker

But it seems that Docker will be here for a long time, so we will have to live with it. πŸ˜‰ Here I will not write what Docker is and how it works. There are many publications about this. I personally interested in what actually we can do with these weird “virtual machines”, how can we run and assess them.

Continue reading

How to make Email Bot service in Python

First of all, why you may want to use such service? Despite the fact that currently there are so many different channels of communication (including various messaging apps), Email is still a default and universal way to do it.

  • Literally every enterprise service supports email notifications, even if it’s integration capabilities are rather limited. So, with Email Bot you can automatically process such notifications.
  • Email is good, simple, reliable and familiar way to communicate with humans. Send an email – get response. Everyone can do it. So, email bot can make basic routine operations, like organizing the external meetings, pretty much like a human secretary.
  • It’s easier to code Email bot than any other interface, and the code can be reused for other communication channels, for example messaging apps.
How to make Email Bot service in Python

I get email messages from IMAP server in python3 using easyimap module.

Continue reading

Who should protect you from Cyber Threats?

The world is becoming increasingly dependent on information technologies.

  1. Government. More and more states provide digital services for their citizens and rely complex information systems.
  2. Business. There are no more companies that do not have IT infrastructure (on-premises or cloud). IT processes become the most valuable competitive advantages of the companies.
  3. People. The number of active Internet users is steadily growing. People own a large number of connected devices: from desktops and smartphones to smart homes and cars. Electronic payments (bank cards, Apple pay, PayPal, etc.) replace cash and traditional banking tools.

All these information systems make our life easier and more efficient. They also create the need for a huge amount of various software. This software is developed by people. And people tend to make mistakes. Especially when security is not their priority (when speed is a priority, for example). These errors cause large number of vulnerabilities exploited by attackers.

Who should protect you from Cyber Threats?

Regularly, we can hear about exploitation cases that often lead to significant damage. Who should protect us from cyber threats and cybercrime?

Continue reading

No left boundary for Vulnerability Detection

It’s another common problem in nearly all Vulnerability Management products. In the post “What’s wrong with patch-based Vulnerability Management checks?” I wrote about the issues in plugin descriptions, now let’s see what can go wrong with the detection logic.

The problem is that Vulnerability Management vendors, in many cases, have no idea which versions of the Software were actually vulnerable.

OMG?! How this can be true? πŸ™‚ Let’s take an example.

Each vulnerability at some points in time:

  • was implemented in the program code as a result of some mistake (intentional or not)
  • existed in some versions of the program
  • was detected and fixed

Read more about this in “Vulnerability Life Cycle and Vulnerability Disclosures“.

No left boundary in Vulnerability Detection

Let’s suppose that we have some Software A with released versions 1, 2 … 20.

Just before the release of version 10, some programmer made a mistake (bug) in the code and since the version 10 Software A has become critically vulnerable. Before the release of version 20, Software Vendor was informed about this vulnerability and some programmer fixed it in version 20. Then Software Vendor released a security bulletin: “Critical vulnerabilities in the Software A. You are not vulnerable if you have installed the latest version 20.”

And what does Vulnerability Management vendor? This vendor only sees this security bulletin. It is logical for him to decide that all versions of Software A starting from 1 are vulnerable. So, it will mark installed versions 1 … 9 of the Software A as vulnerable, even so actually they are NOT.

Continue reading

Retrieving data from Splunk Dashboard Panels via API

Fist of all, why might someone want to get data from the panels of a dashboard in Splunk? Why it might be useful? Well, if the script can process everything that human analyst sees on a Splunk dashboard, all the automation comes very natural. You just figure out what routine operations the analyst usually does using the dashboard and repeat his actions in the script as is. It may be the anomaly detection, remediation task creation, reaction on various events, whatever. It really opens endless possibilities without alerts, reports and all this stuff. I’m very excited about this. πŸ™‚

Exporting data from Splunk dashboard

Let’s say we have a Splunk dashboard and want to get data from the table panel using a python script. The problem is that the content of the table that we see is not actually stored anywhere. In fact it is the results of some search query, from the XML representation of the dashboard, executed by Splunk web GUI. To get this data we should execute the same search request.

That’s why we should:

  1. Get XML code of the dashboard
  2. Get the search query for each panel
  3. Process searches based on other searches and get complete search query for each panel
  4. Launch the search request and get the results

First of all, we need to create a special account that will be used for getting data from Splunk. In Web GUI “Access controls -> Users”.

Continue reading