Category Archives: Topics

Somebody is watching you: IP camera, TV and Emma Watson’s smartphone

Today I want to talk about privacy in its most literal sense. You probably own an internet-connected device with a camera and a microphone: a smartphone, tablet, smart TV, IP camera, baby monitor, etc.

– Can it be used to record video/audio and spy on you?
– Of course, yes!
– Do only governments and the device vendor have the resources to do it?
– Not really.

Somebody is watching you

The sad truth is: most internet-connected devices have security problems, and, unlike traditional desktops and servers, they are much harder to patch, even when the vendor has fixed the issue. The customers, ordinary people, simply don't bother to do it. Every week it becomes easier to access user data and even take full control of a device. Hackers and pranksters may do it just for lulz, because they can.

Let's look at some concrete examples.

Continue reading

Selenium, SikuliX and Social Network posting

The last post was about SikuliX. It's fair to say that it's not optimal for web application automation. For such applications it's better to use something that works natively with your web browser. The first solution that comes to mind is, of course, Selenium.

Selenium is a portable software-testing framework for web applications. Selenium provides a record/playback tool for authoring tests without the need to learn a test scripting language.

This app is released under the Apache 2.0 license and is a very common tool in Quality Assurance (QA). It can also be used in information security. For example, you can upload Selenium scripts to Qualys WAS (Web Application Scanner) to help the scanner perform some complex operations, such as authenticating on the website.

Selenium Upload script in Qualys

Selenium is available in the form of two products: Selenium WebDriver for hardcore automation, and the web-browser plugin Selenium IDE, which helps you create and run scripts. I chose Selenium IDE.

Selenium types

Continue reading

Vulners.com and ranges of dates

I have already written about how to automatically retrieve data from the Vulners.com vulnerability database: if you need objects of one particular type, it's better to use the Collection API; if you want to get different types of objects using advanced queries, your choice is Search API v.3.

But what if we want to get not all the objects, but only the new or modified ones in some date range? How can we do that in Vulners?

Vulners.com date ranges

Search queries

Each object in Vulners (vulnerability, patch, bulletin, etc.) has a publication date and a modification date. You can see them if you open a Vulners object in JSON format, for example CVE-2017-6301:

        "published": "2017-02-23T23:59:00",
        "modified": "2017-02-24T14:45:17",

Continue reading

SikuliX: the last chance for automation

This post I will publish in the API section of my blog. However, it is about the situation when an application has no API. Let's suppose that we have to use some graphical application or web service in our work, and unfortunately we need to constantly repeat some very routine and annoying operations in it. This often happens when the application developers have not thought enough about the real-life cases their end users will deal with. What can we do in such a scenario?

  • First of all, check whether there is an open and documented API
  • If there is no API and it is an installed application, maybe you can use it in console mode
  • If it is a web service, maybe you can figure out how it works and how to automate it using tools like Firebug

But sometimes it is impossible to do anything at all. And it is even sadder if this routine task is really elementary and you can easily explain the logic: which menu to choose, which button to push, where to enter text, and so on.

At this point, you just spit on all of it and use your last resort – SikuliX.

SikuliX Script window

With this tool you can automate everything. It doesn't matter whether it is a web service or a GUI application, which operating system it runs on, and so on. That's because SikuliX works at the highest level: it just takes screenshots, analyses them as images, and tries to find the graphical elements it should somehow interact with.

Continue reading

Automated task processing with JIRA API

It's no secret that the task tracker is one of the most critical resources of any big organization. The whole working process can be represented as creating, processing and closing various tasks. Without a task tracker there would be complete disaster, collapse and anarchy. So it's very important to work with this instrument efficiently. And when I write efficiently, I mean in an automated way. It's a blog about security automation, after all. 😉

This post will be about the Jira task tracker. I have already written about how Jira can be used in the VM remediation process. That post was mainly about the main principles and how remediation tasks look in the Jira web GUI. Now I will go further and show how to use it as a source of important information and how to easily deal with daily routine tasks using some trivial scripting. It is all possible because of the advanced Jira REST API.

Let's say we have some regular tasks of a certain type. For example, detecting vulnerabilities on some hosts using Nessus and adding a comment about the vulnerabilities found to the task. You can write a script that will search for this kind of task in Jira, process them, add the scan results as a comment and close the task. Of course, it works best when these tasks were also created in some automated way; in that case parsing will be much easier.

“Issue” is the right name for a task in Jira, but I frequently use “issue”, “task” and “ticket” interchangeably. Sorry for this.

So, we need to take these steps:

  • Authorization
  • Search for existing Jira issues using some search request
  • View the description, data and comments of the issue
  • Download the files attached to the issue
  • Do some task processing
  • Add a new comment to the issue
  • Change the status of the issue

Continue reading

Who wants to be a PCI ASV?

I think most financial and trading companies know about vulnerability scanning mainly because of PCI DSS. Vulnerability assessment is, of course, an important issue, but when regular scanning is prescribed by some critical standard it becomes much more important for businesses.

This post will be about PCI ASV from the point of view of a scanning vendor. I decided to figure out what technical requirements exist for ASV solutions and how difficult/expensive it is to become an ASV.

Perimeter scanning

Basically, a PCI ASV scan is a form of automated network perimeter control performed by an external organization. All Internet-facing hosts of merchants and service providers should be checked 4 times a year (quarterly) with a vulnerability scanner by a PCI ASV (PCI DSS Requirement 11.2.2). It is necessary to check the effectiveness of patch management and other security measures that improve protection against Internet attacks.

Continue reading

Divination with Vulnerability Database

Today I would like to write about a popular type of “security research” that really drives me crazy: when an author takes a public vulnerability database and, by analysing it, draws various conclusions about software products or operating systems.

CVE Numbers: their occult power and mystic virtues

The latest research of this type was recently published in CNews, a popular Russian Internet portal about IT. It is titled “‘The brutal reality’ of the Information Security market: security software leads in the number of holes”.

The article is based on a Flexera/Secunia whitepaper. The main idea is that various security software products are insecure because of the number of vulnerability IDs related to this software in the Flexera Vulnerability Database. In fact, the whole article is just a listing of such “unsafe” products and vendors (IBM Security, AlienVault USM and OSSIM, Palo Alto, McAfee, Juniper, etc.) and the expert commentary: cybercriminals may use vulnerabilities in security products to avoid having their IP address blocked; customers should focus on the security of their proprietary code first of all, and only then include security products in the protection scheme.

What can I say about opuses of this kind?

They provide “good” practices for software vendors:

  • Hide information about vulnerabilities in your products
  • Don't release any security bulletins
  • Don't request CVE numbers from MITRE for known vulnerabilities in your products

And then analysts and journalists won’t write that your product is “a leader in the number of security holes”. Profit! 😉

Continue reading