Tag Archives: java

September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM

Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went.

Alternative video link (for Russia): https://vk.com/video-149273431_456239136

September was quite a busy month for me.

Vulnerability Management courses

I participated in two educational activities. The first one is an on-line cyber security course for my alma mater, Bauman Moscow State Technical University.

Continue reading

Log4j “Log4Shell” RCE explained (CVE-2021-44228)

Hello everyone! I decided to make a separate episode about Log4Shell. Of course, there have already been many reviews of this vulnerability. But I do it primarily for myself. It seems to me that serious problems with Log4j and similar libraries will be with us for a long time. Therefore, it would be interesting to document how it all began. So what is the root cause of Log4Shell?

Logs

Generally speaking, the IT infrastructure of any company deals with streams of input data. From user requests to a corporate website to integration with banking APIs and cloud services. A lot of data gets into the infrastructure of the company, is transferred from system to system, periodically getting into the logs. These logs are required to verify that the systems are functioning correctly.

Continue reading

Vulnerability Intelligence based on media hype. It works? Grafana LFI and Log4j “Log4Shell” RCE

Hello everyone! In this episode, I want to talk about vulnerabilities, news and hype. The easiest way to get timely information on the most important vulnerabilities is to just read the news regularly, right? Well, I will try to reflect on this using two examples from last week.

I have a security news telegram channel https://t.me/avleonovnews that is automatically updated by a script using many RSS feeds. And the script even highlights the news associated with vulnerabilities, exploits and attacks.

And last Tuesday, 07.02, a very interesting vulnerability in Grafana was released.

Continue reading

Petya the Great and why *they* don’t patch vulnerabilities

I really like this. Just imagine. Quiet, routine, everyday Vulnerability Management process in organizations: scanning-patching, scanning-patching, scanning-patching… And then. Suddenly! PEEETYYA!!!

And at very same moment everything changes. People from different companies start to communicate with each other actively, reverse this new malware, share the data, write and share tools for detection and recovery. Security professional is a friend, a brother and a source of useful information for security professional. Real movement! Real community! =)

Petya ransomware

For example, my friends from Vulners.com created pretty popular gist about Petya (petrWrap, notPetya, GoldenEye) and updated in real time for several hours.

Vulners Petya gist

My former colleagues from Positive Technologies released detailed technical review of this ransomware (in Russian) few hours since the outbreak started, at 01:00 am . They also found a local kill switch, and probably were the first one. Simultaneously with Amit Serper from Cybereason.

Continue reading

Vulnerability subscriptions in terms of business

The question is: do we really need an employee in organization that deals with vulnerabilities in infrastructure on a full-time basis? Since this is similar to what I do for living, I would naturally say that yes, it is necessary. But as person, who makes security automation, I can say that there are some options. ?

Vulners Subscriptions

What can and can’t Vulnerability Assessment (VA) specialist do?

VA specialist makes recommendations to remove vulnerabilities from your infrastructure using some tools: vulnerability scanners, vulnerability feeds, different news sources. In case of network vulnerabilities, he will most often tell your IT administrators: “Do we use A software with version BBB? As I see some security bulletin says that there is a critical vulnerability in it”. That’s it.

VA specialist by himself usually don’t patch the hosts. Moreover, sometimes he can’t detect the vulnerability, even he has an expansive vulnerability scanner, because some vulnerabilities can only be detected locally during authenticated scanning, and this IS specialist may not have permissions to do it.

Continue reading

SikuliX: the last chance for automation

This post I will publish in the API section of my blog. However, it is about the situation when there application has no API. Let’s suppose that we have to use in our work some graphical application or web-service. And unfortunately we need constantly repeat some very routine and annoying operations in it. This often happens if the application developers have not thought enough about the real-life cases their end-users will deal with. What can we do in such scenario?

  • First of all, look maybe there is an open and documented API
  • If there is no API, and it is an installed application, maybe you can use it in a console mode
  • If it is a web-service, maybe you can figure out how it works and how to automate it using tools like Firebug

But sometimes it is impossible to do anything at all. And it is even more sad, if this routine task is really elementary and you can easily explain the logic: what menu to choose, what button to push, where you should enter text and so on.

At this point, you just spit on all and use your last resort – SikuliX.

SikuliX Script window

With this tool, you can automate everything. It doesn’t matter if it is a web-service or a GUI application, what operating system it uses and so on. That’s all because SikuliX is working at the highest level. In fact, it just makes screenshots, analyses them as images, trying to find graphical elements that it should somehow use.

Continue reading