General

A Comprehensive Technical Guide to Denial of Service (DoS) Attacks

Introduction What is a DoS attack? Do they have the potential to impact our organization negatively? If so, to what degree do we need to worry about DoS attacks, and how can an organization prevent or mitigate their impact? This pillar article is designed to equip you with a core understanding of what DoS attacks are, the motives of adversaries that launch them, and strategies for defending an organization against this increasingly common threat to IT security.  The “CIA Triad” stands for Confidentiality, Integrity, and Availability, which are the fundamental principles of information security that need to be protected. DoS attacks primarily disrupt the Availability of IT services – that is they prevent IT systems and services from functioning properly causing downtime. This can result in financial losses, negatively impact an organization’s operations and reputation, impose legal and regulatory liabilities, and cause data loss, reduced productivity, or loss of competitive…

Read more

@0x0SojalSec tweeted out a pure genius one-liner for automated SQL Injection pentesting and it while it was mind-blowing, it is also useful to dissect into the various elements.  Along the way we can learn some great tools for command line penetration testing! Check out the original tweet or the image below: This is a great example of how automated toolkits can provide do a lot of work that doesn’t cost a lot of time.  So, let’s disect the command and learn 5 great command line tools from @0x0SojalSec’s sorcery that will certainly prove useful on a pen-testing engagement. #1 – subfinder Subfinder is a command line tool from ProjectDiscovery.io  that accepts a top-level domain and will return a set of subdomains from historical DNS records.  Whenever relying on historical DNS records, the output is only as good as the service’s repository of historical data, but ProjectDiscovery’s service is top notch. …

Read more

When Best Practices Are Infeasible

Cloud Security

IT Security Best Practices are processes and configurations outlined by industry leading standards organizations such as SANS, NIST, and OWASP amongst others. Some examples of best-practices include: keeping software and systems updated, uninstalling all but required applications and services, segmenting critical network resources, and configuring host and network firewalls to first block all traffic, then allow only required traffic by IP and protocol. But are best practices always feasible for an organization? To some, this may seem like a ridiculous question. Most CISO’s would likely rather consider the question the other way around: “Is not having best practices feasible?”, since their jobs depend on the performance of security controls. So why then did John Mandia of Mandiant Security LLC to respond with “it depends” when responding to that question before a US congressional special hearing in response to the SolarWinds malware [1]? Senator Wyden’s question specifically referenced NIST firewall best…

Read more

Linux Dominates Performance-based Computing Market Share Linux may be less susceptible to cyber-attacks because Windows presents such an attactive target by holding the majority of the desktop marketshare. However, Linux servers dominate the global market in some powerful ways. According to industry reports, Linux OSs comprise 100% of all supercomputers, and over 95% of the top 1 million web servers are running Linux. Linux runs on 90% of all cloud infrastructure and dominates the mobile phone market with > 80% of market share. Embedded operating systems, and RTOS for IoT devices? Again, Linux is by far the most popular OS of choice. If you want more interesting facts about Linux’s market presence, you can Read Nick Galov’s revealing 2021 comprehensive summary of Linux market penetration. Knowing how to conduct a Security Audit of a Linux system and services is very important indeed.  This most often includes whitelisting required applications and…

Read more

A new type of vulnerability has been disclosed by researchers at Cambridge University in the UK where Unicode Bidirectional Control Characters are used to change the way text appears in the IDE or text editor compared to how the compiler will interpret and compile the source code into an executable.  Proof of concept code has been released for virtually every language including C, C#, C++, Go, Java, Ruby, Python, JavaScript, Rust, and more. Here is a link to the original paper, a GitHub repository released by the authors that includes proof-of-concept code samples for virtually every popular language and the issued CVEs CVE-2021-42574 and CVE-2021-42694, both having severity score of 9.8 “Critical”. Unicode Bidirectional Control Characters are needed in Unicode because Unicode is meant as a super encoding standard which allows all languages (and even emojis) to be contained in a single encoding standard as opposed to say, ASCII which…

Read more

Is A New Protocol The Best Solution to Web-Content Accessibility?

Graphic image of visual eye test and reading glasses

If you have been around the internet since the mid 1990’s you may have the same sense of I have. The internet was better then. Gillian Anderson… and other reasons. Mostly the web wasn’t so… bull-shitty. There were less advertisements. There were fewer user interface changes to websites so you didn’t have to search for the button that some psychometric web-design team lead decided to move because you would look at ads longer if they made it harder to find. The real content still changed. Websites still changed and were updated. It was just mostly the content that changed not the UI. I suspect that nobody has felt the wave of the new “bull-shitty” internet more than people with disabilities. Yes, accessibility features existed in the 1990’s for computers. They may have been even better than the state they are in today. Perhaps as Bill Hicks might say, it’s that…

Read more

New Web-Accessibility Laws in Ontario

Graphic image with icon for each disability such as visual, hearing, and physical

In 2021 new laws will be enacted in Canada that demand web-content be accessible to people with disabilities. The law applies to any organization with 50 or more employees and fines can be up to $50,000. The new regulation sets the gold-standard for compliance at WCAG 2.0 “AA” (Web Content Accessibility Guidelines double A) standard. This is the second level of the three levels included in the WCAG. If you are a website owner and you want assitance makign your website compliant with the new regulations, please contact me by email at joseph@ripplesoftware.ca or contact me using the website contact form. web-developer or compliance officer tasked with making sure your website meets this standard, read on to find out what the standard is and how you can make your site compliant. Overview of Web-Accessibility Laws in Ontario By January 1, 2021, Ontario businesses must make their public-facing websites conformant with…

Read more

Stages of Vulnerability Disclosure

This article attempts to give an overview of how IT vulnerabilities are categorized during their life-cycle.  Understanding the terms related to the various stages of IT security vulnerabilities can allow a better understanding of what a proper security policy framework should include.  First lets cover the stages: Unknown – vulnerabilities that exist but nobody knows about them.  The vulnerability is not designed in put into the software or hardware by a malicious actor.  These vulnerabilities are caused by poor implementation.  Software coding standards and software development guidelines attempt to prevent these types of vulnerabilities from happening, but complex constructs in software programming languages are difficult to implement properly can be a large source of vulnerabilities.   Unknown vulnerabilities may be discovered through static code analysis and “fuzzing” (automated testing) by malicious actors, bug hunters, or security threat hunters. Known – once the vulnerability has been discovered, it may fall into…

Read more

Sources of Red Team Education

What is red-teaming? A important term in IT security context, a red team (red cell) is a group of hackers with various skill-sets, who simulate attacks on the network infrastructure.  By contrast the blue team’s job is to defend the network.  Red teams follow a specific set of rules known as the rules of engagement which stipulate what types of attacks are allowed and points in the attack when they should stop and reporting should be done.  The attacks may employ technical, physical, social or process-based attack vectors.  This intends to cover all aspects of a organization’s security controls such as physical,  administrative, and technical.  The red team helps step 4 of the NIST Risk Management Framework to assess the security controls. Taking the steps of the cyber-kill-chain into account (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives), the red team may simply seek to gain reconnaissance…

Read more

Building a crypto-currency POS with an API.

Bitcoin Featureed Image

I’ve recently been working on a project to create a crypto-currency wallet and API for POS transactions. I won’t tell you which crypto-currency I’m working on publicly, but if you want to hire me for helping you to create a POS system, blockchain parser, or API. Please let me know. First off, I had to choose between two packages: Node.js driven bitcoin-insight-api, and python scripted bitcoin-abe. Both are available on GitHub. https://github.com/bitcoin-abe/bitcoin-abe https://github.com/bitpay/insight-api Although it seems that node.js is increasing in popularity everyday, and python is looked down on by some for it’s high-level syntax, I eventually decided to use bitcoin-abe for the time being with hopes of eventually modifying the insight app. My reasoning is as follows: insight is dependant on bitcore.js. Right now there is not much documentation out there on modifying bitcore to work with alt-coins. There docmentation even advises that the package is still in development…

Read more