Category Archives: Trends

CVE-2014-6271 (“Shellshock”) and exploit PoC

September 26, 2014

By Andy Yang

(A little bit of background on this post – one of my colleagues, Norman Yue, posted something about the Internet being on fire to LinkedIn yesterday, regarding the bash bug. This blog post tries to explain a bit more about why exactly this is such a big issue, and also provides a proof-of-concept exploitation).

Firstly, the vulnerability itself. The actual vulnerability itself is amusing and unique, but otherwise, isn’t the magical everything-is-owned vulnerability that everyone makes it out to be. To paraphrase, if you are able to set an environment variable through the Bash shell, you can execute commands.

The interesting part is that this vulnerability may have existed for more than 20 years, in an application which is part of pretty much every Unix system since a long time ago. The vulnerable versions start from cpe:/a:gnu:bash:1.14.0 to cpe:/a:gnu:bash:4.3, which covers pretty much every Unix-based operating system available today (and by extension, a tremendous chunk of the Internet). Continue reading

Practical Security: Browser Security Settings

August 06, 2014

By Norman Yue (CTO)
Originally published:

This series of blog posts will aim to look at some “quick wins”, which an organisation or a security team (or even interested users) can realistically put into place immediately, what they are, and how they impact both security and usability.

This is not aimed at being remotely comprehensive, or reaching a “perfect” state of security – while a few people might browse the Internet with non-HTML non-image content off by default, we realize this probably isn’t feasible for most users, and having an actual Security Policy based on what you actually need is a Really Good Idea [tm].

While most people (and by extension, organisations) simply take their browser for granted, modern browsers typically have a slew of settings (not necessarily explicitly related to security) which can impact the security context for end-users. Here are a few “quick win” solutions which can easily be put in place, with minimal impact for users. Continue reading

The 7 reasons why businesses are insecure.

February 27, 2014

By Drazen Drazic

I won’t start by saying that implementing a strong framework is going to solve all business IT security problems. It won’t, but with one, at least you have one big advantage over now – you have a better picture and understanding of where your problems may lie and you’re less likely to be taken by surprise.

At present, most organisations have little understanding of the risks they face – where they are exposed, what they are exposed to and how these exposures could impact the business. So what are the problems?

1. Management and Governance – If the CEO and Senior Officers of the business do not ultimately own the responsibility and accountability for the security of the business, then it just does not get the appropriate attention. When we do “State of Security” reviews for our clients, we pretty much have 90% of our report written after the first hour if we find this layer of the framework not in place. ie; you can be guaranteed that if there is not an effective and ongoing management and governance layer in place, overall security within the organisation is weak. Matt Jonkman in a previous interview with Securus Global explained it well;

Continue reading

The Anatomy of a Security Breach.

January 16, 2014

Securus Global’s approach to minimising your risks…

By now, you have probably read about the Target security breach: (Nothing new… this happens all the time).

At Securus Global, we are frequently asked by our clients how hackers compromise companies and in turn, what can be done to minimise the risk of it happening to their own organisation.

By hiring the likes of Securus Global to test your systems in testing, pre-production and/or post production, we’ll be able to highlight any potential exposures you have and issue advice on how to fix them and ways to make you more resistant to such breaches all together.

Better yet, we would rather help you be in a position that your risks are identified beforehand, or even not to be there in the first place.

This is why in early 2014, we’re offering client workshops to explain the anatomy of such attacks and how the hackers are attaining this information from your companies.

These are 1-2 hour informal sessions (no cost), where we talk about what we have seen in the last 10 years, how the attacks are planned and take place but most importantly, what you can do to minimise the chances of this happening to your company. Continue reading

Looking at Good Application Security – It’s Not Just about Penetration Testing

June 05, 2013

(An updated article from article Tek-Tips, originally published in 2010: )

In 2013, there is still a growing reliance on penetration testing to identify all the flaws in the security of systems and applications. This is a flawed approach. While penetration testing is important and we believe a must-do for all new systems and applications being rolled out, if this is all you are doing, you really need to assess your whole security framework and systems development lifecycle. Penetration testing is just an assurance assessment – just one component of how an application should be reviewed/audited/tested by companies. Continue reading

Security audit for commercial sites

June 15, 2012

An interesting note found in a recent online security report has stated that malicious programmers have begun to target specific social websites for drive-by infections.

While in the past scammers would set up their own pages and attempt to drive traffic to them to gain control over a victim’s machine or network, there has been a shift in recent years towards compromising legitimate URLs.

According to the Malicious Code Trends section in Symantec’s Internet Security Threat Report 2011 – published back in April 2012 – approximately 61 per cent of all sites listed as containing shadowy programs are “actually regular web sites that have been compromised and infected with malicious code”.

The top five sites for these kinds of attacks are blogs, personal sites, business or economics pages, online shopping venues and educational references.

It could be that the largest of these – the blogs and personal communications sector at 19.8 per cent – are the least well defended because they tend to be utilised by their owners as a communications platform and journal rather than a money-making enterprise.

This theory seems to be backed up by the fact that the second-largest proportion of legitimate sites infected with malware is personal hosting services on 15.6 per cent – a result that seems to follow a noticeable trend.

It could be that the activities the pages are meant to support have a direct effect on the amount of effort that is put into ensuring their safety for visitors.

People who are in charge of commercial sites and sales channels – ten per cent and seven per cent respectively – are more experienced with controlling how their back end is accessed and how to defend against malicious activities.

The difference is that – while it is in everyone’s best interests to protect repeat visitors to online venues – commercial concerns simply have more to lose by allowing their customers and clients to suffer from their lack of in-depth vulnerability management schedules.

That being said, the fact is that 17 per cent of legitimate sites infected with malware belong to enterprises that either trade goods and services or relay economic and financial information to their customers.

This means that every incident of infection has the potential to disrupt their flow of income – be it from advertising revenue or customer transactions.

Patching routines examined by penetration testing services

June 10, 2012

Fake software updates have been identified as being pushed through free Wi-Fi in cafes and hotels – prompting security professionals to warn travellers to keep their software up to date before they head abroad.

An alert was issued by the Internet Crime Complaint Center on May 5 that said recent intelligence operations by the Federal Bureau of Intelligence (FBI) has uncovered malicious applications being spread through wireless connections in a range of hospitality venues.

According to the report, travellers attempting to access these Wi-Fi points have encountered a pop-up window that seems to be guiding them to update “a widely used software product”.

“The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available,” said the report.

On clicking the button to accept this ‘upgrade’, malicious programs would be downloaded and installed that could compromise the device’s integrity.

The report states: “The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection.”

While regular audits and upgrades can help to make a difference in defending digital assets from outside intrusion, a penetration testing service can provide the insight and training they need to instil security-conscious behaviour in all travelling staff members.

Cyber attacks can have devastating healthcare consequences

June 09, 2012

An increased uptake in wireless technology has left some medical facilities – and their patients – exposed to new security vulnerabilities.

A new US report prepared by the National Cybersecurity and Communications Integration Center reveals that wireless medical devices (MDs) – which are connected to information technology (IT) networks – are creating new opportunities in this field, but are not without their risks.

Healthcare and public health organisations have much to gain from emerging wireless technology that allows for remote access – benefiting from enhanced operations, improved ease of use and rapid computing speed.

However, the report asserted, “the communications security of MDs to protect against theft of medical information and malicious intrusion is now becoming a major concern”.

Vulnerabilities in such wireless systems could have a number of dangerous consequences – ranging from vandalism, device reprogramming or even the loss or theft of sensitive medical information, which can compromise patients’ personal privacy and can result in identity theft.

Often, according to the report, these vulnerabilities can arise through poor security practices, misconfigured networks or errors made during the implementation or deployment of new technologies.

These can also occur through the increasing uptake of mobile devices and wireless networks.

Sometimes, these technologies are so new that IT departments are unaware of how to adequately secure them or keep up with changing trends. Others fail to install the adequate updated to these systems, which can open them up to further risks later down the line.

Penetration testing is one strategy that can be used to identify these risks and can help businesses of all types – including healthcare organisations – stay on top of any potential operational weaknesses.

This type of testing can not only alert you to any potential security issues that could affect your business, but also the consequences – both operational and financial – of a malicious attack.

Gartner reports on changing mobile trends

June 08, 2012

With a rising number of businesspeople encouraged to use their own mobile devices – rather than company-owned phones – for work, mobile security is becoming an increasingly important consideration.

According to new research from Gartner, IT developers need to take a more proactive approach to mobile security – and rather than a single-standard solution, developers may wish to instead consider “managed diversity”.

This term refers to flexible strategies for managing a range of mobile devices – including those that are owned by individuals and the business.

“This is the only approach that helps IT leaders maintain control over mobility, and supports bring-your-own-device programs,” said Gartner research director Terrence Cosgrove

He explained that an effective mobile device management (MDM) strategy hinges on the ability of operations and security teams to co-ordinate effectively.

Specific mobile security measures must be taken to ensure that devices are configured to match company policy, Gartner suggests, noting that many corporate policies call for devices to be password-protected , or for the ability for sensitive information to be wiped in the event of a security breach.

Cosgrove explained: “Because of the complexity of the mobile device landscape, there must be a person or group responsible for monitoring this landscape and for understanding users’ demands for new types of device and the impact that new platforms have on applications.”

He added that security professionals and the monitoring individual or group need to meet on a regular basis to address any changes in the technological landscape – and to assess their impact on the security of an organisation.

Adopting a managed diversity strategy can help companies keep costs down in the long run, Gartner noted, particularly when it comes to user productivity.

Having support from the IT department is crucial when it comes to security, the research body added, as otherwise users may attempt to circumvent IT standards – and therefore increase the risk of noncompliance costs.

If I had a Dollar – penetration testing and security myths from Steve Darrall, Securus Global Practice Manager

May 22, 2012

If I had a dollar…..part 1 of (well, who knows?)

This post will be the first in a series from Securus Global where we dispel a few information security myths that we hear on an all too regular basis to the point that if we were paid every time we heard them we’d be sunning ourselves on a quiet pacific island. :-)

No doubt, you’ve heard most of these yourselves and may wonder if you’re alone. You’re not.

So without further ado, here’s our first installment…

Once security testing is complete, we’ll put it into production”. This isn’t the best of project management approaches to take from our experience. Any project should allow time for remediation and retesting activities to take place. Security testing shouldn’t be seen as a tick in the box on your project schedule. Continue reading