This blog is part of the talk “Super Size your Security”, as presented at J and Beyond 2018, co-presented with Marco Dings, CTO ViryaGroup. The concept of the Audit Log starts at 5.20, and is available on YouTube. The Case: Typical Security Incident. I want to start off this blog with a very practical and common security case, as illustrated above. In this case, a user installed a plugin to the Joomla!
Spreading the word about security trumps talking about the product.
It has been a great few months since the release of the ElastAlert Kibana plugin. Even better, we have received many commits, most notably support for Kibana 5.0 up to Kibana 5.6. BitSensor has another gift to the community: Rule Templates. Templates allow you to set up rules quickly, in this case a Frequency rule that is triggered if a tool is hammering your website, possibly for data exfiltration.
In June of 2017 Nelson Berg wanted to buy a house in Amsterdam. He registered with a real estate agent and was asked to upload his passport, pay slips and bank statements into their online tool. Anyone else may not have had any qualms about sharing this privacy-sensitive data, but Nelson Berg wasn’t your ordinary internet user. He happened to be a cybersecurity analyst and an ethical hacker. So he decided to check out how secure the website actually was.
Centralized logging is a fantastic tool, especially if you are able to take it from collection-only to realtime action. The tools that enable realtime alerting, such as Watcher and ElastAlert, haven’t been easy to use, as they are focused on file-based configuration. BitSensor now open-sources our ElastAlert plugin, which enables realtime alerting on top of ElasticSearch and is fully integrated into Kibana. It takes under 5 minutes to set up, as we have packaged everything for you.
After we find a bug in our code, we as developers reason about our code and ask ourselves: did we have Unit Tests and Integration Tests, Design Patterns, Clean Code and Logging? What are their equivalents for security bugs and vulnerabilities, and how can we reason about them? Slides are available at: How We Hacked LinkedIn and What Happened Next | JFall 2016 from Ruben van Vreeland. So, let’s start with one of the most commonly found classes of vulnerabilities in code: missing validation.
Internet of Things has been given many names with regard to security. Take Jaya Baloo (CISO KPN), who calls it IoS, Internet of Shit. Other security experts agree, and there is a collective worry that security in IoT will be impossible if not thoroughly considered from the start. When Volker Wessel and the municipality of Eindhoven opened up a Smart City bidding to improve Eindhoven as an IoT smart city, BitSensor jumped in, and out of the 66 proposals BitSensor was placed first.
With DevOps, we have a higher return on our investment in code, by making it possible to release new features to production in realtime. We do this by automating our tests, which is something that is hard to do for security. Now, you have to choose: lower returns on investment in features and losing customers by delaying deployments, or risking data breaches in functionality that went live untested. With realtime instrumentation, we propose a solution that isolates attackers from actual customers transparently, moving the attack traffic to the audited version of an application while actual customers have access to the latest features.
Google is a well-known search engine, and in the security community also famous for the “Google dorks” functionality: finding vulnerable websites using Google queries. Exploits in the Google Url Database. Using Google dorks is not new and has been discussed thoroughly; however, while we were analyzing the Joomla SQL injection vulnerability in com_contenthistory, we found this URI in the results of the Google query: If we decode the URL parameters, we get this:
One of the biggest challenges of building a high-performance service is making it scale. To do that, we use IBM’s SoftLayer. SoftLayer started in 2005 as an Infrastructure as a Service (IaaS) provider and was acquired by IBM in July 2013. It has since grown into one of the world’s largest cloud hosting platforms. Everyone can find a fitting solution there, from small webhosters to huge companies. SoftLayer offers virtual nodes as well as bare metal servers, and both can be fully customized to select the ideal hardware configuration.
Recently, I reported a security issue where a CSRF was used to compromise the integrity of a database stack by abusing the web application management tool. While explaining the issue about the possibility of data modification in the best case and RCE using another CVE in the worst case, I got the comment that it was a total surprise to them to see a CSRF based on the HTTP Authorization header.