Marc Rogers

How the COVID-19 Pandemic Has Dramatically Changed the Cybersecurity Landscape

Over the past two decades working in the security space, I’ve observed that there’s always an uptick in attackers looking to exploit the chaos during disasters or periods of civil unrest or political instability. As people panic or try to act with more urgency, they become more vulnerable. Caution, one of our strongest defenses, is the first thing to go out of the window. As our sense of urgency grows, we become more willing to take shortcuts and the opportunity to fool us grows...

Christopher Bennett

The Case for Host Security Logs

A look at why host security logs should be at the top of your list when establishing a security program.

Andrew Lee

Using hack_url_re to Auto Detect Website Spoofing Vulnerabilities

Phishing attacks often spoof websites in order to steal passwords, tricking users into entering credentials to a website that looks identical to the one they routinetly access. To avoid such trickery, account holders can trust their passwords to password managers like Okta’s SWA plugin, which are not fooled by visual similarity. However, if the code for identifying the website contains any flaws, attackers could exploit them in order to continue to steal passwords. Recognizing this threat, the...

Andrew Lee

Multi-Factor Mixup: Who Were You Again?

Summary: A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for second-factor authentication to all other accounts in an organization. After being notified about the vulnerability and independently validating it, Microsoft produced a patch to address it. See CVE-2018-8340. This vulnerability is best addressed within ADFS and it likely affects all MFA products for ADFS. Organizations running Microsoft ADFS are...

Josh Pitts

I can be Apple, and so can you

A Public Disclosure of Issues Around Third Party Code Signing Checks Summary: A bypass found in third party developers’ interpretation of code signing API allowed for unsigned malicious code to appear to be signed by Apple. Known affected vendors and open source projects have been notified and patches are available. However, more third party security, forensics, and incident response tools that use the official code signing APIs are possibly affected. Developers are responsible for...

Josh Pitts

Hey Chef, What's the Length of your Encrypted Password?

TL;DR This post takes a quick look at Chef Data-Bags and SaltStack Pillar (GPG.Renderer) and identifies methods to determine if encrypted information leaks details about the plaintext, such as password length, that could aid an attacker. Introduction Does your organization, or one you are testing/auditing, use Chef Data Bags or SaltStack Pillar with the GPG.renderer to secure secrets for deployment and operations? If so, you have probably looked at these encrypted blobs of data and thought,...

Josh Pitts

Teaching Shellcode New Tricks - DEF CON 25 Addition

My REcon Brussels talk of the same title was accepted for DEF CON 25. It was supposed to be a release of x64 bit Import Address Table (IAT) based payload parsing stubs to get them into the Metasploit Framework as a feature. It was supposed to be straight forward, no issues, no surprises kind of talk. Until June 18th, everything was great. Then I checked twitter. Surprise, Surprise! Microsoft is shipping in Windows 10 RS3 not only EMET in the Windows Kernel, but they added an Import Address...

Down the SAML Code

Working for an identity company like Okta forces you to constantly be aware of new, old and obscure authentication methods — and also encourages you to dive deep into the underlying protocol to discover whether engineers have correctly implemented the technology. Okta’s Research & Exploitation Team does exactly that, by researching commonly used libraries, protocols and security methods. At Okta we work by the idea that security is not just about how good your code is — it’s about securing...

Josh Pitts

Fido: Teaching Old Shellcode New Tricks

Last month at the initial REcon Security Conference in Brussels, I gave a talk on ‘Teaching Old Shellcode New Tricks’ or breathing new life into existing MetaSploit Framework (MSF) Windows exploit payloads.  During the talk, I released Fido, a tool that enables penetration testers to bypass EMET EAF/Caller protections and various antivirus provider detections by modifying existing MSF payloads on the fly. The talk is a result of research that led to a surprising conclusion: A stable EMET EAF...