SAML Attacks can break down Single Sign-On (SSO)

Area41 (Defcon Switzerland) had an interesting video about attacking SAML, the Security Assertion Markup Language behind Single Sign-On (basic tutorial on SAML).

There are a few ways an attack can happen: while the initial connection is being made (when certificates and any other required information are exchanged), or after the initial connection has been made and the single sign-on conditions are set, i.e. the auth server stores cookies and redirects on the next request for access.

The image above is from

So when the attacker tries to inject an attack, they are mimicking the tokens or the XML.

Check out the following from the Defcon Switzerland video:

SAML Attacks: Certificate Tampering

  • Clone a certificate, generating new key material
  • Use a certificate signed by another official CA

SAML Attacks: XML

  • Signature Exclusion (simply delete the Signature element)
  • XML Signature Wrapping
    • Paper: “On Breaking SAML: Be Whoever You Want to Be” (2012)
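Both XML attacks above work against the service provider's parsing logic rather than against the cryptography, so the defence is structural. The following is an added example (not code from the Area41 talk, the paper, or any SAML library) of the checks a service provider should run on a SAML Response before trusting the subject: reject a response with no signature on the assertion, reject any document containing more than one Assertion element, and require that the signature's Reference points at the ID of the very assertion that will be consumed. It assumes assertion-level signatures and that the signature value itself is verified separately by a real XML-security library; the sample responses are constructed, with a placeholder where the signature value would be.

```python
"""Structural checks a service provider should run on a SAML Response.

Added example; not code from the Area41 talk or the referenced paper.
Assumption: cryptographic verification of the XML-DSig is done by an
XML-security library before or after these checks. This block only shows
the structural rules that stop Signature Exclusion and XML Signature
Wrapping, which attack *which* element is trusted, not the crypto itself.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]


def validate_response(xml_text):
    """Return a dict: ok (bool), reason (str), subject (NameID or None)."""
    root = ET.fromstring(xml_text)

    # Rule 1: exactly one Assertion anywhere in the document, and it must be a
    # direct child of the Response. Wrapping adds a second Assertion somewhere
    # and relies on the SP reading a different element than the signed one.
    everywhere = list(root.iter(ASSERTION_TAG))
    direct = root.findall("saml:Assertion", NS)
    if len(everywhere) != 1 or len(direct) != 1:
        return {"ok": False, "subject": None,
                "reason": "expected exactly one Assertion, found %d (possible signature wrapping)"
                % len(everywhere)}
    assertion = direct[0]

    # Rule 2: the Assertion must carry its own enveloped signature. An SP that
    # treats "no signature" as "nothing to verify" is open to signature exclusion.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return {"ok": False, "subject": None,
                "reason": "Assertion carries no ds:Signature (signature exclusion)"}

    # Rule 3: the signature's Reference must point at this Assertion's ID, so the
    # element we consume is the element that was signed.
    uris = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    expected = "#" + assertion.get("ID", "")
    if uris != {expected}:
        return {"ok": False, "subject": None,
                "reason": "signature references %s, not %s" % (sorted(uris), expected)}

    # Only now, and only after the library has verified the SignatureValue
    # against the IdP's pinned certificate, may the subject be trusted.
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"ok": True, "reason": "structural checks passed", "subject": subject}


# --- constructed sample messages (not captured from any real IdP) -----------
def _assertion(aid, name, signed=True, ref=None):
    sig = ""
    if signed:
        sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
               '<ds:Reference URI="%s"/></ds:SignedInfo>'
               '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
               % (NS["ds"], ref or "#" + aid))
    return ('<saml:Assertion ID="%s">%s<saml:Subject><saml:NameID>%s</saml:NameID>'
            '</saml:Subject></saml:Assertion>' % (aid, sig, name))


def _response(*assertions):
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">%s</samlp:Response>'
            % (NS["samlp"], NS["saml"], "".join(assertions)))


GOOD = _response(_assertion("_a1", "alice"))
# Signature element removed: the kind of document Rule 2 must reject.
UNSIGNED = _response(_assertion("_a1", "alice", signed=False))
# Two Assertions, only one of them signed: the kind of document Rule 1 must reject.
WRAPPED = _response(_assertion("_evil", "admin", signed=False), _assertion("_a1", "alice"))
# Signature whose Reference covers the Response ID instead of the Assertion ID.
MISREF = _response(_assertion("_a1", "alice", ref="#_r1"))

if __name__ == "__main__":
    for label, doc in [("GOOD", GOOD), ("UNSIGNED", UNSIGNED),
                       ("WRAPPED", WRAPPED), ("MISREF", MISREF)]:
        print(label, validate_response(doc))
```

The order matters: the structural rules run on the raw document first, so the library's signature check is then applied to the one element the SP will actually read.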

SSO is supposed to be a technology that makes accessing multiple network systems easier and safer. So if there is a way to attack it and gain access, it defeats the purpose of all this defense.


Contact Us to discuss auditing your network environment

You are Good, But Neighbor is not… Now What?

Let’s set this up…

You have paid attention to some cybersecurity efforts and have a number of defenses, maybe not “all of them”, but your risk management matrix has shown you where to focus. What is the impact on a device if it has cybersecurity problems?

Assuming you set up the probability matrix of the failure impact of all of your devices… did you think of everything?

What about this:

Internet Storm Center has a story, “More malspam pushing Lokibot”.

The post is about an email attachment in RTF (Rich Text Format) which, when it runs, downloads an exploit for CVE-2017-11882 that installs Loki, the information stealer.

Once Loki is on the machine it will contact home base, and more.

Loki is an especially bad piece of malware, as it steals FTP credentials, SMTP credentials, browser data and database information, and has keylogger abilities.

So how do we defend against this malware? We need to deny the entry points, because once the malware is in one of your systems or one of your partners' systems, it is a different game.
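Denying this entry point means the mail gateway has to recognise an RTF attachment by its content, not by its name, since an RTF file renamed to .doc still opens in Word. The following is an added example (not code from the Internet Storm Center post or any gateway product) of that check over constructed MIME messages: it decodes each attachment, tests for the RTF header, and reports files whose extension does not match their content. The sender addresses, filenames and attachment bytes are constructed.

```python
"""Mail-gateway style check for RTF attachments, whatever they are called.

Added example, not code from the Internet Storm Center post. Assumptions: the
gateway hands us the raw RFC 822 bytes and policy is "quarantine RTF
attachments". Files are identified by content, not by name.
"""
import email
from email import policy
from email.message import EmailMessage

# Genuine RTF starts with "{\rtf1". Word also accepts a truncated "{\rt"
# header, so matching the shorter prefix catches sloppier samples as well.
RTF_PREFIX = b"{\\rt"
RTF_EXTENSIONS = (".rtf",)


def looks_like_rtf(data):
    """Content-based test: skip leading whitespace, then check the magic."""
    return data.lstrip().startswith(RTF_PREFIX)


def scan_message(raw_bytes):
    """Return a list of (filename, reason) for every attachment to quarantine."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""   # base64/QP decoded bytes
        by_content = looks_like_rtf(data)
        by_name = name.lower().endswith(RTF_EXTENSIONS)
        if by_content and not by_name:
            findings.append((name, "RTF content under a non-RTF name"))
        elif by_content or by_name:
            findings.append((name, "RTF attachment"))
    return findings


# --- constructed sample messages (not real malspam) -------------------------
def _mail(filename, data, subtype):
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


# RTF bytes disguised as an old-style Word document.
DISGUISED = _mail("invoice.doc", b"{\\rtf1\\ansi\\deff0 {\\fonttbl} hello}", "msword")
# Plainly named RTF.
PLAIN_RTF = _mail("invoice.rtf", b"{\\rtf1\\ansi hello}", "rtf")
# A ZIP-based .docx (starts with the PK signature) is left alone by this rule.
DOCX = _mail("report.docx", b"PK\x03\x04" + b"\x00" * 16,
             "vnd.openxmlformats-officedocument.wordprocessingml.document")

if __name__ == "__main__":
    for label, raw in [("DISGUISED", DISGUISED), ("PLAIN_RTF", PLAIN_RTF), ("DOCX", DOCX)]:
        print(label, scan_message(raw))
```

A content check like this is one gate; the page's point stands that once the attachment runs, the defence has to move to the host and the network.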


So what happens when you think the neighbor is infected? The firewall is no longer in play, as all internal machines are now open to attack. All it takes is another payload dropped onto the infected machine that takes advantage of other machines with weak defenses.

So the problem is that any machine that you allow into your network (with VPN or otherwise) can also make your network systems weaker.

Coming back to our neighbor: if the neighbor does not apply the same security methods as you do, they are now a liability if you do not take the neighbor threat seriously.

I want to give an example: an apartment building that has been set up with internet service from a well-known ISP. So you get an apartment, and the internet service is built into the price of the apartment (or at least is a minor add-on).

The apartment people tell you to just plug into the wall and voilà, you have internet service.

So when I plug in, do I get my own router? Or am I connected to a switch shared with every other apartment first? So now I have to run a discovery scan and check all the other IP addresses first?

This is why one runs a discovery scan: to see all the machines that are on the network and that can see you. This is all part of your company's risk management.
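The discovery scan only earns its keep when its result is compared against what you expect to be there. The following is an added example (not code from this post) of that comparison: it parses the neighbour table as printed by `ip neigh show` on Linux, which lists every host the kernel has exchanged ARP or NDP traffic with, and reports the MAC addresses that are neither in your inventory nor the gateway. The inventory, the gateway MAC and the neighbour lines are constructed; on a shared apartment segment the unexplained entries are the neighbours the post is warning about.

```python
"""Compare what a discovery scan sees with what you expect to be there.

Added example, not from the post. Assumes the scan output is the neighbour
table printed by `ip neigh show` (fields: IP, "dev", interface, optionally
"lladdr" and a MAC, then a state word) and that KNOWN maps the MACs you own
to a label. The gateway MAC is passed in separately, since the ISP's router
is expected but is not yours.
"""
import ipaddress

# Constructed inventory: the devices the tenant actually owns.
KNOWN = {
    "00:11:22:33:44:01": "my laptop",
    "00:11:22:33:44:02": "my printer",
}
GATEWAY_MAC = "00:11:22:33:44:ff"   # constructed

# Constructed `ip neigh show` output; one line per host the kernel has seen.
SAMPLE_NEIGH = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:ff REACHABLE
10.0.0.20 dev eth0 lladdr 00:11:22:33:44:01 STALE
10.0.0.21 dev eth0 lladdr 00:11:22:33:44:02 REACHABLE
10.0.0.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.0.78 dev eth0 lladdr de:ad:be:ef:00:02 DELAY
10.0.0.99 dev eth0 FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:ff router REACHABLE
"""


def parse_neigh(text):
    """Parse `ip neigh` lines; FAILED/INCOMPLETE entries have no MAC and keep mac=None."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "dev":
            continue   # not a neighbour line
        mac = fields[fields.index("lladdr") + 1].lower() if "lladdr" in fields else None
        entries.append({
            "ip": ipaddress.ip_address(fields[0]),
            "dev": fields[2],
            "mac": mac,
            "state": fields[-1],
        })
    return entries


def unexpected_neighbours(entries, known, gateway_mac):
    """Entries that answered on the segment but belong to nobody in the inventory."""
    return [e for e in entries
            if e["mac"] is not None and e["mac"] != gateway_mac and e["mac"] not in known]


def report(text, known, gateway_mac):
    """Summary a risk register can consume: how many hosts were seen, which are strangers."""
    entries = parse_neigh(text)
    strangers = unexpected_neighbours(entries, known, gateway_mac)
    return {
        "seen": len(entries),
        "strangers": sorted({str(e["ip"]) for e in strangers}),
        "stranger_macs": sorted({e["mac"] for e in strangers}),
    }


if __name__ == "__main__":
    print(report(SAMPLE_NEIGH, KNOWN, GATEWAY_MAC))
```

Run it against the real `ip neigh show` output after the discovery scan has populated the table; a non-empty strangers list on what was supposed to be your own segment is the signal that you are on a shared switch and need your own router.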


Contact Us to discuss Risk management and more.

Criminals Trying to Run Crypto Miners on Your Systems

Good YouTube video: “Rise of the Miners” by Josh Grunzweig

Ransomware is no longer a viable method of making money for the criminals: since Bitcoin is worth a lot of money, it would be difficult to get people to pay for their ransomed computers.

So the criminals have moved to cryptomining.

The cryptominers have infected hundreds of thousands of machines to capture pennies per day from each machine. Together, on a daily basis, the criminal can accumulate wealth, and it never ends: 609,000 machines times 2 pennies per day = $12,180 per day, or $365,000 per month, $4.4 million per year.

It may be worth it for the criminal to spend a little money on spam or watering hole attacks. A watering hole attack is one where a popular website is infected with malware (the “water hole”). As soon as the infections go into the hundreds of thousands, the traffic and infrastructure will be noticed, so the criminal may need to bribe various organizations as well. In Russia, for example, one may have to pay local government officials to keep quiet (or in China too).

In North Korea, the state itself could be running an operation like this.


Contact us to discuss this phenomenon.

How many Bad Cyber-Characters Are There?

As I was listening to “The Future is not Blockchain. It’s Hashgraph.”, I had a question as they were discussing how a potential attack could come into their product, i.e. what if 3 out of 5 players in a card game were cheaters? Obviously the cheaters would win, unless the game was found out to be cheated and you could enforce something to recoup losses.

The problem we have is that we are on the Internet, and we have to be, so my question came naturally: how many bad characters are on the Internet right now?

Let’s list some of the known actors:

  1. Ransomware creators (criminal syndicates in friendly legal areas, such as East European countries)
  2. Ransomware creators (bad state actors like North Korea, Iran, and to some degree China, only because China has some local governments that can do this for some time, and any others that push their weight around)
  3. Malware creators that want to make Bitcoin or Monero by using your computers to mine cryptocurrencies (could be anybody)
  4. DoS (Denial of Service) attacks, used for threats and ransom in other ways, are sold on the Dark Web for money, so anybody can attack anybody else (competitors, neighbors, etc.)


The reality is that we do not know our adversaries “exactly”, and there are estimates that ransomware cost $5 billion in 2017, but numbers can be inflated.

But let’s turn that around: if your device receives ransomware and you cannot unlock it, then statistics of millions (or billions) of dollars mean little when your device is not working.

So yes, it is good to know your adversary, and there is no shortage of criminals and methods to extract more money from their marks (people who do not know how to defend their computers).

What does that mean to all of us without exaggeration?

So we know there are a lot of cyber criminals, and they are constantly looking for you to mess up. They are becoming more sophisticated not less.

So here is a report by Mandiant (a FireEye company) that investigates last year’s actual breaches and other activity found at client sites and more; you can click on the report without registering.

There is also an interesting statistic they have compiled: “dwell time”, the number of days that there is evidence of a compromise on the network before detection.

In America, dwell time was 75.5 days in 2017, an improvement of 23.5 days (it was 99 days).

The average for the world was 101 days in 2017.

So this is an interesting statistic and is in line with cybersecurity discussions as I know them. A bad character, once they breach a network, will stay under the radar for a while, then perform their stealing or destruction before they are found.

So if we use both sets of information, we know the cyber criminals are making a lot of money and they are very sophisticated. They are not like the old “script kiddies” for whom it was fun to see what mischief they could get into. Today’s bad characters are here to stay, to make more money this year than last.

We have to become more sophisticated as we keep using more of the Internet with more technologies.

Contact Us to discuss the sophistication of attackers and more.

Replace your Wi-Fi Router if 2yr+ old

Insignary did some research and created a report that looked into the binary code of most of the routers on the market. TechNewsWorld has a story…

And Business Insider has a story

The short story is that many router companies do not update their devices, and even if they did, customers would have to upgrade the firmware, which is also doubtful; but at least it is possible to update and secure your router. Many people do not update because it is difficult or time consuming, and router upgrades require a technical skill missing in most home users anyway. It seems that all of the vulnerabilities of the routers are in open source (OSS) components:

WPA2 (KRACK) – key reinstallation attack

ffmpeg – DoS attack

openssl – DoS attack and remote code execution

Samba – remote code execution

The OSS components have weaknesses which are also out in the open.

New, secure versions of these components have been created but have not been built to coexist with the Wi-Fi devices (within their firmware). If they had been, you would have to download the firmware and then update your device with it. The process of updating firmware in Wi-Fi routers differs with each manufacturer; I would go to your manufacturer’s website and try to find out if new firmware has been released.

But as a safety precaution (with security in mind) it is probably best just to buy a new Wi-Fi router (one whose software does not have these old vulnerabilities).

So it depends on your level of risk and what you are protecting. Myself, I always like to update my computers and Wi-Fi devices every year or every two years anyway. If you are in the habit of doing this as a standard way of doing business, you will not be affected by these vulnerabilities.


Contact Us to discuss your risk exposure and decide what upgrade standards you might need.