Author: zafirt

Headless OpenVAS install

I needed to run OpenVAS (OpenVAS stands for Open Vulnerability Assessment System) the Linux based vulnerability management software on a virtual machine, which means it does not have its own monitor that one sits at to see this screen:

OpenVAS is made by Greenbone, “which develops OpenVAS as part of their commercial vulnerability management product family “Greenbone Security Manager” (GSM). “(from their main web page:)

OpenVAS was developed out of the Nessus code base since 2005, now at github.  The developer of Nessus decided to make Nessus closed source(proprietary) in October of 2005, so openVAS was created and initially named GNessUs.

Why am I talking OpenVAS today? Because I was tasked to install it on a virtual system.

So, one has to install OpenVAS (or update on some Linux distributions since it is already installed by default).  So I work with Kali Linux,  since I use a lot of other tools that are built into the distribution. I wanted to keep some familiarity and so run OpenVAS on Kali Linux.

What are you installing? Several pieces that will need to run on the virtual machine:

As you can see in the image above the Greenbone Security Assistant is software that connects to the OpenVAS Manager and Scanner to run the scans to the targets. OpenVAS uses NVTs(Network Vulnerability Tests) to run the scans. Up to this point (3/18/2019) there are over 49600 tests. CVEs now number 115906.

So in a standard kali Linux install one has the OpenVAS version that comes with it, so to use OpenVAS you have to upgrade Kali first using the following commands:

apt-get update && apt-get install openvas

So now that you have the latest version on your machine how are you going to access OpenVAS? since you cannot sit at the monitor of a virtual system (or what is called a headless install).

 

After some (actually a lot) of review online and some tinkering I found it useful to know some systemd.  And it just so happens that systemd has several configuration files in a few directories:

/etc/systemd/system/*

/run/systemd/system/*

/lib/systemd/system/*

 

The one that is important and relevant for OpenVAS is the /lib/systemd/system directory.

In here there are 3 files that are of importance:

Openvas-scanner.service

Openvas-manager.service

Greenbone-security-assistant.service

What we have to do to make the installation complete is to replace the ip address of the virtual machine to the greenbone-security-assistant.service file.

Specifically

change it in this manner, run the following command(changing <your ip> to the virtual system ip address):

Sed –e ‘s/mlisten=<your ip>/127.0.0.1/g’  greenbone-security-assistant.service

Example the virtual system ip address is 192.68.0.1  so this is what should be run:

Sed –e ‘s/mlisten=192.168.0.1/127.0.0.1/g’  greenbone-security-assistant.service

After running this command you have to run the following:

Systemctl  daemon-reload

(these commands need to be run with root permissions(sudo))

So once the ip address is entered in command line, and the systemd file .service file reloaded you can restart the gsad  and then log into the web interface assuming you already set up the users.  To access the Greenbone-security-assistant program enter the following in your browser:

https://192.168.0.1:9392

From there you will have to learn how to create scans and more.  But at least it is working remotely.

There is also a small issue with this procedure, it is not supported by Greenbone, they want you to install the Greenbone community edition

The security feed is more stable than the community feed (the free version) and has encrypted transmissions.

Contact us to discuss

We are Never Going to Be Secure

I did not have to put 100% in the headline: i.e. “We are never going to be 100% Secure”

Whenever there is a device that is to be used for your purposes,  someone can find a way to use that purpose against you and fight you with it.

So it is my assertion: Do not state “We are secure”!, say “we are  ‘secure’  within our abilities and budget”.

The problem is that some tasks are so basic it is unbelievable when an attack is successful.  take a look at this informational message from a WordPress security company(Wordfence):

(and in text form):
XSS Vulnerability in Abandoned Cart Plugin Leads To WordPress Site Takeovers

Last month, a stored cross-site scripting (XSS)h, Vulnerabilities, WordPress Security on March 11, 2019 by Mikey Veenstra   0 Replies flaw was patched in version 5.2.0 of the popular WordPress “plugin Abandoned Cart Lite For WooCommerce”. The plugin, which we’ll be referring to by its slug woocommerce-abandoned-cart, allows the owners of WooCommerce sites to track abandoned shopping carts in order to recover those sales. A lack of sanitation on both input and output allows attackers to inject malicious JavaScript payloads into various data fields, which will execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard.

 

 

So essentially what wordfence is suggestingwordfence is suggesting is to update WooCommerceAbandoned cart  Cart Lite for WooCommerce.

Wordfence is suggesting to update the plugin ASAP to 5.2.0 or higher to solve the sanitization checks that a bug introduced.

 

So now that we know a specific problem with a specific plugin, all we have to do is update. But this basic act of updating is not that easy sometimes.

This is typical of software and our security dilemma,  a new vulnerability is discovered, has to be fixed and patched/released. Then of course the administrators have to install the patch.

So this is why we will never be 100% secure there will always be a time when the vulnerability is discovered to the time it a patch is installed  when  we are not secure.

I wrote about this before(Dec 2017): From Vulnerability Found , to patched safe

The above image describes the journey from Vulnerability found to Patched better than

What are the  possible problems when patches are not applied? and hackers do their work first?

Here is a worst case scenario:

Onlineathens.com has the story of the  Ryunk Ransomware

Here is a notable quote:

Jackson County Sheriff Janis Mangum said Friday that experts are still cleaning their computers.

“We can book someone (in jail) without doing it on paper, but deputies are still doing paper reports,” she said.

Mangum said she received a telephone call last Saturday from the Information Technology staff “wanting to know if we had an FBI contact they could reach. That’s when I knew it was more serious than just being down,” she said.

This article does not go into the forensics investigation of how the ransomware software installed itself, and we will keep an eye out to the Internet as to how exactly this started.

But very likely something was not patched, the hacker software installed and then went from there to control the data and all the devices on the network it can.

Even if the initial infestation was unique (social engineering ) the additional attacks of infesting the rest of the computers usually requires some additional vulnerability which also can take advantage of unpatched devices.

The weaker you are with patching the more likely you will be attacked and hacked. In this case (Sheriffs computers in court house) somehow were infested and then later the encryption software download happened. After that the software tries to propagate and destroy the rest of the systems on the network.

Also an Auditor reviewing your patching is also advisable.

There are no guarantees, although one can reduce risk with enough safeguards and testing in place.

Like we can do  CISA certified contact us.

Time For Security Major Effort?

I.e. Do we need to make a major research effort to solve all(or most) Cybersecurity problems?

Why?

Because mistakes keep happening:

And these are not small mistakes – they may shift our world underneath us…  As California considers more legislation and Breach reporting requirements, other states may also look into this issue.  At Databreachtoday.com there is a story about how California is proposing new changes to Data breach notification requirements.

The California law is  adding clarification to potential breaches, as before it is not obvious that government issued identification is part of “personal identification”, and any biometric data as well.

The now defined “personal information” includes:

  • Social Security number;
  • Driver’s license number, California identification card number or other government-issued identification number;
  • Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account;
  • Medical information;
  • Health insurance information;
  • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
  • Information or data collected through the use or operation of an automated license plate recognition system.

It is good to get clarification which only means most other states will follow and also enact similar laws.

If you have a breach you are on the clock and will be judged by how fast you can deliver information to your customers or employees about the breach.

 

What is different in California is the privacy law AB375 which is actually referred as “The California Consumer Privacy Act of 2018.”

(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
There are going to be implications for all companies that store data from this law.
So are we now forced to spend a lot more money and to push for much higher Cybersecurity? Yes and no…  of course we will have to focus on Cyber aware policies that pay closer attention to how we use data, but is it truly necessary to spend an inordinate amount of money on Cyber products and people?
I don’t believe so.
We have to learn how to do the basics efficiently.
It is the basics that are not done right… that is the focus and constant improvement we need to focus on. Maybe a new tech is needed, but it will likely not cost an arm and a leg. It should be a Risk-reward analysis that uncovers what is needed from the governance policy and standards.
That is what is needed – proper governance, and reviewing what is really needed. A ‘moonshot’ or silver bullet is not there for us, we don’t have to ask some super agency to create a Cybersecurity ‘Manhattan Project’  that will solve all our problems.  The problems we have will always be there until we address them.
Let’s get after them now…  Contact us to get started.

PCI Compliance Small Biz Simplified

There are 12 pieces to PCI compliance, let’s list them and find if they are applicable, or if we can minimize our attention.

first of all it is not a major point in the standards, but creating an inventory of devices is paramount in becoming PCI compliant. Being compliant will also be easier for you if you make a proper inventory (with all the software and hardware that is applicable), but it is also good for general security even if not needed due to not touching payment card data.  Basically for PCI compliance anything that touches payment card data is going to get some extra scrutiny.

So guess what, you need to have documentation and procedures to make sure only the right people will access the data and not abuse the data. I.e. do not send payment card data in an unencrypted format over Internet for example. Another example is do not send customer data via fax or chat sessions.

So if you have documentation and have signed employee statements that they read this, then PCI compliance is easier.

 

Let’s work our way form bottom:   Must have security policy(documentation), must have testing of network and all systems, must have a firewall, must have antivirus or anti-malware software, must change default passwords, do not develop your own software (as that is much more difficult), authenticate to systems and restrict access to payment card data also physically.  Do not store cardholder data will simplify your compliance needs.

Encrypt the actual transaction from cardholder (merchant to financial institution). This machine should be an approved mechanism from your financial institution.    Although it complicates things if you have it on one of your computers. Easier if on a machine specific for swiping cards, or inserting cards.

If you focused on no development of your own software and used only a specific PCI compliant machine with documentation for your employees that would go a long way to solving your PCI compliance.  If you can segment the network (if the payment card machine needs to access the Internet which a lot do now) that will cut down on the number of machines to test by the auditor.

Monitoring the log system is just prudent, as well as making sure that the access of systems is properly authenticated.  Many of these steps are just common sense computer security items (changing default passwords).

 

Some general topic headings from PCI document:

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business need to know
  2. Identify and authenticate access to system components
  3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

Maintain an Information Security Policy

  1. Maintain a policy that addresses information security for all personnel

 

 

 

We will test your network and give you a specific list of making PCI compliance easy to follow and complete.  Contact us to discuss.

 

Phishing #1 Attack – Includes Email Scams

Have you received an email saying your password has been stolen in broken English?

Subject: "Security Notice. Someone have access to you system"

As you may have noticed, I sent you an email from your account.

This means that I have full access to your acc: On moment of crack (youremail@youremaildomain.com)  password: jfwqu6qoizxahofj0qkw

You say: this is my, but old password!
Or: I will change my password at any time!
Of course! You will be right,
but the fact is that when you change the password, my malicious code every time saved a new one!
I've been watching you for a few months now.
But the fact is that you were infected with malware through an adult site that you visited.
If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence from e-mail and messangers.
Why your antivirus did not detect my malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use.
If you want to prevent this, transfer the amount of $770 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin").
My bitcoin address (BTC Wallet) is: 1MrUDSrZiqD3ijxsBUPt2SukoFy534orP2
After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.

Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

—————————————————–

So this trickster extortionist  actually makes several mistakes (besides the spelling errors).

First of all the email says ” As you may have noticed, I sent you an email from your account.”  there is a basic issue with this statement.  All email can be ‘spoofed’ thus making it a form of spam. Spoofed means all text in the ‘From:’ means nothing it can be changed to whatever the spammer wants to make it look like.   (In fact you can change your From field yourself if you choose as an experiment)

So if your email is “youremail@emaildomain.com” then the spammer can make it look that way.

 

The other problem the spammer sextortionist has is they have to make assumptions of a video camera that is on the computer.

What if there is no video camera on the computer? then how can the video sextortion work?

So the scammer makes several assumptions:

  1. you don’t know about From spoofing
  2. ignore misspelling and bad grammar
  3. email owner used porn
  4. email owner has videocam functioning on the computer
  5. at one time there was a password that is included in email
  6. knows enough about bitcoin or can learn how to transfer money into bitcoin

Those are a lot of assumptions, and on top of that the scammer is leaving an electronic trail in Bitcoin or at least how they access bitcoin(we will not go into detail of how this is done). The scammer leaves an electronic trail as to how they access bitcoin to experienced investigators, which is why you should goto bitcoinabuse website and file a report (link below).

One thing people should do is to see how many others this has happened to and to decide what to do from here  Internet Storm Center  also had one of these (i.e. google or startpage.com a portion of the email and see what comes up).

 

What did I do you may ask?  Of course you NEVER pay the extortionist.  But one can also help the Internet denizens to reduce this type of email:  goto Bitcoin Abuse website

Go to the website and File a report by adding the bitcoin address that is included in the email so that law enforcement and other people who track and try to find these spammers can start to do something about it.

Or you can View a report with the bitcoin address to see how many others has this email gone to??  check the FAQ on bitcoinabuse.com

Above image is from Bitcoinabuse FAQ

We at oversitesentry and fixvirus.com help others with a variety  of Internet Security issues.

Update 02/02/2019 (Groundhogs Day)   Sextortion Follow the money part 3 – The Cashout begins!

So the short story is the scammers have accumulated a lot of money in hundreds(434) Bitcoin addresses which slowly started to move the money into a few addresses, as much as $21.5mil  plus $18.5mil .  Then from there the bitcoin addresses will be “mixed” so experts like in the link above will not be able to tell where the money goes (anonymity) using bestmixer.io.

So again please do not pay these scammers if you receive an email like the one included in this blog.