Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wordpress-seo domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114
Education Archives - Page 2 of 2 - Cyber Security News
Secure Socket Layer (SSL) and its successor, Transport Layer Security (TLS), are widely used protocols for secure online communication. They provide encryption and authentication between two applications over a network, ensuring the confidentiality and integrity of data transmitted between them.
However, SSL/TLS is not invulnerable, and over the years, several vulnerabilities have been discovered that can compromise the security of online transactions. One of the most significant vulnerabilities is the POODLE attack, discovered in 2014, which affects the older versions of SSL/TLS. This vulnerability allows an attacker to exploit the way SSL/TLS handles padding in the encryption process, enabling them to read encrypted information, including sensitive information such as passwords and credit card numbers.
Another vulnerability is the BEAST attack, which exploits a vulnerability in the way SSL/TLS handles block ciphers in older versions of the protocol. This attack allows an attacker to intercept and decrypt secure HTTPS cookies, potentially giving them access to sensitive data.
A third vulnerability is known as the DROWN attack, which can exploit weak encryption protocols such as SSLv2. The attack allows an attacker to read encrypted data transmitted over an SSL/TLS connection by exploiting a flaw in the SSLv2 protocol. Even though SSLv2 is now considered obsolete and no longer used, some older systems may still have it enabled, leaving them vulnerable to attack.
To ensure the maximum security of your online transactions, it’s essential to be aware of the potential vulnerabilities of SSL/TLS and to take necessary precautions. To start with, it’s recommended to use the latest version of TLS, which is currently TLS 1.3, and to disable support for older, insecure protocols like SSLv2 and SSLv3.
It’s also important to use strong encryption ciphers and to regularly test your TLS configuration for potential vulnerabilities. This can be done using tools like SSL Labs’ SSL Server Test, which can check the strength of your TLS configuration and identify any potential vulnerabilities.
Another crucial step is to regularly update your TLS certificates, which verify the identity of the server you’re communicating with and ensure that your data is not intercepted by an attacker. TLS certificates have an expiration date, so it’s essential to keep them up to date to ensure maximum security.
Finally, consider using other security measures like firewalls, antivirus software, and two-factor authentication to provide an additional layer of protection.
By taking these necessary precautions, you can significantly reduce the risk of SSL/TLS vulnerabilities and ensure the maximum security of your online transactions.
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs.
The goal is to support all those methods (including automatic ones) to control and prevent software errors. It can be used at the development stage, during the Code Review activity, and later on during the penetration test activity to classify and communicate the vulnerability type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities
The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications. The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.
Description An attacker can inject a Windows UNC share (‘\UNCsharename’) into a software system to potentially redirect access to an unintended location or arbitrary file. Modes of Introduction: – Implementation Related Weaknesses CWE-36 Consequences Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories Potential Mitigations Phase: Implementation Effectiveness: High Description: …
Description The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Modes of Introduction: – Operation Likelihood of Exploit: High Related Weaknesses CWE-664 Consequences Availability: DoS: Crash, Exit, or…
Description The software’s user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system. Software systems should warn users that a potentially dangerous action may occur if the user proceeds. For example, if the…
Description The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-693 Consequences Non-Repudiation: Hide Activities Potential Mitigations CVE References CVE-2007-1099 User not sufficiently warned if host key…
Description The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-573 CWE-693 CWE-345 CWE-290 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations CVE References CVE-2002-0862 Browser…
Description The product does not properly prevent a person’s private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. Modes of Introduction: – Architecture and Design Related…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as “/abs/path” that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that…
Description Security based on event locations are insecure and can be spoofed. Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop…
Description The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Modes of Introduction: – Architecture and Design …
Description The software checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the software to access the wrong file. While developers might expect that there is a very narrow time window between…
Description The software uses a signal handler that introduces a race condition. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-362 CWE-415 CWE-416 CWE-123 Consequences Integrity, Confidentiality, Availability: Modify Application Data, Modify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands It may be possible…
Description This entry has been deprecated. There are no documented cases in which a switch’s control expression is evaluated more than once. It is likely that this entry was initially created based on a misinterpretation of the original source material. The original source intended to explain how switches could be unpredictable when using threads, if…
Description If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-362 CWE-662 CWE-662 Consequences Integrity, Other: Alter Execution Logic, Unexpected…
Description The software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. This weakness can…
Description A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product’s behavior during the switch. This is commonly seen in web browser vulnerabilities in which the attacker can perform certain actions while the…
Description The product divides a value by zero. This weakness typically occurs when an unexpected value is provided to the product, or if an error occurs that is not properly detected. It frequently occurs in calculations involving physical dimensions such as size, length, width, and height. Modes of Introduction: – Implementation Likelihood of Exploit:…
Description A software system that accepts input in the form of a slash absolute path (‘/absolute/pathname/here’) without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files. Modes of Introduction: – Implementation Related Weaknesses CWE-36 CWE-160 Consequences Confidentiality, Integrity: Read Files or Directories, Modify…
Description The software does not check the revocation status of a certificate after its initial revocation check, which can cause the software to perform privileged actions even after the certificate is revoked at a later time. If the revocation status of a certificate is not checked before each action that requires privileges, the system may…
Description The software does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-664 Consequences Integrity, Other:…
Description This entry was deprecated because it overlapped the same concepts as race condition (CWE-362) and Improper Synchronization (CWE-662). Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
Description The program sends non-cloned mutable data as an argument to a method or function. The function or method that has been called can alter or delete the mutable data. This could violate assumptions that the calling function has made about its state. In situations where unknown code is called with references to mutable data,…
Description Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function. In situations where functions return references to mutable data, it is possible that the external code which called the function may make changes to the data sent. If this data was not previously…
Description A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. The use of predictable seeds significantly reduces the number of possible seeds that an attacker would need to test in order to predict which random numbers will be generated by the PRNG. Modes of Introduction:…
Description The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG’s algorithm is not cryptographically strong. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-330 CWE-330 Consequences Access Control: Bypass Protection Mechanism If a PRNG is used for authentication and authorization, such…
Description A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks. PRNGs are entirely deterministic once seeded, so it should be extremely difficult to guess the seed. If an attacker can collect the outputs of a PRNG and then brute force the seed by trying…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘….//’ (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity:…
Description The product uses a scheme that generates numbers or identifiers that are more predictable than required. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-330 Consequences Other: Varies by Context Potential Mitigations CVE References
Description A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-340 Consequences Other: Varies by Context This weakness could be exploited by an attacker…
Description An exact value or random number can be precisely predicted by observing previous values. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-340 Consequences Other: Varies by Context Potential Mitigations Phase: Description: Increase the entropy used to seed a PRNG. Phase: Architecture and Design, Requirements Description: Use products or…
Description The software’s random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated. The output of a random number generator should not be predictable based on observations of previous values. In some cases, an attacker…
Description The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-330 Consequences Other: Varies by Context Potential Mitigations CVE References CVE-2002-0980 Component for web browser writes an error message to a known…
Description The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-693 Consequences Integrity, Other: Varies by Context, Unexpected State Potential Mitigations CVE References
Description The software does not properly verify that the source of data or communication is valid. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-345 CWE-345 CWE-284 Consequences Access Control, Other: Gain Privileges or Assume Identity, Varies by Context An attacker can access any functionality that is inadvertently accessible to the…
Description The software does not verify, or incorrectly verifies, the cryptographic signature for data. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-345 CWE-345 Consequences Access Control, Integrity, Confidentiality: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands An attacker could gain access to sensitive data and…
Description The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-345 Consequences Access Control: Bypass Protection Mechanism, Gain Privileges or…
Description The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-345 Consequences Access Control, Integrity: Bypass Protection Mechanism, Modify Application Data An attacker could package…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘…/…//’ (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity:…
Description The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-290 CWE-923 CWE-807 CWE-923 Consequences Access Control:…
Description The software does not properly distinguish between different types of elements in a way that leads to insecure behavior. Modes of Introduction: – Implementation Related Weaknesses CWE-345 CWE-436 Consequences Other: Other Potential Mitigations CVE References CVE-2005-2260 Browser user interface does not distinguish between user-initiated and synthetic events. CVE-2005-2801 Product does…
Description The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible…
Description The software uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum. If integrity check values or “checksums” are omitted from a protocol, there is no way of determining if data has been corrupted in transmission. The lack of checksum functionality…
Description The software does not validate or incorrectly validates the integrity check values or “checksums” of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. Improper validation of checksums before use results in an unnecessary risk that can easily be mitigated. The protocol specification describes the…
Description The application stores sensitive information in cleartext in an executable. Attackers can reverse engineer binary code to obtain secret data. This is especially easy when the cleartext is plain ASCII. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode…
Description The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Many communication channels can be “sniffed” by attackers during data transmission. For example, network traffic can often be sniffed by any attacker who has access to a network interface. This significantly lowers the difficulty…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘…’ (triple dot) sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity: Read Files…
Description The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-798 CWE-798 CWE-798 Consequences Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity If hard-coded cryptographic keys are used, it…
Description The software performs a key exchange with an actor without verifying the identity of that actor. Performing a key exchange will preserve the integrity of the information sent between two entities, but this will not guarantee that the entities are who they claim they are. This may enable an attacker to impersonate an actor…
Description Nonces should be used for the present occasion and only once. Nonces are often bundled with a key in a communication exchange to produce a new session key for each exchange. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-344 Consequences Access Control: Bypass Protection Mechanism,…
Description The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged…
Description The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. Modes of Introduction: – Implementation Related Weaknesses CWE-573 CWE-358 Consequences Access Control: Bypass Protection Mechanism Confidentiality, Integrity: Read Application Data, Modify Application Data Accountability, Non-Repudiation: Hide Activities Potential Mitigations…
Description The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources. Modes of Introduction: –…
Description The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Well-known techniques may exist to break…
Description The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same…
Description The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-1204 CWE-573 Consequences Confidentiality: Read…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘….’ (multiple dot) sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity: Read Files…
Description The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive…
Description The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-330 CWE-330 Consequences Access Control, Other: Bypass Protection Mechanism, Other An attacker could guess the random numbers…
Description The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-331 Consequences Availability: DoS: Crash, Exit, or Restart If a pseudo-random number generator is using a limited…
Description True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block. The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security. Modes of Introduction: – Architecture and Design Likelihood of…
Description The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-330 Consequences Access Control, Other: Bypass Protection Mechanism, Other An attacker could easily guess the values used. This could lead to…
Description The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-330 CWE-330 Consequences Access Control, Other: Bypass Protection Mechanism, Other If a PRNG is used incorrectly, such as using the same seed for each initialization or using a…
Description A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. Given the deterministic nature of PRNGs, using the same seed for each initialization will lead to the same output in the same order. If an attacker can guess (or knows) the seed, then the attacker may be able to…
Description The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. An improper check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘dir..filename’ (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity:…
Description The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. In order to establish secure communication between…
Description Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Medium Related Weaknesses CWE-287 CWE-327 Consequences Access Control: Gain Privileges or Assume Identity The primary result of reflection attacks…
Description The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-807 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations Phase: Architecture and Design, Operation, Implementation Description: …
Description The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. This incorrect implementation may allow authentication to be bypassed. Modes of Introduction: – Implementation Related Weaknesses CWE-287 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations CVE References CVE-2003-0750 Conditional…
Description The software implements an authentication technique, but it skips a step that weakens the technique. Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-573 Consequences Access…
Description The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations CVE References CVE-2002-1374 The provided password…
Description The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-287 CWE-287 Consequences Access Control, Other: Gain Privileges or Assume Identity, Other Exposing critical functionality essentially…
Description The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-287 CWE-799 Consequences Access Control: Bypass Protection Mechanism An attacker could perform an arbitrary…
Description The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused,…
Description The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism. Password systems are the simplest and most ubiquitous authentication mechanisms. However, they are subject to such well known attacks,and such frequent compromise that their use in the most…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘dir….filename’ (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality,…
Description The software does not encrypt sensitive or critical information before storage or transmission. The lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-693 Consequences Confidentiality: Read Application…
Description The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode…
Description The application stores sensitive information in cleartext in a file, or on disk. The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which…
Description The application stores sensitive information in cleartext in the registry. Attackers can read the information by accessing the registry key. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. Modes of Introduction: – Architecture and Design …
Description The application stores sensitive information in cleartext in a cookie. Attackers can use widely-available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information. Modes of Introduction: –…
Description The application stores sensitive information in cleartext in memory. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-312 Consequences Confidentiality: Read Memory Potential Mitigations CVE References CVE-2001-1517 Sensitive authentication information in cleartext in memory. BID:10155 Sensitive authentication information in cleartext in memory. CVE-2001-0984 Password protector leaves passwords in memory…
Description The application stores sensitive information in cleartext within the GUI. An attacker can often obtain data from a GUI, even if hidden, by using an API to directly access GUI objects such as windows and menus. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which…
Description The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-755 …
Description The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-732 CWE-732 Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data Potential Mitigations CVE…
Description The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-284 Consequences Access Control: Gain Privileges or Assume Identity Potential Mitigations Phase: Architecture and Design, Operation Description: Very carefully manage the setting, management,…
Description The software does not properly verify that a critical resource is owned by the proper entity. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-282 Consequences Access Control: Gain Privileges or Assume Identity An attacker could gain unauthorized access to system resources. Potential Mitigations Phase: Architecture and Design, Operation…
Description The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Modes of Introduction: – Architecture and Design Related Weaknesses Consequences Other: Varies by Context Potential Mitigations Phase: Architecture and Design, Operation Description: Very carefully manage the setting, management, and handling of privileges. Explicitly manage…
Description The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write,…
Description The software does not properly manage a user within its environment. Users can be assigned to the wrong group (class) of permissions resulting in unintended access rights to sensitive objects. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-284 Consequences Other: Varies by Context Potential Mitigations CVE References
Description When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High Related Weaknesses CWE-284 CWE-284 Consequences Integrity, Confidentiality, Availability, Access Control: Read Application Data, Gain Privileges or Assume Identity,…
Description A product requires authentication, but the product has an alternate path or channel that does not require authentication. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-284 CWE-420 CWE-425 Consequences Access Control: Bypass Protection Mechanism Potential Mitigations Phase: Architecture and Design Description: Funnel all access through a single…
Description The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 Consequences Access Control: Bypass Protection…
Description The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ‘..filename’ (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. Modes of Introduction: – Implementation Related Weaknesses CWE-23 Consequences Confidentiality, Integrity:…
Description This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks. Modes of Introduction: – Architecture and Design Related Weaknesses CWE-287 CWE-287 Consequences Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity This weakness can allow an attacker to access resources which are not otherwise…
Description The software uses an IP address for authentication. IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the…
Description This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. Modes of Introduction: Related Weaknesses Consequences Potential Mitigations CVE References
Description The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking. The referer field in HTML requests can be simply modified by malicious users, rendering it useless as a means of checking the validity of the request in question. Modes of Introduction: –…
Description A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). Capture-replay attacks are common and can be difficult to defeat…
Description The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or…
Description The software does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Low Related Weaknesses CWE-295 CWE-573 Consequences Non-Repudiation:…
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Vulnerability analysis includes the detection, assessment, classification and treatment based on the risk they pose to the company.
Vulnerability Identification
A security team can detect vulnerabilities following different approaches. As part of a vulnerability management process, it is good practice to subscribe to the mailing lists in which vulnerabilities and related countermeasures are disclosed. This service is usually offered by the vendor or, if not available, through third parties. It is a very time expensive but necessary task. You must perform it on a daily basis to promptly detect vulnerabilities and to comply with several standards/regulations. Other inputs could derive from the analysis of the hardening procedures reports/tasks, the periodic review of the access rules and of the company policies and procedures.
Tools
Thanks to tools like Nessus and OpenVAS, it is possible to partially automate the discovery and analysis of vulnerabilities. After verifying the active hosts and the related services, we can deepen our analysis and determine the operating system and application versions.
As shown in the figure, Nessus provides the list of vulnerabilities to which each analyzed host is potentially vulnerable. Potentially because the scanner does not attempt to exploit the vulnerability. This phase, often manual, is not part of the vulnerability analysis process and is normally carried out within a penetration test.
CVSS
In the report, vulnerabilities are classified according to the CVSS (Common Vulnerability Scoring System), a framework used to classify software vulnerabilities. CVSS is an important tool that simplifies the vulnerability management process.
Let’s pretend you are in a meeting with the company management and you have to share the results of your vulnerability analysis. The test results were not good: you need at least three system administrators for one month to implement the remediation plan. You need to install patches, implement countermeasures, and you have to do it fast. During the meeting, you could try to tell management that you found several RCE-type vulnerabilities on systems deployed in your DMZ. Attackers do not need system/applications credentials to perform the attack and exploits are readily available on the Internet. Or you could report the presence of several CVSS 10 vulnerabilities on critical systems. For more information on CVSS, in its two versions 2.0 and 3.0, I suggest reading our article.
CVE & NVD
Each vulnerability has a Common Vulnerability and Exposures (CVE) ID, in the form of CVE-YYYY-NNNN. The assignment of an ID to each vulnerability allows one to keep track of it and to automate/simplify the integration of the different tools available to an analyst.
Let’s say you have just detected a vulnerability on your firewall appliance. Since it is a well-known vulnerability, it has got a specific CVE-ID. Assuming that your firewall vendor catalogues their vulnerabilities and patches by CVE, it is going to be easy to ask the vendor for additional information, search for the relevant patches and to minimize the possible impacts of applying remediation on the infrastructure. Furthermore, it is going to be easy to find the relevant signature in your IDS/IPS. CVE is operated by “The Mitre Corporation“. More details can be obtained on the cve.org website.
NVD (National Vulnerability Database) is managed by NIST (National Institute of Standards and Technology). NVD is a vulnerability database: for each CVE information such as countermeasure, criticality and impact is provided.
CWE & OWASP
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWEs. The CWE Top 25 Most Dangerous Software Weakness List is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, the CWE-79 is related to Cross-Site Scripting while the CWE-89 to SQL Injection. A similar project is Top Ten Owasp (Open Web Application Security Project). Compared to the CWE Top 25, the Top Ten OWASP focuses solely on vulnerabilities of web applications. The CWE Most Important Hardware Weakness List serves the same purpose, but it focuses on hardware defects.
Vulnerabilty Analysis steps
Vulnerability analysis comprehends different phases.
Preparatory phase
it is not possible to carry out a thorough and reliable analysis without having a deep knowledge of the infrastructure/application under examination. If the procedure for managing IT services and their related assets is not implemented, it is not going to be possible to classify and prioritize vulnerabilities. Let’s say our vulnerability scanner found 300 vulnerabilities on approximately 30 hosts. Which vulnerabilities should I prioritize? Which one shall I remediate immediately? The answer relies not only on the vulnerability severity but also on how important are the hosts and services affected by it.
Discovery and analysis of vulnerabilities
You performed vulnerability scans, you analysed security advisories, system configurations, your company policies and procedures. You have a comprehensive list of vulnerabilities. You can now prioritise them, identify false positives (and false negatives), and improve the results with your knowledge of the infrastructure/application. At the end of this phase, your security team will produce a vulnerability scan report.
Post assessment
It is now possible to define a remediation plan. The remediation plan is not a mere list of the patches, countermeasures and IPS rules: if your analysis has shown the presence of several SQL Injection, CRSF and XSS vulnerabilities in the software developed internally (or by a specific supplier), you must immediately schedule secure programming training classes for your developers.
If these kinds of vulnerabilities are found on software purchased from third parties, you must tell the service owner to look for a new vendor.
While the first scenario is a symptom of a poor security awareness policy, the second one highlights a poor supplier policy: do you review your supplier security policies after you sign a contract? Do you ask to review their development procedures? Do they regularly perform code reviews? Is security fully integrated into their development life-cycle? Outsourcing has hidden costs that you always need to consider.
Once the remediation plan has been implemented, the security team shall verify it has been properly implemented. Depending on its size, the implementation of the remediation activities can take several weeks, if not months. It is crucial to plan periodic meetings to keep the team focused and to check the progress.
What’s next?
In the next articles, we will analyse the vulnerability management process and its implications for regulations like ISO27001 and PCI-DSS. In the meantime, we suggest reading our articles about CVSS and the Metasploit lab.
Regardless of your motivations (attacker or defender), you need to know the ports, hosts and services available within a network.
From a defender’s point of view, the task is a precondition of several keys procedure:
Asset Management – whoever manages the infrastructure (and its security) must know which devices are active and present within our infrastructure. Furthermore, it helps to detect unauthorized hosts that could derive from malicious activities (or more commonly, your system administrators forgot to document them… and maybe to apply the company’s hardenization procedures).
Network scanning is a fundamental step of a company vulnerability management procedure. Here is a non-comprehensive list of its possible benefits:
it allows the detection of unauthorized services and the presence of obsolete systems;
it helps to verify the correspondence between the specifications document and the actual implementation;
it helps to verify the correct application of the hardening procedures.
Penetration test – independently from the approach in use, it is necessary to determine the active hosts and the exposed services. You have to do it even in a white-box penetration test to confirm your client/colleagues inputs.
From an attacker point of view… Well, that goes without saying 🙂
The network scanning procedure aims to identify active hosts. On the other hand, port scanning seeks to detect the ports that hosts disclose and with which it is possible to interact. Starting from the output of a network/port scanning, an attacker, or a newly hired CISO, can outline different traits of a company security posture.
In these articles we will see:
the different steps of a network scan;
some examples with the NMAP tool.
Host discovery
Port scanning involves sending several packets to the host and verifying its response. Usually, the analysis is restricted to the 1024 most common ports (it depends on the available time and the final goal of the analysis). As you may expect, performing this task for all the hosts within a network/infrastructure is time-expensive and generates a lot of noise.
In most cases, only a tiny fraction of IP addresses are active at any given moment. To avoid wasting time, the tester first perform the host discovery phase to determine the active hosts in the tested networks and infrastructure.
There are several techniques:
ARP Ping scan;
ICMP Ping scan;
UDP Ping Scan;
TCP SYN/ACK Ping scan;
IP Protocol Ping scan.
As stated in the official documentation, the default NMAP host discovery strategy involves sending an ICMP echo request (-PE), a TCP SYN segment to port 443 (-PS443), a TCP ACK segment to port 80 (-PA80), and an ICMP timestamp request (-PP).
ARP ping scans are the most effective method to detect active hosts inside a LAN. Its limits are the impossibility of applying the technique on the subnet to which it does not belong. Even if you supply other -P* options to NMAP, the tool performs by default an ARP/Neighbor Discovery against targets on a local Ethernet network since it is the fastest and more reliable technique.
An ICMP scan consists of sending ICMP echo requests to hosts on the network. If a host is found to be active, it will return an ICMP echo response. The technique has limited usability as blocking ICMP requests is part of firewalls and systems’ basic hardening rules.
A TCP scan consists in sending TCP segment to the hosts and analysing the host response. There are two different modes: TCP SYN Ping scan and TCP ACK Ping Scan.
TCP SYN SCAN
As illustrated in the figure, a TCP Syn ping scan consists of the following steps:
The tester sends a TCP SYN segment to port 80.
If the port is closed, the host responds with an RST segment.
If the port is open, the host responds with a TCP SYN/ACK segment indicating that a connection can be established.
Afterwards, an RST segment is sent to reset this connection.
Since it is a normal attempt to establish a TCP connection, traffic is not blocked by firewalls and does not require administrator permissions.
A TCP ACK ping scan instead consists of the following steps:
The tester sends an empty TCP segment with the ACK flag set to port 80 (the nmap default port, but another port can be used).
If the host is offline, it should not respond to this request.
Otherwise, it will return an RST segment and will be treated as online. An RST is sent because the TCP ACK is not associated with any valid existing connection.
ACK Ping Scan requires administrator privileges. Since it is recognized and blocked by a stateful firewall, its main goal is to get information about the filter configurations, not port status.
Port Scan
Once the active hosts within a network have been determined, a portscan can be performed to determine exposed ports and services.
Several techniques are available:
TCP Scan (Connect and Half Open Scan);
UDP Scanning;
SCTP Scanning;
SSDP Scanning.
Only the first two strategies will be considered. Please see the NMAP manual for additional information on SCTP and SSDP Scanning.
TCP Scan
With a TCP Connect scan, a TCP connection is established with the host. That is, the whole 3-way handshake is performed.
The least expensive and most performing variant, the TCP Half Open scan (TCP SYN Scan) sends the SYN segment. If an open SYN+ACK segment is received, the port will be identified as open. In case of RST, the door will be judged closed.
A third typology, foresees the TCP FIN, NULL and Xmas Scans, foresees the modification of the flags of the TCP segment (FIN, URG, PSH, NULL) in an attempt to induce a response from the server.
The technical functionality exclusively on operating systems with implementations of the TCP/IP suite compliant with RFC793. For example, it does not work with Windows systems as these return an RST in both cases.
THE SEGMENT IS COMING
If the state is CLOSED (i.e., TCB does not exist), then all data in the incoming segment is deleted. An on the way the segment containing an RST is deleted. An incoming segment no containing an RST causes an RST to be sent in response. The confirmation and sequence field values are selected to render the recovery sequence acceptable to the TCP that sent the error segment.
If the port is open, the system will not produce any while the response will return an RST/ACK segment if it is closed.
To understand the origin of the name, just look at the image below. Nmap’s -sX flag “Sets the FIN, PSH, and URG flags, illuminating the package like a Christmas tree.”
UDP scan
UDP connection does not involve a handshake. If a UDP packet is sent to a port on which no service is listening, the system will respond with an ICMP Port Unreachable. In case of no answer, the port can be considered closed or filtered.
Contermeasures
To detect and prevent network scanning attempts, we suggest the following countermeasures:
carefully design your services to reduce your attack surface; exposing only necessary services and always keep in mind the principles of least privileges and need to know.
Configure your firewalls to block all traffic that has not got a business justifications;
Periodic reviews your firewall ruleset to keep it aligned to your business needs;
Harden your servers, disabling all unused services;
Perform network and port scans to ensure your firewall/server policies are aligned to your business needs.
Configure an IDS/IPS to promptly detect network and port scans.
The first step in a cyberattack, or a penetration test, is footprinting. The attacker/analyst tries to get information about the targeted infrastructure. Thanks to footprinting techniques, attackers can obtain information such as:
personal data, skills, experience and interests of company’s employees;
company headquarters;
technologies in use (middleware, operating systems);
suppliers and consultants who collaborate periodically with the company;
blocks and network topology;
DNS records.
We can divide footprinting techniques into two macro areas:
active: it involves the collection of information with direct interaction with the target. It is a more risky practice than the passive one, as it could leave traces. The systems of the attacked organization could (should) detect the information gathering attempt. Some examples of active footprinting are the use of web spiders, email tracking, traceroute and social engineering techniques.
passive: involves the collection of information without direct interaction with the target. Some examples are the usage of search engines, social networks, job posting sites, analysis of data received from providers that monitor website’s traffic, commercial performance or deliver reports about future commercial operations of the target.
Identifying the technologies adopted by the target drastically simplifies attackers’ jobs. The awareness about the usage of certain technologies, the lack of good security practices, or of a bad security posture increases the attacker’s chances of success.
When we perform a penetration test in which the company aims to identify chances of an attacker completely unrelated to the organization, footprinting activities heavily influence the success of the test.
Footprinting with search engines and social networks
Search engines offer a myriad of information to the attacker. The advanced functions available in Google, Bing and other search engines offer information that companies are not even aware to expose to the public.
The technique, combined with the most used search engine, has taken the name of Google Hacking. For more information, you can consult our article about the Google Hacking Database.
Thanks to search engines, an attacker gets to know technologies in use (web servers, firewalls, IDS, WAF, third-party applications), IoT devices, applications for internal use only and many other information about the target.
Like search engines, social networks provide an enormous quantity of information to attackers.
An attacker can dig LinkedIn to understand who the key people of the organization are, their experience and knowledge. You can get to know their interests, their religious and political beliefs, their weaknesses. Afterwards, attacker can exploit gathered information to perform a social engineering attack.
Tools like theHarvester and sublist3r simplify attackers’ job, reducing the manual work.
Footprinting through job posting sites
The following image shows the information revealed on a job advertisement post. The job post is real. I found it on the platform indeed.com.
The company is looking for an IT System Administrator with knowledge of Linux and Solaris. They even mention the Linux distribution names and the Solaris release version. You can bet they have got some LAMP servers, that they probably monitor their infrastructure using Nagios and are using Oracle and DB2 as RDBMS. Their infrastructure may include J2EE Containers like Glassfish and JBoss and servlet containers like Tomcat. Even if they reached the EOL over 5 and 2 years ago, they are still asking for people with experience on Windows XP and 7.
You are getting information not only about the used technologies but you are also outlining the security posture of the company.
Job posts can tell you a lot more. Are they searching for IT security specialists? Besides tools and countermeasures adopted, they may even tell you how big is their security team. Are they even trying to cover important roles like CIO or CISO?
Tools and services:
We suggest looking at the following tools. We wrote a brief description of them: Sublist3r, theHarvester, Shodan, Sherlock, Burp Suite, Metagofofil, Exitftool, DNSRecon, traceroute.
Contermeasures
Your employees/colleagues’ awareness about attackers’ behaviour and techniques is fundamental for your company’s safety. Every company must adopt a security awareness policy to inform its employees about the security risks they are exposed inside and outside the office.
The adoption of security policies (hardening of the systems, analysis and reviews of IDS/IPS and other monitoring tools, etc.), the definition of roles and responsibilities will allow a company to quickly detect and react to attackers’ attempts to gather information or to exploit the knowledge they previously gained through passive footprinting techniques.
The term hacker often takes on a negative connotation.
In the past, we often focused on the distinction between a hacker, a person with deep security knowledge who explores technologies, systems and related vulnerabilities out of pure passion, and crackers, the “malicious” counterpart, who uses his knowledge to cause damage and steal data. a certain value (for example, credit cards).
RFC1392 provides the following definitions:
hacker
A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term.
cracker
A cracker is an individual who attempts to access computer system without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system.
Unfortunately, media have never bothered to understand the distinction and, for the masses, there is no difference between crackers and hackers.
In our opinion, here is the correct terminology to be used in the security sector:
Black hats (Crackers)
Crackers, or black hats, have got extraordinary computing skills but they lack ethics. They may violate laws by committing malicious or destructive acts.
Script Kiddies
An unskilled cracker who compromises systems using tools, scripts and software developed by others.
White Hats (Ethical Hacker)
An individual who uses his hacking skill for defensive purposes.
They analyse computer systems or networks to detect security issues and give recommendations for improvement to their owners.
A white hat will penetrate a system only with the authorisation and upon request of the infrastructure owner.
Gray Hats
Gray hats use their skills both offensively and defensively.
They often look for system vulnerabilities without the permission or knowledge of the owner. If they find a security issue, they may reveal it to the owner upon the payment of a small fee. Sometimes, their ultimate goal is to show their skills and create awareness about the intrinsic insecurity of the Internet.
It may be useful to know some additional terms. State-sponsored hackers are employed by the government to penetrate other government systems to damage or gain top-secret information. You have surely heard about Cyber Terrorists, individuals moved by political or religious beliefs to create fear among civilians and influence the policy of the targeted governments.
