Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are widely used protocols for secure online communication. They provide encryption and authentication between two applications over a network, ensuring the confidentiality and integrity of the data transmitted between them.
However, SSL/TLS is not invulnerable, and over the years several vulnerabilities have been discovered that can compromise the security of online transactions. One of the most significant is the POODLE attack, discovered in 2014, which affects older versions of SSL/TLS. It allows an attacker to exploit the way SSL/TLS handles padding in the encryption process, enabling them to recover encrypted data, including sensitive information such as passwords and credit card numbers.
Another vulnerability is the BEAST attack, which exploits a vulnerability in the way SSL/TLS handles block ciphers in older versions of the protocol. This attack allows an attacker to intercept and decrypt secure HTTPS cookies, potentially giving them access to sensitive data.
A third vulnerability is known as the DROWN attack, which can exploit weak encryption protocols such as SSLv2. The attack allows an attacker to read encrypted data transmitted over an SSL/TLS connection by exploiting a flaw in the SSLv2 protocol. Even though SSLv2 is now considered obsolete and no longer used, some older systems may still have it enabled, leaving them vulnerable to attack.
To ensure the maximum security of your online transactions, it’s essential to be aware of the potential vulnerabilities of SSL/TLS and to take necessary precautions. To start with, it’s recommended to use the latest version of TLS, which is currently TLS 1.3, and to disable support for older, insecure protocols like SSLv2 and SSLv3.
It’s also important to use strong encryption ciphers and to regularly test your TLS configuration for potential vulnerabilities. This can be done using tools like SSL Labs’ SSL Server Test, which can check the strength of your TLS configuration and identify any potential vulnerabilities.
Another crucial step is to regularly update your TLS certificates, which verify the identity of the server you’re communicating with and ensure that your data is not intercepted by an attacker. TLS certificates have an expiration date, so it’s essential to keep them up to date to ensure maximum security.
Finally, consider using other security measures like firewalls, antivirus software, and two-factor authentication to provide an additional layer of protection.
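The precautions above (a modern protocol floor, strong cipher suites, and certificates that are renewed before they expire) can be checked in code as well as with an online scanner. The following is an added example, not code from the original article: it builds a client-side TLS policy with Python's standard `ssl` module and checks a certificate's expiry date. The weak-cipher marker list, the cipher string, the 30-day renewal threshold and the sample dates are this example's own assumptions.

```python
# Added example (not from the original page): a defender-side checklist for the
# TLS precautions described above, using only the Python standard library.
import ssl
import time

# Substrings that identify cipher suites the article's advice rules out:
# RC4, (3)DES, NULL encryption/authentication, MD5 MACs, export-grade and
# anonymous key exchange. The marker list is this example's own assumption.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")


def hardened_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Build a client SSLContext that refuses SSLv2, SSLv3, TLS 1.0 and TLS 1.1.

    PROTOCOL_TLS_CLIENT turns on certificate verification and hostname
    checking by default; the protocol floor and cipher list are set
    explicitly so the policy does not depend on the OpenSSL build defaults.
    Raise min_version to ssl.TLSVersion.TLSv1_3 where all peers support it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    # Forward-secret AEAD suites only; the "!" entries exclude anonymous,
    # NULL, MD5, RC4 and 3DES suites (OpenSSL cipher-list syntax).
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"
    )
    ctx.load_default_certs()  # trust the platform CA store for verification
    return ctx


def protocol_floor(ctx):
    """Return the name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def cipher_names(ctx):
    """List the cipher suite names the context is willing to offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Return, sorted, the suite names that match a weak-cipher marker."""
    return sorted(n for n in names if any(m in n for m in WEAK_CIPHER_MARKERS))


def days_until_expiry(not_after, now=None):
    """Days until a certificate's notAfter field (OpenSSL text form) elapses.

    not_after uses the format returned by SSLSocket.getpeercert()['notAfter'],
    e.g. 'Jun 30 00:00:00 2025 GMT'. now is a Unix timestamp (default: current time).
    """
    expires = ssl.cert_time_to_seconds(not_after)
    current = time.time() if now is None else now
    return (expires - current) / 86400


def needs_renewal(not_after, now=None, min_days=30):
    """True when the certificate has expired or expires within min_days."""
    return days_until_expiry(not_after, now) < min_days


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("protocol floor:", protocol_floor(ctx))
    print("weak suites offered:", weak_ciphers(cipher_names(ctx)) or "none")
    # Constructed sample values: a certificate expiring 29 days after 2025-06-01 UTC.
    sample_not_after = "Jun 30 00:00:00 2025 GMT"
    sample_now = 1748736000  # 2025-06-01 00:00:00 UTC
    print("days left:", days_until_expiry(sample_not_after, sample_now))
    print("renew now?", needs_renewal(sample_not_after, sample_now))
```

In practice `weak_ciphers` is run over the suite list a server actually negotiates (for example the `notAfter` value and cipher reported by `SSLSocket.getpeercert()` and `SSLSocket.cipher()` after connecting with this context), and `needs_renewal` is scheduled as a periodic check so an expiring certificate is noticed before browsers start rejecting it.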
By taking these necessary precautions, you can significantly reduce the risk of SSL/TLS vulnerabilities and ensure the maximum security of your online transactions.
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such vulnerabilities in terms of CWE identifiers.
The goal is to support methods (including automated ones) for controlling and preventing software errors. It can be used during development, during code review, and later during penetration testing to classify a vulnerability and communicate its type to developers. The system is at version 4.7 and contains over 600 categories of weaknesses and vulnerabilities.
The CWE Top 25 Most Dangerous Software Weaknesses is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 covers Cross-Site Scripting and CWE-89 covers SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on vulnerabilities in web applications. The CWE Most Important Hardware Weaknesses list serves the same purpose, but it focuses on hardware defects.
Description: The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files. Modes of introduction: Architecture and Design. Related weaknesses: CWE-664. Consequences: Other: Varies by Context.
Description: This entry has been deprecated because it was a duplicate of CWE-908. All content has been transferred to CWE-908.
Description: The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components. Related weaknesses: CWE-758, CWE-1105. Consequences: Other: Reduce Maintainability.
Description: The product relies on third-party software components that do not provide equivalent functionality across all desirable platforms. Related weaknesses: CWE-758. Consequences: Other: Reduce Maintainability.
Description: The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer. Related weaknesses: CWE-1357. Consequences: Other: Reduce Maintainability.
Description: The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code. Related weaknesses: CWE-758, CWE-1061. Consequences: Other: Reduce Maintainability.
Description: The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants. Related weaknesses: CWE-1078. Consequences: Other: Reduce Maintainability.
Description: The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location. Related weaknesses: CWE-1078. Consequences: Other: Reduce Maintainability.
Description: The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context. Related weaknesses: CWE-1076. Consequences: Other: Reduce Maintainability.
Description: The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data. Related weaknesses: CWE-1078. Consequences: Other: Reduce Maintainability.
Description: When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java. Many safety features that programmers may take for granted do not apply for native code, so you must…
Description: The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design. Related weaknesses: CWE-1059.
Description: The product's documentation does not adequately define inputs, outputs, or system/software interfaces. Related weaknesses: CWE-1059.
Description: The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed. Related weaknesses: CWE-1059.
Description: The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product. Related weaknesses: CWE-1078.
Description: The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product. Related weaknesses: CWE-1078.
Description: The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project. Related weaknesses: CWE-1078.
Description: The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated. Related weaknesses: CWE-1078. Consequences: Other: Reduce Maintainability.
Description: The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes. Related weaknesses: CWE-1078. Consequences: Other: Reduce Maintainability.
Description: The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms. Related weaknesses: CWE-1059.
Description: The code uses too many unconditional branches (such as "goto"). Related weaknesses: CWE-1120. Consequences: Other: Reduce Maintainability.
Description: The software accepts XML from an untrusted source but does not validate the XML against the proper schema. Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected,…
Description: A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body. Related weaknesses: CWE-1078. Consequences: Other: Reduce Maintainability.
Description: A class contains an unnecessarily large number of children. Related weaknesses: CWE-1093. Consequences: Other: Reduce Maintainability.
Description: A class contains a virtual method, but the method does not have an associated virtual destructor. Related weaknesses: CWE-1076. Consequences: Other: Reduce Reliability.
Description: The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite. Related weaknesses: CWE-821. Consequences: Other: Reduce Reliability.
Description: The software uses a large data table that contains an excessively large number of indices. Related weaknesses: CWE-405. Consequences: Other: Reduce Performance.
Description: Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation. Modes of introduction: Implementation. Related weaknesses: CWE-1173, CWE-20. Consequences: Access Control: Bypass Protection Mechanism. Potential mitigations: Phase: Implementation…
Description: A method for a class performs an operation that directly accesses a member element from another class. Related weaknesses: CWE-1061. Consequences: Other: Reduce Maintainability.
Description: The software contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method. Related weaknesses: CWE-772, CWE-1076. Consequences: Other: Reduce Performance.
Description: The software uses the same control element across multiple architectural layers. Related weaknesses: CWE-710. Consequences: Other: Reduce Maintainability.
Description: The software uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures. Related weaknesses: CWE-710. Consequences: Other: Reduce Maintainability; Other: Reduce Performance.
Description: The software contains an index range scan for a large data table, but the scan can cover a large number of rows. Related weaknesses: CWE-405. Consequences: Other: Reduce Performance.
Description: The software uses a loop with a control flow condition based on a value that is updated within the body of the loop. Related weaknesses: CWE-1120. Consequences: Other: Reduce Maintainability.
Description: The software implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once. Related weaknesses: CWE-820, CWE-662. Consequences: Other: Reduce Reliability.
Description: The software uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison. Related weaknesses: CWE-1076, CWE-595. Consequences: Other: Reduce Reliability.
Description: The code contains a data element with a pointer that does not have an associated copy or constructor method. Related weaknesses: CWE-1076. Consequences: Other: Reduce Reliability.
Description: The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements. Related weaknesses: CWE-1078.
Description: Debugging messages help attackers learn about the system and plan a form of attack. ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose…
Description: Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date. Modes of introduction: Implementation. Related weaknesses: CWE-1164, CWE-20. Consequences: Other: Other. It is critically important that validation logic be maintained and kept in sync with the rest of the…
Description: The product or code does not isolate system-dependent functionality into separate standalone modules. Related weaknesses: CWE-1061. Consequences: Other: Reduce Maintainability.
Description: The product uses automatically-generated code that cannot be executed without a specific runtime support component. Related weaknesses: CWE-710. Consequences: Other: Reduce Maintainability.
Description: The software contains a serializable data element that does not have an associated serialization method. Related weaknesses: CWE-710. Consequences: Other: Reduce Reliability.
Description: The software contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed. Related weaknesses: CWE-1176. Consequences: Other: Reduce Performance.
Description: The implementation of the product is not consistent with the design as described within the relevant documentation. Modes of introduction: Implementation. Related weaknesses: CWE-710.
Description: An invokable code block contains an exception handling block that does not contain any code, i.e. is empty. Related weaknesses: CWE-1071. Consequences: Other: Reduce Reliability.
Description: An unused validation form indicates that validation logic is not up-to-date. It is easy for developers to forget to update validation logic when they remove or rename action form mappings. One indication that validation logic is not being properly maintained is the presence of an unused validation form. Modes of introduction: Implementation…
Description: The software contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable. Related weaknesses: CWE-710. Consequences: Other: Reduce Reliability.
Description: The source code contains a block that does not contain any code, i.e., the block is empty. Related weaknesses: CWE-1164. Consequences: Other: Reduce Reliability.
Description: The software accesses a data resource through a database without using a connection pooling capability. Related weaknesses: CWE-405. Consequences: Other: Reduce Performance.
Description: The software contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities. Related weaknesses: CWE-405. Consequences: Other: Reduce Performance.
Description: A class has an inheritance level that is too high, i.e., it has a large number of parent classes. Related weaknesses: CWE-1093. Consequences: Other: Reduce Maintainability.
Description: The software performs unconditional control transfer (such as a "goto") in code outside of a branching structure such as a switch block. Related weaknesses: CWE-1120. Consequences: Other: Reduce Maintainability.
Description: The product's architecture, source code, design, documentation, or other artifact does not follow required conventions. Related weaknesses: CWE-710. Consequences: Other: Reduce Maintainability.
Description: The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision. Related weaknesses: CWE-697. Consequences: Other: Reduce Reliability.
Description: The source code does not follow desired style or formatting for indentation, white space, comments, etc. Related weaknesses: CWE-1076.
Description: A parent class contains one or more child classes, but the parent class does not have a virtual destructor method. Related weaknesses: CWE-1076. Consequences: Other: Reduce Reliability.
Description: Every Action Form must have a corresponding validation form. If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator. Modes of introduction: Implementation. Related weaknesses: CWE-1173, CWE-20. Consequences: Other: Other. If an action form mapping does not have a validation…
Description: A source code file has too many lines of code. Related weaknesses: CWE-1120. Consequences: Other: Reduce Maintainability.
Description: The code contains a class instance that calls the method or function to delete or destroy itself. Related weaknesses: CWE-1076. Consequences: Other: Reduce Reliability.
Description: The software is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component. Related weaknesses: CWE-1061. Consequences: Other: Reduce Reliability.
Description: A function or method contains too many operations that utilize a data manager or file resource. Related weaknesses: CWE-405. Consequences: Other: Reduce Maintainability.
Description: The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large. Related weaknesses: CWE-710. Consequences: Other: Reduce Maintainability.
Description: The software performs a data query with a large number of joins and sub-queries on a large data table. Related weaknesses: CWE-1176. Consequences: Other: Reduce Performance.
Description: The application has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation. Omitting validation for even a single input field may give attackers the leeway they need to compromise the application. Although J2EE applications are not generally susceptible to memory corruption…
Description: The software has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors. Related weaknesses: CWE-405. Consequences: Other: Reduce Performance.
Description: The software initializes data using hard-coded values that act as network resource identifiers. Related weaknesses: CWE-665. Consequences: Other: Reduce Reliability.
Description: The software initializes a data element using a hard-coded literal that is not a simple integer or static constant element. Related weaknesses: CWE-665. Consequences: Other: Reduce Maintainability.
Description: The product does not have documentation that represents how it is designed. Related weaknesses: CWE-1059.
Description: The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer. Related weaknesses: CWE-1061…
Description: The software contains a class with inheritance from more than one concrete class. Related weaknesses: CWE-1093. Consequences: Other: Reduce Maintainability.
Description: A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments. Related weaknesses: CWE-1120. Consequences: Other: Reduce Reliability.
Description: The software uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager. Related weaknesses: CWE-1061. Consequences: Other: Reduce Performance.
Description: The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element. Related weaknesses: CWE-662. Consequences: Other: Reduce Reliability.
Description: The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc. Modes of introduction: Architecture and Design. Related weaknesses: CWE-710…
Description: When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation. Modes of introduction: Implementation. Related weaknesses: CWE-1173, CWE-20. Consequences: Integrity: Unexpected State. Potential mitigations: Phase: Architecture and Design. Description: Use an…
Description: The software performs too many data queries without using efficient data processing functionality such as stored procedures. Related weaknesses: CWE-1120. Consequences: Other: Reduce Performance.
Description: The software does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend. Related weaknesses: CWE-710.
Description: The code has a parent class that contains references to a child class, its methods, or its members. Related weaknesses: CWE-1061. Consequences: Other: Reduce Reliability.
Description: A static code block creates an instance of a class. Related weaknesses: CWE-1176. Consequences: Other: Reduce Performance.
Description: The software contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments. Related weaknesses: CWE-1120. Consequences: Other: Reduce Maintainability.
Description: The application uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server. Related weaknesses: CWE-710. Consequences: Other: Reduce Reliability.
Description: The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's…
Description: The software displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action. Modes of introduction: Architecture and Design. Likelihood…
Description: The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect. If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision…
Description: The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes,…
Description: The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property. When a user clicks a link to an external site ("target"), the target="_blank" attribute causes the target…
Description: The software performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors. An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor.…
Description: The software performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared. In languages that are strictly typed but support casting/conversion, such as C or C++, the programmer might assume that casting one entity to the same…
Description: The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses. This can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects, instead of the relevant contents of…
Description: The application has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate(). If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled…
Description: The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified. Modes of introduction: Architecture and Design. Likelihood of exploit: Low. Related weaknesses: CWE-1038. Consequences: Integrity: Bypass Protection Mechanism. A successful exploitation of this…
Description: The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption. Modes of introduction: Architecture and Design. Likelihood of exploit: Low. Related weaknesses: CWE-435, CWE-758. Consequences: Integrity: Alter…
Description: The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept. Modes…
Description: If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation. In order to use the Struts Validator, a form must extend one of the following: ValidatorForm, ValidatorActionForm, DynaValidatorActionForm, and DynaValidatorForm. One of these classes must be extended…
Description: The software has multiple functions, methods, procedures, macros, etc. that contain the same code. Related weaknesses: CWE-710. Consequences: Other: Reduce Maintainability.
Description: The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class, that is, a class element that can be used only once in the 'to' association of a Create action. Related weaknesses: CWE-1176…
Description: The software uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects. Related weaknesses: CWE-1093. Consequences: Other: Reduce Performance.
Description: The software's architecture contains too many, or too few, horizontal layers. Modes of introduction: Architecture and Design. Related weaknesses: CWE-710. Consequences: Other: Reduce Maintainability.
Description: A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor. Related weaknesses: CWE-1076. Consequences: Other: Reduce Reliability.
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Vulnerability analysis includes the detection, assessment, classification and treatment of vulnerabilities based on the risk they pose to the company.
Vulnerability Identification
A security team can detect vulnerabilities following different approaches. As part of a vulnerability management process, it is good practice to subscribe to the mailing lists in which vulnerabilities and related countermeasures are disclosed. This service is usually offered by the vendor or, if not available, through third parties. It is a very time-consuming but necessary task: you must perform it on a daily basis to promptly detect vulnerabilities and to comply with several standards and regulations. Other inputs can come from the analysis of hardening reports and tasks, and from the periodic review of the access rules and of the company’s policies and procedures.
Tools
Thanks to tools like Nessus and OpenVAS, it is possible to partially automate the discovery and analysis of vulnerabilities. After verifying the active hosts and the related services, we can deepen our analysis and determine the operating system and application versions.
As shown in the figure, Nessus provides the list of vulnerabilities to which each analysed host is potentially vulnerable. Potentially, because the scanner does not attempt to exploit the vulnerability: that phase, often manual, is not part of the vulnerability analysis process and is normally carried out within a penetration test.
CVSS
In the report, vulnerabilities are classified according to the CVSS (Common Vulnerability Scoring System), a framework used to classify software vulnerabilities. CVSS is an important tool that simplifies the vulnerability management process.
Let’s pretend you are in a meeting with the company management and you have to share the results of your vulnerability analysis. The results were not good: you need at least three system administrators for one month to implement the remediation plan. You need to install patches and implement countermeasures, and you have to do it fast. During the meeting, you could try to tell management that you found several RCE-type vulnerabilities on systems deployed in your DMZ, that attackers do not need system or application credentials to perform the attack, and that exploits are readily available on the Internet. Or you could report the presence of several CVSS 10 vulnerabilities on critical systems. For more information on CVSS, in its two versions 2.0 and 3.0, I suggest reading our article.
CVE & NVD
Each vulnerability has a Common Vulnerabilities and Exposures (CVE) ID, in the form CVE-YYYY-NNNN. Assigning an ID to each vulnerability makes it possible to keep track of it and to automate and simplify the integration of the different tools available to an analyst.
Let’s say you have just detected a vulnerability on your firewall appliance. Since it is a well-known vulnerability, it has got a specific CVE ID. Assuming that your firewall vendor catalogues their vulnerabilities and patches by CVE, it is going to be easy to ask the vendor for additional information, to search for the relevant patches and to minimise the possible impact of applying the remediation on the infrastructure. Furthermore, it is going to be easy to find the relevant signature in your IDS/IPS. CVE is operated by The MITRE Corporation. More details can be obtained on the cve.org website.
NVD (National Vulnerability Database) is managed by NIST (National Institute of Standards and Technology). NVD is a vulnerability database: for each CVE, information such as countermeasures, criticality and impact is provided.
CWE & OWASP
CWE (Common Weakness Enumeration) is a list of common types of hardware and software defects that have security implications. The CWE list can be used as a framework to describe and communicate such weaknesses in terms of CWEs. The CWE Top 25 Most Dangerous Software Weaknesses list is a list of the most common programming errors that can lead to software vulnerabilities. Vulnerabilities present in the CWE Top 25 are usually easy to detect and exploit. For example, CWE-79 is related to Cross-Site Scripting, while CWE-89 is related to SQL Injection. A similar project is the OWASP (Open Web Application Security Project) Top Ten. Compared to the CWE Top 25, the OWASP Top Ten focuses solely on vulnerabilities of web applications. The CWE Most Important Hardware Weaknesses list serves the same purpose, but it focuses on hardware defects.
Vulnerability Analysis steps
Vulnerability analysis comprises different phases.
Preparatory phase
It is not possible to carry out a thorough and reliable analysis without a deep knowledge of the infrastructure or application under examination. If the procedure for managing IT services and their related assets is not implemented, it is not going to be possible to classify and prioritise vulnerabilities. Let’s say our vulnerability scanner found 300 vulnerabilities on approximately 30 hosts. Which vulnerabilities should I prioritise? Which ones shall I remediate immediately? The answer depends not only on the vulnerability severity but also on how important the affected hosts and services are.
Discovery and analysis of vulnerabilities
You performed vulnerability scans, you analysed security advisories, system configurations, your company policies and procedures. You have a comprehensive list of vulnerabilities. You can now prioritise them, identify false positives (and false negatives), and improve the results with your knowledge of the infrastructure/application. At the end of this phase, your security team will produce a vulnerability scan report.
Post assessment
It is now possible to define a remediation plan. The remediation plan is not a mere list of patches, countermeasures and IPS rules: if your analysis has shown the presence of several SQL Injection, CSRF and XSS vulnerabilities in the software developed internally (or by a specific supplier), you must immediately schedule secure programming training classes for your developers.
If these kinds of vulnerabilities are found on software purchased from third parties, you must tell the service owner to look for a new vendor.
While the first scenario is a symptom of a poor security awareness policy, the second one highlights a poor supplier policy: do you review your supplier security policies after you sign a contract? Do you ask to review their development procedures? Do they regularly perform code reviews? Is security fully integrated into their development life-cycle? Outsourcing has hidden costs that you always need to consider.
Once the remediation plan has been implemented, the security team shall verify it has been properly implemented. Depending on its size, the implementation of the remediation activities can take several weeks, if not months. It is crucial to plan periodic meetings to keep the team focused and to check the progress.
What’s next?
In the next articles, we will analyse the vulnerability management process and its implications for regulations like ISO27001 and PCI-DSS. In the meantime, we suggest reading our articles about CVSS and the Metasploit lab.
Regardless of your motivations (attacker or defender), you need to know the ports, hosts and services available within a network.
From a defender’s point of view, the task is a precondition of several key procedures:
Asset Management – whoever manages the infrastructure (and its security) must know which devices are active and present within the infrastructure. Furthermore, it helps to detect unauthorised hosts that could derive from malicious activities (or, more commonly, from system administrators who forgot to document them… and maybe to apply the company’s hardening procedures).
Network scanning is a fundamental step of a company’s vulnerability management procedure. Here is a non-comprehensive list of its possible benefits:
it allows the detection of unauthorized services and the presence of obsolete systems;
it helps to verify the correspondence between the specifications document and the actual implementation;
it helps to verify the correct application of the hardening procedures.
Penetration test – regardless of the approach in use, it is necessary to determine the active hosts and the exposed services. You have to do it even in a white-box penetration test, to confirm the inputs received from your client or colleagues.
From an attacker point of view… Well, that goes without saying 🙂
The network scanning procedure aims to identify active hosts. Port scanning, on the other hand, seeks to detect the ports that hosts expose and with which it is possible to interact. Starting from the output of a network/port scan, an attacker, or a newly hired CISO, can outline different traits of a company’s security posture.
In these articles we will see:
the different steps of a network scan;
some examples with the NMAP tool.
Host discovery
Port scanning involves sending several packets to the host and verifying its response. Usually, the analysis is restricted to the 1024 most common ports (it depends on the available time and the final goal of the analysis). As you may expect, performing this task for all the hosts within a network or infrastructure is time-consuming and generates a lot of noise.
In most cases, only a tiny fraction of IP addresses is active at any given moment. To avoid wasting time, the tester first performs the host discovery phase to determine the active hosts in the tested networks and infrastructure.
There are several techniques:
ARP Ping scan;
ICMP Ping scan;
UDP Ping Scan;
TCP SYN/ACK Ping scan;
IP Protocol Ping scan.
As stated in the official documentation, the default NMAP host discovery strategy involves sending an ICMP echo request (-PE), a TCP SYN segment to port 443 (-PS443), a TCP ACK segment to port 80 (-PA80), and an ICMP timestamp request (-PP).
ARP ping scans are the most effective method to detect active hosts inside a LAN. Their limitation is that the technique cannot be applied to a subnet the scanning host does not belong to. Even if you supply other -P* options to NMAP, the tool by default performs an ARP/Neighbor Discovery against targets on a local Ethernet network, since it is the fastest and most reliable technique.
An ICMP scan consists of sending ICMP echo requests to hosts on the network. If a host is active, it returns an ICMP echo reply. The technique has limited usability, as blocking ICMP requests is part of the basic hardening rules of firewalls and systems.
A TCP scan consists of sending a TCP segment to the hosts and analysing the host’s response. There are two different modes: TCP SYN Ping scan and TCP ACK Ping scan.
As illustrated in the figure, a TCP SYN ping scan consists of the following steps:
The tester sends a TCP SYN segment to port 80.
If the port is closed, the host responds with an RST segment.
If the port is open, the host responds with a TCP SYN/ACK segment indicating that a connection can be established.
Afterwards, an RST segment is sent to reset this connection.
Since it is a normal attempt to establish a TCP connection, traffic is not blocked by firewalls and does not require administrator permissions.
A TCP ACK ping scan instead consists of the following steps:
The tester sends an empty TCP segment with the ACK flag set to port 80 (the nmap default port, but another port can be used).
If the host is offline, it should not respond to this request.
Otherwise, it will return an RST segment and will be treated as online. An RST is sent because the TCP ACK is not associated with any valid existing connection.
ACK Ping Scan requires administrator privileges. Since it is recognized and blocked by a stateful firewall, its main goal is to get information about the filter configurations, not port status.
Port Scan
Once the active hosts within a network have been determined, a port scan can be performed to determine the exposed ports and services.
Several techniques are available:
TCP Scan (Connect and Half Open Scan);
UDP Scanning;
SCTP Scanning;
SSDP Scanning.
Only the first two strategies will be considered. Please see the NMAP manual for additional information on SCTP and SSDP Scanning.
TCP Scan
With a TCP Connect scan, a full TCP connection is established with the host, that is, the whole 3-way handshake is performed.
The cheapest and fastest variant, the TCP Half Open scan (TCP SYN scan), sends only the SYN segment. If a SYN/ACK segment is received, the port is identified as open; in case of an RST, the port is judged closed.
A third family, the TCP FIN, NULL and Xmas scans, modifies the flags of the TCP segment (FIN, URG, PSH, or no flags at all) in an attempt to induce a response from the server.
The technique works only on operating systems whose TCP/IP implementation complies with RFC 793. For example, it does not work with Windows systems, as these return an RST in both cases.
SEGMENT ARRIVES
If the state is CLOSED (i.e., TCB does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RST is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.
If the port is open, the system produces no response, while if it is closed it returns an RST/ACK segment.
To understand the origin of the name, just look at the image below. Nmap’s -sX flag “Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.”
UDP scan
A UDP exchange does not involve a handshake. If a UDP packet is sent to a port on which no service is listening, the system responds with an ICMP Port Unreachable message. If no answer is received, the port can be considered closed or filtered.
Countermeasures
To detect and prevent network scanning attempts, we suggest the following countermeasures:
carefully design your services to reduce your attack surface, exposing only the necessary services and always keeping in mind the principles of least privilege and need-to-know;
Configure your firewalls to block all traffic that has no business justification;
Periodically review your firewall ruleset to keep it aligned with your business needs;
Harden your servers, disabling all unused services;
Perform network and port scans to ensure your firewall/server policies are aligned to your business needs.
Configure an IDS/IPS to promptly detect network and port scans.
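As an added example (not code from the original article), the following Python detector implements the last countermeasure in the list: it runs over a handful of constructed firewall log lines and raises alerts for the host discovery and port scan patterns described above (many ports on one host, many hosts from one source, and FIN/NULL/Xmas segments that no legitimate connection attempt ever sends). The key=value log format, the TEST-NET addresses, the sliding window and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in an assumed "key=value" firewall format (not any vendor's); TEST-NET sources.
LOG_LINES = [
    "2024-05-01T10:00:00Z src=192.0.2.10 dst=10.0.0.7 proto=tcp dport=443 flags=S",
    "2024-05-01T10:00:05Z src=192.0.2.10 dst=10.0.0.7 proto=tcp dport=443 flags=S",
    "2024-05-01T10:00:07Z src=198.51.100.4 dst=10.0.0.7 proto=tcp dport=80 flags=FPU",
    "2024-05-01T10:00:08Z src=198.51.100.4 dst=10.0.0.7 proto=tcp dport=22 flags=",
    "garbage line the parser must skip",
] + [
    # one source sending SYNs to many ports on one host: a half-open port scan
    f"2024-05-01T10:01:{i:02d}Z src=203.0.113.5 dst=10.0.0.7 proto=tcp dport={p} flags=S"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389])
] + [
    # one source sending ICMP echo requests to many hosts: a host discovery sweep
    f"2024-05-01T10:02:{i:02d}Z src=203.0.113.9 dst=10.0.0.{i} proto=icmp type=8"
    for i in range(1, 9)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>[A-Z]*))?(?: type=(?P<itype>\d+))?$"
)

# TCP flag sets (letters sorted) that never occur in a legitimate connection attempt.
STEALTH = {"": "NULL", "F": "FIN", "FPU": "Xmas"}


def parse_line(line):
    """Parse one log line into an event dict; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": d["src"], "dst": d["dst"], "proto": d["proto"],
        "dport": int(d["dport"]) if d["dport"] is not None else None,
        "flags": "".join(sorted(d["flags"])) if d["flags"] is not None else None,
    }


def detect_scans(lines, window_s=60, port_threshold=10, host_threshold=8):
    """Return one alert per (source, kind, target), judged over a sliding time window per source."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> events seen within the last window_s seconds
    seen, alerts = set(), []

    def alert(src, kind, target, detail):
        if (src, kind, target) not in seen:
            seen.add((src, kind, target))
            alerts.append({"src": src, "kind": kind, "target": target, "detail": detail})

    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()
        # FIN / NULL / Xmas probes: a single segment is enough to raise an alert
        if ev["proto"] == "tcp" and ev["flags"] in STEALTH:
            alert(ev["src"], "stealth_probe", ev["dst"], STEALTH[ev["flags"]] + " scan")
        # port scan: many distinct destination ports on the same host inside the window
        ports = {e["dport"] for e in q if e["dst"] == ev["dst"] and e["dport"] is not None}
        if len(ports) >= port_threshold:
            alert(ev["src"], "port_scan", ev["dst"], f"{len(ports)} ports")
        # host sweep: many distinct destination hosts inside the window (SYN/ACK ping, ICMP echo)
        hosts = {e["dst"] for e in q}
        if len(hosts) >= host_threshold:
            alert(ev["src"], "host_sweep", "multiple", f"{len(hosts)} hosts")
    return alerts


if __name__ == "__main__":
    for a in detect_scans(LOG_LINES):
        print(a)
```

The repeated SYNs from 192.0.2.10 to a single port never cross a threshold, so they raise nothing; shrinking the window to a few seconds silences the volume-based alerts but not the Xmas probe, which is anomalous on its own.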
The first step in a cyberattack, or a penetration test, is footprinting. The attacker/analyst tries to get information about the targeted infrastructure. Thanks to footprinting techniques, attackers can obtain information such as:
personal data, skills, experience and interests of company’s employees;
company headquarters;
technologies in use (middleware, operating systems);
suppliers and consultants who collaborate periodically with the company;
network blocks and topology;
DNS records.
We can divide footprinting techniques into two macro areas:
active: it involves the collection of information through direct interaction with the target. It is a riskier practice than the passive one, as it could leave traces: the systems of the attacked organisation could (and should) detect the information gathering attempt. Some examples of active footprinting are the use of web spiders, email tracking, traceroute and social engineering techniques.
passive: it involves the collection of information without direct interaction with the target. Some examples are the use of search engines, social networks and job posting sites, and the analysis of data received from providers that monitor the target’s website traffic or commercial performance, or that deliver reports about its future commercial operations.
Identifying the technologies adopted by the target drastically simplifies the attacker’s job. Knowing that certain technologies are in use, that good security practices are lacking, or that the security posture is poor increases the attacker’s chances of success.
When we perform a penetration test in which the company aims to assess the chances of an attacker completely unrelated to the organisation, footprinting activities heavily influence the success of the test.
Footprinting with search engines and social networks
Search engines offer a myriad of information to the attacker. The advanced functions available in Google, Bing and other search engines reveal information that companies are not even aware they expose to the public.
The technique, combined with the most used search engine, has taken the name of Google Hacking. For more information, you can consult our article about the Google Hacking Database.
Thanks to search engines, an attacker gets to know the technologies in use (web servers, firewalls, IDS, WAF, third-party applications), IoT devices, applications for internal use only and much other information about the target.
Like search engines, social networks provide an enormous quantity of information to attackers.
An attacker can dig through LinkedIn to understand who the key people of the organisation are, and what their experience and knowledge is. You can get to know their interests, their religious and political beliefs, their weaknesses. Afterwards, the attacker can exploit the gathered information to perform a social engineering attack.
Tools like theHarvester and sublist3r simplify attackers’ job, reducing the manual work.
Footprinting through job posting sites
The following image shows the information revealed by a job advertisement. The job post is real: I found it on the platform indeed.com.
The company is looking for an IT System Administrator with knowledge of Linux and Solaris. They even mention the Linux distribution names and the Solaris release version. You can bet they have got some LAMP servers, that they probably monitor their infrastructure using Nagios and that they are using Oracle and DB2 as RDBMS. Their infrastructure may include J2EE containers like Glassfish and JBoss and servlet containers like Tomcat. Even though Windows XP and 7 reached end of life over 5 and 2 years ago respectively, they are still asking for people with experience on them.
You are getting information not only about the technologies in use, but you are also outlining the security posture of the company.
Job posts can tell you a lot more. Are they searching for IT security specialists? Besides the tools and countermeasures adopted, they may even tell you how big their security team is. Are they even trying to fill important roles like CIO or CISO?
Tools and services:
We suggest looking at the following tools, for which we wrote a brief description: Sublist3r, theHarvester, Shodan, Sherlock, Burp Suite, Metagoofil, ExifTool, DNSRecon, traceroute.
Countermeasures
Your employees’ and colleagues’ awareness of attackers’ behaviour and techniques is fundamental for your company’s safety. Every company must adopt a security awareness policy to inform its employees about the security risks they are exposed to inside and outside the office.
The adoption of security policies (hardening of the systems, analysis and reviews of IDS/IPS and other monitoring tools, etc.), the definition of roles and responsibilities will allow a company to quickly detect and react to attackers’ attempts to gather information or to exploit the knowledge they previously gained through passive footprinting techniques.
The term hacker often takes on a negative connotation.
In the past, we often focused on the distinction between a hacker, a person with deep security knowledge who explores technologies, systems and related vulnerabilities out of pure passion, and a cracker, the “malicious” counterpart, who uses that knowledge to cause damage and steal data of a certain value (for example, credit card numbers).
RFC1392 provides the following definitions:
hacker
A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term.
cracker
A cracker is an individual who attempts to access computer systems without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system.
Unfortunately, media have never bothered to understand the distinction and, for the masses, there is no difference between crackers and hackers.
In our opinion, here is the correct terminology to be used in the security sector:
Black hats (Crackers)
Crackers, or black hats, have got extraordinary computing skills but they lack ethics. They may violate laws by committing malicious or destructive acts.
Script Kiddies
An unskilled cracker who compromises systems using tools, scripts and software developed by others.
White Hats (Ethical Hacker)
An individual who uses their hacking skills for defensive purposes.
They analyse computer systems or networks to detect security issues and give recommendations for improvement to their owners.
A white hat will penetrate a system only with the authorisation and upon request of the infrastructure owner.
Gray Hats
Gray hats use their skills both offensively and defensively.
They often look for system vulnerabilities without the permission or knowledge of the owner. If they find a security issue, they may reveal it to the owner upon the payment of a small fee. Sometimes, their ultimate goal is to show their skills and create awareness about the intrinsic insecurity of the Internet.
It may be useful to know some additional terms. State-sponsored hackers are employed by a government to penetrate other governments’ systems in order to damage them or to obtain top-secret information. You have surely heard about cyber terrorists, individuals motivated by political or religious beliefs who aim to create fear among civilians and to influence the policy of the targeted governments.