Category: Uncategorized

APIsecure 2023 day 1 Red Track

“New conference in town”

Today was the first day of the APIsecure API security conference. As it was a free conference, I didn’t know what to expect; I had somehow missed it last year. I was expecting a lot of “product coverage”, but it was the opposite, and I was pleasantly surprised that that wasn’t the case. One presenter who tried to pitch a product was actually cut off for it.

My Favorites of the Day

There were quite a few interesting talks, but my favorites of the day were:

  • Michael Taggart: “Beyond Vuln Management: How Adding Offensive Methodology Made Our APIs More Secure.”
  • Antoine Carossio and Tristan Kalos (Escape) workshop: “Discovering GraphQL Vulnerabilities in the Wild”
  • Ted Miracco: “Enhancing API Security with Runtime Secrets & Attestation”

Michael Taggart had the smoothest and most enjoyable presentation to follow. If the videos are uploaded, this is the one I will send to quite a few blue teamers I know. I totally agree with the idea that the blue team must know offensive tactics.

Antoine Carossio and Tristan Kalos had a lot of technical (internet) issues that made the talk a bit hard to follow. Despite the issues, I actually liked it a lot and learned something new. I hadn’t previously taken much time to go into the details of GraphQL vulnerabilities, and this talk gave me new ideas on what to try when doing an assessment.

Ted Miracco‘s talk on mobile app API security was also quite interesting, proposing some interesting ideas on improving the security of apps. To be honest, the leak statistics shown in the talk were worse than I thought they would be.

All the talk videos/slides were supposed to be uploaded some time after the conference on their website. I can’t wait to actually be able to go through the slides and “perfect my notes” on GraphQL. The conference website can be found here.

Does VMware Workstation Pro 15.5 run on Windows 11???

As Microsoft stopped selling Windows 10 licenses and Windows 11 has been out for quite a while now, I thought I’d give it a try. The first questions that came to mind were: does everything I need for work actually work there, and what do I need to change? Although VMware itself states that Workstation 15.5 on Windows 11 isn’t a supported setup, I still thought I’d give it a try before buying the upgrade.

So here’s what you can expect from this setup (or how it was for me). It somewhat worked:

  • Some VMs required a “VM hardware upgrade”
  • None of the VMs with more than 1 CPU/core would even start; they threw errors and refused to start until the extra cores were removed
  • 3D acceleration issues inside VMs when using a GUI (Gnome/KDE, etc.): the GUI worked, but the image was sometimes blurry and there were sometimes resolution issues when resizing the VM window
  • The Suspend VM button instantly crashes/shuts the VM down

So if you don’t need multi-core VMs, 3D acceleration or suspend (standby) functionality, then it might work for you. But unless you’re just curious and bored, I’d recommend skipping this trial-and-error phase and just upgrading to 17.

Ethical hacker isn’t a vigilante

A long time ago, when I decided to get the EC-Council “Certified Ethical Hacker” certification, I couldn’t have imagined what type of job offers and requests I would start getting after adding it to my Freelancer profile. People started asking me about a lot of illegal things. And over the years nothing has changed; still, almost every day I get some strange request, which I now just tend to ignore rather than even turn down with a reply.

Initially it seemed strange to receive daily requests to break into someone’s Facebook, Twitter or Instagram account or to bug their smart device. Eventually I got used to it, but some of the requests are still stranger than others and make me scratch my head.

Mostly people ask me to spy on their partners/family/close ones because they think they are being cheated on, and to them this makes the privacy invasion and illegal actions ethical. Those are the regular everyday ones, and somewhat relatable as an emotional outburst, yet it is still a bit creepy that people go that far instead of just confronting the issue. But besides these regular ones there are the strange ones.

One day I got a request asking whether it would be possible for me to remove every negative news article ever written about one specific person from one country’s news sites. Yes, all of them, from all the newspapers. That almost got me interested in replying to the request, just to find out what they were trying to hide, but I decided not to, just in case. Then there are the requests to “get my money back from a gambling site or some crypto deal”, or to locate whoever is behind some gamer tag or social media account and get their personal details.

No, those requests don’t come via some shady underground forum but via regular freelancer job exchanges. This makes it seem to me that they don’t actually moderate their postings: even after I reported some illegal postings as illegal, they were still up three days after the report.

After being bombarded with such requests for a while now, I wish people would actually learn what ethical hacker means and deal with their problems in a LEGAL way. I also wish that freelancer sites would deal with the illegal offers on their sites themselves.

As an ending to this rant, I have to cite the definition of ethical hacker that I actually like and that feels right to me, as written on TechTarget: “An ethical hacker, also referred to as a white hat hacker, is an information security (infosec) expert who penetrates a computer system, network, application or other computing resource on behalf of its owners — and with their authorization.”

Teams add-in in Outlook for Mac “Authentication required”: possible fix

A few customers had an issue where the Teams add-in in Outlook for macOS would stop functioning after MFA was enabled on Exchange. When trying to create a calendar invite with the MS Teams integration, they would get a message saying “Authentication required”, or more exactly, “Outlook needs to confirm your account permissions before adding a Teams Meeting. Please login..”. After clicking “OK” on that popup, it would still fail.

I went through a ton of different answers from Google, like:

  • Log out of both Outlook and Teams, then log into Teams before opening Outlook
  • Delete the Outlook user and then re-add it to Outlook (helped in one instance)
  • Delete some keychain entries

Those didn’t help one bit in that case. What actually fixed the issue was removing the Office 365 license and re-activating Office.

To remove the MS Office license, close all MS Office applications, download the removal tool from Microsoft and follow their guide here: How to remove Office license files on a Mac – Office Support (microsoft.com)

After removing the license, re-open Outlook; it should prompt you to enter your O365 licensing credentials again. After doing that, retry creating a calendar invite using the Teams add-in. The familiar “Authentication required” window should pop up. Click OK on it again; this time the authentication process should actually start and work. After that it should continue working without a hitch.

There was one instance where the license removal trick didn’t help. There I retried the account removal, and that fixed it for that user.

Tenable.SC license renewal headache – things to keep in mind when renewing

The first year of Tenable usage was coming to an end. The Nessus scanners/managers and Tenable.SC all notified me that their licenses were about to expire. I contacted the company selling Tenable in the region and got the licenses extended.

The new license expiry date popped up on the Tenable support site, and I was wondering whether the different instances would auto-update their licenses. I looked at the scanners and managers: all was fine and the licenses were extended. So I was happy, problem solved, or so I thought. But I had missed one place, the SC, as I assumed that all their software/licenses would work the same way and didn’t waste any more time looking at the licenses.

A few weeks pass and suddenly I cannot log into the SC any more, with an “invalid license” error popping up when I try to log in. As it turned out: never assume that all of a vendor’s products work the same way. Going to the admin interface of the SC, I discovered that the license was reported as expired, while on the Tenable support website the license status was supposedly fine.

After that I had a little chat with support; as it turns out, licenses for Tenable.SC can be renewed in multiple ways. In one case your license is extended; in the other it is superseded, so you need to re-download the license key file and upload it to your SC for it to start working again.

During the period the license was expired, the scan data was not imported (it was rejected with an error by the SC). Fortunately it could be re-processed from the scan results list, but all of the data ended up with its discovery date set to the manual re-processing date. A minor inconvenience/integrity issue, but at least all the info still exists.

Windows 10 WiFi ignoring DHCP DNS settings

After a long period of working from home, my computer did not seem to want to work in any other WiFi network any more. It showed “no internet connection” in every other network.

When looking at the connection settings, I saw that it was still showing my home DNS server, no matter what network I connected to, my phone’s hotspot included.
Example output of the netsh command:

C:\WINDOWS\system32>netsh interface ipv4 show config name="Wi-Fi"

Configuration for interface "Wi-Fi"
DHCP enabled: Yes
IP Address: 10.1.0.38
Subnet Prefix: 10.1.0.0/24 (mask 255.255.255.0)
Default Gateway: 10.1.0.1
Gateway Metric: 0
InterfaceMetric: 70
DNS servers configured through DHCP: 172.31.1.1
Register with which suffix: Primary only
WINS servers configured through DHCP: None

So I tried using netsh to reset it by entering a static DNS server:
netsh interface ipv4 set dnsservers name="Wi-Fi" source=static address=8.8.8.8

Now I had working name resolution, but having to set a correct DNS server for every network I go to is not a fix for me, so I set it back to DHCP:
netsh interface ipv4 set dnsservers name="Wi-Fi" source=dhcp

Name resolution broke again, as “show config” returned my home DNS again. So I turned to the Windows registry to find where that IP address was stored. The search yielded the following result: in Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{interface-uid} there was a registry value called ProfileNameServer whose data matched my problematic DNS server entry. After deleting that registry value and reconnecting to the WiFi, I finally saw that the DHCP-provided DNS server list was being used and the network connection was working normally again.
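As an added example (not from the original post), the following PowerShell script walks every TCP/IP interface key in the registry, shows the DHCP-assigned DNS servers next to any static NameServer or ProfileNameServer override that would win over them, and, when run with the hypothetical -Fix switch (a parameter of this script, not a Windows feature), removes the ProfileNameServer value described above. It assumes an elevated PowerShell session and uses CurrentControlSet, which points at the active ControlSet001/002 key.

```powershell
# Added example, not from the original post: list per-interface DNS overrides
# that survive a switch back to DHCP, and optionally remove ProfileNameServer.
# Assumptions: elevated PowerShell on Windows 10/11; -Fix is a switch of this
# script only (hypothetical), not a Windows setting.
param([switch]$Fix)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

# Map interface GUIDs to friendly adapter names so the output is readable.
# Both Get-NetAdapter.InterfaceGuid and the registry key name look like "{GUID}".
$names = @{}
foreach ($a in Get-NetAdapter -ErrorAction SilentlyContinue) {
    $names[$a.InterfaceGuid.ToString().ToLower()] = $a.Name
}

foreach ($key in Get-ChildItem $base) {
    $guid = $key.PSChildName.ToLower()
    $p = Get-ItemProperty $key.PSPath

    # DhcpNameServer is what DHCP handed out. NameServer and ProfileNameServer
    # are static overrides; when either is non-empty it is used instead of DHCP.
    $dhcpDns    = $p.DhcpNameServer
    $staticDns  = $p.NameServer
    $profileDns = $p.ProfileNameServer

    # Nothing to report for interfaces that really are on DHCP DNS.
    if ([string]::IsNullOrEmpty($staticDns) -and [string]::IsNullOrEmpty($profileDns)) { continue }

    [pscustomobject]@{
        Interface         = if ($names.ContainsKey($guid)) { $names[$guid] } else { $guid }
        DhcpNameServer    = $dhcpDns
        NameServer        = $staticDns
        ProfileNameServer = $profileDns
    } | Format-List

    # Only the stale ProfileNameServer is removed; a deliberate NameServer
    # (netsh ... source=static) is left alone for the admin to decide on.
    if ($Fix -and -not [string]::IsNullOrEmpty($profileDns)) {
        Remove-ItemProperty -Path $key.PSPath -Name ProfileNameServer -Confirm
        Write-Host "Removed ProfileNameServer from $guid; reconnect the adapter to pick up DHCP DNS."
    }
}
```

Run it without -Fix first: an interface that shows a DhcpNameServer list but also a non-empty ProfileNameServer is exactly the symptom described above. Remove-ItemProperty is called with -Confirm so every deletion is prompted, and the adapter has to be disconnected and reconnected afterwards before netsh reports the DHCP-assigned servers again.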

Nice feature/bug in Check Point NAT

It seems I have stumbled upon an interesting Check Point firewall NAT behaviour: the firewall does something it was not told to do and translates the source IP to a different address than the one in the policy.

I had a static inbound NAT rule where the source address of the client was supposed to be translated to another static address. The policy installed fine, and yes, the client IP address was changed and hidden from the service, but it was changed to an incorrect address. The rule stated that the client IP address be translated to, for example, 172.16.2.10, but it was translated to 172.16.2.100, and that new address did not exist anywhere in the policy database.

After upgrading that particular management server to R80.20, it refused to compile the policy with that NAT rule in place. Fortunately, recreating the NAT rule removed the issue.

The error for that issue in the FWM debug logs was:
“Invalid Object in Source of Address Translation Rule 57. The range size of Original and Translated columns must be the same.”

The interesting thing is that it was fixed simply by deleting the rule and re-adding it. And yes, it was a one-address-to-one-address translation, not a network-to-one-address one.

WhatsApp used to interact with ATMs in Brazil

I happened upon an interesting article today: https://www.zdnet.com/article/banco-do-brasil-launches-cash-withdrawals-via-whatsapp/. As the URL already states, they are enabling users to withdraw cash from ATMs via WhatsApp.

Basically what they say is that the user needs to add a chatbot to their contact list and ask it for money. The chatbot then gives them a “key” that is valid for a day. Although the service has an $80 transaction limit, it still feels like a bad idea to me. I can already feel the new “malware wave” coming that tries to exploit this on phones.

Thinking about this service, I would really love to see the analysis they made to conclude that this is a secure thing to do. How is this channel secured? How are they protecting people against “theft via malware”? I feel like I need to do some research into that.

Malware campaigns are going even after the smaller “markets”

Yesterday I happened to read a warning by the Estonian police about a new malware campaign. The fact that there is a malware campaign going on is not news to anyone, but what actually caught my attention was the translation quality on the phishing sites.

The warning had a screenshot of a site spreading malware; it was the classic “your computer is infected with a virus” scam, but for smartphones. Sites like that have been used for a long time, but the quality of the translation on them has usually been really bad. This time the message was of quite good quality, and a lot of people might actually fall for it.

The message there basically stated that the user had visited a site containing malware or porn and might be infected with a virus. It also contained a threat that their ISP would block their internet access. They have scripted the ISP part so that the page tries to look up the ISP name from the visitor’s IP address.

Besides the rise in quality of the phishing text and the translation based on localization info, a lot of phishing sites have also moved to HTTPS. Malware sites have started using certificates that are accepted by web browsers, making them a bit harder for unsuspecting users to detect.

It is the first time in years I felt like giving my parents a refresher on recognizing malicious sites.

E-mail spam, a way to sway policy makers decisions

Although politicians and law-making are not something I usually write about, this is something I just found interesting.

I think by now everyone who has an e-mail address has come into contact with spam e-mails. Usually they are sent to sell you something or to phish you. But as it turns out, sending spam e-mails can also make politicians vote in certain ways.

A few days ago I happened to hear an old recording of a radio show that had multiple politicians as guests, and Indrek Tarand, an Estonian representative in the European Parliament, was one of them. When the topic of the new “EU copyright bill” came up, he did something I wasn’t expecting: he completely baffled me with the reasoning behind his decision.

Namely, he said he voted for the bill because the people against it had supposedly used AI to send him spam trying to make him vote against it, and voting for the new law was his way of reacting to the hundreds of e-mails he got.

So as it turns out, you don’t need to spend a lot of money to lobby a politician into voting a certain way. Just try to press the right buttons by sending them spam e-mails; they might just vote your way because you spammed them not to.