Breaches aren’t just a problem for security professionals, the impact is felt across the whole business. Everyone needs to play their part in managing the risks, but first, you need to understand what you’re up against. Although many business owners are aware of these threats, but are ignorant of it, due to some common misconceptions about security.

Below are few misconceptions that can lead to a data breach

“I have a Nextgen firewall, so I’m safe.”

Enterprise Security is far more complex today then it used to be a few years ago. While having anti-virus, endpoint protection, firewalls help control few class of attacks via real-time network monitoring and decision making. These alone are not adequate to protect a network from any form of intrusions. Most attacks are delivered via email, and the web, both of which are allowed through firewalls and firewalls do not control outbound data theft.

Attackers have become more supplicated, that they have invented new ways to evade any kinds of malicious detection, as an example most of the malware today use techniques like DNS exfiltration (using DNS packets to ex-filtrate data out of network) since outbound DNS is mostly allowed in all firewalls, hence in cases like these the above mentioned security is voided.

“Why would my organization be attacked? My company is small.”

Majority of the organizations assume that hackers are always target focused, therefore the less well known or your organizations is very unlikely to be a victim of such attacks while your company might not be a victim to targeted attack. There are many threat actors out there that are using exploit kit powered malware wildly so that you might be a part of the global target.

Botnet infection is one such case where hackers try to compromise as many devices as possible around the globe without a specific target in mind. Today, it doesn’t matter if you have a well-known brand, you’re running your website for fun, or you’re somewhere in between. If you have any data worth stealing, you have to consider yourself a potential target.

“I have the best software developer so why bother.”

Many organizations think that building a website with a perfect web developer or getting software from a trusted organization will prevent their website from criminal activities, but this is a common misconception. It is a must to know and note that web developers are generally not security experts. Hackers are always at work looking for new ways to do the evil things to disrupt your data. An excellent example of this is Microsoft: they regularly send security updates to millions of PCs because what was safe yesterday isn’t safe today.

“We go through Vulnerability Assessments & Penetration Tests.”

People and physical security is a rise in attacks these days as you can not blindly trust humans because humans are predictable and they make mistakes. There are many cases of GitHub token, aws keys, source code leaks on a popular platform like GitHub, Pastebin, trello, etc. Lack of security awareness among the developers results in the exposure of sensitive information like credentials, secret key, access keys, source code.

Recently cloud leak exposed the business of the big organizations like Accenture. Misconfigured S3 bucket exposed the configuration files, the plain document containing the master access key for Accenture account, etc.

“I am Compliant. Hence I am Secure”

It is known that the most common starting approach into managing security as an organization is achieving compliance standards of various forms. There are multiple audits and checklists like PCI (for online payments processing), soc2 (accounting report for publicly traded companies), They are all well known, official, and are industry-regulated security standards, so it’s understandable that businesses have an impression that being compliant against best industry standards equals being secure.

But that’s not the case, most of the organizations that suffered data breaches had passed a variety of compliance audits. Being compliant against these standards will provide business benefits and help improve security around various systems, but this doesn’t make the business secure against all the possible threats.

Security cannot be bound to a list of checkboxes. It is a continuous process. Compliance is necessary for doing business, but it’s not what great security practices are built around.

The post Data Breach : 5 Security Misconceptions appeared first on Security Brigade Blog.

On an overcast morning, the Security Brigade Employees prepare for their Biannual Sports Day. They battled to prove their resilience on the field as they do off it. After all, a Sports Day at work is the time to show off some of your childhood skills. It’s great to see our co-workers get a break from the office and get outside to enjoy some classic sporting events.

A couple of weeks before the event, we had the office split up into four groups. Each team with a unique moniker and colour. Team members spent their free time strategising catchphrases, partners for sporting, team names, and a whole lot more.

White Walkers- White Team

Greyhounds – Grey Team

Red Hawks- Red Team

Dark Knights- Black Team

Foosball: The Ultimate Indoor Battle

Nothing gets you warmed up for a little soccer like little soccer.

Foosball Tournament

Foosball Tournament

It’s a rite of passage at Security Brigade. If you’re one of us, you play Foosball. Though it’s not your traditional sports day activity, it happens to be the go-to stress buster at work. We take this more seriously than Manchester United fans take a Manchester derby.

Badminton: Are we there yet?

Our office is blessed to have an attached terrace. We do a lot here. Eat. Play. Contemplate Life. Instagram. Take a look at the view; you’ll get the drift. It also seemingly called for a DIY badminton tourney.

Security Brigade Terrace View

Badminton @ Security Brigade

GOOOOALLLLLL

Imagine the El Classico. (almost)

Bend it Like CJ

This event yielded some surprising results. Security Brigade’s team has two hidden gems. AKA the guys who played State and National level football in India. A few close calls, thunderous goals, smart defending and the desire to win made for quite the spectacle!

Cricket: The anticipated event.

Balanced performances from the four teams made this event the most competitive one. We’d saved the best for the last. The eager teams anticipating their turn witnessed a couple of spectacular half centuries. Kaif-like diving catches, all around pace in bowling, and a close nail-biting victory at the end.

SB Loves Cricket

SB Loves Cricket

We can’t wait until the next one!

The post Sports Day: Back To School appeared first on Security Brigade Blog.

“If you want to stop an attacker, you have to think like an attacker.”

Their goal is to act like the adversary and figure out different ways to break into a company so it can strengthen its defences. A red team considers the full ecosystem. Unlike penetration tests where we solely try to breach a component, red teamers use a plethora of multiple attack vectors. Ranging from social engineering, weak points in physical locations, external attacks.
This blog post addresses our recent Red Team where we comprised a bank’s network. Our Client (the bank) wanted a scenario as realistic as possible, where a dedicated adversary would be trying to break-in.

Methodology & Approach:

1. Defining the Target
2. Information Gathering
3. Vulnerability Analysis
4. Exploitation
5. Social Engineering
6. Physical Security Analysis
7. Post‐Exploitation or Maintaining Access

The Red Team Assessment commences with defining the target where we considered IP addresses, Applications, Organization’s physical security implementation, wireless network and employees for social engineering.

During the information gathering phase, the red team analyzed the banks’ ecosystem trying to leverage the maximum information. Typically, we gather information from various resources. OSINT plays a crucial role. We found IP addresses, applications, employee’s data, weak points in physical security implementation to name a few.

External Phase – Technical Analysis:

Once we had enough data on our target environment, the team began scanning their external network and public facing applications. Simultaneously we performed manual penetration testing on the applications. We correlated the information to find vulnerabilities that would allow us to execute commands on their remote server and help us to reach the primary target with pivoting.

Critical Vulnerabilities Discovered:
SQLi, Local File Download, LFI, Amazon S3 Buckets, Admin Panel, Hardcoded credentials, SQL server access, Command execution, Apache Tomcat running with default credentials.

The Red Team compiled sensitive data and internal files from the banks’ server and tried executing the command on their server. The banks’ security was resilient. The team tried accessing the Apache Tomcat with default credentials and got access to their tomcat admin panel. Having gained access we saw war deployment option and tried to upload our shell (It works!), we deployed our shell and executed the command on their server. Red teamers don’t stop here. The team tried pivoting to get access to further systems.

Up until now, we’d only tested the bank externally. The team gathered substantial sensitive data and access to sensitive resource of the organisation.

Social Engineering:

We conducted several successful interviews, promotional calls, and phishing attempts. With the help of social engineering attacks, we gathered sensitive details. Such as  AD credentials, personal information, internal proxy, physical security implementation, various security checkpoints, centralized server etc they were using.

Physical Security Analysis:

After the social engineering phase, we decided to have an anonymous visit to the bank. We had planned multiple scenarios to get inside: scheduling a job interview, RFID bypass, third-party meetings in the bank, promotional visits. However, we were successful in our first attempt but we also tried different methods to check the physical security postures. We used tailgating on various checkpoints where we also were able to take Red Team toolkit where they were unable to detect us. We also scheduled a meeting to get inside the organisation as a guest and were successfully able to enter in their premises.

Once the Red Team was on-site: We created a wireless network within the organisation using a LAN cable and our router which is usually the best way to be a part of their network. It was enough for us to be in their network. We also connected to their guest WiFi for network access but due to multi-step authentication, we only got the partial network access. A successful attack plan requires a backup option. To ensure that we didn’t lose connection via the wireless network we connected a Rasberry Pi in their network. This provided the reverse connection to our company for maintaining access.

Internal Phase – Technical Analysis :

We started testing their internal network. After a primary analysis, we got access to their FTP server, Printers, IoT devices, Configuration panels but that was not sufficient for us. We tried digging further inside, and after a thorough analysis, we got access to their RDP’s. Unfortunately, the monitoring team shut down the RDP. (Kudos to the banks’ Blue Team)

We tried LLMNR and NBT-NS Poisoning and received some of the NTLM hashes of users, but finding plaintext credentials from NTLM was taking long and considering the Blue Team was actively monitoring us we did not waste the active time on these hashes.

The team observed that one of the FTP server is accessible with anonymous login and has a URL and Credentials of their Citrix server. We considered the possibility of it being a honeypot because the credentials we got didn’t have a system associated with it. However, we got a rough idea where the Citrix server runs. We also confirmed that the Blue team is actively monitoring the network.

We observed that their Citrix server’s login is configured over SSL, but the SSL was not enforced. The team tried SSLStriping to downgrade the protocol along with MITM and successfully received several credentials of their Citrix systems. Our Red Team configured the Citrix receiver with received credentials and successfully got access to the system which has admin rights and contains all the internal data of the bank. The same credentials allowed us to join our created system in the AD and gained persistent access into their network.

Citrix server and any other centralised server should be the first target in any red team activity since most of the companies do not follow the security best practices for implementation and leave it vulnerable. Also, these systems can give us the huge scope to reach our target.

Concluding the Red Team Activity:

Alternatively, we got access to their monitoring system where we could disable the entire monitoring system and put the Blue team in trouble and allowed us access to assets of the bank assigned to Blue Team. We have done exactly the same and gained the access to domain admin by pivoting in the absence of blue team.

The post Red Team: How We Compromised A Banks’ Network appeared first on Security Brigade Blog.

How not to get phished (like the DNC)
Watch this video to learn how a Spear Phishing campaign led to Russian hackers gaining access to the Democratic National Committee’s e-mails. Pro tip: Always check the link URL before clicking through, it will help bring clarity on whether the link is legitimate or not.

Read More

Ransomware Attacks Down, Fileless Malware Up in 2018
The use of fileless malware in attacks continues to grow and now represents 42 out of 1,000 endpoint attacks. The uptick represents a 94 per cent increase in the use of fileless-based attacks between January and June 2018.

As the name suggests, fileless malware infects targeted computers leaving behind no artefacts on the local hard drive, making it easy to sidestep traditional signature-based security and forensics tools. Typical attacks exploit vulnerabilities in browsers and associated programs (Java, Flash or PDF readers), or via a phishing attack that entices a victim to click on an attachment. They prey on gullible targets clicking on malicious links or files.
Read More

Banking Trojans and Shady Apps Galore In Google Play

Despite Google’s defences for protecting Android’s official marketplace, cybercriminals still manage to sneak in a banking Trojan, or two, or three, security researchers have discovered. Recently, security researchers from different security companies based in Europe disclosed on Twitter that they found several banking Trojans in Google Play.

Hackers found three such malicious apps posing as astrology software that offered the horoscope. What they divined, though, was theft of SMS and call logs, sending text messages in the victim’s name, downloading and installing apps without user approval, and stealing banking credentials.
Read More

Google Secretly Tracks What You Buy Offline Using Mastercard Data
Over a week after Google admitted the company tracks users’ location even after they disable location history, it has now been revealed that the tech giant has signed a secret deal with Mastercard that allows it to track what users buy offline.

Google has paid Mastercard millions of dollars in exchange to access this information.
Neither Google nor Mastercard has publicly announced the business partnership over allowing Google to measure retail spending, though the deal has now been disclosed by Bloomberg.
According to four unidentified people with knowledge of the deal cited by the news outlet, Google and Mastercard reached the agreement after a four-year negotiation, wherein all Mastercard transaction data in the U.S. has been encrypted and transmitted to Google.
Google packaged the data into a new tool for advertisers, called Store Sales Measurement, and currently being tested the tool with a small group of advertisers, allowing them to track whether online advertisements turned into real-world retail sales.
Read More

The post Weekly Cyber Security News: 3rd September 2018 appeared first on Security Brigade Blog.

Process Segregation for AS/400 security audit

This post is a continuation of part 1. We will dive deeper into the security audit of IBM AS/400 and system i. As we are aware that AS/400 is not just an application, it provides a complete environment to run the application including front-end(Green screen), business logic, backend, file storage and operating system support. So no third party interaction is allowed in the application for the execution environment.
In this case, the complete AS/400 environment becomes the scope of security audit to make sure the overall environment is secure. Considering the same, we segregate the security audit process in 3 major categories.

• System Security Analysis
• System Configuration Audit
• Application Logical Testing

System Security Analysis

The ‘System Security Analysis phase covers the security assessment of system environment which works as a container to run the application. Any system, running the application is one of a layer for an attacker to break into to get the access of all applications (including target application) running in that particular system. To secure an application, we must ensure that system which is providing the environment for running that application is also secure.
The system security analysis covers these critical points to analyze and ensure system security.

• System OS version.
• Open ports on the system.
• Services that are running on the system.
• Default services enabled on the system.
• Accessibility of system to end user.
• Vulnerability analysis of the services running on a system

Tools might be helpful to complete this phase :

There are a lot of tools available which helps in port scanning, service enumeration, vulnerability assessment and analyze other systems/network services. Below are the most common tools which are efficient and user-friendly and considered to be flexible for all types of environment.

NMAP can help you in port scanning and service enumeration where Nessus helps out with the vulnerability assessment for the services running on a system. Combination of NMAP and Nessus create a perfect suite for any Auditor while doing a security assessment of a system/network.
With the help of NMAP and Nessus or any other alternate tool, we need to ensure that we can identify all the ports, services running the system and point out the vulnerabilities existing in the system. This phase should cover all the above-listed points to ensure the security of the system which is layer 1 for our application.

Security Configuration Audit

Every system/application has a layer of inbuilt security to run the application with a secured configuration to avoid any unauthenticated/ unique access into the system. The system security configuration is designed by vendors to run with a best security practice which becomes user-friendly for system administrator or end user to configure the system as per standard security guidelines.
AS/400 also have some inbuilt security configuration to ensure the security of a system. All the system security configurations are easy to understand and implement for any AS/400 administrator who is capable of operating the AS/400 systems.

Mentioned below is the checklist for security configuration of AS/400 which can help to configure the AS/400 system with security best practices.

 Download our checklist here:  AS400 audit checklist Security Brigade

Note: This checklist is created based on the experience of audits Security Brigade has done so far. It’s not derived from vendors or any other external resources.

Application Logical Testing

Application logic testing covers the core logic behind application be it like business logic, data transmission, bidirectional component interaction and other checkpoints playing a crucial role in the application environment.

Logic and processes may include:
• Data transmission between client-server
• Request endpoints
• Communication protocols and conceptual behaviour
• Input processing
• Business logic layer integration and data processing
• File system
• Data storage
• Input/Output Encoding/Decoding
• Origin verification
• Application client accessibility and behaviour
• Application client enforcement
• Data manipulation during transmission

In the previous post, we mentioned specific challenges you may face. The system is entirely different from other conventional systems, so we need to work out to set up the testing environment first.
For security testing of any application, an auditor needs below parameters to work on:

• Architecture of system
• Protocol Analysis
• Setup the environment to view/modify/replay traffic
• Understanding the application logic
• Request/Response Analysis
• Local memory analysis

The above parameters are possible if we can view/modify/reply to the data transmission between client-server. So, first of all, we need to set up an environment which allows us to monitor and manipulate the application traffic. With HTTP/HTTPS based application this is easy, but when it comes to different protocols with security checkpoints of a vendor, it becomes complicated to work with.
We have already mentioned the architecture of this system in the previous system. So let’s have a look on the possibilities an auditor have to work with these systems in respect of security audit.

Analyzing The Protocol :

As per the standard protocol and design by the vendor, AS/400 work on TCP and allow to connect with the application via telnet. So there is no involvement of HTTP/HTTPS in this case which could help us to audit the system smoothly.

So we need to work on the initial analysis of system behaviour first to analyze the protocol so that we can figure out the solution to view/modify/replay the requests.
Here, Wireshark helps you analyze the traffic on a particular network interface. You can quickly filter out the traffic of as/400 with the below filter.
IP.src == <Your Local IP> && IP.dst == <IP of AS/400>

Once you can see traffic for AS/400 sent from your system or as/400 client terminal you can analyze and find the protocol it is using for communication.
IBM iSeries AS/400 Character Encoding: AS/400 uses different character encoding, but in most of the cases you can see that it uses EBCDIC which is a traditional character encoding for any application written in Cobol. In the next step, we need to figure out a solution/tool which helps us to deal with traffic over TCP with EBCDIC character encoding or any other encoding it is using.

Setup The Environment To View/Modify/Replay Traffic :

AS/400 comes with an IBM suite which has various utilities to connect, configure, troubleshoot and maintain the system. IBM emulator is one of them which help an end user to connect to the system. The same uses telnet instance in the background for remote connectivity.
We now need to think how we can place our proxy tool in between the IBM emulator and AS/400 system. We are using the below mediators as proxy tools for this purpose to capture/modify/replay the traffic :

• Echo Mirage
• ITR(Interactive TCP Replay)

We can have a look below to see the data representation in ITR :

However, thinking from a different perspective, here we have 2 ways to connect to AS/400.

1. Using IBM Emulator provided by the vendor.
2. Using telnet terminal with third party utility or system itself.

While connecting through IBM emulator, you’ll encounter a green screen window to operate the system as shown below.

Analyzing both ways for connectivity you should see that you are not able to capture the traffic using any of the above proxy tools if connecting via IBM emulator but you can capture the traffic while you connect directly using any telnet terminal. There might be the main reason which does not allow us to capture the traffic while connecting with IBM emulator. One of the main reasons is that IBM emulator is wrapped with their security checkpoints which do not allow an end user to route the traffic through other non-standard utilities.

“So we can eliminate the first challenge to capture the traffic by directly using telnet client instead IBM emulator to connect to AS/400.”

Still, if the system is configured to use only IBM emulator and deny the connection request with other utilities, we have to go with python to replay the request for testing which is not an efficient solution to deal with this challenge, but it is undoubtedly going to reduce your effort.
“So we can eliminate the second challenge to capture the traffic by using python scripts to reduce the effort and replay the requests.
Once we can capture/modify/replay the traffic, our setup is ready to proceed with the technical audit.

Understanding The Application Logic :

AS/400 based application is the standard application and provides you functionalities from inbuilt modules as per the user’s need. So all the modules are already created as per the standard procedures and guidelines. Whenever a new requirement comes, the particular set of modules are configured and provided to the end user.

The application process on the server itself and only remote access of the application can be used by the user, so there is no logic base at client end which can be exploited from the front end and manipulation between client server. The application allows a user to select particular options or write the commands (if CLI is provided to users) and these directly goes to the server so in this case, no manipulation is possible.

The application is just an interface to interact with the backend, and business logic for the same get processed on the server itself where the user does not have any command over the logic manipulation.

Moreover, we can try the below test cases to ensure the security from front end :

• DB2/SQL Injection
• JCL Injection
• Command Injection
• Input Validation Issues
• Logical Errors
• User Enumeration
• Privilege Escalation
• Insecure Cryptographic Algorithms

All of the above issues are straightforward to test as we perform testing in standard thick/thin client applications. Few of the test cases can be done with the help of inbuilt tools provided in the IBM suite such as iSeries Navigator.

iSeries Navigator allows us to access the integrated file system of AS/400 which can be used to analyze the storage, privileges, directories, security configurations, SoD and many more. This tool also helps us in configuration review of the file system as well as other access control related checkpoints.

Checkout Accessing the integrated file system

Request/Response Analysis
These request and response are purely EBCDIC encoded and can easily be seen in plain text also, but as we already know, the application logic is processed on the server itself so there is a minimum chance of doing a client-side manipulation which could lead to a severe compromise.
The below request can be seen to understand the application encoding character set transmitted in EBCDIC :

The system is developed and owned by IBM, so they have their parameters and security checkpoints to ensure the secure transmission of data. So an auditor has to mainly focus on the client side testing and security configuration review.

Local Memory Analysis :
AS/400 based application use its inbuilt integrated file system which we have discussed in previous post and analysis of the same’s discussed in the above phase. Now we mainly focus on the local storage analysis at runtime.
WinHex is a well known and efficient tool for memory analysis which allows us to monitor and analyze the memory at runtime. It is a multipurpose tool for computer forensics, data recovery, and low-level data processing. For this audits purpose, we’ll take benefit of this tool for memory analysis from the security perspective. With the help of WinHex, we can check, how the application stores data in memory in the runtime environment.

Download our checklist here:  AS400 audit checklist Security Brigade

References:
• https://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Carmel/bh-eu-06-Carmel.pdf
• https://cplusglobal.wordpress.com/2015/06/25/ibm-i-as400-security-audit-controls/
• https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/rzamv/rzamvsecauditchecklists.htm
• https://search400.techtarget.com/tip/Is-your-AS-400-secure-How-a-hacker-could-get-valuable-information-from-your-system
• https://www.sec-consult.com/wp-content/uploads/files/whitepapers/SEC-Consult_Whitepaper_COBOL_V1.1.pdf
• https://resources.infosecinstitute.com/application-security-testing-of-thick-client-applications/#gref

The post Security Audit of IBM AS/400 and System i : Part 2 appeared first on Security Brigade Blog.

In this blog post, we will be describing our experience of conducting a security audit of IBM AS/400 and System i.

AS/400 also known as IBM i Series or Green Screen System was initially designed for micro businesses. By industry need and reliable performance of these systems with the efficient output, IBM redesigned the system for distributed networks.

AS/400 supports the distributed network communication while interacting with multiple core applications to serve the data in a multi-direction manner. It runs on its internal operating system called OS/400 which is equipped to provide versatile all-purpose services.

OS/400 based AS/400 system is a milestone success, where IBM can compete with Windows and Unix based servers. Unlike Windows and Unix, its multi-purpose environment and inbuilt security implementation make it safer and reliable in the industry.

Features Of The AS/400 System

Given that most companies have adopted other popular systems where users have accessibility, reliability, efficiency, troubleshooting, human resources, cost-effective, and ease of implementation, we’ll argue the case for why companies should consider adopting AS/400 over other popular systems.

AS/400 systems/servers have always been an attraction for the businesses that deal with a high volume of transactions. These systems are entirely reliable, safe and efficient as per the business need. Below are some key factors which work as a backbone for the existence of AS/400 in the industry:

• Performance
• In-built Security
• Thousands of inbuilt application environment
• Fully integrated h/w and s/w components
• RISC processor technology
• Efficiency
• Stability
• Accuracy
• Versatility

AS/400 or System i Architecture

As we all know, dealing with financial transactions and sensitive user data has always been a concern for organizations. These types of operations require maximum efficiency as well as accuracy as they are expecting the security of critical assets. So organizations tend to go with systems which are capable of providing all these critical factors along with a high-performance environment to the end user to avoid any business/security issues in the place.

IBM AS/400 uses an integrated file system that allows applications to access specific segments of storage that it organizes as logical units. These logical units are files, directories, libraries, and objects.

Integrated File System

There are various file systems in the integrated file system:

• Root (/)
• Open Systems (QOpenSys)
• Library (QSYS.LIB)
• Document Library Services (QDLS)
• LAN Server/400 (QLANSrv)
• Optical Support (QOPT)
• File Server (QFileSvr.400) etc

Challenges During Security Audits of AS/400

The above overview, architecture, file system is enough to understand that these systems are entirely different from other systems which are commonly in use. Whenever we talk about security audit of any system, it directly relates to and depends on the architecture and workflow of that system. So auditor must have an idea about the architecture and workflow of the target system to create the strategy for security testing of that particular system.

As we are aware that, these systems entirely different from other systems to the process and methodology of security testing for other systems would not work here anymore.So let’s have a look on the challenges auditors usually face while doing the security audit of AS/400 based system:

• It uses it’s own IBM client to access the application which is completely wrapped with IBM security checkpoints, so it is difficult to intercept the traffic for testing.
• Requires expertise in AS/400 system commands, where most of the auditors are from a Windows, networking or other background and don’t have in-depth AS/400 security knowledge.
• A file system is different from other conventional systems, so analyzing and choosing attack vectors for the respective module is difficult.
• Runs on IBM Mainframe based systems, so it is challenging to understand the background support processes as mainframe is in infrequent use.
• If a third party utility is used to access the application, IBM’s security checkpoints crash the utility and don’t allow the user to access the application using other utilities.
• Another reason of crashing the utility is that AS/400 is a high performance and reliable system so it requires a utility to access the application which capable as per the AS/400’s requirements, and usually, other utilities are not capable.
• Most of the AS/400 system works on EBCDIC (Extended Binary Coded Decimal Interchange Code) character set so tools used as a proxy in other application by auditors may fail.
• It transfers data character by character, so mass manipulation of data is difficult to perform.
• Depending on the configuration done by administrators, AS/400 may only allow the request from the IBM client only, so auditor’s methodology of sending or replaying existing request might get blocked.
• Client-side manipulation is difficult as it is made by the IBM standard code which is being used since it’s deployment.
• As the application logic is processed on the server, there is almost no scope for application logic testing.
• It is challenging for those companies or auditors to audit AS/400 who mainly depends on the automation testing as there is a minimum scope of automation testing in this scenarios and as such no automated scanner is available.

Tools and Techniques to be used in AS/400 Audit

Below are some tools which can help you during the security audit of AS/400. Use of a particular tool depends on the application behaviour and client application. The role and reason behind choosing these tools will be explained in the core audit process.

• Wireshark
• ITR(Interactive TCP Relay)
• Echo Mirage
• SysInternalSuite
• WinHex
• In-built IBM Utilities
• Python(To reduce the effort during testing)

In the next part, we will explain the process segregation and core audit process covering various aspects of a security audit in regards of AS/400 environment.

The post Security Audit of IBM AS/400 and System i : Part 1 appeared first on Security Brigade Blog.

Second Quarter 2018 Top-Clicked Phishing Email Subjects
The Top 10 Most-Clicked General Email Subject Lines Globally for Q2 2018 include:
1. Password Check Required Immediately (15%)
2. Security Alert (12%)
3. Change of Password Required Immediately (11%)
4. A Delivery Attempt  (10%)
5. Urgent Press Release to Employees (10%)

Read More

Hackers Steal $13.5 Million from Indian Bank in ATM Scheme
The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM cash-out,” in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.
According to the FBI alert: “Historical compromises have included small-to-medium size financial institutions, likely due to the less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. The FBI expects the ubiquity of this activity to continue or possibly increase shortly.”
The FBI urged banks to review how they’re handling security, including password requirements and multi-factor authentication for local administrators and business-critical roles.
Read More

Sebi To Expand The Scope of Cybersecurity Initiatives For MIIs
Regulator Sebi is planning to broaden the scope of cybersecurity initiatives for the market infrastructure institutions (MIIs) and look into the operational modalities of their implementation to deal with the cyber challenges.
“Taking cognisance of the threat posed by technological developments in the Indian capital markets. With the rise of cyber threats in the financial domain across the globe, Sebi had laid down a detailed framework about cyber security and cyber resilience that stock exchanges, clearing corporations and depositories are required to adopt,” the regulator said in its annual report for 2017-2018.
Read More

Mamata Banerjee Unveils West Bengal’s IT Policy With a Focus On AI & Big Data Analytics
The new policy revolves around Cybersecurity, Internet-of-Things (IoT), 3D printing, big data analytics, animation and gaming besides, robotics, drones, fin tech, artificial intelligence, Industry 4.0, quantum computing and others.
“West Bengal has surged ahead economically and seeks to leverage IT for social welfare and economic development. The state’s vision is to become one of the leading states in India in the IT, ITeS, ICT (Information and Communication Technology) and ESDM (Electronic System Design and Manufacturing) sectors,” it said. “The policy strives to unlock the vast potential of the IT&E to design a paradigm shift in the sector, all the while fostering social welfare,” it said.
Read More

The post Weekly Cyber Security Update: 17th August 2018 appeared first on Security Brigade Blog.

Pizza As  A Service 2.0
A unique and upgraded take by Paul Kerrison to describe the various types of cloud services available for modern IT deployment.

Read More

Optus Email Scam Target Customers with Fake Late Payment Penalties
The fake emails are sophisticated and use a web address that looks like the real Optus website. The email contains a link to a fake ‘pay your bill’ page, which then asks for your credit card details.

The fake email and payment form are cunningly crafted to trick people. It’s important you check the legitimacy of email links to protect your personal information—use contact details you find through a legitimate source and not those contained in the suspicious message.
Read More

2.6 billion records exposed in 2,300 disclosed breaches so far this year
After a surprising drop in the number of reported data breaches in the first quarter, breach activity appears to be returning to a more “normal” pace.

“2018 has been a curious year. After the wild ride of 2017, we became accustomed to seeing a lot of breaches, exposing extraordinary amounts of information. 2018 is remarkable in that the number of publicly disclosed breaches appears to be levelling off while the number of records exposed remains stubbornly high,” said Inga Goddijn, Executive Vice President for Risk Based Security. “It’s not easy to characterize 2.6 billion records exposed as an improvement, even if it is less than the 6 billion exposed at this time last year.”

Read More

Healthcare Industry Cyber Woes continues, UnityPoint Health’s 1.4 Million Records Breached
UnityPoint the healthcare company was recently breached as their employees were scammed with phishing emails, losing their email credentials in the process. Other than patient records, non-medical personally identifiable information like driver’s license numbers and Social Security numbers.
Read More

The post Weekly Cyber Security News: 10th August 2018 appeared first on Security Brigade Blog.

New Gmail Feature Could Open More Users To Phishing Risks
Google is rolling out a sweeping redesign of its popular Gmail service. The redesign has a new feature called “Confidential Email” which requires users to click a link to access confidential emails. Google has essentially created an opportunity where malicious cyber actors could exploit this feature leading to a potential 1.4 billion users more susceptible to dangerous phishing attacks.
Read More

Worst Cyber Attack in Singapore’s Healthcare Industry Recorded
Singapore’s Prime Minister made an announcement that 1.5 million patient personal records, including his own personal data, have been stolen in a major cyber attack against SingHealth.
The data breach included the leakage of 160,000 prescription records, this can easily be dubbed as a record-breaking cyber attack against Singapore’s premier healthcare firm.
Read More

Google Chrome Is Calling Out Insecure Websites
The latest version of Google’s web browser, Chrome 68, is taking on one of the web’s basic but most important issues: encryption. Chrome is taking a stand against websites by marking those that don’t use HTTPS by default, as insecure.
“This is a really significant change in our default standards for security,” explains security researcher Scott Helme. “We’re now expecting it to be secure and if it is not we will tell the user.” What users see from Google isn’t going to be a radical change but if a website isn’t using HTTPS it will show a message next to the URL in the search bar saying “not secure”.
Read More

US-CERT Warns of ERP Application Hacking
Enterprise resource planning (ERP) applications from vendors such as Oracle and SAP are under attack and the critical data living inside them is vulnerable to both criminal and nation-state hackers. The three key steps an organization can take to reduce their attack exposure are to carefully review configurations for known vulnerabilities; change default passwords and require strong passwords for administrators and users, and try to reduce the exposure of ERP applications to the Internet.
Read More

The post Weekly Cyber Security News: 1st August 2018 appeared first on Security Brigade Blog.

The Biggest Hacks and Data Breaches of 2018 (so far)
We’re now more than halfway through 2018 and the number of data breaches is ramping up. This year has seen more third-party services being breached and customer data stolen from multiple companies in one go. From the devastating Aadhar breach to Ticketmaster, here’s a roundup of the year in breaches
Read More

Indian iPhone Spy Campaign Used Fake MDM Platform
Cyber attackers have used a bogus mobile device management (MDM) system to target a small – but presumably high-value – set of iPhones in India, in a cyber-espionage campaign that has some unusual hallmarks. Attackers deployed an open-source MDM – which is typically used in business environments to provide security, policy-enforcement, expense tracking and application management across a company’s mobile workforce.
Read More

India’s telecom regulator recommends stricter data security rules
“The white paper recognizes the need for a rights-based data protection framework, but how it goes about providing that is problematic,” says Apar Gupta, a Supreme Court lawyer who has worked extensively on privacy and freedom of speech related issues in India. “It articulates the central problem as achieving an acceptable trade-off between innovation and data protection, instead of attempting to harness innovation to facilitate individual autonomy, dignity, and self-determination.”
Read More

Cyber attacks a major threat to startups

Banks and telecom companies have the most robust cybersecurity systems in India, while only 8% of startups are secure. When it comes to response, only 3% of startups are equipped to deal with a cyber attack, while 40% of banks are prepared. Visit our website to see the range of client’s we’ve worked with: https://lnkd.in/f7eVxVd We cater to all industry verticals, creating customized security solutions driven by expert manual testing that is empowered by AI and machine learning.
Read More

The post Weekly Cyber Security News: 24th July 2018 appeared first on Security Brigade Blog.