Silicon Shecky

Infosec Practitioner


Zoom Zoom or WTF people?

April 16, 2020 By Michael Kavka 1 Comment

Slide by Dave Kennedy, CEO of TrustedSec and Binary Defense from his closing remarks at Grimmcon.

Zoom is not malware. Repeat with me…  ZOOM IS NOT MALWARE!

Zoom has been everywhere and on many people's minds. We have also failed the company, not by finding holes in their software, but by playing the role of Chicken Little. The sky is not falling, at least not from Zoom. We in the world of security have lost it, and as Dave Kennedy said at Grimmcon this week, and I paraphrase, “We have pushed back our relations with the everyday person. We have forgotten that usability is part of our equation of risk, and that responsibility in disclosing of bugs is important.”

Here is a great blog post about the whole situation with Zoom (written by Amit Serper and Dave Kennedy): https://medium.com/@0xamit/zoom-isnt-malware-ae01618e2046

To those that do not want to read that, here are a few key points:

  1. Zoom usage grew from 10 Million people to 200 Million people in a matter of weeks. That is 20x the people in a matter of weeks, unbelievable growth in a product.
  2. Zoom has made mistakes and has bugs. All software does, and the real proof of a company is how they respond.
  3. Zoom has a PDF of best practices for securing Zoom meetings.

On point 2, Zoom has not only been fast to respond and push out fixes, but has not complained about people finding these issues. As of April 2, 2020 Zoom announced a 90-day hold on any new features to focus on security fixes. This is amazing in its own right. I have not heard of many companies doing this. These bugs that Zoom has been fixing have been fixed in a matter of days in most cases. Last time I checked, Microsoft, Apple, Cisco, and Oracle take months or longer to fix bugs in most cases. They have done this with no warning about the bugs; they are hearing about them at nearly the same time as we are. Google, Microsoft, Oracle, and Cisco usually get 90 days from notification of a bug to fix it, and the bug is usually not announced until a fix is out.

As far as End to End Encryption goes, that was a marketing mistake. Cisco WebEx, while offering End to End Encryption, does not offer it for Video conferencing. There also have been plenty of flaws found on WebEx and other Video conferencing systems over the years.

As far as the breach with usernames and passwords, all I have to say is... Target, Best Buy, Home Depot, Equifax, Anthem, need I go on?

Zoom has made mistakes, no doubt. They are not perfect, but their model is one of simplicity. One of allowing people to communicate easily, and that is what it was: easy. Easy for grandma to not have to log into anything and just take a link sent to her by her family to video chat with them. Easy to just set up and go. It was not designed to be used for State Secrets. Its threat model at the time was different than what it was starting to be used for by Governments and Corporations. It is a product that got shoved under a microscope, and has responded to being under that microscope a lot better than many companies I have seen over the years.

So yes, Zoom is safe for the everyday person to use. Zoom now defaults to requiring passwords for the meeting sessions. Zoom now wants people to log in. Zoom has taken away some of its simplicity. Zoom is not Malware!

Filed Under: Rants, Security, Software Tagged With: Dave Kennedy, WebEx, Zoom

Random Stream of Thoughts

March 26, 2020 By Michael Kavka Leave a Comment

So here we are, a pandemic going on. The current (temporary) norm is everyone working from home. We secure what we can of course, and many of us are used to working from home, at least sometimes, but what else is available to do?

Myself, I’ve been working on CTFs from tryhackme.com and making a little headway in them. Many conferences have or are going virtual, and while I understand still charging for them, the ones that are not charging are appreciated. There are things like Virtual Lobby Con which happens a couple times a week. All this is great to see, but this environment has been increasing imposter syndrome, at least in me.

I am not the smartest, nor best out there. I do what I can, but community wise I feel sort of like a third wheel quite often. I don’t have any vulnerability finds under my belt. My github has stuff I have done, but much of it is just reworking of other projects out there for my own experience. Still it feels like I have not done much.

I have volunteered for a number of things, Hack4Kidz, BSides Chicago, even the new Blue Team Con, but feel like I am on the outside looking in, even when I want to be more involved and have said it straight out. I have a lot of acquaintances, and some I consider friends in the world of infosec, but feel that I get left out of a lot. Yes, I can’t make as many things as I would like to due to having a toddler at home and wanting to make sure that his stay at home mom gets time out and about, but it gets tough when all I want to do is be a part of some things and build relationships. I help with some local meetups, including having helped found one, but when I am at the meetups, I tend to be on the quieter side because I don’t know as much as many of the people there. I am not trying to fool anyone, just trying to be me and learn by listening.

All this social distancing should be easy for me, but it is not. I do crave human interaction, and while online is okay, in person is what I miss. I am getting too much time to ponder on all of this, too much time to let my brain beat itself down, and bring me down with it. All I know is that imposter syndrome has been getting larger and larger, which is why I ask, what are you doing to keep yourself sane during these times? Feel free to post here, or hit me up on twitter (@siliconshecky).

Filed Under: General, Rants Tagged With: Imposter Syndrome

Nessus and Python Scripts

January 17, 2020 By Michael Kavka Leave a Comment

I have been working on some Python scripting over the past couple months for Nessus Pro, which I have been playing with. These are no real big deal, but might be able to help some of you out. They are located at my github page.

The first one is the grabber script. We had been using one for our local scanner that required username and password. I decided it was about time to do it through API keys, so I rewrote the generic script we already had to use them. It was a great way to get to understand how to use API keys to access the Nessus scanner. This script will show you information so you can grab just one scan, or all scans if you have multiple ones set up.

Once that was done, I turned my mind to parsing the raw nessus file, which is XML, into an easy to read format (nessus_parser.py). We had been using a perl script from years ago to create a multi-page Excel file. I instead have done it in python, modifying a script I found that was not completely functional, reworking it to use the import CSV feature and output everything into a single CSV file. There is also a remarked out section with some notes, if you only want to parse out vulnerabilities with CVSS scores (so non info data). I personally like having access to all the data.

Inside the parser there is the following line:

csvHeaders = ['CVSS Score', 'IP', 'FQDN', 'OS', 'Port', 'Vulnerability', 'Risk', 'Description', 'Exploit Available', 'Proof', 'Solution', 'See Also', 'CVE'] # headers for the CSV

This maps to the line below it:

nessusFields = ['cvss_base_score', 'host-ip', 'host-fqdn', 'operating-system', 'port', 'plugin_name', 'risk_factor', 'description', 'exploit_available', 'plugin_output', 'solution', 'see_also', 'cve'] # headers of the nessus file. These are pulled from the XML. Order here must match up to the CSV headers you want for each item.

If you want some piece of data pulled from the raw nessus file that I am not pulling, you can add it into both lines, the lower one being the field in nessus, and the upper being what the header for that data will be called. You can look at the code and the raw nessus file to see what I mean as far as the <tag> goes. Also, there is a section to pull attributes out of the <ReportItem> tag such as port, protocol, etc.

if item.tag == 'ReportItem':  # this will parse out items that are in the <ReportItem> tag
    reportRow = dict(reportHost)
    reportRow['Port'] = item.attrib['port']
    reportRow['Vulnerability'] = item.attrib['pluginName']
    reportRow['Plugin ID'] = item.attrib['pluginID']
    for tag in (tag for tag in item if tag.tag in nessusFields):
        reportRow[getKey(tag.tag)] = getValue(tag.text)
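As an added illustration (this is not the nessus_parser.py script from the GitHub page), the code below applies the same header-to-field mapping to a small constructed .nessus-style sample, including the CVSS-only filter mentioned above and the case of repeated <cve> elements. The sample data, the placeholder CVE ids, and the names parse_nessus, to_csv and FIELD_TO_HEADER are assumptions made for this example.

```python
import csv
import io
import xml.etree.ElementTree as ET

# The post's two lists; position i in one corresponds to position i in the other.
csvHeaders = ['CVSS Score', 'IP', 'FQDN', 'OS', 'Port', 'Vulnerability', 'Risk',
              'Description', 'Exploit Available', 'Proof', 'Solution', 'See Also', 'CVE']
nessusFields = ['cvss_base_score', 'host-ip', 'host-fqdn', 'operating-system', 'port',
                'plugin_name', 'risk_factor', 'description', 'exploit_available',
                'plugin_output', 'solution', 'see_also', 'cve']
FIELD_TO_HEADER = dict(zip(nessusFields, csvHeaders))

# Constructed sample in the .nessus v2 layout (not real scan data; CVE ids are placeholders).
SAMPLE = """<NessusClientData_v2><Report name="demo"><ReportHost name="192.0.2.10">
<HostProperties><tag name="host-ip">192.0.2.10</tag>
<tag name="host-fqdn">web01.example.test</tag>
<tag name="operating-system">Linux</tag></HostProperties>
<ReportItem port="443" protocol="tcp" pluginID="900001" pluginName="Constructed TLS finding">
<cvss_base_score>5.0</cvss_base_score><risk_factor>Medium</risk_factor>
<cve>CVE-0000-0001</cve><cve>CVE-0000-0002</cve><solution>Upgrade.</solution></ReportItem>
<ReportItem port="0" protocol="tcp" pluginID="900002" pluginName="Constructed info item">
<risk_factor>None</risk_factor><plugin_output>scan details</plugin_output></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

def parse_nessus(xml_text, only_scored=False):
    rows = []
    for host in ET.fromstring(xml_text).iter('ReportHost'):
        host_row = dict.fromkeys(csvHeaders, '')  # missing fields become empty cells
        for tag in host.findall('HostProperties/tag'):  # host-level values
            if tag.get('name') in FIELD_TO_HEADER:
                host_row[FIELD_TO_HEADER[tag.get('name')]] = (tag.text or '').strip()
        for item in host.iter('ReportItem'):
            values = {}
            for child in item:
                header = FIELD_TO_HEADER.get(child.tag)
                if header:  # repeated elements such as <cve> are collected, not overwritten
                    values.setdefault(header, []).append((child.text or '').strip())
            row = dict(host_row, Port=item.get('port', ''), Vulnerability=item.get('pluginName', ''))
            row.update({h: '; '.join(v) for h, v in values.items()})
            if only_scored and not row['CVSS Score']:
                continue  # drop informational items that carry no CVSS score
            rows.append(row)
    return rows

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=csvHeaders)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

For .nessus files from sources you do not control, the defusedxml package's ElementTree drop-in is a safer parser than the standard library one.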

As I said simple stuff, nothing written from scratch but heavily modified to make them working scripts for this day and age. Enjoy!

Filed Under: Scripts, Security Tagged With: Nessus, Python, script
