CloudSploit Scans – AWS Security Scanning Checks

CloudSploit Scans is an open-source project for detecting security risks in an AWS account. The scripts run against an account and return a list of potential misconfigurations and security risks.

Installation

Ensure that Node.js is installed. If not, install it before continuing.

```shell
git clone git@github.com:cloudsploit/scans.git
npm install
```

Setup

To begin using the scanner, edit index.js with your AWS key, secret, and optionally (for temporary credentials) a session token. You can also point it at a file containing credentials. To determine the permissions associated with your credentials, see the Permissions section below. In the list of plugins in exports.js, comment out any plugins you do not wish to run. You can also skip entire regions by modifying the skipRegions array.

Alternatively, set the environment variables the AWS SDKs expect: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and, for temporary credentials, AWS_SESSION_TOKEN. Prefer the environment variables or a credentials file over editing index.js, so that long-lived keys do not end up committed alongside the code.

Cross Account Roles

When using the hosted scanner, you'll need to create a cross-account IAM role. Cross-account roles let you share access to your account with another AWS account using the same policy model you already use. The advantage is that a cross-account role is considerably safer than key-based access: an attacker who learns the role ARN still cannot make API calls unless they also compromise the authorized AWS account, and the external ID you enter below stops a third party from persuading CloudSploit's account to assume your role on their behalf (the confused-deputy problem that the sts:ExternalId condition exists to prevent).

To create a cross-account role:

1. Navigate to the IAM console.
2. Click "Roles" and then "Create New Role".
3. Provide a role name (suggested: "cloudsploit").
4. Select the "Role for Cross-Account Access" radio button.
5. Click the "Select" button next to "Allows IAM users from a 3rd party AWS account to access this account."
6. Enter 057012691312 for the account ID (this is the ID of CloudSploit's AWS account).
7. Copy the auto-generated external ID from the CloudSploit web page and paste it into the AWS IAM console textbox.
8. Ensure that "Require MFA" is not selected.
9. Click "Next Step".
10. Select the "Security Audit" policy, then click "Next Step" again.
11. Click through to create the role.

Permissions

The scans require read-only permissions to your account. The simplest way to grant them is to attach the "Security Audit" AWS managed policy to your IAM user or role.

Security Audit Managed Policy (Recommended)

To configure the managed policy:

1. Open the IAM console.
2. Find your user or role.
3. Click the "Permissions" tab.
4. Under "Managed Policy", click "Attach policy".
5. In the filter box, enter "Security Audit".
6. Select the "Security Audit" policy and save.

Inline Policy (Not Recommended)

If you'd prefer to be more restrictive, the following IAM policy contains the exact permissions used by the scan.

WARNING: This policy will change as more plugins are written. If a test returns "UNKNOWN", it is most likely missing a required permission. The preferred method is to use the "Security Audit" policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "configservice:DescribeConfigurationRecorders",
        "configservice:DescribeConfigurationRecorderStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeVpcs",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeSubnets",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancers",
        "iam:GenerateCredentialReport",
        "iam:ListServerCertificates",
        "iam:ListGroups",
        "iam:GetGroup",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers",
        "iam:ListUserPolicies",
        "iam:ListAttachedUserPolicies",
        "kms:ListKeys",
        "kms:DescribeKey",
        "kms:GetKeyRotationStatus",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "route53domains:ListDomains",
        "s3:GetBucketVersioning",
        "s3:GetBucketLogging",
        "s3:GetBucketAcl",
        "s3:ListBuckets",
        "ses:ListIdentities",
        "ses:getIdentityDkimAttributes"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

Running

To run a standard scan, showing all outputs and results, simply run:

```shell
node index.js
```

Optional Plugins

Some plugins require additional permissions not listed above. Since those IAM permissions are not included in the SecurityAudit managed policy, these plugins are not enabled in exports.js by default. To enable them, uncomment them in exports.js, add the required actions to an inline IAM policy, and re-run the scan.

Compliance

CloudSploit can also map its plugins to particular compliance policies. To run a compliance scan, use the --compliance flag. For example:

```shell
node index.js --compliance=hipaa
```

CloudSploit currently supports the following compliance mappings:

HIPAA: maps CloudSploit plugins to the Health Insurance Portability and Accountability Act of 1996.

Architecture

CloudSploit works in two phases. First, it queries the AWS APIs for metadata about your account; this is the "collection" phase. Once all the necessary data has been collected, the result is passed to the second phase, "scanning", which searches the collected data for potential misconfigurations, risks and other security issues and reports them as output.

Writing a Plugin

Collection Phase

To write a plugin, you must know which AWS API calls your scan needs. These are declared in collect.js, which determines the API calls made and the order in which they are made. For example:

```javascript
CloudFront: {
  listDistributions: {
    property: 'DistributionList',
    secondProperty: 'Items'
  }
},
```

This declaration tells the collection engine to query CloudFront with listDistributions and save the results returned under DistributionList.Items.

The second section of collect.js is postcalls, which declares API calls that rely on other calls having returned first. For example, to list all EC2 instances and then run a more detailed call against each one, add EC2:DescribeInstances to the calls section and the detailed call to postcalls, declaring that it relies on the output of DescribeInstances. An example:

```javascript
getGroup: {
  reliesOnService: 'iam',
  reliesOnCall: 'listGroups',
  filterKey: 'GroupName',
  filterValue: 'GroupName'
},
```

This tells CloudSploit to wait until IAM:listGroups has returned and then loop through the data it returned. filterValue names the property to read from each element of that response, and filterKey names the request parameter it is passed as in the dependent call; the two only happen to coincide for groups (for S3, for instance, the bucket Name from listBuckets is passed as the Bucket parameter). For each element CloudSploit calls iam.getGroup({GroupName: abc}), where abc is the GroupName of that element, and stores the response under that value. CloudSploit loops through every element of the response, re-invoking getGroup for each one.

Scanning Phase

After the data has been collected, it is passed to the scanning engine, where the results are analyzed for risks. Each plugin must export the following:

- title (string): a user-friendly title for the plugin
- category (string): the AWS category (EC2, RDS, ELB, etc.)
- description (string): a description of what the plugin does
- more_info (string): a more detailed description of the risk being tested for
- link (string): an AWS help URL describing the service or risk, preferably with mitigation methods
- recommended_action (string): what the user should do to mitigate the risk found
- run (function): a function that runs the test (see below)

The run function accepts the full collection object obtained in the first phase and calls back with the results and the data source.

Result Codes

Each result carries a code that indicates whether the test succeeded and its risk level:

0: OK: no risk found
1: WARN: the result represents a potential misconfiguration or issue but is not an immediate risk
2: FAIL: the result presents an immediate risk to the security of the account
3: UNKNOWN: the result could not be determined (API failure, missing permissions, etc.)

Tips for Writing Plugins

- Many security risks can be detected with the same API calls. To minimize the number of API calls made, use the cache helper so the result of an API call made in one test is reused by later tests. For example, two plugins "s3BucketPolicies" and "s3BucketPreventDelete" that both list every S3 bucket can be combined into a single plugin "s3Buckets" exporting two tests, "bucketPolicies" and "preventDelete"; the API is called once, but multiple tests run on the same results.
- Use AWS API calls optimally. For example, call describeInstances with empty parameters to get all instances, instead of calling describeInstances once per instance name.
- Use async.eachLimit to bound the number of simultaneous API calls. Instead of a for loop over 100 requests, spread them out with async's eachLimit; this also keeps the scan under AWS API rate limits.

Example

To illustrate writing a new plugin more clearly, consider the "IAM Empty Groups" plugin. First, we know we need the list of groups via listGroups, and then, for each group, the more detailed data via getGroup.

We add these API calls to collect.js. First, under calls:

```javascript
IAM: {
  listGroups: {
    property: 'Groups'
  }
},
```

The property tells CloudSploit which property to read from the AWS response.

Then, under postCalls:

```javascript
IAM: {
  getGroup: {
    reliesOnService: 'iam',
    reliesOnCall: 'listGroups',
    filterKey: 'GroupName',
    filterValue: 'GroupName'
  }
},
```

CloudSploit first gets the list of groups, then loops through each one, using the group name to fetch the detailed record via getGroup.

Next, write the plugin. Create a new file in the plugins/iam folder called emptyGroups.js (this plugin already exists; create a similarly named one for the purposes of this example).

In the file, export the plugin's title, category, description, link and more_info. Additionally, list the API calls it makes:

```javascript
apis: ['IAM:listGroups', 'IAM:getGroup'],
```

In the run function, obtain the output of the collection phase with:

```javascript
var listGroups = helpers.addSource(cache, source, ['iam', 'listGroups', region]);
```

Then loop through each of the results and do:

```javascript
var getGroup = helpers.addSource(cache, source, ['iam', 'getGroup', region, group.GroupName]);
```

The helper ensures the proper results are returned from the collection and saved into a "source" variable that can be returned alongside the results.

Now write the plugin logic by checking the data against the requirement. Note the order of the checks: the UNKNOWN case (missing or failed call) is tested before the empty case, so a group the scanner could not read is never reported as empty.

```javascript
if (!getGroup || getGroup.err || !getGroup.data || !getGroup.data.Users) {
  helpers.addResult(results, 3, 'Unable to query for group: ' + group.GroupName, 'global', group.Arn);
} else if (!getGroup.data.Users.length) {
  helpers.addResult(results, 1, 'Group: ' + group.GroupName + ' does not contain any users', 'global', group.Arn);
  return cb();
} else {
  helpers.addResult(results, 0, 'Group: ' + group.GroupName + ' contains ' + getGroup.data.Users.length + ' user(s)', 'global', group.Arn);
}
```

The addResult function adds the result to the results array in the proper format. It accepts:

```
(results array, score, message, region, resource)
```

The resource is optional, and the score must be between 0 and 3 to indicate OK, WARN, FAIL or UNKNOWN.

Download CloudSploit Scans
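Both phases of the walkthrough above, collection and scanning, put together as an added example; this is not code from the CloudSploit README or repository. It runs offline against a constructed stand-in for the AWS SDK's IAM client (fakeIam, with invented group names and one group whose getGroup call fails), and collect(), the two-function helpers object and scan() are this example's own simplified versions of the project's collector and helpers, written to the shapes the README describes; the real collector is asynchronous and walks every region, which this does not. The getGroup postcall declaration, the cache paths, and the plugin's exports and three result branches are the ones from the text; filterValue is read from each listGroups element and sent as the filterKey request parameter (both named GroupName here, so the two are indistinguishable in this case).

```javascript
// Added example, not code from the CloudSploit project: both phases described
// above, run offline against a constructed stand-in for the AWS SDK. fakeIam,
// collect(), the small helpers object and scan() are this example's own.

// Constructed IAM client with invented groups and account ID; 'broken' simulates
// an API error so the UNKNOWN path runs. Callbacks fire synchronously here; the real SDK's do not.
const group = (n) => ({ GroupName: n, Arn: 'arn:aws:iam::123456789012:group/' + n });
const fakeIam = {
  listGroups(params, cb) { cb(null, { Groups: ['admins', 'unused', 'broken'].map(group) }); },
  getGroup(params, cb) {
    const users = { admins: [{ UserName: 'alice' }], unused: [] };
    if (!(params.GroupName in users)) return cb(new Error('AccessDenied'));
    cb(null, { Group: group(params.GroupName), Users: users[params.GroupName] });
  },
};

// collect.js-style declarations, in the same shape as the README's IAM entries.
const calls = { IAM: { listGroups: { property: 'Groups' } } };
const postcalls = { IAM: { getGroup: {
  reliesOnService: 'iam', reliesOnCall: 'listGroups',
  filterKey: 'GroupName', filterValue: 'GroupName' } } };

// Collection phase. Plain calls land at collection[service][call][region]; postcalls run
// once per element of the call they rely on and land one level deeper, keyed by that
// element's filterValue property, which is also sent as the filterKey request parameter.
function collect(clients, region) {
  const collection = {};
  const slot = (svc, call) =>
    [svc, call, region].reduce((node, key) => (node[key] = node[key] || {}), collection);
  for (const [svc, entries] of Object.entries(calls)) {
    for (const [call, spec] of Object.entries(entries)) {
      clients[svc][call]({}, (err, resp) => {
        const out = slot(svc.toLowerCase(), call);
        if (err) out.err = err; else out.data = resp[spec.property];
      });
    }
  }
  for (const [svc, entries] of Object.entries(postcalls)) {
    for (const [call, spec] of Object.entries(entries)) {
      const dep = collection[spec.reliesOnService][spec.reliesOnCall][region];
      if (!dep || !dep.data) continue; // upstream call failed: nothing to loop over
      for (const item of dep.data) {
        const id = item[spec.filterValue];
        clients[svc][call]({ [spec.filterKey]: id }, (err, resp) => {
          slot(svc.toLowerCase(), call)[id] = err ? { err } : { data: resp };
        });
      }
    }
  }
  return collection;
}

// Stand-ins for the helpers module: addSource walks the cache along a path, records what
// it found in `source` and returns it; addResult takes (results, score, message, region, resource).
const helpers = {
  addSource(cache, source, path) {
    let node = cache, src = source;
    for (const key of path.slice(0, -1)) {
      node = node ? node[key] : undefined;
      src = src[key] = src[key] || {};
    }
    const last = path[path.length - 1];
    return (src[last] = node ? node[last] : undefined);
  },
  addResult(results, status, message, region, resource) { results.push({ status, message, region, resource }); },
};

// The plugin, with the exports the README requires; its branches are the walkthrough's (0 OK, 1 WARN, 3 UNKNOWN).
const emptyGroups = {
  title: 'IAM Empty Groups', category: 'IAM', apis: ['IAM:listGroups', 'IAM:getGroup'],
  description: 'Ensures every IAM group contains at least one user',
  more_info: 'Empty groups are usually stale and accumulate policies nobody reviews.',
  link: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html',
  recommended_action: 'Delete empty groups or add the intended users to them.',
  run(cache, cb) {
    const results = [], source = {}, region = 'global';
    const listGroups = helpers.addSource(cache, source, ['iam', 'listGroups', region]);
    if (!listGroups || listGroups.err || !listGroups.data) {
      helpers.addResult(results, 3, 'Unable to query for groups', region);
      return cb(null, results, source);
    }
    for (const g of listGroups.data) {
      const getGroup = helpers.addSource(cache, source, ['iam', 'getGroup', region, g.GroupName]);
      if (!getGroup || getGroup.err || !getGroup.data || !getGroup.data.Users) {
        helpers.addResult(results, 3, 'Unable to query for group: ' + g.GroupName, region, g.Arn);
      } else if (!getGroup.data.Users.length) {
        helpers.addResult(results, 1, 'Group: ' + g.GroupName + ' does not contain any users', region, g.Arn);
      } else {
        helpers.addResult(results, 0, 'Group: ' + g.GroupName + ' contains ' + getGroup.data.Users.length + ' user(s)', region, g.Arn);
      }
    }
    cb(null, results, source);
  },
};

// End to end: collect with the fake client, then scan the resulting cache.
function scan() {
  let out = [];
  emptyGroups.run(collect({ IAM: fakeIam }, 'global'), (err, results) => { out = results; });
  return out;
}
for (const r of scan()) console.log(r.status, r.message, r.resource || '');
```

Running it prints one line per group: admins passes (0), unused warns (1), and broken, whose getGroup call failed, is reported as UNKNOWN (3) rather than as empty. That is the reason the null and error checks come before the length check in the plugin: a permission error must never be mistaken for a clean result.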

Link: http://feedproxy.google.com/~r/PentestTools/~3/kO89DoOlQUw/cloudsploit-scans-aws-security-scanning.html

Lynis 2.6.7 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next step in the simplification improvements we have been making. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool, used by system administrators, security professionals and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it can perform more extensive security scans than network vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, so it runs on almost all Unix-based systems and versions, including:

- AIX
- FreeBSD
- HP-UX
- Linux
- Mac OS
- NetBSD
- OpenBSD
- Solaris
- and others

It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system and run "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan consists of a set of steps, from initializing the program up to the report.

Steps

1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it performs an initial round of Apache-related tests. When, during the Apache scan, it also discovers an SSL/TLS configuration, it performs additional auditing steps on that. While doing so, it collects the discovered certificates so they can be scanned later as well.

In-depth security scans

Because scanning is opportunistic, the tool runs with almost no dependencies, and the more it finds, the deeper the audit goes. In other words, Lynis always performs scans customized to your system; no two audits are the same.

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases include:

- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it draws its tests from published standards as well as many custom ones not found in any other tool:

- Best practices
- CIS
- NIST
- NSA
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to a particular standard.

Changelog

Upgrade note

## Lynis 2.6.7

### Changed

- BOOT-5104 – Added busybox as a service manager
- KRNL-5677 – Limit PAE and no-execute test to AMD64 hardware only
- LOGG-2190 – Ignore /dev/zero and /dev/[aio] as deleted files
- SSH-7408 – Changed classification of SSH root login with keys
- Docker scan uses new format for maintainer value
- New URL structure on CISOfy website implemented for Lynis controls

Download Lynis 2.6.7

Link: http://feedproxy.google.com/~r/PentestTools/~3/cjXe5Qqu-Uw/lynis-267-security-auditing-tool-for.html

Are There Working Ways To Check Who Viewed My Instagram Profile?

A few hours back, I saw a blog post talking about “working ways to check who viewed your Instagram profile“. Then I made a random Google search to see the results and I was surprised to see numbers of…
The post Are There Working Ways To Check Who Viewed My Instagram Profile? appeared first on UseThisTip.

Link: http://feedproxy.google.com/~r/blogspot/csAFg/~3/LXLO_2xuNY8/are-there-working-ways-to-check-who-viewed-my-instagram-profile.html

WindowsSpyBlocker – Block Spying And Tracking On Windows

WindowsSpyBlocker is an application written in Go and delivered as a single executable to block spying and tracking on Windows systems. Its initial approach is to capture and analyze network traffic with a set of tools. It is open for everyone, and if you want to contribute or need help, take a look at the Wiki.

The configuration file app.conf is generated at first launch. For more info, take a look at the Wiki.

Telemetry and data collection

To capture and analyze network traffic for the telemetry option, QEMU virtual machines are run on the server virtualization management platform Proxmox VE, based on:

- Windows 10 Pro 64bits with automatic updates enabled.
- Windows 8.1 Pro 64bits with automatic updates enabled.
- Windows 7 SP1 Pro 64bits with automatic updates enabled.

Traffic dumps are cleaned every day and compared with the current rules to add or remove hosts or firewall rules.

Tools used to capture traffic:

- qemu -net dump: capture
- Wireshark: capture + logs
- Sysmon: capture + logs
- Proxifier: logs

The data folder contains the blocking rules based on domains or IPs detected during the capture process:

- data/<type>/extra.txt: Block third party applications
- data/<type>/spy.txt: Block Windows Spy / Telemetry
- data/<type>/update.txt: Block Windows Update

Note that the update rules block Windows Update itself, security patches included; apply them only on systems that receive updates some other way.

Firewall and Hosts data are the main types. The others are generated from these:

- DNSCrypt: a protocol for securing communications between a client and a DNS resolver.
- OpenWrt: an open source project used on embedded devices to route network traffic.
- P2P: a plaintext IP data format from PeerGuardian.
- Proxifier: an advanced proxy client on Windows with a flexible rule system.
- simplewall: a simple tool to configure Windows Filtering Platform (WFP).

For details on what is collected, see the Telemetry collection page.

Projects using WindowsSpyBlocker

- pi-hole: A black hole for Internet advertisements (designed for Raspberry Pi).
- OpenWrt adblock package: DNS based ad/abuse domain blocking.
- WPD: Customize Group Policy, Services and Tasks responsible for data collection and sending, as you like.
- simplewall: Simple tool to configure Windows Filtering Platform (WFP).
- LEDE Project: A Linux operating system based on OpenWrt.
- Mikrotik hosts parser: An application that blocks "advertising" for routers based on RouterOS.
- void-zones-tools: A list of void zones that can be readily fed into Unbound on FreeBSD.
- DNSCrypt Proxy: A flexible DNS proxy, with support for encrypted DNS protocols.

Download WindowsSpyBlocker

Link: http://feedproxy.google.com/~r/PentestTools/~3/Rk4RI5FNbqk/windowsspyblocker-block-spying-and.html

Gary Berman, Cyberman Security – Business Security Weekly #93

Gary is the CEO of Cyberman Security and refers to himself as, “the most reluctant cyber security person in the world” given that his 25-year career has been as a thought leader in marketing communications in general and in market segmentation in particular. Full Show Notes. Visit http://securityweekly.com/category/ssw for all the latest episodes!
The post Gary Berman, Cyberman Security – Business Security Weekly #93 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/XiqU3HfMdP8/

Article Discussion – Business Security Weekly #93

This week, Michael and Paul discuss the power of leaders who focus on solving problems, always waiting for and trusting the question, what someone learned from 5 years at Gartner, & how “Urgency bias” is killing your productivity. What I Learned from 5 Years at Gartner. Inspired by this tweet: https://twitter.com/michaldivar/status/1019365875546140674 and https://www.linkedin.com/pulse/what-i-learned-from-5-years-gartner-martin-kihn Most problems are not unique; […]
The post Article Discussion – Business Security Weekly #93 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/K9Q6c_Rr2a8/

Joe Garcia, CyberArk – Application Security Weekly #25

As a Global Corporate Solutions Engineer, Joe Garcia has a strong background in DevOps, Cloud and Security and is currently focused on helping customers implement and scale effective secrets management solutions. He was previously a Solutions Architect with the CyberArk Customer Success team for the West and Southeast regions. Full Show Notes: https://wiki.securityweekly.com/ASW_Episode25 Follow us […]
The post Joe Garcia, CyberArk – Application Security Weekly #25 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/BgYfVECb3oM/
