Why You Need a BGP Hijack Response Plan!

I published an article on the IBM SecurityIntelligence blog on Why You Need a BGP Hijack Response Plan. The posts starts with an introduction to BGP, how BPG routing exactly works and what a BGP hijack is.

The bulk of this type of incident response plan is done during the preparation and detection phase, for the containment, eradication and recovery you will most likely have to depend on your upstream ISPs.

Hunt for devices with default passwords (with Burp)

In my previous post I talked about using the nmap NSE scripts or Hydra to search for systems with default passwords. My approach involved two steps: first learn via Burp how the authentication works (getting to know the form elements etc.) and then use this information as input for the brute force scripts.

A colleague pointed out that you can also use Burp suite for this last step.

Similar as with the previous approach, firstRead more.

Hunt for devices with default passwords

I wrote a follow-up on using Burp for both the analysis and attack phase : Hunt for devices with default passwords (with Burp).

Using a strong and unique password for authentication is a key element in security. Unfortunately there are still a lot of devices installed with a default password. This post describes how you can find the web interface of these devices.

Before we start, it’s to important to list the three different webRead more.

How to Use Passive DNS to Inform Your Incident Response

I published an article on How to Use Passive DNS to Inform Your Incident Response on the Security Intelligence blog.

This article gives you an insight on the different logging options for DNS traffic and how the historical records in passive DNS can help you during incident response. I included references to generating passive DNS data based on your traffic and which options you have for consuming it from a client perspective.

Security and MQTT

I recently had to explore MQTT. I had never heard of this protocol before. However some helpful resources provide a clear explanation what MQTT is about.

MQTT is a machine-to-machine (M2M)/”Internet of Things” connectivity protocol that uses a lightweight publish/subscribe messaging transport. MQTT works on top of TCP/IP and by default uses port tcp/1883.

A quick search on Shodan reveals that there are a lot of devices publicly available, primarily in the US and Asia.Read more.

Doing OSINT and Twitter Analytics with Tinfoleak

Twitter is a great source for conducting open source intelligence. One of my favorite tools is Tweetsniff from Xavier Mertens. It will grab a Twitter user timeline for further processing, for example in Elasticsearch.

Another tool that I recently discovered is Tinfoleak. Tinfoleak is build for Twitter intelligence analysis and provides you with an HTML file output.

I wanted to use Tinfoleak to build profiles of users to tune targeted phishing campaigns (spear phishing) forRead more.

Drupal SA-CORE-2018-002 aka Drupalgeddon2

The Drupal team released a security advisory for all Drupal sites recommending all these sites to upgrade to the latest Drupal version.

The discovered vulnerability could lead to remote code execution in Drupal 7.x and 8.x.

I have a mindmap on this vulnerability

Further information from Drupal can be found at

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002 The FAQ on SA-CORE-2018-002

According to bojanz this vulnerabilityRead more.

BadRabbit malware

Another day, another supposedly large scale malware attack. This time it’s called BadRabbit.

2017-10-25 : Detection methods (Windows events) 2017-10-25 : YARA rules 2017-10-25 : Removed spreading via Eternalblue 2017-10-25 : Removed Petya link

Based on the information from ESET the malware targets

transportation organizations governmental organizations media outlets Russia fewer attacks in Ukraine, Turkey and Germany

The malware is delivered via a fake Adobe Flash update (drive-by attack)

hxxp://1dnscontrol.com/flash_install.php (block this URL) hxxp://1dnscontrol.com/install_flash_player.exe (blockRead more.

Practical KRACKs

KRACKs (Key Reinstallation AttaCKs) is a number of vulnerabilities in WPA2, related to key handshakes between a client and an access point.

An attacker can trick a victim into reinstalling an already-in-use key. This key (the 3rd message in a 4-way handshake) is resent multiple times by the attacker and each time installed by the client, resetting the nonce. By forcing nonce reuse in this manner, the same encryption key is used with nonce valuesRead more.

Use Philips Hue as an IDS

I recently bought a Philips Hue light system. It allows you to control your lights via a smartphone app and set the right colour mood. Setup is easy, you connect a light bridge to your home router, connect with the app and then setup the lights. The system also includes an API to build your own apps.

In 2015 I tweeted on an episode of CSI Cyber where “good” code automagically turned green whereas “bad”Read more.