Cloudflare Leaks data from potentially millions of sites. #CloudBleed


So when Tavis Ormandy from Google’s Project Zero called out Cloudflare last week, it piqued my interest. I knew SOMETHING was up. What exactly…no idea. I’m not a genius like Tavis. Tavis discovered a memory-disclosure bug at Cloudflare that leaked information from sites that use Cloudflare’s service. That’s over two million sites. Not two million passwords…two million websites!

Cloudflare has since fixed the problem…literally hours after the issue was disclosed. What concerns me is that this had been leaking information since September of last year. Cloudflare has published an official announcement and lessons learned. That’s great. However, what’s concerning is that it hasn’t, and probably won’t, release a list of all the affected sites. I guarantee many of those sites won’t ever say so themselves. Some of the more notable sites are:

Uber.com
okcupid.com
Authy.com
Fitbit.com
account.leagueoflegends.com
4chan.org
patreon.com
medium.com
coinbase.com
Glassdoor.com
Fiverr.com
Adafruit.com

and many many many more…

For a full list of all the compromised and potentially compromised sites, check out this GitHub page or download the full list (22 MB).

So what now? Really, it’s better to just go ahead and change all your passwords. That’s right…all of them. Make sure your passwords are UNIQUE and complex. Use a password manager like LastPass or KeePass, or if you’re an enterprise organization, I hear CyberArk is pretty good. 🙂
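To act on that advice you need to know which of your saved logins sit on affected domains. The Python script below is an added example, not code from this post or from Cloudflare: it matches the hostnames in a password-manager export against the affected-domain list. The list excerpt and the CSV export are constructed sample data (the list holds only the sites the post names), and the CSV column names `name,url,username` are an assumption to adapt to whatever your manager exports.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample of the affected-domain list, one bare domain per line,
# using only the sites named in the post. The real list is the much larger
# GitHub download the post links to; one-domain-per-line is an assumption.
AFFECTED_LIST = """\
uber.com
okcupid.com
authy.com
fitbit.com
account.leagueoflegends.com
4chan.org
patreon.com
medium.com
coinbase.com
glassdoor.com
fiverr.com
adafruit.com
"""

# Constructed password-manager export. The column names are an assumption.
SAVED_LOGINS_CSV = """\
name,url,username
Uber,https://www.uber.com/login,alice@example.com
Bank,https://online.examplebank.test/,alice
Riot,https://account.leagueoflegends.com/,alice_lol
Coinbase,https://coinbase.com/,alice@example.com
Notebook,https://medium.company.example/,alice
Lookalike,https://notmedium.com/,alice
"""


def load_affected(text):
    """Parse the one-domain-per-line list into a normalised set."""
    return {
        line.strip().lower().rstrip(".")
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def host_is_affected(host, affected):
    """True if host equals an affected domain or is a subdomain of one.

    Matching walks up label boundaries (www.uber.com -> uber.com -> com)
    instead of a plain string-suffix test, so notmedium.com does not match
    medium.com. It is deliberately conservative: a parent domain is not
    flagged just because one of its subdomains is on the list.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in affected for i in range(len(labels)))


def logins_to_rotate(csv_text, affected):
    """Return (name, host, username) for every saved login on an affected host."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = urlsplit(row["url"]).hostname or ""
        if host_is_affected(host, affected):
            hits.append((row["name"], host, row["username"]))
    return hits


if __name__ == "__main__":
    affected = load_affected(AFFECTED_LIST)
    for name, host, user in logins_to_rotate(SAVED_LOGINS_CSV, affected):
        print(f"rotate: {name} ({host}) as {user}")
```

Run it against your own export in place of the constructed CSV; the rows it prints are the accounts to rotate first. Because the match is by domain suffix, a login saved under `www.uber.com` is caught by the bare `uber.com` entry, while a look-alike such as `notmedium.com` is not.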

Basic Security Practices for Regular Folks #1

Funny thing. Sometimes you can’t see the forest for the trees. Something along those lines happened to me just recently. Dropbox announced it was compromised…back in 2012. 68 million accounts were compromised, including my own. I figured it would be a good deed to share with my friends via social media in case they didn’t know. Apparently people outside of infosec don’t follow major data breaches like I do. 🙂

For the next couple of days, my friends (tech and luddite alike) hit me up with questions on how to improve their privacy online. That seems like such a simple thing to someone whose occupation is security. All their questions are valid, and I figured I should compile them here so everyone can learn.


Stealing Credentials with ProcDump and MimiKatz

Hello World.

For the longest time I’ve kept this domain as my personal repository for projects, files, and relics of time gone by. Since infosec has taken over my time, both as a hobby and professionally, I figured I needed to resurrect my chunk of property online and start the blog back up.

Tinker was tweeting about manipulating memory dumps, and I mentioned I had a method to take a process dump and extract passwords from it. The great thing is that you’re using Sysinternals ProcDump to do so. Microsoft bought Sysinternals a few years ago, so this method almost always gets past AV scanners. Unless a system has strict application control policies, this method will work to extract hashes. The key here is to offload the memory dump to another machine and run mimikatz on it there.

There are a lot of ways to clean this script up and automate it further. Originally, I had the file named after the machine name and the date and time at which the dump was taken. That complicated things more than I wanted and kept breaking. Perhaps the next person can improve on it some more.

I guess I’ll be presenting on this at the next DHA. The goal is to do a live demonstration of it. YouTube video to follow….
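From the defender’s side, the useful question is how a dump like this shows up in telemetry. The Python below is an added example, not the author’s script: it scans Sysmon Event ID 10 (ProcessAccess) records, which carry the real Sysmon field names SourceImage, TargetImage and GrantedAccess, and flags any non-allowlisted process that obtains memory-read access to LSASS, the access a ProcDump-style dump needs. The log lines are constructed samples flattened to key=value text, and the allowlist is an assumption to be tuned per environment from a baseline of your own hosts.

```python
import re

# Constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to one
# key=value line each. Sample lines written for this example, not real
# telemetry; the field names match what Sysmon actually emits.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Tools\procdump64.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Program Files\Vendor\av.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410",
    r"EventID=10 SourceImage=C:\Users\bob\notepad.exe TargetImage=C:\Users\bob\doc.txt GrantedAccess=0x1410",
    r"EventID=10 SourceImage=C:\Temp\x.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=1 Image=C:\Temp\x.exe CommandLine=x.exe",
]

# Documented Windows process access right: reading another process's memory
# requires PROCESS_VM_READ. PROCESS_ALL_ACCESS (0x1FFFFF) includes it.
PROCESS_VM_READ = 0x0010

# Hypothetical allowlist for this example: processes that legitimately open
# LSASS on this build. Build yours from a baseline, not from this list.
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\vendor\av.exe",
}

# key=value pairs; the lazy value runs until the next " key=" or end of line,
# so paths containing spaces survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_lsass_dump_attempt(event):
    """True for an Event 10 where a non-allowlisted process gets VM_READ on LSASS."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return True  # malformed mask: surface it rather than drop it silently
    return bool(granted & PROCESS_VM_READ)


def find_dump_attempts(lines):
    """Return (source, granted_access) for every flagged record."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_lsass_dump_attempt(event):
            hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in find_dump_attempts(SAMPLE_EVENTS):
        print(f"ALERT: lsass.exe opened with {access} by {source}")
```

In the sample data the rule fires on the ProcDump process and on the unknown binary in `C:\Temp`, but not on the allowlisted system service (which also only holds `0x1000`, query-limited access, with no `VM_READ` bit). Two caveats for a production rule: an allowlist keyed on path alone trusts whatever happens to sit at that path, so pair it with signer or hash checks; and since the post’s method depends on moving the dump off the host, a `.dmp` file being written (Sysmon Event ID 11, FileCreate) and then leaving over the network is the corroborating signal to join to these alerts.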
