Tuesday 19 January 2016

Temporary & Disposable Email / SMS List

Sometimes it is very useful to have a temporary email address which you will only be using briefly. I admit it, I personally use these disposable email providers when, for example, I need to download a free whitepaper or register on an online form that I know I won't be using again for a very long time, and I don't want to get bombarded with advertising material afterwards (or have my email shared with undisclosed third parties).

Before I move on to the temporary/disposable email addresses, let me point out another interesting online service that sometimes might come in handy: temporary mobile numbers for receiving actual text messages (SMS). There are websites which allow you to receive an SMS online and won't parse or modify the content. (Yes, this means you can do XSS if you manage to fit your JavaScript code within one SMS.) Basically, the only thing you need to do is to look for the country you want the SMS to be sent to, and pick an available number from the list.

I am surprised to see that major companies in the information security community don't maintain a black-list of these temporary email domains and public phone numbers for SMS messages, at least in the same way Google does. Google knows these temporary/disposable email addresses and publicly accessible phone numbers for SMS, and won't allow you to use them when registering for a new Gmail account.

So, I have done the hard work for you. Instead of listing the websites where you can get a temporary/disposable email (for example, see here or use a search engine), I am listing all the domains being used by these websites that offer temporary/disposable email addresses. (It's too much work to list all the phone numbers as well, and in any case these are modified/changed too often to be put in a static list like the temporary/disposable email domains.)

This information is fully up-to-date today (19/Jan/2016) and I will try to update it again as often as possible. Of course, if you find any domain used for such a purpose which is not on my list, feel free to contact me and I will be happy to update the list. I believe this list is worth sharing among the infosec community, so anyone who might have a domain or domains to add will be able to do so.

You can find all these hundreds of domain names in this PDF file. Follow me on Twitter (@drgfragkos) and let me know if you found this list useful.

Thursday 14 January 2016

A serious bug with SSH that requires immediate action

Two issues have been identified in OpenSSH (CVE-2016-0777 and CVE-2016-0778). Theo de Raadt gave us a heads up earlier today in a mailing list posting.
More or less, you will need to add the option UseRoaming no to your /etc/ssh/ssh_config (or your user's ~/.ssh/config) file, or start your SSH client with -oUseRoaming=no on the command line. Adding the option to the config file can be done with a single command:

# echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config

This is basically a workaround until you are able to patch all affected systems.
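As an added example (not part of the original post), here is a small POSIX shell helper that applies the UseRoaming workaround above idempotently: it recognises a config that already disables roaming, and refuses when the file explicitly enables it, since ssh uses the first value it finds for an option and an appended "no" would not override an earlier "yes". The config path is whatever you pass as the first argument; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently apply the
# "UseRoaming no" workaround to an ssh_config file and check whether it is
# already in effect. Needs only POSIX sh, grep and printf.

# Matches an uncommented UseRoaming directive with the given value, in either
# of the two ssh_config syntaxes: "UseRoaming no" or "UseRoaming=no".
_has_roaming_value() {
    grep -Eiq "^[[:space:]]*UseRoaming([[:space:]]+|[[:space:]]*=[[:space:]]*)$2[[:space:]]*\$" "$1" 2>/dev/null
}

# roaming_disabled FILE
# Succeeds (exit 0) if FILE contains an active "UseRoaming no" directive.
# Note: this does not check which Host stanza the directive sits in.
roaming_disabled() {
    _has_roaming_value "$1" no
}

# roaming_enabled FILE
# Succeeds if FILE explicitly turns roaming on somewhere.
roaming_enabled() {
    _has_roaming_value "$1" yes
}

# disable_roaming FILE
# Appends the "Host *" / "UseRoaming no" stanza from the post unless FILE
# already disables roaming. Because ssh takes the first value it obtains for
# each option, an explicit "UseRoaming yes" earlier in FILE would still win
# for the hosts it applies to; in that case the function refuses (exit 2) and
# reports it instead of silently appending an ineffective line.
disable_roaming() {
    file="$1"
    if roaming_enabled "$file"; then
        printf 'error: %s explicitly enables roaming; remove that line first\n' "$file" >&2
        return 2
    fi
    if roaming_disabled "$file"; then
        return 0            # nothing to do, the workaround is already in place
    fi
    printf '\nHost *\n    UseRoaming no\n' >> "$file"
}

# Stand-alone usage: pass the config file to fix, e.g. ~/.ssh/config, or
# /etc/ssh/ssh_config when running as root.
if [ $# -gt 0 ]; then
    disable_roaming "$1" && printf 'UseRoaming disabled in %s\n' "$1"
fi
```

Until every client is patched, the same effect for a single session is the command-line form from the post, -oUseRoaming=no.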

Tuesday 12 January 2016

First Patch Tuesday for 2016

The new year brought a set of new patches for the vulnerabilities identified in the Microsoft product family. I know there is no point saying it once more, but for those who need to hear it: make sure you patch your systems as soon as possible!

See here: https://technet.microsoft.com/en-us/library/security/mt637763.aspx

MS16-010 Security Update in Microsoft Exchange Server to Address Spoofing (3125573) Microsoft Exchange
MS16-008 Security Update for Windows Kernel to Address Elevation of Privilege (3124605) Microsoft Windows
MS16-007 Security Update for Microsoft Windows to Address Remote Code Execution (3124901) Microsoft Windows
MS16-006 Security Update for Silverlight to Address Remote Code Execution (3126036) Microsoft Developer Tools & Software
MS16-005 Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution (3124584) Microsoft Windows
MS16-004 Security Update for Microsoft Office to Address Remote Code Execution (3124585) Microsoft Office
MS16-003 Cumulative Security Update for JScript and VBScript to Address Remote Code Execution (3125540) Microsoft Windows
MS16-002 Cumulative Security Update for Microsoft Edge (3124904) Microsoft Edge & Microsoft Windows
MS16-001 Cumulative Security Update for Internet Explorer (3116180) Internet Explorer & Microsoft Windows

SSH vulnerability in Fortinet Fortigate products

It was stated that an SSH "backdoor" was identified in Fortinet Fortigate products and the proof-of-concept source code was posted on the Full Disclosure mailing list. 

Fortinet released a brief statement regarding the issues found with FortiOS on January 12, 2016. The statement says that the issue that was recently disclosed publicly was resolved and a patch was made available in July 2014.

Fortinet stated that: "This was not a “backdoor” vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external."

Have you heard of "Cyber Insurance"?

The Cyber Liability Insurance Cover (CLIC), otherwise referred to as cyber insurance, is a market that grew significantly in 2015. One of the main factors that contributed to this growth is the constant increase of threats in cyber space, and more specifically the high-profile data breaches that took place during the past years. Due to these data breaches, companies were taken to court and were forced not only to cover the losses, but to bear the extra costs of the data breaches as well. In most cases, these additional costs included crisis management, legal costs, reputational damage, identity theft resolution, credit and fraud monitoring, and further technical costs.
Under the potential threat of a breach and its inevitable consequences, a need and indeed a demand for a cyber insurance market has been established. This has also been highlighted by a cyber survey conducted by RIMS. The survey showed that 74 percent of the companies without cyber insurance will be purchasing it within the next two years. Likewise, by 2025 the total annual premiums for stand-alone cyber insurance are projected to grow to $20 billion.

Wednesday 6 January 2016

Quickly detect CMS & other technologies being used on a website

Ever wanted to quickly uncover the Content Management System (CMS) being used on a particular website? Well, if you are a developer or are responsible for assessing the security of web applications, this might be a good tip on how to do this quickly and effectively.

First of all, let me point out that there are several websites online that offer to analyse a given URL and return results not only about the particular CMS being used, but also about the other technologies utilised in each case: the web server (e.g. Apache), the presence of Google Analytics, libraries and services such as jQuery, reCaptcha, etc.

The problem with all these online services however is privacy. When checking a particular website, especially if you have been contracted to assess the security of the web application in place, you do not want this information to be shared with a third party or to be included in a publicly available "recently checked" list. 

I actually spent some time trying to locate a button or a check box on these websites that would allow me to opt out of having them cache or display the information, but I couldn't. Thus, I had to find a different way that would respect my privacy, and I think that I did.

Wednesday 23 December 2015

Biometrics: the Future of Mobile Payments?

Billions of people are now using smartphones, even in the most remote areas of the planet. Global adoption of these new mobile technologies opens up the discussion for more advanced methods of identification, authentication, and verification, especially when it comes to protecting against fraud, identity theft and financial crime. One of these promising new technologies, available to end users as a result of the acceptance of mobile devices such as mobile phones, tablets, and laptops, is biometrics.
Biometrics look promising when it comes to simplifying the processing, authentication, and confirmation of transactions in general, but more importantly when it comes to payments. Technological advances, along with pattern recognition and multi-factor biometrics, are expected to tackle cybercrime by making it very expensive and time-consuming for cybercriminals to attempt to target these systems. 

Saturday 19 December 2015

Message Header Analyzer (Microsoft & Google)

Spear-phishing attacks still happen and are still successful. According to Symantec: “The FBI estimates that the amount lost to BEC (Business Email Compromise) between October 2013 and August 2015 was over $1.2 billion. With such huge returns, it’s unlikely that these scams will cease any time soon.”

Symantec researchers also explained that “BEC attackers target senior-level employees rather than consumers as it’s easier to scam them out of large amounts. In one incident, we observed the scammers asking the target to transfer over US$370,000. By requesting large amounts of money, the scammers only need to be successful a couple of times to make a profit.”

Usually phishing emails are used for untargeted attacks. Lately we have seen spear-phishing attacks becoming more targeted. An example is the CEO fraud attacks: a cybercriminal sends an email that appears to be from an executive (usually from the CEO to the CFO) asking for a specific payment to be processed immediately. The payment may be in any currency or even in Bitcoin.

There are a couple of tools online that you can use to check the email headers of incoming emails. The email headers allow you to check if a suspicious incoming email is actually a spoofed email as part of a spear-phishing attack campaign.

Friday 18 December 2015

FireEye critical vulnerability

Google's Project Zero team discovered a critical vulnerability in FireEye NX, EX, AX and FX network security devices that run security content version 427.334 or earlier.
An attacker could exploit this vulnerability to gain persistent access and remotely execute code. It is good to see that FireEye focused this time on patching the security flaw and did not try to take legal action, as it previously did over the vulnerabilities discovered by the German security firm ERNW.

FireEye responded with a support alert stating that a patch was released through automated security content updates for all of the affected devices. FireEye is making the patch available for “out-of-contract customers” and the firm warned customers who perform manual security content updates, to “update immediately”.

The flaw discovered by Project Zero follows an earlier series of vulnerabilities discovered by the German security firm ERNW. FireEye filed an injunction against ERNW in September after learning that the firm was planning to release findings on vulnerabilities that it discovered in FireEye's operating system.

It was proven that it was possible for an attacker to root FireEye's network security device by simply tricking a victim into clicking on a link contained in an email.

"Unauthorized code" in Juniper firewalls decrypts encrypted VPN traffic

Juniper Networks published an advisory saying that NetScreen firewalls running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 contain unauthorized code that surreptitiously decrypts VPN traffic and gives attackers administrative access.

This system "backdoor" requires immediate patching! The vulnerability was discovered during a recent internal code review [1]. The "unauthorised code" in ScreenOS could allow a knowledgeable attacker to gain administrative access to NetScreen appliances and to decrypt VPN connections.

Juniper Networks explained in a separate advisory that there are two separate vulnerabilities which are both described as “Unauthorised Code”.

The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. "The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic," the advisory said. "It is independent of the first issue. There is no way to detect that this vulnerability was exploited." [2]

This GitHub repository contains notes, binaries, and related information from the analysis of the CVE-2015-7755 and CVE-2015-7756 issues within Juniper ScreenOS. See also the detailed analysis by Rapid7.

Wednesday 16 December 2015

Joomla Critical 0day Remote Command Execution Vulnerability - Patch Now

A vulnerability that affects all versions of Joomla from 1.5.0 to 3.4.5 has just been disclosed (CVE-2015-8562).

The Joomla security team released a patch to address this critical remote command execution vulnerability that is already being exploited in the wild. 

Joomla is one of the most popular Content Management Systems (CMS), alongside WordPress, Drupal and Magento. Joomla is used to build websites and online applications, often in conjunction with the many supported shopping cart, e-commerce and payment gateway extensions.

Joomla users need to upgrade to version 3.4.6 immediately. For Joomla 3 and above, updating is a simple one-click process through the admin panel. For the unsupported versions 1.5.x - 2.5.x, users need to patch using the Joomla hotfixes.

Wednesday 9 December 2015

Combating cybercrime during the holidays. Advice for retailers and shoppers

Online shopping, especially during the holiday period, is a massively important trading platform for many businesses. For online retailers their ability to service high customer demand and ensure the availability of their website throughout this period is crucial to their success.
The shopping frenzy has already started, with the adoption of Black Friday and Cyber Monday in many countries adding pressure on high-street and online retailers alike. In the UK and Europe, this only increased further during the holiday week and the discounts on the day after Christmas. With these periods being hugely busy on the high street, an increasing number of shoppers are moving to the Internet to hunt for their bargains.

During this overwhelming period of spending, online retailers and shoppers need to be wary since this also is a lucrative period for Cybercriminals. In this article, we have highlighted a few key steps retailers and shoppers can take to keep themselves safe from cybercrime during the holidays.

Wednesday 25 November 2015

Restore Points in Windows 8.1

How to create a Restore Point:
1. Press the WinKey+X to display the system menu and click System.
2. On the left side menu, click System Protection.
3. In the Protection Settings section, click the C: (system) drive.
4. Click the Create button.
5. Type a name for the System Restore file (The Date and Time will be added automatically).

Rolling Back to a Restore Point in Windows 8.1:
1. Save your work and then close all running programs.
2. Press the WinKey+X to display the system menu and click System.
3. On the left side menu, click System Protection.
4. Click the System Restore button.
5. Click Next.
6. Select the restore point you’re considering and then click the Scan for Affected Programs button.
7. If you don’t see any major problems with the restore point, click Close, and then click Next.
8. Follow the instructions to save any open files, close all programs, and then click Finish.

Monday 23 November 2015

IRISSCON 2015 Recap - IRISSCERT

I had the pleasure of attending the 7th Irish Reporting and Information Security Service Computer Emergency Response Team (IRISSCERT) Cyber Crime conference (#IRISSCON) in Dublin, Ireland. See: www.iriss.ie

The event took place on Thursday, 19/Nov/2015 at the Berkeley Court Hotel in Ballsbridge, Dublin.

The annual all-day conference focuses on providing attendees with an overview of the current cyber-threats most businesses are facing, primarily in Ireland but also throughout the world. During IRISSCON, experts share their thoughts and experiences on cybercrime and cybersecurity, while a number of presentations provide the opportunity for all attendees to discuss the issues that matter the most.

Thought leaders from industry, academia and government present at IRISSCON, and the main audience is primarily the business community within Ireland. The topics discussed include:
  • Cyber Crime
  • Cyber Security
  • Cloud Security
  • Incident Response
  • Data Protection
  • Incident Investigation
  • Information Security Threats
  • Information Security Trends
  • Securing the Critical Network Infrastructure
In case you are not aware of this, IRISSCERT is a not-for-profit company that provides a range of free services to Irish businesses related to information security issues. Effectively, its mission is to help raise awareness of, and counter, the security threats posed to Irish businesses and the Irish Internet space.

Tuesday 17 November 2015

POS Malware Alert - AbaddonPOS and Cherry Picker

Two new malware families have been identified targeting point-of-sale (POS) terminals: AbaddonPOS and Cherry Picker.

The AbaddonPOS malware is delivered by the Angler Exploit Kit or through an infected Microsoft Office document. The malware scans the memory of all processes running on the infected system (excluding its own memory space) looking for card data. Once card data has been found, it is sent back to a Command and Control (C&C) server.

Cherry Picker also targets card data, but there is some further functionality built into it. It tries to clean up after itself, and this is the main reason why it went undetected for such a long time. Another characteristic of Cherry Picker is that it focuses on just one process that is known to contain card data. That way it attracts as little attention as possible, compared to targeting all running processes on the infected system.

Wednesday 11 November 2015

Guest Speaker for Cardiff University - CyberSecurity and the Payment Card Industry

I had the pleasure to be invited as a guest speaker to Cardiff University in order to give a talk about: "CyberSecurity and the Payment Card Industry". 

The talk starts with an introduction to the Payment Card Industry (PCI), the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participants are given the opportunity to understand what an Approved Scanning Vendor (ASV) is, the responsibilities of a Qualified Security Assessor (QSA) and, last but not least, the job of a PCI Forensic Investigator (PFI).

Tuesday 10 November 2015

Adobe Flash patches 17 remote code execution vulnerabilities

Adobe Flash version 19.0.0.245 was released today. This version patches 17 vulnerabilities that could lead to remote code execution if exploited [see here]. Adobe said that there are no reports of public exploits for any of the patched flaws.

In addition to the desktop version of Flash for Windows and Mac OS X, Adobe also updated Flash for Internet Explorer 11 and Microsoft Edge, both of which are expected to be included in today’s Microsoft Patch Tuesday security bulletins. Adobe also updated Flash Player for Linux and various Adobe Air products for Windows, iOS and Android mobile devices. 

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.

For those of us using multiple browsers, perform the check for each browser you have installed on your system. The Flash updated packages can be found here.

CVE numbers: CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7659, CVE-2015-7660, CVE-2015-7661, CVE-2015-7662, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, CVE-2015-8046

During last month’s scheduled update, Adobe patched Flash and Acrobat Reader addressing 69 critical vulnerabilities that could lead to code execution and information disclosure. Just three days later, Adobe updated Flash once again with an emergency patch that addressed a zero-day type confusion* vulnerability. The zero-day was being exploited by a Russian-speaking APT group during Operation Pawn Storm.

*Type confusion vulnerabilities occur when the code doesn't verify the type of object that is passed to it, and uses it without type-checking. 

Friday 30 October 2015

October’s Cyber Aftermath, CyberSecurity Awareness Month

October is known as Cyber Security Awareness Month. Many public and private initiatives, especially during this month, try to raise awareness about online security and safety.

Unfortunately, there are still many steps that need to be taken towards awareness and cyber security. Businesses and individuals are still affected by cyber-attacks and security breaches. The discovery and investigation of a breach can be a very time-consuming process, and this is the main reason it takes so long to be reported.

Even though patches and updates are available for most security vulnerabilities as soon as they are discovered, new threats and zero-days (0day) constantly surface and are exploited.

During this month a number of security breaches, cyber-attacks and vulnerabilities were announced. Let's see this month's aftermath...

CyberSecurity Strategy and Essentials

Cybersecurity becomes even more complicated in the context of today’s threat landscape, which is not only constantly changing, but is also expanding at an increasingly fast rate. This is the most problematic element of cybersecurity: its evolution is so fast and unpredictable, while the nature of the risks involved is constantly changing.

Managing security by diverting resources to the most crucial system components in order to reduce the likelihood of a successful breach, is now considered to be an insufficient approach in the current environment of advanced cyber threats. Threats are changing faster than traditional risk management approaches can deal with, and a more proactive, focused and adaptive approach is needed to manage an effective Cybersecurity strategy.

Good security management is a continuous effort with preparation, readiness, and good planning being the best approach. To achieve this, there are some basic best practices that can be considered essential to organisations that need to protect their assets from the most common and opportunistic cyber-attacks.

Friday 23 October 2015

Security BSides Athens 2016, Greece

I am happy to announce that I am involved in organising Security BSides Athens 2016, in Greece. You will find more information at the BSides Athens website www.bsidesath.gr (currently under construction).

Most of the information about the status of the event can be also found at the official Security BSides wiki page in the following URL: goo.gl/pseoow

The 1st ever BSides Athens conference is scheduled to take place on Saturday, 25 June 2016. The entrance to the event will be free of charge, but attendees will need to book a ticket online in advance, when these are made available (we expect them to become available around March 2016). 

Please follow us on Twitter @BSidesAth and send us a message if you would like to sponsor, support, volunteer or just give us a hand on the day.

Please use the hashtags #BSidesAth #BSidesAthens when talking about BSides Athens on social platforms (i.e. Twitter) and spread the word! Even though Twitter is our main form of communication for reaching out to you, and for you to reach us, there is also an official BSides Athens group on Facebook and one group on LinkedIn.

The CFP (Call for Presenters) is scheduled to open on Monday, 30 November 2015 and will close in March 2016.
The mobile application allows you to find information about the conference on the spot, with real-time access to the track schedule and directions on how to get to the venue. So, for this event #goPaperless by downloading the mobile application suitable for your phone and tablet!

In the following links you can find the Security BSides Athens 2016 logo in different dimensions and use it freely to promote the event on your webpage and/or social media. 
Visit www.bsidesath.gr and stay tuned for more to come!

Wednesday 21 October 2015

Secure a Sapce ?

This is one of the biggest fails ever! How can you misspell your own URL on the tickets you are issuing and, more importantly, in the very section where you ask people to visit that non-existent misspelled URL and pay a parking fine?! Yes, they did! This is not a hoax!

Let's look at the ticket. The parking fine has instructions on how to pay it online. There is a header which says: HOW TO MAKE A PAYMENT. Below that you will see the name of the company and its postal address. However, you will notice that they have misspelled their own URL!

Tuesday 22 September 2015

A Weapon for the Mass Destruction of Computer Infrastructures

Disclaimer: This is NOT a weapon. This is AN EXPERIMENT. 
You MUST NOT try this at home. The tests were performed under the supervision of licensed electricians, in a controlled environment. 
I intentionally do not provide any technical details about the devices. The purpose of this blog post is not to tell you how to do this, but to raise the awareness that this can actually happen. I believe, entities should be aware of this threat and take any necessary actions to protect their infrastructures. 

Having done a number of physical security assessments over the years, I started wondering how vulnerable our computer infrastructures are. I tried to think of a way for a malicious insider or an external third-party, to target a company’s computer network and take it down by damaging it (someone who doesn't have physical access to the server room). I started thinking about this from a different perspective and I tried to approach this "question" with an outside-the-box point of view. 

Due to my experience with physical security assessments, I noticed that there are many unattended Ethernet ports (sockets) everywhere around a building. These ports might not be “active”, but most of the time they are connected at the far end to a managed or unmanaged network switch.

I started wondering what the effect would be if one tried to apply electric current to an Ethernet socket directly from a power socket. The picture on the left illustrates a cable which sends electric current (220V-250V) directly from the power socket to the Ethernet port (this is very dangerous; do not make one, and do not try to use it). In reality, such an attempt is actually pointless, as it will only "toast" the device you connect this modified power cable to.

The hypothetical network switch at the other end will end up toasted in a split second and the person doing this will experience a loud bang and a bright flash, along with the smell of burned plastic at the Ethernet socket side. 

This is a very dangerous thing for one to do and not a very convenient or effective way of taking down a whole computer infrastructure. The whole point is to manage to "fry" all the devices behind the network switch!!! (..even after the network switch is "toasted" and the circuits are burned). And without exposing ourselves to any danger, as would have happened if someone had used the cable mentioned earlier on.

Monday 21 September 2015

Skype is down!

Skype seems to be having technical difficulties! Most users can log in but they appear offline. Skype said that it is still possible to chat on most occasions but not possible to receive or make calls. It seems though that web.skype.com is working! Also, Skype for Business seems to be working without issues.
According to the Down Detector website, the service appears to be out in a number of different countries worldwide. Maybe it is related to a major AWS outage which knocked out Amazon, Netflix, Tinder and IMDb. The official Twitter account of Skype (@Skype) posted the following message:

"We are working to fix an issue which is preventing some users from logging in & using Skype. We apologize for any inconvenience."

Even though this message was posted about an hour ago, the Skype Support team (@SkypeSupport) had posted a message four hours ago about the issue. More specifically, the message said: "We are aware of an issue affecting Skype status at the moment, and are working on a quick fix: sk.ype.ms/1KuQTL".
The URL sk.ype.ms/1KuQTL takes you to the skype.com domain where you can read more about the issue. This is what has been posted about the issue:

We have detected an issue that is affecting Skype in a number of ways. 

If you're signed in to Skype, you will not be able to change your status and your contacts will all show as offline even if they are online. As a result, you won’t be able to start Skype calls to them.

A small number of messages to group chats are not being delivered, but in most cases you can still instant message your contacts.

If you aren’t signed in to Skype, you may be experiencing difficulty when attempting to sign in. Any changes to your Skype account such as your Credit balance or your profile details might take a little while to be displayed.

You may also have difficulty loading web pages on the Skype Community. For that reason, please check back here for future updates.

We're doing everything we can to fix this issue and hope to have another update for you soon. Thank you for your patience as we work to get this incident resolved.

Wednesday 2 September 2015

Registering a .dll under Windows (solutions for 64-bit / 32-bit compatibility issues)

If you find yourself missing a .dll under the latest versions of Windows, you will have to download the missing DLL and register it in order to make it work. Also, due to the 32-bit and 64-bit versions of Windows, you might end up with errors which you need to troubleshoot further. In this blog post I am trying to give you a couple of hints on how to solve these compatibility issues when registering a .dll (32-bit/64-bit).

Friday 14 August 2015

The truth about CyberSecurity

Many articles have been written about CyberSecurity. Most have focused on the broad meaning of the term and in some cases have treated CyberSecurity as an "off-the-shelf" product. The truth is that CyberSecurity is more complicated than that. In this article, we will discuss some of the reasons why Cyber Security is not only difficult to define, but just how complex it really is.

Saturday 1 August 2015

How to force downloading/upgrading to Windows 10 on a VM for testing

I really wanted to test the Windows 10 migration before I updated my Windows laptop. I decided to install a copy of Windows in a VM and upgrade that copy to Windows 10. Once I had Windows installed, I ran Windows Update and got all the latest updates for my installation. But the Windows 10 logo on my taskbar (Get Windows 10) did not appear. I restarted a couple of times just in case and ran Windows Update again, but still nothing.
Even though I could download an ISO image of Windows 10 or force the update through wuauclt.exe /updatenow, I discovered that the best way to do this is through the Task Scheduler, which initiates the upgrade process as intended. Before you begin, you should navigate to C:\Windows\SoftwareDistribution\Download and delete all the files in that folder.

Wednesday 29 July 2015

Was I just overcharged for a free copy of Windows 10 ???

Everyone is talking about Windows 10, and articles pop out left and right informing people about the new and technically the "last version of" Windows you will ever need! Well, to rephrase that, Microsoft is presenting Windows 10 as "the last version of Windows" you’ll ever need to get. After that, you will receive regular feature updates and product improvements.

Monday 27 July 2015

shell: command in Windows - Did you know?

I recently discovered that not many people are aware of the shell: command in Windows. Windows Explorer (not Internet Explorer) recognises the shell: command, allowing you to open specific system folders. (You can also use shellnew: instead of shell:.)

For example, type the command shell:startup in the address bar and hit Enter.

This action will open the StartUp folder, which under Windows 8.1 is located here:
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Thursday 23 July 2015

Burp Suite - Error handshake alert: unrecognized_name

This is the first time I have had to deal with this error in Burp, and I was trying to figure out what the problem was. It seems there is a problem with Java which causes Burp to fail when accessing some specific websites. This is the screen you get when this particular error occurs.
Figure 1 - Burp Error handshake alert: unrecognized_name

If you ever stumble upon this problem the solution is easy once you know what to do. As a start, make sure you have the latest version of Java installed. 

Tuesday 21 July 2015

What is the process to verify a particular certification?

I recently had people coming to me asking what the process is to verify a particular certification, and whether I knew of a centralised way of doing this.

Unfortunately (or fortunately, as some may say) there isn't a centralised way to query for a particular certification.

For example, the PCI Security Standards Council (PCI SSC) maintains a list of all certified companies and Qualified Security Assessors which is constantly kept up to date. If you want to verify a consultant's certification, the only thing you need to do is visit this link.

Anyhow, this blog post is intended as a reference guide to the various webpages where you can verify a particular certification. If you know of any other, or you find that the list needs to be updated, just send me a message on Twitter and I will update it as soon as possible.

Below, the certifications are listed alphabetically by the company that issued each certification.

Thursday 16 July 2015

Critical Patch by Microsoft - MS15-078

A vulnerability in the Microsoft font driver could allow remote code execution. This vulnerability requires immediate remediation (16 July 2015).

Microsoft patch MS15-078 addresses a serious security flaw in the way Windows products read certain types of fonts.
An attacker can send you an Office document or ask you to visit a specific web page that uses a specially crafted font. The attack is straightforward and simple to execute, and for that reason it is highly important to patch immediately.

The attack targets the Windows Adobe Type Manager Library and the way it handles OpenType fonts, allowing remote code execution.

Please note that this vulnerability affects all modern versions of Windows. Also, if you install a language pack after you install this update, you must reinstall this update. Therefore, install any language packs that you need before you install this update. For more information, see Add language packs to Windows.