LKDR Tech Blog
  • Home
  • Categories
    • penetration testing
      • WPScan I
      • WPScan II
    • systems integration
      • Onlyoffice
      • Cpanel & WHM
    • Hardening
      • Hardening I
      • Hardening II
  • Download
  • News
  • Contact Us

Ransomware attacks have grown up exponentially amid COVID-19, as cybercriminals take advantage of the new work-from-home world and target vulnerable industries and populations.

Ransomware penetrates an organization’s IT infrastructure through phishing emails or endpoint vulnerabilities and then encrypts files, holding data hostage until a fee is paid to decrypt them. The FBI has deemed ransomware the fastest growing malware threat, causing significant revenue loss, business downtime and reputational damage.

Therefore,  Protect Your Network From Ransomware by following the best practices below.

1. Backup files regularly

Backup all important files on regularly basis to an offsite server is recommended. Automatic backup systems of operating Systems(Windows , Linux) can be used for this purpose to backup data on daily basis.

For any sensitive data , ensure the backed-up data is encrypted to prevent data theft.

2. Security awareness programs for employees

Awareness sessions for employees to improve level of knowledge regarding information security. could be one of the best forms of defense.

Such sessions should focus on ;

  • Introduction about ransomware 
  • How to identify ransomware or if a machine is infected
  • Further steps - if a suspected ransomware attack is identified in office or work from home environment.
  • prevention tips for ransomware

3. Use of EDR(Endpoint Detection and Response) solution for endpoint protection.

EDR solution provide facility to manage security of the end points with proactive threat hunting and response. Advance EDR solutions provide Machine learning, Deep Learning based methodologies to accurate threat hunting. In addition Device control such as USB storage control, Network firewall for end points, system lock down or isolation facilities, sandboxing features are provided with the EDR.

4. Segment the System/Network

Segmenting  the Network will help to  reduce spreading a threat across the entire network. We can keep critical servers and application  in an isolated separate network to limit the spread.

5. Apply updates and patches regularly and promptly


Systems, applications and devices should be updated to the  latest version from reliable source. This will ensure the  system Security without exposing    security weaknesses  to attackers.

6. Proper use of login credentials.

Ensure that no easy platform is provide for ransomware or other malware by following best practices when login in to systems or handling credentials.

  • Do not use superuser/root user account to login to the system or server.
  • Use a regular non-admin account for web browsing, opening documents, and regular work.
  • When sending user login to someone use 2 different communication channels (email,SMS,Messenger,WhatsApp ...) to send username/login and password. And send it without mentioning keyword like “username” ,”password” ,”login” etc.


REFERENCES:
[1]https://www.techcert.lk/en/knowledge-base
[2]https://www.justice.gov/criminal-ccips/file/872771/download
[3] https://go.tenable.com

 


 Security risk: Critical 

Vulnerability: Drupal core - Critical - Third-party librariesThe Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal.

The vulnerability is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks.

Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.

This advisory is not covered by Drupal Steward( is a web application firewall that bridges the gap between the time when a security release is announced and when your site is fully updated with the new security patch).

 

Solution: 

Install the latest version:

  • If you are using Drupal 9.2, update to Drupal 9.2.2.
  • If you are using Drupal 9.1, update to Drupal 9.1.11.
  • If you are using Drupal 8.9, update to Drupal 8.9.17.
  • If you are using Drupal 7, update to Drupal 7.82.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

 -published by https://www.drupal.org

MySQL brands itself as the world’s most popular open source database. As popular as MySQL database is among developers and SQL enthusiasts, it is equally popular amongst hackers. In today's article, you’ll learn some tips and tricks for securing your MySQL or MariaDB databases 

        1.Remove Users Without Password

    There are already created users, some of  some of which can connect to the database without a password or, even worse, anonymous users.This has changed in MySQL 5.7 which, by default, comes only with a root account that uses the password you choose at installation time. Still, there are MySQL installations which were upgraded from previous versions and these installations keep the legacy users. Also, MariaDB 10.2 on Centos-7 comes with anonymous users. Please note that users with very simple passwords are almost as insecure as users without any password. Passwords like “password” or “qwerty” are not really helpful.

    2.  Change default port mappings

    MySQL by default runs on port 3306. This should be changed after installation to obfuscate what critical services are running on which ports, as attackers will initially attempt to exploit default values.

    3.Do not run MySQL with root level privileges

    MySQL should be run under a specific, newly-created user account with the necessary permissions to run the service, as opposed to directly as the root user. This adds some auditing and logging benefits while preventing attackers from gaining access by hijacking the root user account.

    4. Limit or disable SHOW DATABASES

    Again, stripping remote attackers of their information gathering capabilities is critical to a secure security posture. For this reason, the SHOW DATABASES command should be limited or removed entirely by adding skip-show-database to the [mysqld] section of the MySQL configuration file at /etc/my.cnf.
     
     
     
     
    References:
    [1] https://www.upguard.com/blog/top-11-ways-to-improve-mysql-security
    [2] https://severalnines.com/database-blog/ten-tips-how-achieve-mysql-and-mariadb-security
     

     


SQL injections are one of the most utilized web attacking mechanism used to  retrieving sensitive information. In this week we hope to discuss about SQL injections and how to secure your PHP website .
If a web developer isn’t careful, they might build their site in such a way that a malicious actor can cause unintended effects in its database.This is how SQL injections happen and it is the main reason for fall victim to SQL Injections.The hacker inputs, or injects, malicious SQL code on the website and fools it into  delivering that code to its database as a legitimate query.



During the phase of website development you should follow best practices to avoid SQL injections.There are several reasons for SQL Injections.

  •  Passing data to DB without sanitizing.
  •  Not using full Unicode encoding.
  •  Mixing of the code and data
  •  Incorrect Type handling
  •  Incorrectly filtered space characters
  •  Use of quotation marks to delimit string

Now we look at some of prevention technique that can used to avoid SQL Injections.

  • Validate your inputs

    Validating user input is not a direct solution to SQL Injection, but it helps us avoid malicious user data being interpreted by the database.
    Let's take example URL like this.
    http://techblog.domains.lk/customer_details.php?id=4

    A simple way to fix the vulnerability in the above URL would be to check whether the ID parameter is what is actually expected from it. That means positive integer.
    <?php 
    if (is_numeric($_GET['id']) && abs($_GET['id']) == $_GET['id']){
         $sql =     "SELECT * FROM user WHERE id = ".$_GET['id'];
    } else{ 
        echo "Sorry, only positive integers allowed here!";
    }
    ?> 
    Then system will response only for positive integers. likewise you can use user validation technique based on your application or situation. 
 

  • Use prepared statements

     Another way you can protect your code against SQL injections is by using prepared statements. Prepared statements are pre-compiled SQL commands.They can be used with a specific database access library such as  PDO. 

    $sql = "SELECT * FROM users WHERE email = '$email' AND status='$status'";

    lets take above example. it is a sql query without PDO. we can use PDO -a Database Access Abstraction Layer to modify above  query  to prevent from SQL injections.

    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = ? AND status=?');
    $stmt->execute([$email, $status]);
    $user = $stmt->fetch();
    // or
    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email AND status=:status');
    $stmt->execute(['email' => $email, 'status' => $status]);
    $user = $stmt->fetch();

     

    Tips For Avoiding PHP SQL Injection Vulnerabilities

    Prevention is better than cure. You must take the following precautions as these are the best ways to prevent SQL injection in php:

    • To avoid SQL injections, user input should be validate for a definite set of rules for syntax, type, and length.
    • While granting rights to the database for particular users, try to provide only the minimum required rights, in order to avoid any future attacks to sensitive data.
    • If a user is given rights for a specific application, make sure that he does not access the application unnecessarily.
    • Removing unused stored procedures may also help in the prevention of SQL injects.
    • Be careful when using stored procedures as they are easily exploited.
 
REFERENCES:
[1] https://www.cloudways.com/blog/prevent-php-sql-injection/
[2] https://www.php.net/manual/en/book.pdo.php

 

 
The Elasticsearch security features enable you to easily secure a cluster. You can password-protect your data as well as implement more advanced security measures such as encrypting communications, role-based access control, IP filtering, and auditing.
When you use the basic and trial licenses, the Elasticsearch security features are disabled by default.
In this blog you will learn how to enable elasticstack security features.
 

Add the xpack.security.enabled setting to the elasticsearch.yml file.
xpack.security.enabled: true

Restart the elasticsearch service.
systemctl restart elasticsearch

./bin/elasticsearch-setup-passwords interactive

 

Create a kibana keystore from usr/share/kibana directory


cd /usr/share/kibana 

./bin/kibana-keystore create --allow-root

now choose username and password for kibana.
 
 
./bin/kibana-keystore add elasticsearch.username --allow-root
./bin/kibana-keystore add elasticsearch.password --allow-root

After that restart the kibana serivce
systemctl restart kibana

Let's setup Logstash security as well.
you can see the errors of the logstash from following command

tail -f /var/log/logstash/logstash-plain.log

Now stop the Logstashservice from systemctl stop logstash

Edit logstash.yml file for enablelogstash security.
uncomment the x-pack monitoring username and password and enter your details to here which you enter at the beginning of this post.

 

 Create keystore for logstash as well.

sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create

  

    Enter username and password for logstash keystore

sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_USER