IoT Adventures: The LeFun WiFi Camera
October 03, 2018, Esteban Rodriguez, Consultant, Coalfire Labs, Coalfire
Recently I happened to be in the market for a baby monitor, so I decided to search Amazon for an affordable device that would fit my needs. A search for “baby monitor” within the “electronics” department brought me to the LeFun WiFi Camera. For $39.99 (at the time of my purchase), this seemed like it could be a good deal. Knowing the reputation of Internet of Things (IoT) devices, I was curious about its security. This was addressed in the product description with the guarantee that when I connect to any device, it will be via a “secure and safe network” and will be secured with “financial-level encryption.” It also boasts that the device is “CE, FCC, and RoHS certified,” which is good, despite those certifications only dealing with safety and not information security.
The Unhealthy Security of Healthcare
September 25, 2018, Qasim Ijaz, Director, Coalfire Labs
I have been involved in a number of healthcare penetration tests here at Coalfire and in my previous roles. I have hacked electronic medical records, medical devices, and most importantly, humans. From my time as a systems engineer at a medical device and systems vendor to my current role at Coalfire as a penetration tester, I have seen a few healthcare organizations grow from highly insecure to cyber-fortresses. In this blog, I will highlight the most common issues my teammates and I come across while penetration testing healthcare environments.
From OSINT to Internal: Gaining Domain Admin from Outside the Perimeter
September 11, 2018, Esteban Rodriguez, Consultant, Coalfire Labs, Coalfire
When I first began working at Coalfire in early 2017, I couldn’t wait to get started pentesting professionally for the first time. When I finally got tasked with my first gig, I dove right in. I was tasked to perform an assessment of the external network. After hitting all known servers and web applications with various scanning tools, I had nothing. For a penetration tester, the assessment does not end here.
Exploiting Blind Java Deserialization with Burp and Ysoserial
September 04, 2018, Esteban Rodriguez, Consultant, Coalfire Labs, Coalfire
While performing a web application penetration test, I stumbled upon a parameter with some base64-encoded data within a POST parameter. Curious as to what it was, I sent it over to Burp decoder.
AWS Slurp Github Takeover
August 28, 2018, Logan Evans, Associate, Coalfire Labs, Coalfire
Slurp is a tool used by information security professionals to enumerate AWS S3 buckets. Slurp takes a domain name (example.com) or wordlist as input and cycles through likely S3 bucket names (example.s3.amazonaws.com) looking for any world-read/writeable buckets. S3 buckets are a great find for offensive security pros because they are commonly misconfigured. This leads to things like the famous RNC Voter Records breach or Verizon’s 2017 breach.