Wednesday, 30 April 2014

BSides London 2014 - POS Devices

I was given the opportunity to present at this year's BSides London [1]. The talk was a 15 minutes presentation about Point of Sale (POS) devices, during a no-camera, no-recording session due to the sensitive content. 

I have been researching the features of POS devices for more than a year and I wanted to share my findings before someone else does something similar. However, due to the fact it is not easy to fix the issues overnight, I decided to keep the presentation "behind closed doors". During the presentation I demonstrated how it is possible for anyone to become a "hacker" and abuse these little devices with simple key combinations. 

Wednesday, 9 April 2014

Critical OpenSSL vulnerability

OpenSSL released a security advisory yesterday (7/Apr/2014) regarding the TLS heartbeat read overrun (CVE-2014-0160). [1] This is a CRITICAL vulnerability affecting 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1.

An attacker can read memory contents of the remote server . The server will not crash or otherwise exhibit suspicious behaviour. Successful exploitation leaks usernames, passwords, web application session cookies or other sensitive information. 

Currently, some of the vulnerable websites are:

The quickest way to test your server is by using the following link:

Affected users should upgrade to OpenSSL 1.0.1g. The alternaltive at this point if you cannot upgrade to OpenSSL 1.0.0g is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS

For remediating against an Apache install you will also need to upgrade libssl (libssl1.0.0).

Note that Ubuntu 1.0.1-4ubuntu5.12 of OpenSSL resolves the issue.

Temporary Snort signatures:
a) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack with";flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; rawbytes; isdataat:!1,relative; reference:cve,2014-0160; sid: 6000000; rev:1;)

b) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack";flow:to_server,established; content:"|18 03|"; rawbytes; depth:2; byte_test:1, &, 3, 0, relative; byte_test:2, >, 200, 3, relative, big; reference:cve,2014-0160; sid: 6000001; rev:2;)