Sunday, 28 June 2015

Linkedin - security issue - Unvalidated Redirects and Forwards

This is a Linkedin shortened URL that appears to point to Linkedin (when you try to unshorten it with a third-party URL inspector) but in reality redirects to this blog post!

Below we are going to show that this unvalidated redirect (OWASP Top 10 2013, A10: Unvalidated Redirects and Forwards) can be used to deceive users and send them to malicious websites or malicious executable files while they believe they are being redirected to Linkedin.
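The mechanism behind the deception, as an added example that is not code from the original post or from Linkedin: an HTTP-only "unshortener" stops at the first page that answers 200, so a shortener that lands on an interstitial page which redirects with JavaScript or a meta refresh looks as if it stays on the shortener's own domain. The resolver below follows both kinds of hop and then flags the two things the post is concerned with, leaving the origin domain and ending on an executable. All hosts, paths and page bodies are constructed for the example and are not Linkedin's redirector.

```python
"""Resolve a shortened URL to its real destination, following HTTP redirects
and the client-side redirects (meta refresh / JavaScript) that HTTP-only
unshorteners stop at.  Added example; hosts and pages below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed hop chain: shortener 302 -> same-domain interstitial that
# redirects with JavaScript -> off-site executable.  Values: (status, headers, body)
FAKE_WEB = {
    "https://short.example/abc": (
        302, {"Location": "https://short.example/redir?url=https%3A%2F%2Fevil.example%2Fsetup.exe"}, ""),
    "https://short.example/redir?url=https%3A%2F%2Fevil.example%2Fsetup.exe": (
        200, {}, '<html><body>Redirecting, please wait...'
                 '<script>window.location.href="https://evil.example/setup.exe";</script>'
                 '</body></html>'),
    "https://evil.example/setup.exe": (200, {"Content-Type": "application/octet-stream"}, ""),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET that does not follow redirects by itself."""
    return FAKE_WEB.get(url, (404, {}, ""))


class _MetaRefresh(HTMLParser):
    """Extracts the URL from <meta http-equiv="refresh" content="0; url=...">."""
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.target = m.group(1)


# Matches location = "...", location.href = "...", location.replace("..."), location.assign("...")
_JS_REDIRECT = re.compile(
    r"""location(?:(?:\.href)?\s*=|\.(?:replace|assign)\()\s*["']([^"']+)["']""")


def client_side_redirect(body):
    """Return the URL a browser would navigate to from this page body, or None."""
    p = _MetaRefresh()
    p.feed(body)
    if p.target:
        return p.target
    m = _JS_REDIRECT.search(body)
    return m.group(1) if m else None


def resolve(url, fetch=fake_fetch, follow_client_side=True, max_hops=10):
    """Follow the redirect chain and return the list of URLs visited.

    follow_client_side=False reproduces what an HTTP-only unshortener sees.
    """
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(chain[-1])
        nxt = None
        if 300 <= status < 400 and "Location" in headers:
            nxt = headers["Location"]
        elif follow_client_side and status == 200:
            nxt = client_side_redirect(body)
        if not nxt:
            return chain
        chain.append(urljoin(chain[-1], nxt))
    raise RuntimeError("redirect loop or chain longer than %d hops" % max_hops)


def assess(url, fetch=fake_fetch):
    """Where the link really ends up, and whether that should worry the user."""
    chain = resolve(url, fetch)
    origin = urlsplit(chain[0]).hostname
    final = urlsplit(chain[-1])
    return {
        "final_url": chain[-1],
        "hops": len(chain) - 1,
        "leaves_origin": final.hostname != origin,
        "executable": final.path.lower().endswith((".exe", ".msi", ".scr", ".bat", ".jar")),
    }


if __name__ == "__main__":
    naive = resolve("https://short.example/abc", follow_client_side=False)
    print("HTTP-only unshortener stops at:", naive[-1])
    print("Full resolution:", assess("https://short.example/abc"))
```

Against a real shortener, replace fake_fetch with a GET that does not auto-follow redirects (for example a requests call with allow_redirects=False) and keep the hop limit; the interesting output is the difference between the HTTP-only chain and the full one, which is exactly the gap that Linkedin's reply attributes to the "depth of third-party inspectors".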

>> Responsible Disclosure: Before I start describing the issue I would like to mention that I followed LinkedIn's vulnerability reporting policy to the letter (responsible disclosure) and reported the issue exactly as described on this page:

After sending a detailed description of the issue (on 27/May/2015), I received the following reply from Linkedin.

Thank you for contacting us and sending us your writeup.

We do perform validation for third-party links that users submit to LinkedIn, checking the destination for inclusion on malware and safe browsing blacklists. The hash you observed is used for that purpose. 

Regarding unwinding of our short links or obfuscation, URL encoding is working as expected and the depth of third-party inspectors is not something under our control. Note that some of our redirects use JavaScript, so they may not be capable of analyzing the content. Those redirects also clearly show an interstitial that a redirect is occurring.

If you believe we have misinterpreted your report, please let us know.

[name of responder not being disclosed]

LinkedIn House Security

From my point of view, Linkedin did not understand the extent of the issue I described. So, I replied to that person giving a couple of examples of why I believe this unvalidated redirect "feature" does not seem to be working as "expected": it can redirect/trick/deceive users into downloading malware and/or visiting a malicious website while they are under the impression that they are being redirected to Linkedin. So, my reply to Linkedin's response was the following:

Friday, 26 June 2015

Applied Cyber Security at MIT

MIT (Massachusetts Institute of Technology) created a short but intense Applied Cyber Security course. To attend, applicants had to apply and go through an approval process that determined whether they were accepted. In this course, experts from academia, the military and industry shared their knowledge and gave participants the principles, the state of the practice, and strategies for the future of cyber security.
I was honoured and very excited to be accepted to participate in this course. In today’s world, organizations must be prepared to defend against threats in cyberspace. Decision makers must be familiar with the principles and best practices of cyber security to best protect their enterprises. 

I strongly believe that the best way to achieve this is to be educated and to share knowledge and information among our peers. Our business strategies need to be reformed and adapted to the fast evolving threat landscape so that we are prepared to make the right decisions going forward.

Friday, 19 June 2015

SnoopCon 2015

It was a great honour to be invited by the Cyber Security Testing and Validation Team at British Telecom (BT) to attend their annual internal conference as a guest speaker. The conference is known as SnoopCon and it is BT's Penetration Testing and Ethical Hacking annual meet-up event, which lasts five days.

The event is held behind closed doors, however it is customary that on the third day they invite people from the industry, recognising that their work would be an invaluable input if presented at their internal conference.

I had a fantastic day at BT and the quality of the guest talks was through the roof. From cyber wargaming to the dark corners of the Dark Net, hacking the Internet of Things, a different approach to hacking cars, OS exploitation and of course, Threat Intelligence in depth.

The amazing news came a couple of days later, when I was informed that I was awarded the "Best External Speaker" award for my talk. 

The award is called the "my little Pwnie Award", based on the word "pwn", which is hacker slang meaning "to compromise" or "to control", hence the eccentric form of the award.

Thank you for inviting me to the conference and a special thank you for the award. I am looking forward to the next conference already! 

Follow me on Twitter: @drgfragkos 

Saturday, 13 June 2015

How to initialize your brand new SSD (Windows)

If you decide to buy a new Solid State Drive a.k.a. SSD, before you can use it, you have to initialize and partition it. 

Otherwise the drive will appear to do nothing when you connect it. You can do the initialization with the SSD connected through a USB cable (SATA to USB adapter) or directly on a SATA port.

  1. Attach the SSD as a secondary drive and load Windows from your existing drive.
  2. In Windows 7 and earlier, open 'Disk Management' by right clicking on 'Computer' and selecting 'Manage', then 'Disk Management'. In Windows 8 and later, move the mouse to the lower left corner of your desktop and right-click on the Start Icon, then select Disk Management.
  3. When Disk Management opens, a pop-up should appear and prompt you to initialize the SSD.
  4. Select MBR (Master Boot Record) and click OK. MBR is fine for a data drive of up to 2 TB; choose GPT instead for a larger drive or for a drive you intend to boot a UEFI system from.
  5. Right click in the area that says Unallocated and select New Simple Volume...
  6. The New Simple Volume Wizard will open, click Next
  7. Leave the Specify Volume Size as the maximum (default value) and click Next
  8. Select a Drive Letter and click Next
  9. In the Format Partition screen, decide on a Volume label (the name you want to give the drive) and click Next
The drive is now formatted and ready for use.
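The same procedure scripted, as an added example that is not part of the original guide: the Storage module cmdlets (Windows 8 / Server 2012 and later) do in four commands what the Disk Management steps above do by clicking. The one thing worth getting right in a script is making sure you initialise the new disk and not one that already holds data, so it refuses to continue unless exactly one disk is still uninitialised (PartitionStyle RAW). The volume label and the choice of MBR are assumptions that follow the guide; change them as needed.

```powershell
# Added example: scripted equivalent of the Disk Management steps above.
# Assumptions: run as Administrator; the new SSD is the only disk whose
# PartitionStyle is RAW; MBR and the label 'SSD' mirror the guide's choices.
$Label = 'SSD'

# Step 3 equivalent: find the disk that has not been initialised yet.
$raw = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW')
if ($raw.Count -eq 0) { throw 'No uninitialised disk found; check the cable or enclosure.' }
if ($raw.Count -gt 1) {
    $raw | Format-Table Number, FriendlyName, @{n='Size(GB)'; e={[math]::Round($_.Size / 1GB)}}
    throw 'More than one RAW disk is attached; pick the disk number explicitly.'
}
$disk = $raw[0]

# Show what is about to be written to before touching it.
$disk | Format-Table Number, FriendlyName, @{n='Size(GB)'; e={[math]::Round($_.Size / 1GB)}}, PartitionStyle

# Step 4: initialise (use -PartitionStyle GPT for > 2 TB or UEFI boot).
Initialize-Disk -Number $disk.Number -PartitionStyle MBR

# Steps 5-8: one partition spanning the whole disk, next free drive letter.
$part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter

# Step 9: format as NTFS with the chosen label.
Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false

# Confirm the result.
Get-Volume -DriveLetter $part.DriveLetter
```

Get-Disk lists every disk the system can see, including the one Windows is running from, so the RAW check is the safeguard against initialising the wrong disk; if you have more than one new drive attached, pass the disk number to Initialize-Disk and New-Partition yourself instead of relying on the filter.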

Sunday, 7 June 2015

InfoSec 2015, BSides London 2015 and 2600

My first time at InfoSec was something like ten years ago, or more. It was interesting to see how the event has evolved over the years. Once again, it was really exciting to be among so many colleagues in information security during InfoSec and Security BSides London.

As always, I enjoyed my rounds at InfoSec and I had the chance to chat and catch up with a number of people from the information security community, and to talk to a number of vendors about their products and their cybersecurity strategies for the next year.

Friday, 5 June 2015

Understanding the significance of Operations Security (OPSEC) in a fast evolving threat landscape

It is not the first time a military term has been adopted by the information security community to describe an information assurance process. Operations Security (OPSEC) is a military term referring to the protection of individually unclassified pieces of information which, if collected and combined, could expose the security of an entity. In other words, in information security OPSEC describes the process of identifying how publicly available (unclassified) information could be used against us by cyber criminals and/or adversaries with malicious intent, and of limiting that exposure.