Showing posts with label CyberDefense. Show all posts

Monday 10 November 2014

Vulnerability Scanners you should know about

The discovery and patching of security vulnerabilities can be a very difficult and time-consuming task, especially without the use of a proper vulnerability scanner.

The following is a list of the most well-known vulnerability scanners currently available on the market. A security consultant should spend some time familiarising himself/herself with these scanners. Find the scanner that is most suitable for your needs and use it to scan your network infrastructure for security vulnerabilities. Go through the reports these scanners generate and engage in remediating the vulnerabilities discovered. This can be an invaluable experience when it comes to understanding the security issues affecting large network infrastructures.

Some of these scanners can be used under a free license for personal use.

01) Nessus - http://bit.ly/1prtrZ3

02) Nexpose - http://bit.ly/1NHBSML

03) CORE Impact Pro - http://bit.ly/19e7dWC

04) OpenVAS - http://bit.ly/1NHCdPy

05) QualysGuard - http://bit.ly/1MUn52l

06) MBSA (Microsoft Baseline Security Analyser) - http://bit.ly/1MJ2NCE

07) Secunia PSI - http://bit.ly/1iiTjGR

08) Retina - http://bit.ly/1MBNHzo

09) Acunetix - http://bit.ly/1PA8rfA

10) SAINTscanner - http://bit.ly/1RLtB9A

11) GFI LanGuard - http://bit.ly/1RLt8V2

If you know of a vulnerability scanner that you have used and it is worth mentioning here, let me know and I will add it to the list. 

Wednesday 15 October 2014

POODLE SSLv3 Vulnerability

Bodo Möller, Thai Duong and Krzysztof Kotowicz from Google, who discovered this, released a security advisory which you can find on the OpenSSL website [2].
The Padding Oracle On Downgraded Legacy Encryption (aka #POODLE) vulnerability already has a good write-up [1]. Jesper Jurcenoks explains the vulnerability on his blog [3] in a very detailed but at the same time easy to understand manner. I am happy to see that Jesper used the logo I made for the POODLE vulnerability in his blog post! :) If you are thirsty for more technical details, you should also read this blog post from ImperialViolet [4]. If you want to see some statistics on how vulnerable we are today in this regard, you should read this article on Netcraft [5]. The following post outlines the steps on how to disable SSLv3 [6]. If you want to do a quick test to see whether your browser supports SSLv3, you can visit www.poodletest.com. On the other hand, www.howsmyssl.com can provide some useful information about the SSL/TLS client you used to render its page. Last but not least, if you need to test a server for this vulnerability given its domain name, you may use www.poodlescan.com.

CVE-2014-3566 has been allocated for this protocol vulnerability.

I had an idea for a logo for this vulnerability, which I posted on Twitter when the vulnerability came out, and I would like to share it with you. We have been trying to ditch SSLv3 for quite some time now, so the logo had to look a little bit old-style, retro and maybe vintage. Let me know what you think. (You are free to use this logo; it would be nice if you reference it with: @drgfragkos)



Do you want to test manually? Use this command:
openssl s_client -connect google.com:443 -ssl3
If the handshake fails, then the server doesn't support SSLv3.
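As an added example (not part of the original post), a small Python probe that does what the openssl command above does without depending on an OpenSSL build that still has SSLv3: it sends a bare SSLv3 ClientHello and reads the first record back. A ServerHello negotiating version 3.0 means SSLv3 is still enabled; an alert means the server rejected it. The cipher-suite list is a constructed set of SSLv3-era suites, and check_host is a thin wrapper for running the check against your own servers.

```python
import os
import socket
import struct

# Constructed list of SSLv3-era suites to offer: AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA.
PROBE_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]

def sslv3_client_hello() -> bytes:
    """Build a minimal SSL 3.0 ClientHello wrapped in a version 3.0 record."""
    suites = b"".join(struct.pack("!H", s) for s in PROBE_SUITES)
    body = (
        b"\x03\x00"                                  # client_version = SSL 3.0
        + os.urandom(32)                             # 32-byte client random
        + b"\x00"                                    # session_id length = 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
        + b"\x01\x00"                                # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

def classify_response(data: bytes) -> str:
    """Classify the first record a server returns in answer to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no response"
    ctype = data[0]
    if ctype == 0x15 and len(data) >= 7:                         # Alert record
        return f"rejected (alert level={data[5]} description={data[6]})"
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:    # Handshake: ServerHello
        major, minor = data[9], data[10]                         # server_version field
        if (major, minor) == (3, 0):
            return "SSLv3 supported"
        return f"server answered with version {major}.{minor}"
    return "unexpected response"

def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the probe to a host you are responsible for and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sslv3_client_hello())
        return classify_response(sock.recv(4096))

if __name__ == "__main__":
    import sys
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```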

Sunday 29 June 2014

BSides Manchester 2014

It was really nice to be invited to present at BSides Manchester (@BSidesMCR) this year [1]. Very interesting talks and one of the most organised events I have ever been to. On-time information on the website and clear instructions about the event. I really enjoyed both days and tried to attend as many talks as I could.



On the second day, I was presenting about the security of Point of Sale (POS) devices. These devices have a number of "features" which can be used to allow someone to deviate from the payment process in a number of different ways. More specifically, it is possible to complete a transaction without actually being charged, pay with someone else's card without knowing the PIN or even get paid instead of paying. The presentation gave a good understanding of how these devices work and basically demonstrated a number of "magic tricks" on how one could actually live for free! I was overwhelmed by the number of people who attended the talk and their enthusiasm on the subject. Thank you all for your kind words, tweets and re-tweets, much appreciated.

Wednesday 9 April 2014

Critical OpenSSL vulnerability

OpenSSL released a security advisory yesterday (7/Apr/2014) regarding the TLS heartbeat read overrun (CVE-2014-0160) [1]. This is a CRITICAL vulnerability affecting the 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1.

An attacker can read memory contents of the remote server. The server will not crash or otherwise exhibit suspicious behaviour. Successful exploitation leaks usernames, passwords, web application session cookies or other sensitive information.

Currently, some of the vulnerable websites are: 
yahoo.com
okcupid.com
flickr.com

The quickest way to test your server is by using the following link:
http://filippo.io/Heartbleed/

Remediation:
Affected users should upgrade to OpenSSL 1.0.1g. The alternative at this point, if you cannot upgrade to OpenSSL 1.0.1g, is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

To remediate an Apache install, you will also need to upgrade libssl (libssl1.0.0).

Note that Ubuntu's OpenSSL package 1.0.1-4ubuntu5.12 resolves the issue.

Temporary Snort signatures:
a) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack with ssltest.py";flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; rawbytes; isdataat:!1,relative; reference:cve,2014-0160; sid: 6000000; rev:1;)

b) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack";flow:to_server,established; content:"|18 03|"; rawbytes; depth:2; byte_test:1, &, 3, 0, relative; byte_test:2, >, 200, 3, relative, big; reference:cve,2014-0160; sid: 6000001; rev:2;)
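As an added example that is not part of the original post, the following Python sketch applies the same logic as signature (b) above, plus the RFC 6520 length check, to a constructed capture of TLS records: a heartbeat record is flagged when its declared length exceeds 200 bytes, or when the payload length it claims does not fit inside the record (the condition a vulnerable OpenSSL failed to check). The sample bytes are constructed for illustration; the third record reproduces the 8-byte pattern in signature (a).

```python
import struct

HEARTBEAT = 0x18        # TLS content type for heartbeat records (RFC 6520)
MIN_PADDING = 16        # RFC 6520: at least 16 bytes of padding must follow the payload

def iter_records(stream: bytes):
    """Yield (content_type, version, declared_length, payload) for each TLS record.

    A final record whose bytes are missing from the capture is still yielded with
    whatever payload bytes are present, because the header alone can be evidence."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        yield ctype, (major, minor), length, stream[off + 5:off + 5 + length]
        off += 5 + length

def heartbleed_findings(stream: bytes, max_record: int = 200) -> list:
    """Return (record_index, reason) tuples for heartbeat records that look like probes."""
    findings = []
    for idx, (ctype, _version, length, payload) in enumerate(iter_records(stream)):
        if ctype != HEARTBEAT:
            continue
        # Mirror of the Snort rule: a heartbeat record this large is abnormal.
        if length > max_record:
            findings.append((idx, f"heartbeat record length {length} > {max_record}"))
        # The bug condition: type byte + 2-byte length + claimed payload + minimum
        # padding must fit in the record; otherwise a vulnerable peer copies memory
        # beyond the received data into its reply.
        if len(payload) >= 3:
            claimed = struct.unpack("!H", payload[1:3])[0]
            if claimed + 3 + MIN_PADDING > length:
                findings.append((idx, f"claimed payload {claimed} does not fit record length {length}"))
    return findings

# Constructed sample capture: application data, a well-formed heartbeat request
# (4-byte payload plus 16 bytes of padding), then the ssltest.py-style heartbeat
# that declares a 3-byte record but claims a 16384-byte payload.
SAMPLE_STREAM = (
    b"\x17\x03\x02\x00\x05hello"
    + b"\x18\x03\x02\x00\x17\x01\x00\x04ping" + b"\x00" * 16
    + b"\x18\x03\x02\x00\x03\x01\x40\x00"
)

if __name__ == "__main__":
    for idx, reason in heartbleed_findings(SAMPLE_STREAM):
        print(f"record {idx}: {reason}")
```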


[1] http://www.openssl.org/news/secadv_20140407.txt

Monday 3 February 2014

Guest Speaker for Derby University (Digital Forensic Investigation Course) - Cyber-Security and Cyber-Defence

I was very excited to be invited by Derby University once more, and more specifically by the Digital Forensic Investigation Course, to give a talk. The title of the talk was "Cyber-Security and Cyber-Defence in the industry and financial services utilising Penetration Testing and Computer Forensics".

The talk focused on the current cyber-threats and on cyber-security and cyber-defence tactics. It introduced the participants to different types of security services, including threat assessment, threat intelligence and threat management solutions. The talk also gave the students an opportunity to hear about the most successful vendors in the security industry.

Figure 1 - Guy Fawkes Mask as a Rorschach Test

The trends in cybercrime were discussed, along with why cybercriminals participate in cyber-gangs and the reasons why cybercrime is still successful. More specifically, the talk looked into why cybercrime has a presence, how much it pays, the increasing scope, scale and complexity of cybercrime impacting the industry at the moment, how cyber-espionage is involved, and how we can focus on real-world strategies to avoid being targeted.

A number of tools and techniques were introduced to the students, along with a practical session on how easy it would be to create their own version of malware capable of evading AntiVirus detection. All this raised their awareness and made them start thinking outside the box when it comes to the fast-evolving landscape of cyber-threats.

I do believe the students enjoyed the talk as the feedback was exceptional. I do hope they gained enough information during the day to go back and start looking into cyberthreats more closely and with a better understanding.


Wednesday 30 October 2013

Journal of Information Warfare

After the 12th annual European Conference on Cyber Warfare and Security (ECCWS), formerly known as the European Conference on Information Warfare and Security (ECIW) [1], held in July 2013 at the University of Jyvaskyla in Finland, the Journal of Information Warfare (JIW) [2] decided to select a few papers that stood out during the conference and invited the authors to submit an updated version of their paper for the JIW (Volume 12, Issue 3). The title of the updated paper was "Antivirus False-Positive Alerts, Evading Malware Detection, and Cyber-security Issues" [3].

Friday 12 October 2012

RSA Conference Europe 2012

I was delighted to be invited to attend the RSA Conference Europe 2012 (9-11 Oct) in London [1]. There were a number of interesting talks, including Jimmy Wales talking about freedom of speech on the Internet and the distribution of knowledge through Wikipedia.

I was looking forward to Ira Winkler's talk "What the Security Profession Can Learn From the Intelligence Profession". Very interesting views as always, and one of the few people in security who has something new to say, without repeating outdated ideas.