Wednesday, 9 April 2014

Critical OpenSSL vulnerability

OpenSSL released a security advisory yesterday (7/Apr/2014) regarding the TLS heartbeat read overrun (CVE-2014-0160). [1] This is a CRITICAL vulnerability affecting 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1.

An attacker can read memory contents of the remote server . The server will not crash or otherwise exhibit suspicious behaviour. Successful exploitation leaks usernames, passwords, web application session cookies or other sensitive information. 

Currently, some of the vulnerable websites are: 
yahoo.com
okcupid.com
flickr.com

The quickest way to test your server is by using the following link:
http://filippo.io/Heartbleed/

Remediation:
Affected users should upgrade to OpenSSL 1.0.1g. The alternaltive at this point if you cannot upgrade to OpenSSL 1.0.0g is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS

For remediating against an Apache install you will also need to upgrade libssl (libssl1.0.0).

Note that Ubuntu 1.0.1-4ubuntu5.12 of OpenSSL resolves the issue.

Temporary Snort signatures:
a) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack with ssltest.py";flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; rawbytes; isdataat:!1,relative; reference:cve,2014-0160; sid: 6000000; rev:1;)

b) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack";flow:to_server,established; content:"|18 03|"; rawbytes; depth:2; byte_test:1, &, 3, 0, relative; byte_test:2, >, 200, 3, relative, big; reference:cve,2014-0160; sid: 6000001; rev:2;)


[1] http://www.openssl.org/news/secadv_20140407.txt

Monday, 31 March 2014

So many Computer Forensics tools but no time

Do you want to get your hands in Computer Forensics but you don't really know where to start. Are you looking for a tool that does a specific job but you don't know which one to download and use. Forensic Control [1] have a list of free tools as a free resource for all. The tools are grouped in categories and a detailed description allows you to find what you are looking for. 

The main categories of the tools you can find are:

  • Disk tools and data capture
  • Email analysis
  • General tools
  • File and data analysis
  • Mac OS tools
  • Mobile devices
  • File viewers
  • Internet analysis
  • Registry analysis
  • Application analysis
  • Abandonware




[1] https://forensiccontrol.com/resources/free-software/

Monday, 24 March 2014

Booby-trapped documents in Rich Text Format are being used for targeted attacks


There are booby-trapped documents being circulated in the Rich Text Format (RTF) that exploit a vulnerability in the 2010 version of Microsoft Word [CVE-2014-1761]. 

Microsoft Advisory published on Monday 24/Mar/2014 (2953095) [2] warns about the Vulnerability in Microsoft Word which could allow Remote Code Execution. A Temporary fix is available by Microsoft [3].

[1] ​http://arstechnica.com/security/2014/03/zero-day-vulnerability-in-microsoft-word-under-active-attack/

[2] http://technet.microsoft.com/en-us/security/advisory/2953095

[3] https://support.microsoft.com/kb/2953095

Sunday, 23 March 2014

SANS Investigate Forensic Toolkit (SIFT) Workstation Version 3.0

SANS SIFT 3.0 Virtual Machine Released [1]

Developed and continually updated by an international team of forensic experts, the SIFT is a group of free open-source forensic tools designed to perform detailed digital forensic examinations in a variety of settings. With over 100,000 downloads to date, the SIFT continues to be the most popular open-source forensic offering next to commercial source solutions.

[1] http://digital-forensics.sans.org/blog/2014/03/23/sans-sift-3-0-virtual-machine-released

Friday, 28 February 2014

Guest Speaker for Derby University (Digital Forensic Investigation Course)

I had the pleasure to be invited as a guest speaker to Derby University in order to give a talk about Penetration Testing in the real world and more specifically for the Digital Forensic Investigation course.

The talk included an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participant had an opportunity to understand what is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and last but not least a PCI Forensics Investigator (PFI).

The students were introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and comparison of ASV, Vulnerability Assessment and Penetration Testing was given.

The second part of the talk focused on malware and included a more practical approach with a hands-on session. The talk focused on how easy could it be to create malware that is capable of evading AntiVirus detection (including reputation based detection). The students were given an executable file and a hex editor which allowed them to modify the given binary. Social engineering and spear phishing were also discussed. The purpose was to raise their awareness and allow them to understand with examples why we say there is no 100% security.

I had a wonderful day at the University, the students were very excited and I do hope they learned a lot. All the best with their course. The industry needs these knowledgeable future professionals.