Tuesday, 14 July 2015

Adobe Flash Player - Keep it up-to-date

There is a big debate about uninstalling Adobe Flash Player completely from your systems or not. Unfortunately, Adobe Flash Player has been found to suffer by a number of vulnerabilities and new ones surface each other week. 
If you still want to keep flash player on your system, I suggest you change your browser* settings and make sure any flash content runs after you have authorised it by clicking on it and not automatically when you visit a web page. 

I also suggest you make sure you have the latest version of Adobe Flash Player which YOU MUST ONLY download from the Adobe website and not through any random popups or third party links. 

This is the official URL where you can download the latest version of Adobe Flash Player for your system and the browser you are using is https://get.adobe.com/flashplayer/. Please note that you need to run Windows Update in order to download automatically the latest Adobe Flash Player update for Internet Explorer. I suggest restarting your system before you run Windows Update and after you have completed patching your OS through Windows Update. 

By visiting the following link you can check if you are running the latest version of Adobe Flash Player: http://www.adobe.com/uk/software/flash/about/

* Make sure you have updated your browser (Firefox, Chrome, Opera, etc.) to its latest version before updating the flash player. In order to check if you have the latest version, run your browser, hit the Alt key from the keyboard, go to the Help menu and select the "About" option. Your browser will inform you if it is at its latest version or it will start downloading the latest version for you. 

Thursday, 9 July 2015

OpenSSL vulnerability, Severity: High, CVE-2015-1793

On June 11, an updated version of OpenSSL was released. It was disclosed earlier today that it contained a serious certificate validation error (CVE-2015-1793). Luckily, the vulnerability was discovered quickly enough (two weeks ago) and once made it was made public today a patch was also made available.
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. 

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

Please note that support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade their OpenSSL implementations to the latest version. 

It is strongly suggested to update OpenSSL implementations to the latest version.

If you would like to run a quick check on your network for SSL implementations you can do that by using nmap: 
nmap -sV -Pn --script ssl-enum-ciphers --version-intensity 2 [IP/CIDR]

Are you using Nessus? If you do, make sure you update to the latest version (6.4.1) and update your plugins: nessuscli.exe update --plugins-only
Use Plugin IDs 84636/7 for testing.

Maybe it is time for you to look into into the s2n, which is a new open source TLS implementation. This implementation avoids the rarely used options and extensions of the TLS implementation. Consequently, it consists of approximately 6000 lines of code and makes it a lot easier to review. As it stands at the moment, s2n has passed three external security evaluations and penetration tests.

Saturday, 4 July 2015

SteelCon 2015 - Can you really hack an airplane? (myths & truths)

I was very excited to hear my talk that was sent to SteelCon 2015 (http://www.steelcon.info) was accepted. This time I am talking about something different than usual, which has to do about hacking airplanes.
A lot of noise, many discussions and many articles have been written lately due to the recent so claimed airplane hack. It is indeed very difficult, up to impossible, to find information about the security of an airplane's systems if you are not actually the person responsible for designing and building such systems. Of course, it is understandable that these details regarding these systems will never become available to the general public for security reasons.

Wednesday, 1 July 2015

Steps you need to take for the upcoming Windows Server 2003 End of Support (EOS)

The End of Support (EOS) for Windows Server 2003 is only a few days away. It is very important for CISOs and CyberSecurity decision makers in general to plan the next day once the support for this product has ended. Microsoft will stop issuing security patches next week and the risk of running a critical system in production will start to increase rapidly. 
As a reminder, the date for your calendar as the last day a security patch will be issued is the 14 July 2015. As it happened with Windows XP, after its end of support, attacks against the Operating System increased in an attempt to exploit it. 

Sunday, 28 June 2015

Linkedin - security issue - Unvalidated Redirects and Forwards

This is a Linkedin shortened URL that seems to be pointing to Linkedin (when you try to reverse it) but in reality, it redirects to this blog post! https://lnkd.in/eSQcwhD

Below we are going to prove that this unvalidated redirect method (OWASP A10) can be used to deceive users and redirect them to malicious websites and malicious executable files by letting them think they are being redirected to Linkedin.

>> Responsible Disclosure: Before I start describing the issue I would like to mention that I followed LinkedIn's policy on reporting vulnerabilities process to the letter (responsible disclosure) and reported the issue exactly as it is described in this page:

After sending a detailed description of the issue (on 27/May/2015), I received the following reply from Linkedin.

Thank you for contacting us and sending us your writeup.

We do perform validation for third-party links that users submit to LinkedIn, checking the destination for inclusion on malware and safe browsing blacklists. The hash you observed is used for that purpose. 


Regarding unwinding of our short links or obfuscation, URL encoding is working as expected and the depth of third-party inspectors is not something under our control. Note that some of our redirects use JavaScript, so they may not be capable of analyzing the content. Those redirects also clearly show an interstitial that a redirect is occurring.

If you believe we have misinterpreted your report, please let us know.
Thanks!

[name of responder not being disclosed]

LinkedIn House Security

From my point of view, Linkedin did not understand the extend of the issue I described. So, I replied to that person giving him a couple of examples why I believe this unvalidated redirect "feature" doesn't seem to be working as "expected". Simply because, it can redirect/trick/deceive users into downloading malware and/or visit a malicious website, while under the impression they are being redirected to Linkedin instead. So, my reply to Linkedin response was the following: