Thursday, 9 February 2017

Ticketbleed (CVE-2016-9244)

A vulnerability similar to the well-known heartbleed was discovered in the TLS/SSL stack of F5 BIG-IP appliances that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This vulnerability is called Ticketbleed as it lies in the implementation of Session Tickets, which is a resumption technique used to speed up repeated connections. The vulnerability affects the proprietary F5 TLS stack which exposes 31 bytes at a time.

Test
You can test your domain using the automated script which you can find at: https://filippo.io/Ticketbleed/

Alternatively, you can test for Ticketbleed yourself with a Go script: here

Fixes and mitigation
The full list of affected versions is available on the F5 website. At the time of this public disclosure not all releases have upgrade candidates available.

Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections.

Reproduced here are the instructions provided by F5 and available at the link above.

  1. Log in to the Configuration utility
  2. Navigate on the menu to Local Traffic > Profiles > SSL > Client
  3. Toggle the option for Configuration from Basic to Advanced
  4. Uncheck the Session Ticket option to disable the feature
  5. Click Update to save the changes

Source: https://filippo.io/Ticketbleed/

Monday, 6 February 2017

Guest Speaker for University of South Wales (Information Security Research Group) - InfoSec Community; Stepping into the security industry

I had the pleasure to be invited as a guest speaker to the University of South Wales by the Information Security Research Group (ISRG). The talk was about the Information Security community and more specifically how young professionals can step into the security industry.
During this talk, the students (graduates & postgraduates) had the opportunity to understand and discuss what they can do today in order to ensure they are well prepared when it comes to stepping into the security industry.

The talk included an introduction to what is considered to be a security oriented mindset, provided a number of quick tips, mentioned several online resources, and last but not least how to prepare for an interview. The students among a number of subjects that were raised during the talk, were also introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and a brief comparison between Vulnerability Assessments and Penetration Testing was given.


Saturday, 31 December 2016

Representing DeepRecce - Conferences list 2016

IRISSCERT Cyber Crime Conference – November 2016

irisscertIRISS is Ireland’s CERT team and provides a range of services to its clients to help them defend and secure their networks and data. This annual conference is now recognised as Ireland’s premier Cyber Security event where experts on various aspects of cyber security share their thoughts and experiences. DeepRecce was represented by Dr. Grigorios Fragkos who delivered a really forward looking talk on Cyber Resilience with the interesting title: All aboard, next stop; Cyber Resilience. The talk familiarised the audience with what Cyber Resilience really is, how a holistic approach to cybersecurity problems is better to protect us from cyber threats, and last but not least, how Cyber Resilience will change once and for all the way cybersecurity is discussed in the boardroom, as it will provide companies the means to stay within budget.

BruCON – October 2016

finalgamingdefOne of the most important security conferences for ethical hackers in Europe is BruCON. The event started with security training sessions that lasted for three days and concluded with a two-day conference composed of outstanding security presentations and workshops. It comes without surprise to see so many people arriving to the event from all over Europe to join an interesting atmosphere for open discussions related to critical InfoSec issues, privacy, information technology and its cultural/technical implications on society. DeepRecce was represented at the conference by Dr. Grigorios Fragkos who was invited to present his talk on Point of Sales (POS) and more specifically on Point of Interaction (POI) devices and Virtual Terminals. Even though the research started almost three and a half years ago, the findings were never made publicly available, and have only been presented behind closed doors and to by invitation only events/conferences, in order to be given enough time to acquirers, payment processors and affected parties to remediate the issues disclosed.

Securing Online Gaming – October 2016

finalgamingdefThe challenges involved when it comes cyber resilience were discussed at this year’s annual “Securing Online Gaming” in London, on the 4th October 2016. DeepRecce is not only a strategic sponsor to the event, but was also represented by Dr. Grigorios Fragkos with an innovative and forward-looking talk on “Online Gaming towards Cyber Resilience”. The talk focused mainly on:
• Today’s challenges & requirements towards security online gaming
• How attacks are evolving, and what should we expect
• Taking steps for an effective Cyber Resilience strategy


44CON – September 2016

44conlondonDeepRecce had a presence at this year’s 44CON in London. We had the chance to meet and catch up with friends and colleagues from the industry. As Cyber Security becomes a more and more boardroom discussion it was a pleasure to see the department of MoJ Digital & Technology at the event who also designed a fun yet challenging Capture the Flag. Information Security professionals from all industries, mostly interested in cybersecurity and ethical hacking, had the change to attend a series of interesting talks and workshops related to security from speakers around the world.

Security BSides Manchester – August 2016

bsidesmcrDSecurity BSides events are Information Security community based conferences happening all over the world and DeepRecce was present at this year’s event in Manchester. Information Security Professionals, experts, researchers, ethical hackers and InfoSec enthusiasts come together to discuss the next “big thing”, not only to ethical hacking, but instead the conference is open to a wide range of subjects related to security such as incident response, IoT security, computer forensics, security standards and of course compliance. DeepRecce was represented at the event by Dr. Grigorios Fragkos with a talk about “Accessing the personal details of most of the InfoSec professionals & the Responsible Disclosure process”. Due to the sensitive nature of the contents, the talk was not allowed to be recorded.

Electromagnetic Field – August 2016 – EMF Camp

cpl-kqywyaak1qfA UK based camping festival that takes place every two years for those with an inquisitive mind or an interest in making/breaking things: hackers, geeks, digital artists, scientists, engineers and technology enthusiasts. DeepRecce was represented at the event by Dr. Grigorios Fragkos with a talk on the myths and truths when it comes to hacking airplanes.


SnoopCon – July 2016

DeepRecce was represented by Dr. Grigorios Fragkos at SnoopCon 2016 invited by the Cyber Security Testing and Validation Team at British Telecoms (BT) in order to attend their annual internal conference, as a guest speaker. This is actually the second time Grigorios attended this by-invitation-only conference, where he was awarded the Best External speaker award in 2015. The conference is known as SnoopCon and it is BT’s Penetration Testing and Ethical Hacking annual meet-up event which lasts five days overall.

Monday, 26 December 2016

TP-LINK Modem / Router (ADSL2+) Security and Vulnerabilities

I really hope this blog post starts a small trend when it comes to the security of home-based routers. I started searching online for home routers (SOHO) and wanted to compare them based on how secure they are, up to a reasonable price for a household. I have seen all these different makes that have been found in the recent years to contain hard-coded credentials and other known backdoors, and I wanted to investigate this a bit further. 

It is very hard to find security related information about routers before deciding which one to buy. Also, it is really annoying to see that manufacturer only care and promote the features and functionality of a router, and do not consider security at all.

From where I stand, when a company sells a router, should be in their best interest that router to have no security vulnerabilities. Otherwise, it is like having a company that wants to sell bulletproof vests that doesn't stop bullets, other than those fired from Airsoft BB guns.

I do understand that most people might choose a router based on its cost, colour, shape and if it is shiny. However, from my experience, these people just want to get online and want to simply replace the really bad modem/router their ISP provided for "free". Most of the time the real reason behind that decision is because when more than two devices are connected to those "free" devices, the Internet experience becomes annoying, to say the least. For such use, it is not hard to find a replacement for these "free" routers at a very reasonable price, and 90% of the time, it is totally worth it.

Friday, 23 December 2016

in-flight entertainment vs avionics

For those of you who have had the opportunity to see one of my presentations "Can you really hack an airplane: Myths & Truths", you are already familiar with what is really happening and the confusion between in-flight entertainment systems and avionics (https://en.wikipedia.org/wiki/Avionics). I was asked to put this article up by a number of friends in the security industry to highlight a few very important points. The purpose of this article is to provide food for thought. Especially, when you hear someone saying that "hacked" an airplane, or made it fly "sideways" by tampering with its systems through the in-flight entertainment system. Consider the following points and come to your own conclusions. 

Anyone who is trying to "generalise" and claim that during an actual flight, for example through the in-flight entertainment system, managed to take control of the plane and/or that it is possible to actually fly an aircraft like this, should first read what the law has to say about this. (Tokyo Convention 1963). 
Do you really want someone with the excuse of being a "security researcher" tampering with the airplane's systems while you are on an actual flight, because he/she decided that has nothing better to do? I am sorry, but from where I stand, we (security researchers) respect the law, and make sure we have permission to conduct any security assessments & penetration testing, in a safe and approved environment.