Thursday 9 July 2015

OpenSSL vulnerability, Severity: High, CVE-2015-1793

On June 11, updated versions of OpenSSL were released. It was disclosed earlier today that they contained a serious certificate validation error (CVE-2015-1793). Luckily, the vulnerability was discovered quickly (it was reported to OpenSSL two weeks ago), and a patch was made available at the same time as it was made public today.
During certificate verification, OpenSSL (starting from versions 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic means that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate for any name they choose.
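The check that the bug could be steered past, as an added example (this is not code from the OpenSSL project or from this post): the script below drives the openssl command-line tool, assumed to be on PATH, to build a small hierarchy with invented names, a trusted root, a leaf issued with basicConstraints CA:FALSE, and a certificate signed with that leaf's key. It then runs openssl verify with the leaf offered as an untrusted intermediate, the way a TLS server would present it. A correct verifier refuses the chain with "invalid CA certificate"; CVE-2015-1793 was a path on which that check could be skipped when the alternative chain was taken. The script shows what the flaw let an attacker get away with, not the exact trigger from the advisory. (Python is used for the added examples on this page.)

```python
import subprocess
import tempfile
from pathlib import Path

# Minimal OpenSSL config used for every request in this demo, so the outcome
# does not depend on the system openssl.cnf. "-subj" overrides the placeholder
# CN. All names are made up for the example.
DEMO_CNF = """\
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
"""


def openssl(*args, cwd):
    """Run one openssl CLI command; raise if it fails, return its output."""
    proc = subprocess.run(["openssl", *args], cwd=cwd,
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"openssl {args[0]} failed:\n{proc.stderr}")
    return proc.stdout + proc.stderr


def build_leaf_signed_chain(workdir: Path):
    """Create root (CA:TRUE) -> leaf (CA:FALSE) -> rogue, where the rogue
    certificate is signed with the leaf's key. Files are written to workdir."""
    (workdir / "demo.cnf").write_text(DEMO_CNF)
    d = str(workdir)
    # 1. Self-signed root that will be the only trust anchor.
    openssl("req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes",
            "-config", "demo.cnf", "-extensions", "v3_ca",
            "-subj", "/CN=Demo Root CA", "-days", "30",
            "-keyout", "root.key", "-out", "root.pem", cwd=d)
    # 2. Ordinary end-entity certificate issued by the root, explicitly CA:FALSE.
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", "demo.cnf",
            "-subj", "/CN=leaf.example.test",
            "-keyout", "leaf.key", "-out", "leaf.csr", cwd=d)
    openssl("x509", "-req", "-in", "leaf.csr", "-CA", "root.pem", "-CAkey", "root.key",
            "-CAcreateserial", "-days", "30",
            "-extfile", "demo.cnf", "-extensions", "v3_leaf",
            "-out", "leaf.pem", cwd=d)
    # 3. The attacker's move: the leaf's key "issues" a certificate for any name.
    #    Nothing stops the signing itself; only the verifier can catch it.
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", "demo.cnf",
            "-subj", "/CN=www.victim.test",
            "-keyout", "rogue.key", "-out", "rogue.csr", cwd=d)
    openssl("x509", "-req", "-in", "rogue.csr", "-CA", "leaf.pem", "-CAkey", "leaf.key",
            "-CAcreateserial", "-days", "30", "-out", "rogue.pem", cwd=d)


def verify_rogue(workdir: Path):
    """Ask the verifier to build rogue -> leaf -> root with the leaf offered as
    an untrusted intermediate. Returns (accepted, verifier_output)."""
    proc = subprocess.run(
        ["openssl", "verify", "-CAfile", "root.pem", "-untrusted", "leaf.pem", "rogue.pem"],
        cwd=str(workdir), capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout + proc.stderr


def leaf_as_ca_is_rejected() -> bool:
    """True when the local OpenSSL refuses a certificate issued by a CA:FALSE leaf."""
    with tempfile.TemporaryDirectory() as d:
        build_leaf_signed_chain(Path(d))
        accepted, _ = verify_rogue(Path(d))
    return not accepted


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_leaf_signed_chain(Path(d))
        accepted, output = verify_rogue(Path(d))
        print(output.strip())
        print("ACCEPTED: this verifier does not enforce the CA flag" if accepted
              else "rejected: the CA flag on the leaf was enforced")
```

Run it against each OpenSSL build you ship with; the expected result on a correct build is a rejection at depth 1 ("invalid CA certificate"). The leaf deliberately carries no keyUsage extension, so that the verifier reaches the CA-flag check instead of failing earlier on a missing keyCertSign bit.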

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. 

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

Please note that support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade their OpenSSL implementations to the latest version. 

It is strongly suggested to update OpenSSL implementations to the latest version.

If you would like to run a quick inventory of the SSL/TLS services on your network you can do that with nmap:
nmap -sV -Pn --script ssl-enum-ciphers --version-intensity 2 [IP/CIDR]
Note that this only finds hosts offering SSL/TLS and the cipher suites they accept. Because CVE-2015-1793 is a bug in the verifier rather than something visible in the handshake, you still have to check the OpenSSL version in use on each host, and on your clients, which are the side most exposed to a forged server certificate.

Are you using Nessus? If so, make sure you update to the latest version (6.4.1) and update your plugins: nessuscli update --plugins-only (nessuscli.exe on Windows).
Plugin IDs 84636 and 84637 test for this issue.

Maybe it is time for you to look into s2n, a new open source TLS implementation from Amazon. It deliberately leaves out the rarely used options and extensions of the TLS protocol; consequently it consists of approximately 6,000 lines of code, which makes it a lot easier to review. At the time of writing, s2n has passed three external security evaluations and penetration tests. Keep in mind that s2n only covers the TLS layer and still relies on a libcrypto (OpenSSL's, for instance) for the underlying primitives, so it does not remove OpenSSL from your stack entirely.

Saturday 4 July 2015

SteelCon 2015 - Can you really hack an airplane? (myths & truths)

I was very excited to hear that the talk I submitted to SteelCon 2015 (http://www.steelcon.info) was accepted. This time I am talking about something different than usual: hacking airplanes.
A lot of noise, many discussions and many articles have been generated lately by the recently claimed airplane hack. It is indeed very difficult, if not impossible, to find information about the security of an airplane's systems unless you are the person responsible for designing and building them. Of course, it is understandable that the details of these systems will never become available to the general public, for security reasons.

Wednesday 1 July 2015

Steps you need to take for the upcoming Windows Server 2003 End of Support (EOS)

The End of Support (EOS) for Windows Server 2003 is only a few days away. It is very important for CISOs and cyber security decision makers in general to plan for the day after support for this product ends. Microsoft will stop issuing security patches next week, and the risk of running such a critical system in production will start to increase rapidly.
As a reminder, the date for your calendar is 14 July 2015, the last day on which a security patch will be issued. As happened with Windows XP after its end of support, attacks against the operating system increased in an attempt to exploit it.

Sunday 28 June 2015

LinkedIn - security issue - Unvalidated Redirects and Forwards

This is a LinkedIn shortened URL that seems to point to LinkedIn (when you try to reverse it) but in reality redirects to this blog post: https://lnkd.in/eSQcwhD

Below we are going to show that this unvalidated redirect (OWASP Top 10 2013, A10: Unvalidated Redirects and Forwards) can be used to deceive users into visiting malicious websites and downloading malicious executables while they believe they are being redirected to LinkedIn.
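The control that OWASP prescribes for A10 is an allow-list on the redirect destination, and the usual way it fails is a parser that disagrees with the browser. As an added example (not LinkedIn's code, and not from this post), here is a Python validator for a redirect endpoint with an invented allow-list of two hostnames; it normalises the target the way browsers do before checking it, so the classic bypasses (protocol-relative "//evil", backslash "/\evil", "https://good@evil", "https:evil", tab-split "java\tscript:") are all refused.

```python
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to. Constructed for the
# example; a real deployment would load its own allow-list.
ALLOWED_HOSTS = {"www.linkedin.com", "linkedin.com"}


def _normalize(target: str) -> str:
    """Apply the browser's own pre-processing before parsing.

    Browsers drop tab/CR/LF anywhere in a URL and treat "\\" as "/" in
    http(s) URLs, so a validator that parses the raw string can be fooled
    by "/\\evil.example" or "java\\tscript:alert(1)".
    """
    cleaned = "".join(ch for ch in target if ch not in "\t\r\n")
    return cleaned.strip().replace("\\", "/")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for site-relative paths or absolute http(s) URLs whose host
    is exactly on the allow-list."""
    target = _normalize(target)
    if not target:
        return False
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return False                      # javascript:, data:, vbscript:, ...
    if parts.netloc:
        if "@" in parts.netloc:           # https://good.example@evil.example
            return False
        host = (parts.hostname or "").lower().rstrip(".")
        return host in allowed_hosts      # exact match: no suffix/prefix games
    if scheme:
        return False                      # "https:evil.example" opens https://evil.example
    # No scheme and no authority: must be a single-slash site-relative path.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """What the redirect handler should actually send in its Location header."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed probes: the first three should pass, the rest must fail.
    probes = [
        "/in/someone",
        "https://www.linkedin.com/in/someone",
        "https://WWW.LinkedIn.com./in/someone",
        "//evil.example/",
        "/\\evil.example/",
        "https://www.linkedin.com@evil.example/",
        "https://www.linkedin.com.evil.example/",
        "javascript:alert(1)",
        "java\tscript:alert(1)",
        "https:evil.example",
    ]
    for p in probes:
        print(f"{'ALLOW' if is_safe_redirect(p) else 'BLOCK':5}  {p!r}")
```

An interstitial page, which LinkedIn's reply below mentions, helps the user but does not replace this check: it is the server that decides where the Location header points, and that decision has to be made against the allow-list.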

>> Responsible Disclosure: Before I describe the issue, I would like to mention that I followed LinkedIn's vulnerability reporting policy to the letter (responsible disclosure) and reported the issue exactly as described on this page:

After sending a detailed description of the issue (on 27 May 2015), I received the following reply from LinkedIn.

Thank you for contacting us and sending us your writeup.

We do perform validation for third-party links that users submit to LinkedIn, checking the destination for inclusion on malware and safe browsing blacklists. The hash you observed is used for that purpose. 


Regarding unwinding of our short links or obfuscation, URL encoding is working as expected and the depth of third-party inspectors is not something under our control. Note that some of our redirects use JavaScript, so they may not be capable of analyzing the content. Those redirects also clearly show an interstitial that a redirect is occurring.

If you believe we have misinterpreted your report, please let us know.
Thanks!

[name of responder not being disclosed]

LinkedIn House Security

From my point of view, LinkedIn did not understand the extent of the issue I described. So I replied, giving a couple of examples of why I believe this unvalidated redirect "feature" does not seem to be working as "expected": it can redirect, trick or deceive users into downloading malware and/or visiting a malicious website while they are under the impression they are being redirected to LinkedIn. My reply to LinkedIn's response was the following:

Friday 26 June 2015

Applied Cyber Security at MIT

MIT (Massachusetts Institute of Technology) created a short but intense Applied Cyber Security course. To attend, candidates had to apply and go through an approval process that determined whether they were accepted. In this course, experts from academia, the military and industry shared their knowledge and gave participants the principles, the state of the practice, and strategies for the future of cyber security.
I was honoured and very excited to be accepted to participate in this course. In today's world, organisations must be prepared to defend against threats in cyberspace. Decision makers must be familiar with the principles and best practices of cyber security to best protect their enterprises.

I strongly believe that the best way to achieve this is to be educated and to share knowledge and information with our peers. Our business strategies need to be reformed and adapted to the fast-evolving landscape of cyber threats, so that we are prepared to make the right decisions going forward.