Tuesday 1 March 2016

Decrypting RSA with Obsolete and Weakened eNcryption (DROWN)


An OpenSSL security hole allows the long-deprecated Secure Sockets Layer version 2 protocol (SSLv2) to be used to attack modern web sites. Even though SSLv2 is an ancient protocol, the flaw is estimated to be able to "kill" at least one-third of all HTTPS servers (approx. 11.5 million servers). 

The attack is dubbed DROWN, based on the words: 
Decrypting RSA with Obsolete and Weakened eNcryption

Obsolete Microsoft Internet Information Services (IIS) versions 7 and earlier are vulnerable as well, as are versions of Network Security Services (NSS), a common cryptographic library built into many server products, older than the 3.13 release from 2012. 

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

If you're using another version move up to 1.0.2g or 1.0.1s

OpenSSL 1.0.2g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):
  • http://www.openssl.org/source/
  • ftp://ftp.openssl.org/source/
The flaw was identified by academics, and the code for the attack has not yet been released, mainly to allow people to patch their systems before the vulnerability starts being exploited. 

For further information on the issue, please visit the site: https://drownattack.com

Mitigation/Protection: https://drownattack.com/#mitigation
Instructions for Apache: https://drownattack.com/apache.html
Instructions for Postfix: https://drownattack.com/postfix.html
Instructions for Nginx: https://drownattack.com/nginx.html

There is also an offline scanner available on GitHub: 
https://github.com/nimia/public_drown_scanner
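Since the mitigation comes down to making sure SSLv2 is switched off everywhere (including on servers that share a certificate with the web server), a quick way to verify it is to send a single SSLv2 CLIENT-HELLO and see whether the server answers with an SSLv2 SERVER-HELLO. The script below is an added example written for this post; it is not the DROWN scanner linked above nor code from the OpenSSL project. The record layout and the seven cipher-spec names come from the SSL 2.0 draft specification; make_server_hello builds a constructed reply (placeholder certificate bytes) so the parser can be exercised offline, and server_offers_sslv2 is the live check.

```python
import socket
import struct

# SSLv2 constants from the SSL 2.0 draft specification.
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# The seven SSLv2 cipher specs (3 bytes each) and their specification names.
SSL2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build one SSLv2 CLIENT-HELLO record offering every SSLv2 cipher spec."""
    specs = b"".join(SSL2_CIPHER_SPECS)
    # msg-type, version, cipher-specs length, session-id length, challenge length
    body = struct.pack(">BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION,
                       len(specs), 0, len(challenge)) + specs + challenge
    # Two-byte record header: high bit set, record length in the low 15 bits.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record: bytes):
    """Return the cipher specs named in an SSLv2 SERVER-HELLO, or None when the
    reply is not one (empty reply after a closed connection, a TLS alert, ...)."""
    if len(record) < 3:
        return None
    first = struct.unpack(">H", record[:2])[0]
    if first & 0x8000:                       # 2-byte header, 15-bit length
        body = record[2:2 + (first & 0x7FFF)]
    else:                                    # 3-byte header, 14-bit length, padding byte
        body = record[3:3 + (first & 0x3FFF)]
    if len(body) < 11 or body[0] != SSL2_MT_SERVER_HELLO:
        return None
    # msg-type, session-id-hit, certificate-type, version, cert len, specs len, conn-id len
    _, _, _, version, cert_len, specs_len, _ = struct.unpack(">BBBHHHH", body[:11])
    if version != SSL2_VERSION:
        return None
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    usable = len(specs) - len(specs) % 3     # ignore a truncated trailing spec
    return [SSL2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, usable, 3)]


def make_server_hello(specs: bytes, cert: bytes = b"\x30\x82\x01\x00") -> bytes:
    """Constructed SSLv2 SERVER-HELLO for offline testing; cert bytes are a placeholder."""
    conn_id = b"\x00" * 16
    body = struct.pack(">BBBHHHH", SSL2_MT_SERVER_HELLO, 0, 1, SSL2_VERSION,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body


def server_offers_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Live check: a non-empty list means the server still negotiates SSLv2;
    [] means an SSLv2 hello with no ciphers; None means no SSLv2 reply at all."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return None
    return parse_server_hello(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, "SSLv2 cipher specs:", server_offers_sslv2(target))
```

A patched server (OpenSSL 1.0.2g, 1.0.1s, or any build with SSLv2 disabled) either closes the connection or answers with a TLS alert, and the function returns None; any list of cipher names means SSLv2 is still on and the mitigation steps above still apply to that host. Run it against every service sharing the certificate (mail and IMAP/POP hosts included), not just port 443.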

Wednesday 24 February 2016

Teach your brain to regenerate passwords instead of remembering them

@TripwireInc posted a brief article about my talk for @AbertayHackers and #SecuriTayV happening this Friday 26/Feb. For those attending, you will learn how to teach your brain to regenerate passwords instead of remembering them! 
Let's cut to the chase. Despite the existence of a number of advanced authentication mechanisms, such as Single Sign-On (SSO), different types of Biometrics, multi-factor authentication, etc., the use of passwords is still the most popular means of authenticating users.

The need to generate, and hopefully to remember these passwords, has become even more demanding due to the rapid increase in the number of systems and online accounts being used. 

Best practice is that these passwords need to be as strong as the assets they protect, and password management applications are supposed to be the most straightforward solution for storing them safely.

If you think about it for a moment, no one has ever actually taught you how to think when choosing a password. Because it is generally considered a straightforward task, it is assumed that you already know how to choose the appropriate password for protecting a particular asset (email, social media account, OS login, etc.).

Tuesday 23 February 2016

The rise of the (Chief) Data Protection Officer

Back in August 2015, Sysnet discussed the complexity of what the term CyberSecurity represents, especially in the context of today’s threat landscape. This complexity is not only constantly increasing but it is also expanding at an exponential rate. The risks involved demand constant attention and very good understanding of the new technologies being introduced onto the cyber defence ‘chessboard’.
Sysnet also explored the noticeable shift in the traditional roles of the CSO (Chief Security Officer) and the CIO (Chief Information Officer) which have changed a great deal over the past five years. Their focus on managing security by applying resources to the most crucial system components, in order to reduce the likelihood of a successful breach, is now considered an insufficient approach in the current environment of cyber threats. Threats are changing faster than traditional risk management approaches can cope with, and a more proactive and adaptive approach is needed for an effective cybersecurity strategy.

Looking back a bit further, Sysnet discussed the new EU Data Protection Regulation, which requires the appointment of a Data Protection Officer (DPO) for most organisations, and explained the role and responsibilities of the appointed DPO. 

Wednesday 17 February 2016

Critical vulnerability found in glibc

A critical vulnerability has been found in Glibc, the GNU C library that was also at the core of last year’s GHOST vulnerability. The flaw affects nearly all Linux machines, as well as API web services and major web frameworks. 
The flaw, CVE-2015-7547, affects all Linux servers and web frameworks such as Rails, PHP and Python, as well as Android apps running Glibc. The vulnerability was discovered by researchers at Google and Red Hat, and a patch has been made available. Google has released further information on the issue in its advisory.

It is strongly suggested to patch all affected systems immediately, as this vulnerability is considered critical and could be exploited for malicious purposes (it allows remote code execution). More specifically, the vulnerability affects all versions of Glibc since version 2.9, and there are no temporary mitigations that can be implemented until Linux machines are patched. 

Tuesday 16 February 2016

Tim Cook's letter

Tim Cook's letter about a recent demand made to Apple by the US government. (February 16, 2016)

A Message to Our Customers

The United States government has demanded that Apple take an unprecedented step
which threatens the security of our customers. We oppose this order, which has
implications far beyond the legal case at hand. This moment calls for public
discussion, and we want our customers and people around the country to
understand what is at stake.

The Need for Encryption

Smartphones, led by iPhone, have become an essential part of our lives. People
use them to store an incredible amount of personal information, from our private
conversations to our photos, our music, our notes, our calendars and contacts,
our financial information and health data, even where we have been and where we
are going. All that information needs to be protected from hackers and criminals
who want to access it, steal it, and use it without our knowledge or permission.
Customers expect Apple and other technology companies to do everything in our
power to protect their personal information, and at Apple we are deeply
committed to safeguarding their data. Compromising the security of our personal
information can ultimately put our personal safety at risk. That is why
encryption has become so important to all of us. For many years, we have used
encryption to protect our customers’ personal data because we believe it’s the
only way to keep their information safe. We have even put that data out of our
own reach, because we believe the contents of your iPhone are none of our
business.

Wednesday 10 February 2016

Critical Security updates for all Windows versions

Microsoft has released a number of security updates to address vulnerabilities across all of its Operating Systems. All the vulnerabilities were reported to Microsoft under a responsible disclosure agreement, thus, these are not believed to have been actively exploited by attackers. 

  • MS16-009: A security update for Internet Explorer 9 through 11 to patch 13 security issues, including remote-code-execution (RCE) and information disclosure issues.
  • MS16-011: An update for Microsoft's Edge browser in Windows 10 patches 6 security issues, 4 of which address remote code execution vulnerabilities.
  • MS16-012: An update to address two remote-code-execution flaws in Windows PDF Library and Reader for Windows 8.1, Windows 10 and Server 2012. These could allow attackers to run malicious code on an affected system by tricking users into opening a specially-crafted PDF file.
  • MS16-013: An update for a memory-corruption flaw that could allow a remote attacker to execute arbitrary code as the logged-in user by tricking a user into opening a specially crafted Journal file.
  • MS16-015: An update to patch 6 memory-corruption vulnerabilities in Microsoft Office, each of which could allow a remote attacker to run arbitrary code by tricking a user into opening a specially-crafted Office file.
  • MS16-022: A security update for vulnerabilities found in Adobe Flash Player across all supported versions of Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2 and Windows RT 8.1.


It is highly recommended to ensure that any systems running any version of the Microsoft Operating System are updated as soon as possible. 

Monday 8 February 2016

Abertay Ethical Hacking Society: 5th annual Security Conference: Securi-Tay V

Securi-Tay [1] is an Information Security conference held by the Abertay Ethical Hacking Society [2] and supported by Abertay University in Dundee. The aim of the conference is to provide an opportunity for industry professionals, students and information security enthusiasts to attend and share knowledge and information. This year will be the fifth year the conference is taking place (hence the V) and it will be held on February 26th - 27th, 2016. Personally, I believe this conference offers a fantastic opportunity for students to meet and network with experts in the area of security, share information and have a first glance at what their future in the security industry might look like. 

I was very pleased to get accepted to speak at the conference again this year and I am already looking forward to it. The talk is about passwords and more specifically on how to train your brain to "regenerate" different passwords for different accounts, instead of remembering them. I know that this is not very clear at the moment, but I promise you that everything will be explained during the presentation. This is something I started working on more than 10 years ago. I actually published two papers on the subject, one paper describing the thought process and one paper on how to reverse the password generation process during a computer forensics investigation based on an individual's profile. 

Monday 1 February 2016

Temporary and Disposable Email: Anonymity, Privacy or Security?

There are several websites available that offer temporary and disposable email addresses, which have become quite popular among Internet users today, as they provide a quick alternative to anyone who wishes for their email address to remain private when sending and receiving emails. 
Some of these temporary and disposable email addresses are available only for a few minutes, while others remain publicly available for anyone to access once they have been created. The same goes for websites that offer access to publicly available mobile numbers for receiving text messages (SMS). There is a wide range of numbers available, from different countries.

Effectively, a user can register to an online service by using a publicly available mobile number and receive any verification texts online.

Some may argue that these temporary and disposable email addresses and SMS services provide some sort of privacy. That might be true, especially under specific circumstances, but do not confuse anonymity with privacy and security.

Entering fake details while using a disposable email allows users to subscribe while avoiding any future incoming communications from that particular website to their email or phone, but at what cost?

Sunday 31 January 2016

The "prediction" frenzy for 2016 in CyberSecurity and the Black Swan effect

Over the past few days, a number of articles have hit the web whose main subject is the attempt to predict emerging threats for 2016. Moreover, numerous webinars and discussion panels are being organized, mainly to express an opinion on these claimed predictions. I would like to share with the readers of my blog that this “prediction” frenzy is happening for a very specific underlying reason. 
The information security industry, and more specifically the vendors, are attempting to shift their value proposition once more in 2016 and make it the year of “predicting” attacks: first the shift was from detection to prevention, and now it is to prediction. This is going to be the InfoSec buzzword for the coming year. 

Detection > Prevention > Prediction 

It is sometimes annoying to see some industry professionals (especially those tied to specific vendors, as a publicity stand for quick profit) discuss or present such ideas as novel, when in reality researchers, especially in academia, worked on the evolution of threat assessment and detection many years ago. Several PhD theses have been written on how intrusion detection will evolve, and even more on how the unification of network events will address the problem of managing the vast amounts of information generated (later called “Big Data”); on how prevention can be effective across different geographic locations and how this leads to “Threat Intelligence” needs, by sharing attack patterns across heterogeneous systems in real time (including IoT); and on what the realistic expectations are for predicting cyber threats, based on the abstraction of network events, the behavioural analysis of cyber-criminals, and trends in cybercrime.

Tuesday 26 January 2016

The Rise of Ransomware - Tips on prevention, response and evading extortion

Ransomware, malware that prevents or in some cases limits users from accessing their data, has been on the rise. Last year, 2015, saw a considerable increase, with Crowti (also known as CryptoWall) and FakeBSOD being the two families that affected more than 850,000 systems between June and November. In the first quarter of 2015, ransomware saw a 165% increase compared to the previous year. In the second quarter of 2015, 4 million samples of ransomware were identified, indicating 58% ransomware growth. Ransomware is expected to grow in 2016, considering that more than half of malware attacks in 2015 also carried ransomware.
The main function of ransomware is to prevent the user (or users, if it infects a server) from using that particular system. It does this by encrypting the files it finds stored in the filesystem and on connected drives. Usually, ransomware also tries to prevent certain applications and services from running.

Malicious files
These malicious files are called ransomware because they demand a payment (a ransom) in order to allow the users to decrypt their files; the attacker provides the decryption key in exchange for the payment. Some of these types of malicious files try to convince individuals that they have done something illegal in an attempt to scare them into making the payment (ransomware acting as scareware). In order to be more believable, some ransomware payment demands pretend to be from a law enforcement agency. The ransom usually ranges from a few US dollars to hundreds of dollars, or its Bitcoin equivalent.
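From the response side, the behaviour described above (files across the filesystem and connected drives replaced by encrypted copies) has a measurable signature: ciphertext has near-uniform byte statistics, so a sudden spread of high-entropy files, often with a new extension, is the thing to look for. The script below is an added example written for this post, not code from any product mentioned in it. The sample files, the suspicious-extension list and the compressed-type list are constructed for illustration and should be replaced with what is seen in your own environment.

```python
import math
import os
from collections import Counter

# Constructed sample "files" (name -> content); not real ransomware output.
SAMPLE_FILES = {
    "report.txt": b"Quarterly report: revenue up 12%. " * 40,
    "notes.txt": b"meeting at 10, bring the slides\n" * 20,
    "photo.jpg.locked": bytes(range(256)) * 8,   # uniform bytes, as ciphertext looks
}

# Extensions appended to encrypted files; constructed, illustrative list.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}

# Types that are high-entropy by nature (compressed or already encrypted) and
# would otherwise be reported as false positives.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png",
                         ".mp4", ".docx", ".xlsx", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for a constant file, 8.0 when every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes, threshold: float = 7.5) -> str:
    """Return 'suspicious', 'high-entropy-expected' or 'normal' for one file."""
    ext = os.path.splitext(name)[1].lower()
    if ext in SUSPICIOUS_EXTENSIONS:
        return "suspicious"
    if shannon_entropy(data) >= threshold:
        return "high-entropy-expected" if ext in COMPRESSED_EXTENSIONS else "suspicious"
    return "normal"


def triage(files: dict) -> dict:
    """Classify an in-memory name -> bytes mapping (used for the constructed sample)."""
    return {name: classify(name, data) for name, data in files.items()}


def suspicious_ratio(results: dict) -> float:
    """Fraction of files flagged; one odd file is noise, a large fraction is the alarm."""
    if not results:
        return 0.0
    return sum(1 for v in results.values() if v == "suspicious") / len(results)


def scan_directory(root: str, sample_size: int = 65536) -> dict:
    """Classify every regular file under root, reading at most sample_size bytes each."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify(fn, fh.read(sample_size))
            except OSError:
                continue            # unreadable or vanished file; skip it
    return results


if __name__ == "__main__":
    import sys
    found = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_FILES)
    for path, verdict in found.items():
        print(f"{verdict:22} {path}")
    print(f"suspicious ratio: {suspicious_ratio(found):.2f}")
```

The ratio is what makes this useful for response rather than only for triage: a share backup job that suddenly reports most of a user's documents as suspicious is the point at which to isolate the host, and comparing today's ratio with yesterday's on the same directory tree gives a baseline that a single threshold cannot.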

Wednesday 20 January 2016

Browse Safely & Tools for Looking up Potentially Malicious Websites

The following list contains free online tools for looking up a potentially malicious website. Some of these tools will look up their own historical data for a particular website, while others perform live tests. The URLs are in alphabetical order. 

Even though these websites allow you to initiate an online check on-demand, it is not the most convenient way for everyday use, especially when you jump from one website to the next. In that case, I strongly suggest the use of a browser plug-in (extension) that will do this for you automatically. On that note, know that there are several extensions that will do this check for you in real-time. 

I tested a bunch of them and, to be completely honest, the most lightweight and effective one I found was Avira Browser Safety. This is a tiny extension that will not only look up and check each website you visit for any malicious content but will also list all trackers on the website. Also, the Avira Browser Safety extension allows you to select which trackers you would like to turn off by flipping a switch next to each tracker listed. Combining this with your favourite extension that blocks ads makes visiting websites a little bit less scary. 

Please note that I am referring to legitimate websites that have been breached with the sole purpose of delivering malware to their visitors. In many cases, this breach stays undetected for days or weeks before it is picked up by the developers or the security team. Also, the reason why I am suggesting an ad blocker is that there have been many cases where ads have been compromised and contain malicious JavaScript that infects visitors (see: Malvertising). 
If you think you know of a site that can do something similar but it is not on this list, let me know and I will be happy to add it. 

Tuesday 19 January 2016

Temporary & Disposable Email / SMS List

Sometimes it is very useful to have a temporary email address which you will only be using briefly. I admit it: I personally use these disposable email providers because I need, for example, to download a free whitepaper or register on an online form that I know I won't be using again for a very long time, and I don't want to get bombarded with advertising material afterwards (or have my email shared with undisclosed third parties).

Before I move on to telling you about the temporary/disposable email addresses, let me point out another interesting online service that might sometimes come in handy. These are temporary mobile numbers for receiving actual text messages (aka SMS). There are websites which allow you to receive an SMS online and won't parse or modify the content. (Yes, this means you can do XSS if you manage to fit your JavaScript code within one SMS.) Basically, the only thing you need to do is look for the country you want the SMS to be sent to, and pick an available number from the list. 

I am surprised to see that major companies in the information security community don't maintain a blacklist of these temporary emails and public phone numbers for SMS messages, at least in the same way Google does. Google knows these temporary/disposable email addresses and publicly accessible SMS phone numbers, and won't allow you to use them when registering for a new Gmail account. 

So, I have done the hard work for you. Instead of listing the websites where you can go to get a temporary/disposable email (for example, see here or use a search engine), I am listing all the domains used by these websites that offer temporary/disposable email addresses. (It's too much work to list all the phone numbers as well, and by the way, these are modified/changed too often to put them in a static list similar to the temporary/disposable email domains.)

This information is fully up-to-date today (19/Jan/2016) and I will try to update it again as often as possible. Of course, if you find any domain used for such a purpose which is not on my list, feel free to contact me and I will be happy to update the list. I believe this list is good to share among the infosec community, so anyone who has a domain or domains to add will be able to do so. 

You can find all these hundreds of domain names in this PDF file. Follow me on Twitter (@drgfragkos) and let me know if you found this list useful. 
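The way such a list is normally put to use is at registration time: extract the domain from the address the user typed and refuse it if the domain, or any parent of it, is on the list. Below is an added example of that check, written for this post; it is not the author's list or tooling. The three domains in DISPOSABLE_DOMAINS are constructed placeholders under the reserved .example TLD, standing in for the domains in the PDF. The check lowercases the domain, strips a trailing dot, converts internationalised names to their ASCII (IDNA) form so an alternative spelling cannot slip past, and walks up the label chain so that mail.<listed-domain> is caught too.

```python
import re

# Constructed placeholders for the real list of temporary/disposable email domains.
DISPOSABLE_DOMAINS = {
    "throwaway-mail.example",
    "tenminute-inbox.example",
    "burner-sms.example",
}

# Deliberately simple: one '@', no whitespace. Full RFC 5322 validation is a separate job.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def email_domain(address: str):
    """Return the normalised domain part of an address, or None if it is malformed."""
    match = EMAIL_RE.match(address.strip())
    if not match:
        return None
    domain = match.group(1).lower().rstrip(".")
    try:
        # IDNA encoding maps internationalised spellings to the ASCII form on the list.
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_disposable(address: str, blocklist=DISPOSABLE_DOMAINS) -> bool:
    """True if the address's domain, or any parent domain, is on the blocklist."""
    domain = email_domain(address)
    if domain is None:
        return False            # malformed; reject elsewhere, do not mislabel as disposable
    labels = domain.split(".")
    # Check "a.b.c.example", then "b.c.example", then "c.example", then "example".
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_registrations(addresses, blocklist=DISPOSABLE_DOMAINS):
    """Split a batch of addresses into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for addr in addresses:
        (rejected if is_disposable(addr, blocklist) else accepted).append(addr)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample registrations.
    sample = ["alice@corp-mail.example", "Bob@Throwaway-Mail.EXAMPLE",
              "eve@mail.tenminute-inbox.example", "not-an-email"]
    ok, blocked = filter_registrations(sample)
    print("accepted:", ok)
    print("rejected:", blocked)
```

Loading the blocklist from a file and refreshing it on a schedule is the only part left to the reader; the matching logic stays the same. Note that matching parents means listing a public suffix such as "example" alone would block everything under it, so entries should be the provider's registrable domain, not a TLD.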

Thursday 14 January 2016

A serious bug with SSH that requires immediate action

Two issues have been identified in OpenSSH (CVE-2016-0777 and CVE-2016-0778). Theo de Raadt gave us a heads-up earlier today in a mailing list posting. 
In short, you will need to add the option UseRoaming no to your /etc/ssh/ssh_config (or your user's ~/.ssh/config) file, or start your SSH client with -oUseRoaming=no on the command line. Adding the option to the config file can be done with a single command:

# echo -e 'Host *\nUseRoaming no' >> /etc/ssh/ssh_config

This is basically a workaround until you are able to patch all affected systems. 
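Two details of the one-line command above are worth handling when rolling the workaround out to many machines: running it twice appends the stanza twice, and ssh uses the first value it obtains for an option, so a "UseRoaming yes" in an earlier Host block would silently override a "Host *" stanza appended at the end. The script below is an added example written for this post (not from OpenSSH or the mailing list posting): it reports the effective setting, rewrites an explicit yes in place, appends the stanza only when nothing is set, and leaves a .bak copy when it changes a file.

```python
import os
import re

# Matches "UseRoaming no", "UseRoaming=no", with any indentation; comment lines do not match.
ROAMING_RE = re.compile(r"^\s*UseRoaming\s*[=\s]\s*(\S+)", re.IGNORECASE)

DISABLE_STANZA = "Host *\n    UseRoaming no\n"


def roaming_setting(config_text: str):
    """Return the first UseRoaming value in the file (ssh uses the first match), or None."""
    for line in config_text.splitlines():
        match = ROAMING_RE.match(line)
        if match:
            return match.group(1).lower()
    return None


def ensure_roaming_disabled(config_text: str) -> str:
    """Return the config text with roaming disabled; unchanged if it already is."""
    current = roaming_setting(config_text)
    if current == "no":
        return config_text
    if current is not None:
        # An explicit value exists earlier in the file; appending would not win, so rewrite it.
        fixed = []
        for line in config_text.splitlines(keepends=True):
            match = ROAMING_RE.match(line)
            if match:
                line = line[:match.start(1)] + "no" + line[match.end(1):]
            fixed.append(line)
        return "".join(fixed)
    if config_text and not config_text.endswith("\n"):
        config_text += "\n"
    return config_text + DISABLE_STANZA


def apply_to_file(path: str) -> bool:
    """Rewrite the file in place if needed; returns True when it was changed."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            original = fh.read()
    except FileNotFoundError:
        original = ""                       # a missing ~/.ssh/config is simply empty
    updated = ensure_roaming_disabled(original)
    if updated == original:
        return False
    if original:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return True


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh/config")
    print(target, "changed" if apply_to_file(target) else "already disabled")
```

Run it with /etc/ssh/ssh_config as the argument (as root) for the system-wide file, or with no argument for the current user's ~/.ssh/config. As with the one-liner, this is a stop-gap: the real fix is the patched OpenSSH client.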

Tuesday 12 January 2016

First Patch Tuesday for 2016

The new year brought a set of new patches for the vulnerabilities identified in the Microsoft product family. I know there is no point saying it once more, but for those who need to hear it, make sure you patch your systems as soon as possible!

See here: https://technet.microsoft.com/en-us/library/security/mt637763.aspx

Bulletin | KB      | Title                                                                             | Affected software
MS16-010 | 3125573 | Security Update in Microsoft Exchange Server to Address Spoofing                  | Microsoft Exchange
MS16-008 | 3124605 | Security Update for Windows Kernel to Address Elevation of Privilege              | Microsoft Windows
MS16-007 | 3124901 | Security Update for Microsoft Windows to Address Remote Code Execution            | Microsoft Windows
MS16-006 | 3126036 | Security Update for Silverlight to Address Remote Code Execution                  | Microsoft Developer Tools & Software
MS16-005 | 3124584 | Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution  | Microsoft Windows
MS16-004 | 3124585 | Security Update for Microsoft Office to Address Remote Code Execution             | Microsoft Office
MS16-003 | 3125540 | Cumulative Security Update for JScript and VBScript to Address Remote Code Execution | Microsoft Windows
MS16-002 | 3124904 | Cumulative Security Update for Microsoft Edge                                     | Microsoft Edge & Microsoft Windows
MS16-001 | 3116180 | Cumulative Security Update for Internet Explorer                                  | Internet Explorer & Microsoft Windows
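A quick way to turn the bulletin list into a per-host check is to compare the installed hotfix identifiers with the KB numbers above. The script below is an added example written for this post, not Microsoft tooling; the KB numbers are the ones listed in the bulletin summary and SAMPLE_WMIC_OUTPUT is a constructed stand-in for the output of "wmic qfe get HotFixID" (KB1234567 in it is a placeholder). Two caveats a practitioner should keep in mind: the number in the summary is the bulletin's own article, and the package actually installed for that bulletin can carry a different KB number (the per-product tables in the bulletin list them), and the QFE list only covers updates registered with the Windows servicing stack, so Office, Exchange and Silverlight updates will not appear there. Treat a "missing" result as a prompt to check, not as proof.

```python
import re
import subprocess

# Bulletin -> KB article number, as listed in the January 2016 bulletin summary.
JANUARY_2016_BULLETINS = {
    "MS16-001": "KB3116180",
    "MS16-002": "KB3124904",
    "MS16-003": "KB3125540",
    "MS16-004": "KB3124585",
    "MS16-005": "KB3124584",
    "MS16-006": "KB3126036",
    "MS16-007": "KB3124901",
    "MS16-008": "KB3124605",
    "MS16-010": "KB3125573",
}

# Constructed sample of what `wmic qfe get HotFixID` prints; KB1234567 is a placeholder.
SAMPLE_WMIC_OUTPUT = """HotFixID  
KB3116180  
KB3124605  
KB1234567  
"""


def parse_hotfix_ids(wmic_output: str) -> set:
    """Extract the KBnnnnnn identifiers from wmic output, upper-cased for comparison."""
    return {kb.upper() for kb in re.findall(r"KB\d+", wmic_output, re.IGNORECASE)}


def installed_hotfixes() -> set:
    """Live query of the local machine (Windows only); not exercised offline."""
    result = subprocess.run(["wmic", "qfe", "get", "HotFixID"],
                            capture_output=True, text=True, check=True)
    return parse_hotfix_ids(result.stdout)


def missing_bulletins(bulletins: dict, installed: set) -> dict:
    """Bulletins whose listed KB is not among the installed hotfix identifiers."""
    return {bulletin: kb for bulletin, kb in bulletins.items() if kb.upper() not in installed}


def report(bulletins: dict, installed: set) -> str:
    """One line per bulletin, marking installed / not found."""
    lines = []
    for bulletin in sorted(bulletins):
        kb = bulletins[bulletin]
        status = "installed" if kb.upper() in installed else "NOT FOUND"
        lines.append(f"{bulletin}  {kb}  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pass --sample to run against the constructed output on any platform.
    found = parse_hotfix_ids(SAMPLE_WMIC_OUTPUT) if "--sample" in sys.argv else installed_hotfixes()
    print(report(JANUARY_2016_BULLETINS, found))
```

On a fleet, the same function can be fed the QFE output collected by whatever inventory agent is already in place, which avoids running wmic on every host interactively.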

SSH vulnerability in Fortinet Fortigate products

It was reported that an SSH "backdoor" had been identified in Fortinet FortiGate products, and proof-of-concept source code was posted on the Full Disclosure mailing list. 



Fortinet released a brief statement regarding the issues found with FortiOS on January 12, 2016. The brief statement says that the issue that was recently disclosed publicly was resolved and a patch was made available in July 2014. 

Fortinet stated that: "This was not a “backdoor” vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external."

Have you heard of "Cyber Insurance"?

Cyber Liability Insurance Cover (CLIC), otherwise referred to as cyber insurance, is a market that grew significantly in 2015. One of the main factors that contributed to this growth is the constant increase of threats in cyberspace and, more specifically, the high-profile data breaches that took place during the past years. Due to these data breaches, companies were taken to court and were forced not only to cover the losses but also to take on the extra costs of the data breaches. In most cases, these additional costs included crisis management, legal costs, reputational damages, engaging in identity theft resolution, credit and fraud monitoring, and further technical costs as well.
Under the potential threat of a breach and the inevitable consequences, this has established not only a need but also a demand for a cyber insurance market. This has also been highlighted by a cyber survey conducted by RIMS. The survey showed that 74 percent of the companies without Cyber insurance will be purchasing one within the next two years. Likewise, by 2025 the total annual premiums for stand-alone cyber insurance are projected to grow to $20 billion.

Wednesday 6 January 2016

Quickly detect CMS & other technologies being used on a website

Ever wanted to quickly uncover the Content Management System (CMS) used on a particular website? Well, if you are a developer or responsible for assessing the security of web applications, this might be a good tip on how to do it quickly and effectively. 

First of all, let me point out that there are several websites online that offer to analyse a given URL and then return results not only about the particular CMS being used, but about other technologies utilised in each case as well. These may include the use of Apache, the presence of Google Analytics, or other technologies such as jQuery, reCAPTCHA, etc. 

The problem with all these online services however is privacy. When checking a particular website, especially if you have been contracted to assess the security of the web application in place, you do not want this information to be shared with a third party or to be included in a publicly available "recently checked" list. 

I actually spent some time trying to locate a button or a check box on these websites that would allow me to opt out of having the information cached or displayed, but I couldn't. Thus, I had to find a different way that would respect my privacy, and I think that I did.
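The privacy problem goes away as soon as the lookup is done locally from one ordinary request to the site itself, because nothing about the target is then sent to a third party. The script below is an added example of such a passive check, written for this post; it is not the author's method (which the post does not show here) nor any online service's code. The signatures are my own, constructed from well-known markers (generator meta tags, WordPress and Drupal asset paths, the Server and X-Powered-By headers, jQuery, Google Analytics and reCAPTCHA script references) and the sample headers and HTML are constructed too; fingerprint_url performs the single live GET.

```python
import re
import urllib.request

# Header name (lower-case), pattern to look for in its value, technology label.
HEADER_SIGNATURES = [
    ("server", re.compile(r"apache", re.I), "Apache"),
    ("server", re.compile(r"nginx", re.I), "nginx"),
    ("x-powered-by", re.compile(r"php", re.I), "PHP"),
    ("x-powered-by", re.compile(r"asp\.net", re.I), "ASP.NET"),
    ("x-generator", re.compile(r"drupal", re.I), "Drupal"),
]

# Pattern to look for in the HTML body, technology label.
HTML_SIGNATURES = [
    (re.compile(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress', re.I), "WordPress"),
    (re.compile(r"/wp-content/|/wp-includes/", re.I), "WordPress"),
    (re.compile(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']Joomla', re.I), "Joomla"),
    (re.compile(r"/sites/default/files/|drupal\.settings", re.I), "Drupal"),
    (re.compile(r"jquery[.-][\d.]*(min\.)?js", re.I), "jQuery"),
    (re.compile(r"google-analytics\.com/(ga|analytics)\.js|ga\('create'", re.I), "Google Analytics"),
    (re.compile(r"google\.com/recaptcha|g-recaptcha", re.I), "reCAPTCHA"),
]


def fingerprint(headers: dict, html: str) -> list:
    """Return the technology labels found, in signature order, without duplicates."""
    found = []
    lower = {name.lower(): value for name, value in headers.items()}
    for name, pattern, label in HEADER_SIGNATURES:
        if name in lower and pattern.search(lower[name]) and label not in found:
            found.append(label)
    for pattern, label in HTML_SIGNATURES:
        if pattern.search(html) and label not in found:
            found.append(label)
    return found


def fingerprint_url(url: str, timeout: float = 10.0) -> list:
    """One GET of the page itself; nothing about the target leaves your machine."""
    request = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        html = response.read(512 * 1024).decode("utf-8", errors="replace")
        return fingerprint(dict(response.headers.items()), html)


# Constructed sample response, as a WordPress site on Apache/PHP might answer.
SAMPLE_HEADERS = {"Server": "Apache/2.4.7 (Ubuntu)", "X-Powered-By": "PHP/5.5.9"}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.4.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://www.google-analytics.com/analytics.js" async></script>
</head><body><div class="g-recaptcha"></div></body></html>"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", fingerprint_url(sys.argv[1]))
    else:
        print("sample ->", fingerprint(SAMPLE_HEADERS, SAMPLE_HTML))
```

Because the check is passive, a site that strips its generator tag and rewrites its asset paths will show fewer results than an online service that also probes well-known paths; for an engagement that is usually the right trade, and the signature lists are easy to extend from what you see in the actual responses.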