Archive for February, 2016


February 25, 2016

515276483_691482

 

In the last Years, there have been several high-profile vulnerabilities in the SSL and TLS protocols such as Heartbleed or POODLE (Padding Oracle On Downgraded Legacy Encryption) that have sent administrators scrambling. There are a number of tools that can help you identify and evaluate the security of your SSL configuration. One tool, SSLyze, is a SSL scanner that can give you an idea of what flaws exist in your SSL implementation. While it won’t fix them, it will help you identify issues in your configuration.

 

SSLyze is a freely available SSL scanner from iSEC Partners. It works by attempting different, secure connections to the server that you are testing. SSLyze is built in python and runs in the command line. Let’s see how it works.

 

Let’s look how to install it, if you are Kali Linux user it present by default. Just update it frequently.

 

SSL is a good thing to have implemented as security on a website. But only if it is set up correctly. And the newest version, Otherwise you (your site) maybe will be hacked (Heartbleed).

 

It is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers. SSLyze is all Python code but it uses an OpenSSL wrapper written in C called nassl, which was specifically developed for allowing SSLyze to access the low-level OpenSSL APIs needed to perform deep SSL testing.

 

 

Some features are:

 

  • Multi-processed and multi-threaded scanning: it’s very fast.
  • Support for all SSL protocols, from SSL 2.0 to TLS 1.2.
  • NEW: SSLyze can also be used as a library, in order to run scans and process the results directly from Python.
  • Performance testing: session resumption and TLS tickets support.
  • Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more.
  • Server certificate validation and revocation checking through OCSP stapling.
  • Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP.
  • Support for client certificates when scanning servers that perform mutual authentication.

 

 
To install SSLyze you can use either pip

 

 

#pip install sslyze

 

or  clone it from Github

 

#git clone https://github.com/nabla-c0d3/sslyze.git
#cd sslyze
#pip install -r requirements.txt –target ./lib

 

The following command is how you run a basic SSLyze scan:

 

#python sslyze.py  –regular  example.com:443

 
Additionally, SSLyze can be packaged as an executable so you can use it on windows machine easily. That command would look like this:

 

 

sslyze.exe –regular somewebsite.com:443

 
This command scans the domain and writes the output back to the console. The option, –regular, is a shortcut for several options that are commonly used. The output will look something like the example screenshot below.

 

This gives you some good information about the security of your SSL configuration, such as whether or not specific settings are enabled (like secure renegotiation or compression), some general information about the certificate, and what SSL protocols and ciphers are accepted by your server. Let’s look at each section individually.

 

#sslyze -h

 

Screenshot from 2016-02-26 00:59:27

Screenshot from 2016-02-26 01:01:11

 

 

The first section of the report requires little explanation, it’s just SSLyze letting you know what plugins it’s using and checking to see if the host you entered is available.

 

 

REGISTERING AVAILABLE PLUGINS

—————————–

PluginCertInfo

PluginChromeSha1Deprecation

PluginHSTS

PluginOpenSSLCipherSuites

PluginSessionResumption

PluginHeartbleed

PluginCompression

PluginSessionRenegotiation

CHECKING HOST(S) AVAILABILITY

—————————–

0.0.0.0:443 => 0.0.0.0:443

In the second section we start to see some of the first vulnerabilities SSLyze is looking for. All of these relate to some issue with SSL configuration.

 

For example, if compression is enabled, then you are probably vulnerable to the CRIME attack. Or if you have an insecure renegotiation vulnerability (that’s when client-initialed renegotiations are accepted and secure renegotiation is disabled) that can lead to denial of service attacks and man-in-the-middle request injections. Generally, if SSLyze says VULNERABLE instead of OK, then you have some reconfiguring to do.

 

* Deflate Compression:

OK – Compression disabled

* Session Renegotiation:

Client-initiated Renegotiations: OK – Rejected

Secure Renegotiation: OK – Supported

* OpenSSL Heartbleed:

OK – Not vulnerable to Heartbleed

 

 

The next section of the report contains a lot of simple info about the SSL certificate. It contains the name of the certificate authority that signed this certificate and the key size signature algorithm.

 

Right now, SHA1 with a 2048 bit key is the standard, however in the next few years, browsers will no longer trust SHA1. Also, this section is where SSLyze will check if OCSP (Online Certificate Status Protocol) Stapling or session resumption are enabled.

 

* Certificate – Content:

SHA1 Fingerprint: 00000000000000000000000000000

Common Name: example.com

Issuer: Some SSL CA – G2

Serial Number: 0000000000000000000000000000000

Not Before: Jan 24 00:00:00 2015 GMT

Not After: Jan 22 23:59:59 2019 GMT

Signature Algorithm: sha1WithRSAEncryption

Key Size: 2048 bit

Exponent: 65537 (0x10001)

X509v3 Subject Alternative Name: {‘DNS’: [‘example.com’]}

* Certificate – Trust:

Hostname Validation: OK – Certificate matches example.com

“Mozilla NSS – 08/2015” CA Store: OK – Certificate is trusted

“Microsoft – 08/2015” CA Store: OK – Certificate is trusted

“Apple – OS X 10.9.4” CA Store: OK – Certificate is trusted

“Java 6 – Update 65” CA Store: OK – Certificate is trusted

Certificate Chain Received: [‘example.com’, ‘Some SSL CA – G2’, ‘Some CA’, ‘Some Secure Certificate Authority’]

* Certificate – OCSP Stapling:

NOT SUPPORTED – Server did not send back an OCSP response.

* Session Resumption:

With Session IDs: OK – Supported (5 successful, 0 failed, 0 errors, 5 total attempts).

With TLS Session Tickets: NOT SUPPORTED – TLS ticket not assigned.

 

 

The last section of the report details all of the enabled protocols and the allowed cipher suites on top of those protocols.

 

In this example, the administrator has disabled SSL version 2 as it is very insecure (yay!). However, SSLv3 is enabled and there are still some weak ciphers enabled on the TLS protocols, namely RC4 and DES. The next step for this admin would be to implement SSLv3, to avoid issues like POODLE (Padding Oracle Over Downgraded Legacy Encryption). After that, it would be wise to disable older, insecure suites and support NIST compliant cipher suites. For example, EDCHE RSA key exchange, with RSA encryption.

 

* SSLV2 Cipher Suites:

Server rejected all cipher suites.

* TLSV1_2 Cipher Suites:

Preferred:

AES128-SHA – 128 bits HTTP 200 OK

Accepted:

AES256-SHA – 256 bits HTTP 200 OK

RC4-SHA – 128 bits HTTP 200 OK

AES128-SHA – 128 bits HTTP 200 OK

DES-CBC3-SHA – 112 bits HTTP 200 OK

* TLSV1_1 Cipher Suites:

Preferred:

AES128-SHA – 128 bits HTTP 200 OK

Accepted:

AES256-SHA – 256 bits HTTP 200 OK

RC4-SHA – 128 bits HTTP 200 OK

RC4-MD5 – 128 bits HTTP 200 OK

AES128-SHA – 128 bits HTTP 200 OK

DES-CBC3-SHA – 112 bits HTTP 200 OK

* TLSV1 Cipher Suites:

Preferred:

AES128-SHA – 128 bits HTTP 200 OK

Accepted:

AES256-SHA – 256 bits HTTP 200 OK

RC4-SHA – 128 bits HTTP 200 OK

RC4-MD5 – 128 bits HTTP 200 OK

AES128-SHA – 128 bits HTTP 200 OK

DES-CBC3-SHA – 112 bits HTTP 200 OK

* SSLV3 Cipher Suites:

Preferred:

AES128-SHA – 128 bits HTTP 200 OK

Accepted:

AES256-SHA – 256 bits HTTP 200 OK

RC4-SHA – 128 bits HTTP 200 OK

RC4-MD5 – 128 bits HTTP 200 OK

AES128-SHA – 128 bits HTTP 200 OK

DES-CBC3-SHA – 112 bits HTTP 200 OK

SCAN COMPLETED IN 3.16 S

 

You can download SSLyze here. Hopefully you now have enough information about this excellent tool to take advantage of it.  and keep your website safe from hacking.

 

Share

February 19, 2016

It’s all over the news: https://www.washingtonpost.com/world/national-security/us-wants-apple-to-help-unlock-iphone-used-by-san-bernardino-shooter/2016/02/16/69b903ee-d4d9-11e5-9823-02b905009f99_story.html

Does the FBI really need Apple’s help to get around an iPhone PIN? We have cracked numerous PINs as part of our Penetration Testing audits for customers…..If Apple refuses, the FBI would be more than welcome to come to us and we would happily assist 🙂

Share

WPA / WPA2 Cloud Cracking

Author: Martin Voelk
February 17, 2016

In a recent Pentesting engagement for a client we came across across a large WPA2 PSK deployment with 6 different SSIDs. As the customer used generic SSID names such as VOIP-5GHz and INTERNAL-STAFF, which do not allow to trace the customer back, we decided to try one of those numerous Cloud cracking services.

The results were stunningly good. Out of 6 WPA2 handshakes 4 were cracked (incl. the most important ones). Funnily enough the secured GUEST Network wasn’t crackable with a rainbow attack.

https://www.cloudcracker.com

This highlights the danger of WPA/WPA2 PSK once again. The key is only as secure as the complexity. We advice Enterprise RADIUS multi factor authentication with client site certificates and preferably RSA tokens instead.

 

Share

A pictures says more than…

Author: Martin Voelk
February 15, 2016

Forensics are an important part of any investigation. Law enforcement, private detectives as well as Cyber Intelligence companies make use of forensic analysis. We have assisted clients and law enforcement in many cases to track down information about fraudulent activities online. Last year we were involved in numerous investigative cases for clients, where criminals were posting pictures of stolen goods on eBay etc.

More than once we were able to retrieve GPS data from the images along with exact times when the pictures were shot, which cameras have been used, resolution types and in some cases even a digital footprint of the owner of the camera. In our Cyber Intel work we use around 10 different image research tools. Here we would like to introduce 2 of them.

http://fotoforensics.com
http://regex.info//exif.cgi

We wouldn’t be in 2016, if this wouldn’t be cloud based 🙂 Just upload any image you wish to investigate or put the picture URL in. The results are as good or bad as the forensic skills of the picture publishers are. An interesting experience for everyone nonetheless.

Share

Some funny SSL stuff

Author: Martin Voelk
February 13, 2016

Everyone knows that you shouldn’t use self-signed certificates because they are not trusted by browsers natively and generate an error message. If users get used to accept untrusted certificates, they won’t know the difference between a self-signed and a man-in-the-middle attack. I think most Admins are clear about that. This is why there are CAs like Verisign, Comodo, Godaddy and so on.

But when it comes to Google everything is funny. Many people don’t know that Google runs their own CAs and so it must be natively trusted right because it’s Google?!? This is unfortunately, what the Internet has become. A company just needs to grow big enough and then form their own trusted CA and every browser trusts natively. German Telecom is the same thing.

No user would trust company X with a self-signed certificate over their portal login. Yet if it’s Google or Youtube, all is nicely signed by themselves and the little green lock shows in the browser. All good and safe 🙂 Happy Internet

Screen Shot 2016-02-12 at 22.52.32

Share

CRITICAL VULNERABILITY ON CISCO ASA IKEv1 and IKEv2. CHECK IMMEDIATELY!

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike 

 

Share

February 6, 2016

It’s the time of the year again. Cyber 51 LLC is giving away a free external Network Penetration Test against 1 IP address. The winner receives a complete free Pentest without any obligations.

How it works?

  • Use the contact form and launch a request stating 2016 Pentest Raffle
  • Your details will be entered into our database
  • On March 31st 2016 a script will randomly draw the lucky winner

Eligibility Criteria

  • Raffle needs to be entered by a US company (valid email address from a corporate domain)
  • Unfortunately the raffle can not be entered by individuals or non-US companies
  • Only participants who are not yet customers or have already received a free service in the past can participate in the draw
  • The winner can choose which system they want audited and when it will take place
  • The winner will receive a full executive summary and in-depth technical report (same as for the paid service)
Share

February 5, 2016

Today we are going to share a few tips for a more secure Apple iPhone.

1. Lock your phone.

Use a pass code and set your phone to lock after a few minutes of inactivity. To make it easier for a Good Samaritan to return a locked phone if lost, use image editing software to put text including your contact details in your phone’s wallpaper.

2. Backup your phone’s data.

Backup your data on a regular basis and download system software updates when prompted. “This way, you’ll always have the latest security updates and ensure that your device is always performing at an optimal level,”

3. Only use what you need.

Disable Wi-Fi, Bluetooth and location services when not being used. These can let evildoers access your device. “iPhones try to connect to the nearest WiFi signal and if this is left open, an attacker can create a WiFi hot spot, which the user could connect to without realizing it,”

4. Use security apps.

The BlackSMS app encrypts messages, requiring the recipient to know a password to decode them. This keeps your secrets from someone who picks up your unlocked phone and scans your message log or receives a forwarded message. “As long as the password is only known to you and the recipient, your message is safe,” says BlackSMS creator Tyler Weitzman.
The free Lookout app locates a lost or stolen iPhone, warns you if you connect to an unsecured hotspot and offers other useful security tools. You can also use Apple’s Push Notification service to lock your iPhone remotely, or erase the data on it. If you use a Cisco firewall, the free Cisco AnyConnect app sets up a secure connection permitting advanced work like using Windows Remote Desktop to remotely control a PC.

5. Choose your friends wisely.

Family, friends and acquaintances who have an opportunity to pick up an unguarded and unlocked phone probably present the biggest security risk, guesses Weitzman. Families that share iTunes accounts also, depending on settings, sometimes share text messages, he reminds. And your security is only as good as your correspondents’. “If you send a message to someone, even if you have perfect security on your own phone, if they don’t then there is still a security risk that unwanted eyes will read it,” he says.

6. Finally, don’t be lazy.

Most people don’t activate automatic locking and require pass codes to open their phones because they get tired of punching in the codes. Even more people don’t turn off Bluetooth and Wi-Fi when not used. And only a small number will go to the expense and trouble of buying and installing security apps.

7. Be careful what you click on.

“SMS texts coming to the device with links or attachments could potentially be an attack on the device,” IPhones hide the actual URLs of links included in messages, making it hard for users to know if they’re being redirected to a spoof or phishing site that will attempt to get you to type passwords or other information into a Web page, he notes.
In this regard, treat your iPhone as you would your PC and don’t click on links in e-mails or messages from sources you don’t recognize. (To find out the actual URL contained in an iPhone e-mail, tap the link and hold until a menu appears. Details about the link will be displayed at the top of the menu.) “Users should be aware of how to look at the URL bar on their iPhone to make sure they are actually on the Website they think they went to,”

Share

Free Disk Encryption Tools

Author: Martin Voelk
February 4, 2016

Encryption should be used by everyone (businesses and individuals alike). Unfortunately we see that the majority of users are still neither encrypting their communication, neither encrypting their hard drives. What would happen if a laptop gets stolen? What if a laptop is seized by an oppressive government regime? It should be common sense to encrypt everything these days. There are so many sophisticated free tools out there. Today we feature 3 of them:

Bitlocker (Microsoft OS)
http://technet.microsoft.com/en-us/library/hh831713.aspx

DiskCryptor (Microsoft OS)
https://diskcryptor.net/wiki/Main_Page

FileFault (Apple OSX)
https://support.apple.com/en-us/HT204837

Share

Cyber Crime on the rise

Author: Martin Voelk
February 3, 2016

You can read about Cyber crime in the papers daily. Breaches and hacks in all parts of the world. However what is often neglected is the fact that a lot of the Cyber crime is committed by a lot absolute amateurs with very little IT knowledge. The victims unfortunately, in most cases, are even less experienced in even basic IT Security. A lot of the crimes could be prevented by basic user education. Even a lot of companies fail to educate their users around the threats out there, so one can imagine how the security awareness is around individuals and families.

No doubt there are sophisticated hacking groups, organised networks and individuals who are very skilled and true Black hats. But the sort of scams we see almost daily are sometimes so basic, yet so effective due to the lack of education.

A few very bad examples we encountered:

  • Bad guy sends an email to someone’s wife asking for confidential information like a credit card by email. Bit of research, new gmail or Yahoo address and the results are stunning how many people send their Credit Card information to their alleged husband/wife
  • Installing Malware with a Microsoft installer and even disabling AV because the instruction of the great game or tool asks people to
  • Trusting any Facebook profile if people believe it’s actual a friend, not realising that anyone can set up any Facebook profile and pretext to be someone else
  • Get a $100 USD/EUR/GBP voucher for XYZ  by simply answering 5 questions and authenticate with your Gmail / Yahoo / Hotmail / Amazon or Ebay account. This is a bit more sophisticated but for the bad guys easily done. The problem is cross authentication where you have legit sites which allow you to use FB/Twitter login. If in doubt – don’t enter credentials! No one will give anyone a $100 voucher for a few questions.

A few golden rules to mitigate threats:

  • Mistrust all email which isn’t digitally signed (verify offline, call the boss, husband, wife or whoever asks for something sensitive by Email)
  • Don’t blindly install cool games or tools. Run an AV scan on everything first
  • Don’t trust Social Media and especially not requests for sensitive information over that medium. Verify offline
  • No one will give you a $100 USD voucher for just a few questions. And if someone really does, there is no need to supply a password ever!

A police officer in a small town in the UK recently addressed the fact that 80% of Cyber crime could be prevented by basic user education and security awareness. Very good article.

http://www.swindonadvertiser.co.uk/news/14247115.Chief_Constable_waging_war_on_cyber_crime_in_Wiltshire/

 

 

Share