Thursday 25 April 2013

Tools update (25th Apr 13)

My slightly irregular update on new and updated Information Security tools that I have come across or use. The tools are mainly those for PenTesting although other tools are sometimes included. As a bit of background into how I find these tools, I keep a close watch on twitter and other websites to find updates or new releases, I also search for pen testing and security projects on Source Forge. Some of the best sites I have found for details of new tools and releases are http://www.toolswatch.org/ & http://tools.hackerjournals.com

SSH Communications Security, the inventor of the Secure Shell and SFTP protocols, today announced the launch of SSH Risk Assessor (SRA), a free tool that provides users with a clear report on risk and compliance exposures in SSH environments. SRA will be available in May 2013; you can request it at http://www.ssh.com/index.php/products/ssh-risk-assessor.html (registration required).

Nessus 5.2
http://www.tenable.com/products/nessus/new-in-nessus-52
Nessus 5.2 offers the ability to store attachments in the scan reports. Scan results now contain, among other things, remote screenshots via Remote Desktop Protocol (RDP) and VNC, as well as “pictures” of scanned websites.
The new attachments feature provides easy access to supporting information for vulnerability investigation and documentation, as well as offering other interesting information.

Friday 12 April 2013

Identifying SSL/TLS Ciphers

Increasingly, communications across networks and the Internet use SSL/TLS to protect transactions. This has been driven by a raft of legislation mandating the use of strong encryption; examples of such regulations, laws and standards from around the world are listed below.


  • PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (DSS)
  • GRAMM-LEACH-BLILEY ACT (GLBA)
  • SARBANES-OXLEY ACT (SOX)
  • BASEL II ACCORD
  • EURO-SOX
  • Financial Instruments and Exchange Law of 2006
  • HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)
  • FDA TITLE 21 CFR PART 11 (1997)
  • 95/46/EC EUROPEAN UNION (EU) DIRECTIVE
  • BUNDES-DATENSCHUTZ-GESETZ (BDSG)
  • CALIFORNIA SENATE BILL 1386 (SB 1386)
  • PERSONAL INFORMATION PROTECTION & ELECTRONIC DOCUMENTS ACT (PIPEDA)
  • DATA PROTECTION ACT (DPA) OF 1984 (AMENDED 1998)
  • PERSONAL INFORMATION PROTECTION LAW (PIPL) OF 2003


The SSL/TLS protocols are used by the HTTPS protocol to encrypt web pages and data entered into them. There are a number of versions of SSL/TLS in use. SSL was developed by Netscape for transmitting private documents via the Internet. TLS was developed by the Internet Engineering Task Force (IETF) to provide similar functionality to SSL.

SSLv1 - Never Published
SSLv2 - released in February 1995
SSLv3 - released in 1996 (RFC 6101, Historical document)
TLSv1.0 - released in January 1999 (RFC 2246)
TLSv1.1 - released in April 2006 (RFC 4346)
TLSv1.2 - released in August 2008  (RFC 5246)

Both SSL and TLS use cryptographic systems to encrypt data. The actual cryptographic system used is negotiated during the SSL/TLS handshake, where the cipher suite is selected and encryption keys are generated and exchanged. Both use asymmetric encryption, based on the website certificate, to exchange the keys used for symmetric encryption.

In order for SSL/TLS to be acceptable for the encryption of cardholder data in order to comply with requirements for strong encryption such as section 4 of the PCI DSS, the negotiation phase should result in the use of a strong cipher. This requires the server to support versions of SSL and TLS that do not have well-known vulnerabilities and to use cipher suites based on strong cryptography. The capabilities of a server using HTTPS are advertised by the certificate and the initial phase of negotiating the key exchange.
TLS/SSL supports a large number of cipher suites, where the cipher suite is a combination of symmetric and asymmetric encryption algorithms used to establish secure communication.
Supported cipher suites can be classified based on encryption algorithm strength, key length, key exchange and authentication mechanisms. Some cipher suites offer a stronger level of security than others (e.g. weak cipher suites were developed for export to comply with US export law).

Understanding cipher suites


There are a number of different naming conventions.

The OpenSSL naming convention, which is probably the most common, uses at least the following nodes in the name of the cipher suite:
  • key exchange,
  • server certificate authentication,
  • stream/block cipher
  • message authentication
For example
DHE-RSA-AES256-SHA

DHE for key exchange, RSA for server certificate authentication, 256-bit key AES for the stream/block cipher, and SHA for the message authentication.

Often the cipher name is prefixed with the protocol such as SSL or TLS and an additional node to indicate the mode used in the stream/block cipher such as

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Which indicates it is for TLS and uses cipher block chaining in the implementation of 256 bit key AES. Some additional terms that may be found are
  • Anon - Anonymous cipher suites with no key authentication. Highly vulnerable to man in the middle attack.
  • Export - Intentionally crippled cipher suite to conform to US export laws. The symmetric cipher used in export cipher suites typically does not exceed 56 bits.
  • NULL - Null cipher suites do not provide any data encryption and/or data integrity
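
The naming rules above can be applied mechanically to a list of suite names reported by a scanner. The following is an added example, not code from the original post: the function names parse_suite and weaknesses are assumptions, the sample names are constructed, and the rule that an OpenSSL name with no key-exchange node implies RSA for both key exchange and authentication follows OpenSSL's usual naming.

```python
KEY_EXCHANGE = {"DHE", "EDH", "ECDHE", "DH", "ECDH", "ADH", "AECDH", "PSK"}
AUTHENTICATION = {"RSA", "DSS", "ECDSA"}
ANONYMOUS_KX = {"ADH", "AECDH"}


def parse_suite(name):
    """Split a suite name into the nodes described above (assumed helper name)."""
    if name.startswith(("TLS_", "SSL_")):
        # Prefixed form: <PROTO>_<KX>[_<AUTH>][_EXPORT]_WITH_<CIPHER>_<MAC>
        protocol, rest = name.split("_", 1)
        left, right = rest.split("_WITH_")
        nodes = left.split("_")
        export = "EXPORT" in nodes
        nodes = [n for n in nodes if n != "EXPORT"]
        kx, auth = nodes[0], nodes[-1]
        cipher, mac = right.rsplit("_", 1)
    else:
        # OpenSSL form: [EXP-][<KX>-][<AUTH>-]<CIPHER>-<MAC>
        protocol, nodes = None, name.split("-")
        export = nodes[0].startswith("EXP")
        if export:
            nodes = nodes[1:]
        mac = nodes.pop()
        # No key-exchange node means RSA is used for exchange and authentication.
        kx = nodes.pop(0) if nodes[0] in KEY_EXCHANGE else "RSA"
        if nodes[0] in AUTHENTICATION:
            auth = nodes.pop(0)
        else:
            auth = "anon" if kx in ANONYMOUS_KX else kx
        cipher = "-".join(nodes)
    return {"protocol": protocol, "kx": kx, "auth": auth,
            "cipher": cipher, "mac": mac, "export": export}


def weaknesses(name):
    """Return which of the weak classes listed above (Anon, Export, NULL) apply."""
    suite = parse_suite(name)
    checks = [("Anon", suite["auth"] == "anon"), ("Export", suite["export"]),
              ("NULL", suite["cipher"] == "NULL")]
    return [label for label, hit in checks if hit]


# Constructed sample names, not output from a real scan.
SAMPLE = ["DHE-RSA-AES256-SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "ADH-AES128-SHA",
          "EXP-RC4-MD5", "NULL-MD5", "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"]

if __name__ == "__main__":
    for suite_name in SAMPLE:
        print(suite_name, weaknesses(suite_name) or "no Anon/Export/NULL flag")
```

An empty result only means none of the three terms is present in the name; it does not show that the suite meets a given standard.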

Auditing and compliance


One of the problems for those tasked with auditing or ensuring compliance with the regulations/standards is knowing what strength of cryptography has been deployed on the servers.

Vulnerability assessment tools that assess the security profile of servers using SSL/TLS will interrogate the server to assess its capabilities, attempting to connect using all versions of SSL and TLS and a range of ciphers from the weakest to the strongest. If the tool supports a PCI DSS test, it will report whether the server is secure to the requirements of the standard. However, even without a specific PCI DSS test for secure servers, the tools will report the capabilities of the server, which can be examined to see if the requirements of the standard are being met. The Nessus scanner has the capability of checking SSL services on arbitrary ports, will report weak ciphers, and includes PCI DSS audit checks.

The nmap scanner, when used with the service/version scan "-sV" option, will identify SSL services. Additionally, tools such as OpenSSL can be used to audit manually:

openssl s_client -no_tls1 -no_ssl3 -connect <server_Name>:443

Other tools that can be used are sslscan, which is included in BackTrack, and the ssl_tests script.

References


http://www.thesprawl.org/research/tls-and-ssl-cipher-suites/
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://en.wikipedia.org/wiki/Cipher_suite
http://www.openssl.org/docs/apps/ciphers.html
http://www.iana.org/assignments/tls-parameters/tls-parameters.txt
http://www.pentesterscripting.com/discovery/ssl_tests

Sunday 7 April 2013

New Talk being developed


Been asked to give a talk on Internet Security to a group of Occupational Health and Safety professionals at one of their safety association meetings, so the talk will be low level on the technicality, but the synopsis of the talk is given below.

Title: How the web hacks you


The internet has become a feature of all our lives whether at work or at home. Recent developments such as cloud services and the government's push to move its activities online mean that more and more in our personal and work life we are conducting transactions over the web. The web has made a wide range of interactions from finding information to purchasing and banking activities so much more convenient for us. However it has also made it easier for us as individuals and organisations to be attacked via the web with phishing, scams, malware and hacking occurring. Not a day goes past when some form of attack via the web is reported in the news. This talk will outline the reasons why the web is vulnerable, explain some of the more frequent attacks and suggest countermeasures that make it less likely you will be hacked via the web.


Saturday 6 April 2013

WiFi talk Feb 2013


Received some pictures of the talk I did in Feb this year to the Bedford branch of the BCS at Bedford College.

"WiFi Networks: The Practicalities of Implementing A WiFi Network" is the topic of a talk by Geraint Williams, Information Risk Consultant and Trainer, IT Governance Ltd., and Honorary Visiting Fellow at the University of Bedfordshire.



Secure configuration is becoming ever more important as an increasing number of devices are incorporating wireless technology - from laptops, smartphones, tablets, projectors and cameras, to multimedia entertainment systems and games consoles. The growing demand for allowing BYOD ("Bring Your Own Device") within the corporate network means that larger numbers of organisations are implementing wireless networks.

The wireless network standard 802.11 was originally released in 1997 by the IEEE and, by computing timescales, is a mature technology with a large base of manufacturers and both commercial and domestic users. Despite initiatives like Wireless Protected Setup (WPS) to make installation easier, there are still issues in implementing a network using wireless technology in both the corporate and home environments.

The courts have already convicted paedophiles for piggybacking neighbours' wireless networks to download material, and hackers for using wireless networks for pirating software, music and films and for spying on occupants using their own security cameras.

Wireless networks have a history of security problems with flaws in the implementation of WEP and recently with WPS. This talk will look at these issues, the (open source) tools that can be used, and how these apply to the wireless environment. The talk will include practical demonstrations of the tools and techniques discussed in the presentation and will unravel the alphabetic soup of the available standards.


Mar 2013 ADSL Router Analysis

The latest analysis of my ADSL logfiles has a new twist for March: China has dropped completely from the results and the new bad boys are the United States, or rather Akamai Technologies, Inc. The underlying scans from Turkey continue.


2012                                      2013
Country         Source IPs  Attacks       Country         Source IPs  Attacks
Turkey                  71       71       Turkey                  58       58
China                    2       40       United States           13      134
United Kingdom           2       29       Germany                  3       25
Germany                  1       13       France                   2       21
Russia                   1        1       United Kingdom           2        4
                                          Azerbaijan               2        2
                                          Russia                   1        6

There is no clear correlation between the dates of the attacks, although in 2013 the scans are concentrated on two days. The most prolific scanning IP addresses belonged to Akamai Technologies, Inc., who I have discussed previously on my blog.


My previous discussions on Akamai Technologies, Inc



Tuesday 2 April 2013

Tools Update (2nd April 2013)

My slightly irregular update on new and updated Information Security tools that I have come across or use. The tools are mainly those for PenTesting although other tools are sometimes included. As a bit of background into how I find these tools, I keep a close watch on twitter and other websites to find updates or new releases, I also search for pen testing and security projects on Source Forge. Some of the best sites I have found for details of new tools and releases are http://www.toolswatch.org/ & http://tools.hackerjournals.com

Wireshark
http://www.wireshark.org/download.html
The current stable release of Wireshark is 1.8.6. It supersedes all previous releases, including all releases of Ethereal. You can also download the latest development release (1.9.2) and documentation.

Sysinternals
http://blogs.technet.com/b/sysinternals/archive/2013/03/27/updates-autoruns-v11-5-du-disk-usage-v1-5-procdump-v5-14-procmon-v3-04-ru-registry-usage-v1-0.aspx
Updates: Autoruns v11.5, Du (Disk Usage) v1.5, Procdump v5.14, Procmon v3.04, Ru (Registry Usage) v1.0


Scylla
http://code.google.com/p/scylla-v1/
Scylla is another tool that you can use for penetration testing protocols used by different applications.