Thursday, 10 April 2014

Heartbleed Proof of Concept Demo Video

We've just released a short PoC video showing exploitation of a Magento e-Commerce server using Heartbleed.

Check it out and let us know your thoughts!


Wednesday, 9 April 2014

Heartbleed: A summary

(Image courtesy of http://heartbleed.com)

What's happened?

A critical vulnerability in OpenSSL was released on Monday 7th April. OpenSSL is a very popular, open source SSL/TLS library used by millions of websites and other systems to encrypt and decrypt data.

A bug in OpenSSL's implementation of the TLS "Heartbeat" extension means a remote, unauthenticated attacker can send a specially formatted heartbeat request to an affected server which discloses the contents of the server's memory, including information that would normally be protected by the SSL/TLS encryption.

Am I vulnerable?

There are a number of proof of concept exploits available, along with websites which can tell you if a target site is vulnerable. 4ARMED have used the following website, but we should stress that we cannot vouch for the security or privacy of these sites and therefore the following link is offered for use at your own risk.

http://filippo.io/Heartbleed/


Have I been attacked?

Exploiting this vulnerability does not leave any evidence in web server logs as the issue occurs as part of the SSL/TLS connection and before the web server process begins handling the HTTP message it expects to find inside.

4ARMED expects to see widespread, automated exploitation of this vulnerability and therefore time is of the essence in avoiding becoming a victim of this attack.


What to do?

OpenSSL have released a patch for this issue and operating system vendors have produced package updates so in the first instance these patches should be applied to any affected system.

However, the problem does not necessarily stop there. As the attack allows the reading of memory contents, it is possible to disclose SSL/TLS private key information, which means any future encrypted data that an attacker can intercept can be decrypted.

The full solution is therefore, once the patch has been applied, to generate new private/public key pairs and create new SSL/TLS certificates associated with these new key pairs.
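The first step above, finding which systems run an affected OpenSSL build, is where most of the triage time goes. The following is an added example (not code from the 4ARMED post or from OpenSSL) that encodes the affected release range published at heartbleed.com: upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, while 1.0.1g, 1.0.2-beta2 and later, and anything before 1.0.1 (which predates the heartbeat extension) are not. The host names and version banners in the inventory are constructed for the example; the function and variable names are the example's own.

```python
"""Defender-side OpenSSL version triage for Heartbleed.

Added example, not part of the original 4ARMED post. Encodes the affected
upstream release range: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected;
1.0.1g, 1.0.2-beta2 and later are not; releases before 1.0.1 are unaffected.
"""
import re
import ssl

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, beta) from an OpenSSL banner, or None if not OpenSSL."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def is_heartbleed_range(banner):
    """True if the banner names an upstream release inside the affected range.

    Caveat: distributions often backport the fix without changing the version
    string, so a True result means "check the package changelog or rebuild",
    not "confirmed vulnerable"; a False result from an unpatched self-built
    library is not possible, but a False result is only as good as the banner.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version string: %r" % banner)
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f inclusive; 1.0.1g is the fixed release.
        # The empty string sorts before "a", so plain "1.0.1" is correctly included.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first beta shipped the bug; beta2 and the final release did not.
        return beta == 1
    return False


# Constructed inventory for the example: host name -> banner reported by that host.
CONSTRUCTED_INVENTORY = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb-1": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
}


def triage(inventory):
    """Sorted list of hosts whose banner falls in the affected range (patch these, then rekey)."""
    return sorted(host for host, banner in inventory.items() if is_heartbleed_range(banner))


def local_openssl_status():
    """Report the OpenSSL build this Python interpreter's ssl module was linked against."""
    banner = ssl.OPENSSL_VERSION
    try:
        affected = is_heartbleed_range(banner)
    except ValueError:  # e.g. a LibreSSL build, which this table does not cover
        affected = None
    return {"banner": banner, "in_affected_range": affected}


if __name__ == "__main__":
    print("hosts to patch and rekey:", triage(CONSTRUCTED_INVENTORY))
    print("this interpreter:", local_openssl_status())
```

Every host the triage lists needs the package update first and then, as the post says, a fresh key pair and a reissued certificate; the version check only tells you where to start, not that the work is done.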


Further information

This is a very short article summarising the key information. There are many resources available, but the primary resource is the following website, where the vulnerability was originally disclosed.

http://heartbleed.com/


Want help?

4ARMED are working with our clients to understand and mitigate this issue. If you would like us to help you too call 01832 372000 or email hello@4armed.com.



Tuesday, 31 May 2011

I did my job: we got hacked

I read this blog post today by a friend and fellow information security professional. It is an interesting article taking a sales psychology oriented approach to gaining approval for information security budget.

There was one line in particular which caught my eye and I wanted to delve a little deeper on my philosophy on this point.

The line is:

"You can either continue an ideological objection to FUD or .... get that security improvement you know that really needs to be done."

For the uninitiated FUD is "Fear, Uncertainty, Doubt" and is characterised by the "sky is falling" approach unfortunately taken by many information security professionals trying to get the attention of senior management.

This blog post is not particularly about whether or not I agree with using FUD to gain buy-in to security initiatives. I can understand both sides of that argument, and I suggest you go read Rakkhi's blog post, as the line above, out of context, can look like something it is not.

The part of that line I particularly wanted to pick up on is "get that security improvement you know that really needs to be done".

Needs to be done? Need is a strong word but I would argue it is subjective.

I have sat in meetings with CEOs of companies listening to their security staff telling them that they "need" to do something otherwise we'll "get hacked" (I'd be lying if I said it wasn't me saying it on some of those occasions), and the CEO casually accepts the risk and ushers the security staff away.

"How can he do that?!" they ask after the meeting. The answer is simple. It's his company and he is (or should be) best placed to assess what is an acceptable risk to the business.

As information security professionals, our job is to assess threats and risk as accurately as we can and then ensure we raise awareness of those to the correct people, through whatever processes we and the business have defined. What matters most is that you are sure the person responsible for deciding whether or not to mitigate is 100% aware of the full, undiluted risk.

They need to know how likely it is and what systems, data or other company assets it could affect: the worst-case and best-case scenarios, what options there are to mitigate, and how much they will cost.

If your CEO is looking back at you calmly over the meeting table, fully understanding the decision he is taking, go back to your desk and give yourself a quick pat on the back, maybe do a little happy dance and then get on with your day. Put that risk in your risk register, or whatever risk management process you use, and monitor it.

The next thing to remember is that security is not static. Threats and risks evolve and that same risk assessment you just made might just have gone out of the window with some new snippet of information. This is why a top-down security endorsement is essential as you need the lines of communication to be open with the senior management so you can go back in to the CEO and say "things have changed, are you still happy for me to ignore it?"

Of course, in the real world, it doesn't make it any more palatable when you do get hacked and it won't stop your CEO wanting to understand what's happened and if you could have done anything to stop it but, ultimately, you did your job despite the result.

Wednesday, 25 May 2011

Memorable words: Just lie!

Much has been written of the recent attacks on the Sony network but one of the smaller details I noticed made me want to write this short article.

One of the types of data lost in the breach was the answers to users' security questions. You know the ones I mean: when you sign up for a service you get asked questions like "What is your favourite colour?" or "Mother's maiden name". These questions are designed to be used if you forget your password, in order to verify your identity before allowing access to your account, where you can reset your password (best) or it displays your password on screen (worst).

This data being available to bad people is obviously not a good thing, as they can theoretically go through the password reset process, answer your security questions and gain access.

Those in security are always banging the drum about avoiding password re-use between sites but this is still incredibly common despite reasonably good password management programs being available these days to aid the process (KeePass, LastPass, even vi with OpenSSL or GnuPG).

However, even if you're using a different password for every site, if the bad guy can just reset it he wins, you lose.

So I'll let you in on a little secret: when you register for something and it asks you what your favourite colour is, "you don't actually have to tell the truth". Furthermore, you don't even need to enter a colour!

Here's a suggestion: use the same random password generator (you do use one, right?) and generate some random string as your answer. Then use that same password manager application (or an encrypted text file) to store the question and your answer. Use different answers for every site, just like you use different passwords, and lo, if the answers to these questions make it into the hands of people of ill will you can at least be confident that your only exposure is from that one website.

This approach also affords you protection against people attempting to guess your security answers. How many goes will it really take to guess your favourite colour for example? There aren't that many to choose from.

So, in summary, the recommendation should be widened: avoid not only password re-use but also the re-use of any other data which could be used to gain access to the account, wherever that data is a free choice.
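The advice above (a random answer per site, stored in the same place as the password) and the guessability point about "favourite colour" can both be shown in a few lines. The following is an added example, not code from the original post: the site names, question and colour list are constructed, and AnswerVault is a stand-in for a password manager entry, not any real product's API.

```python
"""Random, per-site answers to 'security questions'.

Added example, not from the original post. Shows (1) why a free-text answer
drawn from a tiny set is easy to guess, (2) generating an unguessable answer
with the CSPRNG, and (3) why a different answer per site limits a breach at
one site to that site.
"""
import math
import secrets
import string

ANSWER_ALPHABET = string.ascii_letters + string.digits

# Constructed list standing in for "answers a guesser would try first".
COMMON_COLOURS = [
    "red", "blue", "green", "yellow", "orange", "purple", "black", "white",
    "pink", "brown", "grey", "silver", "gold", "turquoise", "navy", "teal",
]


def guess_space_bits(alphabet_size, length):
    """log2 of the number of equally likely answers: the work a guesser faces."""
    return length * math.log2(alphabet_size)


def random_answer(length=20):
    """An answer chosen uniformly at random; it says nothing about the account holder."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


class AnswerVault:
    """Stand-in for password manager entries: one random answer per (site, question)."""

    def __init__(self):
        self._entries = {}

    def enrol(self, site, question):
        """Generate and store a fresh answer for this site's question; return it for the form."""
        answer = random_answer()
        self._entries[(site, question)] = answer
        return answer

    def lookup(self, site, question):
        return self._entries[(site, question)]

    def exposure_after_breach(self, breached_site):
        """Sites whose stored answers the breached site's data would also unlock."""
        leaked = {a for (s, _q), a in self._entries.items() if s == breached_site}
        return sorted({s for (s, _q), a in self._entries.items() if a in leaked})


if __name__ == "__main__":
    print("colour from a list of %d: %.1f bits" % (len(COMMON_COLOURS), guess_space_bits(len(COMMON_COLOURS), 1)))
    print("random 20-char answer: %.1f bits" % guess_space_bits(len(ANSWER_ALPHABET), 20))
    vault = AnswerVault()
    vault.enrol("shop.example", "favourite colour")
    vault.enrol("bank.example", "favourite colour")
    print("exposed by a breach at shop.example:", vault.exposure_after_breach("shop.example"))
```

Re-using one "truthful" answer would make exposure_after_breach return every site that asked the same question; with random per-site answers it returns only the breached site.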

Thursday, 17 March 2011

E-Crime Congress 2011 - Part 3 - Verizon Data Breach Statistics 2011

It's that time of year again soon where information security businesses get to pore over Verizon's latest data breach statistics. I wait with interest to hear the FUD and marketing spin employed by some of those businesses to try and prise money from cash-strapped CTOs/CSOs this year.

As we know, 65% of all statistics are made up on the spot, so I listened with interest to the sneak preview of this year's numbers given to the audience by the charismatic Jelle Niemantsverdriet. His slide deck is now available, but Verizon are still crunching most of the numbers as we speak. I did however want to share two figures which were included and are interesting.

The first is the overall number of breaches investigated in 2010.  Over 800. Given that in the years 2004-2009 a total of 900 breaches were investigated this represents a huge spike in breach investigations.  Of course, statistics never tell the whole story.  It's important to remember these are breach investigations, not breaches themselves.  This either means more people are requesting investigations, more people are requesting investigations from Verizon specifically, or we, as a collective industry are getting better at detecting breaches.  None of those is a bad thing in my opinion.  I await Verizon's analysis of this aspect with interest.

The second and more interesting statistic to me was this. In the 2010 report, the percentage of data breaches discovered by "Log analysis and/or review process" was a shockingly low 3%. In 2011, the percentage has decreased... to zero!

This is despite all of the industry push towards "Log Management" and SIEM solutions and advanced correlation engines, etc. Not one of over 800 breaches was detected by reviewing logs.

Log review is one of the basic cornerstones of security and, while I certainly believe it has many limitations, particularly those of scale and noise, ignoring your logs is like ripping the speedo and warning lights out of your car and going for a drive.  It's not just a security problem but a basic operational issue too.  How do you know things are functioning if you're not looking at your logs?


Without knowing how many of the affected businesses had some sort of regulatory requirement to review logs it is hard to be too critical. However, I think it likely, based on last year's figures, that we can assume a great proportion at least were dealing with credit card data and therefore were required to be compliant with the PCI DSS. Requirements 10 and 12 of the PCI DSS clearly set out the need for daily log review and incident response procedures. I'm not anti-PCI DSS or compliance by any stretch (separate blog post to come) but it is yet more indication that the check-box approach most companies take to compliance is not producing more secure networks and businesses.

All those turnkey log management solutions are great but time and again companies are missing the fact that the investment they need to make is not in hardware but in people.  Of course you need to find a way to pull all of this log data together and assemble it in some meaningful way but don't spend all your budget on that and then forget to employ someone or train someone and give them the time to review the logs properly.  You'll be amazed what you find.

For many small companies where their IT is entirely outsourced already, it is important to understand what your IT company is providing you in terms of log review and to ensure that clear, agreed procedures stipulate what will happen if something erroneous is detected. Your contract should enforce this.

If your existing IT provider is not able to provide the kind of log review you need feel free to get in touch with us to see how 4Armed can help.

E-Crime Congress 2011 - Part 2 - NorCERT

I was interested to hear the talk by Christophe Birkeland who is the Director of NorCERT in Norway.  NorCERT is the Norwegian Cyber Emergency Response Team.  The thing about it which caught my attention was their "VDI" system. VDI stands for Varslingssystem for Digital Infrastruktur, in English, the Alert and Warning System for Digital Infrastructure.

Essentially this boils down to a national intrusion detection system with sensors deployed in public and private business networks.  The sensors upload data back to NorCERT who use it to detect and profile attack information across Norwegian Internet space.

It's an interesting idea, especially when you discover that the businesses signed up to the scheme are also paying for the privilege, approx $50,000 USD annually.  For this they receive a sensor which is specified by NorCERT for them to place in their network at their Internet ingress point.

As a paranoid and suspicious security professional this idea was initially quite frightening and the mind races at the prospect of government data tapping, etc.  This point was clearly not lost on the Norwegian authorities who have built the whole platform on trust.  The sensor is bought and owned by the companies themselves.  They maintain all access to it and manage all aspects of its operations.  Companies can spend as much time as they like going over the devices to ensure they are doing what they expect (and nothing more).

Christophe stated the three principles on which the scheme runs:

  • Trust
  • Value added
  • Information sharing


The trust I have already discussed. The value added is what's in it for businesses in return for this annual investment and participation: essentially, a wealth of information NorCERT is able to disseminate about attacks against Norwegian businesses, backed up with real data. Which leads in to the final point, information sharing. This is all made possible by scheme members sharing information, implicitly. Closed forums for the discussion of pertinent criminal activity against parties with common interests are not new (High Street banks for example) but the way that this scheme works allows the flow of information for independent correlation and analysis in an open and unfiltered way.

I cannot comment on the effectiveness of this approach with any hard data but I welcome the pro-active way in which NorCERT has attempted to deal with a national issue.  Having an early warning system of this nature is a good idea but of course, it remains essential for the companies who are targeted to have in place good quality, well rehearsed incident response plans to deal with whatever is being thrown at them.

E-Crime Congress 2011 - Part 1 - The Government perspective

I was invited this year to attend the E-Crime Congress 2011 in London. Due to other time commitments I was only able to attend one of the two days and, based on the talks on the two days, decided I would attend Day Two. Most of the "big boys" like Adobe and Facebook were all talking on Day One and, while I'd have been interested to hear what they had to say, I thought there was likely to be more new content to be had on the Wednesday.

The conference is a single track with two breaks for "Education Seminars".  All talks were limited to twenty minutes.

The day kicked off with an opening speech by Rt Hon The Baroness Neville-Jones, the government Security Minister.  A lot of the speech was, as you might expect from a politician, a re-statement of existing policy commitment but for those of us who don't manage to keep up with Whitehall as much as we'd like it served as a useful update on where the government sees the state of electronic crime in the UK.

"Cyber Security" is viewed as one of four "Tier 1" risks the UK faces.  Tier 1 is the most severe on the scale. The government has committed £650m over the next four years in to tackling the problem and will be publishing its Cyber Security Strategy in the next few months.

Partnership was a word which kept being reused. The government acknowledges that in order to succeed in fighting electronic crime it will require partnership with the private sector. The Baroness stated that she believes the UK has a significant advantage when it comes to dealing with the problem due to a strong security sector.  As a business trading in the information security industry we are obviously aware of the number of firms providing services.  As with all sectors of course, numbers don't tell the whole story.  There is a skills shortage in the UK at the moment, a position understood by the government itself and something the UK Cyber Security Challenge hopes to address.

Baroness Neville-Jones came over well to me, seemingly up to date and well advised.  She was animated on such topics as "Hacktivism" stating that we need to rid it of "false glamour".  I agree.

This leads nicely in to the talk by Sir Ian Andrews, Chairman of SOCA. Though the two did not follow one after the other, it was nice to see some cohesion between those in power and those at the coalface. Sir Ian discussed briefly the challenges the Internet has brought in law enforcement, lack of borders being an obvious one, but he picked up on anonymity as the biggest issue. While the UK has committed to privacy for all its citizens it clearly causes issues for those attempting to police the Internet. Anonymity does not mean no accountability. There is a perception that you won't get caught and perhaps even a sense that it's not "real". The fact that so many decided to download the LOIC and voluntarily participate in illegal DDOS activity has, I think, surprised a number of people, including the government.

The average person is probably not aware of the Computer Misuse Act and probably not aware of how easy it is to track individuals using their own IP address. The recent arrests have hopefully shown that there are consequences for this type of behaviour and that perhaps people should find other, legal, ways to demonstrate support for causes they believe in.

Of course, for those who know how, the Internet is a very easy place to hide and so, in its present form, anonymity can be virtually guaranteed which by implication means no accountability.

As highlighted by Sir Ian, with the exhaustion of IPv4 addresses and the inevitable uptake of IPv6 the criminals will have a virtually limitless space in which to hide.

So how do we defeat it? The government is calling on every citizen to stand against it. This all sounds very stirring but essentially it does boil down to everyone doing their bit, getting educated about the risks and removing the low-hanging fruit which is making easy pickings for the criminals. They advise everyone to have a look at the government site http://www.getsafeonline.org/ for a starter. It's a pretty good reference for the home user or small business owner and gives some good advice on getting the basics in place. Some of the information is a little out of date in terms of software versions but the advice is still relevant.

There's a lot of information and I suspect the average non-technical reader is going to get lost pretty quickly and perhaps the focus shouldn't be there anyway.  It doesn't matter how patched or up to date your anti-virus is, if a criminal can get you to visit one of their malicious websites or open a malicious email attachment it is, unfortunately, game over.  For this reason the page I suggest that everyone starts with is actually "Avoid Criminal Websites".

So, the government's done a good job of brain-washing me and making sure I spread the word as an Information Security professional.  I decided to keep the "on message" government stuff in one post.  I will post some separate posts about the other talks.