More TLS/SSL Goodness around TLS v 1.0

October 20th, 2014 No comments

For those who have been following, there are some nuances of the latest Crypto Security flaws that may have been missed by most…

Adding to my previous post, you should not only completely disable SSL v3 and v2, but consider disabling TLS v1.0 as well.

Another good site to test your browser or client for its security configuration is https://www.howsmyssl.com/


Happy Monday!



Welcome to October! Where happiness abounds and Infosec suffers!

October 16th, 2014 No comments

Wow, that happened FAST!!! (time flies…)

Well, it’s now the middle of October. We’re back, and had a wonderful time in Hawaii, getting married, and spending our honeymoon in Wailea and Kihea on the wonderful island of Maui.  For those who care, we held a very private ceremony on Po’olenalena Beach (aka Changs Beach) with only our officiant and ourselves.  There will be photos, soon… as we’re waiting on them from the photographer.

Now on to what I missed and fell into upon returning.

  • The POODLE vulnerability
  • The Great Californian Shakeout
  • National Cyber Security Month

Gap in posting

September 24th, 2014 Comments off

You may, (or may not) have noticed that there is a gap in my posting recently.

I’m getting married on October 4th of this year, and now, I’m running at 110 mph finalizing and preparing to go out-of-town for that event!  [i know, i can't believe it either!]

I plan on returning to this space sometime after the middle of October with some new articles, opinions and thoughts around all things information security related.


Hope you all have a great week, and if you wish to contact us, please do so at dc0de at foundpackets dot org.


Hide your “Smartphones” Las Vegas| #InfoSecMecca coming

July 31st, 2014 Comments off

Ok folks… I know… you don’t want the drivel to end… but, I have to take a break. DEFCON 22 is around the corner, and I’m going into full on preparation mode.


However, this post isn’t without some warnings that you should heed if you’re going to be in Las Vegas next week for BlackHat, DEFCON, and/or BSidesLV, (What I like to call InfoSecMecca).


Your Smart phone is vulnerable. Period.


This week’s SANS Daily InfoSec Podcasts have spoken of several smartphone vulnerabilities for both Android and Apple products. So, you’re going to the InfoSecMecca in Vegas? Here are a few tips for you.

Old Phone, New Phone (Photo credit: CJ Sorg)

  • Do’s

    • Lock your smart phone (with battery removed if possible) in a Faraday cage in your hotel room, and don’t turn it on for any reason, except in a life threatening emergency.  (No, I’m not kidding)
    • Disable ANY/ALL automatic update service, either from Google Play, the Apple Store, and/or any other source of software updates.  This also includes the Amazon store, and your carrier automatic updates.
    • Purchase an OLDER pay-as-you-go phone and forward your mobile number to that one, or simply get with the 20th century and use Google Voice. This will set you back $30-50, depending on what phone and what services you buy and how much you plan on using it, but it’s far cheaper than having your smartphone “pown3d” and your office getting emails from you saying “I went to and all I got was digitally raped”.
  • Don’ts

    • Believe that your [insert security vendor app] is going to protect you.  It won’t.
    • Bother discussing or commenting if you are one of those who takes their smart phone to “see what’s going to happen”.  For you, I have no words.
    • Enable purchasing from any mobile device while in Las Vegas during InfoSecMecca.
    • Worry, be happy.

That’s all I’ve got, and I hope to see you in Vegas during the InfoSecMecca; I’ll be running around between BSidesLV and working @ DEFCON.

For those travelling this and next week, please be safe.


InfoSec is roaring, yet people aren’t really more secure. Why?

July 29th, 2014 Comments off

In the past weeks, as I’ve restarted blogging about Information Security, I’ve become much more curious as to how non-technical people view Information Security. In my non-scientific assessment, casually watching people use their computers and mobile devices all around me, I’ve determined, again very unscientifically, that the majority of people simply don’t care. I’m over being shocked, stunned, or befuddled; now I simply accept it. So, I’ve been asking myself the following questions.

  • Does Information Security for Consumers need to be fixed?
  • Who is responsible for fixing Information Security for Consumers?
  • Where should Information Security for Consumers be fixed?
  • How should Information Security for Consumers be fixed?

So, in this entry, I’m going to try to tackle the first bullet, and leave the other three (or more, if I get some good suggestions), in follow-up blogs.  So, here goes.

Does Information Security need to be “fixed” for consumers?


Wow, what a loaded question. The short answer? There isn’t one. On this question, I see a variety of issues, opportunities, and, simply, a bunch of FUD. There will be companies claiming that they do this for you on your mobile devices, and IMHO there are some that do this job adequately; however, they don’t have a desktop equivalent, which prevents the consumer from having ONE tool to use. Remember, consumers want the “Easy” Button. (Thanks Staples, you ruined it for the next guy.) Most of the tools are cumbersome, written with technical experts as the audience, and filled with bloat. What happened to the software community? There once was a time when a tool simply did its job and functioned without damaging or [severely] impacting performance. Can we get back to that please? (Looking at you, Symantec, and a few others.) I truly want to be able to recommend some tools to the consumers in my life who aren’t tech savvy, and when I do, I end up supporting said tools. So, [insert big software companies’ names here], I’m done recommending your tools and utilities. I’m simply going to tell those people that they’re on their own and that Your Mileage May Vary (YMMV). But I’m straying from the question… back to the point: should Information Security be fixed for Consumers? In order for Information Security to be functional for the Consumer, it needs to be simple. It needs to continually and repeatedly remind Consumers what data they are l̶e̶a̶k̶i̶n̶g sharing, and give them the options to return to a more secure posture. The updates should be automatic and secure. Sign everything that you ship as code/software/updates. If it takes a little longer, background the process so that it notifies the Consumer that it’s going to take a few minutes/hours, and that the tool/software will let them know when it is completed. These are SIMPLE things. And yet, it seems that they have to be called out.

So, the simple answer to this question?

HELL YES.
It needs to be fixed.


Do you have any thoughts on this? Any suggestions for any more bullet points? Comments? Let me know…


Think you’re now untrackable? Think again. HTML5 is now tracking you.

July 22nd, 2014 Comments off

We have worked long and hard in the Information Security world to keep ourselves anonymous on the internet, for many reasons, and yet here we are, with some new revelations that we’re being tracked yet again.

CIA seal (Photo credit: Wikipedia)

We have seen many articles on the use of TOR, its beginnings, and how the CIA, DARPA and others have actually funded it to enable their resources to use the internet with anonymity, and that they have methods available to find the actual end user communicating using the service. (See “Almost everyone involved in developing Tor was (or is) funded by the US government” for more info.)

English: Tor Logo (Photo credit: Wikipedia)

However, what I’m talking about here is something that I heard this morning on the SANS Daily InfoSec Podcast for July 22, 2014; it covered a topic of great interest to me. Recently, I disabled Flash in my browser (Firefox on Linux) and moved to HTML5. I did this to make my browsing more secure; however, the report from the Podcast showed me that this comes with a new privacy leak. “Meet the Online Tracking Device That is Virtually Impossible to Block” is the title of the writeup, and it shows that in HTML5 there is:

Information Security Wordle: RFC2196 – Site Security Handbook (Photo credit: purpleslog)

“A new kind of tracking tool, canvas fingerprinting, is being used to follow visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.”

Basically, as I understand it, the HTML5 canvas element lets a website draw pixels in your browser; it is meant for drawing objects, but because fonts, operating systems and many other variables make each machine draw slightly differently, there are now methods to fingerprint the system, and potentially the end user. One of the primary offenders is the popular blog plugin called “AddThis”.


“First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.”

The article is very disturbing, and they include a proof of concept URL to test your own browsers. If you want to see an example of fingerprinting, also take a look at http://www.browserleaks.com/canvas.


The only method that I can use to prevent this action is to use No-Script in Firefox, however, it makes any HTML5 page useless.


Stay tuned, I’m hopeful someone will create a browser plugin to selectively stop HTML5 from rendering pixels on your canvas, in a hidden format.  I’m proposing the name NO-CANVAS, something that works like No-Script, and allows you to whitelist sites, and or objects that request access to the HTML5 canvas.
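The kind of selective guard this paragraph proposes, as an added example (not code from the post or from any existing plugin), written so it runs offline in Node against constructed stand-ins for the browser's canvas objects; the hidden-canvas heuristic, the allowlist handling and all names are this example's own assumptions:

```javascript
// Added example, not code from the original post or from any real plugin: a
// minimal "NO-CANVAS" style guard of the kind the post asks for. It wraps the
// three read-back calls a canvas fingerprinting script relies on (toDataURL,
// toBlob, getImageData). A read from a canvas the visitor cannot see gets a
// neutral answer with no device-specific pixels unless the page origin is on
// an allowlist, and every attempt is logged. The hidden-canvas heuristic and
// all names below are this example's own assumptions.

// Constant 1x1 PNG returned in place of the real rendering (same for everyone).
const NEUTRAL_PNG = 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAA' +
  'AfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';

// Assumption: a canvas that is detached from the document, zero-sized or styled
// invisible is one the visitor never sees, so reading its pixels serves the script.
function isHiddenCanvas(canvas) {
  if (!canvas || canvas.isConnected === false) return true;
  if (!(canvas.width > 0 && canvas.height > 0)) return true;
  const style = canvas.style || {};
  return style.display === 'none' || style.visibility === 'hidden';
}

// What a blocked call hands back: the right shape, no identifying content.
const NEUTRAL = {
  toDataURL: () => NEUTRAL_PNG,
  toBlob: (self, args) => { if (typeof args[0] === 'function') args[0](null); },
  getImageData: (self, args, original) => {
    const img = original.apply(self, args); // keep width/height, zero the pixels
    if (img && img.data) img.data.fill(0);
    return img;
  },
};

// Patches the prototypes in place; returns the audit log for inspection.
function installCanvasGuard({ canvasProto, contextProto, origin, allowlist = [] }) {
  const log = [];
  const originAllowed = allowlist.includes(origin);
  const wrap = (proto, name, toCanvas) => {
    const original = proto[name];
    if (typeof original !== 'function') return;
    proto[name] = function guarded(...args) {
      const hidden = isHiddenCanvas(toCanvas(this));
      const blocked = hidden && !originAllowed;
      log.push({ method: name, origin, hidden, blocked });
      return blocked ? NEUTRAL[name](this, args, original) : original.apply(this, args);
    };
  };
  ['toDataURL', 'toBlob'].forEach((n) => wrap(canvasProto, n, (c) => c));
  wrap(contextProto, 'getImageData', (ctx) => ctx.canvas);
  return log;
}

// Offline demonstration on constructed stand-ins for the browser objects
// (in a real page: HTMLCanvasElement.prototype, CanvasRenderingContext2D.prototype).
function simulate(origin, allowlist) {
  function FakeCanvas(props) {
    Object.assign(this, { width: 220, height: 30, isConnected: true, style: {} }, props);
  }
  FakeCanvas.prototype.toDataURL = function () { return 'data:image/png;base64,DEVICE-SPECIFIC'; };
  FakeCanvas.prototype.toBlob = function (cb) { cb({ size: 1234 }); };
  function FakeContext(canvas) { this.canvas = canvas; }
  FakeContext.prototype.getImageData = function () {
    return { width: 2, height: 1, data: new Uint8ClampedArray([7, 7, 7, 255, 9, 9, 9, 255]) };
  };
  const log = installCanvasGuard({
    canvasProto: FakeCanvas.prototype, contextProto: FakeContext.prototype, origin, allowlist,
  });
  const hidden = new FakeCanvas({ isConnected: false }); // drawn but never shown
  const visible = new FakeCanvas({});
  let blobResult = 'unset';
  hidden.toBlob((b) => { blobResult = b; });
  return {
    hiddenDataUrl: hidden.toDataURL(),
    visibleDataUrl: visible.toDataURL(),
    hiddenPixels: Array.from(new FakeContext(hidden).getImageData(0, 0, 2, 1).data),
    hiddenBlob: blobResult,
    log,
  };
}
```

In a page this would have to be installed at document start, before any site script runs, on the real HTMLCanvasElement and CanvasRenderingContext2D prototypes; the heuristic will flag legitimate offscreen rendering too, which is exactly what the per-site allowlist is for.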


Until then, I’m going to be taking a much closer look at what sites are doing with HTML5, and I’ve already added “AddThis” to my Adblock and No-Script plugins.


What are your thoughts, is this paranoia, or a significant risk?


Walmart – The *new* fence for credit card thieves

July 16th, 2014 Comments off

So, I went to Walmart with my fiancé, and while we were checking out, I showed my credit card and ID to the employee at the checkout, and the person said, “I don’t know why people do that, it’s not like we check ID for credit cards.” The checkout clerk didn’t even want to look at my card or my ID, nor did he validate that my card was signed. (Which it’s NOT.)
I tried to explain that when using a credit card, identification is also supposed to be checked, and this person replied, “What if someone gave their card to another person to buy things for them? It’s not like we [Walmart] have a policy against people using other people’s cards, it’s not like we can stop them or anything.” They followed with, “we allow people to use cards that aren’t theirs, we do it all the time.”


I took a moment to try to explain that this was fraud, but the person behind the register simply said, “Well how can it be illegal, we do it all the time?”

I finally finished with the statement, “Well, now I know how my credit card was used illegally in Lawrenceville, Georgia last month at a Walmart.” It seems to be the place to purchase goods with stolen credit cards.


Needless to say, Walmart seems to be the lowest common denominator when it comes to Credit Card Fraud.  Read some of the stories below to learn more…


Do you have a retailer that doesn’t check cards well? Please comment and let us know.

HeartBleed – still lingering

June 12th, 2014 Comments off

Today, while going through some of our logs, I was alerted to several instances of systems that are susceptible to a “reverse HeartBleed” attack. As the company I work for is very risk averse, I tried to contact the hosting company (SoftLayer) to discuss this with them. I reached out via their online chat application and chatted with a nice fellow, presumably named “Jason S.” The transcript of the conversation appears below, with my name and my company’s information redacted.

Thank you for choosing SoftLayer. A representative will be with you shortly.
You are now chatting with ‘Jason S’
Jason S: Hello, thank you for contacting SoftLayer. How can I help you today?
dc0de: Jason, how can I get in contact with your Information Security Group? We are receiving attempts to break into our systems from one of your hosted IP Addresses
dc0de: Actually, from several.
Jason S: I’m sorry to hear this dc0de
Jason S: May I have your account number?
dc0de: We do not have an account number.
dc0de: I’m with , and I’m a Sr. Information Security Analyst, working for the VP of Information Security.
dc0de: dc0de Information Security Analyst
,<telephone#>,
dc0de: ^^ My information
dc0de: If you could put me in contact with your information security team, I would greatly appreciate it.
Jason S: You will need to email abuse@softlayer.com
Jason S: Put all the information you have in the email and our abuse team will take care of it
dc0de: I would like to speak to someone on the phone or we will have to block your IP ranges from coming to our data centers, thereby potentially impacting your customers.
dc0de: Could you have someone in your Information Security team contact me directly, or provide me with a phone number to call?
Jason S: You can try our support number
Jason S: SUPPORT: 866.403.7638
Jason S: But I’m afraid they are going to tell you the same thing.
dc0de: are you saying that you do not have an information security department?
Jason S: We do take these things seriously and will look in to it
Jason S: That would be our abuse team
dc0de: and they are only available via email? That’s not very approachable.
Jason S: Is there anything else I can assist you with dc0de?
dc0de: Nope.
Jason S: Thank you for choosing SoftLayer.  We value your feedback.  Please click the “Close” button at top right to answer a few questions about your experience with us today.

As you can see, there wasn’t a very simple method to get in touch with their “InfoSec” people, and as such, I’ve gone to Twitter, and posted this, to show how poorly hosting providers are these days, and how difficult they make doing our jobs in InfoSec.

The worst part? SoftLayer is hosting several systems for a company based out of Nigeria, in their Dallas Data Center that are at the heart of the problem.  Whelp, if you’re a SoftLayer customer and have difficulty communicating with some businesses in North America, don’t blame us, we just blocked the SoftLayer network blocks at our border.

Note to SoftLayer – We tried to get in touch with you, and you made it very inconvenient, if not impossible to work together.  Kthnxbye.


Keeping your portable devices safe and secure

May 23rd, 2014 Comments off
Cellphone Keyboard (Photo credit: Wikipedia)


Today, many of us have at least one portable device (smart phone/tablet/mobile hotspot/etc) in our households. These devices provide us the ability to do more things when we are in and out of the office. This new era of technology is certainly changing the landscape of how we work, play, and communicate. We would like to explore a scenario that could happen to you, that has already happened to countless others, so that we can explore the risks and pitfalls that also come with this new technology.

What we’re talking about is having your device infected, lost, or stolen. Understanding the risks will help you recover more quickly from these events, and hopefully make you a smarter portable device user. So let’s start out with the basics, the risks of smartphones.

Smartphone Risks

These top risks have one thing in common, data theft or loss. This is a huge area where criminals are eager to gain a larger foothold. Let’s take a minute to think about the data on your device.

First, you have your name, most likely your home address, some contact information for friends and family, and most of the time you have information about your employer, and perhaps even email, remote access, and other sensitive data. Some people actually do their banking from their devices, send information via SMS/Text Messaging, social networks, and much more.

Most people store this on their phone and save passwords, so someone gaining access to their phone could potentially gain access to all of the accounts and data that the phone is enabled to connect to.

Thankfully, there are a few simple things that you can do, to make this much more difficult for these actors to get YOUR data and information.

  • Notify your carrier immediately if your device is lost or stolen. This allows your carrier to try to locate and/or wipe your device remotely, reducing the risk of data loss or malicious use of your device.
  • Password Protect and Encrypt your device. These steps can decrease the risk of data loss in the event that your phone is lost or stolen. Install remote detection, remote wipe, and remote photo capturing software applications. If your device can be remotely wiped it will ensure that a lost phone does not turn into a Data Breach.
  • Install only approved applications from approved application sources (Google Play, or the Apple Store). Beware of “free” applications, many applications that appear to be “free” also collect data from your device, WITH YOUR consent.
  • Do NOT automatically connect to Wireless Networks. Many devices are set to connect automatically to wireless networks, however, there are many public places with open wireless, which are not secure and are easily spoofed. How do you know that the wireless network you connected to really is the official “coffee shop” wireless access point(s)? There could be someone sitting in the coffee shop with a fake Wireless device in their backpack, spoofing the same wireless ID of the “coffee shop”. It happens more frequently than many would like to admit, and is a great way to get people’s account information, personal data, and install back doors on mobile devices. Use care when connecting and only connect to wireless networks that you are certain aren’t under malicious control.
  • Disable auto-discovery of Bluetooth on mobile devices and laptops. Many devices are left in the “broadcast” mode of Bluetooth, allowing other devices to find, and potentially connect to, your device. While some strides have been made to make this a more secure method of short-distance communication, many devices are still broadcasting their Bluetooth IDs blatantly, for the world to see.


Why you need privacy in communications – You can still have it… in IM.

November 6th, 2013 1 comment

Today, more than ever, with the release of the recent NSA Spying scandal, the new version of CALEA going forward in Washington, and ever present movement by governments to read into the private messaging of individuals, we all need to get smarter, and use tools that we may have never touched before, to regain the privacy in interpersonal communications across the internet. There are many tools out there, and there are many different ways to achieve the same goals, however, today, I’m going to talk about a few p̶r̶o̶d̶u̶c̶t̶s tools that I use on a daily basis for Instant Messaging (IM) from my Windows 7 computer.

First and foremost, I use Pidgin for all my IM needs. Pidgin is available, for free, to anyone, simply by going to http://pidgin.im/. For those of you who are reading this with limited experience with Free Open Source Software (FOSS), this will be a revelation, that yes, there are free tools out there that allow you to download, install, and use, with no charge, no catch, no penalties. Pidgin is my main tool for chatting inside, and outside of work. It also allows me to have multiple connections to different IM services, as seen by the list that they have on their website:

AIM, Bonjour, Facebook Chat, Gadu-Gadu, Google Talk, Groupwise, ICQ, IRC, MSN, MXit, MySpaceIM, SILC, SIMPLE, Sametime, XMPP, Yahoo!, & Zephyr

I’m only using AIM, Google Talk, IRC, MSN and Yahoo!, and I also use SIPE, which allows connection to my internal Microsoft Communicator through the rich plugin architecture built into Pidgin. Pidgin allows developers to build plug-ins so that you can extend the functionality of the tool, and SIPE is one of those that works very well, allowing me to use one client to “rule them all”, so to speak, with regards to my Instant Messaging. While there isn’t a Pidgin for mobile devices yet (I’m ever so hopeful), this tool does allow me to have all of my IM contacts available in one tool, where I spend the majority of my day, on my computer. This plugin architecture is critically important for the privacy aspect that I mentioned above, as an external plugin is needed in order to achieve secure Instant Messaging.

Once you have installed Pidgin and gone through the setup of the client, you should easily find how to add your accounts into the tool. Once this is done, and you’ve tested the functionality with your Instant Messaging contacts, it’s time to go private… Now here is the difficult part. If you want to encrypt your communications end to end, the person you’re Instant Messaging with has to have the same type of encryption. In this write-up, we’re talking about the tool called OTR, or Off-The-Record Messaging. OTR supports several IM clients; from the https://otr.cypherpunks.ca/ page, I see that OTR can function with Pidgin, Adium, Miranda and Kopete, and that they also support an AIM proxy. You can read more and view video tutorials on their page.

Simply put, adding OTR to Pidgin is a trivial Windows install, requiring that you specify the location of the installed Pidgin program (if you changed it from the default when you installed Pidgin) and a restart of the Pidgin application. Once installed, you simply launch Pidgin, go to the Tools menu, select Plugins (or press CTRL-U), scroll down in the plugins list to Off-the-Record Messaging, put a check in the box to the left of the title, and select the “Configure Plugin” button at the bottom. Inside the plugin’s configuration dialog box, you’ll find two tabs, Config and Known fingerprints.

Config Tab

The Config tab has the configuration for your default OTR settings, as well as the ability to generate private and public key pairs for use when communicating securely with someone else. You will see your defined IM accounts in a drop-down list, and you can select each one and generate a key. You should only need to generate these keys once per computer, and there are methods to back these keys up and take them with you; however, I will not be covering that process here. There are many sources on the internet for how to do this, and google is your friend (giyf). If you’d like to know how to do this, bookmark this post and come back to it later, as I’ve added a google search for the instructions here.

Once you have that setup done, it’s time to find your friends, get them using one of the OTR-supported IM clients, and set up some conversations. I’ve looked through the data that passes through the OTR plugin and saw that it was completely encrypted; it appears as total garbage to whomever is spying on your communications. Bear in mind that you are responsible for ensuring that your communications are encrypted; the OTR plugin adds informational messages into your IM window showing you the status of your communications.


receiving encrypted IM, when you’re not encrypted


setup of encrypted communications and confirmation of encryption


Note that even though I do not log my OTR conversations, that doesn’t mean whomever I’m communicating with isn’t logging theirs, so it’s no guarantee that your conversations won’t come back to haunt you; but it does encrypt the transport end-to-end to ensure that no one can snoop on the wire.

When you first set up your communications, you’ll receive a notice that your buddy is not “Authenticated”. This page shows how that authentication can be accomplished. Please use non-IM methods of confirming identity if you are not sure who you are chatting with. A fuller step-by-step of how to set up and use Pidgin and OTR can be found here (https://securityinabox.org/en/pidgin_securechat – no affiliation).

Once you’ve got everything working, it’s wonderful to know that your communications cannot be intercepted by your employer, your government, your enemies, or anyone else out to remove your privacy from your communications.


If I have time, I’ll follow up on how to setup some other methods to increase your privacy on the internet.  Please stay tuned.


© 2008-2014 dc0de's notes... & dc0de.com All Rights Reserved -- Copyright notice by Blog Copyright