Enabling Secure Business Operations

SSL Ciphers, what are those?

June 29th, 2010

I don’t know if it’s PCI compliance fever season or what, but I’ve been asked a lot about “weak SSL ciphers” lately. Mostly, having to do with “what the heck are those anyway?” If you don’t have a decent grasp of SSL, start with my previous article on SSL. If you think you do, stay with me for a bit :)

Let’s start with what ciphers are. Ciphers are the algorithms used to do some kind of cryptography – either encryption or hashing. Well known ciphers you’ve probably heard of are RSA, 3DES, AES, Blowfish, and SHA1. SSL Ciphers are the set of ciphers that are used for all parts of the SSL negotiation – and remember there are several used in one SSL session: both asymmetric and symmetric, and hashing. If you have OpenSSL installed, you can see all of the Ciphers that OpenSSL supports by typing openssl ciphers -v (the -v gives you details that are helpful). You’ll get back a list that looks something like this (except a lot longer):
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

What each of those lines tells you is what the name of the cipher is (according to OpenSSL), the SSL version that it exists in, the Key Exchange algorithm (Kx), the Authentication (Au) algorithm, the Encryption (Enc) algorithm, and the Hash (Mac) being used. You can see where the cipher naming scheme comes in…

You don’t want any of these ciphers to be “weak”. So you’re really looking at 4 ciphers at a time to determine if the cipher is “weak”. What makes a cipher “weak”? Any algorithm (or key length) that has been determined to be easily breakable through either a flaw or brute force. An example of a weak cipher would be EDH-RSA-DES-CBC-SHA, which uses 56-bit DES for encryption. Some people claim that MD5 is now a weak cipher. Either way, your organization probably has a list of approved and non-approved algorithms, and you’ll want to compare that list to what SSL supports.

You can use openssl s_client to see what algorithms your server actually supports (rather than just what your local openssl supports).
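The classification the post describes, as an added example that is not part of the original post: a small Python script that parses openssl ciphers -v lines into the Kx/Au/Enc/Mac fields and flags the weak cases named above (56-bit DES, an MD5 MAC) along with NULL and export-grade suites. The sample output is constructed, and the 128-bit minimum key length is an assumed policy value, not something taken from the post.

```python
import re

# Constructed sample in the format of `openssl ciphers -v` (not captured from a real host).
SAMPLE_OUTPUT = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# One `ciphers -v` line: name, version, the Kx/Au/Enc/Mac fields, optional flags like "export".
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<flags>.*)$"
)

def parse_cipher_line(line):
    """Split one `openssl ciphers -v` line into its named fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised cipher line: %r" % line)
    fields = m.groupdict()
    fields["flags"] = fields["flags"].split()
    return fields

def enc_bits(enc):
    """Symmetric key length from a field like 'AES(256)'; 0 when absent (e.g. 'None')."""
    m = re.search(r"\((\d+)\)", enc)
    return int(m.group(1)) if m else 0

def weak_reasons(cipher, min_bits=128, allow_md5=False):
    """Reasons a parsed suite fails the policy (min_bits is an assumed threshold)."""
    reasons = []
    bits = enc_bits(cipher["enc"])
    if cipher["enc"] == "None":
        reasons.append("no encryption")
    elif bits < min_bits:
        reasons.append("%s key is only %d bits" % (cipher["enc"], bits))
    if cipher["mac"] == "MD5" and not allow_md5:
        reasons.append("MD5 MAC")
    if "export" in cipher["flags"]:
        reasons.append("export-grade suite")
    return reasons

def audit(output, **policy):
    """Map each suite name in `ciphers -v` output to its list of policy failures."""
    suites = (parse_cipher_line(l) for l in output.splitlines() if l.strip())
    return {c["name"]: weak_reasons(c, **policy) for c in suites}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_OUTPUT).items():
        print("%-22s %s" % (name, "; ".join(reasons) or "ok"))
```

Pipe the real output of openssl ciphers -v into audit() to check a local build against your organization’s approved-algorithm list.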

In a future post: how to configure various web servers to support only the ciphers you want.

DNSSEC .ORG TLD Signature

June 26th, 2010

The .ORG top level domain (TLD) recently received its DNSSEC signature, and now has the ability to provide integrity information about its underlying domains. This is important because it’s the first TLD to get signed. This also means it might be somewhat of a guinea pig, as any uncaught issues or bugs will probably show up when people invariably start trying to break the system.

We covered DNSSEC a bit in a previous post, and it is interesting to see how much progress has been made since then. DNSSEC isn’t new. In fact, it’s been around for quite some time in one unfinished form or another. It wasn’t until the Kaminsky DNS cache issue a few years ago that we saw a sudden surge in DNSSEC development and deployment.

But if history is any indication, the transition might not be smooth. Each registrar under a TLD has to support DNSSEC individually. This would create new costs and overhead (especially for small registrars), in addition to exacerbating the issue of fragmentation. And although a spotty DNSSEC is better than none at all, it really needs to be ubiquitous to maximize its usefulness.

Good luck, DNSSEC. You’ll need it.

Hacking Pages in Firefox with the HackBar

June 24th, 2010

A few months ago, I described how the Firefox add-on HttpFox could be used for basic traffic monitoring. Another helpful add-on that complements HttpFox nicely is called HackBar.

HackBar adds a toolbar underneath the main address bar that can be toggled on or off with the F9 key. When enabled, the toolbar provides a miniature console of sorts for various testing tasks. A resizable textbox gives you plenty of room for editing URIs, and you can also issue POST requests or spoof the referrer. Menus across the top of the bar provide common functions for working with different types of data, such as hash algorithms or encoding and decoding in Base64, URI format, and even hexadecimal.

Using HackBar has its limits, and for comprehensive penetration testing you’ll probably need better tools. But if you just want to poke around a web application or send a quick POST request, HackBar is pretty handy to have around. Combined with HttpFox, you may be surprised at how much testing you can accomplish right in your browser.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

Tutorial – Sending S/MIME E-Mail from .NET Code

June 22nd, 2010

Applications, specifically web applications, often rely on e-mail to send out error reports to administrators and developers. Besides being somewhat unreliable in terms of delivering messages in a timely fashion, e-mail is also insecure. If your application’s error reports contain identifying information about users or sensitive details about your code and what made it break, you should be delivering these messages using encrypted S/MIME e-mail.

This tutorial will show how to send an encrypted message from a .NET application.

HTTPS Everywhere

June 18th, 2010

A beta of HTTPS Everywhere was released today. It’s a collaborative project between the Tor Project and the EFF.

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

It’s good to see a project like this, especially after giants like Google finally step up and start offering more secure search features in their search engine. It’s only in beta so far, but it does look very promising.

One thing to look out for, though: just because you have a plug-in like this doesn’t mean every site you go to is going to be secure. You still need to check your browser’s security notifications/icons to ensure you’re on a protected site.

Researching DLP Solutions

June 17th, 2010

I recently had a project to help spec out a DLP project for a customer from a high-level perspective. Having never done anything with DLP previously I embarked on a research mission. What I found was interesting. There’s not much out there on the intarwebs. As such, I thought I’d offer a few quick suggestions, just in case you want to go research solutions, too.

  1. Start with Securosis! Their reports are freely available, comprehensive, and more informative than anything else I found.
  2. Search for Gartner and Forrester reports. While these analyst firms charge for their reports, vendors will often post them for free. Specifically, try these search strings:
    • “forrester wave content security suites”
    • “gartner magic quadrant data loss prevention”
  3. Beware DLP (as in Digital Light Processing) from Texas Instruments. You might need to use advanced search operators such as -television -TI to exclude those results.

Happy hunting!

LIGATT honestly and truly scares me

June 11th, 2010

If you haven’t already heard about LIGATT Security, you need to. I won’t do them the favor of linking to them from this blog post, but I would like to provide some information about why I’m afraid of them. No, it’s not because they have the world’s #1 hacker.

There is a lot of terrific information about the company, its misgivings and wrongdoings on attrition.org’s Charlatan page for Gregory Evans, the LIGATT founder and CEO.  Convicted of wire fraud in the beginning of last decade, Mr. Evans made good upon his release from prison by… marketing a caller ID spoofing service starting two days after the US House of Representatives made caller ID spoofing illegal.

Another fantastic resource is the book review issued today by Ben Rothke on Gregory Evans’ book How To Become The Worlds No. 1 Hacker.  In the review, Rothke explains:

In short, this is merely a work of cut and paste.  In the parts of the book where the author attempts to write original text, it’s ripe with various errors.  I could list many such errors, but why bother… But the real offense is the author’s blatant use of unattributed sources.  I am not talking about a paragraph here or there, it is about wholesale plagiarism, often taking the form of an entire chapter.

So what scares me about them?  No, it’s not that they have the “#1 hacker for hire”.  I’m more scared of my own employees than this joker. It’s because they are a marketing machine that is escaping the ire of the media.  In fact, they’re getting fluff pieces on Fox News and publicizing frightening commercials, taking out full page ads in hakin9 magazine, talking on radio stations, and issuing press releases and ALL CAPS tweets regularly. There’s even a movement to get LIGATT profiled on Oprah.

They proclaim on their front page “LIGATT Security is a leader in cyber security.” If anyone treats and respects this company as a “leader” it will put the community of hard working information security professionals many steps behind.  Organizations like this give the whole security community a bad rap.

Maintaining Security with Enterprise Virtualization

June 11th, 2010

Recently at Gemini we evaluated basic security implications of deploying a particular large-scale desktop virtualization package. Many people have heard of “virtual machines” that enable you to run different operating systems concurrently on one physical computer. But enterprise virtualization solutions go far beyond that scenario, enabling companies to do everything from streaming specific applications from a server rather than installing them, to having users share the same desktop configuration running on a central server. Companies can even mix and match various types of virtualization in the same environment.

The variety of virtualization options means each situation can carry specific security demands. But certain benefits and risks factor into many deployment decisions. On the positive side, virtualization can simplify maintenance and help ensure consistency by centralizing certain administrative tasks. The added layers of abstraction can also assist in isolating resources or adding flexibility to data storage options.

But those same new abstractions mean increased complexity and potentially much more data flowing between various parts of a network. Administrators also need to stay aware of how data retention is handled in a virtual environment. Adding virtualization to an existing environment can blur traditional notions of access, authentication, and management. Securing each aspect may require rethinking old approaches and policies; for instance, stealing an entire virtual desktop basically involves copying a file.

An article from last month in The Register explores these and other aspects of virtualization security. And as an earlier piece had noted, many deployments introduce security risks from a failure to fully evaluate the effects of such a setup: “Oddly enough, in many cases, security seems to not even be an afterthought, much less a forethought. Gartner’s surveys show that 40 per cent of server virtualization projects were done without bringing the company security experts in from the get-go as the virtualized infrastructure was planned.”

If you’re thinking of adding desktop virtualization to your enterprise, don’t make the same mistake – contact Gemini to ensure your data remains safe.

OpenVPN and two-factor authentication

June 10th, 2010

Many people have used OpenVPN for a simple and effective VPN solution, but did you know that you can use it for real two-factor VPN authentication? How you do that depends on the two-factor solution you are using. There is support for PKCS11 token stores, and Windows CAPI, with patches submitted for OS X’s Keychain. In order to get the OS X patch into the testing/stable branch of OpenVPN, it needs more testers though (please help!). So, if your token supports one of the above, and most do, you can use OpenVPN as a (relatively) inexpensive two-factor VPN. The tokens are still rather expensive however :(

To use the CAPI functionality, add cryptoapicert “thumbprint” to the client’s command line or configuration file.

To use the KeyChain functionality, add keychaincert “thumbprint” to your configuration file or command line.

In both cases, thumbprint needs to be in quotes and is the MD5 or SHA1 hash of the certificate to use.
ex. “MD5: f8 72 98….”

To use the PKCS11 functionality, you use two options:
pkcs11-providers /usr/lib/pkcs11/ (or other path to the PKCS11 library)
and
pkcs11-id ‘serialized id’
Where serialized id is a unique serial number that you can find by using the “openvpn --show-pkcs11-ids /usr/lib/pkcs11/” command.

You’re now all set up to use two-factor authentication with OpenVPN on multiple operating systems. OpenVPN has more detailed information on the PKCS11 functionality at the HOWTO.

Hacking the TSA: No Tutorial Required

June 8th, 2010

I’m fairly certain I unwittingly committed a serious crime. I went through airport security using someone else’s boarding pass, bearing a name that only resembled my own completely legitimate and self-representative government-issued ID in that our last names shared the same first letter. The TSA agent, you know the one, with the little hologram-checking flashlight, looked at my ID, my boarding pass, my ID again, me. I thought he seemed a tad skeptical, taking longer than necessary on a process he must step through about a million times a day. I will admit that passport photograph was taken when I was 16, and I can look a little like a fraud at 7 am after several nights of limited sleep. Rather than being annoyed at the slight holdup, though said lack of sleep had me about at the end of my rope with the usual ubiquitous airport annoyances, I realized this man was only doing his job to protect my safety. I can certainly hang around an extra 30 seconds so I don’t get blown to bits. Then he marked a bunch of esoteric jargon on the boarding pass I was not yet aware was not mine and sent me on through security. Who needs Bruce Schneier’s boarding pass switching trick when you can make it through security with just any old boarding pass that you find lying around the airport?

I thought there might be a snafu in the whole thing once I realized the flight I was waiting for was not my own and examined the boarding pass realizing Mr. W____/S____ was not in fact me. The problem I anticipated was the lack of said marks on my boarding pass. However, this was not the case, and I boarded my correct flight without incident.

How did I end up with someone else’s boarding pass? By what strange luck did I happen to have my own boarding pass waiting in the bottom of my backpack to save the day, no doubt saving me from a lot of awkward questions, possible detainment, and at the very least missing my flight by having to go back out through security to get the whole mess sorted out? As it happens, I took advantage of the online check-in and boarding pass printing option the evening before the flight. I decided to check my bag (mainly because I didn’t feel like lugging around my mammoth cissp book in not one but two airports). So I had to wait in line at the kiosks anyhow. I did not instruct the kiosk to print out another copy of my boarding pass; however before taking off towards security, I noticed a boarding pass in the kiosk. Not one to leave personal information lying around, I grabbed the pass, assuming the kiosk was living up to their generally unreliable reputation. Now that I had two copies of my boarding pass, why wouldn’t I opt to use the thick, newly printed one rather than the day old, wrinkly one cluttered with weather and restaurant information? I should have inspected the boarding pass for accuracy; I humbly admit this. I’m sure kiosks spit out the wrong boarding passes on occasion and even more often dazed and overwhelmed individuals leave their boarding passes behind. In my defense it was quite early, I suffer from severe flight anxiety that only massive doses of Xanax can assuage, and I did after all have another boarding pass on hand that I had carefully inspected for accuracy.

I did not attempt to board the other individual’s flight, but I did feel somewhat concerned for my safety. I won’t go into the specifics of ideas that came to mind for how black hats and terrorists might leverage this lack of constant vigilance on the part of TSA employees. I have enough trouble flying with fears of mechanical failure and turbulence. So please Washington Dulles International Airport and any other airports with this problem, step it up. Our safety is on the line.

Not to mention I had my lock picks in my bag by mistake and no one noticed.
