Yesterday an interesting snippet was placed on the Register about yet another SSL flaw that was tipped to be announced [1].

The details of the attack are now emerging from the Google researchers [2] and [3]: specifically, that SSLv3 is seriously flawed, and that it is possible to force even TLS-negotiated sessions back down to SSLv3 to aid in exploiting the issue.

Our opinion is that this is just another variant of the same kind of client-side attacks that have plagued SSL/TLS in recent years, not unlike BEAST. Contrary to the hype, this isn’t another Heartbleed or Shellshock event.

The broad recommendation is disabling SSLv3, but clearly there remain serious potential usability issues associated with dropping the protocol (some older browsers simply won’t support the protocols and cipher sets that remain).

Mitigating strategies include supporting TLS_FALLBACK_SCSV [4] to avoid the downgrade attack, so at least when both ends of the connection do support the more secure versions of TLS, they can’t be tricked into downgrading to the insecure ones.
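As an added example (not code from the original post or from [4]), the following Python shows the server side of the TLS_FALLBACK_SCSV rule: a client that is retrying at a lower version appends the signalling cipher suite, and a server that supports something higher refuses with the inappropriate_fallback alert instead of quietly negotiating the downgrade. The ClientHello builder and the sample records are constructed for the demo, not real captures.

```python
"""Server-side TLS_FALLBACK_SCSV handling as described in the downgrade-SCSV
draft: if a ClientHello carries the SCSV and offers a protocol version lower
than the highest the server supports, the handshake is refused with a fatal
inappropriate_fallback alert rather than being downgraded."""
import struct

TLS_FALLBACK_SCSV = 0x5600      # signalling cipher suite value {0x56, 0x00}
INAPPROPRIATE_FALLBACK = 86     # alert description defined alongside the SCSV

# Protocol version numbers as they appear on the wire.
SSL3 = (3, 0)
TLS1_2 = (3, 3)


def build_client_hello(version, cipher_suites):
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    body = struct.pack("!BB", *version)
    body += b"\x00" * 32                          # client random (zeroed for the sample)
    body += b"\x00"                               # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    record_hdr = b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake))
    return record_hdr + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                       # skip record and handshake headers
    version = (record[pos], record[pos + 1])
    pos += 2 + 32                                 # version + random
    sid_len = record[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def server_decision(record, server_max_version=TLS1_2):
    """Apply the SCSV rule. Returns ('alert', 86) on an inappropriate fallback,
    otherwise ('negotiate', version) with the version the server would pick."""
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(client_version, server_max_version))


if __name__ == "__main__":
    # A modern client's first attempt: TLS 1.2 offered, no SCSV.
    print(server_decision(build_client_hello(TLS1_2, [0xC02F, 0x002F])))
    # The same client retrying at SSLv3 after its first handshake was interfered with:
    # it appends the SCSV, so a server that knows the rule refuses the downgrade.
    print(server_decision(build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])))
    # A genuinely old client that only speaks SSLv3 sends no SCSV and still connects,
    # which is why disabling SSLv3 outright remains the stronger fix.
    print(server_decision(build_client_hello(SSL3, [0x002F])))
```

The SCSV only helps when both ends implement it; the third case shows why the draft is a mitigation for the downgrade, not a replacement for retiring SSLv3.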


[1] http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow
[2] http://googleonlinesecurity.blogspot.ca/2014/10/this-poodle-bites-exploiting-ssl-30.html
[3] https://www.openssl.org/~bodo/ssl-poodle.pdf
[4] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00


Written by
Glyn Geoghegan
Security Consultant
Corsaire

‘MY TYPICAL VISIT TO A COFFEE SHOP’, BY VICTORIA

A few months ago I visited a bespoke coffee shop in London and ordered my normal skinny latte from the nice gentleman behind the counter. ‘Another new employee’, I thought, ‘I wonder how long it will take him to remember my order…’. Upon paying for my coffee, I was handed an invitation card to sign up for extra discounts at this and other coffee shops. ‘Nice, discounts for doing nothing! Just my cup of tea (well, coffee)’. Once I got home, I signed up to the discount website and was promised my discount card in the post. This is the last I thought of it.

Now let’s look at what really happened…

Victoria walked into the coffee shop one morning when it was quiet. ‘How can I help you Madam?’, the new employee asked. ‘Hi, can I have a large skinny latte please?’, ‘Of course, what’s your name?’, ‘Victoria’, she replied.

Victoria went to pay for her coffee using her debit card. The debit machine by the till was out of order, so the employee asked for her card, produced a new machine from behind the counter and passed it over to Victoria.

As you are already aware, Bob, the new employee is not a nice fella and as Victoria types her PIN into the machine, Bob is watching. The transaction goes through, Victoria removes her card and Bob passes her the receipt, along with an invitation card for extra discounts. Bob speaks highly of the discount scheme and convinces Victoria to sign up.

Victoria enjoys her coffee and heads home. She visits the website on the invitation card and fills in the registration form. The form has the usual details:

First Name
Surname
Address
Date of Birth
Email address
Telephone number
Password
Secret Question ‘Name of your first pet’

Victoria completes the form as she normally would; her real name, her real address, real date of birth, her only email address, her usual password and the real name of her first pet.

Of course, the discount scheme isn’t real; it’s a phishing website designed to capture information from soon-to-be victims.

WHAT BOB KNOWS:

1. Her name is Victoria Wilson-Smith
2. He has skimmed her debit card using a modified card machine.
3. He knows her PIN
4. He knows her full postal address
5. Her date of birth
6. Her email address
7. Her telephone number
8. Her usual password
9. Her answer to the secret question

From here, it would be trivial for Bob to start building up a more complete history of Victoria’s life. Using her usual password, her password reset answers and so on, he could gather information from:

  • Social media sites (Facebook, Twitter, etc.)
  • Email

Searching information in the public domain, such as:

  • Electoral rolls
  • Companies House
  • BMD (Births, Marriages and Deaths) Index
  • Telephone directories


WHAT CAN BOB DO?

Just about everything. Withdraw cash from her current account; obtain credit under her name; request copies of her birth certificate; attempt to obtain a passport, or driving license… The list goes on and on.

Of course, Bob didn’t stay in that job too long, but by the time he left he had skimmed cards and gathered personal details on 50 or so people.


WHAT DID VICTORIA DO WRONG?

Not much in the coffee shop; perhaps just allowing someone to see her entering her PIN, as the modified card machine would have been difficult to recognise.

The real problem for Victoria was entering all of those REAL details into a website and re-using the same password for multiple sites.


WHAT SHOULD VICTORIA HAVE DONE?

Unless it’s really official (HMRC, Banks, Government, etc.), never use your real details or your personal email address.

Create an online alias with different details (e.g. name, address, secret questions and answers, etc.). Set up a second email account and use this for all of those dodgy marketing, spam and discount sites. Never use the same password on multiple sites. This is an opportunity to be the person you always wanted to be!

For example, I’m Victor Parnevik, born 14th December 1978 in Solihull for websites – and just plain old ‘Bruce’ in coffee shops.

Remember, it’s easy to change email addresses or passwords if they are compromised, but very difficult to change who you really are…

So who will you be? Protect your real identity!

For more information about keeping yourself safe online see:
https://www.getsafeonline.org/protecting-yourself/privacy/


Written by
Anthony Dickinson
Security Consultant
Corsaire

Shellshocked!

Posted: 25 September 2014 in Uncategorized


When a new vulnerability starts feverish discussions amongst security professionals, you make a note to keep an eye on it. However, when it is given a name, gets a logo and then the mass-scanning starts [1], you know to buckle up for the ride!

For the second time in 2014, the world has been hit by a monstrous vulnerability. First there was the infamous Heartbleed and now … now there’s Shellshock – a vulnerability which some are arguing makes Heartbleed “look more like heartburn”.

So what is Shellshock, what’s vulnerable, how can you verify whether or not you are affected and what can you do about it?

What is it?
Shellshock is a vulnerability which affects the command interpreter Bash, which you’ll find underlying the majority of *NIX based platforms, like Linux and Mac: in fact just about anything that is not made by Microsoft!

The vulnerability itself is 22 years old and is a form of code injection in Bash’s handling of environment variables. In short, when Bash imports a function definition from an environment variable, it will also execute any ‘additional’ code that follows the function body in a specially crafted string.

There are already several good write-ups of the deeper technicalities [2].

Why is it bad?
Whilst it is a local shell vulnerability, the shell itself is used by many applications too, so it can be remotely exploitable. In particular, web servers running CGI scripts will be at risk, as it is highly likely that they will be using Bash and environment variables in some way. This means a remote attacker will be running commands on your server. Not a good thing, really.

What’s vulnerable?
This is the kind of vulnerability that will rapidly spiral out of control as more and more obscure attack vectors are discovered.

For now though, the big ticket items are:

  • Web servers running on *NIX that execute CGI scripts which are either written in bash, or spawn subshells. Approximately 50% of all web servers on the Internet run Apache on *NIX and many will have CGI scripts enabled.
  • Locked-down SSH environments that use the ForceCommand option to limit command execution capabilities for remote users. This flaw can be used to bypass this and provide arbitrary command execution.
  • Any other application which is hooked onto a shell or runs a shell script using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.


Are you vulnerable?
There is already an automated scanning tool available to remotely confirm if your host is vulnerable [4].

Nota bene: This kind of remote scanning is very simplistic and there may be a large risk of false-negatives: the tool may say your site is clear but the flaw will still exist.

There are also manual tests you can perform on the host which are much more representative [5].

What can you do?
First, as above, check if you are affected. If you are not, then you don’t need to do anything.

Secondly, at this stage we would normally say apply the patch and relax; however, the initial patch that has been released apparently doesn’t do a very good job [6]. We’d still recommend that you apply the patch, to protect against the initial wave of scripted attacks, but then also monitor your vendor’s support pages to see when another patch is released, apply it and then relax!

Lastly, if you can change your shell from bash to one of the unaffected alternatives, then do so.
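As an added illustration (not code from the original post), the following Python checks web-server access logs for the Bash function-definition prefix that the mass scanners send in request headers, hoping a CGI script exports the header into the environment. The log lines are constructed samples, not real traffic, and the combined-format regex is an assumption about your log layout.

```python
"""Detect Shellshock probes in web-server access logs. Scanners put the Bash
function-definition opener '() {' in a request header (usually User-Agent),
since a CGI script that exports that header is exactly the exposure described
above; the opener is the reliable thing to match, whatever follows it."""
import re

# Matches the function-definition opener Bash looks for: "()", optional spaces, "{".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format (assumed): host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Header fields an external client controls, in the order they are reported.
CHECKED_FIELDS = ("agent", "referer", "request")

# Constructed sample lines (not real traffic): two probes and one normal hit.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:02:11 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:02:15 +0100] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:03:40 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 500 0 "() {:;}; echo probe" "curl/7.37.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probing_field(entry):
    """Name of the first client-controlled field carrying the opener, or None."""
    for field in CHECKED_FIELDS:
        if SHELLSHOCK_RE.search(entry[field]):
            return field
    return None


def find_probes(log_text):
    """Return (source host, requested path, offending field) for each probing request.
    The response status is deliberately ignored: a 500 does not prove the host is safe."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                      # unparseable line: skip rather than guess
        field = probing_field(entry)
        if field is None:
            continue
        parts = entry["request"].split(" ")
        path = parts[1] if len(parts) > 1 else entry["request"]
        hits.append((entry["host"], path, field))
    return hits


if __name__ == "__main__":
    for host, path, field in find_probes(SAMPLE_LOG):
        print(f"{host} probed {path} via the {field} field")
```

Treat a hit as a reason to run the host-side tests in [5] on the server that received it, not as proof either way.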

 

[1] http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html

[2] http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

[3] https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

[4] https://community.qualys.com/blogs/laws-of-vulnerabilities/2014/09/24/bash-shellshock-vulnerability

[5] http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it

[6] https://news.ycombinator.com/item?id=8365158

 


Written by
Jan Fry
Security Consultant
Corsaire

 

Isolate the Stupid

Posted: 18 September 2014 in Uncategorized

Earlier today I wandered straight into the middle of a conversation between colleagues and overheard one of them say the wonderful phrase “isolate the stupid”. To be fair, I have taken it completely out of context of the original conversation, but I liked the phrase so much I thought I would use it for my own nefarious ends.

We are regularly called upon to provide help to organisations that have suffered a breach, and now need to quickly find out what happened so that they can bolt the door so no more horses escape.

A common contributing factor we see in this kind of situation is a huge, flat internal network structure – one that mixes together on the same logical wire: servers, desktops and peripherals, and horror-of-horrors, bring-your-own devices. All it takes is one stupid simple mistake, such as a user clicking on a misleading phishing email, and the attacker suddenly has unrestricted physical access to the whole internal network environment.

In security parlance, compartmentalisation is the concept of breaking environments into discrete, logical components, so that a failure in one is contained rather than spreading to the rest. In almost all these situations, a modicum of compartmentalisation would have either prevented the breach or greatly reduced its impact.

Isolate the stupid.


Written by
Martin O’Neal
Managing Director
Corsaire

 

My Placement Year at Corsaire

Posted: 15 September 2014 in Uncategorized


At the start of my second year of University it was time to find a work placement for the following year. My tutor kept telling us how employers are increasingly looking for experienced graduates as well as those with academic achievements and that the right work placement will increase our chances of securing a good job. After hearing this, I told myself, “I’ll definitely find a good company and job for my placement year!”

After failing to secure one of the jobs listed on our University website I remembered that my tutor had said we could find our own placement, as long as it was related to our course. Whilst I was updating my profile on LinkedIn, I discovered that I could apply for jobs on the site, so I searched for IT Security positions. The first one I found was at Corsaire, for a Junior Security Consultant. I enjoyed reading the job description, it was the ideal job for me. Then I noticed it was not specifically asking for a graduate but I thought I’d give it a go.

I sent my CV and covering letter asking if I could do the job as a placement for University. After a couple of days, I received an email inviting me for a telephone interview which I gladly accepted and managed to pass. I was then invited for a face–to-face interview with the Managing Director, followed by another face-to-face interview with the Operations Manager and a Security Consultant. After a few days, I received a call from the Operations Manager offering me a job as their first ever Technical Intern!

Expectations
Through my placement year with Corsaire, I was looking to accomplish three things:

  • To put everything I have learnt so far at University into practice
  • To expand my knowledge and skills in security and other areas of IT
  • To use the experience I will gain as a gateway to future opportunities


What it was like
Everything I have experienced within Corsaire has exceeded my expectations. Taking into consideration that this is the first time they have had a student intern in their company, I have received great supervision and training from my supervisor as well as colleagues; I have been given regular feedback about my performance, as well as the chance to experience a range of learning opportunities and to demonstrate my skills and knowledge. Working in a team has allowed me to ask questions and mix with like-minded people who work within my chosen industry. It has also given me first-hand experience of what the job entails and what has been developing in the industry. Corsaire has provided me with all the necessary skills to successfully complete any task allocated to me.

What the people are like
Everyone at Corsaire is very friendly and they have all treated me as their professional equal despite me being a student. Whenever I am in the office, it feels like I am just home with family because they treat me like family even those people with the higher positions within the company.

Overall
Entering the professional world of work can certainly be daunting for anyone, regardless of your age, experience or knowledge but for me, it has been one of the best and most rewarding experiences of my life. My placement has been superbly aligned to my course and has made me more focused on what I want to achieve with my degree. I feel very honoured and lucky to have been able to work with Corsaire and if I was given the chance to go back in time, I would definitely still apply to this company.

Now that I have finished my placement at Corsaire, there are a lot of things I am going to miss, like learning new things from my supervisor and other workmates, hanging out with everyone after work, listening to our Project Coordinator’s bagpipe music that everyone loves (NOT!) and of course most of all I’ll miss the bacon and sausages that our Managing Director cooks every morning.


Written by
Darlene Concepcion
Technical Intern
Corsaire

Always Use Protection

Posted: 5 September 2014 in Uncategorized


Since joining Corsaire in April my eyes have truly been opened to the world of Internet Security. I always knew it was a deep and dark place filled with secrets, unknown sources and even more secrets, but I always figured the statistics were in my favour and I would never be a victim.

Now I’m not saying that I ever sent money to that desperate lady emailing me from Bulgaria, or clicked on one of those ‘Leaked Nude Photos of *insert hot celebrity here*’ ads and I do know the difference between http and https. But I did think that avoiding such obvious scams would leave me safe in my Internet browsing. How wrong could I be?

During one of my first weeks working at Corsaire I made the mistake of leaving my computer unlocked. The number one rule in our office, as I’m sure in most offices, is ‘Do Not Leave Your Computer Unlocked’. My colleague took this opportunity to teach me a little lesson. Returning to my desk I found my browser open on the Gmail login page. Nothing suspicious there, until little Clippy popped up; you know, that annoying Office assistant always on hand to help circa 2008? It appeared that my colleague had full control of my browser window, setting up a fake Gmail login to steal my credentials, with the power to send me to any corner of the Internet they so wished.

This was scary in itself, but it also got me thinking about all of my passwords; I can be rather lazy when creating new ones. I like to have two or three on rotation, changing the odd number or adding in a capital letter to differentiate. If that wasn’t lazy enough already, I then save them to my browser’s password autofill function. You wouldn’t need to be a genius to crack the code and gain access to my saved payment methods, social media sites and personal details.

Needless to say I have updated my passwords to slightly more cryptic ones, deleted my browser’s password storage and removed my credit card details from all shopping sites. I have also learned the joys of the Password Safe, a pin-secured digital safe place that I can store my credentials and easily access them when I need to. Just remember people, lock your computer and securely store your passwords (in your head if possible). Happy browsing!


Written by
Faye Brennan
Marketing Assistant
Corsaire

 

I Can Like to Hack

Posted: 13 August 2014 in Uncategorized

In the last few days a new article was posted to Ars Technica [1], allegedly detailing the approach taken by the hacker behind the Gamma Group International data leak. Now, before I go any further, I need to point out that all the normal disclaimers apply: things you read on the Internet may be closer than they appear.

The article itself is interesting, but what is more so is the link it provides to the hacker’s methodology [2]. Anyone reading the hacker’s document, who has any vague knowledge of the Internet and security, should be impressed with the meticulous approach taken by the attacker. But more than this, it is painfully clear that there is No Magic Sauce ™. The methodology uses off-the-shelf tools, simple scripts, and a manual analysis approach to match them against the target environment.

This simply underlines the fact that acceptable security, for the most part, is all about getting the basics right consistently.

How could Gamma Group International have avoided ending up in this situation?

  • Understand the threat surface well
  • Remove any unused functionality
  • Configure the remaining functionality conservatively
  • Patch any flaws promptly

 

Now, being truly honest, how many of you can put your hand on your heart and say that you do this thoroughly and consistently?

[1] http://ars.to/1q1CxIA
[2] http://pastebin.com/raw.php?i=cRYvK4jb

 


Written by
Martin O’Neal
Managing Director
Corsaire

Android Wildwest

Posted: 5 August 2014 in Uncategorized

Trojan software has been around for a long time but its effectiveness in targeting individuals and businesses has increased in parallel with the ever-improving usability of Internet connected devices. The smartphone and tablet era has brought millions of new users onto the Internet.

Unfortunately, Internet use does not require a “driving license” and at the moment we are looking at an increasingly diverse horde of unlicensed, sometimes drunk, drivers who are being conned into lemming-like self-destruction.

It shouldn’t come as a big surprise that Norton last week reported a “Fake ID” vulnerability, distributed by Trojan apps, which could allow malicious apps to access legitimate applications and steal sensitive data such as passwords or financial information by falsifying built-in security certificates. The vulnerability could reportedly affect millions of users as the threat spans across Android version 2.1 up to 4.4.

The potential reach of the vulnerability is indeed a prospect but one which astute businesses and security teams should be well prepared for. If, however, you are feeling a little lost, here are a few tips to tackle the threat:

For the lemmings: Buy an iPhone and/or never install anything on your Android. Anti-virus would be a classic recommendation but even some of those are Trojanned, so you are best staying away unless you know what you are doing or can call upon someone who does.

For the businesses: Approach “Bring Your Own Device” schemes with great care. Consider introducing Mobile Device Management software to lock down BYOD and internal devices. The details of what to lock down are beyond the scope of this ranty little blog but at the very minimum look to: restrict installation of software; control carefully what data is accessible from mobile devices; ensure you have corporate-level anti-virus software installed; and use a principle of least privilege wherever possible.

 


Written by
Jan Fry
Security Consultant
Corsaire

 

Au revoir to Piracy?

Posted: 31 July 2014 in Uncategorized

Earlier this year the City of London Police and the Intellectual Property Office (IPO) established the Police Intellectual Property Crime Unit (PIPCU), which is a cool-sounding acronym, right?

The PIPCU will be working with HMRC, UK Border Agencies, Trading Standards, Europol and NCA to develop strategies to help prevent IP crime (both counterfeits and piracy) affecting physical and digital goods (with the exception of pharmaceutical). As well as this, they will be informing and educating businesses and users about criminal activity on counterfeit and piracy sites.

Currently PIPCU have funding of £2.56 million, and with this, they plan to police the Internet and respond to threats of online intellectual property crime.

One focus will be on copyright infringement by illegal sites, such as Pirate Bay. When someone visits a site that a complaint has been registered against, the PIPCU will dynamically replace any banner adverts on the site with the PIPCU’s very own anti-piracy equivalents. As the revenue from this kind of advertising is one of the main reasons the pirate sites exist at all, this should hit the criminals right where it hurts the most: in their wallet.

So what does this mean for the public and for businesses? Well for businesses, it’s good both for advertisers that don’t want to be associated with pirate sites and also for companies who want to stop their IP being used illegally. However, for the public it may end up being a different story. The reality is that in the short-term, things are not going to change all that much; the pirate sites and their content will still be available, just with no advertising. However, in the long-term, if the pirates can no longer make any money from these sites, then the chances are that they will close them down and move on to easier pickings – which may mark the beginning of the end of the illegal free-stuff Internet movement…


Written by
Gary Carvey
Business Consultant
Corsaire

 

Security consultants can tend to live a bit like nomads: wandering from office to office, plying their trade along the way. We get to see lots of different organisations, and a surprising variety of datacentres. Mostly these are full of shiny racks of new equipment, but every now-and-then we’ll see something out of the ordinary. Some form of legacy system: mysterious, ancient boxes, left to their own affairs in the darkest corner of the room.

Of course, whilst these systems are simply interesting museum-pieces to us, to the poor soul who is tasked with owning the risk, they are something much more ominous. Legacy systems that dramatically outlive their intended lifespan tend to do so for one glaring reason: they are important to the organisation, and both difficult and expensive to replace.

To add to this growing pile of legacy, this week Oracle announced the end of Java support for the Windows XP platform [1]. This isn’t that much of a surprise, considering that Microsoft had already dropped support for XP in recent months [2]. However, what is notable about this is the dramatically different threat landscape. Almost no-one is interested in your old PDP-11 or Cray supercomputer, but Windows XP is quite a different kettle of fish.

Windows XP is the doyenne of the exploit writers. Not only does it lack the remote code execution protections that later versions of Windows have built in (making it easier to get an exploit working reliably), but it still has a large enough install base to warrant the effort of writing one. On top of this, in recent months Java has been found to be riddled with flaws: the April patch bundle [3] contained no less than 37 discrete flaws, 4 of which were rated with the highest severity possible under the CVSS scheme.

So here you have a perfect storm: a critical system, relatively easy to exploit, with no patches available. Given that you can no longer patch these servers, our recommendation to you is to first have a nice cup of tea, then secondly apply some common sense:

  1. We know you would have already replaced these systems if you could have done so, but if there is any possibility of you rethinking this stance, now is a good time. The situation will not get better with time.
  2. Segregate all your legacy systems behind an internal firewall if possible. Keep them away from the general-use LAN segments and especially from desktops.
  3. Restrict remote access methods to essential users and enforce strong cryptography.
  4. Implement file-system fingerprinting to detect any unauthorised changes to the host.
  5. Make sure anti-malware and anti-virus applications are up-to-date.

 

Oh, and one last happy thought before you go: you are prepared for when Windows 2003 Server goes end-of-life next year, aren’t you?

  1. http://java.com/en/download/help/sysreq.xml
  2. http://windows.microsoft.com/en-gb/windows/end-support-help
  3. https://blogs.oracle.com/security/entry/april_2014_critical_patch_update
  4. http://support.microsoft.com/lifecycle/search/default.aspx?alpha=Windows+Server+2003+R2

Written by
Martin O’Neal
Managing Director
Corsaire