Apr 29, 2014

How To Beat Heartbleed

If you watch the news, or logged into your online banking account you've no doubt heard about the Heartbleed bug that affects anything that uses OpenSSL 1.0.1 through 1.0.1f, as well as 1.0.2beta (CVE-2014-0160). Sadly, since much of the web uses Apache for web servers with OpenSSL, a lot of websites are affected by this.

If you haven't heard about Heartbleed according to US-Cert.gov it is:
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
At my company we work with a lot of banks, and because of this vulnerability they are all literally shitting bricks over it. I'm getting questionnairres from them every day asking if we are patching our systems.

Well, the truth is none of our sites are vulnerable. Why is that? Well because we are either using Microsoft IIS for web servers which don't use OpenSSL, or we are using GnuTLS on our Linux webservers. Again, GnuTLS is not vulnerable.

So if you want to beat Heartbleed and you are currently using Microsoft IIS, don't worry, you are fine. If you are using Apache, you might want to get rid of OpenSSL and switch to GnuTLS. I wrote about how to do that on Ubuntu here: (How to upgrade to GnuTLS in Ubuntu).

You can test your sites quickly against Heartbleed at SSLLabs.com.

Good luck!
Enhanced by Zemanta

Apr 25, 2014

Are Apps Threatening Your Device's Security?

Image representing iPhone as depicted in Crunc...
Image via CrunchBase
There are apps to track your dog, an app for smoking (Fake Smoker) and apps to teach you how to play an instrument. Think about all those inexpensive apps you download onto your device for fun. They can help you in so many ways, but what do they get in return? What are your apps doing with, or to, your personal information?

Once you accept the terms of the application you are downloading, information about your profile is captured. Most people don’t read the fine print, but within that document you are granting the app developer permission to use and possibly sell your demographic data, social media habits, shopping habits and even your contact list. In a recent study by Zscaler’s VP of Security, 92 percent of the top 25 social networking apps request access to user’s address books.

What makes your cell phone vulnerable? Security measures, such as firewalls, encryption and antivirus software are not commonly utilized on portable devices, according to the U.S. Computer Emergency Readiness Team. Operating systems on those devices are also not updated as often as on a personal computer. Social networking applications for your portable devices seldom follow the privacy controls that you may have on your PC and most people believe that searching the Internet on the cell phone is completely safe.

Attacks on portable devices are becoming more and more intelligent, targeting commonly used apps such as email, calendars, contact information and passwords on your device. Until legislation enforces changes that regulate the ability for these application developers to capture and ‘sell’ your information, the only way to protect yourself is to change your habits.

Portability: Cell phones are small, easily lost or stolen. Install a password or a screen lock on your device, anything to deter a criminal from accessing your information.

Scams: Do not open text messages, emails or any electronic message received from unknown sources.

Oversharing: Each time you access a shared network you are leaving yourself open to threat. Consider if you truly need to access the Internet at every single café or if it is just for convenience purposes.

Change passwords frequently: The ‘token’ that is given to the third party application developer when you download a new app may capture your sign-on information. After installing a new third party application, promptly change your password. Better yet, put reminders on your calendar to change your password every three months.

Turn off Bluetooth and Wi-Fi: There are different levels of Bluetooth accessibility. Most operate in module 1, which allows your device to connect to any other Bluetooth or wireless device before authentication. You run the risk of someone tapping in to your data.

Nothing Like a Good Offense: People do not realize their personal information has been stolen or is being used by someone until it is too late. LifeLock’s identity theft protection scans for identity threats and notifies you of potential use of your personal information immediately. This allows you the time to notify all other owners of your personal information, such as banks, schools, lenders, that you have experienced a potential threat and you want to make them aware. Being proactive is the first line of defense when it comes to protecting your identity.
Enhanced by Zemanta

Apr 10, 2014

How To Enable HTTP Strict Transport Security in Apache on Ubuntu

So you have all heard of the new Heartbleed exploit in OpenSSL right? It's all the buzz at work since my company works with a lot of banks. All of the banking security people are contacting their vendors to make sure we are not vulnerable. if you haven't heard Heartbleed is:
...is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
So I checked all of our web servers using SSL Labs, and luckily none of our sites are vulnerable. However, since I did the checking I noticed that my Apache web servers, although they had A or A- ratings on SSL Labs, I could improve my SSL implementation and security by enabling HTTP Strict Transport Security (HSTS) which according to Wikipedia is:
...a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL[1]). HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy[2] is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of time during which the user agent shall access the server in only secure fashion.
To implement it just do the following in Ubuntu:
  • Run sudo a2enmod headers to enable headers
  • Edit your ssl config in /etc/apache2/sites-enabled and add the following line under <VirtualHost *:443>:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  • Restart Apache by running sudo service apache2 restart
After doing that you can run a test against SSL Labs again and you will see that your rating has gone up! Here is a screen shot from my personal email server with an A+ rating!


Incidentally 3153600 is the equivalent of 12 months which should be good enough, however you can adjust that number however you want!

Enhanced by Zemanta

Apr 7, 2014

How Secure is The IRS's SSL Implementation? Not very

I write posts like this periodically. Mainly because implementing SSL is one of my duties at my day job. Not only that, I have to implement it and make sure it follows best practices for PCI Compliance.

Every time I use a site that uses SSL, I always look at their certificate information then I also go a step further and run a server test against the site using the SSL Labs tool. It spits out a report of which ciphers and protocols are implemented, and what kind of attacks can be used against that server to compromise security.

Well I happened to be on the IRS site to request old tax transcripts and I decided to run a test. The IRS received an F rating!


As you can see the IRS site is vulnerabe to man in the middle attacks, and if you scroll down further on the report page you see they are vulnerable to The BEAST. Kind of pathetic for a government website if you ask me. However they aren't the only government agency with poor SSL implementation.
Enhanced by Zemanta

Apr 4, 2014

Securing Ubuntu: Use UFW Firewall

A lot of you probably already know this, then again some of you might not of thought about it too much. I mean, you're using Linux right? Nobody is going to be able to hack it right? Not necessarily.

I got to thinking about this because I use Ubuntu exclusively for work and for home, and the other day I was working remotely from a coffee shop in Grand Junction Colorado. I had just recently re-built my laptop with Ubuntu and hadn't installed a firewall yet. Mainly because I usually work from home and I'm behind an appliance firewall there.

So anyway, not wanting to be hacked by some guy in a coffee shop I installed my favorite firewall for Ubuntu, gufw. It is the gui front end to the ufw firewall.

To install it is easy, just run:
sudo apt-get update && sudo apt-get install gufw
Once installed setup is super easy. Just turning it on will block all incoming connections and allow all outbound connections.


Having that installed and running, especially in a place with shared wifi, it makes me feel a little bit better.

Do you use a different firewall in Ubuntu? Which one do you use? Let us know in the comments!
Enhanced by Zemanta



Twitter Delicious Facebook Digg Stumbleupon Favorites More

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam