Excellent TLS Made Easy

One of the most common findings we discover on assessments is misconfiguration of SSL/TLS implementations. Cryptography is notorious for requiring very specific skills to configure correctly, and on top of that it tends to be a moving target: it seems like every other month there is a new vulnerability specific to SSL/TLS. We find that many organizations become overwhelmed responding to the seemingly constant stream of changes required to maintain a secure web server, or simply throw their hands in the air and stick with a “good enough” configuration that seems to work. However, choosing and using strong TLS configurations doesn’t have to be hard. We wanted to create an easy to digest reference for all your SSL/TLS needs.

We built tlsconfig.neohapsis.com as a living information hub for SSL/TLS secure configurations. We test it regularly against known vulnerabilities and update it accordingly. The configuration examples available on the site will help strengthen your site and will also minimize low and medium risk findings on security assessments. More importantly, by using these configurations that emphasize best practices you can minimize reactionary patches and emergency configuration changes, and reduce time, effort, and risk.

Why Is “Good Enough” Not Good Enough?

Defense in depth is a concept that used a lot in the security world and it is just as important in SSL/TLS. The recent FREAK attack is a prime example of how a known-weak configuration that might currently be classed as a medium or low risk can suddenly become critical, resulting in downtime to fix and a fire drill for your system administrators. Over 12% of the most popular domains had to act quickly to patch the vulnerability which has been a known bad practice for 15 years (in fact, over 8% are still vulnerable and scrambling to update).

This is just one of many examples of the very good reasons that cryptographers are a conservative bunch and regularly deprecate old configurations. In short: proactive, gentle movement to the most current best practice configurations prevents unnecessary emergency maintenance and reduces overall risk.

Old Habits Die Hard

Aspiring for the shiniest new ciphers and configurations may not always be the wisest business decision. Often security best practices can conflict with market realities. Historically, adoption of new web technologies, including SSL/TLS technologies, has been slow; they are usually dependent on either operating system upgrades or hardware purchases, which are costly and rely on the user base willingness to upgrade. The most common reason we hear for use of deprecated cipher suites and weak key strengths is legacy support for Windows XP.

However, since the release of Windows 7, Windows XP has been seeing a steady decline of use across the Internet. By the time Microsoft stopped enterprise support for Windows XP, usage was down to 12.68%. Today usage is down to 7.36% and will only continue to fall. On top of the falling usage of XP, IE 6 usage has flat lined at 0.2% of total browser usage across the Internet. Only 7 years ago, one out of every two browser request was made by IE 6 and it was the driving force on a lot of development decisions. Sites were required to support IE 6 because of it’s wide spread use:today that is no longer the case. So, if your organization has historically made security choices for all users based on the the low bar of XP/IE6 users, now may finally be the right time to revisit that decision. In fact, comparatively strong cryptography choices can still support support browsers back to 2002 while allowing modern systems to take advantage of better ciphers.

Check out the strong, simple baseline configurations available on tlsconfig.neohapsis.com (or see their shiny A+ scan results on SSLLabs) and learn how you can easily choose modern cryptography for your servers.

Decide what starts automatically on your PC

Stephen Tomkinson, of NCC Group PLC, recently presented research and a proof-of-concept demonstrating how just a Blu-ray disc can be used to compromise both PCs and internet-connected Blu-ray players.  The old advice to disable the auto-play function in Windows is new again, so take a moment and go to Control Panel – AutoPlay and either change the AutoPlay options to “Take no action,” or disable the feature completely.  From now on, view the unknown disc just as suspiciously as the unknown USB stick.

Read more from ArsTechnica here: http://arstechnica.com/security/2015/03/more-iot-insecurity-this-blu-ray-disc-pwns-pcs-and-dvd-players/

Talking about AutoPlay made me think of a recently released tool from Microsoft called Autoruns, found on the Windows Sysinternals website.  This powerful tool provides “the most comprehensive knowledge of auto-starting locations of any startup monitor . . .” There is also a command line version of the tool called Autorunsc.

When you launch the tool, you will see everything that is set to start automatically on your PC, all the drivers that get loaded, services running and much more.  The tool also allows you to disable the automatic loading or running of these objects, but remember that just like editing the Windows registry, you can put your computer in a bad state by misconfiguring these settings.

A description and directions for use are found on the TechNet webpage here:  https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Lastly, you can make sure the programs that do run in Windows don’t use memory in an unsafe way.  To help accomplish this you can use Data Execution Protection (DEP).  The default setting only looks at essential Windows programs and services, but for those with a wish for tighter security, DEP can be enabled for all programs and services.  If you have BitLocker whole disk encryption turned on (which you should), make sure you have your recovery key written down or stored, and disable BitLocker before enabling DEP and rebooting.  Otherwise, DEP will detect a change and prevent winload.exe from running.

To read more about this feature and learn how to use it, check here: http://windows.microsoft.com/en-us/windows7/Change-Data-Execution-Prevention-settings?SignedIn=1

Disabling BitLocker: http://windows.microsoft.com/en-us/windows-vista/what-is-the-difference-between-disabling-bitlocker-drive-encryption-and-decrypting-the-volume

Operational Security – Home Rules

A story from a friend of mine about a holiday travel incident reminded me that when it comes to information security, even a single lapse in vigilance can result in painful long-term consequences.   He travels fairly frequently in the U.S., Canada and Europe and in addition to following his company’s travel policies; he’s also asked me for advice and recommendations on how to best protect his informational assets while he travels. I’ve offered some of the standard security industry advice. My suggestions to him were:

  • If possible, don’t travel with your company laptop and primary cell phone to prevent the possibility of data loss via copying or theft
  • If you must carry one or both with you, use your phone’s screen lock, encrypt the phone and any external SD cards, and make sure whole disk encryption and firmware/EMI passwords are active on your laptop
  • If there is any chance your company or personal laptop might be out of your possession for longer than the security line, keep its hard drive in stored separately, and away form the laptop. Preferably, in your pocket.
  • Travel with a loaner/burner laptop with no sensitive information on it, and keep any sensitive data on an encrypted USB stick or in secure, encrypted cloud storage
  • Physically disable external ports (USB, Firewire, etc) on your burner/loaner laptop
  • Use two-factor authentication on ALL connections to company and personal resources
  • Only access sensitive data via VPN to your company’s secure private location or cloud and never save documents locally

The list could go on, but you get the idea. We’ve also talked about physical security and I’ve reminded him about one of the basic tenets of information security; if you can’t provide adequate physical control of your assets and another party can have unfettered access, consider them compromised.

The Story

My friend and his wife and son had made separate trips over the holidays to visit friends and family, and he was in a position to go to the airport to pick up his wife and son when they returned. He met them in the baggage claim and they waited for their bags. His son’s baggage came off the carousel, but unfortunately his wife’s did not. When they went to the airline’s customer service desk to inquire about the missing luggage, the airline representative said they don’t track bags and took her name. The agent assured them that the next flight from Denver would arrive early the next morning, the bag would likely be on it, and they would give her a call once it arrived.

Driving home, he asked what she had in her bag and the first thing she said was her laptop. Surprised, he had asked why she had her laptop as it had sat at home for years. She said she had taken it so she could fill out a financial aid application for their son’s college and all the information she needed was on it.

His wife was a realtor, and he asked her what other information she might have on her laptop. She said her work and personal email, all of the real-estate contracts she had ever written, some personal documents and some family pictures. When it came to the computers in the house, he had never thought to encrypt her hard drive because for years she had used it like a desktop, he never imagined it would leave the house.

They could change all the website passwords she used for banking, social media, shopping, etc., but the contract information was a bit more problematic. Dozens or possibly hundreds of records may be compromised. Granted, much of this information would be public record, but there would also be personal financial information of buyers and sellers. They would have to notify her office and let them decide how to proceed.

I reminded him she needed to change all her email account passwords as well, and suggested that from this point forward she change every password on every site she logs into the next time she visits. I also told him to have her change all her banking and credit card site passwords immediately, based on the assumption that at some point, someone could gather all the passwords on the PC.

He told me his wife called the airline after the first Denver flight came in the next day and no bag. My friend decided to assume the bag was gone for good. He asked his wife to start thinking about everything that was in the bag so they could write it all down on the claim, and she listed a long list of things, such as the original claim form from her son’s recent auto accident, their last year’s tax return, along with his and her last paystubs, and a copy of his and her driver’s licenses, all in the lost bag.

Stunned, he asked her why all those documents were in her bag and she said she needed to complete her son’s financial aid paperwork while she was on her trip, so she grabbed the docs she needed and stuffed them in her bag so she could fill them out before the deadline. Someone with that bag would know everything they needed to steal his, his wife’s and his son’s identities and socially engineer attacks against all the businesses, organizations and government entities they interact with for a very long time. With just paper documents, that person wouldn’t even need specialized computer skills. Information he told me that could be compromised for all three of them:

  • SSN’s
  • Potential access to his son’s medical history
  • His son’s financial and university information and accounts
  • Banking institutions and brokerage account numbers and balances
  • Past and present home addresses
  • Past and present employers, including contact information
  • Income, investments, and sources
  • Email addresses

I told him he should weigh the possibility of all scenarios; that his bag may have just been lost by the airline and sitting somewhere; that someone rifled through it, took the laptop and sold it to someone who has no interest in stealing his information; or that someone took the bag, knew what they had found, and then took steps to leverage the information for personal gain. While the probability of one of the first two occurring outweighed the third, it provided him little comfort.

The best things I could tell him to do were:

  • Call one of the three major credit agencies (Experian, TransUnion, or Equifax), and put a fraud alert on all three of their credit files. Whichever agency you call will alert the other two within 24-hours so you don’t have to call all three. That should prevent anyone from opening any new credit or charge accounts in their names
  • Change all of their email address passwords and consider establishing new email addresses altogether
  • Consider closing any bank or brokerage accounts that may have been listed and open new ones
  • Start going over every bank and credit card statement line-by-line every month for at least the next year and match up receipts for everything
  • Change every password on every website they use
  • Enable two-factor authentication on every website that offers it
  • Enable two-factor authentication on their email accounts that offer it
  • Encrypt every hard drive, every phone and every device they use remaining in their house. Also make sure every device has PIN or password protection turned on

He asked me if he should enroll his family in one of the services that guarantee protection against identity theft. I said that was his decision, but they are potentially very invasive and don’t have a great track record of doing what they promise.

I talked to him again a couple weeks ago and he mentioned some good news. The airline had eventually found the bag six days later and it had been sitting at the destination airport the whole time. The agent at check-in had put the son’s name on both checked bags, which is why they couldn’t find a bag with her name anywhere. When they went to pick it up, she said everything looked exactly as it had when she packed it.

It was a wake-up call for me as well and subsequently I too encrypted everyone’s PCs and laptops, made sure everyone had passwords and PINs in use, and reminded everyone to keep sensitive devices and documents in their control at all times when traveling – including not leaving phones\tablets\laptops unattended and in plain view in a vehicle. What we tell those we advise in business also applies to friends and family; the time you spend preparing now may save you countless hours of worry and expense down the road.

Neohapsis Announcement

As our clients and friends in the industry know, Neohapsis has been a key player in the security, risk and compliance market. Today, we are excited to announce plans to join Cisco, who we believe will be the perfect strategic match for us, given our services and research mission.

We share with Cisco a global enterprise customer base, and a commitment to help our customers address their most challenging threats, especially in the rapidly evolving mobile and cloud arenas. Because of Neohapsis’ and Cisco’s shared focus on the Internet of Everything, the opportunity to do groundbreaking work together is enormous. Together, what we bring to enterprise customers, IoT device manufacturers, and associated service providers will be unique in the market.

Please read Hilton Romanski’s blog which outlines more about the strategy driving this acquisition: http://blogs.cisco.com/news/cisco-announces-intent-to-acquire-neohapsis.

 

James Mobley,

President & CEO,

Neohapsis

Is there a business case in planning for data breaches?

When I was learning to fly, one of the many pearls of wisdom imparted to me by my instructor was, as I transitioned from pre-flight planning and considering a myriad of “what-if” scenarios to prevent problems, to actually going aloft was to mentally move to continually considering what to do “when” an event, such as an failure, eventually takes place.  The primary objective remained constant: to ensure a safe outcome with minimal consequences (you may call it applied risk management).  This shift in attitude appears to be apt for custodians of information systems, moving from planning services and incident prevention to operational preparedness in order to best ensure a successful outcome in the event of an unplanned incident.    Sadly, even with sophisticated layers of defense, many organizations are facing similar thought processes of what to do “when” a data breach takes place rather than “if”.  Staples looks like it is the next addition to the list of notable incidents that includes Target, Home Depot, Chase, Goodwill, Michaels and P.F. Chang’s.

The recent Ponemon Institute benchmark research “2014 Cost of Data Breach Study : United States” identified a number of factors that could materially affect the impact and cost of managing a data breach. Apart from the headline average cost of an incident of $5.4 million with a per record number rising to $201 there were some interesting observations relating to the root causes.

The involvement of a third party was one of the biggest contributors to the cost of managing a data breach, at 12.5% above the mean cost.   There is ample indication that this is an extremely common situation that is developing rapidly with the adoption of computing and application services .  As well as the HVAC issue that was a vector for the Target breach, incidents at Lowe’s, Goodwill and AutoNation earlier this year were attributed to third-party vendors (E-DriverFile, C&K Systems and Trademotion respectively).  The need for third party diligence has been identified as necessary by financial and healthcare regulators. If we look at the potential for loss avoidance, effective vendor security management that includes incident management makes good sense as both preventative and response measures.

The maturity of breach response plan represented another interesting opportunity to either increase or reduce the cost of a breach.  Typically organizations that provided quick, less coordinated announcements and response activities that did not follow a clear protocol experienced management costs 7% above the mean.   On the other hand, those with a clear incident response plan reported average costs around 8.5% below the mean.  The difference in response approach represents over $830,000 in a $5.4 million event.  To return to the pilot analogy: preparedness training and the effective use of checklists have been proven to significantly improve the outcomes.

MPTCP Roams Free (By Default!) – OS X Yosemite

Further to the BlackHat USA Work by Patrick Thomas (@coffeetocode) and I (@secvalve).

MPTCP is enabled by default in Mac OS X Yosemite. So we can expect to see Multipath TCP on most networks, and on a total of tens to hundreds of millions of devices.

Embedded image permalink

Thanks to Ilias Marinos (@marinosi) who tripped my twitter search bot 

More to come…. We have stuff as yet unreleased that has suddenly become VERY relevant.

Shellshock bug exposes web servers, home routers

With Shellshock, the recently discovered vulnerability in Bash yet to hit full stride in exploitation, there are numerous systems and devices that are immediately at significant risk of exploitation across the Internet.  Neohapsis Labs has released advance Shellshock guidance to our clients, including immediate considerations, and short and medium term remediation steps to mitigate the impact of the vulnerability. What follows is a guest post by industry acclaimed journalist Byron Acohido on the immediate impact of this vulnerability:

Shellshock bug exposes web servers, home routers

By Byron Acohido

Yes, you should be very concerned about Shellshock, the latest software bug to arise with the potential to degrade the overall safety of the Internet by several notches.

Shellshock, also referred to as Bash, is a glaring weakness in an otherwise innocuous bit of coding that’s been around since 1987. Bash, shorthand for Bourne-Again Shell, is a program that allows you to type commands on computing devices that use the Unix, Linux, Apple Mac and Android operating systems. You’ve encountered  Bash if you’ve ever typed text commands on the black screen sitting behind the graphical interface of your computing device.

The existence of the Shellshock flaw was made public on Tuesday, riveting the attention of the global security community. It’s almost certain elite hacking groups have been aware of the vulnerability for some time prior, and have been taking advantage.

And now the rest of the cyber underground can make hay. The mad scramble is on. Much as they did earlier this year upon disclosure of the Heartbleed bug, companies of all sizes must identify and patch systems exposed to the Shellshock flaw.

“It’s at least equal to Heartbleed for sure,” says Garve Hays, software architect at NetIQ. “Heartbleed was ephemeral, you could gather personal data and move on. But with Shellshock, you can plant a backdoor on a server and stay there for years. It’s the gift that keeps on giving.”

Apache servers targeted

White hat researchers have begun probes to find vulnerable systems. The biggest, most obvious targets are Apache web servers. These Linux-based machines are used to run about one-third of the websites on the Internet.

“System administrators will be working long shifts to go through every single server, router and other piece of equipment that uses the bash shell,” says Jerome Segura, senior security researcher atMalwarebytes Labs.

Big enterprises have the resources and motivation to expedite patching. But hundreds of thousands of small and medium sized businesses will be slow to patch, or never patch at all. In the meantime, every hacker from script kiddies to spammers to account hijackers can now do simple reconnaissance to find and infect unpatched Apache web servers and related networking equipment.

“It’s a race against time,” Segura says. “The bad guys are hard at work trying to hack into affected systems.”

That’s just the first wave. Another obvious target that hacking gangs surely will triangulate are the routers used in home networks and small businesses. Up until about two years ago, Bash was widely used in Linksys, Belkin and many other brands of consumer-grade routers, says NetIQ’s Hays.

Home routers ripe for attack

So if you’re using an older router in a home or small business setting, you should assume the bad guys will soon turn their attention towards seeking out your unpatched router and taking control of it – because it’s simple and profitable to do so.

Bash also comes into play on certain Apple Macs, and certain older versions of Android handsets. Apple issued a statement saying the majority of Mac OSX users are safe from bash exploits.

Even so, it will take some time to determine the full extent of the ramifications of this flaw, says Dr. Mike Lloyd, CTO of RedSeal Networks.

“It’s relatively easy to tell whether the flaw is present, but it’s hard to tell if it’s reachable,” Lloyd says. “The maze of software and configuration interactions is too complicated for a human analyst to be able to say categorically ‘the cheese is exposed, or is not exposed, to the rat.’”

So what can individuals and companies do? Pay close heed to patches and get them installed. Tools are readily available to check whether your network is using a vulnerable version of Bash, says Jeff Schilling, CSO at FireHost.

Advised Schilling: “Step one is to figure out if you have any systems that are vulnerable. If so, how many? Step two is to figure out how to put a compensating control in place to buy time to wait for a patch. Step three, patch your systems in a methodical manner to ensure your most important servers are fixed first.”

More on emerging best practices

3 steps for figuring out if your business is secure

Encryption rules ease retailers’ burden

Tracking privileged accounts can thwart hackers

Impenetrable encryption locks down Internet of Things