Hackin9

Adobe Rushes Flash Fix for 0-Day Exploit
SPAMfighter News (press release)
Adobe recently hurried out a Flash update that fixes a vulnerability spotted by infosec researchers, before cautioning users of Windows 10 about a potential exposure of the program to the vulnerability spanning a week or more.

 

The Register

Uninstall QuickTime for Windows: Apple will not patch its security bugs
The Register
Word of the end of support comes from infosec biz Trend Micro. It discovered two critical flaws in the Windows build of QuickTime and reported them to Apple. In response, Trend told The Register, the iPhone maker said it won't fix the bugs, and is ...

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

If your Windows computer is running Apple's QuickTime media player, now would be a good time to uninstall it.

The Windows app hasn't received an update since January, and security researchers from Trend Micro said it won't receive any security fixes in the future. In a blog post published Thursday, the researchers went on to say they know of at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.

"We’re not aware of any active attacks against these vulnerabilities currently," they wrote. "But the only way to protect your Windows systems from potential attacks against these or other vulnerabilities in Apple QuickTime now is to uninstall it."


 

Google addresses found in short URLs associated with a single user in Austin, Texas, courtesy of Google's old 5-character short URL tokens. (credit: Vitaly Shmatikov)

Two security researchers have published research exposing the potential privacy problems connected to using Web address shortening services. When used to share data protected by credentials included in the Web address associated with the content, these services could allow an attacker to gain access to data simply by searching through the entire address space for a URL-shortening service in search of content, because of how predictable and short those addresses are.

Both Microsoft and Google have offered URL shortening services embedded in various cloud services. Microsoft included the 1drv.ms URL shortening service in its OneDrive cloud storage service and a similar service (binged.it) for Bing Maps—"branded" domains of the bit.ly domain shortening service; Microsoft has stopped offering the OneDrive embedded shortener, but existing URLs are still accessible. Google Maps has an embedded tool that creates URLs with the goo.gl domain.

Vitaly Shmatikov of Cornell Tech and visiting researcher Martin Georgiev conducted an 18-month study in which they focused on OneDrive and Google Maps. "We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary)," Shmatikov wrote in a blog post today, "but we sampled enough to discover interesting information and draw important conclusions." One of those conclusions was that Microsoft's OneDrive shortened URLs were entirely too easy to traverse.


 

SANS to Host First-Ever Salt Lake City, Utah Information Security Training Event
PR Newswire (press release)
BETHESDA, Md., April 14, 2016 /PRNewswire-USNewswire/ -- SANS Institute, the global leader in information security training, today announced its first-ever Salt Lake City, Utah training event. Scheduled for June 27 through July 2, SANS Salt Lake City ...

 

[Thanks to Felix aka @nexusnode for inspiring this post. Also, see his blog post [2] for more details]

One of the underutilized security measures I mentioned recently was HTTP Public Key Pinning, or HPKP. First, again, what is HPKP:

HPKP adds a special header to the HTTP response. This header lists hashes of public keys which may be used with a particular site. If an imposter manages to convince a certificate authority to hand her a certificate for your domain name, then the browser can reject the certificate based on the hash it learned from the valid site.

Why is this so important? Did you get rid of SSLv3? How many public breaches can you point to that are due to someone leaving SSLv3 (not v2..) enabled? I am not talking about lab experiments. I am talking about people losing customer data as a result. On the other hand, there are news reports of unauthorized individuals obtaining certificates from valid certificate authorities [3]. The new Let's Encrypt project may make this a bit easier. Anybody able to upload files to your web server may be able to obtain an SSL certificate.

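The header looks like this (the base64-encoded hashes are abbreviated to fit them in one line; max-age, which RFC 7469 [1] requires, is the number of seconds the browser remembers the pins):

Public-Key-Pins: pin-sha256="ABCE...1234="; pin-sha256="ECBA...5321=="; max-age=5184000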

First of all, you need AT LEAST two hashes. The idea is that you create two key pairs. One of the public keys you send to the certificate authority (CA) as part of a certificate signing request (CSR) to have it signed. The second key pair you keep in a safe place. But you do add hashes for both keys to the pinning header. This way, should the current live key get compromised, you can use the backup key, and browsers will already know it is valid.

Browsers will actually ignore the header if they only find one key listed. This is an important measure to prevent self-inflicted DoS conditions. In addition, the HPKP header is only considered if it is received over HTTPS.

To test your pin, the all-around SSL testing site https://ssllabs.com is helpful as usual. It will calculate the pin for each certificate it finds. Personally, I am using a simple shell script to create the hash from the CSR (based on the one Felix has on his site):

openssl req -in test.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64

Just replace test.csr with your CSR filename. The script extracts the public key, then converts it to DER (binary) format, calculates a SHA-256 digest and finally encodes that digest in Base64. You can use the certificate as well if you didn't keep the CSR around.

There are also a couple of additional helpful parameters:

- includeSubDomains : This will extend the key pin to any subdomains of yours.
- report-uri: If you would like to be notified whenever a browser runs into a bad certificate, you can ask the browser to post a report to this URI. The report is a JSON snippet that will include details like the certificate that was found and any pins that resulted in its rejection. You can use report-uri.io if you don't want to create your own system to catch the reports.

If you are afraid of false positives, you can also use the Public-Key-Pins-Report-Only header. This will result in a report, but the site will not be blocked.
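
An added illustration (not part of the original post) of how a browser would note and enforce the header described above: it parses the directives, ignores the header when it arrives over plain HTTP or carries fewer than two pins, and then checks presented keys against the pins. The function names are hypothetical, the byte strings are constructed stand-ins for DER public keys, and the max-age requirement is taken from RFC 7469 [1].

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(DER public key)), as the openssl pipeline produces."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def note_policy(header: str, over_https: bool):
    """Parse a Public-Key-Pins value; return None where a browser would ignore it."""
    if not over_https:                      # pins are only honoured over HTTPS
        return None
    policy = {"pins": set(), "max_age": None,
              "include_subdomains": False, "report_uri": None}
    for directive in header.split(";"):     # simplification: no ';' inside values
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(value)
        elif name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    if len(policy["pins"]) < 2 or policy["max_age"] is None:
        return None                         # no backup pin, or no lifetime (RFC 7469)
    return policy

def chain_allowed(policy, chain_spkis) -> bool:
    """True if any key in the presented chain matches a noted pin."""
    return any(spki_pin(k) in policy["pins"] for k in chain_spkis)

# Constructed stand-ins for DER public keys (not real keys).
LIVE_KEY, BACKUP_KEY, ROGUE_KEY = b"live-spki", b"backup-spki", b"rogue-spki"

def build_header(*keys, max_age=5184000):
    """Assemble a header value pinning the given keys (max_age is a sample value)."""
    pins = "; ".join(f'pin-sha256="{spki_pin(k)}"' for k in keys)
    return f"{pins}; max-age={max_age}; includeSubDomains"

HEADER = build_header(LIVE_KEY, BACKUP_KEY)
POLICY = note_policy(HEADER, over_https=True)

if __name__ == "__main__":
    print(HEADER)
    print("live key:  ", chain_allowed(POLICY, [LIVE_KEY]))
    print("backup key:", chain_allowed(POLICY, [BACKUP_KEY]))
    print("rogue key: ", chain_allowed(POLICY, [ROGUE_KEY]))
    print("single pin:", note_policy(build_header(LIVE_KEY), over_https=True))
    print("over HTTP: ", note_policy(HEADER, over_https=False))
```

A certificate for the same hostname issued over a different key fails the pin check, while a rollover to the offline backup key passes without any header change.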

So what should you do:

  • Start out with the Public-Key-Pins-Report-Only header to get comfortable with key pinning
  • Create a spare key and keep it offline (three copies... three different locations... I like DVDs, but it doesn't hurt to print them just in case)
  • Watch your reports. Any false positives?
  • After a couple months, pull the switch and remove the -Report-Only part.

[1] https://tools.ietf.org/html/rfc7469
[2] https://www.felixrr.pro/archives/425/http-public-key-pinning-hpkp
[3] just search Google news for certificate authority issued ssl certificate unauthorized and a few nice stories should come up.

---
Johannes B. Ullrich, Ph.D.
 

iT News

ANZ Bank turns to peers for infosec intelligence
iT News
Businesses that rely solely on vendor signature feeds for malware detection are leaving themselves open to targeted attack, according to ANZ Bank's top cyber expert. Speaking to the Australian Cyber Security Centre conference yesterday, Adam Cartwright ...

 

Badlock vulnerability proves a bust for responsible disclosure
TechTarget
"It is almost totally hype," said Jacob Williams, founder of consulting firm Rendition InfoSec LLC, in Augusta, Ga., echoing the opinion of most experts. "The guys behind the Badlock preannouncement, with its shiny little website and fancy name, should ...

 

 

iT News

How Airbus defends against 12 big cyber attacks each year
iT News
Civil aircraft manufacturer Airbus Group is hit by up to 12 major systems attacks each year, its chief information security officer has revealed, mostly through ransomware and state-sponsored hackers. Stephane Lenco told the Australian Cyber Security ...

 
Django CMS v3.2.3 - Filter Bypass & Persistent Vulnerability
 
Mybb Cms (private.php Page) Denial Of Service Vulnerability
 
[SECURITY] [DSA 3548-2] samba regression update
 


 

Korea Times

AIA Korea earns InfoSec certification
Korea Times
The insurer said in a statement that it earned an "i-Safe Mark" from the Korea Online Privacy Association, a private organization promoting information security (InfoSec). The announcement was made on the company's official website www.aia.co.kr and ...

 
[SECURITY] [DSA 3548-1] samba security update
 
Internet Storm Center Infocon Status