Hackin9

The expanding options for communicating over the Internet and the increasing adoption of encryption technologies could leave law enforcement agents “in the dark” and unable to collect evidence against criminals, the Director of the FBI said in a speech on Thursday.

In a post-Snowden plea for a policy more permissive of spying, FBI Director James B. Comey raised the specters of child predators, violent criminals, and crafty terrorists to argue that companies should build surveillance capabilities into the design of their products and allow lawful interception of communications. In his speech given at the Brookings Institute in Washington DC, Comey listed four cases where having access to a mobile phone or laptop proved crucial to an investigation and another case where such access was critical to exonerating wrongly accused teens.

All of that will go away, or at least become much harder, if the current trend continues, he argued.

Read 15 remaining paragraphs | Comments

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

CSO Online

The Paradox of STEM Training
CSO Online
Trending: CSO Daily Dashboard · Social Engineering · InfoSec Careers · Mobile Security · CSO Events · Resources/White Papers · cso online. Most read: descend. Dreaded SSLv3 bug no monster, only a POODLE · Microsoft's monthly update fixes two ...

 
OpenSSL CVE-2014-3513 Information Disclosure Vulnerability
 
OpenSSL 'no-ssl3' Build Option Security Bypass Vulnerability
 
OpenSSL Session Ticket Memory Leak Remote Denial of Service Vulnerability
 
Multiple Huawei Switches Information Disclosure Vulnerability
 
OpenSSL CVE-2014-3566 Man In The Middle Information Disclosure Vulnerability
 

With POODLE behind us, it is time to get ready for the next SSL firedrill. One of the questions that keeps coming up is which ciphers and SSL/TLS versions are actually in use. If you decide to turn off SSLv3 or not depends a lot on who needs it, and it is an important answer to have ready should tomorrow some other cipher turn out to be too weak.

But keep in mind that it is not just numbers that matter. You also need to figure out who the outliers are and how important (or dangerous?) they are. So as a good start, try to figure out how to log SSL/TLS versions and ciphers. There are a couple of options to do this:

In Apache, you can log the protocol version and cipher easily by logging the respective environment variable [1] . For example:
CustomLog logs/ssl_request_log %t %h \{User-agent}i\%{SSL_PROTOCOL}x %{SSL_CIPHER}x

Logs SSL protocol and cipher. You can add this to an existing access log, or create a new log. If you decide to log this in its own log, I suggest you add User-Agent and IP Address (as well as time stamp).

In nginx, you can do the same by adding$ssl_cipher $ssl_protocolto the log_format directive in your nginx configuration. For example:

log_format ssl $remote_addr $http_user_agent $ssl_cipher $ssl_protocol

Should give you a similar result as for apache above.

If you have a packet sniffer in place, you can also use tshark to extract the data. With t-shark, you can actually get a bit further. You can log the client hello with whatever ciphers the client proposed, and the server hello which will indicate what cipher the server picked.

tshark -r ssl -2R ssl.handshake.type==2 or ssl.handshake.type==1 -T fields -e ssl.handshake.type -e ssl.record.version -e ssl.handshake.version -e ssl.handshake.ciphersuite

For extra credit log the host name requested in the client hello via SNI and compare it to the actual host name the client connects to.

Now you can not only collect Real Data as to what ciphers are needed, but you can also look for anomalies. For example, user agents that request very different ciphers then other connections that claim to originate from the same user agent. Or who is asking for weak ciphers? Maybe a sign for an SSL downgrade attack? Or an attack tool using and older SSL library...

[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#logformats[2]

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Adobe Flash Player and AIR CVE-2014-0564 Unspecified Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1578 Out of Bounds Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird CVE-2014-1581 Use After Free Memory Corruption Vulnerability
 
[SECURITY] [DSA 3052-1] wpa security update
 
[security bulletin] HPSBMU03126 rev.1 - HP Operations Manager (formerly OpenView Communications Broker), Remote Cross-site Scripting (XSS)
 
[security bulletin] HPSBHF03125 rev.1 - HP Next Generation Firewall (NGFW) running Bash Shell, Remote Code Execution
 
Bypassing blacklists based on IPy
 
Cisco Security Advisory: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
 
Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability
 
Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Video Communication Server and Cisco Expressway Software
 
Cisco Security Advisory: Cisco TelePresence MCU Software Memory Exhaustion Vulnerability
 
Oracle MySQL Server Username Enumeration Weakness
 
MySQL MyISAM Insecure Temporary File Creation Vulnerability
 

Posted by InfoSec News on Oct 16

http://www.healthcareitnews.com/news/hipaa-breach-letters-go-out-after-email-hack

By Erin McCann
Associate Editor
Healthcare IT News
October 14, 2014

An academic medical center in California is notifying patients of a HIPAA
breach after officials discovered a physician's email account had been
hacked by an outside source.

University of California Davis Health System has notified 1,326 patients
that their protected health information,...
 

Posted by InfoSec News on Oct 16

http://dealbook.nytimes.com/2014/10/15/cyberattack-at-jpmorgan-chase-also-hit-website-of-banks-corporate-race/

By MATTHEW GOLDSTEIN, NICOLE PERLROTH and JESSICA SILVER-GREENBERG
The New York Times
OCTOBER 15, 2014

The JPMorgan Chase Corporate Challenge, a series of charitable races held
each year in big cities across the world, is one of those feel-good events
that bring together professionals from scores of big companies.

It was also a...
 

Posted by InfoSec News on Oct 16

http://arstechnica.com/security/2014/10/the-secure-smartphone-that-wont-get-you-beaten-with-rubber-hoses/

By Peter Bright
Ars Technica
Oct 15, 2014

Interest in secure communications is at an all time high, with many
concerned about spying by both governments and corporations. This concern
has stimulated developments such as the Blackphone, a custom-designed
handset running a forked version of Android that's built with security in
mind....
 

Posted by InfoSec News on Oct 16

http://www.washingtontimes.com/news/2014/oct/15/inside-the-ring-chinese-tried-to-hack-nsa-using-us/

By Bill Gertz
The Washington Times
October 15, 2014

Chinese telecommunications equipment giant Huawei Technologies sought to
gain access to National Security Agency computer networks this year in a
failed cyberespionage attack, U.S. officials said.

The company, which the U.S. government has linked to China’s military,
sought to penetrate...
 



Advisory ID: cisco-sa-20141015-poodle

Revision 1.0

For Public Release 2014 October 15 17:30 UTC (GMT)

+---------------------------------------------------------------------

Summary
+======

On October 14, 2014, a vulnerability was publicly announced in the Secure Sockets Layer version 3 (SSLv3) protocol when using a block cipher in Cipher Block Chaining (CBC) mode. SSLv3 is a cryptographic protocol designed to provide communication security, which has been superseded by Transport Layer Security (TLS) protocols. By exploiting this vulnerability, an attacker could decrypt a subset of the encrypted communication.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Mozilla Firefox/Thunderbird CVE-2014-1576 Remote Heap Buffer Overflow Vulnerability
 
Oracle Java SE CVE-2014-6504 Remote Security Vulnerability
 
Oracle Java SE CVE-2014-6511 Remote Security Vulnerability
 
Internet Storm Center Infocon Status