Saturday, August 06, 2016

Protect yourself against the HEIST + BREACH vulnerability



The new HEIST vulnerability demonstrated at Black Hat this week makes it possible to use the BREACH and/or CRIME vulnerabilities to decode HTTPS (or HTTP/2) traffic without the attacker having a man-in-the-middle position.

[EDIT: Just to be clear, this will not protect against all instances of the HEIST attack, but as it disables BREACH, it protects against the specific technique of combining HEIST and BREACH]

CRIME requires TLS compression, which most products that supported it dropped in 2012. BREACH requires HTTP compression within the HTTPS session, which the attack manipulates to determine the plaintext contents of the encrypted message.

Many web site admins have been shutting off HTTP compression on encrypted sites for a while, but you cannot trust that everyone else is as diligent, so a browser-based approach is best for protecting your own info.

In order for compression to work, the browser and the server both need to support it, so the server relies on the browser asking for it in the request.

To prevent Google Chrome from requesting compressed pages you need to modify the Accept-Encoding request header. There is a plugin for Google Chrome called ModHeader that will allow you to do that. Simply install ModHeader and add an entry for Accept-Encoding with a blank value, as shown below:

[Screenshot: ModHeader with an Accept-Encoding request header entry whose value is left blank]



You can test this at the following site: http://www.whatsmyip.org/http-compression-test/

The drawback to turning HTTP compression off is that sites that do use it (which is still perfectly safe on non-encrypted sites, since there are no secrets to be revealed) will load a little more slowly, as GZIP or Deflate compression can decrease the size of pages by about 60%.
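If you administer an HTTPS site yourself, you can check whether it still compresses responses (the BREACH precondition) from a PowerShell prompt instead of relying on a third-party test page. The function below is an added example and is not part of the original post: it makes one request that asks for compression the way a browser does, and one that sends no Accept-Encoding at all (the equivalent of the blank ModHeader entry), and reports the Content-Encoding the server answered with. The URL is an assumption; point it at a page that returns HTML, since servers usually compress only text types.

```powershell
# Added example (not from the original post): report whether a server sends a
# compressed body over HTTPS. Leaving decompression off means the raw
# Content-Encoding header is exactly what the server put on the wire.

function Test-HttpsCompression {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [string]$AcceptEncoding = 'gzip, deflate'   # what a browser normally sends
    )

    # Older Windows PowerShell defaults to TLS 1.0 for .NET web requests
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = 'GET'
    $request.AutomaticDecompression = [System.Net.DecompressionMethods]::None

    # A blank value means "send no Accept-Encoding header at all"
    if ($AcceptEncoding -ne '') {
        $request.Headers['Accept-Encoding'] = $AcceptEncoding
    }

    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # A 4xx/5xx answer still carries headers worth looking at
        if ($_.Exception.Response) { $response = $_.Exception.Response } else { throw }
    }

    try {
        $encoding = $response.Headers['Content-Encoding']
        $label = if ($encoding) { $encoding } else { '(none)' }
        [pscustomobject]@{
            Url             = $Url
            AcceptEncoding  = $AcceptEncoding
            ContentEncoding = $label
            Compressed      = [bool]$encoding
        }
    } finally {
        $response.Close()
    }
}

# Usage: compare a normal browser-style request with one that asks for nothing.
# 'https://www.yoursite.example/' is a placeholder; use a site you administer.
Test-HttpsCompression -Url 'https://www.yoursite.example/'
Test-HttpsCompression -Url 'https://www.yoursite.example/' -AcceptEncoding ''
```

If the first call reports Compressed = True and the second reports False, the server honours the client's header, which is exactly why the client-side ModHeader change above works; if the server compresses even when nothing was asked for, only a server-side fix will help.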


Friday, August 05, 2016

Speeding up Windows 10

Windows 10 can feel a little sluggish if you have been using a fairly peppy system under Win 7 or 8.1.

Here are a few things you can do to make it feel less sluggish.

First, click on the notifications icon in the taskbar.

Now click the "All Settings" button.

I know, it's not the most intuitive place to look, but click on "Ease of Access".

Now click "Other Options".

At the top you will see the switch for "Play animations in Windows"... turn it off.
Your start menu will come up as soon as you click it now, instead of feeling like the computer needs to wake up from its nap first.


There is another place where animations that are not really necessary can be switched off. This is pretty much mandatory for old systems that have been upgraded to Win 10.

Open up the System Control Panel (from the old control panel, not the new metro/modern Settings app).
Click on "Advanced System Settings".

Click the first "Settings" button, under Performance.

Uncheck any animation features you don't care about.


Now this one is something I've done for every Windows install for ages, but not everyone knows it:
While you are in here, click the "Advanced" tab and click the "Change" button.

Windows by default will have "Automatically manage paging file size for all drives" checked; uncheck that box.
Now look at the recommended size near the bottom of this window (it will be different for your computer than it is for mine). Highlight one of your drives and enter the recommended amount of virtual memory (AKA page file, or swap) space in both the initial size and the maximum size.

Here you can see that I had a largish virtual memory space on my F: drive previously, but I have also added some space in the recommended amount to my C: drive. C: is only a 128GB SSD, so I had put this swap space on F: (a standard laptop HDD) initially, and that was fine, but putting some swap on the SSD really perked it up. I had to move the C:/Windows/Installer folder to one of my other drives to make some room (a lot of room) on C: to make this even possible.
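The same page file change can be scripted from an elevated PowerShell prompt, which is handy when you are doing it on more than one machine. This is an added example, not part of the post: it unticks the automatic management setting through WMI and then gives one drive a fixed page file with initial and maximum size set to the same value. The size is a parameter because the "Recommended" figure comes from the dialog for your machine, as described above; a reboot is still needed for the change to take effect.

```powershell
# Added example (not from the original post): configure a fixed-size page file
# on one drive via WMI, the same change the Virtual Memory dialog makes.
# Run from an elevated prompt; the new setting applies after a reboot.

function Set-FixedPageFile {
    param(
        [Parameter(Mandatory = $true)][string]$Drive,   # e.g. 'C:'
        [Parameter(Mandatory = $true)][int]$SizeMB      # the "Recommended" size the dialog shows
    )

    # Step 1: untick "Automatically manage paging file size for all drives"
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile) {
        $cs.AutomaticManagedPagefile = $false
        $null = $cs.Put()
    }

    # Step 2: set initial and maximum size to the same value on the chosen drive.
    # Win32_PageFileSetting names the file, e.g. "C:\pagefile.sys".
    $path = "$Drive\pagefile.sys"
    $pf = Get-WmiObject -Class Win32_PageFileSetting | Where-Object { $_.Name -eq $path }
    if (-not $pf) {
        # No page file on that drive yet: create the setting first
        $pf = Set-WmiInstance -Class Win32_PageFileSetting -Arguments @{ Name = $path }
    }
    $pf.InitialSize = $SizeMB
    $pf.MaximumSize = $SizeMB
    $null = $pf.Put()

    # Show what is now configured on every drive
    Get-WmiObject -Class Win32_PageFileSetting | Select-Object Name, InitialSize, MaximumSize
}

# Usage: 2048 MB is a placeholder; use the recommended figure from your own dialog
Set-FixedPageFile -Drive 'C:' -SizeMB 2048
```

If you want to remove a page file from another drive (for example the HDD you used before moving swap to the SSD), the corresponding Win32_PageFileSetting instance can be deleted with Remove-WmiObject, again followed by a reboot.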

If you have additional tips add them to the comments.

Thursday, July 14, 2016

Breaking news: Edward Snowden to Speak at SecTor 2016

Former CIA, NSA, and DIA intelligence agent and famed whistleblower Edward Snowden will be giving a keynote via video link from Russia at SecTor 2016: http://sector.ca/speakers/edward-snowden/

The keynote presentation will start at 9am on Tuesday, October 18 in the SecTor Keynote Hall on level 800 of the South Building in the Metro Toronto Convention Centre in downtown Toronto. If you don't already have tickets for the convention, get 'em now.

This will be the Infosec/IT event of the year in Toronto.

http://sector.ca/register/

Wednesday, June 01, 2016

Powershell tidbit of the week

Some of you are familiar with SSLLabs.com.

Of those who have used it, some of you have probably run into at least one of these limitations:
It doesn't work for sites on your intranet. It doesn't work for sites with no DNS. It doesn't work with SNI sites (servers that host more than one site under different DNS names). It doesn't work for any port other than 443, and it has to be a web server, not a mail server, so there is no way to test whether TLS is working on your SMTP server and what ciphers it uses... but NMAP can do that, if you can remember what command line options to feed it.

I put these 3 lines in a file called testTLSCiphers.ps1 to make it easier for me to remember, and you might want to do that too.

# Prompt for the target host and port, then hand both to nmap's ssl-enum-ciphers script
$ServerName = Read-Host -Prompt 'Input your server name'
$Port = Read-Host -Prompt 'Input your server TCP port number (443 is most common)'
nmap --script ssl-enum-ciphers -p $Port $ServerName



The output looks something like this:
PS C:\Users\rod> C:\scripts\Powershell scripts\testTLSCiphers.ps1
Input your server  name: internalsite.local
Input your server TCP port number (443 is most common): 443
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2016-06-01 15:29 Eastern Daylight Time
Nmap scan report for internalsite.local (192.168.1.6)
Host is up (0.0010s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 3.38 seconds
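Reading a listing like the one above by eye is fine for one server, but the things you actually care about are buried in it: whether an old protocol version is still offered, whether any cipher suite lacks forward secrecy, whether nmap graded anything below A, and whether a TLS-level compressor other than NULL is enabled (that last one is the precondition for CRIME, which the HEIST post above mentions; NULL means TLS compression is off). The code below is an added example, not part of the original script: it parses the text nmap prints and turns it into a short list of findings. The sample output embedded in it is a constructed excerpt in the same shape as the listing above; on a real run you would feed it the output of the nmap command from the script.

```powershell
# Added example (not from the original post): parse nmap's ssl-enum-ciphers
# output into objects and summarise the findings worth acting on.

# Constructed sample in the same layout nmap prints; replace with real output.
$SampleOutput = @'
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
'@ -split "`r?`n"

function ConvertFrom-SslEnumCiphers {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $protocol = $null
    $section  = $null
    foreach ($raw in $Lines) {
        # nmap prefixes every script line with "| " or "|_"; strip that and the indent
        $line = ($raw -replace '^\|_?', '').Trim()
        if ($line -match '^(SSLv\d|TLSv1\.\d):$')                 { $protocol = $Matches[1]; $section = $null; continue }
        if ($line -match '^(ciphers|compressors):$')               { $section  = $Matches[1]; continue }
        if ($line -match '^(cipher preference|least strength):')   { $section  = $null; continue }

        if ($section -eq 'ciphers' -and $line -match '^(\S+)\s+\(([^)]*)\)\s+-\s+(\S+)$') {
            [pscustomobject]@{ Protocol = $protocol; Cipher = $Matches[1]; KeyExchange = $Matches[2]; Grade = $Matches[3]; Compressor = $null }
        }
        elseif ($section -eq 'compressors' -and $line -ne '') {
            [pscustomobject]@{ Protocol = $protocol; Cipher = $null; KeyExchange = $null; Grade = $null; Compressor = $line }
        }
    }
}

function Get-TlsFindings {
    param([Parameter(Mandatory = $true)][object[]]$Entries)

    $findings = @()

    # Protocol versions that should be retired
    $legacy = $Entries | Where-Object { $_.Protocol -in 'SSLv2', 'SSLv3', 'TLSv1.0', 'TLSv1.1' } |
        Select-Object -ExpandProperty Protocol -Unique
    foreach ($p in $legacy) { $findings += "Legacy protocol offered: $p" }

    # TLS-level compression is what CRIME needs; nmap prints NULL when there is none
    foreach ($e in ($Entries | Where-Object { $_.Compressor -and $_.Compressor -ne 'NULL' })) {
        $findings += "TLS compression enabled on $($e.Protocol): $($e.Compressor) (CRIME precondition)"
    }

    # Static RSA key exchange (TLS_RSA_WITH_*) gives no forward secrecy
    $noPfs = $Entries | Where-Object { $_.Cipher -like 'TLS_RSA_WITH_*' } |
        Select-Object -ExpandProperty Cipher -Unique
    foreach ($c in $noPfs) { $findings += "No forward secrecy: $c" }

    # Anything nmap graded below A
    foreach ($e in ($Entries | Where-Object { $_.Grade -and $_.Grade -ne 'A' })) {
        $findings += "Weak cipher ($($e.Grade)) on $($e.Protocol): $($e.Cipher)"
    }
    $findings
}

# Usage with the constructed sample; for a live scan replace $SampleOutput with
# (nmap --script ssl-enum-ciphers -p $Port $ServerName)
$entries = ConvertFrom-SslEnumCiphers -Lines $SampleOutput
Get-TlsFindings -Entries $entries
```

The parser and the policy are separate on purpose: ConvertFrom-SslEnumCiphers only turns nmap's text into objects, so you can pipe the result to Export-Csv for an inventory, and Get-TlsFindings is where you adjust what counts as a problem for your environment (for instance adding CBC suites to the list once your clients all support GCM).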

Thursday, January 09, 2014

So You Want To Be A CISSP?

This post is for those who've been doing some network security and want to make it official and get the CISSP certification.

ISC2 has a set of intro videos to get you started. They are about 15 minutes each. The first is an introduction, and then there is one for each of the 10 domains. This is not a course on becoming a CISSP, just an introduction to the type of information you would need to be familiar with.

If you are at the point in your career where moving firmly into the domain of security is appealing to you, this is a nice little preview of what's ahead of you.

http://education.isc2.org/cissp-webcast-1/
http://education.isc2.org/cissp-webcast-2/
http://education.isc2.org/cissp-webcast-3/
http://education.isc2.org/cissp-webcast-4/
http://education.isc2.org/cissp-webcast-5/
http://education.isc2.org/cissp-webcast-6/
http://education.isc2.org/cissp-webcast-7/
http://education.isc2.org/cissp-webcast-8/
http://education.isc2.org/cissp-webcast-9/
http://education.isc2.org/cissp-webcast-10/
http://education.isc2.org/cissp-webcast-11/



Tuesday, November 05, 2013

Sophos UTM (with 10 licenses for Endpoint Protection) Free For Home Use

Sophos previously didn't have a full-featured home-use antivirus.
They had one that you could run manually if you thought you had an infection, and they had a home-use clause for their business customers that let them give it to employees for free use at home, managed by the IT folks in the office, but there was no way to buy it for home use unless you bought the minimum of 5 licenses for small business use.

Recently they made their UTM product (the firewall formerly known as Astaro Linux) available for free to home users, and it comes with 10 licenses for home use of the full-featured Endpoint Protection client.

The central configuration console on the UTM is not as slick as the Enterprise console, and it doesn't allow you to control Sophos' hard drive encryption software, but it does let you set up the Antivirus, Web Filtering, Firewall, and Intrusion Protection features. It doesn't need a Windows domain, so you can use it on Windows Home editions. The one thing that makes it really only for techie home users is that the UTM has to be installed on dedicated hardware or in a Virtual Machine.

If you already know how to set up a VM, then you are ready to go: just download the pre-built VM or the software ISO and give it a try. http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

So with this you get a full-featured Endpoint Protection program and a network-based firewall system with more VPN options than I have ever seen in one product. This is great for people running home labs for networking courses or Infosec research.

Having played around with it a bit at home, I would rank its UTM firewall capabilities fairly low in terms of flexibility compared to the FortiGate UTMs I'm familiar with, but you can't beat free for home networks.


Thursday, September 19, 2013

Is It a VM?

Having a hard time keeping track of which machines on your network are virtual?

I have just the script for you. I wanted to have a way to quickly find out what machines were virtual at work, so I whipped this up in PowerShell today.

Param(
    [string[]]$ComputerName = 'localhost',   # one or more names; [string[]] so "-ComputerName a, b, c" works
    [string]$ComputersListFile               # or a text file with one computer name per line
)

# Build the target list; a list file takes precedence over -ComputerName
if ($ComputersListFile) { $computers = Get-Content -Path $ComputersListFile } else { $computers = $ComputerName }

# The test: a VMware guest reports a BIOS serial number that begins with "VMware".
# -like is used rather than .StartsWith() so a blank serial does not throw.
if (-not $ComputersListFile -and $ComputerName.Count -eq 1 -and $ComputerName[0] -eq 'localhost') {
    # Local check: no PowerShell remoting needed
    if ((Get-WmiObject -Class win32_bios).SerialNumber -like 'VMware*') { Write-Output "This machine is a VM!" } else { Write-Output "This machine is probably not a VM" }
}
else {
    # Remote check over PowerShell remoting; each target reports its own hostname
    Invoke-Command -ComputerName $computers -ScriptBlock {
        $hostname = hostname
        if ((Get-WmiObject -Class win32_bios).SerialNumber -like 'VMware*') { Write-Output "$hostname is a VM!" } else { Write-Output "$hostname probably is not a VM" }
    }
}

This only works as it is for VMware virtualization, not for Hyper-V or VirtualBox, but it would be easy to add tests for those too. The test is to look at the BIOS SerialNumber and see if it starts with the string "VMware". It's just that simple. ...You could also look at the MAC address of the NIC and see if the first few digits (the vendor prefix) match one of the VMware prefixes, but the BIOS string was easier.


Run it like this:

.\IsItAVM.ps1 -ComputerName computer1, computer2, computer3

or like this if you have a list of computers already in a file:

.\IsItAVM.ps1 -ComputersListFile U:\computers.txt

Of course, this will only work if the computer you are testing is Windows with PowerShell, has PowerShell remoting enabled, and is not blocked by a firewall... but in an IT environment where PowerShell is being used for management this fits nicely.
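As an added example (not the original script), here is the same idea extended to the other two hypervisors the post mentions, plus the MAC-prefix check as a fallback. The decision logic takes plain strings, so it can be exercised against constructed facts without touching WMI, and a small wrapper gathers the real values from Win32_ComputerSystem, Win32_BIOS and Win32_NetworkAdapter. The indicator strings are the well-known ones each hypervisor reports to the guest; treat them as an assumption and verify them against your own inventory before relying on the results.

```powershell
# Added example (not from the original post): classify a machine as a VMware,
# Hyper-V or VirtualBox guest from its BIOS/system strings, falling back to the
# NIC vendor prefix. Returns the hypervisor name, or $null if nothing matched.

function Get-HypervisorFromFacts {
    param(
        [string]$Manufacturer,
        [string]$Model,
        [string]$BiosSerial,
        [string[]]$MacAddresses = @()
    )

    # Strings the guests are commonly seen reporting (assumed; check your own fleet)
    if ($BiosSerial -like 'VMware*' -or $Model -like 'VMware*')              { return 'VMware' }
    if ($Manufacturer -like 'Microsoft*' -and $Model -eq 'Virtual Machine')  { return 'Hyper-V' }
    if ($Manufacturer -like 'innotek*' -or $Model -eq 'VirtualBox')          { return 'VirtualBox' }

    # Fallback: the first three octets of a MAC identify the NIC vendor
    $ouis = @{
        '00:50:56' = 'VMware'; '00:0C:29' = 'VMware'; '00:05:69' = 'VMware'
        '00:15:5D' = 'Hyper-V'
        '08:00:27' = 'VirtualBox'
    }
    foreach ($mac in $MacAddresses) {
        $norm = ($mac -replace '-', ':').ToUpper()
        if ($norm.Length -ge 8 -and $ouis.ContainsKey($norm.Substring(0, 8))) {
            return $ouis[$norm.Substring(0, 8)]
        }
    }
    return $null   # no known indicator: probably physical
}

function Test-IsVirtualMachine {
    param([string]$ComputerName = 'localhost')

    $wmi  = @{ ComputerName = $ComputerName }
    $cs   = Get-WmiObject -Class Win32_ComputerSystem @wmi
    $bios = Get-WmiObject -Class Win32_BIOS @wmi
    # Physical adapters only, so a Hyper-V host's own virtual switch NIC is ignored
    $macs = Get-WmiObject -Class Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE' @wmi |
        Where-Object { $_.MACAddress } | Select-Object -ExpandProperty MACAddress

    $hv = Get-HypervisorFromFacts -Manufacturer $cs.Manufacturer -Model $cs.Model `
        -BiosSerial $bios.SerialNumber -MacAddresses @($macs)
    [pscustomobject]@{ ComputerName = $ComputerName; Hypervisor = $hv; IsVM = ($null -ne $hv) }
}

# Constructed facts, the shape Win32_ComputerSystem / Win32_BIOS report, to show
# the three paths through the classifier without needing a VM to hand:
Get-HypervisorFromFacts -Manufacturer 'VMware, Inc.' -Model 'VMware Virtual Platform' `
    -BiosSerial 'VMware-56 4d 00 00 00 00 00 00-00 00 00 00 00 00 00 00'
Get-HypervisorFromFacts -Manufacturer 'Microsoft Corporation' -Model 'Virtual Machine' -BiosSerial '1234-5678'
Get-HypervisorFromFacts -Manufacturer 'Unknown' -Model 'Unknown' -BiosSerial 'ABC123' -MacAddresses '08:00:27:AA:BB:CC'

# And the real thing on this machine:
Test-IsVirtualMachine
```

Test-IsVirtualMachine uses Get-WmiObject's own -ComputerName parameter (DCOM), which is an alternative to the Invoke-Command approach in the script above; for a list of machines, pipe the names into it, or call Get-HypervisorFromFacts from inside an Invoke-Command script block if you prefer to stay on WinRM.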

Have fun!

--
Edit: Added a little bit of code to better handle the localhost case. If you just run it as .\IsItAVM.ps1 or manually specify just localhost in the -ComputerName then it will not try to use Invoke-Command, so it will not need remoting turned on for a localhost check. Also it gives a slightly different message on a localhost check.