Saturday, August 06, 2016

Protect yourself against the HEIST + BREACH vulnerability



The new HEIST vulnerability demonstrated at Black Hat this week  makes it possible to use BREACH and/or CRIME vulnerabilities to decode HTTPS traffic (or HTTP/2) without the hacker having a man-in-the-middle position.

[EDIT: Just to be clear, This will not protect against all instances of the HEIST attack, but as it disables BREACH, it protects against the specific technique of combining HEIST and BREACH]

CRIME requires TLS compression which was dropped by most products that supported it in 2012. BREACH requires HTTP compression within the HTTPS session, which they manipulate to determine the plaintext contents of the encrypted message.

Many web site admins have been shutting off HTTP compression on encrypted sites for a while, but you cannot trust that everyone else is as diligent, so a browser based approach is best for protecting your own info.

In order for compression to work the browser and the server both need to support it, so the server relies on a request from the browser.

To prevent Google Chrome from requesting compressed pages it is required to modify the Accept-Encoding request header. There is a plugin for Google Chrome called ModHeader that will allow you to do that. simply install ModHeader and insert an entry for Accept-Encoding with a blank value as shown below:

Inline image 1



You can test this at the following site: http://www.whatsmyip.org/http-compression-test/

The drawback to turning HTTP compression off is that sites that do use compression (which is still perfectly safe for non-encrypted sites as there are no secrets to be revealed) will load up a little bit more slowly as the GZIP or Deflate compression can decrease size of sites by about 60%


Friday, August 05, 2016

Speeding up Windows 10

Windows 10 can feel a little sluggish if you have been using a fairly peppy system under Win 7 or 8.1

Here are a few things you can do to make it feel less sluggish.

first click on the notifications icon in the taskbar

Now click the "All Settings" button

I know, it's not the most intuitive place to look, but click on "Ease of Access"

Now click "Other Options"

At the top you will see this switch for play animations in Windows... turn it off.
Your start menu will come up as soon as you click it now, instead of feeling like the computer needs to wake up from it's nap first.


Now there is another place where animations that are not really necessary can be switched off. This is pretty much mandatory for old systems that have been upgraded to Win 10.

open up the System Control Panel (from the old control panel, not the new metro/modern system)
Click on "Advanced System Settings"

Click the first "Settings" button under Performance

Uncheck any animation features you don't care about.


Now this one is something I've done for every Windows install for ages, but not everyone knows it:
While you are in here, click the "Advanced" tab and click the "Change" button

Windows by default will have Automatically manage paging file checked, uncheck that box.
Now look at the recommended size near the bottom of this window, that will be different for your computer than it is for mine, but highlight one of your drives and enter the recommended amount of virtual memory (AKA page file, swap) space in both the initial size and maximum size.

Here you can see that I had a largish virtual memory space on my F: drive previously, but I have also added some space in the recommended amount to my C: drive. C: is only a 128GB SSD, so I had put this swap space on F: (a standard laptop HDD) initially, and that was fine, but putting some swap on the SSD really perked it up. I had to move the C:/Windows/Installer folder to one of my other drives to make some room (a lot of room) on C: to make this even possible.

If you have additional tips add them to the comments.

Thursday, July 14, 2016

Breaking news: Edward Snowden to Speak at SecTor 2016

Former CIA, NSA, and DIA intelligence agent and famed whistleblower Edward Snowden will be giving a keynote via video link from Russia at SecTor 2016. http://sector.ca/speakers/edward-snowden/

The keynote presentation will start at 9am on Tuesday, October 18 in the SecTor Keynote Hall on level 800 of the South Building in the Metro Toronto Convention Centre in downtown Toronto. If you don't already have tickets for the convention get 'em now. 

This will be the Infosec/IT event of the year in Toronto.

http://sector.ca/register/

Wednesday, June 01, 2016

Powershell tidbit of the week

Some of you are familiar with SSLLabs.com

Of those who have used it, some of you probably have run into at least one of these limitations:
It doesn't work for sites on your intranet. It doesn't work for sites with no DNS. It doesn't work with SNI sites (sites whit more than one site on a server under different DNS names). It doesn't work  for any port other than 443, and it has to be a web server, not a mail server. so no way to test TLS is working  on your SMTP server and what ciphers it uses.... but NMAP has that if you can remember what command line options to feed it.

I put these 3 lines in a file called testTLSCiphers.ps1 to make it easier for me to remember, and you might want to do that too.

$ServerName = Read-Host -Prompt 'Input your server  name'
$Port = Read-Host -Prompt 'Input your server TCP port number (443 is most common)'
nmap --script ssl-enum-ciphers -p $Port $ServerName



The output looks something like this:
PS C:\Users\rod> C:\scripts\Powershell scripts\testTLSCiphers.ps1
Input your server  name: internalsite.local
Input your server TCP port number (443 is most common): 443
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2016-06-01 15:29 Eastern Daylight Time
Nmap scan report for internalsite.local (192.168.1.6)
Host is up (0.0010s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 256) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 3.38 seconds