Monday, December 31, 2012

Microsoft EMET

Over the holidays some of you may have seen some version of this story:
http://thenextweb.com/microsoft/2012/12/29/criminals-use-adobe-flash-and-new-ie-vulnerability-in-targeted-attacks-ie9-and-ie10-users-are-safe/

or if you are a security geek, this one:
https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012

Once again, a new 0-day Internet Explorer vulnerability was discovered that affects IE7 and IE8. On the 29th an exploit for it was added to Metasploit, and, as they say, crimeware advances at the pace of Metasploit. (Metasploit is open source, so any programmer can see exactly what they did to exploit the bug and copy it, if they have not already figured it out for themselves.)

You may note that aside from upgrading to IE9/IE10 there is a suggestion that you could mitigate this vulnerability by running EMET. For many businesses, deploying EMET is the only realistic action to take.

This is not the first time you might have seen this suggestion, but most people I have talked to who are not well read on IT security have never even heard of EMET.

The tl;dr executive summary is:
EMET stops malicious programs running in the context of legitimate programs by killing the whole process before the malicious code can do its damage. This allows us to protect against exploits of some unpatched vulnerabilities. It is free and MS supports it.


What does EMET do?
EMET (Enhanced Mitigation Experience Toolkit; I think that's a rather poor name, so I will always refer to it as EMET) is a free program from Microsoft (fully supported by MS) that lets you switch on various security mitigations that are built into Windows but are not often enabled by the software that runs on it.

DEP, ASLR, and SEHOP can be turned on at a system level (although they are not by default).
DEP, SEHOP, NULL Page, Heap Spray, Mandatory ASLR, EAF, and Bottom-up ASLR protections can be turned on for individual applications (see the manual for more info).

DEP is already mandatory on 64-bit Windows for all 64-bit processes, but not for 32-bit programs. All of the rest are optional, and often not implemented by software developers even when there is no reason to avoid them. EMET allows you to turn these protections on even for programs that were not designed for them. (Caution: some of these may break some programs, but they are easy to switch on and off.)


EMET has 3 lists of defaults that can be set for applications. These defaults have already been tested by engineers at Microsoft. They can be applied by importing one of the 3 default lists that come with it, or via GPO (more details below).

Friday, December 14, 2012

SANS's New Monthly Awareness Video Page

Securing The Human is a corporate security awareness training program based around a bundle of 2-6 minute computer animated videos that each highlight an aspect of computer security. The full corporate training program costs $3000 or more per year (unless you are in the government or education sectors), and includes tracking employee views to allow for completion certificates to be e-mailed out and to give managers a log of employee completion of the training so that you can use that for compliance purposes. It also allows custom content such as policy documents to be attached to the training materials.

The good news for really small organisations that cannot afford even the $3000 small business package (which allows you to have up to 750 seats) is that they now offer one video per month for free, but obviously you'd have to track who watched it yourselves. Maybe you could hold a monthly staff meeting and review the video together. Better yet, this allows private individuals who are not employed by a company that subscribes to the Securing the Human program to have access to the materials at home.


Monday, December 03, 2012

Secure Browser Settings

I know this is going to be long and technical, but it is important for everyone regardless of your technical ability to look at.
The one-line TL;DR version (TL;DR is internet speak for "too long, didn't read") is this:
Secure sites use SSL. TLS is the newer SSL. You should be using the newest one you can.

Ok, so for a while now webmasters, IT people, developers etc. have been slowly transitioning the internet away from SSL 2.0 to newer versions of the protocol. SSL is the "s" in https://; it is the secure part of secure websites. Version 1 was phased out before most folks even knew there was an internet, but version 2.0 has stuck with us for a long time, despite being broken in many different ways. The payment card industry, via the PCI-DSS rules by which individual merchants have to run their payment networks and banking systems have to communicate with merchants across data networks like the internet, outlawed the use of SSL 2.0 a while back. And so most websites and some browsers (I think all browsers except Internet Explorer) have abandoned the old clunker of a security protocol. By default most newer web browsers support SSL 3.0 and TLS 1.0 (which can be thought of as SSL 3.1 or 4.0).

TLS 1.0 was first introduced back in 1999. In 2002 a theoretical exploit was discovered. About a year ago that exploit, dubbed BEAST (Browser Exploit Against SSL and TLS), was made practical. It allows a person who can insert themselves between the user's browser and the secured web server to choose what data gets encrypted and sent, and to use the resulting ciphertext to get a head start on decrypting the rest of the conversation. It is effective only against SSL 3.0 and TLS 1.0, and only when they use block ciphers like AES and 3DES rather than stream ciphers like RC4. Because they have decided that we've had enough time, the payment card industry is starting to insist that merchants protect against the BEAST attack. This can cause someone with inadequate security settings on their browser to get a blank page when trying to connect to a secure website.

So far TLS 1.1 and 1.2 are still quite secure, but not used everywhere yet and not supported by every browser.

I'm going to show you how to turn on the best protocol available to you in the most popular browsers and then if you are also a techie running a server, I'll go into how to do the server side.

First Internet Explorer:


For Internet Explorer: in Internet Options, under the Advanced tab, scroll almost all the way to the bottom and you will find these settings.
By default SSL 2.0, SSL 3.0 and TLS 1.0 should be on. I am recommending that all users switch off SSL 2.0, as no sites on the internet rely on it anymore and it is a very broken protocol.
Also, if available (if you have Windows 7 or higher), you should turn on TLS 1.1 and TLS 1.2 as well.


Now Firefox:



Firefox should already have only SSL 3.0 and TLS 1.0 enabled. If it does not have TLS 1.0 checked, please make sure you enable it.
Again, TLS 1.0 dates back to 1999; there has been over a decade of use ensuring that all sites and browsers are compatible.
The only reason to have it turned off is if you are in the US Government and required to use only 1.1 and 1.2 :) but as we can see with the Firefox example, not having anything older than 1.1 means breaking compatibility.

On the server side...

IIS:

IIS uses the Microsoft SChannel settings. The protocol versions it supports are turned on in the registry. Paste the following into a file called saferSSL.reg (or something like that), then double-click your new .reg file to import those settings.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000


And optionally (this one will break compatibility with IE6; add it below the keys above, in the same .reg file):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000


And then to enable TLS 1.1 and 1.2 (SChannel only has these protocol versions from Windows 7 / Server 2008 R2 onward; paste the keys into the same .reg file, or into a second file that starts with the same "Windows Registry Editor Version 5.00" header line, and restart the machine afterwards so SChannel picks up the change):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
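Before importing a .reg file like the ones above it is worth checking what it will actually do. The Python below is a small parser I added for this post; it is not a Microsoft tool and not the post's own code. It reads the SCHANNEL\Protocols keys out of .reg text, applies SChannel's two-value rule (Enabled = 0 means off; Enabled non-zero with DisabledByDefault = 1 means available only to applications that explicitly ask for it), and lists any legacy protocol side the file does not switch off. The sample registry text is constructed from the snippets above, with a TLS 1.2 entry deliberately left DisabledByDefault = 1 to show that case.

```python
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
PROTO_PREFIX = SCHANNEL + "\\Protocols\\"

# Constructed sample: the post's SSL 2.0 / SSL 3.0 "off" keys, the TLS 1.1 "on"
# keys, plus a TLS 1.2 entry written with Enabled = 0xffffffff (another common
# way to spell "on") but with DisabledByDefault still set to 1.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
LEGACY = ("PCT 1.0", "SSL 2.0", "SSL 3.0")


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def effective_state(values):
    """Apply SChannel's Enabled / DisabledByDefault semantics to one key's values."""
    enabled = values.get("Enabled")
    if enabled is None:
        return "os-default"      # nothing written: whatever this Windows version ships with
    if enabled == 0:
        return "disabled"
    if values.get("DisabledByDefault", 0) != 0:
        return "opt-in"          # usable only by applications that request it explicitly
    return "enabled"


def protocol_states(text):
    """Map (protocol, 'Client'|'Server') -> state for every Protocols subkey in the file."""
    states = {}
    for path, values in parse_reg(text).items():
        if not path.upper().startswith(PROTO_PREFIX.upper()):
            continue
        parts = path[len(PROTO_PREFIX):].split("\\")
        if len(parts) != 2:      # bare container key such as "...\Protocols\TLS 1.1"
            continue
        states[(parts[0], parts[1].capitalize())] = effective_state(values)
    return states


def audit(text):
    """List legacy protocol sides that the file leaves in any state other than 'disabled'."""
    states = protocol_states(text)
    return [(proto, side, states.get((proto, side), "os-default"))
            for proto in LEGACY for side in ("Client", "Server")
            if states.get((proto, side), "os-default") != "disabled"]


if __name__ == "__main__":
    for (proto, side), state in sorted(protocol_states(SAMPLE_REG).items()):
        print(f"{proto:8} {side:7} {state}")
    for proto, side, state in audit(SAMPLE_REG):
        print(f"WARNING: {proto} {side} is {state}, not disabled")
```

Run against the sample, the audit reports PCT 1.0 on both sides and the Client side of SSL 2.0 and SSL 3.0, because the post's snippet only writes the Server keys. That is the intended scope for an IIS box, but it is worth knowing that the client side (connections the server itself makes outbound) is left at the OS default.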
 
Then go into the group policy editor (type gpedit.msc into the Run box or at a command line).
Find the section: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings
Edit the SSL Cipher Suite Order value to include only RC4 ciphers for SSL 3.0 and TLS 1.0.
Move "TLS_RSA_WITH_RC4_128_SHA" to the top of the priority list, and get rid of any SSL 3.0 or TLS 1.0 cipher suites with CBC in the name. You can keep whatever TLS 1.1 or 1.2 ciphers you need (hint: anything with SHA256 or higher is fine). If you are not sure what to include, just copy the matching string below into that box (it takes one comma-separated line) and click OK.

IIS 7.5:

TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521

IIS 7.0:

TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5
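Checking a cipher suite order string against the rule just described (RC4 first, no SSL 3.0/TLS 1.0 CBC suites, TLS 1.2 suites kept) is easy to automate. The Python below is an example I added for this post, not Microsoft's and not the post's own code. It classifies each Windows-style suite name by what the name encodes: _RC4_ is a stream cipher, a SHA256/SHA384 MAC or _GCM_ marks a suite that only exists from TLS 1.2 on, SSL_CK_ is an SSL 2.0 suite, and a _CBC_ suite with a plain SHA or MD5 MAC is the SSL 3.0/TLS 1.0 kind that BEAST targets. The inputs are the post's own IIS 7.5 string and a constructed string that contains two such CBC suites.

```python
import re

# AEAD (GCM) or SHA-2 HMAC suites cannot be negotiated under SSL 3.0 / TLS 1.0.
TLS12_ONLY = re.compile(r"_GCM_|SHA(256|384|512)")

# The post's IIS 7.5 string, copied from above.
IIS75 = ("TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,"
         "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,"
         "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521")

# Constructed: a default-looking order with two BEAST-affected CBC suites ahead of RC4.
DEFAULTISH = ("TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
              "TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256")


def classify(name):
    """Bucket one cipher suite name by the protocol versions that can use it."""
    if name.startswith("SSL_CK_"):
        return "ssl2-only"       # SSL 2.0 cipher kinds: unused once SSL 2.0 is disabled
    if TLS12_ONLY.search(name):
        return "tls12"           # TLS 1.2 and later only, so outside BEAST's reach
    if "_RC4_" in name:
        return "rc4"             # stream cipher: not affected by the CBC attack
    if "_CBC_" in name:
        return "cbc-legacy"      # CBC with SHA-1/MD5 MAC: the SSL 3.0 / TLS 1.0 BEAST case
    return "other"


def apply_rule(order):
    """Apply the post's rule to a comma-separated order; return (kept, dropped)."""
    suites = [s.strip() for s in order.split(",") if s.strip()]
    rc4 = [s for s in suites if classify(s) == "rc4"]
    dropped = [s for s in suites if classify(s) == "cbc-legacy"]
    rest = [s for s in suites if classify(s) not in ("rc4", "cbc-legacy")]
    # The post wants TLS_RSA_WITH_RC4_128_SHA at the very top when it is present;
    # the sort key is False for it and True for the others, and sort() is stable.
    rc4.sort(key=lambda s: s != "TLS_RSA_WITH_RC4_128_SHA")
    return rc4 + rest, dropped


if __name__ == "__main__":
    for label, order in (("IIS 7.5 string", IIS75), ("constructed default", DEFAULTISH)):
        kept, dropped = apply_rule(order)
        print(f"{label}:")
        print("  new order:", ",".join(kept))
        print("  dropped  :", ",".join(dropped) or "(nothing)")
```

The post's IIS 7.5 string passes its own rule unchanged; the constructed order loses its two CBC-with-SHA suites and has the RC4 suites moved to the front. RC4 is kept in its own bucket rather than merged with the TLS 1.2 suites because it was itself prohibited later (RFC 7465), so a newer policy can drop that class with a one-line change to apply_rule instead of re-classifying.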


Apache:
Put this into your SSL virtual host config (SSLHonorCipherOrder makes the server's preference order win over the client's, which is what puts RC4 ahead of the CBC suites that HIGH pulls in):

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH