Showing posts from 2015

Is DHS running honeypots?

When DHS published its own Security Audit Report in September 2015, I was rather speechless that I could not find any mention of "SSL" or "TLS" in the text; apparently, though, DHS had been aware of Transport Layer Security earlier than that.

Today KrebsOnSecurity published a post titled DHS Giving Firms Free Penetration Tests, containing a link to a document that includes a status update on the ongoing cyber programs and efforts underway at the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).

In a rather confusing timeline, we read first about DHS ignoring SSL/TLS in its own Security Audit Report (Sept. 2015), and today about how SSL (TLS) related vulnerabilities occupy 5/5 of the Top 5 (Occurring) Vulnerabilities list in the DHS NCATS Year-Engagement Report 2014 (which indeed might more conveniently have been published at an earlier date).

The reason for this post is not the confusing order with which DHS ha…

#insecureTLS implementations report

This post is meant to support the launch of the #insecureTLS hashtag; an insecure Transport Layer Security implementation is in itself outrageous, but some are more so than others.

...I collect insecure TLS samples for fun and profit (not really)

why I started collecting data from Qualys SSL (Server) Test
first sample;
a second batch [video];
something the @DHSgov Security Audit did not report.

More insecure https samples (batch #2)

SSL Test executed on July 5 2015.

[batch #1 video]
[2 parts post about]

Organisation | URL
US Department of Homeland Security, Electronic System for Travel Authorization |
Customs and Border Protection (likely API endpoint for online payments) |
Judiciary portal | https://courts.arkansas.gov
Virginia Department of Motor Vehicles | https://www.dmv.virginia.gov
Oklahoma State Treasurer Office | http://www.treasurer.ok.gov
US Consumer Financial Protection Bureau | https://www.consumerfinance.gov
US Payment system used by various state and local agencies |
Govt. Malware Submission Form |
State Department Cooperation portal |
National Security Information System |
Department of Infrastructure and Environment |
Secure Authentication Service for access to public services |
…

Bad SSL: security awareness in interesting times (1)

[traduzione italiana]
Secure websites, browsers and the difference from plain-text websites
The details behind a (web) connection may not be interesting to a general audience and, in any case, not meaningful enough to bother with.
The intention of this post is to make a rather delicate issue understandable to as many non-technical people as possible: an effort is made to clarify the substance of the issue and its implications, avoiding the geeks' stuff and jargon.

Securing communication with a website takes more than using https. The technology and cryptographic science behind the security of internet communication are highly complex; nevertheless, at any given time, publicly and freely available best practices exist to keep the level of actual security consistent with the purpose of a given resource. This is important nowadays, given the indiscriminate surveillance system operating on a global scale which stores - in an unbelievably detailed timeline - profiles, actions,…

Bad SSL: security awareness in interesting times (2)

(part 1)
The reason I started collecting third-party data
Through my numerous visits to the SSL Test webpage, in that particular list on the lower right of the page I have seen ...attack ships on fire off the shoulder of Orion.

I got intrigued by the idea of assessing the density of technologically advanced organisations (some of them professionally active in security), state departments, healthcare institutions, military hosts, service providers, remote-access portals for teleworkers, and hardware/software management dashboards that are so badly protected as to achieve such a negative evaluation.

It is interesting to note that, although SSL Labs offers the option not to publish the results of the test (which might inconveniently appear in the worst-scores list), many sensitive sites show up in the list: is it paranoid to think that several tests are executed not only by the organisations themselves (who would probably use the privacy option), but also by users or employees?

I find t…

Bad SSL: communicating securely in the age of global surveillance (1)

[english version]
Secure websites, browsers and the difference from plain-text websites
The details behind a (web) connection are generally of no interest to most users, or are in any case, carelessly, assumed to be valid or adequate.
The aim of this post is to illustrate a rather complex issue, highlighting its substantial aspects and implications while avoiding the topics and technicalities that are the domain of IT experts.

Protecting communication with a website takes more than using https. The security of internet communication relies on the complex technological support of cryptographic science; despite continuous progress, and hence revisions and refinements of implementations and protocols, it is at any time possible to access, free of charge, publicly available information and practical methods that can be used to verify and keep the level of security of each resource adequate. This …

BadSSL: communicating securely in the age of global surveillance (2)

(part 1)
The reason I started acquiring data from a third-party service
During my numerous visits to the SSL Test page, in that particular list at the bottom right I saw ...attack ships on fire off the shoulder of Orion.

I was intrigued by the idea of checking the density of technologically advanced organisations (some of them professionally active in the security sector), ministries, healthcare institutions, military systems, service providers, remote-access portals for teleworkers, and hardware/software management interfaces protected so badly as to deserve such an extremely negative assessment.

Kernel exploits and hardening

Apache/Nginx log statistics and charts

OpSec heads up: WebRTC/STUN deanonymizing

OS X Gatekeeper Bypass

BlackPwn: BlackPhone SilentText Type Confusion Vulnerability

EFF’s Game Plan for Ending Global Mass Surveillance

Qualys Security Advisory CVE-2015-0235
GHOST: glibc gethostbyname buffer overflow

/* Qualys GHOST (CVE-2015-0235) test program: the header names below were
 * lost in extraction and are restored here; they are the ones the code needs. */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r();
 * if the overflow is present, the write past the buffer clobbers it. */
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  /* Name length chosen so the vulnerable size computation is off by sizeof(char *). */
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);       /* all digits, so the name is parsed as a numeric address */
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");         /* canary overwritten: buffer overflow occurred */
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");     /* fixed glibc notices the buffer is too small */
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

IPv6 Security Myth #2
IPv6 Has Security Designed In

Carnal0wnage & Attack Research
Shmoocon Notes: Userland persistence on OS X

Defining Threat Intelligence

Matthew Green
On the Practical Exploitability of Dual EC in TLS Implementations

Subject: [Fwd: RE: Minding our Ps and Qs in Dual_EC]
Date: Wednesday, October 27, 2004 at 12:09:25 PM Eastern Daylight Time
From: John Kelsey
To:

---------------------------- Original Message ----------------------------
Subject: RE: Minding our Ps and Qs in Dual_EC
From: "Don Johnson"
Date: Wed, October 27, 2004 11:42 am
To: "John Kelsey"
--------------------------------------------------------------------------

John,

P = G. Q is (in essence) the public key for some random private key. It could also be generated like a(nother) canonical G, but NSA kyboshed this idea, and I was not allowed to publicly discuss it, just in case you may think of going there.

Don B. Johnson

-----Original Message-----
From: John Kelsey []
Sent: Wednesday, October 27, 2004 11:17 AM
To: Don Johnson
Subject: Minding our Ps and Qs in Dual_EC

Do you know where Q comes from in Dual_EC_DRBG?

Thanks,
-John

Powershell Popups + Capture

Powershell Popups Capture - cool thing about this is you can leave it to execute on a system without any other code on disk and get creds constantly as any level of user. No admin, no UAC bypass needed. Just a bunch of creds for free.. over SSL. ;–)