libssh vulnerability

An open source library, libssh, announced a fixed vulnerability today. I’ll let them explain:

libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.

Good thing we use OpenSSH in my company! I don’t have to monitor a bunch of software systems for security fixes and deployment–

$ nc github-enterprise.server 22
SSH-2.0-libssh_0.7.0

Shit.
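The banner grab above is the whole inventory check: every SSH server announces its implementation in its first line, so you can find libssh listeners the same way without touching authentication. The script below is an added example, not code from the libssh project or this post. It parses the RFC 4253 identification string, pulls the libssh version out of it, and flags anything in the "0.6 and above" range the advisory names; the separator handling (`libssh_x.y.z` and `libssh-x.y.z`) and the `AFFECTED_FROM` threshold are my assumptions. It deliberately does not know which later release carries the fix, so a hit means "compare against the vendor advisory", not a confirmed finding.

```python
import re
import socket
from typing import Optional, Tuple

# Lower bound of the affected range as stated in the advisory quoted above
# ("0.6 and above"). Assumption: nothing here encodes a fixed version; that
# comparison belongs to whoever reads the vendor advisory.
AFFECTED_FROM = (0, 6)

# RFC 4253 4.2: "SSH-protoversion-softwareversion [SP comments] CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)


def parse_banner(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Split an identification string into (protocol, software, comment)."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return m.group("proto"), m.group("software"), m.group("comment")


def libssh_version(software: str) -> Optional[Tuple[int, ...]]:
    """Return the libssh version as a tuple, or None if this is not libssh.
    Assumption: both 'libssh_0.7.0' and 'libssh-0.7.0' spellings occur."""
    m = re.match(r"^libssh[_-](\d+(?:\.\d+)*)", software, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def assess(line: str) -> str:
    """Classify one banner: in-range, libssh-older, not-libssh or unparseable."""
    parsed = parse_banner(line)
    if parsed is None:
        return "unparseable"
    version = libssh_version(parsed[1])
    if version is None:
        return "not-libssh"
    # Tuple comparison: (0, 7, 0) >= (0, 6) is True, (0, 5, 9) >= (0, 6) is False.
    return "in-range" if version >= AFFECTED_FROM else "libssh-older"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read until the server's SSH- line arrives. Servers are allowed to send
    other text lines before it, so keep reading past those (bounded at 4 KiB)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while len(data) < 4096:
            chunk = sock.recv(256)
            if not chunk:
                break
            data += chunk
            if any(l.startswith(b"SSH-") for l in data.split(b"\n")[:-1]):
                break
    for text_line in data.decode("ascii", "replace").splitlines():
        if text_line.startswith("SSH-"):
            return text_line
    return ""


if __name__ == "__main__":
    # Constructed banners; the first is the one shown in the post.
    for banner in ("SSH-2.0-libssh_0.7.0", "SSH-2.0-OpenSSH_7.4",
                   "SSH-2.0-libssh-0.5.5", "not an ssh server"):
        print(f"{banner!r:32} -> {assess(banner)}")
```

Run it against a host list with `assess(grab_banner(host))` and feed the `in-range` results to whoever owns patching; the parser is separated from the socket code so the classification can be unit-tested on captured banners without network access.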

Splunk Data Models

Splunk data models are a security professional’s best friend in terms of alerting, investigation, and audit. Splunk ES has an entire suite of baked-in correlation searches, but I want to talk about models a bit.

If you don’t know what Splunk is, hey, stop and go check out their free demo. I’ve never made a dime from Splunk as of this writing, but I like their software and wish Kibana were as functional for security purposes.


Wireless Security: WPA3 and Wifi Cracking

WPA3 certification has begun. I’m not sure there’s a lot to say about the current state of wireless security beyond keeping routers up to date and using nice long passwords.

I’ll briefly revisit the ez-mode version of the testing I’ve done in the past, but it’s pretty straightforward.


Signal SMS: A Quick Plug

I just want to take another opportunity to hawk the Signal SMS app. It’s a good client, it’s run by one of the smartest and seemingly nicest people in security today, and it’s funded as a nonprofit.

Why do I mention it? This is a little political, but it’s related to everyone’s privacy and security, so I’m going to chime in about this tidbit that came out this week:

According to a transparency report (PDF) released by the Office of the Director of National Intelligence, the agency got its hands on 534 million call and text records from telecommunications companies like AT&T and Verizon in 2017. That’s over three times the number (151 million) it collected in 2016, which was the first full year since new surveillance rules under the USA Freedom Act took effect.

Security Onion 2018

Something I’ve had reason to play a lot with over the last few months is Security Onion, a free and open source product that frankly compares damn well to a number of *very* expensive proprietary products.

It requires no small amount of Linux and tech knowledge to start digging into, but you get an ELK stack, full packet capture, a number of GUI options for visibility into network and file system alerts.. it’s really neat.

I struggled to get my ELK stack working properly but the eventual culprit was memory: I’d recommend a minimum of 4-8 gigs of RAM.

I’m now looking into ways to build cheap NSM sensors out of something akin to Raspberry Pis, but I don’t know how feasible that is yet.

Cisco CCNA Cyber Ops

.. Cisco is introducing the Global Cybersecurity Scholarship program. Cisco will invest $10 million in this program to increase the pool of talent with critical cybersecurity proficiency. Cisco also has enhanced its Security certification portfolio with a new CCNA Cyber Ops certification.

Through the scholarship program, Cisco will offer free training, mentoring, and testing designed to help you earn CCNA Cyber Ops certification and hone the skills needed for the job role of security operations center analyst. The new CCNA Cyber Ops certification has been designed to address the critical skills deficit, providing the job-ready knowledge needed to meet current and future challenges in network security.

I haven’t had any luck getting into this program yet, but this is 1) free training and 2) free testing for a CCNA cert, which definitely has some market value, so join me in waiting!

My understanding is part of the application process involves an entry-level security questionnaire, FYI.

Google Advanced Protection

Google has introduced the Advanced Protection Program. As far as I can tell, these are the big takeaways:

To provide the strongest defense against phishing, Advanced Protection goes beyond traditional 2-Step Verification. You will need to sign into your account with a password and a physical Security Key. Other authentication factors, like codes sent via SMS or the Google Authenticator app, will no longer work.

The physical key in this case looks to be a YubiKey.

When you sign up for new apps or services, you are sometimes asked for access to your data, like your emails or documents. By giving permission, you might introduce vulnerabilities that could be used to access your personal data. For example, an app you trust could be exploited or impersonated.

To protect you from this threat, Advanced Protection will automatically limit third-party apps from accessing your most sensitive data – your emails and your Drive files.

I suspect this is going to be implemented more broadly over time to non-Advanced Protection accounts, but we’ll see.

A common way that hackers try to gain access to your account is by impersonating you and pretending they have been locked out of your account.

To provide you with the strongest safeguards against this type of fraudulent account access, Advanced Protection adds extra steps to verify your identity. If you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account.

Another thing that will probably see parts trickle to mainstream account protection, but yeah.

Looks like it’s intended to target high-risk Google users as customers, but it’s free, so I’m imagining a number of tech folks will hop on board too. Looking into signing up for it myself this morning.

I’d like to write up something about the WPA2 flaw ongoing but I’m waiting for a bit more to develop.

Paper problems

A timely reminder that good information security practices don’t necessarily have anything to do with computers:

The health insurer Aetna is facing criticism for revealing the HIV status of potentially thousands of customers after it sent out a mailer in which information about ordering prescription HIV drugs was clearly visible through the envelope’s clear window.

For example, in a letter sent to a customer in Brooklyn, the window revealed considerably more than the address. It also showed the beginning of a letter advising the customer about options “when filing prescriptions for HIV Medic … .”

It’s funny; usually those envelope windows are considered best practice because they lower the risk of mismatching an address and a letter. In this case, though..

haveibeenpwned.com Database Made Public

Troy Hunt, the guy that runs the extremely useful haveibeenpwned.com, has released his working password database in the form of SHA-1 hashes.

What this is: an extremely useful tool for people working in security. They can hash the passwords in use on their systems and check whether each one appears in this list; if it does, that password is probably sitting in a dictionary file somewhere and is vulnerable to a dictionary attack.

What this is not: a usable password list useful for crackers, because everything is in SHA-1 hash form.

Troy deserves all the credit in the world for doing a public service for free, and props to Cloudflare for offering to host a 6GB file (also for free).
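The check described above, as an added example rather than anything from Troy Hunt or haveibeenpwned.com: hash the candidate with SHA-1, uppercase the hex digest, and test membership in the published list. The two sample lines are constructed from well-known weak passwords so the block runs offline; the `:count` handling is an assumption about later revisions of the file format, not something the original release is known to use.

```python
import hashlib
from typing import Iterable, Set

# Constructed stand-in for a few lines of the released file: one uppercase
# SHA-1 hex digest per line. A trailing ":<count>" suffix is tolerated as an
# assumption so the loader keeps working if the format grows one.
SAMPLE_LINES = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
7C4A8D09CA3762AF61E59520943DC26494F8941B:12345
"""

HEX_DIGITS = set("0123456789ABCDEF")


def load_hashes(lines: Iterable[str]) -> Set[str]:
    """Normalise each line to a 40-character uppercase digest and drop junk."""
    hashes = set()
    for line in lines:
        digest = line.strip().split(":", 1)[0].upper()
        if len(digest) == 40 and set(digest) <= HEX_DIGITS:
            hashes.add(digest)
    return hashes


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 bytes, uppercase hex, matching the list's encoding."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_pwned(password: str, hashes: Set[str]) -> bool:
    """True when the candidate's digest appears in the loaded list."""
    return sha1_hex(password) in hashes


def load_hash_file(path: str) -> Set[str]:
    """Stream a file of one digest per line into a set."""
    with open(path, "r", encoding="ascii", errors="ignore") as fh:
        return load_hashes(fh)


if __name__ == "__main__":
    known = load_hashes(SAMPLE_LINES.splitlines())
    for candidate in ("password", "123456", "correct horse battery staple"):
        verdict = "REJECT (in list)" if is_pwned(candidate, known) else "not in list"
        print(f"{candidate!r:34} {verdict}")
```

The natural place to call `is_pwned` is a password-change hook, where a hit means "pick another one". Loading the full 6GB file into a Python set is impractical; for production you would key a database or a sorted on-disk file on the digest and keep only the lookup logic from this block.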

Humble Book Bundle: Cybersecurity

This isn’t a bad bundle for $15, all told. I’d consider it a buy if you want to understand some of the underlying security and crypto concepts, but not if you’re looking for up to the minute exploits or state of the industry type stuff.

For example: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd Edition is a book from 2011. A fair bit of it is still relevant, but six years is a long time. On the other hand, something like Cryptography Engineering: Design Principles and Practical Applications is going to be a solid foundational crypto book for a long time.

If you have zero certs or industry experience, the CEH isn’t the worst place in the world to start to get a beginning job, but it’s basically just a memorization test and the industry knows it.