Cyber Security

It’s..about..to..go..DROWN

Over the last few years a multitude of servers have been affected by attacks that break SSL/TLS encryption. First off, SSL stands for Secure Sockets Layer. SSL was the original standard for establishing an encrypted link between a browser and a web server. Transport Layer Security, or TLS, is its successor: the protocol that provides privacy and integrity between applications and their users over the Internet.

Although there have been multiple instances of SSL/TLS attacks, the two examples I want to briefly discuss are FREAK and a newly discovered attack called DROWN. (I did not make these names up, by the way.) With the DROWN vulnerability, researchers have stated that under some circumstances an attacker can also impersonate a secure website (and you thought Elvis impersonations were scary) in order to intercept or change the content the user sees on the screen.

What does this mean to me?

Whenever you log into a site such as Amazon, Gmail or any other site that holds important data, you typically are logging into a secure site. TIP: Always look for the web address prefixed with “HTTPS”. The “S” in HTTPS stands for secure. If the web server for a particular site does not get the proper patches for SSL-based attacks like DROWN, information visitors submit during online transactions can be decrypted as it travels over the Internet. Things such as passwords, addresses and credit card numbers can then be read by an attacker positioned between you and the site, a.k.a. the “Man-In-The-Middle”.

One example of a previous SSL attack

The FREAK (Factoring RSA Export Keys) attack was announced on March 3rd, 2015. FREAK allowed an attacker sitting between a vulnerable client and server to force the HTTPS connection down to weakened, “export-grade” 512-bit RSA encryption, which can be factored in a matter of hours with modest computing resources. With the session key recovered, the attacker could decrypt the traffic in order to steal or even manipulate sensitive data. FREAK has since been remediated as server administrators patched their systems and, on vendors’ advice, disabled support for export-grade and other known insecure cipher suites.

There are other historic SSL/TLS attacks such as POODLE, BEAST and Heartbleed. Each one is worth looking up to learn more about how it was discovered and how the attack works.

The Current SSL attack

The DROWN attack, or Decrypting RSA with Obsolete and Weakened eNcryption, is a vulnerability that affects HTTPS and other services that rely on SSL and TLS. Websites, e-commerce sites, mail servers (e.g. Yahoo/Gmail) and other TLS-based sites and services are currently at risk from the DROWN attack.

[Image: DROWN attack diagram]

What makes this a serious security risk is that any server that merely supports SSLv2 puts modern servers and clients at risk, even ones that only speak TLS: the SSLv2 server does not have to be the one you are connecting to, it only has to share the same RSA private key (as a web server and a mail server of the same site often do). This is demonstrated in the illustration above (illustration credit: drownattack.com). The Man-In-The-Middle records TLS sessions between the client and server, then sends specially crafted SSLv2 probes to the SSLv2-enabled server that shares the key and uses its responses as an oracle to decrypt the recorded traffic and read the information transferred from client to server.
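An SSLv2 probe of the kind the illustration describes, as an added example (this is my code, written for this page; it is not the DROWN researchers’ scanner and not from the original post): it builds an SSLv2 CLIENT-HELLO from the SSL 2.0 message layout, parses a SERVER-HELLO, and reports whether the server is willing to speak SSLv2 at all. The SERVER-HELLO bytes in the block are constructed for demonstration, not captured from a real server; only probe() touches the network.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = b"\x00\x02"


def build_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record that offers every SSLv2 cipher kind."""
    challenge = challenge if challenge is not None else os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHERS)
    body = (
        bytes([MSG_CLIENT_HELLO])
        + SSLV2_VERSION
        # cipher-specs length, session-id length (0: new session), challenge length
        + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
        + cipher_specs
        + challenge
    )
    # Two-byte record header: high bit set, remaining 15 bits hold the body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record):
    """Parse an SSLv2 SERVER-HELLO; return None if the bytes are not one."""
    if len(record) < 2:
        return None
    header = struct.unpack(">H", record[:2])[0]
    if not header & 0x8000:
        return None  # three-byte (padded) SSLv2 header, or a TLS record: not a plain SERVER-HELLO
    body = record[2:2 + (header & 0x7FFF)]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    # SESSION-ID-HIT, CERTIFICATE-TYPE, SERVER-VERSION, then three length fields
    _hit, _cert_type, version, cert_len, cs_len, conn_len = struct.unpack(">BBHHHH", body[1:11])
    if len(body) < 11 + cert_len + cs_len + conn_len:
        return None  # truncated record
    cs = body[11 + cert_len:11 + cert_len + cs_len]
    offered = [SSLV2_CIPHERS.get(cs[i:i + 3], "unknown " + cs[i:i + 3].hex())
               for i in range(0, len(cs), 3)]
    return {"version": version, "certificate_length": cert_len, "ciphers": offered}


def sslv2_supported(response):
    """True if the server answered our SSLv2 CLIENT-HELLO with an SSLv2 SERVER-HELLO."""
    hello = parse_server_hello(response)
    return hello is not None and hello["version"] == 2 and len(hello["ciphers"]) > 0


def probe(host, port=443, timeout=5.0):
    """Send one SSLv2 CLIENT-HELLO over TCP and report whether the host speaks SSLv2."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        response = sock.recv(4096)
    return sslv2_supported(response)


def constructed_server_hello(cipher_specs):
    """Constructed for demonstration only: the shape of a SERVER-HELLO, not real server output."""
    cert = b"\x30\x82\x01\x00" + b"\x00" * 20  # placeholder bytes standing in for a DER certificate
    conn_id = b"\x11" * 16
    body = (bytes([MSG_SERVER_HELLO]) + b"\x00" + b"\x01" + SSLV2_VERSION
            + struct.pack(">HHH", len(cert), len(cipher_specs), len(conn_id))
            + cert + cipher_specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


# Constructed samples: an SSLv2 server offering RC4-128 and 3DES, and a TLS alert (what a
# TLS-only server typically sends back when it receives something it does not understand).
SAMPLE_SERVER_HELLO = constructed_server_hello(b"\x01\x00\x80\x07\x00\xc0")
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_SERVER_HELLO))
```

A True result from probe() only tells you the host accepts SSLv2, which is enough to mean it must be fixed; it does not tell you which TLS-only hosts share its RSA key, which is the second thing the researchers’ test site checks and which this probe does not do. Some servers answer an SSLv2 hello with a TLS alert or simply close the connection, and both of those are reported as not supported.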

[Image: DROWN illustration]

My contribution

Earlier today I used the DROWN website checker to see which sites were vulnerable to this attack. Some of the sites I came across are well-known sports sites and e-commerce sites. As part of my research I plan to run a few website queries to see which sites are vulnerable to DROWN, contact the site administrators / server administrators of 10 or so websites, give them my findings/results provided by test.drownattack.com and follow up with the site admins to see if they actually fix these vulnerabilities with the appropriate software security patches. This should be fun.

Secure your Selfies!!!

Instagram is in the process of rolling out a new security feature in its latest attempt to further protect you from hackers. With the latest update (to be rolled out in phases), Instagram will add two-factor authentication to its app for better account protection.

Two-factor authentication, or 2FA, adds a second level of authentication to an account log-in. Entering only your username and a password is single-factor authentication. 2FA requires a user to present two of the three types of credentials (factors) before being able to log into an account.

Here are the three types of factors:

  • Something you know, such as a personal identification number (PIN), pattern or password.
  • Something you are, i.e. a biometric such as a fingerprint, voice, or eye (retinal scan).
  • Something you have, such as an ATM card, token, or phone.

If you decide to activate 2FA within Instagram, logging into the app will require your password AND an additional security code. The code is sent to you via SMS (Short Message Service, a.k.a. text message). With 2FA activated, Instagram will send you an SMS security code every time you log in, as an extra layer of security. The new input screen that appears after the regular login page looks like this:

[Image: Instagram two-factor authentication prompt]
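Instagram sends its code over SMS; the same “something you have” idea is what a token or authenticator app implements with a time-based one-time password (TOTP, RFC 6238), which needs no network to generate. The block below is an added example written for this page, not Instagram’s implementation and not from the original post: it generates the codes, and TotpVerifier shows the two checks a server must do beyond comparing digits, accepting codes from the adjacent 30-second steps (clock skew) and refusing a code that has already been used. The shared secret is the RFC 6238 test-vector key, so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier for one user: tolerates +/-window steps of clock skew and
    remembers the last accepted step so a code cannot be replayed inside that window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest time step accepted so far

    def verify(self, candidate, unix_time=None):
        if unix_time is None:
            unix_time = int(time.time())
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        counter = unix_time // self.step
        matched = None
        # Check every step in the window (no early return) and compare in constant time,
        # so timing does not reveal how close a guess was.
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if hmac.compare_digest(hotp(self.secret, c, self.digits), candidate):
                matched = c
        if matched is None or matched <= self.last_counter:
            return False  # wrong code, or a replay of an already-used step
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # RFC 6238 test-vector secret; a real deployment generates a random secret per user.
    demo_secret = b"12345678901234567890"
    print("code for T=59:", totp(demo_secret, 59))  # RFC 6238 lists 94287082 (8 digits)
```

The SMS variant differs only in how the code reaches you: the server generates a random code, stores it with an expiry, texts it, and performs the same constant-time comparison and single-use check. Whichever transport is used, the thing that makes it a second factor is that the code proves possession of the phone or token rather than knowledge of the password.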

I currently use 2FA for my online banking, Mint, SmartyPig and Facebook. Again, this security feature will be updated over time, so if you do not see the 2FA option right now, it will arrive eventually. Continue to make sure your app is updated to the latest version as well. Once the update is rolled out it will be listed under the “Posts you’ve liked” option in the settings page of your Instagram account.

[Image: Instagram security authentication option]

Again, 2FA is another added layer of security to protect your accounts and online identity from hackers. Though not 100% effective (like security features in general), it is a very effective practice for deterring malicious activity. Currently Facebook, Twitter, Apple, Google and a host of others offer 2FA as well. What other apps or accounts do you currently use 2FA for?

5 ways to tell if your computer is infected with malware

  1. Slow performance

    Have you noticed that it takes longer than normal for your computer to boot to the desktop? Once you’re logged in, are you waiting too long for your programs to start up? You may have some form of malware on your machine. Malware tends to slow down your system, your applications and the overall functionality of the PC.

    If you do notice something like this and you are not using any resource-heavy programs or applications, keep in mind it could also be a lack of available memory, a fragmented disk, a lack of space on your hard drive or a hardware issue affecting your drive. Hopefully that is the case instead of malware.

  2. Pop ups

    Another sign of malware is unwanted pop-up windows. Unexpected (and annoying) pop-ups are typical signs of a spyware/adware infection. To avoid picking up spyware via pop-ups:

    • avoid clicking on suspicious pop-up windows
    • do not download the software recommended in the pop-ups
    • be careful when downloading free applications (always check whether unnecessary bundled software will be installed, i.e. un-check the checkboxes)

    If you do notice your system has pop-ups, consider using malware removal tools such as Malwarebytes, Spybot Search & Destroy or Lavasoft’s Ad-Aware.

  3. Weird web-browser (IE, Chrome, Firefox) activity 

    Has your browser home page changed to a random site? Are there toolbars at the top of your web browser that you did not install? When you try to go to one of your favorite sites, are you redirected to another, unrelated site? These can be symptoms of malware. Malware can install unwanted browser configurations, change the browser’s home page, redirect you to unexpected sites, install toolbars, and/or replace your default search engine. One way this happens is when you visit a website and accidentally click a malicious online ad or an unexpected pop-up window.

    The action that follows triggers the download and installation of malicious software. If you notice this activity, run a complete scan with your antivirus software as soon as possible. At a minimum your machine should have an antivirus program such as Microsoft Security Essentials, Avast, or AVG. These types of threats may not be caught initially by your antivirus software, so it won’t hurt to run additional scans with the anti-spyware programs mentioned in point #2.

  4. Suspicious hard drive activity 

    Another warning sign of a potential malware infection on your system is unusual hard drive activity. If your disk shows continuous, excessive activity (the system performing very, very slowly, or the drive sounding as though your computer is about to take off) while you are not doing anything disk-intensive, that is a good reason to check your system for malware. There may be malicious processes running that affect the performance of the overall system.

  5.  Anti-Virus software / features disabled 

    When trying to run scans on your machine, you notice that your antivirus isn’t working anymore or its update feature appears to be disabled. Believe it or not, some malware is designed to disable antivirus and other security programs. Remember, the overall goal of most malware is to steal information from your system without interruption.

    Some variants of malware will even prevent you from accessing security vendor websites. I experienced this when I was attempting to remove the Conficker virus one time and could not get to security vendor websites like the Symantec or McAfee sites as part of my troubleshooting. If you experience this situation, more than likely your system has been infected with malware.

    Always try to keep your system malware-free, and that starts with watching for the signs of infection listed above.
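One concrete way malware blocks security vendor websites (point 5) and redirects your browser (point 3) is by editing the hosts file, which the operating system consults before DNS. The block below is an added example written for this page, not a tool from the post or from any vendor: it parses a hosts file and flags any entry that pins a security vendor domain to an address, distinguishing entries that blackhole the site (0.0.0.0 or loopback) from ones that redirect it somewhere else. The sample hosts content and the addresses in it are constructed; the vendor watchlist is an assumption you would extend for the products you run.

```python
import ipaddress
import os
import sys

# Constructed sample: the first three entries are normal; the rest are what a hijack looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   www.symantec.com
0.0.0.0   liveupdate.symantecliveupdate.com   # blocks AV definition updates
127.0.0.1 www.mcafee.com
198.51.100.23  www.malwarebytes.org
203.0.113.9    update.microsoft.com  windowsupdate.microsoft.com
"""

# Assumed watchlist: domains that should never appear in a hosts file on a normal machine.
SECURITY_VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "malwarebytes.org",
    "microsoft.com", "kaspersky.com", "avast.com", "avg.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: malformed line, skip it
        for host in parts[1:]:  # one address may carry several hostnames
            yield str(ip), host.lower().rstrip(".")


def is_watched(host, watchlist):
    """True if host is a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_hijacked_hosts(text, watchlist=SECURITY_VENDOR_DOMAINS):
    """Return every entry that pins a watched domain, with how it has been tampered with."""
    findings = []
    for ip, host in parse_hosts(text):
        if not is_watched(host, watchlist):
            continue
        addr = ipaddress.ip_address(ip)
        # 0.0.0.0 / 127.x / ::1 make the site unreachable; anything else sends you to a fake.
        kind = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"host": host, "ip": ip, "kind": kind})
    return findings


def hosts_path():
    """Location of the hosts file on Windows versus Unix-like systems."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def scan_local_hosts_file():
    """Read this machine's hosts file and report tampered entries."""
    with open(hosts_path(), "r", encoding="utf-8", errors="replace") as fh:
        return find_hijacked_hosts(fh.read())


if __name__ == "__main__":
    for f in find_hijacked_hosts(SAMPLE_HOSTS):
        print("%-10s %-16s %s" % (f["kind"], f["ip"], f["host"]))
```

Run scan_local_hosts_file() on a machine you suspect (as Administrator on Windows if you then intend to delete the entries). An empty result does not clear the machine, since malware can also block vendor sites with a DNS change, a proxy setting or a filter driver, but a non-empty result is a reliable sign of tampering.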

How safe is your email address?

Target, Home Depot and VTech all have something in common besides taking our money from time to time. These companies (and several more) were breached by hackers in 2013, 2014 and 2015 respectively.

A “breach” is an incident where a hacker illegally obtains data from a vulnerable system, usually by exploiting weaknesses in its software. The information hackers seek ranges from addresses and phone numbers to credit card information, social security numbers and email accounts. All of the data on the Have I Been Pwned site (linked below) comes from website breaches that have been made publicly available.

Here is a tip:

To see if your email account has been released into the wild because a company you use was breached, check out https://haveibeenpwned.com/, enter your email address, click “pwned?” and see what comes back.

[Image: Have I Been Pwned search result (pwned1)]

Hopefully your email doesn’t show up on the pwned list. If it does (like my Gmail account did, as seen in the screenshot), make sure you change your password and monitor any accounts associated with that email account.

[Image: Have I Been Pwned breach details (pwned2)]

Credit (https://haveibeenpwned.com – Troy Hunt)

Featured software for PC protection – January 23

Malwarebytes anti-malware (Free version)

Malwarebytes Anti-Malware is by far one of my favorite anti-malware programs. I use Malwarebytes as a backup to my antivirus program, in case my AV program misses a threat. The free version of Malwarebytes Anti-Malware offers two types of scan, Threat scan and Custom scan. The Threat scan checks all of the places malware is known to hide, such as startup entries, the registry and other parts of the file system.

[Image: Malwarebytes Anti-Malware threat scan]

The Custom scan gives you the option to choose what files and folders you want to scan.

[Image: Malwarebytes Anti-Malware custom scan]

For example, on one of my computers (yes, I have several) I have omitted a folder containing viruses (used for testing) and another folder containing investigative tools. Had I not done so, Malwarebytes or my antivirus program would have deleted my testing/tool files.

I recommend downloading Malwarebytes Anti-Malware (https://www.malwarebytes.org/antimalware/) and running it at least weekly in order to further protect your computer.

If you have a Mac you can download the Mac version here (https://www.malwarebytes.org/antimalware/mac/)

The worst passwords of 2015

According to SplashData’s yearly “Worst Passwords” list, here are the most common passwords used in 2015:

Rank  Password    Change from 2013
  1   123456      No Change
  2   password    No Change
  3   12345       Up 17
  4   12345678    Down 1
  5   qwerty      Down 1
  6   123456789   No Change
  7   1234        Up 9
  8   baseball    New
  9   dragon      New
 10   football    New
 11   1234567     Down 4
 12   monkey      Up 5
 13   letmein     Up 1
 14   abc123      Down 9
 15   111111      Down 8
 16   mustang     New
 17   access      New
 18   shadow      No Change
 19   master      New
 20   michael     New
 21   superman    New
 22   696969      New
 23   123123      Down 12
 24   batman      New
 25   trustno1    Down 1

If you log into any of your personal accounts using one of the passwords above, please change it. As you can see, the secret is out. If you need help, refer to Up your password game.
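A list of 25 is only the top of the pile; the breach data behind Have I Been Pwned (see “How safe is your email address?” above) also powers a Pwned Passwords lookup, and it can be queried without ever sending the password: you hash it with SHA-1, send only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/<prefix>, and the service returns every hash suffix it knows for that prefix with a count of how often each appeared in breaches. The block below is an added example written for this page, not HIBP’s own client and not from the original post: it does the hashing, parses a range response, and reports the count. The response body in the block is constructed (the suffix for “password” is real, the counts and other suffixes are made up), so it runs offline; fetch_range() is the only part that touches the network.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed range response for prefix 5BAA6: the first suffix is the real SHA-1 tail of
# "password"; the counts and the other two suffixes are invented for the example.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
this line is garbage and must be ignored
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix sent to the
    service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        count = count.strip()
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How many times the password appeared in breaches, given the range response for its prefix."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix, timeout=10.0):
    """Fetch the real range response for a 5-character hex prefix (network access)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password):
    """Full k-anonymity lookup: only the hash prefix is transmitted."""
    prefix, _suffix = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    print("password seen", breach_count("password", SAMPLE_RANGE_BODY), "times (sample data)")
```

The service never learns which of the few hundred suffixes under a prefix you were interested in, which is why the lookup is safe to build into a sign-up form. A non-zero count means the password is in an attacker’s wordlist and should be treated exactly like an entry on the list above.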