Tuesday, 25 November 2014

Username and Password - those days have long gone (Security)

Username and Password - those days have long gone (Security)

Today I am going to write about something quite important in the battle against the bad people. Do I really care how they call themselves?! Not really!!
If they hack n, or chainsaw in, or they butcher in, for me they are still the same to me.

This is my opinion: It is much easier to break something then to build or fix something which is broken.
If I want to break something, give me a hammer and I will smash to bits a phone, PC, TV, Server etc. I want to see anyone putting all the bits together and fixing what is broken....
Anyway, here is my ranting for today!

In the past we used an user name and a password, passwords with 8 characters were considered hard to break. I have seen 12 charactered passwords be broken in 25 seconds.
Even by using complexity, man still no better or safer for brute force attacks, dictionary based attacks etc.

There is something quite nice, it is known by quite few different names:

  • Second-factor authentication
  • RSA Key
  • Two-factor authentication
  • Mobile authentication
  • PIN number authentication
They all do a very similar job; they add an extra layer of security to your account. MOst of them work by requiring a RANDOM generated number, which can be sent to you via text to your mobile. It can be generated by an APP installed onto your mobile like "Google Authenticator".

A lot of Internet services started to offering similar method of authentication.
Just to name some:
  • gmail.com
  • hotmail.com
  • facebook.com
  • Paypal
  • some Banks
  • Dropbox
  • LinkedIN
  • etc
I advise you to set the two-factor authentication for all your services, to all your systems which require login. 
Some two factor providers, allow you to set it for RDP connections, VPN connections, SSH access, webmail access.

I have come across a very nice one from a company called: www.duosecurity.com. It is the nicest and most neat I came across. It is relatively cheap and so easy and quick to set up. Amazing!

If we don't take the initiative to protect ourselves, no one will and guess what, once your system, data, PC, server or device is compromised it is difficult to clean it up. Might as well start all over and might be game over.

Some links on how to set up the Second factor Authentication for various services:

PayPal

Google 

Hotmail

DropBox

FaceBook
We need to start campaigning across the  Internet for each service provider offer similar services. Security needs to come from manufacturers and Service providers.

If you want a second factor mechanism for your webmail, RDP, SSH, VPN, Firewall take a look at the duosecurity website. It is pretty nice.

I hope you make use of this info in a good way and protect yourself.

by Renato de Oliveira

Friday, 21 November 2014

Rename those default Windows accounts (Security)

Rename Default  Windows Account Names

By default, Windows has two built in very well known account names, they are:

  • Administrator
  • Guest
I cannot stress enough, how well known these two accounts are across the Internet . 
So it is very important to take the following steps.

a) Rename both accounts.
b) Choose a very unusual name
c) Guest account is disabled by default. DO NOT ENABLE IT!
d) Set a very strong password for both accounts
e) Disable DIAL-IN for Guest account
f) For admin accounts, choose a 12 character password or longer
g) In the password use Capitals, Numbers, Symbols and lower case

Note we will not prevent a break in by renaming these accounts, but we will make it at least a bit harder. By making it harder, you give yourself time.

Don't just rename the Administrator account to 'admin' this is even easier to guess. Use your imagination, create a theme for your admin account names. Use long numbers.

Rename these accounts before you put your server or client in production, make it part of your security base line policy.

Remember never leave default user names.

by Renato de Oliveira

Security (Default config left behind) a guilty industry

Security (Default config left behind) a guilty industry

Recently about a month ago, a website has gone up which explores video cameras and display images captured from these video links on this Russian website.
Some of these cameras are at homes, companies, public gyms etc see the article at BBC News: http://www.bbc.co.uk/news/technology-30121159

While I understand this is a security risk and can be used with the wrong intentions and be exploited, I also see that this is a wider problem and needs to be addressed at the top.

Once again defaults being left behind! Is that a joke or what?!
As I said in one of my previous articles, it is partially our fault, but majority of the guilty and blame should be passed to manufacturers. They should know better!

In this new world we are living in, anything can be exploited and it will not take long, if you set up a website at home in your PC, it can be accessed in Brazil almost instantly. It is quick and this sort of information spreads even more quickly.

Some of these devices being sold as consumable, they can open up a lot of security issues in your network, home, anywhere.

While we wait for some regulations to be put in place (I think it will take a long time) security is a top down issue. Any product should leave the factory with a basic level of security!

Some easily, guessable user names being used on some of these devices are:

  • Admin
  • Administrator
  • root
  • guest
Information like this can be found anywhere on the Internet. So when you buy any device which requires

  1. Connection to the Internet
  2. Connection to a Network 
Look out for the basic security:
  • Change the default password
  • Change if you can the default username (too easy to guess)
  • Set account lockout 
  • Set idle timeout
  • Set HTTPS
  • Disable HTTP
  • Disable TELNET
  • DISABLE FTP
  • If you can link the account or service to Google Authenticator do it!
  • Enable the built in firewall if available
  • Set IP restrictions to certain IP addreeses

These are just some of the basic security, if followed a lot of problems will be avoided and will keep a lot of bad people out.

by Renato de OLiveira
 


Monday, 17 November 2014

How to Disable SSL V3.0 on Apache Red Hat (POODLE attack part 5)

Disable SSL V3.0 on Apache Red Hat (POODLE attack part 5)

If you are running Apache on Redhat this is how you disable SSL V3.0.

1. Log in to your Linux Redhat
2. Become root or use sudo.
3. Edit /etc/httpd/conf/ssl.conf

Replace the line:

SSLProtocol all -SSLv2 with the line below

SSLProtocol all -SSLv2 -SSLv3

Save the file and restart Apache

/etc/init.d/httpd restart

or

service httpd restart

That is it

By Renato de Oliveira

Security part 5 (Securing your phone)

Security part 5 (Securing your phone)

There were a lot of talk recently on the media about phone hacking. Loads of bad press and a lot of exploitation of unaware users. Some of us do know and understand the risks, but we never really think it can happen to us and to a degree we are complacent. We are used to use defaults, to want the easiest possible.

I Think a certain level of security should be enforced by manufacturers, and not expect users to know how to lock down things. Some of services the default password is: admin or blank or 0000.
Come on, this is like a joke! 
Manufacturers need to take more responsibility and face for the fact that they should know much more than users.

We have to understand a smart phone is pretty much a very powerful, portable PC. Some of these phones are much more powerful than PCs manufactured few years ago, they have better CPU/Processor, they have more memory, even more storage, they are connected to the Internet and guess what where is the firewall?!!!

In this article I am going to try and cover some of the basic security issues we face, and how to try and prevent it from happening, give some tips on what to do in case the worse does happen.

Let's cover the basics
  1. How to prevent unauthorised people from using your phone?
Most phones have a built in mechanism to be enabled and ask for a pass code, PIN number or both.
  • 1. Set your phone to autolock
  • 2. Set a PIN number or pass core
  • 3. Set it for a strong PIN number
These steps will certainly keep most unauthorised users out of your phone.

    2. How to prevent people accessing messages left to you on your voice mail?

Again most phones and network operators allow you to set a password for:
  • Listening to messages
  • Saving messages
  • Deleting messages
Set a password, PIN number for your voice mail. Do not forget to set it..

    3. Set "Restrictions" or "Parental control" for using Apps and placing calls. It is like a second layer of protection in case your PIN number has been compromised.

   4. If you want privacy, disable "Location Services". 
If you have Location services or similar on, any application installed on your smart phone will advertise your location across the Internet to anyone. It will be very easy to track your location as you move from one place to another.

5. Do not even consider Jail breaking your smart phone, you do not know what hidden traps might be left. It is not a good idea for various reasons a) you are violating warranty b)there may be back doors left to allow data leaking.

6. Install an anti virus: Norton, Mcafee, Trendmicro etc.
As I mentioned above, don't treat your smart phone any different from a PC, it is a powerful PC in your pocket.

7. Install a Firewall, there are many different types of Firewalls available for Android and for iPhones IOs.
A Firewall is an application which protects your PC/Phone from unauthorised connections etc.

8. Only install Apps from AppStore and Google store

9. Do no use FREE WIFIs, they are very insecure and sometimes they are set up to collect data, for example: If you read your email using a FREE WIFI, whoever is the owner of the WIFI might be there also reading your messages, they might get hold of your password. SO do not use public FREE WIFI.

10. How to prevent loosing your Phone?
You can buy a dice which will sound a beep if you are distant from it. Something like this:


11. Download and install "Find My iPhone" app for Apple devices or Android. This is an app which if set up correctly and prior to haven lost your smart phone, it can be a very good tool
  • Locate the device
  • Send messages to the lost device
  • Deleting the data off your lost device
12. If you have lost your device
  • Please do notify your Network provider ASAP
  • Do not leave it for the next day, contact Network provider ASAP
  • If the everything above has been followed, then you are in a good proposition
  • Communicate the police
NOTE: Remember if you lost your phone and did not communicate in time to your Network provider, any calls made using your phone you will be the one asked to pay. 

13. Set your phone to auto wipe the data if 10 consecutive attempts to login have failed.

This is not a comprehensive list of security measures you can take, it is only a simple guide to give you some basic protection against many different scenarios.
You can implement other features and security measures, just spend some time researching.

You can use the same advice for many different devices i.e. iPads, Tablets, etc.

I hope this will be helpful to you and will open your eyes to this new world we are living, if we don't protect ourselves, people out there will exploit and take advantage.


By Renato de Oliveira












Saturday, 15 November 2014

How to Disable SSL V3.0 for Google Chrome (POODLE Attack part 4)

How to Disable SSL V3.0 for Google Chrome 

If you use Google Chrome, here it is how to disable SSL V 3.0. 

  1. Right click at your Chrome's desktop icon
  2. Properties
  3. At the end of the target field enter:
    " --ssl-version-min=tls1"
  4. Apply
  5. Quit Chrome
  6. Double Click on it again to open it
To prevent connections falling back to SSLv3 from being created, Google security engineer Adam Langley said that in Chrome 39, the ability to fallback to SSLv3 will be disabled by default.
"SSLv3-fallback is only needed to support buggy HTTPS servers," Langley said in a post to the Chromium security mailing list. "Servers that correctly support only SSLv3 will continue to work (for now), but some buggy servers may stop working.


How to Disable SSL V3.0 For Client (Win7) (POODLE attack part 3)

How to Disable SSL V3.0 For Client (Win7)

Don't forget to disable also for all your Windows clients. Through out the network.
Home users please do follow these steps to disable SSL v 3.0 and if you use IE disable it there as well.

You can disable support for the SSL 3.0 protocol on Windows by following these steps:
  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK
    Note If this value is present, double-click the value to edit its current value.
  6. In the Edit DWORD (32-bit) Value dialog box, type 0 .
  7. Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all client software installed on a system.

Note After applying this workaround, client applications on this machine will not be able to communicate with other servers that only support SSL 3.0.

by Renato de Oliveira

How to Disable SSL V 3.0 for Windows Servers (Protect against POODLE attack) part 2

Disable SSL 3.0 in Windows For Server Software


We have to remember to turn SSL V 3.0 on all servers, especially the ones facing the Internet or hosting IIS and handling HTTPs.

You can disable support for the SSL 3.0 protocol on Windows by following these steps:
  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK
    Note If this value is present, double-click the value to edit its current value.
  6. In the Edit DWORD (32-bit) Value dialog box, type 0 .
  7. Click OK. Restart the computer.
Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

 You can disable support for the SSL 2.0 protocol on Windows by following these steps:
  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK
    Note If this value is present, double-click the value to edit its current value.
  6. In the Edit DWORD (32-bit) Value dialog box, type 0 .
  7. Click OK. Restart the computer.
 Note This workaround will disable SSL 2.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.

POODLE Attack (which stands for "Padding Oracle On Downgraded Legacy Encryption)

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption)

Recently a lot of security issues have been uncovered. Poodle was discovered back in  September 2014 by the Google security team, this can lead to a Man in the Middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0.

POODLE is an example of a vulnerability that succeeds thanks to a mechanism designed for reducing security for the sake of interoperability.

I am not go into too much details about this vulnerability. if you really want to understand it fully and the ins and outs I suggest you read this article: https://www.us-cert.gov/ncas/alerts/TA14-290A

We must disable the support for SSL V 3.0 and this is what I will show you. How to disable it for various different OSs and different servers, devices and applications. 
I would like to stress this is a serious vulnerability and it is strongly recommend you do disable SSL V 3.0.

Let's deal with the easy part. 
How to disable SSL V 3.0 support for Internet Explorer.

  1. Click on "Tools" menu option
  2. Click on "Internet Options"
  3. Click on [Advanced] tab
  4. Scroll the bar on the right, right to the bottom
  5. Dis-Select "Use SSL 3.0"
  6. Dis-Select "Use SSL 2.0"
  7. Select "Use TLS 1.0"
  8. Select "Use TLS 1.1"
  9. Select "Use TLS 1.2"
  10. Click on [OK]
Note  After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2. 

Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy

You can disable support for the SSL 3.0 protocol in Internet Explorer via Group Policy by modifying the Turn Off Encryption Support Group Policy Object.
  1. Open Group Policy Management.
  2. Select the group policy object to modify, right click and select Edit.
  3. In the Group Policy Management Editor, browse to the following setting:
    Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support
  4. Double-click the Turn off Encryption Support setting to edit the setting.
  5. Click Enabled.
  6. In the Options window, change the Secure Protocol combinations setting to "Use TLS 1.0, TLS 1.1, and TLS 1.2".
  7. Note It is important to check consecutive versions. Not selecting consecutive versions (e.g. checking TLS 1.0 and 1.2, but not checking 1.1) could result in connection errors.
  8. Click OK.
Let's make a bit more difficult for these people who want to take advantage!

Nets post I'll show how to disable for Windows client and server by editing the registry.

by Renato de Oliveira

What am I doing here

What am I doing here
I don't believe it
What am I doing here
It goes against my beliefs
What am I doing here
It goes against my principals
What am I doing here
Have I been corrupted by the system?
What I doundn't do
To support my family?
What lengths woudn't I go
to make sure
They are well and sound
It is hard to think
I am not who I was
I've changed so much
I can hardly recognise me
Am I who I was
or just someone else?
Am I doing this for love
Or because society expects?
I don't feel love
I feel pressure, responsibilities
I feel overwhelmed
Insensibility
Life is no joy
Just the sense to provide

by Renato de Oliveira


Security a long battle

I have been off writing for quite some time. I have been so overwhelmed by work and stress that I neglected something I enjoy.
I like writing my experiences and sharing with everyone, you might benefit from some of the stuff I write here.
If you do benefit, I will be happy at least I've helped someone.

I will be writing a series of posts about security, by no means I am an expert in security and what I will share are just my experiences, opinions and some advice. Once again I hope they will be useful to you in some way.

I understand there are many different reasons why people hack into systems and try to steal data or disrupt system. Companies trying to find out some plans, some projects, financial data market to give edge advantage. Government trying to keep an eye on enemy countries, hackers wannabe to show off, hackers trying to gain advantage and make money by stealing credit cards, steal your identity and many more.

As a whole we need to be alert, as an individual, as an employee and as a citizen. There is an infinite pressure to make services cheaper and 24x7. This means many companies will set up on-line services without considering and assessing the risks involved for the company and for the users of the these potential on-line services.

I believe the responsibility for security is complex, companies need to accept their responsibilities and securing their services and not taking the easy route, assuming and quoting probabilities. I can tell you this: If something has the potential to go wrong, it will go wrong. I have been in this industry for too long to know it is just a question of time, lack of attention and bad intention.

Just to give you an idea, few years ago a 6 characters was considered a strong password, for various reasons: a) Computer power was not that great b) Technology was not that developed c)Internet was limited to Universities pretty much d) Information did not travel so fast.

With every good thing, people twist and make it bad, Is the Internet bad or good, is dissemination of information bad or good? is 24x7 services a good thing or a bad thing? I can go on and on, but for each thing there will be voices in favour and voices against...

But as we connect and interconnect and we adequate to this new style of life 24x7, on-line and available immediately we must be aware of the danger which lives and resides in this new world.
The danger as we perceived has changed, we cannot see or even know our enemies most the time, sometimes we won't be able to even realise our information has been compromised  until it is too late.

While it is hard and difficult to completely eliminate the danger of being hacked or having our sensitive data compromised, or our identity stolen we can certainly make it more difficult, right?!

In the next post I will talk about security awareness.

I hope you enjoy it and see you next

by Renato de Oliveira