Monday, April 17, 2017

HOWTO : Secure Surfing

According to the OWASP Secure Headers Project, secure headers are HTTP response headers set by the web server that can restrict modern browsers from running into easily preventable vulnerabilities.

The following are descriptions of some of the secure headers, taken from the OWASP Secure Headers Project:

HTTP Strict Transport Security (HSTS)

"HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol."

Public Key Pinning Extension for HTTP (HPKP)

"HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates."

X-XSS-Protection

"This header enables the Cross-site scripting (XSS) filter in your browser."

Content-Security-Policy

"Content Security Policy (CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections."

When secure headers are set on a web server, it shows that the sysadmins/developers care about the security of their clients/users. Most attacks today, such as XSS and MITM attacks, go through the browser and target users.

We can learn more about a web server's response header settings by using an online tool, Analyse your HTTP response headers. It is recommended to aim for Grade A or A+ in the test; however, Grade B may be acceptable.
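As an added example (not code from the post or from OWASP), the following Python script checks an offline, constructed set of response headers for the four headers described above; the sample values and the six-month HSTS threshold are assumptions, and HPKP has since been dropped by browsers.

```python
import re
# Constructed sample response headers (hypothetical values, not from a real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": 'pin-sha256="<pin-A>"; pin-sha256="<pin-B>"; max-age=5184000',
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

def check_hsts(value):
    """Findings for Strict-Transport-Security; None means the header is absent."""
    if value is None:
        return ["HSTS header missing"]
    match = re.search(r"max-age=(\d+)", value)
    findings = []
    if not match or int(match.group(1)) < 180 * 24 * 3600:  # six months
        findings.append("HSTS max-age missing or shorter than 6 months")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings

def check_csp(value):
    """Parse CSP directives and flag a missing fallback or inline script."""
    if value is None:
        return ["CSP header missing"]
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    findings = []
    if "default-src" not in directives:
        findings.append("CSP lacks default-src fallback")
    for name, sources in directives.items():
        if name in ("default-src", "script-src") and "'unsafe-inline'" in sources:
            findings.append(f"CSP {name} allows 'unsafe-inline'")
    return findings

def audit(headers):
    """Run every check over a header dict; header names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = check_hsts(lower.get("strict-transport-security"))
    findings += check_csp(lower.get("content-security-policy"))
    xss = lower.get("x-xss-protection", "")
    if not xss or xss.strip().startswith("0"):
        findings.append("X-XSS-Protection missing or set to 0 (filter disabled)")
    if "public-key-pins" not in lower:  # HPKP; browsers have since dropped support
        findings.append("HPKP header missing")
    return findings
```

Running `audit(SAMPLE_HEADERS)` reports only the inline-script allowance in the CSP, which is exactly the kind of finding that drops a site below Grade A on the online checker.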

For the client side, it is recommended to install some add-ons or plugins for browser security. Firefox is recommended as there are many such add-ons for the purpose. The following add-ons are recommended.

NoScript

Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.

* You are not required to enable script blocking, as it will block the JavaScript that most modern websites use. You can disable the blocking globally and still have the XSS attack protection by default.

uBlock Origin

Finally, an efficient blocker. Easy on CPU and memory. (Please refer to the official site for details.)

WebRTC Control

Have control over WebRTC (disable or enable) and protect your IP address.

Self-Destructing Cookies

Self-Destructing Cookies automatically removes cookies when they are no longer used by open browser tabs. With the cookies, lingering sessions, as well as information used to spy on you, will be expunged. Websites will only be permitted to identify you while you actually use them and can not stalk you across the entire web. This is the closest you will get to cookieless browsing without breaking every second site or tedious micromanaging.

HTTPS Everywhere

Encrypt the web! HTTPS Everywhere is a Firefox extension to protect your communications by enabling HTTPS encryption automatically on sites that are known to support it, even when you type URLs or follow links that omit the https: prefix.

If you are an Ubuntu user, you can enable the AppArmor profile for Firefox for further hardening.

When both the server side and the client side are secured, it is much harder to be attacked by XSS, MITM or other attacks.

Happy surfing!

That's all! See you.


Saturday, April 15, 2017

Green PadLock is Safe?

According to Wikipedia, HTTPS only encrypts the communication between browsers and web servers in order to prevent Man-In-The-Middle (MITM) attacks. HTTPS does not indicate that a website bearing a green padlock is "safe".

Many people misinterpret a green padlock with an HTTPS URL as meaning that the website is "safe". "Safe" here refers to a website that does not carry out any malicious activity against its users.

Recently, I read an article, "When the 'S' in HTTPS also stands for shady". It also shows that even information security guys and gals may misinterpret the purpose of HTTPS.

Since users can revoke and regenerate Let's Encrypt SSL certificates themselves, having Let's Encrypt revoke the SSL certificates of malicious websites is meaningless. Even without Let's Encrypt, malicious hackers can purchase SSL certificates from other sources without any problem.

Ten-odd years ago, many experts stated that if the browser shows a locked padlock, you are "safe" and the website is "safe". That is misleading for sure.

We should educate users that even when a website looks legitimate and bears a valid SSL certificate, they should think twice before clicking any link on the site, because most phishing sites look legitimate and have valid SSL certificates. They should check the URL of the website before going further, especially for banking and payment sites, and beware of the website being redirected to another URL too.

By the way, malicious hackers can impersonate HTTPS traffic and carry out MITM attacks with ease today! No system is safe!

That's all! See you.


Wednesday, April 12, 2017

[RESEARCH] Information Security Scammers?

What Attracted Me

Recently, Nexus Guard and Zenedge caught my eye. They provide similar products/services, such as DDoS protection via a Content Delivery Network (CDN) and a Web Application Firewall (WAF).

The Nexus Guard website says that they are the leader in the market:

"As a longtime leader in DDoS defense, Nexusguard is at the forefront of the fight against malicious Internet attacks, protecting organizations worldwide from threats to their websites, services, and reputations."

The Zenedge website offers a free vulnerability and threat assessment for potential clients:

"The report is produced by our team of cybersecurity experts bring a collective 200 years of cybersecurity experience and have been responsible for mitigating some of the largest attacks. Ever."

Basic and Fast Research

I wonder why there have been so many CDN providers recently. A CDN requires many proxies around the world in order to absorb very large amounts of DDoS traffic, so providers need to invest heavily in infrastructure. Therefore, I did some basic and quick research on them.

I found out that they both use free Let's Encrypt SSL/TLS certificates on their official websites. Meanwhile, their official websites are hosted (or their domains are proxied) on akamaitechnologies.com.

I further found out that akamaitechnologies.com is registered by akamai.com, Akamai. Akamai provides CDN and cloud computing services, including WAF, and has been one of the well-known CDN and WAF providers in the market since 1998. I confirmed that akamai.com is also hosted (or its domain proxied) on akamaitechnologies.com, but on a different IP address/subnet from Nexus Guard and Zenedge. Meanwhile, Nexus Guard and Zenedge are in the same subnet.

Nexus Guard

In July 2014, Nexus Guard conducted unprofessional research on Android TV boxes with three popular anti-virus programs, such as Dr. Web and ESET, and published it in a Hong Kong local magazine, East Week Vol. 568. They just published the scan results and misled readers into believing that some Android TV boxes are vulnerable to so-called backdoors. However, they did not confirm whether the so-called backdoors were exploitable or not.

Nexus Guard also released an article about DDoS in May 2016 in which they mentioned that NTP-based DDoS was at the top of the list of attacks. However, it seems that they did not know that the NTP attacks at that time were due to a zero-day vulnerability in the NTP protocol.

Most of their reports, threat advisories and whitepapers restate information security news that is already publicly available. Do they think that writing so many reports, threat advisories and whitepapers will make them look more like a professional information security firm?

Zenedge

Since Zenedge offers a free vulnerability and threat assessment on their website, I tried to contact the sales agent on the Zenedge site and he redirected me to Nelson Chen, who is CISSP, CISA, CISM and Director of Security Solutions at Zenedge. I requested a free vulnerability and threat assessment of my personal site on April 10, 2017 via direct email with Nelson. However, I have not had any reply from him since then (3 days at the time of this writing).

That makes me think: are they pretending to provide a free service in order to obtain information about potential clients for promotional purposes? Or is Nelson thinking too much because an infosec (information security) guy is approaching them, when they expect their customers to be noobs? Or do they not have any professional infosec guy to do an assessment of my personal site? Or is my personal site too lame for them to bother doing the job?

Questions in Mind

If Nexus Guard and Zenedge have their own CDN and products/services, why are their official websites hosted (or their domains proxied) on Akamai? Do they not believe that their products/services are better than Akamai's? Are Nexus Guard and Zenedge resellers/Value Added Resellers of Akamai? Are they all information security scammers?

Conclusion

Think carefully before you purchase information security services or products. Do more research on infosec providers/vendors before making any decision. Finally, it is difficult to tell professional from unprofessional in general.

Reference

Distributed Denial-of-Service Attack
Content Delivery Network
Web Application Firewall

(a) Nexus Guard - https://www.nexusguard.com/
Domain is registered on Sept 9, 2008
Server common name : secure0009.hubspot.com
Server domain #1 : a184-50-88-78.deploy.static.akamaitechnologies.com (184.50.88.78)
Server domain #2 : a184-50-88-3.deploy.static.akamaitechnologies.com (184.50.88.3)
Server IP : 128.177.173.177:443

(b) Zenedge - https://www.zenedge.com/
Domain is registered on Jan 7, 2013
Server common name : secure0004.hubspot.com
Server domain #1 : a184-50-88-76.deploy.static.akamaitechnologies.com (184.50.88.76)
Server domain #2 : a184-50-88-3.deploy.static.akamaitechnologies.com (184.50.88.3)
Server IP : 69.31.76.226:443

(c) Akamai - https://www.akamai.com/
(Akamai Technologies - akamaitechnologies.com)
Domain is registered on Aug 17, 1998
Server domain : a23-75-36-144.deploy.static.akamaitechnologies.com (23.75.36.144)

That's all! See you.


Sunday, April 09, 2017

Catch Me If You Can 4

This is the fourth article in the "Catch Me If You Can" series. The previous three articles talked about how to avoid being caught. This article talks about what you can do, once you have been arrested, to avoid being charged for hacking.

Once you have been arrested, your digital devices (such as personal computers, laptops, smartphones and other devices) will be seized. "Device" below applies to personal computers and laptops only. Law enforcement will conduct digital forensics on all your devices in order to seek evidence of any cyber crime you have committed. However, if your devices are still switched on when you are arrested, law enforcement will not turn them off and will conduct the digital forensics right away.

You can use BleachBit to remove deleted files, logs and backups. However, some valuable files may not be deleted. Therefore, BleachBit may not be a very good solution, even though it is good practice to use it for the purpose.

Offensive Security's Kali Linux development team added self-destructing LUKS encryption to Kali Linux from version 1.0.6, which allows the hard drive (or SSD) to be fully encrypted with both a normal and a nuke passphrase. Once the nuke passphrase is entered, all the passphrases for decryption are deleted and the hard drive (or SSD) cannot be recovered. Therefore, the hard drive (or SSD) is safe from digital forensics. If you are not using Kali Linux for hacking, you can apply self-destructing LUKS encryption to some other Linux distributions.

It is recommended that the self-destruction nuke passphrase be much shorter than the normal passphrase, in order to protect your device from being brute-forced. Meanwhile, it is not recommended to back up your normal passphrase anywhere.

What if the device is still switched on? It is recommended to force the device off by long-pressing the power button or unplugging the power supply, if you can, while you are being arrested. Make sure you set up your device to power off when the power button is long-pressed, instead of suspending.

Different countries have different cyber crime laws. Even if law enforcement cannot get any evidence from your devices, you may still be charged with other offences under the laws of your country.

That's all! See you.

Reference

Emergency Self-destruction Luks in Kali
Luks and Nuke Key Installation on Ubuntu
Bleachbit

See Also

Catch Me If You Can
Catch Me If You Can 2
Catch Me If You Can 3