Tag Archive for: Security

Cyber Security Awareness Month 2017

Dogsbody Technology is happy to be a champion of National Cyber Security Awareness Month (NCSAM) to get everyone thinking about their security online.

Online safety is our shared responsibility, and it starts with STOP. THINK. CONNECT.

STOP: make sure security measures are in place.
THINK: about the consequences of your actions and behaviours online.
CONNECT: and enjoy the internet.

We actively believe that security is not something you “do” (“I’ve built this server, now I’m going to secure it”); it is something that has to be thought about as part of the culture of the business we are in. It is also something that has to be done at all levels of the business, including customers and suppliers.

Follow these basic tips throughout October – and all year-round! – to help protect yourself, your information and promote a more trusted internet for everyone.

Own your online presence – Set the privacy and security settings on websites to your comfort level for information sharing. It’s OK to limit how and with whom you share information.

Personal information is like money. Value it. Protect it. – Information about you, such as purchase history or location, has value – just like money. Be thoughtful about who gets that information and how it’s collected by apps and websites.

Keep a clean machine – Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.

Get 2 steps ahead – Your usernames and passwords are not enough to protect key accounts like email, banking and social media. Turn on two-factor authentication (2FA) – also known as two-step verification or multi-factor authentication (MFA) – on accounts where available. Two-factor authentication can use anything from a text message to your phone to a token to a biometric like your fingerprint to provide enhanced account security.

Share with care – Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it could be perceived now and in the future.

Declutter your mobile life – Most of us have apps we no longer use and some that need updating. Delete unused apps and keep others current, including the operating system on your mobile device.

Do a digital life purge – Perform a good, thorough review of your online files. Tend to digital records, PCs, phones and any device with storage just as you do for paper files. Get started by doing the following:

  • Clean up your email: Save only those emails you really need and unsubscribe from email you no longer need or want to receive.
  • Back it up: Copy important data to a secure cloud site or another computer/drive where it can be safely stored. Password protect backup drives. Always back up your files before getting rid of a device, too. You can’t go wrong with the classic 3-2-1 backup strategy: 3 total copies of your data, 2 of which are local but on different mediums (read: devices), and at least 1 copy offsite (for if your house/office burns down).

Know what devices to digitally “shred” – Computers and mobile phones aren’t the only devices that capture and store sensitive, personal data. External hard drives and USBs, tape drives, embedded flash memory, wearables, networking equipment and office tools like copiers, printers and fax machines all contain valuable personal information.

Clear out stockpiles – If you have a stash of old hard drives or other devices – even if they’re in a locked storage area – information still exists and could be stolen. Don’t wait: wipe and/or destroy unneeded hard drives as soon as possible.

Empty your trash or recycle bin on all devices and be certain to wipe and overwrite – Simply deleting and emptying the trash isn’t enough to completely get rid of a file. Permanently delete old files using a program that deletes the data, “wipes” it from your device and overwrites it by putting random data in place of your information ‒ that then cannot be retrieved.

For devices like tape drives, remove any identifying information that may be written on labels before disposal. For embedded flash memory, networking or office equipment, perform a full factory reset and verify that no potentially sensitive information still exists on the device.

Most of these suggestions just require time.  There really is no excuse.

HashGate: An intrusion detection tool

HashGate is a simple intrusion detection tool we wrote for use internally and in customer environments to monitor files and alert us on any unauthorised changes to them.

We try very hard not to re-invent the wheel and are already big users of tools such as Tripwire and Rootkit Hunter, but we wanted something lightweight for monitoring site files, not system files.

HashGate is written in Python using only core modules and aims to work on all platforms that can run Python 2.7, not just Linux!

Our main use for HashGate is monitoring files on WordPress and Magento installations, which are more commonly exposed to vulnerabilities that allow attackers to modify files. HashGate records the hash of every file in the specified directory and stores them so they can be checked periodically; we run our checks hourly via cron.

Below is a basic example of the output when a file has been modified:

alex@dogsbody-alex:~$ ./hashgate.py -ca /tmp/files.cache -f /home/alex/Documents/Junk/ -t check
The following files were modified:
/home/alex/Documents/Junk/wordpress/index.php
----------------------------------

Other features of HashGate include whitelisting, which allows us to ignore files that frequently change and don’t need to be monitored such as WordPress’ cache files or Magento’s sessions directory.

There is also VirusTotal checking: HashGate checks the hashes of flagged files against VirusTotal’s database of malicious files to determine whether the change was malicious. Due to the rate limits of VirusTotal’s API we are only able to make 4 requests per minute, so if lots of files are flagged it will add some extra time to hash checks.

We have recently open sourced this tool; you can find more information, the full feature list and usage instructions in the GitHub repo. If you feel something could be written better or there is a feature you would like to add, we invite you to contribute and help us build a better tool. We make use of tools like HashGate in some of our server monitoring packages, so be sure to check them out and get in contact if they could be of use.
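As an added illustration of the update/check cycle described above (this is example code written for this page, not HashGate’s own source), the following Python script records a SHA-256 digest for every file under a directory into a JSON cache, then compares the tree against that cache and reports added, removed and modified files while skipping whitelisted path prefixes such as a CMS cache directory. The function names, the choice of SHA-256, the JSON cache format and the constructed WordPress-like tree in demo() are all this example’s own assumptions.

```python
"""Minimal file-integrity checker in the spirit of HashGate (added example)."""
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, whitelist=()):
    """Map relative path -> digest for every regular file under root.

    whitelist: relative path prefixes to ignore (frequently changing
    directories such as a CMS cache or sessions directory).
    """
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel.startswith(prefix) for prefix in whitelist):
                continue
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            digests[rel] = file_digest(full)
    return digests


def update_cache(root, cache_path, whitelist=()):
    """Record the current state of the tree (the 'update' step)."""
    digests = hash_tree(root, whitelist)
    with open(cache_path, "w") as fh:
        json.dump(digests, fh, indent=1, sort_keys=True)
    return digests


def check_cache(root, cache_path, whitelist=()):
    """Compare the tree against the cache (the 'check' step)."""
    with open(cache_path) as fh:
        old = json.load(fh)
    new = hash_tree(root, whitelist)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def report(changes):
    """Human-readable summary, returned so a caller can log or mail it."""
    lines = []
    for kind in ("modified", "added", "removed"):
        if changes[kind]:
            lines.append("The following files were %s:" % kind)
            lines.extend(changes[kind])
    return "\n".join(lines) if lines else "No changes detected."


def demo():
    """Constructed scenario: baseline a small WordPress-like tree, change it, re-check."""
    work = tempfile.mkdtemp()
    site = os.path.join(work, "site")
    cache_dir = os.path.join(site, "wp-content", "cache")
    os.makedirs(cache_dir)
    with open(os.path.join(site, "index.php"), "w") as fh:
        fh.write("<?php require 'wp-blog-header.php'; ?>\n")
    with open(os.path.join(cache_dir, "page.html"), "w") as fh:
        fh.write("cached page\n")
    cache_file = os.path.join(work, "files.cache")  # kept outside the tree
    whitelist = ("wp-content/cache",)
    update_cache(site, cache_file, whitelist)

    # Changes since the baseline: an edited site file (reported), a new file
    # (reported) and a regenerated cache file (whitelisted, so ignored).
    with open(os.path.join(site, "index.php"), "a") as fh:
        fh.write("// unexpected edit\n")
    with open(os.path.join(site, "extra.php"), "w") as fh:
        fh.write("<?php ?>\n")
    with open(os.path.join(cache_dir, "page.html"), "w") as fh:
        fh.write("regenerated cache\n")
    return check_cache(site, cache_file, whitelist)


if __name__ == "__main__":
    print(report(demo()))
```

In practice the update step runs once after a known-good deployment and the check step runs from cron; any non-empty report is the alert. Because the cache lives outside the monitored tree, an attacker who can write site files cannot silently refresh it.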

Let’s Encrypt: Security Everywhere

Let’s Encrypt is a new Certificate Authority (CA) that is making waves in the web community. They have significantly lowered the barrier to getting SSL certificates and are pushing their competitors to improve, fast.

“A Certificate Authority is an entity that validates other digital certificates… …Creating a Chain of Trust between a website and the browser.”

Read more about Certificate Authorities or how to trust over the Internet.

Why Let’s Encrypt is revolutionary:

  • Let’s Encrypt removes the paywall for SSL certificates, making them free for everyone.
  • It’s quick: seemingly instant certificate validation and provisioning.
  • Open client options for many different programming languages and environments.
  • Certbot (the official client, developed by the Electronic Frontier Foundation (EFF)) is incredibly simple to set up and can have HTTPS running in seconds. See for yourself.
  • Automated SSL renewal. A new certificate is issued automatically as the old one expires.
  • Raising the standards for CA security checks. Let’s Encrypt have implemented new security checks which ensure that you are the domain’s owner and that it is safe to issue you the certificate. Read more.
  • Short validity periods. Let’s Encrypt certificates are only valid for three months, which is shorter than other CA-signed certificates. You may think this is bad, since longer validity means less renewal work, but should the next Heartbleed come along and your certificate be compromised, the perpetrator has less than three months to use it before it is no longer valid.
  • Supported. As of last year Let’s Encrypt certificates are trusted by most browsers. Test it for yourself. Read more.

It’s free, easy and simple to do so there is no reason not to get started straight away.

Quick (nearly instant) certificate provisioning is our favourite benefit. We often have new customers come to us who have been caught out by expiring SSL certificates, not having left enough time for the renewal to take place, which with Extended Validation certificates can be weeks! Let’s Encrypt is our first port of call to mitigate the missing certificate, giving us a temporary solution while their other certificate is renewed.

At Dogsbody Technology we love SSL and have already started implementing Let’s Encrypt when we can. If you want to see the benefit of SSL drop us a line.

Feature image made by Got Credit licensed CC BY 2.0.

DROWN vulnerability

Dogsbody Technology maintenance customers are already protected against the newly disclosed DROWN attack, but as of the 1st March, 33% of all HTTPS sites are affected by this vulnerability.

The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) vulnerability affects HTTPS and other services that rely on SSL and TLS, the cryptographic protocols that make security over the Internet possible.

The attack affects all servers that still support SSLv2 and allows attackers to decrypt HTTPS traffic in transit, letting them spy on it. In some cases the encryption can be broken within minutes!

The fix for web servers is to disable SSLv2 support:

  • For Apache: SSLProtocol all -SSLv2 -SSLv3
  • For Nginx: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

For more information on the attack and research paper take a look at the official DROWN Attack website.

Dogsbody Technology are Linux SysAdmins, building secure, scalable, reliable servers for the internet. We keep our servers up to date and in doing so have already mitigated this attack.

If you want your site checked or have any questions please contact us.

CVE-2015-7547 glibc vulnerability

In the past few days Google has identified a vulnerability in glibc (GNU C Library). It allows attackers to crash processes and potentially run code remotely on your server.

The vulnerability itself is best described by the Google Security Team’s blog-post. To summarise:

“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack… …Remote code execution is possible, but not straightforward.”

glibc is a library which provides many basic functions and system calls to C programs. Since a library is only loaded when a program is started, only daemonised programs (processes left running in the background) keep the old, vulnerable copy in memory after the package has been updated. When those programs are restarted they load the new glibc library, which mitigates the issue.

You can get a list of all programs using glibc by running a command such as:

sudo lsof | grep libc | cut -d' ' -f 1 | sort | uniq

This shows that glibc is tied into nearly every service on a typical Linux system.  It can quickly become a large job to restart each process, especially in the correct order.  The quickest way of doing this is by rebooting your server.

Our advice regarding this matter is:

  1. Ensure the latest glibc packages are installed.
  2. Reboot your server (or restart all processes that use glibc).

Feel free to get in touch if we can help with this.

Security and The Cloud

Don’t worry this isn’t going to be another post on how security is holding up cloud adoption or how the cloud is destroying security.  There is already too much negativity regarding the reporting of security news (some would say all news).  I do however want to discuss how security is changing due to the cloud and cloud technologies.  In my opinion cloud computing is actually good for security.

What’s in a word

I probably use the word “cloud” too much. I realise it’s an industry buzzword for something that has been around for ages, but it works.  Call it Outsourcing, Virtualisation, SaaS or Utility Computing; they are all variations of Internet computing on machines that you do not directly own and have just licensed for the time that you need.

The ring of steel

For years security experts have been saying that companies should stop using the idea of a ring of steel around their internal network. The concept that you are either connected to the internal (trusted) network or the external (untrusted) network is very outdated and just doesn’t work with today’s computing use but companies still insist on using it.

While people have tried to adopt this topology with greater granularity using “Chinese firewalls” (let’s separate accounts from development), people will continue to have to move data around between areas of the business to do their work, and it quickly becomes an IT vs Business battle.

With more companies needing to get company data outside the building either to access it from a smartphone or share the data with another company the whole procedure falls down altogether.

Smaller rings

One solution is to take the model to its ultimate conclusion: a ring of steel for each machine/job/task.  Until now this has been an impossible task from a practical standpoint, but now that companies are moving to cloud and virtual environments, resources can be configured in any way needed.  No longer are you required to physically move cables in the patch room to change a network’s topology.  Instead of one server with one operating system running web, email and any number of other tasks, you can have that same server running many operating systems, each locked down to do its one job well.  Most servers in cloud and virtual environments come with their own firewall and authentication mechanism that can easily be managed en masse.  How many hardware server rooms can say that?

Outside is inside

Given this new model there is no need to have a “corporate firewall” on the edge of your network at all.  Why not let the internet in?  This is in fact what we do at Dogsbody Technology. Every machine on the network is public and even internal switching is treated as public.  If we want to move a private file from one machine to another it needs to be done in a secure/encrypted way.  While that sounds like a lot of work it really isn’t.  You save on a lot of infrastructure from not having to worry about a locked down network and while it does take a while to setup safe transfer methods, once you are set up there is no difference between transferring a private file to the computer next to you or a computer the other side of the world.

Not the end of the story

Of course, like all security, this is not the end of the story and will not fix all your issues.  Monitoring and company policy are still required to stop, find and block exceptions but we’ll discuss that in a separate blog post.

If you have any questions or comments regarding this post then please do leave a comment below or contact Dogsbody Technology for more information.

CVE-2014-3566 – POODLE

What is POODLE

The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability allows an attacker to obtain data transferred with the SSL 3.0 protocol.  An attacker acting as a man in the middle can downgrade a TLS connection to SSL 3.0 and then use a padding-oracle attack to access sensitive information such as cookies.  Since stealing a user’s cookies will allow an attacker to login as that user, they are the most likely target of a POODLE attack.

Prevention

This vulnerability can be fixed either on the server or in the client.

Site owners can protect their users against POODLE attacks by disabling TLS fallback or SSL 3.0 (Note that disabling SSL 3.0 will break the site for IE6 users):

  • For Apache: SSLProtocol all -SSLv2 -SSLv3
  • For Nginx: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
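The two directives above are the same ones the DROWN post uses to remove SSLv2, so one check can cover both problems. As an added example written for this page (not code from Apache, Nginx or the original posts), the Python script below evaluates Apache SSLProtocol and Nginx ssl_protocols lines from a constructed config snippet and reports any line that still enables SSLv2 or SSLv3. One assumption, also noted in the code: Apache’s all keyword is treated conservatively as enabling every protocol the script knows about, so a bare SSLProtocol all is flagged until the legacy versions are explicitly subtracted.

```python
"""Lint Apache / Nginx protocol directives for SSLv2 and SSLv3 (added example)."""
import re

KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3"}  # DROWN needs SSLv2, POODLE needs SSLv3


def apache_enabled(value):
    """Evaluate an Apache SSLProtocol value such as 'all -SSLv2 -SSLv3' to a set.

    Tokens apply left to right: 'all' enables every known protocol
    (assumption: a conservative reading of 'all'), '+X' or a bare 'X'
    enables X, and '-X' disables it.
    """
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled.update(KNOWN)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def nginx_enabled(value):
    """Nginx ssl_protocols is an explicit list terminated by ';'."""
    return set(value.rstrip(";").split())


DIRECTIVES = {
    "apache": (re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I), apache_enabled),
    "nginx": (re.compile(r"^\s*ssl_protocols\s+(.+?)\s*$", re.I), nginx_enabled),
}


def lint(config_text, flavour):
    """Return [(line_no, line, legacy protocols)] for every offending directive."""
    pattern, evaluate = DIRECTIVES[flavour]
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore trailing comments
        m = pattern.match(code)
        if not m:
            continue
        bad = sorted(evaluate(m.group(1)) & LEGACY)
        if bad:
            findings.append((no, line.strip(), bad))
    return findings


# Constructed snippets: a weak setting beside the corrected one from the post.
APACHE_WEAK = "SSLProtocol all\n"
APACHE_FIXED = "SSLProtocol all -SSLv2 -SSLv3\n"
NGINX_WEAK = "    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
NGINX_FIXED = "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"

if __name__ == "__main__":
    for flavour, text in (("apache", APACHE_WEAK + APACHE_FIXED),
                          ("nginx", NGINX_WEAK + NGINX_FIXED)):
        for no, line, bad in lint(text, flavour):
            print("%s line %d enables %s: %s" % (flavour, no, ", ".join(bad), line))
```

The conservative reading of all means the linter may over-report on builds whose OpenSSL has no SSLv2 at all, but that is the safer direction for a configuration check: the explicit -SSLv2 -SSLv3 form is what you want to see regardless.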

Browsers are rolling out fixes but for users the quickest fix is to disable SSL 3.0:

  • In Firefox this is done by going to about:config and setting security.tls.version.min to 1
  • Chrome users have to use the command line flag --ssl-version-min=tls1

Going deeper

This attack is possible because SSL pads requests to fill the last block before encryption.  SSL 3.0 only requires the last byte to be checked by the server; it must have a value equal to the number of bytes used for padding.  The values of the other padding bytes are not validated. This allows an attacker to move the block they want to decrypt to the last block and try all 256 possible values until the server accepts the request, which reveals one byte of the cookie.  An attacker in a privileged network position (or sharing public WiFi) just needs to downgrade the connection from TLS to SSL 3.0 and then use JavaScript to obtain a cookie one byte at a time.
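To make the padding point concrete, here is an added example (written for this page, not code from the post or from any TLS library) that models the tail of a decrypted CBC record and applies the two validation rules side by side: the SSL 3.0 rule that looks only at the final length byte, and the TLS 1.0+ rule that also requires every padding byte to equal that length. No cipher or MAC is involved; the block size, the helper names and the constructed records are this example’s own assumptions, and the point is simply that a record with arbitrary filler passes the SSL 3.0 check and fails the TLS check.

```python
"""SSL 3.0 padding check versus the TLS padding check (added example)."""

BLOCK_SIZE = 16  # assumption: a 128-bit block cipher in CBC mode


def ssl3_padding_ok(record):
    """SSL 3.0 rule: the last byte is the pad length and must be smaller than a block.

    The padding bytes in front of it are never inspected, which is the
    weakness the post describes (only the last byte is checked).
    """
    if not record:
        return False
    pad_len = record[-1]
    return pad_len < BLOCK_SIZE and len(record) > pad_len


def tls_padding_ok(record):
    """TLS 1.0+ rule: the last byte is the pad length and every padding byte equals it."""
    if not record:
        return False
    pad_len = record[-1]
    if len(record) <= pad_len:
        return False
    return all(b == pad_len for b in record[-(pad_len + 1):])


def pad(payload, filler_style):
    """Pad payload (standing in for data || MAC) out to a block boundary.

    'tls' writes the pad length into every padding byte; 'arbitrary' uses a
    deterministic counter as filler, standing in for the unchecked bytes
    that SSL 3.0 tolerates.
    """
    pad_len = (BLOCK_SIZE - (len(payload) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    if filler_style == "tls":
        filler = bytes([pad_len]) * pad_len
    else:
        filler = bytes(range(pad_len))  # never equal to pad_len, so TLS rejects it
    return payload + filler + bytes([pad_len])


def compare(payload, filler_style):
    """Return (ssl3_accepts, tls_accepts) for the padded record."""
    record = pad(payload, filler_style)
    return ssl3_padding_ok(record), tls_padding_ok(record)


if __name__ == "__main__":
    sample = b"GET / cook"  # constructed 10-byte stand-in for data || MAC
    for style in ("tls", "arbitrary"):
        print("%-9s ssl3=%s tls=%s" % ((style,) + compare(sample, style)))
```

The TLS rule is what removes the freedom the attacker relies on: when every padding byte must carry the length, a moved ciphertext block almost never decrypts to valid padding, so acceptance no longer leaks anything useful. (The real protocol checks the MAC as well; this example isolates the padding rule only.)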

For more technical information I would recommend this article by ImperialViolet.

Feature image made by Koji Ishii licensed CC BY 2.0

CVE-2014-6271 – Shellshock

Shellshock is a bug in the bash shell.  The main issue comes from the fact that commands can be executed if they are crafted into environment variables.  This means anyone who can send a crafted user agent to Apache can run commands as the user Apache runs as.

Am I affected?

You can test if your server is vulnerable by logging in and running

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it prints “vulnerable”, there are a few steps you can take to try to prevent it being exploited.

Prevention for website owners

The easiest solution is to update to a version of bash that isn’t vulnerable however if one has not yet been released on your distribution you will have to consider other prevention methods.

Since an attacker needs to exploit a vulnerable service, two likely targets being SSH and Apache, you can mitigate most attack vectors by stopping these services.
As long as you have another way to log in it is worth stopping SSH: since it is likely to be running as root, it could allow an attacker to gain root access to the server.
Stopping Apache is a more difficult decision since it will prevent customers from accessing your site, however if you are very concerned then it may be the best course of action.

Another option is to switch to a different shell instead of bash, but this is more complex and may have unexpected consequences for how applications run, so we don’t recommend doing it blindly.

If you have a maintenance agreement with us then you don’t need to worry because we are updating bash whenever possible.

Feel free to get in touch if we can help with this.

Feature image – “Shellshock” by Linux Screenshots is licensed under CC BY 2.0

CVE-2014-0160 – Heartbleed

A vulnerability has been discovered that allows anyone over the internet to read data straight off of your server.

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
– Bruce Schneier

Labelled “Heartbleed”, this vulnerability leaves your server’s memory exposed to be read by anyone. A lot of private information is at risk: everything from passwords to SSL certificate keys is loaded into memory so often that it is only a matter of time until a malicious user gets them.

The affected software, OpenSSL, is a library that provides tools for encryption. OpenSSL is installed by default on many Linux systems, as many core tools depend on it for SSL. It is widely used by servers for web, email, remote shell, VPN, file transfer and much more…

Test your website for the Heartbleed vulnerability.

The following command lists all services using libssl:

sudo lsof | grep libssl

The only fix is to upgrade OpenSSL to a non-vulnerable version and restart all services using it. Since it is used by so many services it can quickly become a large job to restart each process, especially in the correct order. The quickest way of doing this is by rebooting your server.
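Both this post and the glibc post above come down to the same operational question: after the package has been upgraded, which running processes still have the old library mapped? The lsof commands in both posts list everything that uses the library; the added example below (written for this page, not code from either post) narrows that to processes that actually need a restart. On Linux, once the upgrade has replaced the file on disk, /proc/<pid>/maps shows the old mapping with a “(deleted)” suffix, so parsing maps for such entries gives exactly the restart list. The regular expressions, the library-name filter and the constructed maps excerpt are this example’s own assumptions; the /proc walk only runs when the file is executed as a script on a real host.

```python
"""Find processes still mapping a replaced shared library (added example)."""
import glob
import os
import re

# address-range perms offset dev inode [path]; a replaced file shows ' (deleted)'
MAPS_LINE = re.compile(
    r"^(?P<range>\S+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<path>/.*?)(?P<deleted> \(deleted\))?$"
)

# assumption: library file names of interest (libc, libssl, libcrypto)
LIBRARIES = re.compile(r"/lib(c|ssl|crypto)[.-]")


def stale_libraries(maps_text, wanted=LIBRARIES):
    """Return sorted paths of matching libraries whose on-disk file was replaced."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group("deleted") and wanted.search(m.group("path")):
            stale.add(m.group("path"))
    return sorted(stale)


def scan_proc(proc="/proc"):
    """Map pid -> (command name, stale library paths) for every readable process."""
    results = {}
    for maps_path in glob.glob(os.path.join(proc, "[0-9]*", "maps")):
        pid = os.path.basename(os.path.dirname(maps_path))
        try:
            with open(maps_path) as fh:
                stale = stale_libraries(fh.read())
            with open(os.path.join(proc, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:  # process exited, or not readable without root
            continue
        if stale:
            results[int(pid)] = (comm, stale)
    return results


# Constructed /proc/<pid>/maps excerpt: an sshd still mapping an old libc,
# a current libssl, an anonymous mapping and the vdso (the last two have no path).
SAMPLE_MAPS = """\
5604d0a00000-5604d0a2c000 r-xp 00000000 fd:01 1311089                    /usr/sbin/sshd
7f2c3a1b2000-7f2c3a3a6000 r-xp 00000000 fd:01 1234567                    /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f2c3a3a6000-7f2c3a5a6000 ---p 001f4000 fd:01 1234567                    /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f2c3a5c0000-7f2c3a620000 r-xp 00000000 fd:01 1234570                    /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f2c3a800000-7f2c3a821000 rw-p 00000000 00:00 0
7ffd2c9f1000-7ffd2c9f3000 r-xp 00000000 00:00 0                          [vdso]
"""

if __name__ == "__main__":
    print("sample:", stale_libraries(SAMPLE_MAPS))
    for pid, (comm, libs) in sorted(scan_proc().items()):
        print("%d %s -> restart needed: %s" % (pid, comm, ", ".join(libs)))
```

Run as root after the upgrade, an empty result means every process has picked up the new library; a non-empty one is the list to restart, and if it is long or the ordering is awkward the reboot the posts recommend is the pragmatic choice.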

For more reading see the official Heartbleed website.

Our advice regarding this matter is:

  1. Ensure a fixed OpenSSL package is installed.
  2. Reboot your server (or restart all processes that use OpenSSL).

Feel free to get in touch if we can help with this.

Feature image by Alan O’Rourke under the CC 2.0 license.