TLS 1.2 support at Microsoft

This post is authored by Andrew Marshall, Principal Security Program Manager, Trustworthy Computing Security.

In support of our commitment to use best-in-class encryption, Microsoft’s engineering teams are continually upgrading our cryptographic infrastructure. A current area of focus for us is support for TLS 1.2, this involves not only removing the technical hurdles to deprecating older security protocols, but also minimizing the customer impact of these changes. To share our recent experiences in engaging with this work we are today announcing the publication of the “Solving the TLS 1.0 Problem” whitepaper to aid customers in removing dependencies on TLS 1.0/1.1. Microsoft is also working on new functionality to help you assess the impact to your own customers when making these changes.

What can I do today?

Microsoft recommends customers proactively address weak TLS usage by removing TLS 1.0/1.1 dependencies in their environments and disabling TLS 1.0/1.1 at the operating system level where possible. Given the length of time TLS 1.0/1.1 has been supported by the software industry, it is highly recommended that any TLS 1.0/1.1 deprecation plan include the following:

  • Application code analysis to find/fix hardcoded instances of TLS 1.0/1.1.
  • Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0/1.1 or older protocols.
  • Full regression testing through your entire application stack with TLS 1.0/1.1 and all older security protocols disabled.
  • Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2.
  • Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.
  • Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0/1.1.
  • Understanding which clients may be broken by disabling TLS 1.0/1.1.

Coming soon

To help customers deploy the latest security protocols, we are announcing today that Microsoft will provide support for TLS 1.2 in Windows Server 2008 later this summer.

In conclusion

Learn more about removing dependencies on TLS 1.0/1.1 with this helpful resource:
Solving the TLS 1.0 Problemwhitepaper.

Stay tuned for upcoming feature announcements in support of this work.

from Microsoft Secure Blog Staff

USA has just increased the security for under 19 basketball tournament in Egypt

U.S Boosts security for U19 basketball team going to Egypt

The U.S is about to enter a country that is already being torn apart by violence to defend the under 19 world cup for men in basketball. But they are not going in unprepared.

The 12-star team will receive the same kind of high-level security as all other NBA team players and stars receive. This includes a comprehensive cyber security program that will also protect the players from cyber warriors of foreign countries when they are out on the field.

Read more details 

The post USA has just increased the security for under 19 basketball tournament in Egypt appeared first on Cyber Security Portal.

from Gilbertine Onfroi

Cybercrime and freedom of speech – A counterproductive entanglement

This post is authored by Gene Burrus, Assistant General Counsel.

As cybercrime becomes ever more pervasive, the need for states to devote law enforcement resources to battling the problem is apparent. However, states should beware using cybercrime legislation and enforcement resources as a vehicle for restricting speech or controlling content. Doing so risks complicating essential international cooperation and will risk de-legitimizing cybercrime legislation and enforcement. With the growing need for enforcement to thwart cybercriminals, without which the economic and social opportunities of the Internet may well flounder, using “cybercrime” as a label for attacking speech and controlling content may only serve to dilute support, divert resources, and make international cooperation more difficult.

At present over 95 countries either have or are working on cybercrime legislation. This is a good thing, as the more states that have cybercrime laws, especially laws that are largely harmonized to better enable international cooperation, the better for everyone (except the criminals). Cybercrime thrives across borders and between jurisdictions, relying on the internet’s global reach and anonymity, but if cybercriminals are based in a country without adequate cybercrime laws, it becomes even harder to bring them to justice. But defining cybercrime properly is important.

Cybercrime is a word we have all encountered more of in recent years. It tends, rightly so, to bring to mind “hackers”, infiltrating computer systems and disrupting them or stealing from them. However , most cybercrime statutes are actually broader than that. They also cover a whole slew of criminal activity mediated by information communication technology (ICT). They deal with the theft of personal information, from credit card details to social security numbers, which can be used for fraud. It includes acts against property, albeit virtual property, from simple vandalism to sophisticated ransomware. (If “virtual property” sounds too abstract to be a concern, bear in mind that this is the form in which many of our most valuable ideas, from patented designs and trade secrets to copyrighted creative material, are now to be found.) It will increasingly bleed into the real world too, thanks to devices connected to the Internet (will cybercriminals soon be stealing self-drive cars through the Internet of Things?) and due to attacks on critical infrastructures such as power grids (which will also affect issues of national security).

This broad swathe of cybercrime is widely accepted to be “a bad thing” by most governments and on that basis, cooperation among and between governments in pursuing cybercriminals is possible.

However, many countries’ cybercrime legislation also categorizes publishing or transmission of illegal content in a particular country via computer networks or the internet as “cybercrime”. And on this, countries are not in wide agreement. When state’s laws criminalize content that other countries don’t recognize as criminal, and then devote cybercrime enforcement resources to chasing this kind of “crime” rather than what people generally think of as cybercrime, it complicates or prevents international cooperation, discredits cybercrime legislation and enforcement efforts, and diverts resources from solving the serious problem of cybercrime. While there is certainly content that is universally reviled, i.e. child pornography, there are many disagreements about the creation and dissemination of other content, e.g. political materials or art work. For some states, free speech is an exceptionally important principle. For others, the control of offensive or dangerous content is essential. Achieving agreement on how to approach these differences is, frankly, going to be a challenge. Once again the Budapest Convention provides a salient example. In 2006, the Convention was added to by a Protocol that criminalized acts spreading racist and xenophobic content. Even some states that signed up to and ratified the original Convention have proved reluctant to add themselves to the Protocol. This is almost certainly not because of they approve of racist or xenophobic content, it’s simply a complicated issue in the context of their own laws or their perspectives on free speech or legal sovereignty.

If these kinds of disagreements are expanded across other types of content and then brought into the heart of global cooperation against cybercrime, the whole process runs a serious risk of breaking down. States may well be unwilling to cooperate in cybercrime investigations, fearing they might expose people whose actions are in no way criminal by their own standards. And, once again, the only ones to benefit will be the cybercriminals who can play off jurisdictions against one another, ducking and diving across borders and through gaps in legal enforcement.

In many ways, the “cyber” in these “content crimes” is just about distribution and they do not have to be included in cybercrime statutes and enforcement efforts. Because states have different types of speech they want to regulate and different levels free speech they are willing to tolerate, these issues need to be kept separate from efforts to address what everyone agrees on as cybercrime: attacks on data, on property, on infrastructure. Crimes of content creation and distribution, beyond the most universally reviled such as child exploitation, should be dealt with outside of the essential cooperation on cybercrime itself. This will allow governments to work together globally to protect citizens, businesses and their own national security from cybercriminals.

from Microsoft Secure Blog Staff

[SANS ISC] Systemd Could Fallback to Google DNS?

I published the following diary on isc.sans.org: “Systemd Could Fallback to Google DNS?“.

Google is everywhere and provides free services to everyone. Amongst the huge list of services publicly available, there are the Google DNS, well known as 8.8.8.8, 8.8.4.4 (IPv4) and 2001:4860:4860::8888, 2001:4860:4860::8844 (IPv6)… [Read more]

 

[The post [SANS ISC] Systemd Could Fallback to Google DNS? has been first published on /dev/random]

from Xavier

SSTIC 2017 Wrap-Up Day #3

Here is my wrap-up for the last day. Hopefully, after the yesterday’s social event, the organisers had the good idea to start later… The first set of talks was dedicated to presentation tools.

The first slot was assigned to Florian Maury, Sébastien Mainand: “Réutilisez vos scripts d’audit avec PacketWeaver”. When you are performed audit, the same tasks are already performed. And, as we are lazy people, Florian & Sébastien’s idea was to automate such tasks. They can be to get a PCAP, to use another tool like arpspoof, to modify packets using Scapy, etc… The chain can quickly become complex. By automating, it’s also more easy to deploy a proof-of-concept or a demonstration. The tool used a Metasploit-alike interface. You select your modules, you execute them but you can also chain them: the output of script1 is used as input of script2. The available modules are classified par ISO layer:

  • app_l7
  • datalink_l2
  • network_l3
  • phy_l1
  • transport_l4

The tool is available here.

The second slot was about “cpu_rec.py”. This tool has been developed to help in the reconnaissance of architectures in binary files. A binary file contains instructions to be executed by a CPU (like ELF or PE files). But not only files. It is also interesting to recognise firmware’s or memory dumps. At the moment, cpu_rec.py recognise 72 types of architectures. The tool is available here.

And we continue with another tool using machine learning. “Le Machine Learning confronté aux contraintes opérationnelles des systèmes de détection” presented by Anaël Bonneton and Antoine Husson. The purpose is to detect intrusions based on machine learning. The classic approach is to work with systems based on signatures (like IDS). Those rules are developed by experts but can quickly become obsolete to detect newer attacks. Can machine learning help? Anaël and Antoine explained the tool that that developed (“SecuML”) but also the process associated with it. Indeed, the tool must be used in a first phase to learning from samples. The principle is to use a “classifier” that takes files in input (PDF, PE, …) and return the conclusions in output (malicious or not malicious). The tool is based on the scikit-learn Python library and is also available here.

Then, Eric Leblond came on stage to talk about… Suricata of course! His talk title was “À la recherche du méchant perdu”. Suricata is a well-known IDS solution that don’t have to be presented. This time, Eric explained a new feature that has been introduced in Suricata 4.0. A new “target” keyword is available in the JSON output. The idea arise while a blue team / read team exercise. The challenge of the blue team was to detect attackers and is was discovered that it’s not so easy. With classic rules, the source of the attack is usually the source of the flow but it’s not always the case. A good example of a web server returned an error 4xx or 5xx. In this case, the attacker is the destination. The goal of the new keyword is to be used to produce better graphs to visualise attacks. This patch must still be approved and merge in the code. It will also required to update the rules.

The next talk was the only one in English: “Deploying TLS 1.3: the great, the good and the bad: Improving the encrypted web, one round-trip at a time” by Filippo Valsorda & Nick Sullivan. After a brief review of the TLS 1.2 protocol, the new version was reviewed. You must know that, if TLS 1.0, 1.1 and 1.2 were very close to each others, TLS 1.3 is a big jump!. Many changes in the implementation were reviewed. If you’re interested here is a link to the specifications of the new protocol.

After a talk about crypto, we switched immediately to another domain which also uses a lot of abbreviations: telecommunications. The presentation was performed by  Olivier Le Moal, Patrick Ventuzelo, Thomas Coudray and was called “Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone”. VoLTE means “Voice over LTE” and is based on VoIP protocols like SIP. This protocols is already implemented by many operators around the world and, if your mobile phone is compatible, allows you to perform better calls. But the speakers found also some nasty stuff. They explained how VoLTE is working but also how it can leak the position (geolocalization) of your contact just by sending a SIP “INVITE” request.

To complete the first half-day, a funny presentation was made about drones. For many companies, drones are seen as evil stuff and must be prohibited to fly over some  places. The goal of the presented tool is just to prevent drones to fly over a specific place and (maybe) spy. There are already solutions for this: DroneWatch, eagles, DroneDefender or SkyJack. What’s new with DroneJack? It focuses on drones communicating via Wi-Fi (like the Parrot models). Basically, a drone is a flying access point. It is possible to detected them based on their SSID’s and MAC addresses using a simple airodump-ng. Based on the signal is it also possible to estimate how far the drone is flying. As the technologies are based on Wi-Fi there is nothing brand new. If you are interested, the research is available here.

When you had a lunch, what do you do usually? You brush your teeth. Normally, it’s not dangerous but if your toothbrush is connected, it can be worse! Axelle Apvrille presented her research about a connected toothbrush provided by an health insurance company in the USA. The device is connected to a smart phone using a BTLE connection and exchange a lot of data. Of course, without any authentication or any other security control. The toothbrush even continues to expose his MAC address via bluetooth all the tile (you have to remove the battery to turn it off). Axelle did not attached the device itself with reverse the mobile application and the protocol used to communicate between the phone and the brush. She wrote a small tool to communicate with the brush. But she also write an application to simulate a rogue device and communicate with the mobile phone. The next step was of course to analyse the communication between the mobile app and the cloud provided by the health insurance. She found many vulnerabilities to lead to the download of private data (up to picture of kids!). When she reported the vulnerability, her account was just closed by the company! Big fail! If you pay your insurance less by washing your teeth correctly, it’s possible to send fake data to get a nice discount. Excellent presentation from Axelle…

To close the event, the ANSSI came on stage to present a post-incident review of the major security breach that affected the French TV channel TV5 in 2015. Just to remember you, the channel was completely compromised up to affecting the broadcast of programs for several days. The presentation was excellent for everybody interested in forensic investigation and incident handling. In a first part, the timeline of all events that lead to the full-compromise were reviewed. To resume, the overall security level of TV5 was very poor and nothing fancy was used to attack them: contractor’s credentials used, lack of segmentation, default credentials used, expose RDP server on the Internet etc. An interesting fact was the deletion of firmwares on switches and routers that prevented them to reboot properly causing a major DoS. They also deleted VM’s. The second part of the presentation was used to explain all the weaknesses and how to improve / fix them. It was an awesome presentation!

My first edition of SSTIC is now over but I hope not the last one!

[The post SSTIC 2017 Wrap-Up Day #3 has been first published on /dev/random]

from Xavier