Hubert’s TLS Scan results for September 2014

2014-09-29

Eric Christensen:

I’ve been enjoying watching these trends.

Originally posted on securitypitfalls:

Ciphers

This time the results are not really different from last month’s. About two percent more servers use SHA-256 signed certificates and 1% more have a configuration that allows negotiation of PFS suites.

Small change to reported results: I’ve added an “Insecure” entry which counts the number of servers that will use a completely insecure cipher suite like single DES, RC2 or export grade ciphers. It doesn’t include the “controversial but not broken” IDEA and SEED ciphers.

SSL/TLS survey of 402742 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)

Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      349454    86.7687
3DES Only                 164       0.0407
AES                       374868    93.0789
AES Only                  1017      0.2525
AES-CBC Only              553       0.1373
AES-GCM                   172322    42.7872
AES-GCM Only              7         0.0017
CAMELLIA                  170577    42.3539
CHACHA20                  15137     3.7585
Insecure                  79666     19.7809
RC4                       355750    88.332
RC4…


Okay, this is a neat attack…

2014-08-22 1 comment

This morning I received an email from my “administrator” saying that I needed to validate my email address within the next 48 hours or my email account would be suspended.  Seeing as how I’m my own email administrator and couldn’t remember sending out such a message, I decided that this was likely spam.  I’m always interested in seeing how these attacks are actually going to be played out so I clicked on the link.

OWA Verify Screen

Neat, Microsoft-y looking screen!  And it looks like the backend is WordPress!  It looks like the attacker is using the account system in WordPress to collect the information.  When you submit your information for validation you get this response:

Your information was successfully submitted, please ensure that you entered your email details correctly; to enable us complete your security updates. If you have entered your details wrongly kindly click back and refill in details correctly.

N.B Please be informed that filling in the wrong details will be resulting to the deactivation of your email address.

I’m guessing my address will not be closed down, since I did not provide my correct email information.  I don’t know, maybe I’ll disable my own email… you know, just for the weekend.

Categories: stuff

Answering questions regarding the Fedora Security Team

2014-07-31 4 comments

Wow, I had no idea that people would care about the start of this project.  There seem to be a few questions out there that I’d like to address here to clarify what we are doing and why.

OMG!  Fedora is just getting a security team?  Does this mean Fedora has been insecure this entire time?!?

Umm, no, it doesn’t mean that Fedora has been insecure this entire time.  In all actuality Fedora is in pretty good shape overall.  There is always room for improvement and so we’re organizing a team to help facilitate that improvement.

What exactly is the security team responsible for?

We’re here to help packagers get the patches or new releases that fix vulnerabilities into the Fedora repositories faster.  Most of our packagers are very good at shipping fixes for bugs when upstream rolls a new version of their software.  Bug fixes can usually wait a few days, though, as most aren’t critical.  Security vulnerabilities are a bit different and fixes should be made available as soon as possible.  A little helping hand is never a bad thing and that’s what we’re here to do… help.

Can the security team audit package x?

No.  This may become a service a different team (also falling under the Security SIG) can provide but I/we haven’t gotten there yet.

I read where Fedora has 566 vulnerabilities!  How can you say that Fedora isn’t insecure?

Well, it’s actually 573 right this second.  That’s down from 577 last week.  566 was Monday’s number.  It’s important to not get caught up in the numbers cause they are, well, just numbers.  The numbers only deal specifically with the number of tickets open.  Many of the tickets are duplicates in that the same vulnerability might have several tickets opened for it if the finding is in only certain Fedora versions and EPEL versions.  Since the same packager is likely responsible for all versions and the same fix can be made we can likely close several bugs at a time with minimal work.

I should also point out that the majority of these bugs fall well below the “world is on fire” level of Critical and the “this isn’t good” level of Important.  This doesn’t mean we should just ignore these lower vulnerabilities but rather we should understand that they aren’t something that is likely to be exploited without many other bad things happening.  Should they be fixed?  Yes, but we should probably be more concerned with the Critical and Important vulnerabilities first.  If you’d like to know more about the process for coming up with the severity rating my friend Vincent wrote an excellent article that you should read.

“6. Close bug when vulnerability is shipped in Fedora repos.”

Yeah, that isn’t correct.  This is what happens when I try to multi-task.  Glad I don’t get paid to write….  err… never mind.  Luckily it’s a wiki and someone fixed it for me.  Whew!

(We try to not deliberately release a package with a vulnerability.  It seems people don’t appreciate vulnerabilities in the same way they like other features.  Who would have thought?)

I’d like to help!  How can I join up?

Go to the Security Team wiki page and look for the link to the mailing list and IRC channels, sign up, join up, and use the work flow to start digging in.  Questions?  Feel free to ask in the IRC channel or on the mailing list.  You can also contact me directly if you can’t otherwise find the answer to your question.

“You’re not allowed to join this video call.”

2014-07-30

“You’re not allowed to join this video call.” was the greeting I found while trying to log into my astronomy class tonight.  Thanks to Google and their Hangout app I’ve missed my last night of classes.  Fantastic.

I blame Google for this, honestly, but I wonder if they are really the problem.  They provide a service that has complex relationships with their other “products” and they provide this all for “free” to anyone that is willing to sign up (and allow them to track your every move).  I’m sure they never said the thing would have certain availability (how could they, they are utilizing the Internet as a transport layer) so I have no expectation of this thing working… ever.  And this is what happens when, as a society, we continue to embrace proprietary services that are completely out of our control.  Even if there was some sort of agreement that this stuff would work all the time I would still be sitting here unable to join my class.  Even from my FOSS software-running computer I am at the mercy of our proprietary overlords.  It’s sad.

Wanted: A small crew for working on security bugs in Fedora

2014-07-02 1 comment

Do you hate security vulnerabilities?

Do you want to help make Fedora more secure?

Do you have a little extra time in your week to do a little work (no coding required)?

If you answered yes to the questions above I want you for a beta test of an idea I have to help make Fedora more secure.  I’m looking for just a few people (maybe five) to sort through security bugs and work with upstream and packagers to get patches or new releases into Fedora and help make everyone’s computing experience a little safer.  If you’re interested please contact me (sparks@fedoraproject.org 0x024BB3D1) and let me know you’re interested.

YouTube, now with less RC4

2014-06-24 2 comments

Eric Christensen:

This is awesome news. Passing it along.

Originally posted on securitypitfalls:

After everybody said not to use RC4 any more, Google finally enabled one additional cipher on Google video servers: TLS_RSA_WITH_AES_128_GCM_SHA256. Unfortunately, this cipher is not supported either by Firefox 30 or by Internet Explorer on Windows 8.1 or earlier.

Users of Firefox will have to wait for the bug 1029179 to be fixed.

This cipher is though supported by Google Chrome and Chromium, so if you’re a user of those browsers, you can finally disable RC4 for everyday browsing. You can do it either by creating a wrapper script, or modifying the shortcut you use to run those browsers to have one additional option:

chrome --cipher-suite-blacklist=0x0003,0x0004,0x0005,0x0017,0x0018,0x0020,0x0024,0x0028,0x002B,0x0066,0x008A,0x008E,0x0092,0xC002,0xC007,0xC00C,0xC011,0xC016,0xC033

This will disable the following cipher suites:

  • 0x0003 – TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • 0x0004 – TLS_RSA_WITH_RC4_128_MD5
  • 0x0005 – TLS_RSA_WITH_RC4_128_SHA
  • 0x0017 – TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
  • 0x0018 – TLS_DH_anon_WITH_RC4_128_MD5
  • 0x0020 – TLS_KRB5_WITH_RC4_128_SHA
  • 0x0024 – TLS_KRB5_WITH_RC4_128_MD5
  • 0x0028 – TLS_KRB5_EXPORT_WITH_RC4_40_SHA
  • 0x002B – TLS_KRB5_EXPORT_WITH_RC4_40_MD5
  • 0x0066 – SSL_DHE_DSS_WITH_RC4_128_SHA
  • 0x008A – TLS_PSK_WITH_RC4_128_SHA
  • 0x008E – TLS_DHE_PSK_WITH_RC4_128_SHA
  • 0x0092 –…


Signing PGP keys

2014-06-21 2 comments

If you’ve recently completed a key signing party or have otherwise met up with other people and have exchanged key fingerprints and verified IDs, it’s now time to sign the keys you trust.  There are several different ways of completing this task and I’ll discuss two of them now.

caff

CA Fire and Forget (caff) is a program that allows you to sign a bunch of keys (like you might have after a key signing party) very quickly.  It also adds a level of security to the signing process by forcing the other person to verify that they have both control over the email address provided and the key you signed.  The way caff does this is by encrypting the signature in an email and sending it to the person.  The person who receives the message must also decrypt the message and apply the signature themselves.  Once they sync their key with the key server the new signatures will appear for everyone.

$ gpg --keyserver hkp://pool.sks-keyservers.net --refresh-key

There is some setup of caff that needs to be done beforehand, but once you have it set up it’ll be good to go.

Installing caff

Installing caff is pretty easy although there might be a little trick.  In Fedora there isn’t a caff package.  Caff is actually in the pgp-tools package; other distros may have this named differently.

Using caff

Once you have caff installed and set up, you just need to tell caff what key IDs you would like to sign.  “man caff” will give you all the options but basically ‘caff -m no yes -u ‘ will sign all the keys listed after your key.  You will be asked to verify that you do want to sign the key and then caff will sign the key and mail it off.  The user will receive an email, per user ID on the key, with instructions on importing the signature.

Signing a key with GnuPG

The other way of signing a PGP key is to use GnuPG.  Signing a key this way will simply add the signature to the key you have locally and then you’ll need to send those keys out to the key server.

Retrieving keys using GnuPG

The first thing that you have to do is pull the keys down from the keyserver.

$ gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys ...

Once you have received all the keys you can then sign them.  If someone’s key is not there you should probably contact them and ask them to add their key to the servers.  If they already have uploaded their key, it might take a couple of hours before it is sync’d everywhere.

Using GnuPG

Signing a key is pretty straightforward:

$ gpg --sign-key 1bb943db
pub 1024D/1BB943DB created: 2010-02-02 expires: never usage: SC 
 trust: unknown validity: unknown
sub 4096g/672557E6 created: 2010-02-02 expires: never usage: E 
[ unknown] (1). MariaDB Package Signing Key <package-signing-key@mariadb.org>
[ unknown] (2) Daniel Bartholomew (Monty Program signing key) <dbart@askmonty.org>
Really sign all user IDs? (y/N) y
pub 1024D/1BB943DB created: 2010-02-02 expires: never usage: SC 
 trust: unknown validity: unknown
 Primary key fingerprint: 1993 69E5 404B D5FC 7D2F E43B CBCB 082A 1BB9 43DB
MariaDB Package Signing Key <package-signing-key@mariadb.org>
 Daniel Bartholomew (Monty Program signing key) <dbart@askmonty.org>
Are you sure that you want to sign this key with your
key "Eric Harlan Christensen <eric@christensenplace.us>" (024BB3D1)
Really sign? (y/N) y

In the example I signed the MariaDB key with my key.  Once that is complete a simple:

gpg --keyserver hkp://pool.sks-keyservers.net --send-key 1BB943DB

…will send the new signature to the key servers.
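Before answering “y” at the “Really sign?” prompt, the fingerprint gpg prints should equal the one exchanged in person, since a short ID such as 1bb943db covers only the last eight hex digits of it. The following is an added example, not code from the original post: it does that comparison against gpg’s colon-format output, and the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): compare the full 40-hex-digit
# fingerprint from the key signing party with the key gpg actually fetched.
# Function names and SAMPLE_LISTING are constructed for illustration.

# Strip whitespace and uppercase, so "1993 69e5 ..." and "199369E5..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint KEY` output on stdin and print the
# primary key fingerprint: field 10 of the first "fpr" record after "pub".
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1 }
             seen && $1 == "fpr" { print $10; exit }' | tr 'a-f' 'A-F'
}

# $1 = fingerprint from the paper slip, stdin = colon listing.
# Succeeds only on a full 40-digit match; a matching short ID is not enough.
fpr_matches() {
    expected=$(norm_fpr "$1")
    actual=$(primary_fpr)
    [ "${#expected}" -eq 40 ] && [ "$expected" = "$actual" ]
}

# Constructed colon-format listing for the key shown in the transcript above
# (field values other than the key ID and fingerprint are placeholders).
SAMPLE_LISTING='pub:-:1024:17:CBCB082A1BB943DB:1265068800:::-:::scSC:
fpr:::::::::199369E5404BD5FC7D2FE43BCBCB082A1BB943DB:
uid:-::::1265068800::::MariaDB Package Signing Key <package-signing-key@mariadb.org>:'

# Fingerprint as written down at the key signing party.
SLIP='1993 69E5 404B D5FC 7D2F E43B CBCB 082A 1BB9 43DB'

if printf '%s\n' "$SAMPLE_LISTING" | fpr_matches "$SLIP"; then
    echo "fingerprint matches the slip: OK to sign"
else
    echo "fingerprint MISMATCH: do not sign" >&2
fi

# Real use (needs gpg and the key in your keyring):
#   gpg --with-colons --fingerprint 1BB943DB | fpr_matches "$SLIP" \
#       && gpg --sign-key 199369E5404BD5FC7D2FE43BCBCB082A1BB943DB
```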

Categories: Integrity, OpenPGP