Join GuidePoint Security and Partners at Charlotte SecureWorld 2015


If you’re an Information Security professional looking for globally relevant education, training and networking, you don’t want to miss the Charlotte SecureWorld 2015 Conference.

GuidePoint Security will be attending the conference, along with two of our premier technology partners, Absolute Software and Varonis.

When: Wednesday, February 11, 2015
Where: Charlotte SecureWorld Conference, Booth #300, at Harris Conference Center, Charlotte, NC

GuidePoint Security is proud to partner with Absolute Software and Varonis. Both companies bring their own innovative solutions to the table, making it possible for us to match the right tools and resources to the unique information security demands of our clients.

Absolute Software was founded in 1993 on the idea that individuals and businesses should be able to track, manage and secure their mobile computers regardless of the physical location of the device. Today, their security-as-a-service solutions protect millions of computers worldwide with subscribers who range from individuals to the largest public and private sector organizations.

Varonis provides an innovative software platform that allows enterprises to map, analyze, manage and migrate their unstructured data. They specialize in human-generated data, a type of unstructured data, such as documents and audio/video files, which often contains an enterprise’s financial information, intellectual property and other forms of vital information.

To learn more and to network with GuidePoint Security and our partners, please stop by booth #300 at the Charlotte SecureWorld 2015 Conference.

For additional information about the Charlotte SecureWorld 2015 Conference, visit http://www.secureworldexpo.com/charlotte/home.

About GuidePoint Security, LLC

GuidePoint Security provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps our clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and its classification can be found with the System for Award Management (SAM). Learn more at www.guidepointsecurity.com.

POODLE: SSL 3.0 Fallback Vulnerability

Overview

The SSL version 3.0 POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability (CVE-2014-3566) was officially released on October 14, 2014 by OpenSSL. The flaw was disclosed by a team of Google researchers including Bodo Möller, Thai Duong, and Krzysztof Kotowicz. This vulnerability is a consequence of a design flaw in the way SSLv3 uses block ciphers in CBC mode. Block ciphers encrypt data in fixed-length blocks. If the plaintext to be encrypted is not a multiple of the block size, the protocol pads the data up to a block boundary before encryption. The problem is that in SSLv3 the Message Authentication Code (MAC) does not cover the padding, and only the last padding byte (the length) is defined, so when a record is decrypted the receiver cannot verify the integrity of the padding. A server that accepts or rejects a modified record therefore acts as a padding oracle, which can allow an attacker to decrypt ciphertext one byte at a time.

This vulnerability only affects the SSLv3 protocol, which is rarely negotiated by modern web browsers, since they prefer TLSv1 or later. However, because SSLv3 is still widely supported by both servers and browsers, an attacker can still leverage this vulnerability by combining it with a downgrade attack. A downgrade attack is accomplished by intercepting and interfering with the SSL/TLS version and cipher suite negotiation between the client and server until the client falls back to SSLv3.

In the original disclosure paper, B. Möller, T. Duong, and K. Kotowicz succinctly illustrate the impact of this vulnerability, describing a scenario in which it could be used to compromise secure session tokens within the context of a web application (p. 2, https://www.openssl.org/~bodo/ssl-poodle.pdf):

“In the web setting, this SSL 3.0 weakness can be exploited by a man-in-the-middle attacker to decrypt “secure” HTTP cookies, using techniques from the BEAST attack [BEAST]. To launch the POODLE attack (Padding Oracle On Downgraded Legacy Encryption), run a JavaScript agent on evil.com (or on http://example.com) to get the victim’s browser to send cookie-bearing HTTPS requests to https://example.com, and intercept and modify the SSL records sent by the browser in such a way that there’s a non-negligible chance that example.com will accept the modified record. If the modified record is accepted, the attacker can decrypt one byte of the cookies.”

An attacker could deliver the JavaScript agent through a persistent or reflected Cross-Site Scripting (XSS) flaw, or inject it into traffic within an established Man-in-the-Middle position. The script causes the victim's browser to send cookie-bearing HTTPS requests, which the attacker modifies in transit; each modified record the server accepts reveals one byte of the cookie.

Impact

Because this vulnerability must be exploited in a chosen-plaintext setting, the only probable exploitation scenario with significant impact is a web browser session. For an attacker to successfully exploit this vulnerability, multiple highly specific conditions must hold:

  • The attacker must be able to intercept and manipulate traffic between the client and server (as in a Man-in-the-Middle scenario)
  • The attacker must be able to execute custom JavaScript code to initiate multiple crafted requests within the context of the victim’s browser

Despite the special circumstances and high level of skill required to exploit this vulnerability, the impact of a successful attack would be significant. Successful exploitation could result in an attacker gaining access to small pieces of highly sensitive encrypted traffic such as session tokens. Acquisition of these session tokens could be used in session hijacking attacks to completely take over a victim’s session within the context of the web application.

Identification

Server Identification

Server Testing with OpenSSL Client:

To determine if a particular service is vulnerable, use the SSL client in SSLv3 mode and supply the server name or IP address in conjunction with the port number of the service in question. If the connection succeeds then SSLv3 is enabled:

Syntax:
openssl s_client -connect <server>:<port> -ssl3

Example:
openssl s_client -connect google.com:443 -ssl3

Server Testing with Nmap:

The ssl-enum-ciphers Nmap Scripting Engine (NSE) script can also be used to determine whether servers are vulnerable. Nmap should be executed with the syntax provided below:

Syntax:
nmap <server> --script ssl-enum-ciphers -p <port>

Example:
nmap google.com --script ssl-enum-ciphers -p 443

If the scan returns a list of supported ciphers under the SSLv3 header, then SSLv3 is enabled:

|   SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL

Server Testing with SSLLabs:

Qualys has made a web-based testing utility available at the URL listed below. It can be used to test public-facing servers.

https://www.ssllabs.com/ssltest

If the scan report indicates that SSLv3 is still supported, then the server is vulnerable.
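As an added example (not GuidePoint's code, and not a substitute for the checks above), the following Python script performs the same test as openssl s_client -ssl3 at the record level: it sends a ClientHello that offers only SSL 3.0 and the CBC suites from the nmap listing, then reads the server's first record. A ServerHello means SSLv3 is enabled; a handshake_failure or protocol_version alert means it is refused, and an inappropriate_fallback alert means the server implements TLS_FALLBACK_SCSV. The target host, port and probe() call are assumptions; the record builder and parser work on constructed bytes without a network.

```python
import socket
import struct
import sys

SSL3 = (3, 0)
# Cipher suites taken from the nmap listing above (IANA values).
PROBE_SUITES = (0x000A, 0x002F, 0x0035, 0xC012, 0xC013, 0xC014)
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling suite, not a real cipher


def build_client_hello(suites=PROBE_SUITES, add_scsv=False):
    """Return one SSLv3 handshake record carrying a ClientHello.

    SSL 3.0 ClientHello layout: version(2) random(32) session_id_len(1)
    cipher_suites_len(2) cipher_suites(...) compression_len(1) methods(...).
    """
    suites = list(suites) + ([TLS_FALLBACK_SCSV] if add_scsv else [])
    client_random = bytes(32)  # constructed; a real client uses os.urandom(32)
    body = struct.pack("!BB", *SSL3) + client_random
    body += b"\x00"  # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    # Handshake header: type 1 = ClientHello, 3-byte big-endian length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 = handshake, version 3.0, 2-byte length
    return b"\x16" + struct.pack("!BB", *SSL3) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server returns to the probe.

    'sslv3-accepted'    a ServerHello with version 3.0 came back
    'refused'           handshake_failure (40) or protocol_version (70) alert
    'downgrade-refused' inappropriate_fallback (86) alert, RFC 7507
    'unknown'           anything else, e.g. the connection was simply closed
    """
    if len(data) < 5:
        return "unknown"
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: handshake header(4) followed by server_version(2)
        return "sslv3-accepted" if (payload[4], payload[5]) == SSL3 else "unknown"
    if ctype == 0x15 and len(payload) >= 2:
        description = payload[1]
        if description == 86:
            return "downgrade-refused"
        if description in (40, 70):
            return "refused"
    return "unknown"


def probe(host, port=443, timeout=5.0, add_scsv=False):
    """Send the SSLv3-only ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(add_scsv=add_scsv))
        try:
            return classify_response(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "unknown"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed target
    print(target, probe(target))
```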


Client Identification

Browser Client Testing with Poodle Test:

A web-based test is available that checks whether a client browser is vulnerable to the POODLE attack:

https://www.poodletest.com/

If your browser is vulnerable, the site displays an image saying so.

Remediation

Unfortunately, there is no patch for this vulnerability. However, SSLv3 is a deprecated protocol and should be disabled on both servers and clients (browsers). Both Mozilla and Google have announced that they will update Firefox and Google Chrome in the coming months to disable SSLv3 support. Note that disabling SSLv3 may break some websites or legacy web applications that only support SSLv3.

Browser Remediation

Remediation on Microsoft Internet Explorer:

Click the Settings button at the top-right corner of the browser, and then select ‘Internet Options’. Browse to the ‘Advanced’ tab. In the Settings list, scroll to the bottom and uncheck the box labeled ‘Use SSL 3.0’. Once completed, click ‘Apply’ and then ‘OK’.

Remediation on Mozilla Firefox:

In the URL address bar, browse to ‘about:config’. You will be given a warning that you should only modify these settings if you know what you are doing. We do, so click the button to disregard the warning and proceed. Then, in the Search bar, type ‘security.tls.version.min’. Double-click the setting with that Preference Name and change the integer value from 0 to 1. Once this change has been made, click ‘OK’. This disables SSLv3 (SSLv2 is not supported by Firefox) and only allows the browser to negotiate TLSv1 and later.

Remediation on Google Chrome:

Ironically, despite the fact that it was a Google team that identified this vulnerability, Chrome’s settings interface offers no option to disable support for SSLv3. A common workaround is to start Chrome from a shortcut that passes a command line argument disabling SSLv3.

To do this, right-click your Google Chrome shortcut and select ‘Properties’. Then append the command line argument --ssl-version-min=tls1 (separated by a space) to the end of the value in the Target field. Click ‘Apply’ and then ‘OK’. Once this modification has been made, support for any version prior to TLSv1 is disabled whenever the browser is started from this shortcut.

Server Remediation

Remediation on Apache Server:

Modify the SSLProtocol directive in the server’s ssl.conf file to disable support for versions earlier than TLSv1 on Apache. The location of this file varies with the distribution and build of the server.

For Ubuntu, the file can be modified with:

sudo nano /etc/apache2/mods-available/ssl.conf

If mod_ssl is enabled, the same file is also reachable through:

sudo nano /etc/apache2/mods-enabled/ssl.conf

For CentOS, the file can be modified with:

sudo nano /etc/httpd/conf.d/ssl.conf

In the configuration file, modify the SSLProtocol directive to read as follows (SSLv2 is already disabled by default in recent Apache versions, but listing it explicitly does no harm):

SSLProtocol all -SSLv2 -SSLv3

To verify the configuration change, use the following:

apachectl configtest

Once support for SSLv2 and SSLv3 has been disabled, the Apache service needs to be restarted. On Ubuntu this can be done with the following command (on CentOS the service is named httpd):

sudo service apache2 restart

Remediation on IIS:

To disable support for SSLv3 on Microsoft IIS, a registry change is required, because IIS relies on the SChannel provider for its protocol settings. Open the registry editor (run ‘regedit’) and browse to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

Inside the Protocols key there should be a key called ‘SSL 3.0’, and inside that key there should be a key called ‘Server’. If these keys do not exist, create them. Then, inside the ‘Server’ key, create a DWORD value called ‘Enabled’ and leave its value at 0 (the default for a new DWORD). Once completed, restart the server for the change to take effect.

Remediation on NGINX:

Modify the ssl_protocols directive in the nginx.conf file to disable support for versions earlier than TLSv1 on Nginx. This file is usually located at /etc/nginx/nginx.conf (server blocks in /etc/nginx/conf.d or sites-enabled may carry their own ssl_protocols directive and must be checked too) and can be modified with:

sudo nano /etc/nginx/nginx.conf

Set the ssl_protocols directive in the file to the following:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

To verify the configuration change, use the following:

sudo nginx -t

Once support for SSLv2 and SSLv3 has been disabled, the nginx service needs to be restarted. This can be done with the following command:

sudo service nginx restart

What is TLS_FALLBACK_SCSV?

If you are not prepared to disable SSLv3, downgrade attacks can alternatively be mitigated in some scenarios by using a browser that supports a new signalling cipher suite value called TLS_FALLBACK_SCSV. When both the server and the client browser support this option, the client includes the value in every retry it makes at a lower protocol version, and a server that sees it while still supporting a higher version refuses the connection. This prevents a downgrade to a protocol version lower than the highest version that both sides support.

Unfortunately, at this time, limited support on the server side and limited adoption by client browsers keep this from being a comprehensive solution to the problem.

Presently, TLS_FALLBACK_SCSV is only supported by Google Chrome 33.0.1750 (February 2014 Build) and later. Other major web browsers will likely adopt support in the following months.
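The rule behind TLS_FALLBACK_SCSV, modelled in Python as an added example (not GuidePoint's code and not a real TLS stack): the server-side check from RFC 7507 next to a client that performs the version-by-version fallback that browsers did at the time. The interfered parameter is a constructed stand-in for attempts that get no reply at the higher versions; version and cipher constants are the on-the-wire IANA values.

```python
TLS_FALLBACK_SCSV = 0x5600                       # signalling suite value (RFC 7507)
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
AES128_SHA = 0x002F                              # TLS_RSA_WITH_AES_128_CBC_SHA


class InappropriateFallback(Exception):
    """The server answers with alert inappropriate_fallback (86) and aborts."""


def server_select_version(client_version, client_suites, server_max, server_supports_scsv=True):
    """Server side of RFC 7507 section 3.

    A ClientHello that carries TLS_FALLBACK_SCSV at a version lower than the
    highest version this server supports means the client is retrying after a
    failed attempt that this server would have accepted, so the earlier attempt
    was interfered with: refuse. Otherwise negotiate the highest common version.
    A server that does not implement RFC 7507 simply ignores the SCSV.
    """
    if server_supports_scsv and TLS_FALLBACK_SCSV in client_suites and client_version < server_max:
        raise InappropriateFallback(f"fallback to {client_version} refused, server offers {server_max}")
    return min(client_version, server_max)


def client_negotiate(client_max, server_max, interfered=(), client_supports_scsv=True,
                     server_supports_scsv=True):
    """Client side: the legacy browser fallback dance.

    Start at client_max; after any attempt that gets no ServerHello, retry one
    version lower. Every retry after the first attempt carries TLS_FALLBACK_SCSV
    when the client supports it. Versions listed in `interfered` get no reply
    (constructed stand-in for tampering in transit). Returns the negotiated
    version and the list of attempts made.
    """
    attempts = []
    candidates = [v for v in (TLS12, TLS11, TLS10, SSL3) if v <= client_max]
    for i, version in enumerate(candidates):
        suites = [AES128_SHA]
        if i > 0 and client_supports_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        if version in interfered:
            attempts.append((version, "no reply"))
            continue
        chosen = server_select_version(version, suites, server_max, server_supports_scsv)
        attempts.append((version, "ServerHello"))
        return chosen, attempts
    raise ConnectionError("no protocol version accepted")


def downgraded_to_sslv3(client_max, server_max, interfered, client_scsv, server_scsv):
    """True if the dance ended on SSL 3.0, False if a higher version was agreed,
    'refused' if the RFC 7507 check stopped the fallback."""
    try:
        version, _ = client_negotiate(client_max, server_max, interfered, client_scsv, server_scsv)
    except InappropriateFallback:
        return "refused"
    return version == SSL3
```

Note that a server whose highest version really is SSL 3.0 still negotiates SSL 3.0 with an SCSV-capable client, because the client's first attempt carries no SCSV; the signal only stops fallbacks below what both sides could have agreed.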


About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Securing People and Assets Via Mobile Security


GuidePoint Security is adding another partner to its portfolio of technologies.  In an effort to provide its clients with best-of-breed solutions, GuidePoint Security has expanded its list of partners to include Bluebox Security™. Bluebox was chosen as a new partner for its unique ability to deliver enterprise visibility, security, and control of mobile data, while simultaneously enabling mobile productivity for employees, without compromising their privacy.

GuidePoint Security understands the importance of mobile security and the significant role it plays for the people and businesses it protects.  By adding another mobile security vendor, GuidePoint Security has expanded its reach to provide the best service possible to its existing and future customers.

“Mobile Security has been redefined, and Bring Your Own Device is here to stay,” said Justin Morehouse, Founder and Principal at GuidePoint Security.  “This partnership expands our offerings to confirm us as a leader in Information Security.”

“GuidePoint Security was founded by Information Security veterans who understand the importance of a data-first security strategy, and we are thrilled to have their endorsement both as a customer, and a partner,” said Caleb Sima, CEO, Bluebox Security. “The combination of GuidePoint Security’s deep domain expertise with Bluebox’s next-generation solution, will allow companies to rethink their mobile security approach to reduce risk in today’s rapidly changing mobile landscape.”

In order to further solidify the relationship between the two companies, GuidePoint Security and Bluebox are co-hosting a live webinar: 10 Questions CISOs Should Ask About Mobile Security. The webinar will be an interactive conversation about factors CISOs should be considering when implementing a mobile security solution.

The mobile landscape is changing rapidly, creating new challenges and opportunities for CISOs tasked with balancing business enablement and risk. This webinar provides a great opportunity for people to get in-depth information about how the partnership works and how it can benefit their business.  Click here to register.

Read additional news about this partnership: GuidePoint Security Secures Mobile Data With Bluebox Security.

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. GuidePoint Security is a small business. Classification can be found with the System for Award Management (SAM).  For more information visit  www.guidepointsecurity.com.

About Bluebox Security

Founded in 2012 by a team of security experts, Bluebox Security offers the first mobile data security solution to safeguard corporate data across the device, application, and network. The cloud-based solution provides complete visibility and security of corporate data, while providing employees the freedom, ease of use, and privacy that ensures widespread adoption. Bluebox Security has received a total of $27.5 million in funding from Andreessen Horowitz, Tenaya Capital, Sun Microsystems co-founder, Andreas Bechtolsheim, SV Angel, and Google Board member Ram Shriram. The company is headquartered in San Francisco. For more information visit  www.bluebox.com.


What Universities and Colleges Do the Best Hackers Come From? Here’s One in Particular: UCF!

University of Central Florida (UCF) won 1st Place at the National Collegiate Cyber Defense Competition (CCDC) that took place April 25-27 in San Antonio, TX.  This annual competition was started in 2005 in conjunction with the Department of Homeland Security to improve cyber security education and increase the number of highly qualified cyber security graduates in the U.S.  This Championship brings the best of the best hackers from universities all over the U.S. to fend off cyber-attacks from penetration professionals and ethical hackers.

Among those winners are GuidePoint Security interns, Carlos Beltran, the Captain of the winning UCF team; and Alex Davis, his team member.

“What sets UCF's CCDC team apart from others is that they focus on the hacker's perspective. We want to know how they got in, in order to keep them out,” explained Carlos Beltran.  “There are many reasons I chose to work at GuidePoint Security, but the main reason is because I have a strong desire to learn about security and the methodologies used to perform in real-world environments. GuidePoint Security gives me the opportunity to better my trade and excel in the areas I want.”

“Competitions like this foster learning about computer security, which is something businesses need, as shown by recent breaches like Target. The people coming out of competitions like CCDC will help prevent data breaches such as the ones we have seen on the news from happening,” said Alex Davis.  “I like learning how technology works, and I discovered that the best way to learn how things work is to focus on how systems can be exploited, and how to secure them. I enjoy the field, and working at GuidePoint Security allows me to do what I enjoy.”

According to the WSJ article, “University of Central Florida wins 2014 Raytheon National Collegiate Cyber Defense Competition”, more than 180 colleges and universities and 2,000 undergraduate students participated in the competitions that led up to this year’s national championship.  The Raytheon website listed the following 10 regional champions, with UCF coming in first place:

  • University of Central Florida – Southeast Regional
  • Air Force Academy – Rocky Mountain Regional
  • Dakota State University – North Central Regional
  • University of Alaska, Fairbanks – At Large Regional
  • Southern Methodist University – Southwest Regional
  • Rochester Institute of Technology – Northeast Regional
  • Western Washington University – Pacific Rim Regional
  • University of California, Berkeley – Western Regional
  • Towson University – Mid-Atlantic Regional
  • Northern Kentucky University – Midwest Regional

“While the competition has existed since 2005, UCF only very recently started competing. Shortly after I started teaching at UCF in August 2013, two of my students approached me to ask if I would be willing to sponsor a UCF team for this competition.  I realized the tremendous opportunities this competition would provide for our students.  I eagerly agreed and this is the second year UCF has entered a team.  It is also our second appearance at the National competition.  Each year, the team enters a virtual qualification round.  Eighteen teams from our 7-state Southeast region entered the qualification round including UCF, FSU, and USF from Florida.  The top 8 teams from the qualification round are invited to compete in a regional competition.  The UCF CCDC Team finished 1st in the Southeast Collegiate Cyber Defense Competition held in Kennesaw, GA in both 2013 and 2014.  The regional winner earns the privilege to compete in the National Collegiate Cyber Defense Competition in San Antonio, TX along with the winning teams from the other 9 U.S. regions.  In 2013, the UCF CCDC Team finished 10th nationally in our very first year of competition.  This year, the UCF team has captured the national title as the top Collegiate Cyber Defense Team in the nation,” explained Dr. Thomas Nedorost, Department of Electrical Engineering & Computer Science of the University of Central Florida.

2014 UCF Champs (photo compliments of UCF Collegiate Cyber Defense Club)

The winning members of the 2014 UCF Collegiate Cyber Defense Competition Team are:

  • Carlos Beltran, Team Captain
  • Jason Cooper, Team Co-Captain
  • Austin Brogle
  • Alexander Davis
  • Kevin DiClemente
  • Dale Driggs
  • Grant Hernandez
  • Mark Ignacio
  • Heather Lawrence
  • Troy Micka
  • Cody McMahon
  • Joe Pate

“The team’s strength lies in their teamwork, cross-training, and dedication to continue learning and improving,” said Dr. Nedorost.  “National CCDC brings together the top 10 cyber defense teams in the nation.  Having the ability to compete at this level is an honor in itself.  The level of competition is fierce.  Seeing UCF bring home the Alamo Cup, the 1st Place trophy, is priceless.”

“We are very proud of our two interns who worked so hard and won this challenging competition,” said Michael Volk, Managing Partner at GuidePoint Security. “Congratulations to all who made it and to all who participated!”

About GuidePoint Security, LLC
GuidePoint Security provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps our clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and its classification can be found with the System for Award Management (SAM). Learn more at www.guidepointsecurity.com.

Visit GuidePoint Security at InfoSec World, Orlando

Join GuidePoint Security as we highlight and showcase two of our technology partners, Bromium and Skybox.

When: Monday, April 7-8, 2014
Where: InfoSec World Conference & Expo, Booth #219, at Disney’s Contemporary Resort, Orlando, FL

GuidePoint Security partners with vendors that offer unique technologies that address the security needs of our clients.  With the complexity of security threats ever increasing, GuidePoint Security offers the right solutions and technologies for our clients’ specific needs. 

These two technology partners offer the following solutions to address today’s advanced security threats.

Bromium provides protection at the endpoint with vSentry, an innovative product designed to protect against advanced malware. vSentry automatically creates hardware-isolated micro-VMs that contain every user task – such as visiting a web page, downloading a document, or opening an email attachment.

Skybox delivers cutting-edge risk analytics for enterprise security management.  Their solutions give complete network visibility, help to eliminate attack vectors, and optimize security management processes, protecting both the network and the business.

GuidePoint Security uses its expertise to lead security innovation, helping clients recognize threats, understand solutions, and mitigate risks throughout their IT environments by determining which solutions fit each client’s needs.  GuidePoint Security offers the people, processes, technologies, and oversight that deliver results to your organization.

Be sure to visit GuidePoint Security at the InfoSec World conference in Orlando, booth #219.

For additional information about the InfoSec World Conference and Expo, visit http://gpsec.me/1hmTEAm.

About GuidePoint Security, LLC
GuidePoint Security provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps our clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and its classification can be found with the System for Award Management (SAM). Learn more at www.guidepointsecurity.com.

GuidePoint’s David Bressler Presenting on Data Visualization at RSA’s Security Analytics Summit

David Bressler, Senior Security Consultant at GuidePoint, will be presenting on data visualization at RSA’s Security Analytics Summit on Wednesday, September 11, 2013 at the Hilton Alexandria Mark Center in Alexandria, Virginia. His presentation, entitled Using Maltego to Pimp Big Data from NetWitness, will discuss using Maltego, primarily an offensive OSINT tool, to help defenders visualize data within NetWitness. The abstract of the presentation, which he will deliver together with Rich Popson, is:

Imagine what it would be like to utilize an OSINT tool that can use the NetWitness API to visualize the data being captured. Rich and David are going to show you how they turned what is known primarily as an offensive OSINT tool into a tool to help defenders visualize data within NetWitness.

The presentation will take place from 9:00 AM to 9:45 AM in the Arbors room. For more information on this presentation and the RSA Security Analytics Summit, visit https://blogs.rsa.com/th_event/rsa-security-analytics-summit-formerly-known-as-the-netwitness-user-conference/.