Friday, March 24, 2017

HTTPS Interception Can Weaken Security

The US-CERT[1] recently published an alert detailing how HTTPS interception can weaken security. This is a topic that was recently discussed in Security Now episode 599[2], where Steve Gibson[3] talks about an excellent research paper[4] (PDF) on the impact of HTTPS interception.

The research paper goes into detail about how the authors were able to analyze eight billion TLS connections and identify which of those had been intercepted. Their results show that about 10% of all US-based connections had their TLS broken at some point. The interception could come from a corporate TLS proxy, a host-based anti-virus product, or possibly a malicious actor performing a MITM attack.

A TLS proxy acts like a person at the post office opening all of your mail, inspecting it, re-sealing it, and shipping it to the original destination. The problem is that when it re-seals and ships the mail, the proxy doesn't always use the same level of security you started with (weaker cipher suites, older protocol versions, or skipped certificate validation), leaving you vulnerable to all sorts of attacks.

This is an important topic to be aware of and I'm personally researching how we can raise visibility to problematic TLS proxies, and alert end users when their "assumed secure" connections aren't actually as secure as they should be. I'm hoping to find a browser extension that can detect this, or maybe I need to build a solution myself :).

Credits:
[1] US-CERT
[2] Security Now Podcast
[3] Steve Gibson of GRC
[4] "The Security Impact of HTTPS Interception" by Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, and Nick Sulli

Friday, February 10, 2017

Wrestling with a TLS proxy

Some large corporate networks have a TLS proxy to break SSL and inspect traffic for malicious activity. For this to work all of the endpoints on that network need to have the right certs installed so that SSL connections continue to work.

I recently ran into an issue caused by a TLS proxy where my Kali Linux VM (running via Parallels on my Macbook Pro with OSX 10.11.6) was unable to make SSL connections because the TLS handshake was failing due to the invalid chain of trust. So I began to poke around to find and install the correct certs to fix SSL on my VM. I found three certs from a local CA in the OSX keychain, exported those in PEM format and dropped them into my Kali VM via SCP after enabling SSH. Copy/paste would have worked here too except I haven't finished installing the Parallels tools due to a dependency issue I'm still working on solving.

I had to convert the three PEM files into CRT format via openssl like this:

openssl x509 -in certificate.pem -inform PEM -out certificate.crt

Then I copied them to the /usr/local/share/ca-certificates/ folder and ran the "update-ca-certificates" command to import the certs. To test it out I ran an openssl s_client command to Wikipedia:

openssl s_client -showcerts -connect en.wikipedia.org:443

This command initiates a TLS connection and displays the certificates the server presents. I discovered what appeared to be an intermediate cert for the TLS proxy, so I copied that and pasted it into a new file, copied it to the ca-certificates folder, and ran update-ca-certificates again. Now when I ran openssl s_client -showcerts it appeared to be working, but my browser was still encountering cert errors. I suspected that Firefox ESR uses its own cert store, so I went ahead and imported all four certs into Firefox too.
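The step above (finding the proxy's certificate in the s_client output and copying it by hand) and the question in the March post about raising visibility into problematic TLS proxies can both be handled with a small script. The following is an added example, not code from the blog: it splits the output of "openssl s_client -showcerts" into one PEM file per certificate, then reports whether any certificate in the chain is one of the CAs dropped into /usr/local/share/ca-certificates/ (the folder used in the post). A hit means the connection you are looking at is being terminated by the local proxy rather than reaching the real site's certificate. The sample s_client output, the "Example Corp" names, and the certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the blog). Splits an "openssl s_client -showcerts"
# capture into per-certificate PEM files and checks whether the chain is
# anchored in a locally installed CA (i.e. the TLS proxy, not the public CA).
# Real use (assumes openssl and a captured chain, both outside this script):
#   openssl s_client -showcerts -connect en.wikipedia.org:443 </dev/null \
#       > chain.txt 2>/dev/null
#   check_chain chain.txt /usr/local/share/ca-certificates

# split_chain <showcerts-output-file> <outdir>
# Writes chain-0.pem (leaf), chain-1.pem, ... and prints the number of certs.
split_chain() {
    in="$1"; out="$2"
    mkdir -p "$out"
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain-" (n - 1) ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$in"
}

# local_ca_match <pemfile> <cadir>
# Prints the path of the first *.crt in <cadir> whose base64 body equals the
# body of <pemfile>; returns 1 if none matches. BEGIN/END lines and whitespace
# are ignored so different line wrapping does not defeat the comparison.
local_ca_match() {
    pem="$1"; cadir="$2"
    want=$(grep -v -- '-----' "$pem" | tr -d ' \r\n')
    for ca in "$cadir"/*.crt; do
        [ -f "$ca" ] || continue
        have=$(grep -v -- '-----' "$ca" | tr -d ' \r\n')
        if [ "$have" = "$want" ]; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    return 1
}

# check_chain <showcerts-output-file> <cadir>
# Returns 0 (and prints which cert matched) when a chain cert is a locally
# installed CA, meaning the proxy terminated the connection; 1 otherwise.
check_chain() {
    tmp=$(mktemp -d)
    count=$(split_chain "$1" "$tmp")
    rc=1
    i=0
    while [ "$i" -lt "$count" ]; do
        if m=$(local_ca_match "$tmp/chain-$i.pem" "$2"); then
            printf 'chain cert %d is a locally installed CA: %s\n' "$i" "$m"
            rc=0
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# write_sample <dir>
# Constructed fixture: a fake s_client capture with a two-cert chain issued by
# a corporate proxy, plus a ca/ folder holding that proxy intermediate.
write_sample() {
    d="$1"
    mkdir -p "$d/ca"
    cat > "$d/showcerts.txt" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = en.wikipedia.org
   i:CN = Example Corp TLS Proxy CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTBODY000000000000000000000000000000000000000000
PLACEHOLDERLEAFCERTBODY111111111111111111111111111111111111111111
-----END CERTIFICATE-----
 1 s:CN = Example Corp TLS Proxy CA
   i:CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERPROXYCABODY0000000000000000000000000000000000000000000
PLACEHOLDERPROXYCABODY1111111111111111111111111111111111111111111
-----END CERTIFICATE-----
---
Server certificate
EOF
    # Same proxy intermediate as installed in the ca-certificates folder,
    # deliberately wrapped on one line to show whitespace is ignored.
    cat > "$d/ca/proxy-intermediate.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERPROXYCABODY0000000000000000000000000000000000000000000PLACEHOLDERPROXYCABODY1111111111111111111111111111111111111111111
-----END CERTIFICATE-----
EOF
}
```

When the chain is clean (no locally installed CA appears in it) the script exits non-zero and prints nothing, which makes it easy to wire into a cron job or shell prompt as a reminder that the "secure" connection is being opened in transit. If openssl is available, "openssl x509 -noout -subject -issuer -in chain-1.pem" on the split files shows who actually signed each hop.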

Success! :)

Wednesday, February 1, 2017

Pro tips for basic security online

I wanted to share some basic security advice I give to family, friends, and my users at work.

1. Keep everything up to date!

The internet is full of bad guys doing bad things. When a new vulnerability in Windows is discovered, Microsoft releases a patch, but that patch isn't any good unless you install it. I know it can be annoying to stop what you're doing and update your computer or phone, but it is essential to staying safe in a modern world where we're surrounded by technology.

2. Maintain a healthy level of suspicion.
  • Don't implicitly trust anyone online.
  • Be careful what links you click. Especially in email, but also on Skype, Facebook, and anywhere else links can be shared.
  • Don't install any software or apps that aren't from a trusted source.
  • Even if they appear to be from a trusted source, review reputation information, and verify the site/store that you're downloading it from. Very recently an app called "Meitu" became popular and everyone was installing it and disregarding the permissions it requested (just about all of them!). The app turned out not to be malicious, but users who installed it have already sent their data to the Meitu servers... will they use that data for good?

3. Use strong passwords, enable two factor authentication everywhere possible, and avoid sharing your password across multiple websites.

  • Your passwords should have length, complexity, and be unique. This isn't as hard as you think it is. XKCD has a popular comic talking about password strength. A password like "Hunter1" includes a capital and a number, but it's very short and easy to guess. A password like "correct Horse52 battery staple!" is very long, has a capital letter, numbers, several symbols (spaces are considered symbols), and is easy to remember.
  • Two factor authentication is when you are asked to enter a code (usually sent to your phone via SMS, or shown by an app that displays a fresh code every 30 seconds) after you've entered your username and password. It is especially important because if a bad guy steals your username and password, he still needs your phone to finish logging in. Most popular sites offer 2FA in some form; I recommend checking out Two Factor Auth.org.
  • When you register on a website and use the same password you used somewhere else, you're trusting them to store that password securely for as long as that website exists. In 2016 alone there were hundreds of millions of accounts that were hacked. I highly recommend you go to Have I Been Pwned? and sign up with all of your email addresses. It's a site run by Troy Hunt, who collects data breaches and sends out notifications when your information has been found in one.
  • Use a password manager like LastPass, KeePass, or 1Password to securely store your passwords. Make sure you use a unique master password, in addition to 2FA. Ideally you would also utilize the "generate random password" feature so that all of your passwords look like this: "JzeKO7OXwN!GyHN&68Ue". You can just copy/paste or autofill the password, and only have to memorize your master password.

There is a lot more to security than what I've listed here, but this is a good start :)