FREAK ( Factoring RSA Export Keys) : Vulnerability Forces Weaker Encryption

According to Freak attack tracking website, the HTTPS connection is vulnerable “If the server accepts RSA_EXPORTS Cipher suites and the client either offers an RSA_EXPORT suites or is using a version of OpenSSL that is vulnerable to CVE-2015-0204”

You forget last year disastrous POODLE Flaw which let downgrade the security of the whole SSL/TLS communication to the weakest level.

Even before POODLE and now FREAK, the Heartbleed flaw existed in OpenSSL.

FREAK is similar to these attacks in that it also exploits vulnerabilities in OpenSSL to downgrade secure connections from "strong" RSA to "export-grade" RSA cryptography, allowing cybercriminals to intercept, decrypt and access personal information.

Mechanism

A vulnerable client such as your web browser, Smartphone Apps start talking to a server working on HTTPS, and start list the encryption algorithms and key lengths it supports and those it prefers meant these should be strong ciphers and long keys.

An Attacker (MAN-IN-THE-MIDDLE) able to intercept traffic between the client and the server and can tamper with that message to say the client only wants weak export-grade keys encryption, for example 512-bit RSA Key.

Due to Bugs in OpenSSL and Secure Transport, Server replies with a weak key, the client will accept it and after that encryption process will start.

An attacker can go to a cloud provider and can decode a key for around $100 and half a day.

An analysis of the attack by Assistant Research Professor Matthew Green of Johns Hopkins University's Information Security Institute in Maryland summarizes the situation thus:

1.      In the client's Hello message, it asks for a standard 'RSA' ciphersuite.

2.      The MITM attacker changes this message to ask for 'export RSA'.

3.      The server responds with a 512-bit export RSA key, signed with its long-term key.

4.      The client accepts this weak key due to the OpenSSL/SecureTransport bug.

5.      The attacker factors the RSA modulus to recover the corresponding RSA decryption key.

6.      When the client encrypts the 'pre-master secret' to the server, the attacker can now decrypt it to recover the TLS 'master secret'.

7.      From here on out, the attacker sees plaintext and can inject anything it wants.

How to downgrade the SSLversion

For Practical, I am taking the www.nsa.gov website,

You can see in below image before MITM attack over SSL, website was running on the TLS Higher version TLS 1.2, that means SSL Connection between browser and server has been encrypted by TLS 1.2

 

                                                                                

But after Man-In-The-Middle attack,  SSL Connection between browser and server encrypted by lower version of TLS 1.0

Popular Sites Affected

According to reports, 37% of browser-trusted sites are affected by this flaw. Affected sites include Bloomberg, Business Insider, ZDNet, HypeBeast, Nielsen, and the FBI. It bears stressing that there are country-specific sites that were also affected.

Microsoft has confirmed all version of Windows are vulnerable. Red Hat confirmed that versions 6 and 7 of Red Hat Enterprise Linux (RHEL) are vulnerable as well. Browsers that are vulnerable to the FREAK vulnerability include Internet Explorer, Opera (Mac OS X / Linux), and Safari.

Addressing the FREAK Flaw

OpenSSL has provided a patch for CVE-2015-0204 in January. Apple is reportedly deploying a patch for both mobile devices and computers.

Advise for Android users to refrain from using the default Android browser in their devices. They can instead use the Google Chrome app as it is not affected by the bug. Furthermore, connections to the Google search site are not affected.

Read more..

CryptoWall Ransomware Malware - Introduction

Popular category of malware known as ransomware and Cryptowall is another entry in this category.

The malware displays a message that their files have been encrypted and need to pay the ransom in Bitcoins.

CryptoWall is a file encrypting malware that first version was released around the end of April 2014 and that targets all versions of windows OS.

In October 2014, the malware developers released a new version called CryptoWall 2.0

In First version, malware developers were utilizing other organization's gateways Web-To-TOR, So victim was not able to discover servers that are located on the TOR.

When TOR developers discovered that CryptoWall was using then they blacklisted thegateway.

So in new version, Malware developers appear to have created their own gateway to TOR.

CryptoWall will scan your computer for data files and encrypt them using RSA-2048 encryption so you will not able to open your file.

After infection, it will open a Notepad file that contains instructions on how to access the Decryption Service where you need to pay bitcoin to purchase a decryption program.

CryptoWall is distributed via emails with Zip PDF files And it will install malware files either in the %AppData% or %Temp% folders.

After encryption, it will run the below write command for deleting the SHADOW VOLUMES COPIES,

C:\Windows\Sysnative\vssadmin.exe  Delete Shadows /All /Quiet

SHADOW VOLUMES Copies used to restore your encrypted files.

Mechanism of Cryptowall :

1. CryptoWall begins by collecting details about your computer such as,

  a. Computer Name

  b. Processor Model

for generating an MD5 hash that can identify the infected computer.

2. Start the Event, creates a new instance of explorer.exe and injects itself, malware again creates a new instance of svchost.exe and again injects itself into it. From here encryption takes place.

3. Hash value is sent to the Server which then responds with an encrypted message containing...

   a. TOR Address of website

   b. USER ID for Victim's PC

   c. Public Key used to encrypt the files using RSA-2048

   d. COUNTRY CODE (Determined by Victim IP Address)

4. All Communication with the Server is encrypted using RC4.

5. To search for files, CryptoWall scans the system for all mounted drives using GetLogicalDriveStringsW

6. After encryption, Cryptowall will add the full path to the file as a value under the HKEY_CURRENT_USER\Software\<random>\CRYPTLIST Registry key.

 

7. Cryptowall will create two more file  DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML that was created on victim Desktop.

For find the files that have been encrypted by CryptoWall check the Windows Registry. The location of the key is in the below format :

HKCU\Software\<unique computer id>\<random id>

This is the introduction thread for Cryptowall Malware. In my next thread, we will discuss How to prevent your computer becoming infected by CryptoWall by using Software Restriction Policies.

Read more..

How To Secure Small Company Network By Cost View

Today , many small companies not able to buy expensive security devices like Firewall , so fault increase randomly in network security. The main issues here, how to increase the network security in small companies. I am going to giving you introduction about it, also tell you that how can you increase your company security by only making some enhancement in Router.

In this article , I am going to cover below write topic...

1. Context Based Access Control (CBAC)

2. IOS URL Filtering

3. Zone Based Firewall

I hope that after read my this article you will be able to build your company network smart.

Context Based Access Control

CBAC works as a true stateful inspection for IOS Router . Means CBAC used to protocol specific inspection in traffic flows going across the router and dynamically open holes for returning traffic.  Flow of the traffic is from Protected Network (inside of company) to the Unprotected Network (outside of company). When any packet of information gone inside to outside then it registered on the CBAC table and when packet come back then CBAC check the table and then allow or deny the return packet according to information of table . It's look like echo and echo-reply.

 For do this work in better way, CBAC uses the Access Control List (ACL). However , we use the Extended Access List with CBAC. CBAC can inspect generic TCP/UDP connections just to check integrity and open a hole for returning traffic.

I am showing you FTP Application Traffic inspection configuration:

R2(config)#ip inspect name INSPECT ftp

R2(config)#ip access-list INBOUND permit udp any any eq rip

R2(config)#int f0/1                    

R2(config-if)#ip access-group INBOUND in

R2(config-if)#ip inspect INSPECT out

There many use of CBAC , this is only introduction.

IOS URL FILTERING

Configure HTTP URL filtering for achieve below write goal…

1.Filter Java applet from http response.

      2.Filter URL using Websense Server service.

      3.Permit the DNS www.hackarde.com to be accessed at any time.

We will filter URL by using CBAC inspect rule. We need a URL filtering Server with CBAC configuration.  

We will be blocking Java Applet downloads from www.hackarde.com sites.

R2(config)# access-list 1 deny any

R2(config)#ip urlfilter server vendor websense 10.0.0.50

Going to activate Filtering:

R2(config)#ip inspect name INSPECT http java-list 1 urlfilter

R2(config)#ip urlfilter exclusive-domain permit hackarde.com

R2(config)#ip urlfilter allow-mode on

Apply it on Router R2 outside interface f0/1:

R2(config)#int  f0/1

R2(config-if)#ip inspect INSPECT in

Zone Based Firewall (ZFW)

Before the ZFW , the IOS firewall offered stateful inspection using the CBAC Feature (Told you about it already). The problem with CBAC is that traffic passing through the interface was subject to the same inspection policy. In ZFW , inspection can now applied on Zone Based model meant interface of IOS Router assigned to different Zone like INSIDE (Private Zone), OUTSIDE (Public Zone), and DMZ zone.

In above picture, I am showing you that R2 Router works as IOS Firewall and his interface Fa0/0 woks in PRIVATE ZONE , interface Fa0/1 works in PUBLIC ZONE and interface Fa1/0 works in DMZ ZONE.

The following steps are required for configure ZFW in IOS Firewall (R2)…                                                  

1.  Define Zone

      2.  Define Zone Pair

      3.  Define Class Map for identify traffic

      4.  Define a Policy Map to apply action to the traffic in a class map

      5.  Apply Policy Map

      6.  Assign interface of Firewall to zones

I hope that my new article helpful for you.

Read more..