Wednesday, 28 December 2011

28C3

There are several talks at 28C3 regarding pentesting, research and countermeasures when exploring vulnerabilities. Most of the talks are in the next few days:

802.11 Packets in Packets (ID 4766)
SCADA and PLC Vulnerabilities in Correctional Facilities (ID 4661)
Defending mobile phones (ID 4736)
Black Ops of TCP/IP 2011 (ID 4930)
Dont' scan, just ask (ID 4770)
Effective Denial of Service attacks against web application platforms (ID 4680)
Reverse Engineering USB Devices (ID 4847)
The Science of Insecurity (ID 4763)
Time is on my Side (ID 4640)
Ein Mittelsmannangriff auf ein digitales Signiergerät (ID 4758)
Rootkits in your web application (ID 4811)
Reverse-engineering a Qualcomm baseband (ID 4735)
Post Memory Corruption Memory Analysis (ID 4660)
Taking control over the Tor network (ID 4581)
Security Log Visualization with a Correlation Engine (ID 4767)
Ooops I hacked my PBX (ID 4656)
Cellular protocol stacks for the Internet (ID 4663)
Implementation of MITM Attack on HDCP-Secured Links (ID 4686)
Print me if you dare (ID 4780)
The future of cryptology: which 3 letters algorithm(s) coud be our Titanic? (ID 4710)
New Ways I'm Going to Hack Your Web App (ID 4761)
Introducing Osmo-GMR (ID 4688)
Sovereign Keys (ID 4798)
Your Disaster/Crisis/Revolution just got Pwned (ID 4707)
Antiforensik (ID 4828)
The engineering part of social engineering (ID 4856)
Security Nightmares (ID 4898)

This list is just a subjective selection what I think is interesting. You can find more talks when looking in the track "hacking" or the in the schedule of the 28C3 (called "Fahrplan").

These talks and many others can either be seen live as a stream or downloaded later via http or rsync. Via the ID of the talk and the tag "28C3" you should also be able to find all the talks via torrent.

Here are some other interesting links regarding 28C3:

c3netmon (Network statistics at 28C3)
No Nerd left behind
Hacked
FTP Server
Chaos Bay


P.S.: Hacker Jeopardy (ID 4775) was also very funny in the last years. So this talks should be worth to download it :-)

Monday, 26 December 2011

Check SSL/TLS configuration

There are several tools for checking the safety of encrypted communication via HTTPS:

sslscan
- sslyze
- SSL Audit (only available for Windows)

Nessus is also scanning for vulnerable SSL certificates and you can also see via Nmap weak configurations when using the SSL NSE Scripts available in Nmap. (e.g #nmap --script "*ssl*" <target>)

I always check the SSL configuration with sslscan, sslyze and also with Nessus and Nmap.

You can also make an online ssl scan of a website via Qualys, but the result will stay permanently in the Qualys database and is publicly available. If the results of the scan were pretty bad, the domain will also show up in the list "Recent Worst-Rated". So be aware of this fact, before you execute this kind of SaaS.

The most important recommendations, when using SSL/TLS are:

- Use a key >= 128 Bit
- Use strong cryptographic ciphers
- Do NOT use SSLv2 anymore
- Use TLS 1.0, as it it supported by every browser nowadays (even if this implementation is vulnerable to "BEAST" when using a block cipher)
- Use "Secure" Cookie Flag
- Use an Appropriate Certificate Authority
Only Support Secure Renegotiations

In a reverse conclusion everything that is not matching these recommendations is a finding in your pentest.


Further reading:
Testing for SSL (OWASP)
Transport Layer Protection Cheat Sheet (OWASP)
OWASP Application Security FAQ #SSL (OWASP)
BEAST Countermeasures
Still no fix in Windows to close Bug exploited by BEAST