InfoSecGyan


Friday, 24 October 2014

Upload & Share Files From Command-line



Hello All,

Today I am going to talk about a handy approach to sharing files on the web. Transfer.sh offers a command-line friendly file sharing service which, for many tasks, is more convenient than pastebin-style sites.

Instead of the usual steps of opening a browser, loading a "free file upload" site, logging in or signing up, browsing to the file and uploading it, you can share files directly from the command line with curl. The service is free and requires no registration, and it combines well with standard tools such as gpg (encryption) and base64 (encoding). Because uploads are ordinary HTTPS requests to a generic host, simple URL-based content filters may not notice them. Keep in mind, though, that anything you upload unencrypted can be downloaded by anyone who obtains the URL, so encrypt sensitive files before sending them (see below).

Lets start,

Upload a single file using curl (no encryption):
e.g.
# curl --upload-file /home/InfoSecGyan/myfile.txt https://transfer.sh/myfile.txt

curl's --upload-file (short form -T) sends the file with an HTTP PUT. Use https, not http, or the file travels in cleartext. The output of the command is the download URL, of the form https://transfer.sh/<id>/myfile.txt.

Upload multiple files using curl (no encryption):
e.g.
# curl -i -F filedata=@/home/InfoSecGyan/myfile.txt -F filedata=@/home/InfoSecGyan/myfile1.txt https://transfer.sh/

This is a multipart POST (-F) rather than a PUT; the output contains one download URL per file.


Transfer.sh itself does not encrypt anything: it stores whatever bytes you send it. You can, however, encrypt the file locally with gpg before it leaves your machine, using a passphrase you choose, and upload only the ciphertext.

To Encrypt and Upload File:

# cat /home/InfoSecGyan/myfile.txt|gpg -ac -o-|curl -X PUT --upload-file "-" https://transfer.sh/myfile.txt
Enter your passphrase when gpg prompts for it and press enter. Here -a produces ASCII-armored output, -c selects symmetric (passphrase) encryption and -o- writes the ciphertext to stdout, which curl reads from "-". (--upload-file already implies PUT, so -X PUT is redundant but harmless.)

Note: anyone who fetches the resulting URL (e.g. https://transfer.sh/c77vJ/myfile.txt) from a browser or the command line receives only the ASCII-armored PGP message, not the plaintext; the passphrase is needed to decrypt it. Send the passphrase to the recipient over a separate channel, never together with the URL, otherwise the encryption buys you nothing.

To Decrypt and Download File:

# curl https://transfer.sh/c77vJ/myfile.txt|gpg -o- > /tmp/savehere.txt
gpg detects the encrypted input and prompts for the passphrase you chose when encrypting; the decrypted content is written to /tmp/savehere.txt, which you can then read as usual.


Happy Sharing..!!

Thursday, 16 October 2014

POODLE Vulnerability saying Goodbye to SSL 3.0



Secure Sockets Layer (SSL) encryption, which we have relied on for a long time to secure communication on the Internet, has a vulnerability. Google engineers Bodo Möller, Thai Duong and Krzysztof Kotowicz discovered it and point out that SSL 3.0 should no longer be used.

Before SSL 3.0, SSL 2.0 was the first widely used version; multiple vulnerabilities were later discovered in it, and SSL 3.0 replaced it. Its successors SSL 3.0 and TLS 1.0 are widely supported today, and TLS 1.1 [RFC 4346] and TLS 1.2 [RFC 5246] are newer; nearly all web browsers support them.

Google named the vulnerability "POODLE". It is an attack on the SSL 3.0 protocol itself, not an implementation bug, so every implementation of SSL 3.0 is affected. This concerns only the old SSL 3.0, not TLS 1.0 or later: TLS and DTLS are not affected by this protocol flaw. CVE-2014-3566 has been assigned to it.

SSL 3.0, introduced in 1996, is meant to prevent MITM attacks and eavesdropping: when a client (a browser or an app) connects to a server, the two perform a handshake that establishes keys used to encrypt and decrypt the data they exchange. SSL secures the transport layer, so it protects not only web traffic (HTTPS) but other application protocols as well.
SSL 3.0 (RFC 6101) is nearly 18 years old and insecure, yet nearly all browsers still support it. The handshake provides authenticated version negotiation, so normally the newest protocol version common to client and server is used. For most practical purposes SSL 3.0 has been replaced by TLS 1.0 [RFC 2246], TLS 1.1 [RFC 4346] and TLS 1.2 [RFC 5246], but many TLS implementations remain backward compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience.

The attack lets a network attacker run a "downgrade dance": by breaking the client's TLS connection attempts, the attacker makes the client believe the server does not support TLS, so the client falls back to SSL 3.0. From there, a MITM attacker can decrypt secure HTTP cookies byte by byte. Google calls this POODLE (Padding Oracle On Downgraded Legacy Encryption). In simple words, your information is no longer effectively encrypted. I therefore recommend disabling SSL 3.0 on servers as well as on clients. The root cause of the downgrade is that, to work around bugs in HTTPS servers, browsers retry failed connections with older protocol versions, down to SSL 3.0; since a network attacker can cause connection failures, they can force the use of SSL 3.0 and then exploit this issue.

As Bodo Möller wrote in the Google Online Security Blog post announcing the issue: "Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore, I recommend supporting TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks."

If your browser supports SSL 3.0, disable it, or better, use software that supports TLS_FALLBACK_SCSV (Transport Layer Security Signaling Cipher Suite Value), which prevents these downgrade attacks. Google plans to remove SSL 3.0 support from its products over the next few weeks; a Chromium patch that disables the SSL 3.0 fallback is already available and under review.
Mozilla also plans to turn off SSL 3.0 in Firefox; its post says "SSLv3 will be disabled by default in Firefox 34", due for release on 25 November.
 
FAQ:

Are only servers affected, or clients too?
As a server admin you should disable SSLv3 now for the security of your users.
As a user, you should disable SSLv3 in your browser now to secure yourself when visiting websites which still support SSLv3.

How do I know whether I am affected, and how do I patch it?
The attack requires the attacker to inject data of their own into the encrypted stream and to intercept the ciphertext. The only plausible setting is a web browser: attacker-controlled JavaScript in the victim's browser issues many requests so that the secret cookie lands at a chosen position relative to the CBC padding, while the attacker on the network tampers with the ciphertext and watches whether the server accepts it. POODLE is therefore, like BEAST and CRIME, an attack on the client, not on the server.

All web browser users are affected, but it also depends on the server: the protocol version is negotiated between client and server, and SSL 3.0 is used only if the server agrees. So you might consider your server "vulnerable" if it still allows SSL 3.0 (technically imprecise, since the attack is client-side in a web context, but that is how SSL security scanners report it).

Conditions for the attack: SSL 3.0 is negotiated and a CBC-mode cipher suite is selected (RC4 has no padding and so is not vulnerable to this specific attack, but RC4 has its own well-known weaknesses).

Below are the workarounds / remediations:
1. Disable SSL 3.0 support in the server.
2. Disable SSL 3.0 support in the client.
3. Disable support for CBC-based cipher suites when using SSL 3.0 (in either client or server).
4. Implement TLS_FALLBACK_SCSV, a signaling cipher suite value (not a protocol extension) that lets the server detect when an active attacker is breaking connections to force client and server down to SSL 3.0 even though both support TLS 1.0 or better. Both client and server must implement it.

There is no patch for the protocol itself (short of redesigning SSL 3.0). The flaw lets a network attacker recover the plaintext of a secure connection, for example session cookies, that was supposed to be encrypted between client and server.

Firefox browser

Open about:config, search for security.tls.version.min and change its value from 0 to 1, then restart Firefox. The restart is only needed to drop any already-open SSL connections.
Firefox 34 and later disable SSL 3.0 by default, so no action is needed there.


Apache HTTPD server:
If you run an Apache server, add the following line to your configuration among the other SSL directives (it applies to mod_ssl in both 2.2 and 2.4; make sure no virtual host re-enables SSLv3 with its own SSLProtocol line):

SSLProtocol all -SSLv2 -SSLv3

Check the syntax with apachectl -t and restart the Apache service.
If your site is publicly reachable, test it with Qualys' SSL Labs tool.

Nginx server:
If you run Nginx, set the following in your configuration among the other SSL directives (note that there is no colon after the directive name; the line in the original post would be a syntax error):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Check the syntax with nginx -t and restart (or reload) the Nginx service.
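As an added example that is not part of the original post, the POSIX sh functions below audit Apache and nginx configuration files for directives that still allow SSLv3 (including the easy-to-miss case of SSLProtocol all without -SSLv3) and then verify a running server by attempting an SSLv3-only handshake with openssl s_client. The parsing is deliberately simple: it checks each SSLProtocol / ssl_protocols line on its own and does not model which virtual host wins, so treat a clean result as a prerequisite for the live check, not a replacement. The "unknown option" and "Protocol  : SSLv3" strings matched in the live check are what current openssl builds print in my experience, but they are assumptions about tool output, not part of the POODLE advisory.

```shell
#!/bin/sh
# Added example (not from the original post). Audit config for SSLv3, then test live.

# Return 0 if one directive line still allows SSLv3, 1 otherwise.
# $1 is a line such as "SSLProtocol all -SSLv2" or "ssl_protocols SSLv3 TLSv1;".
# Apache applies tokens in order: "all"/"+all" and "SSLv3"/"+SSLv3" enable it,
# "-SSLv3" removes it, and a bare token (no sign) replaces the whole set.
# nginx simply lists the versions that are enabled.
sslv3_allowed_in_directive() {
    d=$(printf '%s' "$1" | sed 's/;[[:space:]]*$//')
    set -- $d
    [ $# -gt 0 ] || return 1
    directive=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    allowed=0
    for tok in "$@"; do
        tok=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        case "$directive:$tok" in
            sslprotocol:all|sslprotocol:+all|sslprotocol:sslv3|sslprotocol:+sslv3) allowed=1 ;;
            sslprotocol:-sslv3|sslprotocol:-all) allowed=0 ;;
            sslprotocol:[!+-]*) allowed=0 ;;    # bare TLSv1, TLSv1.2 ... replaces the set
            ssl_protocols:sslv3) allowed=1 ;;
        esac
    done
    [ "$allowed" -eq 1 ]
}

# Print every SSLProtocol / ssl_protocols directive in file $1 that allows SSLv3.
# Returns 0 if the file is clean, 1 if at least one offending line was printed.
audit_config_for_sslv3() {
    bad=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=${raw%%#*}                                   # strip comments
        line=$(printf '%s' "$line" | tr -s ' \t' ' ' | sed -e 's/^ //' -e 's/ $//')
        first=$(printf '%s' "${line%% *}" | tr 'A-Z' 'a-z')
        case "$first" in
            sslprotocol|ssl_protocols) ;;
            *) continue ;;
        esac
        if sslv3_allowed_in_directive "$line"; then
            printf 'allows SSLv3: %s\n' "$line"
            bad=1
        fi
    done < "$1"
    return $bad
}

# Live check against host:port ($1): 0 = server accepted an SSLv3 handshake,
# 1 = refused, 2 = local openssl has no SSLv3 support, so the result is inconclusive
# (newer openssl builds drop -ssl3; use SSL Labs or an older build in that case).
sslv3_handshake_accepted() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1" -ssl3 2>&1)
    case "$out" in
        *"unknown option"*)       return 2 ;;   # assumed wording of the openssl error
        *"Protocol  : SSLv3"*)    return 0 ;;   # assumed wording of the session summary
        *)                        return 1 ;;
    esac
}

# Usage:
#   audit_config_for_sslv3 /etc/apache2/mods-enabled/ssl.conf && echo "config clean"
#   sslv3_handshake_accepted www.example.com:443; echo "exit status $?"
```

Run the audit over every file that carries SSL directives (sites-enabled/*, conf.d/*), since a virtual host with its own SSLProtocol line overrides the global setting; then confirm with the live check or SSL Labs after the restart.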

Sources: Google

Saturday, 11 October 2014

Disable or Remove Directory Listing in Apache


If you create a new directory on your website and it contains no index file (index.html or whatever DirectoryIndex names), anyone who requests that directory from a web browser gets a listing of all the files in it. For example, if you create a folder called "upload", anyone can see everything in it simply by typing http://www.example.com/upload/ into a browser, without any password.
Many distribution default configurations ship with this feature enabled (Options Indexes on the document root), and it is always a good idea to disable it unless you really need it.

To disable or remove directory listing/browsing in Apache:
1. Open a terminal.
2. Go to your Apache configuration directory (for example /etc/apache2 on Debian/Ubuntu or /etc/httpd/conf on RHEL/CentOS).
3. Open the main configuration file (httpd.conf or apache2.conf) with vi:
# vi /etc/apache2/apache2.conf

4. Find the <Directory> block for your document root and remove Indexes from its Options directive, either by setting Options to None or by using -Indexes (without quotes):
Example:
<Directory /home/webuser/public_html>
  Options -Indexes
</Directory>


Or 

<Directory /home/webuser/public_html>
  Options None
</Directory>

Options -Indexes removes only directory listing and keeps any other options (such as FollowSymLinks) inherited from parent blocks; Options None switches off every option for that directory, so make sure your site does not rely on any of them.

5. Restart the Apache service:
# /etc/init.d/httpd restart
Or
# /etc/init.d/apache2 restart 

Using .htaccess files with Apache
If .htaccess support is enabled for the directory (AllowOverride Options or AllowOverride All in the matching <Directory> block; with AllowOverride None the file is silently ignored), you can put the same directive in a .htaccess file inside that directory:
Options -Indexes

After disabling directory listing, requesting a directory that has no index file from a web browser returns a 403 Forbidden error page instead of the file list.


Wednesday, 8 October 2014

What is DLP and how do I protect my Organization’s data with it?

What is Data Loss/Leakage Prevention?

DLP solutions help organizations protect the sensitive information that flows across and is stored on your networks. It allows data handling to be controlled using policies that describe attributes defining the data and the kinds of operations users can perform with the data. DLP solutions typically fall into two categories: “DLP light,” which typically takes the form of advanced content filtering bundled into gateway security and desktop protection products and “full DLP,” which adds much more control, flexibility, and capability and delivers data protection across the organization’s entire infrastructure from the USB drive to the network firewall and beyond.

Does DLP stand for Data Loss Prevention or Data Leakage Prevention?

DLP stands for Data Leakage Prevention and is also called Data Loss Prevention. There is a subtle difference between leakage and loss, and everyone uses their own terms. In plain English, data loss affects the availability of data, whereas leakage does not: loss means the information is gone (no copy remains in your organization), while leakage means the information was stolen or leaked out but your copy is still there.

In information security usage, however, loss is often defined as accidental leakage of data due to inadequate controls, poor processes or lack of policy awareness, whereas leakage is malicious, intentional theft of data for nefarious purposes.
Both terms are correct in their own way.


How does DLP work?

DLP monitors data at rest, in motion, and in use. Using content-aware analysis, it determines if specific data items match predefined patterns that describe what sensitive data looks like in your organization. It monitors users’ actions with respect to the data and evaluates whether those actions are appropriate for the data based on company-defined policy. If data use is in violation of policy, a number of different actions can be triggered to mitigate the risk posed by the action. Actions can include coaching, notification, monitoring, encrypting, redirecting, quarantining, and even blocking.
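The content-aware analysis described above boils down to pattern matching plus validation. As an added example that is not from the original post or from any DLP product, the POSIX sh functions below implement the classic check for payment card numbers (PANs): a regular expression finds 13 to 19 digit runs (spaces and dashes allowed), and the Luhn checksum then discards runs that merely look like card numbers, which is what keeps a DLP rule from flagging every order number and phone number. Matches are printed masked (first six and last four digits) so the scanner's own output does not become a new leak. The sample input in the test is constructed; 4111111111111111 is the well-known Visa test number.

```shell
#!/bin/sh
# Added example (not from the original post): PAN detection with Luhn validation,
# the kind of content inspection a DLP policy for cardholder data performs.

# Luhn checksum: return 0 if the digit string $1 passes, 1 otherwise.
# Rejects empty input and anything containing non-digits.
luhn_valid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$1" | awk '{
        n = length($0); sum = 0; dbl = 0
        for (i = n; i >= 1; i--) {          # walk from the rightmost digit
            d = substr($0, i, 1) + 0
            if (dbl) { d *= 2; if (d > 9) d -= 9 }
            sum += d; dbl = !dbl
        }
        exit (sum % 10 != 0)
    }'
}

# Mask a PAN for logging: keep the first 6 and last 4 digits.
mask_pan() {
    printf '%s****%s' "$(printf '%s' "$1" | cut -c1-6)" \
                      "$(printf '%s' "$1" | cut -c$((${#1} - 3))-)"
}

# Read text on stdin; print "line N: PAN candidate <masked>" for every
# 13-19 digit run (spaces/dashes allowed) that also passes the Luhn check.
scan_pans() {
    grep -noE '([0-9][ -]?){12,18}[0-9]' | while IFS=: read -r lineno match; do
        digits=$(printf '%s' "$match" | tr -d ' -')
        if luhn_valid "$digits"; then
            printf 'line %s: PAN candidate %s\n' "$lineno" "$(mask_pan "$digits")"
        fi
    done
}

# Usage: scan_pans < /var/log/mail/outbound.txt
```

In a real policy this detector would be one of several (it says nothing about data at rest or in use), and a single hit is usually combined with context such as a nearby expiry date or the word "CVV" before the action escalates from coaching to blocking.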

What problems does DLP solve?

DLP protects sensitive data. This includes data covered by regulations, such as credit card numbers, patient records or account information, and it includes intellectual property and other data of high value to the organization, like product plans, financial filings and acquisition targets. Securing this kind of data is not easy because it has to be transmitted, stored and manipulated for the organization to function. DLP applies controls to it through content inspection and safe-handling policies that protect the data while still allowing authorized use.
Why do I need DLP?

In any business, If you store or process regulated data such as customer records, account numbers, credit card numbers, patient records, or even personal information about employees or if you produce sensitive company data like financial reports and product designs, then you have data that you either must protect or that is in your best interest to protect. Securing sensitive data without a comprehensive solution is almost impossible. You can lock down your endpoints and restrict Internet access, and that may help protect some of your sensitive data, but it will miss large amounts of it and it will slow your business down in the process. DLP lets you secure your data while keeping your employees productive and your business flexible.

How do I deploy DLP?
Most DLP solutions require lengthy deployment cycles: building servers, patching operating systems, installing third-party databases and more. Then you need to engage consulting firms for a protracted business risk analysis to determine which policies are needed. Finding the solution that fits your organization while keeping complexity, cost and the need for expensive consultants down is itself a challenge.
 
Isn’t DLP only for regulated industries?
No. Any organization that handles sensitive data of any type, such as product designs, partnership plans, or internal financial information needs to protect the access to that data to retain its public reputation and competitive edge. At home, you lock your valuables in a safe. At work, you need to take equally good care of the data that has high value.


Is DLP better than encryption?
DLP is a great companion product to encryption. Encryption alone can be enough to achieve “safe harbor” status for complying with regulations. However, it can also be an obstacle to flexible and responsive business. Let’s say you just use encryption to secure all the data on your servers, desktops, and laptops. As long as the encryption is deployed correctly, it will secure the data stored on
those devices.

There are two problems with this approach. First, it only protects the data while it’s stored in particular places. There is no protection for data when it is emailed to the wrong person, posted to inappropriate websites, or stolen by malware that transmits it out of the boundaries of your network.
Second, encrypting everything is overkill, as a lot of data on your network doesn’t need this level of protection. It also increases the difficulty of finding information. If you have to produce documents as the result of a legal discovery motion, it can be almost impossible to comply with the court’s timelines if you have to first decrypt everything to find what must be submitted.

DLP adds to the power of encryption. The content awareness built into DLP allows it to impose controls on the data when it leaves encrypted stores. This means that the protection follows the data wherever it goes. This is key to really protecting your data assets. DLP also makes encryption smarter by requiring that only the sensitive data you want to protect be encrypted. This lightens the burden of securing your data, keeping business processes nimble and responsive to change.

How do I find all my data?
Finding all the sensitive data in an organization is the hard part of a DLP deployment. Some solutions require you to tell them every file share and UNC path that might contain data you want to protect, but most of the time you do not know where all the sensitive data lives. Look for a solution that can crawl your networks, servers, file shares and desktops for data that you know to be sensitive or have defined as worth protecting; that makes data discovery far less painful and more effective.

It is also useful to have technology that listens on the wire to all the data passing through your network, so you do not even need to know the data exists: if it matches your criteria, the capture component identifies it in real time and applies the protection specified in your policies. Because it works at the packet level, you do not have to know which application created the data, which protocol carries it or which port it uses. Bear in mind that wire capture only sees what it can read; TLS-encrypted flows need an interception point (proxy or endpoint agent) or they pass through unseen.

Does DLP only protect data on the corporate network?
Some solutions provide only limited protection, or none at all, once a laptop or other mobile device leaves the corporate network. Neither is acceptable, as both leave large holes in your data defence. Choose a solution whose endpoint agent enforces the same policies wherever the device is used; then you can embrace mobility for your field workers and extend the reach of your business with confidence.

Does DLP affect my business?
Some data protection technologies can really slow you down. They take massive effort to set up and a similar investment in time and effort to keep updated as your data, your business and the regulations that govern data change. Some products also try to lock data down rather than enable its safe use, which leads to intense frustration for users who are thwarted at every turn when trying to do their jobs.
Few solutions on the market are modular, flexible and responsive to changes in the data-handling environment. Look for one that can be updated quickly with new policies and whose data analytics give real insight into how data is used inside your organization, so you can anticipate the changes that are needed before the business is even aware of an issue.

Stay tuned for my next article on how to successfully manage and protect your data..!!

Monday, 6 October 2014

Disable or Remove Directory Browsing in IIS



Directory browsing is disabled by default in Microsoft's IIS server so that users cannot see the contents (files/folders) present in directories. For security purpose, you should keep the directory browsing disabled. If necessary, enable it only for particular directory that you wish to allow.

Below are easy steps to disable directory browsing/listing in Microsoft's IIS server.

From User Interface:

1. Open IIS Manager and select the level you want to manage.
2. In Features View, double-click Directory Browsing.
3. In the Actions pane, click Disable if the Directory Browsing feature is enabled.

From Command Line:

1. Open a command prompt with administrative privileges.
2. Navigate to C:\Windows\System32\inetsrv (or call appcmd by its full path).
3. To disable directory browsing at the server level (applies to every site that does not override it), type the following command and press enter:
appcmd set config /section:directoryBrowse /enabled:false

To disable directory browsing for a single site or application, give the site name (and optional application path) before the section:
appcmd set config "SITE_NAME" /section:system.webServer/directoryBrowse /enabled:false

e.g.
appcmd set config "www.shopping.info/sales" /section:system.webServer/directoryBrowse /enabled:false

The enabled attribute is true when directory browsing is ON and false when it is OFF. A site-level command writes the setting into that site's web.config, so check both the server default and the individual sites when auditing.

If you have any issues, leave your comments below.. :)
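Whichever server you run, the change should be confirmed from the outside, not just in the configuration. The following is an added example, not part of the Apache directory listing post above or of this IIS post: POSIX sh functions that request a set of directory URLs with curl and flag any response that looks like an auto-generated index page. The markers are heuristics I chose from what the two servers emit (Apache's mod_autoindex titles the page "Index of /...", IIS directory browsing pages carry a "[To Parent Directory]" link for every non-root directory and "&lt;dir&gt;" entries for subfolders); a custom index page that happens to use those strings will be flagged too. The URL list helper and the example host www.example.com are mine.

```shell
#!/bin/sh
# Added example (not from the original posts): detect exposed directory
# listings from an HTTP response body and probe a list of URLs.

# Heuristic: return 0 if response body $1 looks like a server-generated listing.
looks_like_directory_listing() {
    printf '%s\n' "$1" | grep -qiE '<title>Index of /|\[To Parent Directory\]|&lt;dir&gt;'
}

# Turn a base URL ($1) and directory paths on stdin (one per line) into
# directory URLs with a trailing slash, so the directory itself is requested
# rather than a redirect to it.
directory_urls() {
    base=${1%/}
    while IFS= read -r p || [ -n "$p" ]; do
        [ -n "$p" ] || continue
        p=${p#/}; p=${p%/}
        printf '%s/%s/\n' "$base" "$p"
    done
}

# Probe each URL given as an argument; print LISTING / ok / error per URL.
# Returns 1 if any URL exposed a listing, 0 otherwise.
probe_directory_listing() {
    exposed=0
    for url in "$@"; do
        if body=$(curl -sS -L --max-time 10 "$url" 2>/dev/null); then
            if looks_like_directory_listing "$body"; then
                printf 'LISTING %s\n' "$url"; exposed=1
            else
                printf 'ok      %s\n' "$url"
            fi
        else
            printf 'error   %s\n' "$url"
        fi
    done
    return $exposed
}

# Usage (assumed host and paths):
#   printf 'upload\nimages\nsales\n' | directory_urls http://www.example.com \
#       | xargs probe_directory_listing
```

Probe after every deployment as well as after the configuration change: a freshly uploaded directory without an index file is exactly the case the Apache post opens with, and with Apache the answer should now be a 403 rather than a file list.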