Tag Archives: Security

Fix for CrowdStrike Windows Crashes

Earlier today CrowdStrike release an update that can cause Windows based computer to crash to a bluescreen of death. An update to their product has been provided to stop this from impacting further computers.

If a computer is crashing to a BSOD the following can be done to get the computer to work normally.

1. Boot Windows into Safe Mode or the Windows Recovery Environment
2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
3. Locate the file matching “C-00000291*.sys” and delete it. 
4. Boot the host normally.

Hopefully this helps my fellow techs.

CrowdStrike Source if you’re not comfortable with my instructions: https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts

SSLv3 POODLE Bug CVE-2014-3566

What is it:
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3 which was release in 1996. It does not affect the newer encryption mechanisms known as Transport Layer Security (TLS).

How Can I Fix my Browser?
Follow some recommended steps to disable SSLv3 support in your browser. Patches and software updates are mentioned latter in this article.

Chrome – Windows

Chrome had an update released in February that added a feature that in theory protects against this vulnerability, however someone people have claimed the adding –ssl-version-min=tls1 to the short cut will disable SSLv3 and earlier but I have not seen this work as in actually disabling SSLv3.

Chrome – Linux (Ubuntu) – gertvdijk on AskUbuntu

Open /usr/share/applications/google-chrome.desktop in a text editor
For any line that begins with “Exec”, add the argument–ssl-version-min=tls1
For instance the line Exec=/usr/bin/google-chrome-stable %U should become Exec=/usr/bin/google-chrome-stable –ssl-version-min=tls1
Reboot

Firefox

Put “about:config” in your address bar and press enter
Search throught he list of entries for “security.tls.version.min”
Double click on this item and enter the number 1, click ok

Internet Explorer

Launch “Internet Options” from the Start Menu
Click the “Advanced” tab
Uncheck “Use SSL 3.0”
Click “OK”

I’m a Server Admin What Can I Do to Protect My users:

Disable SSLv3 or lower on your servers, review your SSL Settings & make sure things are in the right order & following best practice which is pretty much to use TLS 1.0 or greater.

In large networks it may be necessary to deploy a group policy setting to disable SSLv3. Guide

How to I disable SSLv3 on X?:

I don’t feel that I’m experienced enough to give advice on Apache or any Linux HTTPS Deamons so I would advise that your check out the Linux community for your distro as they will most likely have information on securing your servers.

As I’m more familiar with IIS (Internet Information Server) I’m happy to  provide a link to Nartac Software Inc. GUI tool that allows you to set YOUR SSL settings, I recommend you set you server to the FIPS-140-2 standard using this software.

Changing the settings on windows will also effect other services on you system so make sure you test production environments after making these changes.

How do I know if a Site I’m Visiting is Vulnerable/How do I test My site?:

Qualys, Inc. provides a wonderful tool, SSL Server Test, it can tell you how well your server is doing when it comes to your SSL configuration in general. If you don’t have an A- A or A+ ratting you seriously need to look at your websites security then again maybe you don’t give a site about the people who visit your site. (Your pretty negligent aren’t you)

But remember even if you have an A ratting your site might still be poorly configured or have other issues. e.g. Some sites preference SSLv3 over TLS even though they have TLS enabled.

When are the software updates going toe be available?:

SSLv3 = Never, the Bug is a fundamental design flaw of the protocol.
Firefox = Mozilla has indicated that a patch will be available on the 24/25th November 2014, this update will remove SSLv3 from Firefox
Chrome = Google has not specified when or iff SSLv3 will be removed yet but claims that “Any version of Chrome since February 2014 (Chrome 33 onwards) is protected against this vulnerability.” They have also said “In the coming months, we hope to remove support for SSL 3.0 completely from our client products.”
Internet Explorer = “Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs” , Microsoft provides updates after or on the Second Tuesday of the month unless need arises that it be fixed sooner. (Should be on November 11 or the day after)

20 Common Passwords

The following list is the result of an attack on RockYou.com whereby a hacker managed to obtain all the account details of 32M users.

Rank Password Number of Users with Password
1 123456 290731
2 12345 79078
3 123456789 76790
4 Password 61958
5 iloveyou 51622
6 princess 35231
7 rockyou 22588
8 1234567 21726
9 12345678 20553
10 abc123 17542
11 Nicole 17168
12 Daniel 16409
13 babygirl 16094
14 monkey 15294
15 Jessica 15162
16 Lovely 14950
17 michael 14898
18 Ashley 14329
19 654321 13984
20 Qwerty 13856

What is the most popular password?

Commonwealth Bank Vishing Scam

There have been some reports around the place of a vishing scam targeting the Commonwealth Bank. An automated phone message is used and tells you to call the number (02) 8005 6713, if you call this number you will be asked to provide your credit card number and your four digit pin number.

Some people have reported receiving this phone number via email also.

If you have fallen for this scam and called 02 8005 6713 then you should contact the Commonwealth Bank immediately.

Articles:

WOT – Web Of Trust

OK so I got sick of McAfee SiteAdvisor the new layout of their site is horrible and not user friendly, the button in your browser interferes with the aesthetics of the browser. SO now I have replaced it with WOT.

WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It’s easy and it’s free.

The best part about WOT is that it’s community driven and not rapped up in the interests of a company like McAfee.

Free Internet Security - WOT Web of Trust

Open Redirect at Ask.com

Spammers have found an open redirect in the ask.com website. These redirects are often used to mask their URL’s from RBL’s and services like Spamcop.

Redirect:
http://wzeu.ask.com/r?t=lyc&u=http://www.microsoft.com/

I have put Microsoft in as an example here anyone can put any URL in at he end to use this redirect. I have filed a support ticket with Ask about this.

A redirect that they were using at Go.com is still open a month later even after I sent them notice of it. (Lazy)

Classification Board Site Defaced

The ABC is reporting that the Office of Film and Literature Classification (OFLC) has been defaced. At present the site appears to be down displaying the message “Bad Request (Invalid Hostname)”, however the ABC has been kind enough to capture a screen shot with there article.

The defaced page reads:
This site contains information about the boards that have the right to CONTROL YOUR FREEDOMZ. The Classification Board has the right to not just classify content (the name is an ELABORATE TRICK), but also the right to DECIDE WHAT IS AND ISNT APPROPRIATE and BAN CONTENT FROM THE PUBLIC. We are part of an ELABORATE DECEPTION from CHINA to CONTROL AND SHEEPIFY the NATION, to PROTECT THE CHILDREN. All opposers must HATE CHILDREN. All opposers must HATE CHILDERN, and therefore must be KILLED WITH A LARGE MELONS during the PROSECUTION PARTIES IN SEPTEMBER. Come join our ALIEN SPACE PARTY.

The last paragraph sounds kind of odd and is very random. Funny thing is the person who has done this is completely off target when it comes to who they should be after.

‘Control yr freedomz’: Classification Board site defaced

Open Redirect At Go.com

Some spammers have found an open redirect in the go.com website. Today I received a peace of spam that was exploiting this redirect.

Become loveworthy one! - Click!
Your Discount code #xetf

Under the link an address like the following that points to a spammers site is found:

http://log.go.com/log?srvc=fuyct&goto=http://www.google.com/

Google is used purely as an example.

Is the next Blaster Worm in the Winds

Microsoft has dropped an out of cycle patch on everyone, the patch covers a fault in RPC which is very similar to the fault in RPC/DCOM that was exploited by Blaster Worm. The consequences of not patching could potentially be the same, thousands of computer infected to do the bidding of those who would exploit it. Patch or die folks, patch or die.

Info Links: