Safer Payments online, in-store and especially during the peak retail periods

Online shopping and retail in-store purchases dramatically increase at certain times, like during the recent festive period, and unfortunately these are also times when we see increases in skimming, phishing attempts, and cyber-attacks. Because of the number of incidents and the alarming statistics released over the years, consumers feel rather insecure when shopping online and more specifically every time they need to use their card details. Recent high profile data breaches have affected consumer’s confidence and the feeling of being insecure during a transaction, which in turn has had an impact on the number of purchase transactions. Businesses need to ensure that all necessary steps are taken towards the security of their customer’s data so that they can eventually bring them back into their trust. 

Enhancing your cyber defence through a physical security assessment

Physical Security Assessments can be viewed as a penetration test against the physical infrastructure of an organisation. Instead of the assessment of computer networks and services, buildings and physical locations are being assessed. During this type of assessment the overall physical security of the location of a building, the facilities and the access controls are in scope. Physical security is often overlooked and the consequences of a physical breach can have the same impact as a computer breach.

Vulnerability Scanners you should know about

The discovery and patching of security vulnerabilities can be a very difficult and a time-consuming task, especially without the use of a proper vulnerability scanner. 

The following, is a list of the most well-known vulnerability scanners currently available in the market. A security consultant should spend some time to familiarise himself/herself with these scanners. Find the scanner that is most suitable for your needs and use it to scan your network infrastructure for security vulnerabilities. Go through the reports these scanners generate and engage in remediating the vulnerabilities discovered. This can be an invaluable experience when it comes to becoming able to understand security issues affecting large network infrastructures. 

Some of these scanner can be used under a free license for personal use. 

01) Nessus - http://bit.ly/1prtrZ3

02) Nexpose - http://bit.ly/1NHBSML

03) CORE Impact Pro - http://bit.ly/19e7dWC

04) OpenVAS - http://bit.ly/1NHCdPy

05) QualysGuard - http://bit.ly/1MUn52l

06) MBSA (Microsoft Baseline Security Analyser) - http://bit.ly/1MJ2NCE

07) Secunia PSI - http://bit.ly/1iiTjGR

08) Retina - http://bit.ly/1MBNHzo

09) Acunetix - http://bit.ly/1PA8rfA

10) SAINTscanner - http://bit.ly/1RLtB9A

11) GFI Lan Guard - http://bit.ly/1RLt8V2

If you know of a vulnerability scanner that you have used and it is worth mentioning here, let me know and I will add it to the list. 

POODLE SSLv3 Vulnerability

Bodo Möller, Thai Duong and Krzysztof Kotowicz from Google who discovered this, released a security advisory which you can find on OpenSSL website [2]. 
The Padding Oracle On Downgraded Legacy Encryption aka #POODLE vulnerability, has already a good write-up [1]. Jesper Jurcenoks explains the vulnerability on his blog [3] in a very detailed manner but at the same time, easy to understand. I am happy to see that Jesper used for his blog-post the logo I made for the poople vulnerability! :) Also, if you are thirsty for more technical details, you should also read this blog-post from ImperialViolet [4]. If you want to see some statistics on how vulnerable we are today in regards to this, you should read this article on netcraft [5]. The following post outlines the steps on how to disable SSLv3 [6]. If you wanna do a quick test and see if your browser supports SSLv3 regarding the poodle vulnerability, then you can visit: www.poodletest.com. On the other hand, www.howsmyssl.com can provide some useful information about the SSL/TLS client you used to render its page. Last but not least, if you need to a server given its domain name for this vulnerability, you may use www.poodlescan.com

CVE­-2014-­3566 has been allocated for this protocol vulnerability.

I had an idea for a logo for this vulnerability which I posted on twitter when the vulnerability came out and I would like to share it with you. We are trying to ditch SSLv3 for quite some time now, the logo had to look a little bit old style, retro and maybe vintage. Let me know what you think. ( you are free to use this logo, it would be nice if you reference it with: @drgfragkos )

Do you want to test manually?
Use this command: 
openssl s_client -connect google.com:443 -ssl3
If the handshake fails then the server doesn't support SSLv3 

Backdoors on Web Applications

There are different types of backdoors being used and deployed, depending on what kind of system/service is being targeted, how stealth it needs to be and how persistent. In this instance, we are discussing backdoors being uploaded through Web Applications to your Web Server, in order to provide access to unauthorised third-parties. 

MasterCard Global Risk Management Conference in Ireland

I was very excited to be invited by MasterCard EU (@MasterCardEU) to participate in a discussion panel during the Global Risk Management Conference #GlobalRisk [1] which took place in Ireland this year. Sysnet (@Sysnetgs) published an article regarding the event [2] on their blog. 

A variety of talks and presentations about the security of transactions, fraud, micro-payments, biometrics and trends in CyberCrime made the conference extremely interesting. MasterCard wanted to explore the increasing scope, scale, and complexity of cyber crime impacting the industry. After the recent events regarding breaches, the latest trends, and new attack vectors that criminals are employing, it is an opportunity to discuss and share lessons learned and best practices to impede Cyber Crime.

Using On-line Services for Reconnaissance

Ever wanted to use only existing online services to do reconnaissance without having to install or use any other tools. Well, the following URLs will give you a nice starting point. This list is to be expanded and updated with more links. If you believe you know of an online service which can be useful for this purpose do not hesitate to share it with the rest of us. Let me know and I will add it to the list! :)

Bash-ing (Bash Bug, Shell Shock) - All the information you need

The Bash Bug is a severe vulnerability discovered by by Stephane Chazelas of Akamai, who most probably deserves a pwnie award [1]. 
The discovery of this particular vulnerability is a serious risk, similar (maybe proven to be a lot bigger) to the Heartbleed bug [2]. Mostly because Linux not only runs the majority of the servers but also in a large number of embedded devices. Keep in mind that there are approximately about 25 years’ worth of Bash versions! Effectively, Mac OS X [11] and Android devices may also be running the vulnerable version of bash. 
Also, for Windows systems, msysgit contains a vulnerable version of bash (by Joshua McKinney) [12]. Which means, we are going to have more of these popping up very soon under the Windows platform as well.
Just to give you a hint about the severity of this vulnerability, NIST Vulnerability DataBase rated this with "10 out of 10". [3]

44CON 2014

It was really nice catching up with many friends from the industry at 44CON [1] (#44CON) this year in London. 

Also, a new 44Con Cyber Security was announced which will take place at some point next year. 

This year, there were 3 tracks running and a workshop. A number of interesting talks and a variety of subject to choose from. The stages were really nice and you should look for the DVD when it is out! It is very difficult to choose which talk(s) was/were the best. The main reason is because so many things happening at the same time it is hard to tell. So, it is best to assume that all were great. 

[1] http://44con.com

Disconnect Mobile

Finally an App for non-routed/jail-broken mobile devices that will allow you to control your privacy and security. Disconnect Mobile is a privacy and security app. The app actively blocks the biggest mobile trackers and thousands of malware threats when you use an app or browse the web using 3G, 4G, LTE or Wi-Fi. Optionally includes ad filtering and malware protection which you have to pay in order to activate them. 

Why the big fuss? Well, last week, Google kicked Disconnect Mobile out of the Play store. It even made the Wall Street Journal [1]. As always this post is not about promoting this specific app but on the fact that it blocks mobile trackers and that it was kicked from Play store. What has changed and Google finally allowed the app to be on the store?  Google kicked this app because it violated a policy prohibiting software that interferes with other apps. However, interference was precisely the point of Disconnect Mobile, a privacy tool aimed at stopping other apps from collecting data on users. In the six days it was available in Google’s store, it was downloaded more than 5,000 times.

EMF 2014 - Presentation

I was delighted to be given the opportunity to give a talk at EMF camp 2014 [1] about Point-of-Sale devices [2]. 

I would like to thank all of you who attended and I really hope you enjoyed the talk. Also, the talk was being streamed live at the emfcamp.org website [3]
Looking forward to go back next year. 

[1] https://frab.emfcamp.org/en/EMF2014/public/events/274
[2] https://frab.emfcamp.org/en/EMF2014/public/schedule/2
[3] http://webcast.emfcamp.org

Garmin GPS nuvi 2597LTM, 5" - How to..

I recently purchased a Garmin GPS and more specifically the nuvi 2597LTM, 5" screen. Compared to other makes, I find Garmin to be the best GPS devices out there for all sort of reasons. I have used different models of Garmin GPS over the years and I was fully satisfied with them every time.

However, my recent purchase put me off a little bit and the reason was that I was expecting more from Garmin. What I mean is that I purchased one of the latest models in 2014 and I was expecting to see the graphics to be a bit more smooth, without any delays in drawing/redrawing the map. It feels like they haven't upgraded the processor over the years and its performing exactly like a GPS bought at least 6-8 years ago. Also, it would be really nice if the screen had better resolution. We have retina displays now, I don't think increasing just a little bit the screen resolution would make such a bit difference to the final price. Despite the above the GPS is picking up the satellites very fast, the antenna picks up the satellites in semi-covered places as well, the real directions are very nice and useful, and of course the bluetooth allows you to take calls on the GPS which are loud and clear! 

The issue I had to face though, came a couple of months after during a trip. The GPS decided that the auto-brightness feature will start working as it pleases. More specifically, during the trip, it decided to switch from bright to 10% brightness. Every time I set it back to 70%-100%, after a random number of seconds/minutes it switched back to 10% for no reason. 

UnPHP - The PHP decoder

UnPHP is a free service for analysing obfuscated and potentially malicious PHP code. 

Test your PHP code online

For various reasons you might want to test your PHP code (or code written by others) and see if it works or check what it does. If this is something you would like to do, then you can use a couple of websites which will do this for you. 

Outbox.. have you heard???

Outbox apparently is a "novel" service in the US. It is refereed as a "disruptive innovation". Basically, their innovation is that they will open the mail that it was post to you (read it maybe), scan it, and email it to you.
Effectively, the idea behind this is to have your mail delivered to you through email, wherever you are. Of course there is a monthly fee that you need to pay in order to use this service.
There is a huge debate between the founders of Outbox and the postal service in the US regarding this "disruption of the postal service". The following article summarises pretty well the views from both sides [1] and give you a nice inside on what is going on.

This blog post is about the security/privacy of the contents of the postal mail, by also taking under consideration is it is ethical as well, looking into the recipient's and the sender's perspective. It is not intended to discuss/debate if the Outbox idea is an innovation or a disruption of the postal service.

Electromagnetic Field 2014 - EMF Camp

Electromagnetic Field [1] is a UK camping festival for those with an inquisitive mind or an interest in making things: hackers, artists, geeks, crafters, scientists, and engineers.

This is actually the first day out here for this year (Fri 29th - Sun 31st Aug 2014). It is a lovely site with power to your tent (if you remembered to bring an extension) and Wi-Fi. Tickets are approximately £100 and if you are thinking of driving down, you need to purchase in advance a parking ticket for £15. 

As a side note; as it is not clear on the website, the parking area is a field. Also, to get there you will have to drive through mud, dirt, grass and about 500 yards of rocks which seem pretty sharp. So, be prepared before you decide to drive to EMF. I suggest renting a car for the weekend if you don't wanna risk getting your car out here!

UPS Store tills infected by Malware in the US

UPS Store tills in the US are infected by debit and credit-card-reading malware in 51 of its branches. [1] UPS says the security breach may have exposed credit and debit card data at the affected stores between January 20, 2014 and August 11, 2014. As many as 100,000 transactions may have been snooped on, we're told, out of the millions normally running through the UPS network.

US-CERT has been warning about point-of-sale vulnerabilities for some time now. An advisory was released on January regarding Malware Targeting Point of Sale Systems [2]. 

The only way businesses could prevent carder raids is to look into adapting point-to-point encryption (P2PE).

[1] http://www.theregister.co.uk/2014/08/20/ups_raises_hands_owns_up_to_hack/
[2] https://www.us-cert.gov/ncas/alerts/TA14-002A

Outlook 365 Full Reset

I tried to set up Outlook 365 but I entered the wrong credentials. For some reason, which there is no point investigating further at this stage, I managed to crash Outlook 365. I was stuck with the forever loading splash screen of Outlook. There was no way for me to change the values from that loading interface. On top of that I believe the profile data file was corrupted, so there was no way to start Outlook at this stage. 

So, I had to reset Outlook 365 like it was the first time it was being used:

Black Hat: Hackers execute code on mobile POS devices, play their version of Flappy Bird

Researchers who discovered vulnerabilities in mobile point-of-sale devices (mPOS), which could allow malicious code execution on targeted payment systems, demonstrated their findings at Black Hat 2014 in Las Vegas. 

[1] http://www.scmagazine.com/black-hat-hackers-execute-code-on-mobile-pos-devices-play-their-version-of-flappy-bird/article/365390/

Gamma International; a Hacker's Hacking Guide

The original document was found at pastebin [1]. 

[1] http://pastebin.com/raw.php?i=cRYvK4jb

                _   _            _      ____             _    _ 
               | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |
               | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |
               |  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|
               |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
                                                 
     A DIY Guide for those without the patience to wait for whistleblowers

Windows 8.0/8.1 Start Button

I don't know how useful this can be for you but for those of us who needed to buy a new laptop and had Windows 8.0/8.1 this little application may be use. Classic Shell brings back the Start Button [1]. 

[1] http://www.classicshell.net/gallery/

SanDisk 64 GB USB 3.0 Extreme - Speed Test

Recently purchased one of the SanDisk Extreme USB 3.0 Flash Drives which claims to be x45 times faster than USB 2.0. Based on the company's specifications, this Extreme USB is capable of 245MB/s read speed and 190MB/s write speed. 

I wanted to test it over different systems in order to note the speed variations. 
So, this post is just to give out some figures to anyone who wants to have an idea about the performance of this flash drive.

upnp.ninja

U Plug, We Play, was the title of David Middlehurst’s (@dtmsecurity) presentation at the BSides Manchester conference. The presentation was about a new open source tool called 'UPnP Pentest Tookit' [1]  he developed and released on the day of the conference. I had the chance to catch up with David at the London Trust Forum the other day and shared some thoughts about the tool. I am 'a bit' of a geek so the next day after the BSides Manchester conference, it was the first thing I wanted to test. I downloaded the tool and started scanning my home devices. 

Well done David!

[1] upnp.ninja

London Trust Forum

I was invited to attend the London Trust Forum organised by NCC where Andy Davis talked about CANimation and highlighting the security threats to automotive systems. A very interesting talk on how you can hack into cars when you have physical access to them or in some occasions, remotely! 

It was really nice to see familiar faces at the event and catch up with Dr. Jessica Barker (@drjessicabarker), David Middlehurst (@dtmsecurity) , @netbiosX and @Emil_i.

Looking forward to the next Trust Forum event already!

BSides Manchester 2014

It was really nice to be invited to present at BSides Manchester (@BSidesMCR) this year [1]. Very interesting talks and one of the most organised events I have ever been. On-time information on the website and clear instructions about the event . I really enjoyed both days and tried to attend as many talks as I could. 

On the second day, I was presenting about the security of Point of Sale (POS) devices. These devices have a number of “features” which can be used to allow someone to deviate from payment process in a number of different ways. More specifically, it is possible to complete a transaction without actually being charged, pay with someone else’s card without knowing the PIN or even get paid instead of paying. The presentation gave a good understanding on how these devices work and basically demonstrated a number of “magic tricks” on how one could actually live for free! I was overwhelmed from the number of people attended the talk and their enthusiasm on the subject. Thank you all for your kind words, tweets and re-tweets, much appreciated.

The Subterfuge Project called Artemis

Artemis [1] is an advanced malware simulation suite capable of emulating the Advanced Persistent Threat (APT). Artemis raises the bar allowing ethical hackers and penetration testers the luxury of an advanced set of features equivalent to many of the tools employed by criminal gangs today. By abstracting polymorphism to a server based platform at cevincere.com Artemis is able to stay one step ahead of anti-virus vendors, and ensure that penetration testers can give their clients the value that they deserve.

[1] https://code.google.com/p/subterfuge/

BSides London 2014 - POS Devices

I was given the opportunity to present at this year's BSides London [1]. The talk was a 15 minutes presentation about Point of Sale (POS) devices, during a no-camera, no-recording session due to the sensitive content. 

I have been researching the features of POS devices for more than a year and I wanted to share my findings before someone else does something similar. However, due to the fact it is not easy to fix the issues overnight, I decided to keep the presentation "behind closed doors". During the presentation I demonstrated how it is possible for anyone to become a "hacker" and abuse these little devices with simple key combinations. 

Critical OpenSSL vulnerability

OpenSSL released a security advisory yesterday (7/Apr/2014) regarding the TLS heartbeat read overrun (CVE-2014-0160). [1] This is a CRITICAL vulnerability affecting 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1.

An attacker can read memory contents of the remote server . The server will not crash or otherwise exhibit suspicious behaviour. Successful exploitation leaks usernames, passwords, web application session cookies or other sensitive information. 

Currently, some of the vulnerable websites are: 
yahoo.com
okcupid.com
flickr.com

The quickest way to test your server is by using the following link:
http://filippo.io/Heartbleed/

Remediation:
Affected users should upgrade to OpenSSL 1.0.1g. The alternaltive at this point if you cannot upgrade to OpenSSL 1.0.0g is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS

For remediating against an Apache install you will also need to upgrade libssl (libssl1.0.0).

Note that Ubuntu 1.0.1-4ubuntu5.12 of OpenSSL resolves the issue.

Temporary Snort signatures:
a) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack with ssltest.py";flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; rawbytes; isdataat:!1,relative; reference:cve,2014-0160; sid: 6000000; rev:1;)

b) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack";flow:to_server,established; content:"|18 03|"; rawbytes; depth:2; byte_test:1, &, 3, 0, relative; byte_test:2, >, 200, 3, relative, big; reference:cve,2014-0160; sid: 6000001; rev:2;)


[1] http://www.openssl.org/news/secadv_20140407.txt

So many Computer Forensics tools but no time

Do you want to get your hands in Computer Forensics but you don't really know where to start. Are you looking for a tool that does a specific job but you don't know which one to download and use. Forensic Control [1] have a list of free tools as a free resource for all. The tools are grouped in categories and a detailed description allows you to find what you are looking for. 

The main categories of the tools you can find are:

• Disk tools and data capture
• Email analysis
• General tools
• File and data analysis
• Mac OS tools
• Mobile devices
• File viewers
• Internet analysis
• Registry analysis
• Application analysis
• Abandonware

[1] https://forensiccontrol.com/resources/free-software/

Booby-trapped documents in Rich Text Format are being used for targeted attacks

There are booby-trapped documents being circulated in the Rich Text Format (RTF) that exploit a vulnerability in the 2010 version of Microsoft Word [CVE-2014-1761]. 

Microsoft Advisory published on Monday 24/Mar/2014 (2953095) [2] warns about the Vulnerability in Microsoft Word which could allow Remote Code Execution. A Temporary fix is available by Microsoft [3].

[1] ​http://arstechnica.com/security/2014/03/zero-day-vulnerability-in-microsoft-word-under-active-attack/

[2] http://technet.microsoft.com/en-us/security/advisory/2953095

[3] https://support.microsoft.com/kb/2953095

SANS Investigate Forensic Toolkit (SIFT) Workstation Version 3.0

SANS SIFT 3.0 Virtual Machine Released [1]

Developed and continually updated by an international team of forensic experts, the SIFT is a group of free open-source forensic tools designed to perform detailed digital forensic examinations in a variety of settings. With over 100,000 downloads to date, the SIFT continues to be the most popular open-source forensic offering next to commercial source solutions.

[1] http://digital-forensics.sans.org/blog/2014/03/23/sans-sift-3-0-virtual-machine-released

Guest Speaker for Derby University (Digital Forensic Investigation Course)

I had the pleasure to be invited as a guest speaker to Derby University in order to give a talk about Penetration Testing in the real world and more specifically for the Digital Forensic Investigation course.

The talk included an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participant had an opportunity to understand what is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and last but not least a PCI Forensics Investigator (PFI).

The students were introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and comparison of ASV, Vulnerability Assessment and Penetration Testing was given.

The second part of the talk focused on malware and included a more practical approach with a hands-on session. The talk focused on how easy could it be to create malware that is capable of evading AntiVirus detection (including reputation based detection). The students were given an executable file and a hex editor which allowed them to modify the given binary. Social engineering and spear phishing were also discussed. The purpose was to raise their awareness and allow them to understand with examples why we say there is no 100% security.

I had a wonderful day at the University, the students were very excited and I do hope they learned a lot. All the best with their course. The industry needs these knowledgeable future professionals. 

Apple's SSL/TLS Bug

Yesterday, Apple pushed a rather spooky security update [1] for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details​. 

A very quick test site for testing if you are vulnerable to this bug (use Safari browser) can be found here: https://www.imperialviolet.org:1266 

Note the port number (which is the CVE number), the normal site is running on port 443 and that is expected to work. On port 1266 the server is sending the same certificates but signing with a completely different key. If you can load an HTTPS site on port 1266 then you have this bug.

[1] http://support.apple.com/kb/HT6147

Kali Linux Virtual Box Resolution

There are several ways people are suggesting for adjusting Kali Linux [1] resolution in Virtual Box. First of all, make sure you have the latest Virtual Box [2] along with the latest Extension Pack. 

Lets assume that you downloaded a VM image of Kali Linux from the aforementioned URL. I suggest you make sure your Kali Linux is up-to-date. To update your system, bring up the terminal and run the following command in order to fetch all the new updates: 
apt-get update

Then, run this command to upgrade your system: 
apt-get upgrade

It is not necessary to restart  your system at this state, but for those of you who might want to do this, just type in the terminal: reboot

Guest Speaker for Derby University (Digital Forensic Investigation Course) - Cyber-Security and Cyber-Defence

I was very excited to be invited by the Derby University once more and more specifically by the Digital Forensic Investigation Course in order to give a talk. The title of the talk was "Cyber-Security and Cyber-Defence in the industry and financial services utilising Penetration Testing and Computer Forensics".

The talk focused on the current Cyber-Threats, Cyber-Security and Cyber-Defense tactics. It introduced to the participants different types of security services, which included threat assessment, threat intelligence and threat management solutions. The talk also gave the students an opportunity to hear about the most successful vendors in the security industry.

Figure 1 - Guy Fawks Mask as a Rorschach Test

The trends in cybercrime were discussed along with why cybercriminals participate in cyber-gangs and the reasons why cybercrime is still successful. More specifically the talk looked into the reasons why cybercrime has a presence, how much does it pay, explored the increasing scope, scale, and complexity of cybercrime impacting the industry at the moment, how cyber-espionage is involved and how can we focus on real-world strategies to avoid being targeted.

A number of tools and techniques were introduced to the students along with a practical session on how easy would it be to create their own version of a malware capable of evading AntiVirus detection. All this raised their awareness and made start thinking outside-the-box when it comes to this fast evolving threat landscape of cyber-threats.

I do believe the students enjoyed the talk as the feedback was exceptional. I do hope they gained enough information during the day to go back and start looking into cyberthreats more closely and with a better understanding.