Thursday 16 March 2017

IBAN Country List

IBAN (International Bank Account Number) that originates from a member or joining country of the EU or the EEA. FYI: Switzerland and other countries that have adopted the use of IBAN. 

A couple things about the IBAN

Instructions for Screen or Braille Reader users

  • This IBAN Checker validates the format of an IBAN which you can either type or paste into the input boxes.
  • The results of validation are normally shown on the screen. To receive the IBAN Checker results in a dialogue box that your screen reader should be able to interact with, check the first checkbox that you come across in the form. The prompt for this box reads 'Screen reader users please check this box to receive the results of the IBAN Checker as a dialogue box'.
  • Two sets of input text boxes are provided for you to enter your IBAN for checking.
    • The first set of nine input text boxes allow you to type in the IBAN four characters at a time.
      • You will need to tab from one text box to the next.
      • Each text box will only allow a maximum of four characters.
      • The IBANs have a specific format, and some possible formatting errors are detected as you are keying characters into these text boxes.
      • These errors are notified to you in dialog boxes with an OK button which you must action before you carry on.
      • When you action these dialogue boxes you should be aware that incorrect input is not cleared out of the input text boxes.
    • After the multiple input boxes there is a single longer input box into which you can type the complete IBAN. Or alternatively you can paste the IBAN into this box if you have received it electronically - ie in an email.
    • Typing into any of the multiple input text boxes will clear out any characters you may have typed or pasted into the longer input text box.
    • Similarly typing or pasting into the longer text box will clear out any characters you may have typed into the multiple input text boxes.
  • Two buttons are provided on the form.
    • The first button triggers the checking of the IBAN you have entered.
    • The second button clears out all the input text boxes.
- Each IBAN has a predefined length (depending the country it belongs to).
- Each IBAN has a country prefix.
- The IBAN should not contain spaces when processed electronically (or the word 'IBAN').

In case someone needs this information, I will just leave that list below :)


Thursday 9 February 2017

Ticketbleed (CVE-2016-9244)

A vulnerability similar to the well-known heartbleed was discovered in the TLS/SSL stack of F5 BIG-IP appliances that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This vulnerability is called Ticketbleed as it lies in the implementation of Session Tickets, which is a resumption technique used to speed up repeated connections. The vulnerability affects the proprietary F5 TLS stack which exposes 31 bytes at a time.

Test
You can test your domain using the automated script which you can find at: https://filippo.io/Ticketbleed/

Alternatively, you can test for Ticketbleed yourself with a Go script: here

Fixes and mitigation
The full list of affected versions is available on the F5 website. At the time of this public disclosure not all releases have upgrade candidates available.

Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections.

Reproduced here are the instructions provided by F5 and available at the link above.

  1. Log in to the Configuration utility
  2. Navigate on the menu to Local Traffic > Profiles > SSL > Client
  3. Toggle the option for Configuration from Basic to Advanced
  4. Uncheck the Session Ticket option to disable the feature
  5. Click Update to save the changes

Source: https://filippo.io/Ticketbleed/

Monday 6 February 2017

Guest Speaker for University of South Wales (Information Security Research Group) - InfoSec Community; Stepping into the security industry

I had the pleasure to be invited as a guest speaker to the University of South Wales by the Information Security Research Group (ISRG). The talk was about the Information Security community and more specifically how young professionals can step into the security industry.
During this talk, the students (graduates & postgraduates) had the opportunity to understand and discuss what they can do today in order to ensure they are well prepared when it comes to stepping into the security industry.

The talk included an introduction to what is considered to be a security oriented mindset, provided a number of quick tips, mentioned several online resources, and last but not least how to prepare for an interview. The students among a number of subjects that were raised during the talk, were also introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and a brief comparison between Vulnerability Assessments and Penetration Testing was given.


Saturday 31 December 2016

Representing DeepRecce - Conferences list 2016

IRISSCERT Cyber Crime Conference – November 2016

irisscertIRISS is Ireland’s CERT team and provides a range of services to its clients to help them defend and secure their networks and data. This annual conference is now recognised as Ireland’s premier Cyber Security event where experts on various aspects of cyber security share their thoughts and experiences. DeepRecce was represented by Dr. Grigorios Fragkos who delivered a really forward looking talk on Cyber Resilience with the interesting title: All aboard, next stop; Cyber Resilience. The talk familiarised the audience with what Cyber Resilience really is, how a holistic approach to cybersecurity problems is better to protect us from cyber threats, and last but not least, how Cyber Resilience will change once and for all the way cybersecurity is discussed in the boardroom, as it will provide companies the means to stay within budget.

BruCON – October 2016

finalgamingdefOne of the most important security conferences for ethical hackers in Europe is BruCON. The event started with security training sessions that lasted for three days and concluded with a two-day conference composed of outstanding security presentations and workshops. It comes without surprise to see so many people arriving to the event from all over Europe to join an interesting atmosphere for open discussions related to critical InfoSec issues, privacy, information technology and its cultural/technical implications on society. DeepRecce was represented at the conference by Dr. Grigorios Fragkos who was invited to present his talk on Point of Sales (POS) and more specifically on Point of Interaction (POI) devices and Virtual Terminals. Even though the research started almost three and a half years ago, the findings were never made publicly available, and have only been presented behind closed doors and to by invitation only events/conferences, in order to be given enough time to acquirers, payment processors and affected parties to remediate the issues disclosed.

Securing Online Gaming – October 2016

finalgamingdefThe challenges involved when it comes cyber resilience were discussed at this year’s annual “Securing Online Gaming” in London, on the 4th October 2016. DeepRecce is not only a strategic sponsor to the event, but was also represented by Dr. Grigorios Fragkos with an innovative and forward-looking talk on “Online Gaming towards Cyber Resilience”. The talk focused mainly on:
• Today’s challenges & requirements towards security online gaming
• How attacks are evolving, and what should we expect
• Taking steps for an effective Cyber Resilience strategy


44CON – September 2016

44conlondonDeepRecce had a presence at this year’s 44CON in London. We had the chance to meet and catch up with friends and colleagues from the industry. As Cyber Security becomes a more and more boardroom discussion it was a pleasure to see the department of MoJ Digital & Technology at the event who also designed a fun yet challenging Capture the Flag. Information Security professionals from all industries, mostly interested in cybersecurity and ethical hacking, had the change to attend a series of interesting talks and workshops related to security from speakers around the world.

Security BSides Manchester – August 2016

bsidesmcrDSecurity BSides events are Information Security community based conferences happening all over the world and DeepRecce was present at this year’s event in Manchester. Information Security Professionals, experts, researchers, ethical hackers and InfoSec enthusiasts come together to discuss the next “big thing”, not only to ethical hacking, but instead the conference is open to a wide range of subjects related to security such as incident response, IoT security, computer forensics, security standards and of course compliance. DeepRecce was represented at the event by Dr. Grigorios Fragkos with a talk about “Accessing the personal details of most of the InfoSec professionals & the Responsible Disclosure process”. Due to the sensitive nature of the contents, the talk was not allowed to be recorded.

Electromagnetic Field – August 2016 – EMF Camp

cpl-kqywyaak1qfA UK based camping festival that takes place every two years for those with an inquisitive mind or an interest in making/breaking things: hackers, geeks, digital artists, scientists, engineers and technology enthusiasts. DeepRecce was represented at the event by Dr. Grigorios Fragkos with a talk on the myths and truths when it comes to hacking airplanes.


SnoopCon – July 2016

DeepRecce was represented by Dr. Grigorios Fragkos at SnoopCon 2016 invited by the Cyber Security Testing and Validation Team at British Telecoms (BT) in order to attend their annual internal conference, as a guest speaker. This is actually the second time Grigorios attended this by-invitation-only conference, where he was awarded the Best External speaker award in 2015. The conference is known as SnoopCon and it is BT’s Penetration Testing and Ethical Hacking annual meet-up event which lasts five days overall.

Monday 26 December 2016

TP-LINK Modem / Router (ADSL2+) Security and Vulnerabilities

I really hope this blog post starts a small trend when it comes to the security of home-based routers. I started searching online for home routers (SOHO) and wanted to compare them based on how secure they are, up to a reasonable price for a household. I have seen all these different makes that have been found in the recent years to contain hard-coded credentials and other known backdoors, and I wanted to investigate this a bit further. 

It is very hard to find security related information about routers before deciding which one to buy. Also, it is really annoying to see that manufacturer only care and promote the features and functionality of a router, and do not consider security at all.

From where I stand, when a company sells a router, should be in their best interest that router to have no security vulnerabilities. Otherwise, it is like having a company that wants to sell bulletproof vests that doesn't stop bullets, other than those fired from Airsoft BB guns.

I do understand that most people might choose a router based on its cost, colour, shape and if it is shiny. However, from my experience, these people just want to get online and want to simply replace the really bad modem/router their ISP provided for "free". Most of the time the real reason behind that decision is because when more than two devices are connected to those "free" devices, the Internet experience becomes annoying, to say the least. For such use, it is not hard to find a replacement for these "free" routers at a very reasonable price, and 90% of the time, it is totally worth it.