Category: Security

Pervasive Monitoring and Security in Africa

If you think about the number of attacks on the rise in the world, the statistics and figures speak for themselves. For example, to prevent attacks such as Man-in-the-Middle attacks, guidance on implementing the right TLS protocol, formerly called SSL, is important. TLS is the security protocol that underlies the web. Passive attacks such as tapping – monitoring of unencrypted communications, encryption – intercepting encrypted information flows, scanning – scanning ports connected to the Internet, and traffic analysis – building and processing information from data analysis, are surely on the rise. RFC 7258 emphasises mitigating pervasive monitoring where possible. Pervasive monitoring is also described as an attack and therefore it is an offence.


In 2017, we had so many cybersecurity disasters – active attacks such as the Shadow Brokers, which claimed to have breached the spy tools of the elite NSA-linked operation known as the Equation Group. We also had WannaCry, which netted almost 52 bitcoins, or about $130,000, and the WikiLeaks CIA Vault 7, which contains alleged spying operations and hacking tools. The cyberstorm.mu team clearly reacted to this issue under Operation Crypto Redemption, submitted several patches and encouraged many open source organizations to patch those vulnerabilities. According to Africa News, only South Africa seems to have been impacted. It can clearly be seen that the attackers know which country they are aiming at during mass phishing.

AFRICA least hit by WANNACRY - Photo credits Africanews.com


But hey! Give it a thought. Did the attackers really aim at Africa? Why was Africa not really impacted? I highly doubt that there was pervasive monitoring prior to the attack. It may also not be the case because of phishing, as it depends on who got trapped by the malware. Still, large-scale phishing can have the intelligence of pervasive monitoring behind it! On the other hand, Checkpoint demonstrated how high the risk is in Africa: the map below displays the risk index globally (green – low risk, red – high risk, white – insufficient data), demonstrating the main risk areas around the world.

Photo Credits: Checkpoint.com

Several countries were listed as white due to insufficient data, which could account for reliable data about the risk index in the African continent. Of course, it describes active attack risks in the African continent. Attacks on countries are now evolving. What I mean is that there could first be a pervasive monitoring system which helps attackers move further towards their target, for example: when to perform mass phishing to get more money!

The fundamentals of pervasive monitoring remain mostly about building profiles of a person. It is clear that many are vulnerable to these types of attacks due to their presence on social media and social networks. A nation can be a target! Staff from a particular company can be a target! But what is most sensitive is that once the data from pervasive monitoring has been processed into meaningful information, attackers can sell that information, which can cost millions and maybe billions of dollars.


Over the past decade, the billion people who live in Africa have experienced the fastest growth the continent has ever seen, and many of its countries (Nigeria, Ethiopia, Mozambique, Guinea) are among the fastest growing in the world. A growing body of evidence backs our view that as Africa’s population doubles to two billion over the next several decades, its GDP will increase from $2 trillion today to $29 trillion in today’s money by 2050.  What has changed? Many governments have learnt from their mistakes and seen the positive reform examples not just in Asia, but more importantly in Africa itself, from Mauritius to Botswana and Cape Verde, and now Ghana to Rwanda. In most countries there has been no single reform miracle, like China’s in 1978 or India’s in 1991, but rather a series of small steps which taken together have been just as powerful. – cnn.com

Photo Credits: African-markets.com

Since Africa is on the edge of a rich economic boom, passive attacks will probably be on the rise from many other countries which will want to invest heavily. But where to invest? How much to invest? The information will probably be on sale from cheap pervasive monitoring instead of an expensive survey!

We all know that it is difficult to detect pervasive monitoring. However, I believe that data which has been processed from pervasive monitoring can still be analysed again to understand how it was used. For example: comparing pervasive data gathered during a previous election campaign with a new election campaign. The dark web is not just being used by individuals. According to Corregedor, private organisations and governments are increasingly using it as a source of threat intelligence. With the threat of cybercrime comes the threat of cyberwarfare, and state-sponsored attacks on multinational corporations or other countries. South Africa, as with any other country, is equally at risk from this kind of threat, Corregedor says, because it is difficult to monitor the dark web for national threat intelligence. – mg.co.za

As a first defence, it would be better to adopt TLS to prevent eavesdropping. The use of DNSSEC, SMTP Strict Transport Security and various other security protocols should be taken into consideration. Bear in mind that DNS tells all about you: where you shop, what you shop for online, what web pages you looked at and what you purchased! ISPs should enforce security protocols such as PKI (Public Key Infrastructure), DANE (DNS-based Authentication of Named Entities) and DKIM (DomainKeys Identified Mail). Improving internet infrastructure must progress before it is too late. Emails that are not digitally signed are also a good source of data to be processed anew. A simple example is dead.letters, which can be a source for gathering data on the internet.

According to The New York Times, the NSA is monitoring approximately 100,000 computers worldwide with spy software named Quantum. Quantum enables the NSA to conduct surveillance on those computers on the one hand, and can also create a digital highway for launching cyberattacks. A proof of concept by Netresec explains how to detect “Quantum Insert” in the network environment.


One of the various reasons we don’t have much privacy in the online world is that people simply don’t realise the amount of information they leak daily. Worse is when companies leak information about their staff. To resolve such scenarios, since computers today are fast enough, norms ensuring that companies implement tcpcrypt can be made mandatory.

REFERENCES:

  1. https://tools.ietf.org/html/rfc7258
  2. https://www.wired.com/story/2017-biggest-hacks-so-far
  3. http://www.africanews.com/2017/05/15/africa-least-hit-by-wannacry-ransomware-cyber-attack/
  4. https://blog.checkpoint.com/2017/06/20/mays-wanted-malware-fireball-wannacry-impact-1-4-organizations-globally
  5. http://globalpublicsquare.blogs.cnn.com/2013/01/22/get-ready-for-an-africa-boom
  6. https://mg.co.za/article/2016-07-15-00-beware-of-the-webs-dark-side
  7. https://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html
  8. https://www.netresec.com/?page=Blog&month=2015-09&post=Covert-Man-on-the-Side-Attacks
  9. http://tcpcrypt.org

How I optimised my WordPress website

Some days back, I was brewing up some plans to optimise my website source code, HTTP headers, latency and other security aspects. I had to carry out some analysis and research using some tools available on the internet. I should admit that, at first, it looked pretty simple, but it was not. For instance, I did not permit myself to directly modify the production environment. So, I had to migrate it to a pre-production environment. Page caching was yet another issue which could trick oneself after modifications.

Although my website is behind Cloudflare, which is already an advantage in terms of security, performance, reliability and insight, that does not mean that the website cannot be hacked. According to sucuri.net, websites using WordPress CMS are constantly being hacked. Of course, it depends on the mode of attack and the infection impact.


Photo credits: sucuri.net

Migrating to TLS

Migrating a CMS which already has several articles posted can be an issue, as the URLs are already recorded in the database as well as in the source code itself. Also, there were links on the website which did not point to HTTPS. After moving to the HTTPS version, errors such as “Mixed content” could be noticed when accessing the website. One of the interesting free features of Cloudflare is that everyone can have a free SSL certificate issued by Comodo. You will have to generate your certificate and your private key from Cloudflare and point to them in your Virtual Host.

Some corrections on WordPress source code needed to be added in the wp-config file as follows:

define('WP_HOME','https://tunnelix.com/');

define('WP_SITEURL','https://tunnelix.com/');

On top of that, there seemed to be lots of URLs on the database itself that needed corrections using the following commands:


update wp_options set option_value = replace(option_value, 'http://www.tunnelix.com', 'https://www.tunnelix.com') where option_name = 'siteurl';


update wp_posts set guid = replace(guid, 'http://www.tunnelix.com', 'https://www.tunnelix.com');

update wp_posts set post_content = replace(post_content, 'http://www.tunnelix.com', 'https://www.tunnelix.com');

However, there are some tricks to identify those non-HTTPS URLs: make a dump of the database and run a “grep” on it, followed by a “sed” to eliminate the unwanted parameters. Once the “Mixed Content” errors had been identified, I launched a scan on the Qualys SSL Labs website. The result was an “A+”. You can also use the Htbridge free SSL server test, which is pretty fascinating, especially to verify PCI DSS compliance, HIPAA compliance, NIST guidelines and industry best practice in general. If all those criteria have been met, then you would score an “A+” rather than an “A” or, worse, an “F”.

Source code optimisation and Page speed verification

This can be verified using the GTmetrix tool, available for free online. I noticed that my rank was a “C”. This was caused by a lack of minified HTML and CSS, and by image dimensions. To handle the minify HTML errors, I enabled the plugin Minify HTML Markup on WordPress itself, which corrected these errors. To tweak the image dimensions I downloaded the tool Optipng from the EPEL repository:

optipng.x86_64                  0.7.6-1.el6                        @epel        

For example, if you want to optimize a specific image, use the following command:

optipng -o2 Screen-Shot-2016-12-24-at-1.04.45-AM.png

Another verification was made on the GTmetrix website and I noticed that the result was then an “A”.

from GTMETRIX.COM

Tweaking the Web server HTTP headers

Htbridge will surely give you an overview of the web server security and will accompany you step by step to get a better result.


Of course, since the website is behind Cloudflare, it is limited in certain security tweaks such as Public-Key-Pins. The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of Man-in-the-Middle (MITM) attacks with forged certificates. I found an interesting article on https://raymii.org which explained how to activate HPKP.


Once you are in possession of your certificate and Private key, you can create the public key and a token will be received to activate the HPKP extension. The following commands can be used to get the token and the public key.

# openssl x509 -noout -in certificate.pem -pubkey | openssl asn1parse -noout -inform pem -out public.key;

# openssl dgst -sha256 -binary public.key | openssl enc -base64
 4vr+koFuogsfghGjgvpsqQIIikg5KowHTIGNQ5Prspc=

However, it looked like HPKP is not supported on Cloudflare. But there are other issues such as HSTS. HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. HSTS is a powerful technology which is not yet widely adopted. Cloudflare aims to change this. I enabled it as per recommendations by Cloudflare.
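
As an added example (not from the original post or from Cloudflare), the following Python code parses a Strict-Transport-Security value according to RFC 6797 and flags policies that still leave room for the downgrade attacks mentioned above. The sample response headers and the 180-day `MIN_MAX_AGE` threshold are assumptions constructed for the example.

```python
import re

MIN_MAX_AGE = 15552000  # assumption for this example: 180 days, in seconds

# Constructed sample response headers (not captured from a real site).
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff
"""


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797, section 6.1)."""
    directives = {}
    # A plain split is enough here: the directives in use never carry a ';' in a value.
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()  # directive names are case-insensitive
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # the value may be a quoted-string
        if name in directives:
            raise ValueError(f"directive {name!r} appears more than once")
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        raise ValueError("max-age is missing or not a number")
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,  # browser preload-list token, not part of the RFC
    }


def audit_headers(raw_headers):
    """Return a list of findings for the HSTS policy in a raw header block."""
    values = [line.split(":", 1)[1].strip() for line in raw_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:
        findings.append("header sent more than once: browsers use only the first")
    try:
        policy = parse_hsts(values[0])
    except ValueError as exc:
        return findings + [f"invalid header, browsers ignore it: {exc}"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max_age']} is below {MIN_MAX_AGE} seconds")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains may still be reached over HTTP")
    return findings


if __name__ == "__main__":
    print(audit_headers(SAMPLE_RESPONSE))
```

Browsers only honour this header when it arrives over HTTPS, so the audit should be run against the response of the `https://` URL.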


A curl on the URL https://tunnelix.com now returns the following headers:

No system is perfectly secure, but I believe that these modifications are worth exploring. I should say I was really impressed by free tools such as the Qualys SSL test, the HTbridge free SSL and web security test, and GTmetrix in terms of page speed.

 Hello Tunnelers, this is my first article for the year 2017, I seize this opportunity to wish my readers a Happy New Year 2017 and wish you all lots of prosperity. – TheTunnelix


Web Security Fundamentals by Varonis

Some days back, I received an invitation to attend an online course by Varonis on Web Security Fundamentals, conducted by Troy Hunt. I should say that though this course is for beginners, it's worth watching and pretty interesting. Troy Hunt is a security developer and author of Pluralsight tutorials. You can join the course at Web Security Fundamentals on the Varonis website.

Some of the world's biggest data breaches were enumerated at the beginning of the mini course, followed by some statistics and the impact of web security. The following points were enumerated:

  1. SQL Injections
  2. Insufficient Transport Layer Security
  3. Insecure Password Storage
  4. Cross site Scripting (XSS)
  5. Weak account management

The course covered the impact of each risk, how it works with examples and demos, as well as the defense techniques to be used to strengthen the system.

SQL Injection

Photo credits: varonis.com

An example was given using a tool such as Havij to automate SQL injection. This tool has a pretty straightforward GUI: enter the URL, followed by the tables, columns, etc., to retrieve information from a database. This will result in information leaking from a website if it is not secured. Several ways to defend against SQL injection attacks are to:

  • Validate untrusted data – Has the user provided valid input to the system?
  • Parameterize queries – Separate the query and the data
  • Lock down the Database permission – Apply the ‘principle of least permission’
  • Apply ‘Defence in depth’ – Web application firewall and cryptographic storage
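
The first two defences above can be seen side by side in the following added example, which is not part of the course material or the original post. The `products` table, its rows and the function names are constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

# Allow-list for the sort column: identifiers cannot be bound as parameters,
# so they are validated against known-good values instead.
SORTABLE = {"name", "price"}


def make_db():
    """Build a small in-memory database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, hidden INTEGER)")
    db.executemany(
        "INSERT INTO products (name, price, hidden) VALUES (?, ?, ?)",
        [("kettle", 25.0, 0), ("toaster", 40.0, 0), ("prototype", 999.0, 1)],
    )
    return db


def search_vulnerable(db, term):
    """Before: query and data are mixed, so the term becomes part of the SQL grammar."""
    sql = f"SELECT name FROM products WHERE hidden = 0 AND name LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term, order_by="name"):
    """After: input is validated, and the term travels separately from the query text."""
    if not isinstance(term, str) or len(term) > 64:
        raise ValueError("invalid search term")
    if order_by not in SORTABLE:
        raise ValueError("invalid sort column")
    sql = f"SELECT name FROM products WHERE hidden = 0 AND name LIKE ? ORDER BY {order_by}"
    return [row[0] for row in db.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR hidden = 1 --"  # constructed input containing SQL syntax
    print("vulnerable:", search_vulnerable(db, crafted))  # leaks the hidden row
    print("safe:      ", search_safe(db, crafted))        # treated as plain text
```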

Transport Layer Security

Photo credits: varonis.com

This part elaborated on the lack of encryption at the network layer, such as missing HTTPS security, and especially on how the risk manifests. An example of a key logger was used to retrieve information from a web page. Defense against this type of attack was emphasized on the following points:

  • Apply TLS – Literally apply TLS to encrypt by default
  • Strengthen TLS – Ensure it is a strong implementation of TLS
  • Lock down Application – Use constructs that disallow communication over insecure connections.
  • Apply the same control internally – Attacks on the Transport layer can occur behind the firewall too

Insecure Password Storage

Photo credits: varonis.com

Encryption and decryption mechanisms need to be mastered at this level, as this is the basic concept for preventing attacks on insecure password storage. An example of a brute force attack was demonstrated. One of the tools is Hashcat, which was used as a proof of concept. To prevent such types of attacks:

  • Always hash and never encrypt – This works on the assumption that the entire system may be compromised.
  • Choose the right algorithm – Get the balance between workload and performance right.
  • Enforce password rules – Stronger passwords are significantly harder to crack.
  • Encourage strong passwords – Do not place arbitrary limits on password strength
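
The following added example (not from the course or the original post) shows the first two points with Python's standard library: a salted, deliberately slow hash whose work factor is stored with the record so it can be raised later. PBKDF2-HMAC-SHA256, the record format and the `ITERATIONS` value are choices assumed for this example.

```python
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor for this example; tune it to your hardware


def hash_password(password, iterations=ITERATIONS):
    """Derive a salted, deliberately slow hash; the plaintext is never stored."""
    salt = secrets.token_bytes(16)  # unique per record, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the record was created with a lower work factor than today's."""
    return int(stored.split("$")[1]) < iterations


def login(password, stored):
    """Return (authenticated, replacement_record or None).

    A successful login is the only moment the plaintext is available, so that
    is when an old record is upgraded to the current work factor.
    """
    if not verify_password(password, stored):
        return False, None
    upgraded = hash_password(password) if needs_rehash(stored) else None
    return True, upgraded


if __name__ == "__main__":
    record = hash_password("a long passphrase with spaces is fine", iterations=1000)
    print(login("a long passphrase with spaces is fine", record))
```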

Cross-Site Scripting (XSS)

A demo was shown on this aspect using a “search” example on a website search engine. The aim is to search for a mechanism that can be exploited.

Photo credits: varonis.com

Defense against this type of attack was on the following points:

  • Validate untrusted data – Has the user provided valid input to the system?
  • Always encode output – Ensure that any reflected input is rendered in the browser
  • Encode for the correct context – HTML / HTML attribute / CSS / JavaScript are all different
  • Protecting cookies – Flag cookies as ‘http only’ so they cannot be accessible by client script.
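
To illustrate why the encoding depends on the context, here is an added example (not from the course or the original post) that reflects one search term into HTML, a URL and a JavaScript string, each with its own encoder, and sets an HttpOnly cookie. The page template, function names and sample term are constructed for illustration; the CSS context is not covered.

```python
import html
import json
from http.cookies import SimpleCookie
from urllib.parse import quote


def for_html(value):
    """HTML element content and quoted attribute values."""
    return html.escape(value, quote=True)


def for_url_param(value):
    """A single query-string parameter value."""
    return quote(value, safe="")


def for_js_string(value):
    """A JavaScript string literal placed inside a <script> block."""
    literal = json.dumps(value)  # adds the quotes, escapes quotes, backslashes, non-ASCII
    # json.dumps leaves <, > and & alone, and "</script>" would end the block early.
    for char, escaped in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(char, escaped)
    return literal


def render_search_page(term):
    """Reflect the search term in four places, each encoded for its own context."""
    return (
        f"<h1>Results for {for_html(term)}</h1>\n"
        f'<input name="q" value="{for_html(term)}">\n'
        f'<a href="/search?q={for_url_param(term)}">permalink</a>\n'
        f"<script>var term = {for_js_string(term)};</script>"
    )


def session_cookie(token):
    """Build a Set-Cookie value that client-side script cannot read."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    # Constructed search term containing markup characters.
    print(render_search_page('"><b>Tom & Jerry</b></script>'))
    print("Set-Cookie:", session_cookie("abc123"))
```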

Weak Account Management

Photo credits: varonis.com

To manage weak accounts, the following factors need to be taken into consideration:

  • Poor password rules
  • Lack of brute force protection
  • Insecure ‘remember me’ feature
  • Vulnerable password change feature
  • Enumerable password resets

Here are some tips against account enumeration attacks:

  • Always respond identically – Return the same message to anonymous users
  • Use email for verification – Email the address and confirm or deny account existence there
  • Consider other enumeration vectors – Login and registration are other common channels for disclosure.
  • Consider the risk in context – Different application have different levels of privacy expectation.

To sum up, it's important to grasp the fact that good security is ‘defense in depth’. Security needs to be considered in the context of cost as well as usability, as many of these attacks provide vectors into the internal network. Security goes well beyond. The tutorial ensures that questions are being asked at all levels to ensure security, such as:

  • Is access to data logged and auditable?
  • Do you have visibility of resources accessible via access controls?
  • How many of these permissions are excessive?
  • Is anyone actually reviewing entitlements?
  • How are you prioritizing security efforts?

 


Introducing MariaDB MaxScale 2.0 – Webinar

Today, I attended a webinar conference on MariaDB MaxScale carried out by Roger Bodamer at 10.00 AM PDT. That was really interesting and I strongly feel the future of system and database administrators is going to be enhanced with this technology.

It started with a thorough introduction to the challenges faced by the IT industry today, especially large firms, with regard to market agility, system integration, real-time insights, security, and high availability. Some basic explanations at both the application (customer-centric front-end) and database (transaction-focused back-end) levels were addressed. At the application level, this deals mainly with continuous delivery of the application, microservices and modular deployment, whereas at the database level it lays emphasis on security, scalability, high availability and high-quality data management.

“MariaDB MaxScale makes it easy to handle the scalability and availability of your database cluster, and also secure it and manage the maintenance downtime. MaxScale is a next generation database proxy that goes well beyond routing, with advanced filtering, enhanced security and authentication. It is a multi-threaded, event-driven engine, that has its main functionality provided by plugins loaded at runtime. With MaxScale’s innovative architecture you can update the data layer on scale-out architectures, without impacting application performance.” – MariaDB

Photo Credits: MariaDB MaxScale

There are so many features in MaxScale that have really amazed me in the security pillar, such as data motion, data in use and the DB firewall. Emphasis was laid on the type of job that MaxScale can perform compared to simple master-slave environments. MaxScale is really good at replication when it comes to one master having hundreds of slaves, as it prevents load on the master, which means that MaxScale can take great care of replication issues. Another feature of MaxScale is that when a database is used to store information, a specific route can be defined for traffic within the database itself. Keymaps also come in as a great feature to manage those issues. Schemas can be updated. The goal is high availability. Another feature is data streaming, which can be controlled. I noticed a heavy emphasis on security, especially when it comes to whitelisting/blacklisting at database level to drastically reduce DDoS attacks at database level.

A demo was then displayed live showing some interesting features of MariaDB MaxScale. An interesting GUI web interface called MaxPanel is used to connect to the servers, Master-Slave-Slave (all three instances on Docker), which gives indications about the server names, addresses, ports, connections, and status (server running). A load was generated on one of the slave servers, where writes were configured on the master and reads only on the slaves. The tool used to generate the load is HammerDB. In the conf file, under dbfw-blacklist, rules can be inserted to prevent certain types of query, for example a “select * from tablename” which, if the table has too many records, will consume a heavy amount of resources. To remediate this issue, a rule can be specified to require the “where” clause. An example of such an entry is rule safe_order deny no_where_clause on_queries select, which means that no select is to be made without a where clause. Also rule query_regex deny regex '*.orders*', which is going to be applied on the table called orders.

After the demo, the questions and answers session was opened. This included different architectures where plugging architectures can be used with specific protocols. Some answers still need to be cleared up as regards MUSL compatibility with MaxScale, which was pointed out by me. Some days back, cyberstorm.mu enhanced MariaDB to be MUSL compatible. That was really an interesting and educational session on MariaDB MaxScale, especially for administrators. I am looking forward to a MariaDB MaxScale installation soon.


Counter DNS Attack: Enabling DNSSEC

To reach another person on the Internet you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet. When typing a name, that name must be first translated into a number by a system before the connection can be established. That system is called the Domain Name System (DNS) and it translates names like www.icann.org into the numbers – called Internet Protocol (IP) addresses. ICANN coordinates the addressing system to ensure all the addresses are unique. – ICANN


Finally, I decided to enable DNSSEC on Tunnelix.com. It can be tested at http://dnssec-debugger.verisignlabs.com and it's really cool. This is just another security add-on to keep attacks away. For example, an attacker can take control of the session with the aim of making the user believe that the hijacker's deceptive website is the right one. We also need to understand the basics of how DNS traffic works. There are normally three players in the normal DNS world: your computer, the ISP’s recursive DNS servers, and the website’s authoritative DNS servers. Of course there are caching DNS servers that facilitate the DNS query. In more detail, the attack works by the attacker trying to trick the resolver into believing that, let's say, tunnelix.com lives at the IP xx.xx.xx.xx, and even into remembering it for, let's say, 7 days. It's important to understand that since most of the traffic passes over UDP, it is kind of difficult to prevent attackers from sending a flood of responses to the resolver.

DNSSEC is a technology which acts as a security layer on top of DNS traffic, using cryptographic tools to reassure you that the website you are visiting is the real one. In 2008, Dan Kaminsky revealed a flaw that could allow attackers to easily perform cache poisoning attacks on most nameservers. Here is a link from the ISC (Internet Systems Consortium) which sheds light on lots of interesting material about the DNSSEC technology. For bloggers behind Cloudflare, you can easily activate DNSSEC for your domain, provided, of course, that the root domain name supports DNSSEC; otherwise it's impossible to achieve. For example, the .mu domain does not support DNSSEC. On Cloudflare, the steps are easy. You just need to activate DNSSEC with a simple click, save all the information such as DS records, digest, digest type, algorithm used, public key, etc., and feed it to the domain name registrar. The information will be verified by Cloudflare, after which you are a happily DNSSEC-enabled domain owner.


To test from your Linux terminal whether a domain is signed, use the following command:

# dig tunnelix.com +dnssec

; <<>> DiG 9.10.3-P4-Ubuntu <<>> tunnelix.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36645
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;tunnelix.com. IN A

;; ANSWER SECTION:
tunnelix.com. 177 IN A 104.18.41.96
tunnelix.com. 177 IN A 104.18.40.96
tunnelix.com. 177 IN RRSIG A 13 2 300 20160724190355 20160722170355 35273 tunnelix.com. L5t/xVbsuB99HntpdpHkYu4ig52YL9QA+Vvi509KFgdgKrtY3pvZfKfD LGjtT0Ev0UFEn73TObofJyOmzIEmUg==

;; Query time: 46 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Jul 23 22:05:57 MUT 2016
;; MSG SIZE rcvd: 181
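
To show what to look for in that output, the following added example (not part of the original post) parses the flags line and the RRSIG record and reports why an answer should not be treated as DNSSEC-validated: a missing `ad` flag, a missing signature, or a signature outside its validity window. The function names are made up for the example, and the sample input is the header and answer lines copied from the dig output above.

```python
import re
from datetime import datetime, timezone

# Sample input: the flags line and answer section of the dig output shown above.
SAMPLE_DIG = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
tunnelix.com. 177 IN A 104.18.41.96
tunnelix.com. 177 IN A 104.18.40.96
tunnelix.com. 177 IN RRSIG A 13 2 300 20160724190355 20160722170355 35273 tunnelix.com. L5t/xVbsuB99HntpdpHkYu4ig52YL9QA+Vvi509KFgdgKrtY3pvZfKfD LGjtT0Ev0UFEn73TObofJyOmzIEmUg==
"""

# DNSSEC algorithm numbers from the IANA registry (subset).
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}


def _timestamp(value):
    """RRSIG times are printed as YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_dig(text):
    """Return (header flags, list of RRSIG records) from dig's text output."""
    flags, rrsigs = set(), []
    for line in text.splitlines():
        header = re.match(r";; flags:([^;]*);", line)
        if header:
            flags = set(header.group(1).split())
            continue
        fields = line.split()
        # owner ttl class RRSIG covered alg labels orig_ttl expire incept keytag signer sig...
        if len(fields) >= 13 and not line.startswith(";") and fields[3] == "RRSIG":
            rrsigs.append({
                "owner": fields[0],
                "covered": fields[4],
                "algorithm": ALGORITHMS.get(int(fields[5]), "unknown"),
                "expiration": _timestamp(fields[8]),
                "inception": _timestamp(fields[9]),
                "key_tag": int(fields[10]),
                "signer": fields[11],
            })
    return flags, rrsigs


def assess(text, now):
    """List the reasons this answer should not be treated as DNSSEC-validated."""
    flags, rrsigs = parse_dig(text)
    findings = []
    if "ad" not in flags:
        # The AD bit is the resolver's claim that it validated the chain of trust;
        # it is only as trustworthy as the path between you and that resolver.
        findings.append("AD flag not set: the resolver did not validate the answer")
    if not rrsigs:
        findings.append("no RRSIG returned: zone unsigned or query sent without +dnssec")
    for sig in rrsigs:
        if now < sig["inception"]:
            findings.append(f"RRSIG {sig['key_tag']} not yet valid")
        elif now > sig["expiration"]:
            findings.append(f"RRSIG {sig['key_tag']} expired")
    return findings


if __name__ == "__main__":
    # 22:05:57 MUT (UTC+4) on 23 July 2016, the time of the query above.
    when = datetime(2016, 7, 23, 18, 5, 57, tzinfo=timezone.utc)
    print(parse_dig(SAMPLE_DIG)[1][0]["algorithm"], assess(SAMPLE_DIG, when))
```

The code reads the signature's metadata only; verifying the signature itself is the validating resolver's job, which is what the `ad` flag reports.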

“To fix this, all major DNS servers implemented Source Port Randomization, as both djbdns and PowerDNS had before. This fix is widely seen as a stopgap measure, as it only makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names. DNSSEC has been proposed as the way to bring cryptographic assurance to results provided by DNS, and Kaminsky has spoken in favor of it.” – blackhat.com

Domain owners might consider enabling DNSSEC on their domains to increase the security of letsencrypt in their infrastructure for ACME, as there is a return on investment in terms of security. – Loganaden of cyberstorm.mu

Another article I wrote on BIND: Anatomy of a simple dig result