Wednesday, 23 December 2015

Biometrics: the Future of Mobile Payments?

Billions of people are now using smartphones, even in the most remote areas of the planet. Global adoption of these new mobile technologies opens up the discussion for more advanced methods of identification, authentication, and verification, especially when it comes to protecting against fraud, identity theft and financial crime. One of these promising new technologies, available to end users as a result of the acceptance of mobile devices such as mobile phones, tablets, and laptops, is biometrics.
Biometrics look promising when it comes to simplifying the processing, authentication, and confirmation of transactions in general, but more importantly when it comes to payments. Technological advances, along with pattern recognition and multi-factor biometrics, are expected to tackle cybercrime by making it very expensive and time-consuming for cybercriminals to attempt to target these systems. 

Saturday, 19 December 2015

Message Header Analyzer (Microsoft & Google)

Spear-phishing attacks still happen and are still successful. According to Symantec: “The FBI estimates that the amount lost to BEC (Business Email Compromise) between October 2013 and August 2015 was over $1.2 billion. With such huge returns, it’s unlikely that these scams will cease any time soon.”

Symantec researchers also explained that “BEC attackers target senior-level employees rather than consumers as it’s easier to scam them out of large amounts. In one incident, we observed the scammers asking the target to transfer over US$370,000. By requesting large amounts of money, the scammers only need to be successful a couple of times to make a profit,”.

Usually spear-phishing emails are used for untargeted attacks. Lately we saw spear-phishing attacks becoming more targeted. An example is the CEO fraud attacks. A cyber criminal sends an email that appears to be from an executive (usually from the CEO to the CFO) asking for a specific payment to be processed immediately. The payment may be in any currently or even BitCoin(s). 

There are a couple of tools online that you can use to check the email headers of incoming emails. The email headers allow you to check if a suspicious incoming email is actually a spoofed email as part of a spear-phishing attack campaign.

Friday, 18 December 2015

FireEye critical vulnerability

Google's team in Project Zero discovered a critical vulnerability in FireEye NX, EX, AX and FX network security devices that run on security content version 427.334 or prior versions.
An attacker could exploit this vulnerability to gain persistent access and remotely exploit code. It is good to see that FireEye focused this time towards patching the security flaw and did not try to take legal action, like previously, for the vulnerabilities discovered by the German security firm ERNW). 

FireEye responded with a support alert stating that a patch was released through automated security content updates for all of the affected devices. FireEye is making the patch available for “out-of-contract customers” and the firm warned customers who perform manual security content updates, to “update immediately”.

The flaw discovered by Project Zero follows an earlier series of vulnerabilities discovered by the German security firm ERNW. FireEye filed an injunction against ERNW in September after learning that the firm was planning to release findings on vulnerabilities that it discovered in FireEye's operating system

It was proven that it was possible for an attacker to root the FireEye's network security device by simply tricking a victim into clicking on a link contained in an email. 

"Unauthorized code" in Juniper firewalls decrypts encrypted VPN traffic

Juniper Networks published an advisory saying that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 contain unauthorized code that surreptitiously decrypts the VPN traffic by giving attackers administrative access. 


This system "backdoor" requires immediate patching! The vulnerability was discovered during a recent internal code review[1]. The "unauthorised code" in ScreenOS could allow a knowledgeable attacker to gain administrative access to NetScreen appliances and to decrypt VPN connections. 

Juniper Networks explained in a separate advisory that there are two separate vulnerabilities which are both described as “Unauthorised Code”.

The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. "The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic," the advisory said. "It is independent of the first issue. There is no way to detect that this vulnerability was exploited." [2]

This Github repository contains notes, binaries, and related information from the analysis of the CVE-2015-7755 & CVE-2015-7756 issues within Juniper ScreenOS. See a detailed analysis by Rapid7

Wednesday, 16 December 2015

Joomla Critical 0day Remote Command Execution Vulnerability - Patch Now

A vulnerability that affects all versions of Joomla from 1.5.0 to 3.4.5 have just been released (CVE-2015-8562). 

The Joomla security team released a patch to address this critical remote command execution vulnerability that is already being exploited in the wild. 

Joomla is one of the most popular Content Management Systems (CMS), alongside Wordpress, Drupal and Magento. Joomla CMS is used to build web sites and online applications in conjunction with the many supported shopping cart, e-commerce and payment gateway extensions.  

Joomla users need to upgrade to version 3.4.6 immediately. For Joomla 3 and above, updating is a simple one-click process through the admin panel. For the unsupported versions 1.5.x - 2.5.x the users need to patch using the Joomla hotfixes.

Wednesday, 9 December 2015

Combating cybercrime during the holidays. Advice for retailers and shoppers

Online shopping, especially during the holiday period, is a massively important trading platform for many businesses. For online retailers their ability to service high customer demand and ensure the availability of their website throughout this period is crucial to their success.
The shopping frenzy has already started, with the adoption of Black Friday and Cyber Monday in many countries adding additional pressure on high street, and online retailers. In the UK and Europe, this only increased further during the holiday week and the discounts the day after Christmas. With these periods being hugely busy on the high street, an increasing number of shoppers are moving to the Internet to hunt for their bargains.

During this overwhelming period of spending, online retailers and shoppers need to be wary since this also is a lucrative period for Cybercriminals. In this article, we have highlighted a few key steps retailers and shoppers can take to keep themselves safe from cybercrime during the holidays.

Wednesday, 25 November 2015

Restore Points in Windows 8.1

How to create a Restore Point:
1. Press the WinKey+X to display the system menu and click System.
2. On the left side menu, click System Protection.
3. In the Protection Settings section, click the C: (system) drive.
4. Click the Create button.
5. Type a name for the System Restore file (The Date and Time will be added automatically).


Rolling Back to a Restore Point in Windows 8.1:
1.Save your work and then close all running programs.
2.Press the WinKey+X to display the system menu and click System.
3.On the left side menu, click System Protection.
4.Click the System Restore button.
5.Click Next
6.Select the restore point you’re considering and then click the Scan for Affected Programs button.
7.If you don’t see any major problems with the restore point click Close, and then click Next.
8.Follow the instructions to save any open files, close all programs, and then click Finish.

Monday, 23 November 2015

IRISSCON 2015 Recap - IRISSCERT

I had the pleasure of attending the 7th Irish Reporting and Information Security Service Computer Emergency Response Team (IRISSCERT) Cyber Crime conference (#IRISSCON) in Dublin, Ireland. See: www.iriss.ie


The event took place on Thursday, 19/Nov/2015 in the Berkley Court Hotel, in Ballsbridge Dublin. 

The annual all-day conference focuses on providing attendees with an overview of the current cyber-threats most businesses are facing; primarily in Ireland and throughout the world. During IRISSCON, experts share their thoughts and experiences on cybercrime and cybersecurity, while a number presentations provide the opportunity all attendees to discuss the issues that matter the most.

Thought leaders from the industry, academia and the government present at IRISSCON and the main audience is primarily the business community within Ireland, discussing the following topics:
  • Cyber Crime
  • Cyber Security
  • Cloud Security
  • Incident Response
  • Data Protection
  • Incident Investigation
  • Information Security Threats
  • Information Security Trends
  • Securing the Critical Network Infrastructure
In case you are not aware of this, IRISSCERT is a not-for-profit company that provides a range of free services to Irish businesses, related to Information Security issues. Effectively, the mission is to help raise the awareness and counter the security threats posed to Irish businesses and its Internet space. 

Tuesday, 17 November 2015

POS Malware Alert - AbaddonPOS and Cherry Picker

Two new malware files have been identified targeting point-of-sale (POS) terminals called AbaddonPOS and Cherry Picker

The AbaddoPOS malware is delivered by the Angler Exploit Kit or through an infected Microsoft Office document. The malware targets the memory of all processes running on the infected system (excluding its own memory space) looking for card data. Once the card data has been found, it is sent back to a Command and Control (C&C) server. 

The Cherry Picker also targets card data but there is some further functionality built-in to it. It tries to clean up after itself and this is the main reason why it went undetected for such a long time. Another characteristic of the Cherry Picker is that it focuses on just one process that is known to contain card data. That way it attracts as little attention as possible, compared to trying to target all running processes on the infected system.

Wednesday, 11 November 2015

Guest Speaker for Cardiff University - CyberSecurity and the Payment Card Industry

I had the pleasure to be invited as a guest speaker to Cardiff University in order to give a talk about: "CyberSecurity and the Payment Card Industry". 


The talk starts with an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participants are given the opportunity to understand what is an Approved Scanning Vendor (ASV), the responsibilities of a Qualified Security Assessor (QSA) and last but not least the job of a PCI Forensics Investigator (PFI).

Tuesday, 10 November 2015

Adobe Flash patches 17 remote code execution vulnerabilities

Adobe Flash version 19.0.0.245 was released today. This version patches 17 remote code execution vulnerabilities if exploited [see here]. Adobe said that there are no reports of public exploits for any of the patched flaws.

In addition to the desktop version of Flash for Windows and Mac OS X, Adobe also updated Flash for Internet Explorer 11 and Microsoft Edge, both of which are expected to be included in today’s Microsoft Patch Tuesday security bulletins. Adobe also updated Flash Player for Linux and various Adobe Air products for Windows, iOS and Android mobile devices. 

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote

For those of us using multiple browsers, perform the check for each browser you have installed on your system. The Flash updated packages can be found here.

CVE numbers: CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7659, CVE-2015-7660, CVE-2015-7661, CVE-2015-7662, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044, CVE-2015-8046

During last month’s scheduled update, Adobe patched Flash and Acrobat Reader addressing 69 critical vulnerabilities that could lead to code execution and information disclosure. Just three days later, Adobe updated Flash once again with an emergency patch that addressed a zero-day type confusion* vulnerability. The zero-day was being exploited by a Russian-speaking APT group during Operation Pawn Storm.

*Type confusion vulnerabilities occur when the code doesn't verify the type of object that is passed to it, and uses it without type-checking. 

Friday, 30 October 2015

October’s Cyber Aftermath, CyberSecurity Awareness Month


October is known as being the Cyber Security Awareness Month. Many campaigns especially during October are trying to teach and raise the awareness about Cyber Security. Public and private initiatives especially during this month, are trying to raise the awareness further on online security and safety. 

Unfortunately there are still many steps that need to be made towards awareness and Cyber Security. Businesses and individuals are still affected by cyber-attacks and security breaches. The discovery and investigation of a breach can be a very time-consuming process and this is the main reason it takes so long to be reported.

Even though patches and updates are available for most security vulnerabilities as soon as they are discovered, new threats and zero days (0day) are constantly surface and exploited. 

During this month a number of security breaches, cyber-attacks and vulnerabilities were announced. Let's see this month's aftermath...

CyberSecurity Strategy and Essentials

Cybersecurity becomes even more complicated in the context of today’s threat landscape, which is not only constantly changing, but is also expanding at an increasingly fast rate. This is the most problematic element of Cybersecurity; its evolution is so fast and unpredictable while the nature of the risks involved are constantly changing.

Managing security by diverting resources to the most crucial system components in order to reduce the likelihood of a successful breach, is now considered to be an insufficient approach in the current environment of advanced cyber threats. Threats are changing faster than traditional risk management approaches can deal with, and a more proactive, focused and adaptive approach is needed to manage an effective Cybersecurity strategy.

Good security management is a continuous effort with preparation, readiness, and good planning being the best approach. To achieve this, there are some basic best practices that can be considered essential to organisations that need to protect their assets from the most common and opportunistic cyber-attacks.

Friday, 23 October 2015

Security BSides Athens 2016, Greece

I am happy to announce that I am involved in organising Security BSides Athens 2016, in Greece. More information you will find at the BSides Athens website www.bsidesath.gr (currently under construction).

Most of the information about the status of the event can be also found at the official Security BSides wiki page in the following URL: goo.gl/pseoow

The 1st ever BSides Athens conference is scheduled to take place on Saturday, 25 June 2016. The entrance to the event will be free of charge, but attendees will need to book a ticket online in advance, when these are made available (we expect them to become available around March 2016). 

Please follow us on Twitter @BSidesAth and send us a message if you would like to sponsor, support, volunteer or just give us a hand on the day

Please use hashtags #BSidesAth #BSidesAthens when talking about BSides Athens on social platforms (i.e. Twitter) and spread the word! Even though Twitter is our main form of communication for reaching out to you, and for you to reach us, there is also an official BSides Athens group on Facebook and one group on Linkedin

CFP (Call for Presenters) is scheduled to open on Monday, 30 November 2015 and it will close in March 2016. 
The mobile applications allows you to find information about the conference on the spot, have real-time access to the track schedule and directions on how to the get to the venue. So, for this event #goPaperless by downloading the mobile application suitable for your phone and tablet!

In the following links you can find the Security BSides Athens 2016 logo in different dimensions and use it freely to promote the event on your webpage and/or social media. 
Visit www.bsidesath.gr and stay tuned for more to come!


Wednesday, 21 October 2015

Secure a Sapce ?

This is one of the biggest fails ever! How can you misspell your own URL on the tickets you are issuing and more importantly, in the section where you actually ask people to visit that non-existent misspelled URL and pay a parking fine?! Yes, they did! This is not a hoax!

Lets look at the ticket. The parking fine has instructions on how to pay it online. There is a header which says: HOW TO MAKE A PAYMENT. Below that you will see the name of the company and its postal address. However, you will notice that they have misspelled their own URL! 


Tuesday, 22 September 2015

A Weapon for the Mass Destruction of Computer Infrastructures

Disclaimer: This is NOT a weapon. This is AN EXPERIMENT. 
You MUST NOT try this at home. The tests were performed under the supervision of licensed electricians, in a controlled environment. 
I intentionally do not provide any technical details about the devices. The purpose of this blog post is not to tell you how to do this, but to raise the awareness that this can actually happen. I believe, entities should be aware of this threat and take any necessary actions to protect their infrastructures. 

Having done a number of physical security assessments over the years, I started wondering how vulnerable our computer infrastructures are. I tried to think of a way for a malicious insider or an external third-party, to target a company’s computer network and take it down by damaging it (someone who doesn't have physical access to the server room). I started thinking about this from a different perspective and I tried to approach this "question" with an outside-the-box point of view. 


Due to my experience with physical security assessments I noticed that there are many unattended Ethernet ports (sockets) everywhere around a building. These ports might not be “active” but most of the time they are connected at the far-end on a managed or unmanaged network switch

I started wondering what would be the effect if one tried to apply electric current on an Ethernet socket from a power socket directly. The picture on the left illustrates a cable which sends electric current (220V-250V) directly from the power socket to the Ethernet port (This is very dangerous, do not make one, and do not try to use it). In reality, such attempt is actually pointless, as it will only "toast" the device you connect this modified power cable. 

The hypothetical network switch at the other end will end up toasted in a split second and the person doing this will experience a loud bang and a bright flash, along with the smell of burned plastic at the Ethernet socket side. 

This is a very dangerous thing for one to do and not a very convenient or an effective way for taking down the whole computer infrastructure. The whole point is to manage to "fry" all the devices behind the network switch!!! (..even after the network switch is "toasted", and the circuits are burned). Also, without exposing ourselves to any danger, as it would have happen if someone have used the cable mentioned earlier on. 

Monday, 21 September 2015

Skype is down!


Skype seems to be having technical difficulties! Most users can login but they appear offline. Skype said that it is still possible to chat in most occasions but not possible to receive or make calls. It seems though that the web.skype.com is working! Also, Skype for business seems to be working without issues. 
According to the Down Detector website the service appears to be out in a number of different countries worldwide. Maybe it is related to a major AWS outage which knocked Amazon, Netflix, Tinder and IMDbThe official twitter account of Skype (@Skype) posted the following message: 

"We are working to fix an issue which is preventing some users from logging in & using Skype. We apologize for any inconvenience."

Even thought this message was posted about an hour ago the Skype Support team (@SkypeSupport) posted a message four hours ago about the issue. More specifically, the message was saying that "We are aware of an issue affecting Skype status at the moment, and are working on a quick fix: sk.ype.ms/1KuQTL".
The URL sk.ype.ms/1KuQTL takes you to the skype.com domain where you can read more about the issue. This is what has been posted about the issue: 

We have detected an issue that is affecting Skype in a number of ways. 

If you're signed in to Skype, you will not be able to change your status and your contacts will all show as offline even if they are online. As a result, you won’t be able to start Skype calls to them.. 

A small number of messages to group chats are not being delivered, but in most cases you can still instant message your contacts.. 

If you aren’t signed in to Skype, you may be experiencing difficulty when attempting to sign in. Any changes to your Skype account such as your Credit balance or your profile details might take a little while to be displayed.. 

You may also have difficulty loading web pages on the Skype Community. For that reason, please check back here for future updates.. 

We're doing everything we can to fix this issue and hope to have another update for you soon. Thank you for your patience as we work to get this incident resolved.


Wednesday, 2 September 2015

Registering a .dll under Windows (solutions for 64-bit / 32-bit compatibility issues)

If you find yourself missing a .dll under the latest versions of Windows, you will have to download the missing DLL and register it in order to make it work. Also, due to the the 32-bit and 64-bit versions of Windows, you might end up with errors which you need to troubleshoot further. In this blog-post I am trying to give you a couple of hints on how to solve these compatibility issues when registering a .dll (32-bit/64-bit). 

Friday, 14 August 2015

The truth about CyberSecurity

Many articles have been written about CyberSecurity. Most have focused on the broad meaning of the term and in some cases have treated CyberSecurity as an "off-the-shelf" product. The truth is that CyberSecurity is more complicated than that. In this article, we will discuss some of the reasons why Cyber Security is not only difficult to define, but just how complex it really is.


Saturday, 1 August 2015

How to force downloading/upgrading to Windows 10 on a VM for testing

I really wanted to test Windows 10 migration before I updated my Windows laptop. I decided to install a copy of Windows in a VM and upgrade that copy to Windows 10. Once I had Windows installed, I run Windows Update and got all the latest updates for my installation. But, the Windows 10 logo on my taskbar (Get Windows 10) did not appear. I restarted a couple of times just in case and run Windows Update again, but still nothing. 
Even though I could download an ISO image of Windows 10 or force the update through wuauclt.exe /updatenow, I discovered that the best way to do this is through the task scheduler which initiates the upgrade process as intended. Before you begin, you should navigate to C:\Windows\SoftwareDistribution\Download and delete all the files in that folder. 

Wednesday, 29 July 2015

Was I just overcharged for a free copy of Windows 10 ???

Everyone is talking about Windows 10, and articles pop out left and right informing people about the new and technically the "last version of" Windows you will ever need! Well, to rephrase that, Microsoft is presenting Windows 10 as "the last version of Windows" you’ll ever need to get. After that, you will receive regular feature updates and product improvements.

Monday, 27 July 2015

shell: command in Windows - Did you know?

I recently discovered that not many people are aware of the shell: command in Windows. Windows Explorer (not the Internet Explorer) recognises the command shell: allowing you to open specific system folders. (you can also use: shellnew: instead of shell:)

For example, type the command shell:startup in the address bar and hit Enter.

This action will open the StartUp folder which under Windows 8.1, it is located here:
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Thursday, 23 July 2015

Burp Suite - Error handshake alert: unrecognized_name

This is the first time I had to deal with this error in Burp and I was trying to figure out what was the problem. It seems there is a problem with Java which causes Burp to fail when accessing some specific websites. This is the screen you get when this particular error occurs. 
Figure 1 - Burp Error handshake alert: unrecognized_name

If you ever stumble upon this problem the solution is easy once you know what to do. As a start, make sure you have the latest version of Java installed. 

Tuesday, 21 July 2015

What is the process to verify a particular certification?

I recently had people coming to me asking me what is the process to verify a particular certification and if I knew of a centralised way for doing this. 

Unfortunately (or fortunately as some may say) there isn't a centralised way where you could query for a particular certification. 

For example, the PCI Security Standards Council (PCI SSC) maintain a list of all certified companies and Qualified Security Assessors which is constantly up-to-date. If you want to verify a consultant's certification the only thing you need to do is to visit this link

Anyhow, this blog post is intended as a reference guide to the various webpages where you can verify a particular certification. If you do know of any other or you found that the list needs to be be updated just send me a message on Twitter and I will update it as soon as possible.

Below, the certifications are listed Alphabetically according to the respective company which have issued each certificate. 

Thursday, 16 July 2015

Critical Patch by Microsoft - MS15-078

Vulnerability in Microsoft font driver could allow remote code execution. This vulnerability requires immediate remediation (16 July 2015). 

Microsoft patch MS 15-078 addresses a serious security flaw found in the way Windows products read certain types of fonts. 
An attacker can send you an office document or ask you to visit a specific web page with a specific font being used. The attack is straight forward and simple to execute, and for that reason it is highly important to patch immediately. 

The attack is possible because it focuses on the Windows Adobe Type Manager Library and the way it deals with OpenType fonts, allowing Remote Code Execution. 

Please note that this vulnerability affects all modern versions of Windows. Also, if you install a language pack after you install this update, you must reinstall this update. Therefore, install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Tuesday, 14 July 2015

Adobe Flash Player - Keep it up-to-date

There is a big debate about uninstalling Adobe Flash Player completely from your systems or not. Unfortunately, Adobe Flash Player has been found to suffer by a number of vulnerabilities and new ones surface each other week. 
If you still want to keep flash player on your system, I suggest you change your browser* settings and make sure any flash content runs after you have authorised it by clicking on it and not automatically when you visit a web page. 

I also suggest you make sure you have the latest version of Adobe Flash Player which YOU MUST ONLY download from the Adobe website and not through any random popups or third party links. 

This is the official URL where you can download the latest version of Adobe Flash Player for your system and the browser you are using is https://get.adobe.com/flashplayer/. Please note that you need to run Windows Update in order to download automatically the latest Adobe Flash Player update for Internet Explorer. I suggest restarting your system before you run Windows Update and after you have completed patching your OS through Windows Update. 

By visiting the following link you can check if you are running the latest version of Adobe Flash Player: http://www.adobe.com/uk/software/flash/about/

* Make sure you have updated your browser (Firefox, Chrome, Opera, etc.) to its latest version before updating the flash player. In order to check if you have the latest version, run your browser, hit the Alt key from the keyboard, go to the Help menu and select the "About" option. Your browser will inform you if it is at its latest version or it will start downloading the latest version for you. 

Thursday, 9 July 2015

OpenSSL vulnerability, Severity: High, CVE-2015-1793

On June 11, an updated version of OpenSSL was released. It was disclosed earlier today that it contained a serious certificate validation error (CVE-2015-1793). Luckily, the vulnerability was discovered quickly enough (two weeks ago) and once made it was made public today a patch was also made available.
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. 

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

Please note that support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade their OpenSSL implementations to the latest version. 

It is strongly suggested to update OpenSSL implementations to the latest version.

If you would like to run a quick check on your network for SSL implementations you can do that by using nmap: 
nmap -sV -Pn --script ssl-enum-ciphers --version-intensity 2 [IP/CIDR]

Are you using Nessus? If you do, make sure you update to the latest version (6.4.1) and update your plugins: nessuscli.exe update --plugins-only
Use Plugin IDs 84636/7 for testing.

Maybe it is time for you to look into into the s2n, which is a new open source TLS implementation. This implementation avoids the rarely used options and extensions of the TLS implementation. Consequently, it consists of approximately 6000 lines of code and makes it a lot easier to review. As it stands at the moment, s2n has passed three external security evaluations and penetration tests.

Saturday, 4 July 2015

SteelCon 2015 - Can you really hack an airplane? (myths & truths)

I was very excited to hear my talk that was sent to SteelCon 2015 (http://www.steelcon.info) was accepted. This time I am talking about something different than usual, which has to do about hacking airplanes.
A lot of noise, many discussions and many articles have been written lately due to the recent so claimed airplane hack. It is indeed very difficult, up to impossible, to find information about the security of an airplane's systems if you are not actually the person responsible for designing and building such systems. Of course, it is understandable that these details regarding these systems will never become available to the general public for security reasons.

Wednesday, 1 July 2015

Steps you need to take for the upcoming Windows Server 2003 End of Support (EOS)

The End of Support (EOS) for Windows Server 2003 is only a few days away. It is very important for CISOs and CyberSecurity decision makers in general to plan the next day once the support for this product has ended. Microsoft will stop issuing security patches next week and the risk of running a critical system in production will start to increase rapidly. 
As a reminder, the date for your calendar as the last day a security patch will be issued is the 14 July 2015. As it happened with Windows XP, after its end of support, attacks against the Operating System increased in an attempt to exploit it. 

Sunday, 28 June 2015

Linkedin - security issue - Unvalidated Redirects and Forwards

This is a Linkedin shortened URL that seems to be pointing to Linkedin (when you try to reverse it) but in reality, it redirects to this blog post! https://lnkd.in/eSQcwhD

Below we are going to prove that this unvalidated redirect method (OWASP A10) can be used to deceive users and redirect them to malicious websites and malicious executable files by letting them think they are being redirected to Linkedin.

>> Responsible Disclosure: Before I start describing the issue I would like to mention that I followed LinkedIn's policy on reporting vulnerabilities process to the letter (responsible disclosure) and reported the issue exactly as it is described in this page:

After sending a detailed description of the issue (on 27/May/2015), I received the following reply from Linkedin.

Thank you for contacting us and sending us your writeup.

We do perform validation for third-party links that users submit to LinkedIn, checking the destination for inclusion on malware and safe browsing blacklists. The hash you observed is used for that purpose. 


Regarding unwinding of our short links or obfuscation, URL encoding is working as expected and the depth of third-party inspectors is not something under our control. Note that some of our redirects use JavaScript, so they may not be capable of analyzing the content. Those redirects also clearly show an interstitial that a redirect is occurring.

If you believe we have misinterpreted your report, please let us know.
Thanks!

[name of responder not being disclosed]

LinkedIn House Security

From my point of view, Linkedin did not understand the extend of the issue I described. So, I replied to that person giving him a couple of examples why I believe this unvalidated redirect "feature" doesn't seem to be working as "expected". Simply because, it can redirect/trick/deceive users into downloading malware and/or visit a malicious website, while under the impression they are being redirected to Linkedin instead. So, my reply to Linkedin response was the following:

Friday, 26 June 2015

Applied Cyber Security at MIT

MIT (Massachusetts Institute of Technology) created a short but intense Applied Cyber Security course. In order for someone to attend the course he/she had to apply and go through an approval process which determined if they were accepted to attend the course or not. In this course, experts from academia, the military and industry shared their knowledge and gave participants the principles, the state-of-the-practice, and strategies for the future in CyberSecurity. 
I was honoured and very excited to be accepted to participate in this course. In today’s world, organizations must be prepared to defend against threats in cyberspace. Decision makers must be familiar with the principles and best practices of cyber security to best protect their enterprises. 

I strongly believe that the best way to achieve this is to be educated, share knowledge and information among our peers. Our business strategies need to be reformed and adapt to the fast evolving threat landscape of cyber threats and be prepared to make the right decisions going forward.

Friday, 19 June 2015

SnoopCon 2015

It was a great honour to be invited by the Cyber Security Testing and Validation Team at British Telecoms (BT) to attend their annual internal conference, as a guest speaker. The conference is known as SnoopCon and it is BT’s Penetration Testing and Ethical Hacking annual meet-up event which lasts five days. 

The event is held behind closed doors, however it is customary that on the third day they invite people from the industry, recognising that their work would be an invaluable input if presented at their internal conference.

I had fantastic day at BT and the quality of the guest talks was over the roof. From Cyber Wargaming to the dark corners of the Dark Net, hacking the Internet of Things, a different approach when it comes to hacking cars, OS exploitation and of course, Threat Intelligence in depth.

The amazing news came a couple of days later, when I was informed that I was awarded the "Best External Speaker" award for my talk. 

The award is called the “my little Pwnie Award” based on the word "pwn", which is hacker slang meaning "to compromise" or to "control", hense the eccentric type of the award.

Thank you for inviting me to the conference and a special thank you for the award. I am looking forward to the next conference already! 

Follow me on Twitter: @drgfragkos 

Saturday, 13 June 2015

How to initialize your brand new SSD (Windows)

If you decide to buy a new Solid State Drive a.k.a. SSD, before you can use it, you have to initialize and partition it. 

Otherwise it will seem to you that you connect the drive and nothing is happening. You can do the initialization by connecting the SSD through a USB cable (SATA to USB).

  1. Attach the SSD as a secondary drive and load Windows from your existing drive.
  2. In Windows 7 and earlier, open 'Disk Management' by right clicking on 'Computer' and selecting 'Manage', then 'Disk Management'. In Windows 8 and later, move the mouse to the lower left corner of your desktop and right-click on the Start Icon, then select Disk Management.
  3. When Disk Management opens, a pop-up should appear and prompt you to initialize the SSD.
  4. Select MBR (Master Boot Record) and click OK
  5. Right click in the area that says Unallocated and select New Simple Volume...
  6. The New Simple Volume Wizard will open, click Next
  7. Leave the Specify Volume Size as the maximum (default value) and click Next
  8. Select a Drive Letter and click Next
  9. In the Format Partition screen, decide on a Volume label (the name you want to give the drive) and click Next
The drive is now formatted and ready for use.

Sunday, 7 June 2015

InfoSec 2015, BSides London 2015 and 2600

My first time at InfoSec was something like ten years ago, or more. It was interesting to see how the event has evolved over the years. Once again, it was really exciting to be among so many colleges in information security during InfoSec and Security BSides London

As always, I enjoyed my rounds at InfoSec and that I had the chance to chat and catch up with a number of people from the Information Security community and to a number of vendors about their products and their cybersecurity strategies for the next year. 

Friday, 5 June 2015

Understanding the significance of Operations Security (OPSEC) in a fast evolving threat landscape

It is not the first time a military term is being used by the Information Security community in order to describe an Information Assurance process. Operations Security (OPSEC) is a military term referring to the protection of different types of unclassified information which could end up exposing the security of an entity if put together and combined. In other words, in information security OPSEC describes the process by which publicly available information (unclassified) can be used against us if taken advantage by cyber criminals and/or adversaries with malicious intent.

Friday, 29 May 2015

BSides London 2015 - Virtual Terminals, POS Security and Becoming a Billionaire Overnight!

Yes, it is true. The talk was short-listed and it was voted for the BSides London 2015 conference! Thank you all for voting for my talk. 

I am looking forward to fantastic line-up of talks at the conference. As you probably noticed at the schedule page, the session is not to be recorded due to the sensitive content, so please, do respect this request. 

This means that if you want to find out more about the talk, you will have to be there and attend the session
Tripwire (@TripwireInc) posted a short article about my forthcoming Security BSides London 2015 talk, which you can find at this link.
 
As far as I know Track 2 is quite big and I really hope there are going to be enough spaces for everyone. For those attending the talk, mark it down on your schedule, tweet about it and follow me @drgfragkos to find out more! :) 

I have only one thing to say to you for now: Great things do come, to those who attend ;)

If you want to tweet about the talk dont forget to use the BSides London 2015 handler: #BSidesLDN2015

Copy-Past Tweet for sharing: 

Virtual Terminals, #POS Security and Becoming a Billionaire Overnight! via @drgfragkos at @BSidesLondon #BSidesLDN2015

I am looking forward to the event, hoping to have a chance to speak to all of you at the conference and potentially share a drink or two. I really appreciate your interest in this field and I can only hope my talk will keep you all excited once more. I really believe that anyone who has the opportunity to be at this conference should not miss the chance. We are all going to be there and if you have like five minutes to spare, come and say hi.