Monthly Archives: August 2016

9 tips to improve the security of your web applications

Should you be a student, a TV Show fan, a small online-shop, a small enterprise or a large corporation, you likely have a web site connected to the world wid web. You probably didn’t developped your website in PHP or in Java by yourself but rather used one of the existing (some being free of charge) framework available like WordPress for you blog, Prestashop for your online shop, Odoo, Drupal, Joomla or even Adobe CQ. While you can use a “cloud” version of these application, you might also have decided to manage it by yourself on your own server or using a hosting service like OVH, HostGator or Ikoula.

If you’ve decided to manage it by yourself, here are a few tips to ensure your server(s) is/are and remain secure:

  1. Use very strong passwords: At least 14 characters and a combination of uppercase, lowercase, numeric and special characters. Ideally change it a few times a year or at least as soon you believe your password might have been compromised. Don’t use the same password for everything.
  2. If possible, rename or disable default admin user (like admin or root) into something less common and use personnal accounts (every admin should have its own user and password). When someone leaves the company, immediately remove his/her user account from the server.
  3. Patch your systems (OS like Linux or Windows server), your middleware (like Apache or IIS), your database (MySQL, Postgress, MSSQL) and your application (like WordPress, Odoo) regularly (every week). Nowadays, most systems inform you when an update is available.
  4. Ideally, you should have a separeted test environment, being a second (set of) server(s) (that we will call the Acceptance System) replicating exactly the one you use for the publicaccess (we call it the “production system”) on which you can first test if the patches won’t disrupt, corrupt or break anything on your servers (It can happen too).
  5. Disable any un-used services on your server(s) like telnet (prefer SSH), motd, FTP (use SCP via SSH instead), IMAP, POP3 or SMTP (if you don’t use your server as a mail relay), Samba and other stuff you won’t use. Be sure to still keep a way to access your server. For Linux machines, you can use automated scripts like Bastille to help you harden your server.
  6. For your database accesses, use a specific system user per application (and per environment) that will have only the access needed on the database of the application it is used for (So, you don’t use the admin user of your database to grant access to your database for your application). If possible, restrict access to the database to the localhost or to the IP of your front-end application.
  7. If possible, force the encryption of your communication by using TLS (HTTPS instead of HTTP). For that purpose you need a cryptographic certificate (not a self-signed as it won’t be recognized by your customer’s browser). You can get free SSL/TLS certificate that will be recognized by most browser with companies like StartCom. Once your certificate installed, you can check the configuration of your SSL with the free online SSL Labs analysis tool. If you need help to configure your SSL with Apache Servers, you can use Mozilla’s SSL Configuration Generator.
  8. In order to prevent attacks like Clickjacking or Man-in-the-Middle, you can configure the HTTP(S) headers sent by your server to make it more secure (see OWASP Secure Header project for more details). Practically, you can check the status of your server’s headers on the very useful and user friendly SecurityHeaders.io website from Scott Helme. Based on the result of your servers’ hearders analysis, Scott’s website will provide you with all the necessary information to improve your headers (again, for free).
  9. Scan your server(s) in order to detect any known vulnerability. This is still possible for free with the services of BitNinja or even from one of the market’s leaders like Qualys.  If you use a Windows server, you can download Microsoft baseline Analyzer and run it against your server.

Google (also) knows what you said last summer

After, Google knows what you did last summer, this summer, we will give you a little hint to discover (and it migh be creepy) all the things you said to your androïd phone or to your Google search (sometimes just by hitting the wrong button or by saying “OK Google”).

Yes, Googles likes to keep everything and also to share it with you (in case you would like to remeber all those stuff). You just have to go to My Activity on Google (https://myactivity.google.com/myactivity) to have te complete list of things you said to your phone (search this, call Bob, launch this application) and all the things that were heard by your microphone at the same time.

Privacy? At least now you know (a bit more about the cost of using free tools).

By the way, some hackers are using this function to hack your phone by including sounds in YouTube videos that will trigger the voice recognition function without being perceived as a command by a human. If you found something stange in the list, you’ll know.

You’ve been notified!

OK Google, close this page!

Sauron, an APT created by a government?

A few days ago, on the 9th of August, Kaspersky Lab released different reports on the newly found Project Sauron APT (Advanced Persistent Threat). Based on forensic analysis of Kaspersky labs, this APT was running since, at least, 2011 in military or governmental agencies around the world. 5 years, it is indeed persistent, isn’t it? It is also advanced because, from what we can deduct from Kaspersky’s Technical Analysis, it seems that this APT is more a framework than a “simple” Trojan. It is more a set of services and code disseminated across the Windows Servers services, used to copy, sniff, decrypt, encrypt and exfiltrate data, even found on air-gap computers. It is also clearly targeted to find sensitive information protected by a very specific encryption technology. It is also polymorphic as it changes its “appearance” (like the name of the DLL it hides behind) on each installation. It also exfiltrate data through standard channels like DNS or email in order to avoid detection.

Kaspersky named it Project Sauron because the name is used in the LUA scripts of the framework as a variable name prefix (Symantec called it Strider).The use of LUA (a very popular script language amongst gamers) is also quite exceptional in the malware world.

This combination of use of zero day exploits (code exploiting previously unknown vulnerabilities), the modularity, the polymorphism, the use of strong encryption techniques (like RSA2048, RC6, AES), the use of normal channel for exfiltration in order to avoid detection and the long lasting infection (2011-2016), makes it a “Top of the top” (sic), state-of-the-art, APT.

What makes it also exceptional is that Sauron targeted military and governmental agencies around the world and not your everyday computer system used by SMEs. Some of these targets have multiple layers of protection and detection systems, anti-viruses, security analysts, firewalls, network segregation and so on. They are even running some of their services on air-gap (not connected to the Internet) servers or networks. Even there, Sauron was able to get in and out using the USB key used to update the systems. Bottom line, Sauron was evading security measures from some of the best actors on the market. What an achievement!

So, looking at this level complexity, some will directly look at the NSA, the MI6 and the GCHQ or why not the FSB (Russia was listed amongst the victims but it is a well-known technique to get your own poison in order to avoid suspicion of being the poisoner). But, states are not the only actors in the market with such capabilities.Symantec evoque a group call Strider (hence the name of the attack) as being the mastermind behind this attack. For years now cyber-criminal organization are growing in importance and size. With a trillion (1.000 billion $) of estimated revenue per year, supposing there is one single organization that generate a 1/1000 of this revenue, meaning 1 billion $ per year, would not be a crazy idea. 1 billion $ of revenue for an organization of hackers is quite a lot of money, and means, to develop and put such kind of attack in motion. As long there is a return on the investment (and there will likely have states ready to buy such valuable information), criminals are never far away.

It means also that if this project is at least 5 years old, the attackers must have, by now, much more efficient and stealth malware in place somewhere else (or at the same place). It means also that such vector will become more widely available in the community, hence more frequent, like any technical progress in a market. If Sauron his a “private sector” product, how can we protect from organization with such means? We often settle that we are basically powerless against state espionage. Should we do the same with (large) criminal organization in the (near) future?

More on the subject: