Tag Archives: Authentication Services

‘The attacker still has the upper hand,’ says the Dutch government’s most recent Cyber Security Report. The report continues: attackers are getting smarter, more devices are being connected to the internet and yet many incidents could have been prevented by implementing basic security measures.

The human and business consequences are high. In 2011, for example, internet banking fraud alone resulted in Dutch losses of €35 million, according to the report.  Over 3 million Dutch citizens in 2013 said that they have been victims of cybercrime in the last 12 months according the Norton Cybercrime Report.

In 2012, one in eight Dutch adults were the victim of cybercrime, according to government research. Young people, who are more active online, were more likely to be victimised, with one in five being affected. Worryingly, in an increasingly social online world – 30% of social network users say they share passwords with others whilst 35% are happy to connect with people they do not know online. (Source: Norton Cybercrime Report).

The threat is not going away. Citizens and businesses need to be proactive in their own defence against cybercrime; particularly as we all transact more online and mobile devices multiply. And while nine out of ten victims of phishing and skimming do report the incident to the authorities, prevention is the preferred option.

The Nationaal Cyber Security Centrum’s website offers advice and security alerts in Dutch. For more information about Symantec Website Security Solutions in the Netherlands, visit our website or call us to find out how we can help your organisation stay safe online.

このブログではウェブサイトやその上で動作しているウェブアプリケーションの脆弱性について紹介すると共に注意喚起をする目的でまとめられています。

今回は2005年以来継続して攻撃被害のあるSQLインジェクションについて解説をしています。

1. Choosing based on price. Not all certificate authorities (CA) are the same. The security of your certificates depends in part on how secure the CA is, so it pays to choose wisely. In addition, when you’re installing new SSL certificates you need a company that can provide a full range of services and the backup to make the installation go smoothly. (Symantec secures more than one million Web servers worldwide, more than any other Certificate Authority.)
   
2. Not being prepared. Before you apply for a certificate, you will need certain pieces of information. It’s worth having everything ready before you start the process.
3. Getting the wrong type. There are different kinds of certificates for different types of application. For example, there are certificates for email systems, code signing certificates and more, besides the familiar certificates used on websites. Make sure you choose the right one.
4. Leaving certificate renewal to the very last minute. It can take a little time to go through the steps required to request and issue a new certificate, especially if you choose Extended Validation, where the CA will need time to authenticate you and your organisation. Starting 2-4 weeks in advance makes sense in most cases this also guards against unseen ‘tech issues’ that might arise too.
5. Generate a valid CSR. All certificates start with a certificate signing request (CSR) but how you get a valid CSR depends on the software you’re using. Check out this guide to the most popular applications.
6. Not checking the CSR. Use Symantec’s free CSR checker to make sure you have a valid CSR.
   
7. Not protecting the private key. SSL encryption depends on a private key that unlocks communication to and from your server. Your CA gives you this private key and you install it on your system. Treat it as a valuable asset and don’t share it with more people than necessary or make it easy for unauthorised users to access.
8. Not testing the certificate. After installation, check the site using Symantec’s certificate installation checker. Also check it on a wide variety of browsers and platforms to make sure it’s working properly.
9. Not getting help when you need it. If something goes wrong, you can turn to a reputable Certificate Authority like Symantec for help. A good starting point is our support page but you can also contact us directly.
10. Losing your password. Smart IT managers keep a run book to record the procedures they use so that if they are not around to renew the certificates when they expire, at least their successors know how to do it. Your run book should include the URL, user name and password required to access your CA’s certificate centre (but remember keep this secured and only allow access to those who need to manage the certificates).

For more information on encryption, SSL, and website security download our SSL Explained interactive infographic now.

For many website owners and network security admins 2013 was the final push to move older websites and servers off of 1024-bit RSA SSL certificates to 2048-bit RSA certificates. This was an industry wide effort and one that was essential to safeguard the future of SSL/TLS. For us here at Symantec it was a year of education, communication, and mobilization.  Although many people were comfortable with SSL certificate administration and the base functions of the technology, many did not understand the core aspects of SSL encryption.  Our webinars, blogs and other publications on the subjects of algorithms and encryption levels became highly popular; and still are.

Now that 2013 has come to a close and the migration from 1024-bit SSL certificates are becoming a distant memory it is time to switch your mind to hash algorithms (e.g. SHA-1) as we embark on another migration to higher cryptographic standards before 2017. Once again this is an industry wide push to ensure that we are at the forefront of technology to meet a multitude of future demands.

What is a Hash Algorithm?

A hash algorithm reduces and maps the entire contents of the SSL certificate into a small, fixed-size value. The Certification Authority’s (CA) private key is used to encrypt the hashed value, and that is included in the certificate as the signature.  The main purpose is to reduce data of any size to a small fixed-size fingerprint that effectively represents the initial file which is signed by a CA.

The Issue

On 12 November 2013, Microsoft published a security advisory on “Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program”.  In summary, Microsoft is requesting that Certificate Authorities stop issuing new SHA-1 SSL and code signing certificates by 1 January 2016. With regards to SSL certificates, Windows (Internet Explorer) will no longer recognize or accept SHA-1 certificates from 1 January 2017. All SHA-1 SSL certificates issued before or after this announcement must be replaced with a SHA-256 (SHA-2) equivalent by 1 January 2017 to continue working with Microsoft platforms.  In regards to code-signing certificates, your code must be time stamped before 1 January 2016.

At the time of writing, the Certification Authority/Browser Forum (CA/BF) has not endorsed Microsoft’s schedule to depreciate the SHA-1 hash algorithm.  It is also worth noting that certificates chained to a private root, such as Symantec Private Certification Authority (CA) or any self-signed CA are not affected by these migrations and other regulations associated with certificates chained to public roots.

What You Need To Do/Know

Much like the recent migration from 1024 to 2048-bit RSA or ECC certificates there will be a little bit of pain but the methodologies will thankfully be the same, which should be some comfort to those of you licensing SSL certificates to multiple servers. To simplify things let me give you a check list of actions to take:

1. Locate all of your SHA-1 certificates.  Tools such as Symantec Certificate Intelligence Center can discover all of the certificates on your network regardless of who issues them.
2. Create a migration plan.
   1. SHA-1 SSL certificates expiring before 1 January 2017 will need to be replaced with a SHA-2 equivalent certificate.
   2. SHA-1 SSL certificates expiring after 1 January 2017 should be replaced with a SHA-2 certificate at your earliest convenience. 
   3. Any SHA-2 certificate chained to a SHA-1 intermediate certificate should be replaced with another one chained to a SHA-2 intermediate. 
3. Execute. Plan to do this sooner rather than later. Although many people tend to wait until the deadline, the last thing you need to handle on a New Year’s Eve is SSL certificate installation and testing.  Since any unused validity will be credited back to you, there are few benefits in waiting.
4. Test.  Upon installation please check your configuration using our set of SSL tools.  Although SSL installation may like simple muscle memory after a while, there may be hardware or software conflicts you may not have caught and a belt and suspenders approach makes sense here.

SHA-2 Ubiquity and Hardware/Software Conflicts

One thing that some owners of webservers learned in 2013 is that some older servers are not configured to handle advanced SSL encryption.  In our recent webcast on the subject only 18% of attendees who responded to the poll said they were confident that all of their servers can handle the SHA-2 hash algorithm.  If a server can’t handle SHA-2 what will you do?

If retiring them is not an option (and we know that this is often not an option you can consider), the main course of action is to move it to the backend (intranet usage) and encrypt it with a SHA-1 SSL certificate chained to a private root.  Symantec can provide an organization with a custom private SSL hierarchy to overcome hardware/software conflicts in legacy devices.  Talk to us today to help complete your cost/benefit analysis when considering this option.  It is also worth noting that in the event you encounter a hardware/software conflict please access our SSL Support Pages or contact Symantec Technical Support (available 24/7/365 days a year) using the contact information provided to you (based on region) or located in your SSL control center.

At Symantec we are committed to supporting you through this next transition in encryption standards.  In summary please plan, prepare, execute and test your move to SHA-2 before 1 January 2017 for SSL and 1 January 2016 for code-signing certificates.  If you would like to learn more view our aforementioned webinar How to Navigate the Future Changes in SSL Encryption (select “View” at the bottom of the text for the recording).

このブログではウェブサイトやその上で動作しているウェブアプリケーションの脆弱性について紹介すると共に注意喚起をする目的でまとめられています。

今回は2013年に公表されたApache Strus2の脆弱性(S2-016)の概要、影響、対策について解説をしています。

※なお、内容に関しましてはHASHコンサルティング株式会社の徳丸　浩様に監修いただいています。

＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋

Apache Struts2の任意コード実行可能な脆弱性S2-016(CVE-2013-2251)

■概要

Apache Struts2（2.0.0-2.3.15）には、外部から指定した任意のプログラムを許してしまう脆弱性S2-016(CVE-2013-2251)があります。これはすなわち、インターネット経由で、攻撃者がサーバー上で勝手にプログラムを実行できるという意味です。その結果、情報漏洩、データやページの改ざん、他のサーバーへの攻撃、サービスの停止などさまざまな影響を受ける可能性があります。

　Struts2には、OGNL(Object-Graph Navigation Language)というJavaに似た言語がサポートされ、Web開発をサポートしています。OGNLはStruts2の様々な場所で使えますが、外部からOGNLが指定できてしまうとセキュリティ上問題なので、外部から指定できないように制限されています。

しかし、一部に制限漏れがあり、細工したURLを閲覧することで、外部からOGNL式を指定できる箇所が見つかりました。式には「プログラム実行」を指定することもできるため、この脆弱性は、前述のような大きな影響があります。

■攻撃のイメージと影響

　Struts2のサンプルアプリblankに対して、サーバー上で3 * 4の計算をするには下記のURLを実行します。

　3 * 4のかけ算をサーバー上で計算しても実害はありませんが、同様の手順によりサーバー側で「任意のプログラム」を実行することができます。

■脆弱性による影響

　この脆弱性による影響の例として下記がありますが、これらに限りません。

• Webコンテンツの改ざん
• 情報漏えい
• コンテンツ削除等によるサービスの停止
• 他サーバーへの攻撃（踏み台）

■脆弱性の有無の確認方法

　S2-016は外部からの診断で見つけることは難しいとされており、Struts2が設置されているサーバー上で下記のコマンドを実行する方法が確実です。

上記の太字の部分がStruts2のバージョンです。上記の実行例では、2.3.15となります。2.3.15以下の数字であれば当該脆弱性があります。2.3.15.1以降であれば対策されたバージョンです。

■対策

Struts2をバージョンアップすることで対策となります。前述のように2.3.15.1以降で対策されていますが、特別な事情がなければ最新版のStruts2（本稿執筆時点では2.3.16）の導入を推奨します。

Struts2のバージョンアップ自体はjarファイルの入れ替えのみであり短時間で終わりますが、バージョンアップによるアプリケーションの影響の検証が必要であり、検証には時間を要する場合があります。すぐに検証が終わらない場合や、検証の結果アプリケーションに不具合が生じてアプリケーションの改修が必要な場合は、回避策を導入する必要があります。回避策の1つとして、WAF(Web Application Firewall)の導入があります。S2-016による攻撃は特徴的であるため、WAFによる防御は有効です。

なお、「シマンテック クラウド型WAF」では、S2-016の脆弱性をからウェブサイトが攻撃を受けるのを防ぐことができます。

■参考文献

Apache Struts の脆弱性 (S2-016) に関する注意喚起(JPCERT/CC)

‘I don’t know of any reason why you[r website] wouldn’t be able to rank with just HTTPS,’ says Matt Cutts of Google.

More and more software developers in the UK and US are looking to Eastern Europe to get their code written. After all, it can be done far more cheaply there, as well as offering an abundance of choice. Indeed, code writing ‘houses’ in Eastern Europe are proliferating in response to this demand – from one-man bands to sizeable operations. So any developer intent on keeping their costs down, and often along with the promise of a quick turnaround, has the perfect scenario for having their software code written there, right?

Not necessarily. Because cheap is not good if the code that’s written becomes compromised in any way. And when you, the developer, are possibly thousands of miles away from whoever is writing your code, you need to be even more sure of those into whose hands you are entrusting this process.

Certainly, there are many highly reputable enterprises in Eastern Europe that provide this service and deliver to the highest standards. But this is also a region where, not unlike other areas of the world, cybercrime has soared with the rapid growth of ecommerce and emergence of a more stable, faster Internet. Software that has not been adequately protected is an irresistible target for them, as indeed it is wherever cybercrime rears its head.

No doubt we can all recall incidents where the cybercriminals have struck hard. There was the ‘Zeus’ virus scam, used to steal around £675,000 from the bank accounts of some 3,000 on-line UK customers, while, earlier this year, US federal authorities charged three men with building and disseminating a virus that crippled NASA computers and brought in tens of millions of dollars for the East European-based cybercriminals.

And then there’s Alexsey Belan, for whom the FBI is offering a reward of up to $100,000 for information leading to his arrest. Belan is alleged to have penetrated the computer networks of three major US-based e-commerce companies, stealing their user databases and the encrypted passwords of millions of accounts, and then selling these on. Only look on the FBI’s website listing of ‘Cyber’s Most Wanted’ and you will find many more such examples of cybercriminals active in the region.

“Global cybercrime is arguably the biggest underworld industry of our times,” said Nir Kshetri, in the  report, ‘Cybercrime and Cybersecurity in the Global South’[1]. “Global forces and technologies such as mobile phones, social media and cloud computing are shaping the structure of the global cybercrime industry, estimated at US$1 trillion. Many of the economies in the Former Soviet Union and Central and Eastern Europe (FSU&CEE) have become top cybercrime hotspots.

“Cybercrime rings in these economies have mastered complex tricks and have increased pervasiveness and sophistication of cyberfrauds. Sophisticated frauds, such as cyberextortion, distributed denial-of-service (DDoS) attacks and hijacking users’ searches and clicks, involve a complex fusion of strategy, technology, processes and people,” he states.

“Corruption, the lack of sufficiently high penalties, ineffective, inefficient, inadequate and weak legislation and lax law enforcement have fuelled cybercrime,” Kshetri adds.

So, no matter how compelling your latest application or functionality may be, any vigilant customer will be aware of such dangers and see potential risk in installing your code, fearful that they might be putting malware on their computers, smartphones and other devices. Once unleashed, malicious code can wreak havoc, stealing personal and financial data, damaging files and systems, and compromising confidential information. Malware also poses a serious threat to the mobile environment, slipping into application stores and becoming a threat to anyone who downloads such infected applications.

Fixing the damage can exact a huge toll on those stores – in terms of time, money and disruption. And the damage goes deeper. Because, when application stores lose the trust of their customers, wireless providers and device manufacturers can lose customers, too. The ‘domino’ effect hurts everyone.

So, any developer keen to reap the upsides of Eastern Europe needs to be mindful of the downsides and ensure that the systems to protect their applications are in place. And that brings us to the good news. Software vendors and developers can digitally sign and timestamp the software they distribute over the Internet – known as ‘Code Signing’ – to demonstrate that their applications are safe, secure and trustworthy.

With code signing, everything starts from a position of trust – trust that the apps and downloads that customers install are free from viruses, spyware, or any other alteration or tampering that might compromise or damage their systems. And that isn’t all that’s at stake. Get it wrong and your hard-won brand and reputation could soon be in tatters.

This is where code signing solutions from Symantec come in to play, creating what is essentially a ‘digital shrink wrap’ for secure distribution of code and content over the Internet. Not only does this protect your software, but also it gives customers all the information they need to download and install your software with complete confidence.

Here’s how it works. When you are ready to publish new software and make it available on line, Symantec’s solutions enable you sign and timestamp your code, using a secure private key and digital certificate. The latter includes an encryption hash that allows customers to see all of the information in your digital certificate when they download your application, verifying your identity as the publisher, and confirming the integrity and trustworthiness of your software.

Also, Symantec fully supports multiple computing and mobile platforms, including an EV (Extended Validation) code signing solution that enhances the levels of trust on the latest operating systems, browsers and security software. Another plus for developers is that Symantec has partnered with Microsoft to integrate EV Code Signing certificate status with its SmartScreen reputation services in Internet Explorer and Windows 8. That means programs signed by an EV Code Signing certificate can immediately establish reputation with Microsoft’s SmartScreen, even if no prior reputation exists for that file or publisher; so, potentially there will be fewer warning messages flagged up when a user tries to run your application.

Ensuring that your software has these highest levels of authentication in place protects your brand every time and strengthens the trust relationships that make your business successful.

And with such protections in place, looking to Eastern Europe for the many code writing advantages it promises may well be a move that allows you to sleep that much easier at night.

As we wrote in our previous blog The Middle East and North Africa (MENA) region is basking in the joys of booming economic growth.

These are exciting times however, that said, such success also has its downsides. While e-commerce is on a rapid upward trajectory – particularly in the banking and travel sectors – it has made many MENA businesses highly attractive to the cybercriminals, who are out to cash in on any vulnerabilities they can exploit.

Just how open to the cybercriminals the region is can best be exemplified by the targeting of its oil and gas sector. Last year, it was the victim of a hacker attack known as Shamoon (aka W32.Disttrack), which is capable of wiping files and rendering several computers on a network unusable. Saudi Arabia’s national oil company Saudi Aramco itself came under fire, with 30,000 of its computers knocked out, resulting in its own network being taken offline. Only a few days later, in Qatar, computer systems at energy firm RasGas, one of the world’s largest producers of liquid petroleum gas, were also taken offline by a similar attack.

What exactly can Shamoon do, once it gets inside an organisation? A great deal of damage, is the answer. Using bespoke malware written to run on both 64bit and 32bit systems, it is able to:

• Disseminate malware over the network
• Pass data to the attackers
• Erase disks of infected machines.

But the level and scale of attacks go way beyond that. In some cases, they are designed to cause maximum disruption for political reasons. In other cases, it’s all about inflicting brand damage or manipulating the market. But mostly these assaults are driven by financial motives. And they are only increasing. As the MENA region’s economy prospers, the cybercriminals are out to do the same.

One favoured method of trapping the unsuspecting is by means of what is known as a ‘Watering hole’ web attack. Just as a lion will lurk unseen waiting for its prey when it comes out into the open to drink, believing it is safe, so, too, do the hackers seek out those with their guard down (Indeed one particularly successful (for the perpetrator that is) waterhole attack infected 500 organisations in a single day). Moreover, the intended victims that the attackers seek out are particular individuals or groups (organisation, industry or region, such as MENA) and then: Identifying which websites are used most often

• Exploiting a website vulnerability and infecting one or more of these sites with malware
• Ensuring as a result that some member of the targeted group will also get infected.

Once that process is complete, the trap is sprung and the defenceless victim ensnared. Google, Apple, Twitter and Facebook have all been victims of such attacks after employees visited a site popular with iOS app developers.

For those intent on enjoying a share of MENA’s burgeoning prosperity, while avoiding the damage inflicted by the cybercriminals, it is vital that anyone who engages with your business remains safe and secure, particularly when conducting on line transactions. And the way to make certain of this is by using SSL and a trust mark such as the Norton Secured Seal

In fact, SSL certificates should be the starting point for any ecommerce site or anyone else that asks customers to submit personal information. Equally, for companies that don’t ask for personal information from visitors, SSL is still an absolute must, as it acts as a powerful protective barrier on line, keeping the cybercriminals at arm’s length. So, if you are operating in the region or looking to do so, you need to put a series of ‘Best Practice’ measures in place, such as:

Advanced Reputation Security: Detect and block new and unknown threats based on global reputation and ranking

Layered Endpoint Protection: use more than just AV – use full functionality of endpoint protection including heuristics, reputation-based, behaviour-based and other technologies; restrict removable devices and turn off auto-run to prevent malware infection

Layered Network Protection: Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies; network protection is more than just blacklisting

Security Awareness Training: ensure employees become the first line of defence against socially engineered attacks, such as phishing, spear phishing, and other types of attacks.

Website Security Solutions from Symantec: SSL certificates with added website malware scans and web vulnerability assessment to ensure your site cannot be compromised by hackers.

Most of all, you need to create and enforce security policies, so that all confidential information is encrypted – and monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies.

On which note, according to a survey carried out recently by the independent web research organisation Baymard Institute, in conjunction with Google, the Norton Secured Seal is by far the most trusted – nearly 13% ahead of its nearest rival (http://baymard.com/blog/site-seal-trust). It was shown to be the seal that gave customers the strongest sense of trust when purchasing online, making it the de facto choice.

For any business intent on capturing and keeping customers in the MENA region by establishing the highest levels of trust and trustworthiness, such reassurance will play a major role in the days ahead, as the internet spreads its reach even farther and e-commerce gathers ever greater momentum.

To learn more please visit go.symantec.com/ssl