ISC StormCast for Monday, January 11th 2016 http://isc.sans.edu/podcastdetail.html?id=4817, (Mon, Jan 11th)

Jan 10 2016

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Virtual Bitlocker Containers, (Sat, Jan 9th)

Jan 09 2016

This week, I got an interesting question from a customer: "What do you recommend to safely store files in a directory on my laptop?". There are plenty of ways to achieve this, the right choice depending on the reliability of the encryption, the ease of use and maybe some technical requirements. Sometimes a simple encrypted zip file will do the job, sometimes something stronger is mandatory. In Microsoft environments, Bitlocker has been a nice solution since Windows 7. But it was not the right choice for my customer: he did not want to use Bitlocker in its FDE (Full Disk Encryption) way. For years, I've been a big fan of TrueCrypt, which is able to work with partitions but also with containers. When not in use, those containers are seen just as big binary files by the operating system. Since the bad story that happened to TrueCrypt, I switched to GostCrypt, a 100% compatible alternative developed by a group of universities.

If your environment is fully running on top of Windows, why not use Bitlocker after all? If it's not possible to encrypt a single directory (as requested by my customer), why not create a container the TrueCrypt way? Did you know that Windows is able to create virtual disks and mount them, like a "mount -o loop" on Linux? This operation is achieved with diskpart, a command line tool available in C:\Windows\System32.

Start a command prompt, launch diskpart and a new command line window will open. (Note: you will be playing with the filesystem, so administrator

Let's go! First we must create a virtual disk of the size you need, the size being in MB:

    DISKPART> create vdisk file=c:\container.vhd maximum=120 type=fixed
      100 percent completed
    DiskPart successfully created the virtual disk file.

Now,

    DISKPART> select vdisk file=c:\container.vhd
    DiskPart successfully selected the virtual disk file.
    DISKPART> attach vdisk
      100 percent completed
    DiskPart successfully attached the virtual disk file.
    DISKPART> list vdisk
      VDisk ###  Disk ###  State                 Type       File
      ---------  --------  --------------------  ---------  ----
    * VDisk 0    Disk 1    Attached not open     Fixed      c:\container.vhd
    DISKPART> list partition
    There are no partitions on this disk to show.
    DISKPART> create partition primary
    DiskPart succeeded in creating the specified partition.
    DISKPART> list partition
      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
    * Partition 1    Primary             18 MB    64 KB
    DISKPART> select partition 1
    Partition 1 is now the selected partition.
    DISKPART> format fs=ntfs label="Secret Container"
      100 percent completed
    DiskPart successfully formatted the volume.
    DISKPART> active
    DiskPart marked the current partition as active.
    DISKPART> assign letter=q
    DiskPart successfully assigned the drive letter or mount point.
    DISKPART>

To unmount the container, use the detach vdisk command.

    select vdisk file=c:\container.vhd
    attach vdisk
    select partition 1

You can execute this script via the following command. Once mounted, the classic

    C:\> diskpart /s bitlocker.txt

With this method, you can easily exchange Bitlocker containers with peers, you can create multiple containers for multiple projects, and you can create containers on USB disks without having to reserve the entire disk for this purpose!
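As an added example (not code from the original diary), the PowerShell helpers below wrap the diskpart steps above into create, mount and unmount functions, each of which writes a temporary diskpart script and runs it with diskpart /s exactly as bitlocker.txt is run above. The function names, parameter names and the sample path, size and drive letter in the usage comments are assumptions; diskpart and manage-bde are standard Windows tools. Run from an elevated prompt, since diskpart requires it.

```powershell
# Added example, not from the original diary: helpers around the diskpart
# procedure shown above. Assumes an elevated PowerShell session.

function Invoke-DiskPartScript {
    # Write the given diskpart commands to a temporary script, run
    # "diskpart /s <script>" and return diskpart's output as a string.
    param([Parameter(Mandatory)][string[]]$Commands)
    $scriptPath = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $scriptPath -Value $Commands -Encoding ASCII
        & diskpart.exe /s $scriptPath | Out-String
    } finally {
        Remove-Item -Path $scriptPath -ErrorAction SilentlyContinue
    }
}

function New-VhdContainer {
    # create vdisk -> attach -> create partition -> format -> active -> assign,
    # the same sequence as the interactive session above. $SizeMB is the
    # fixed size of the .vhd file in MB.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$SizeMB,
        [Parameter(Mandatory)][char]$DriveLetter,
        [string]$Label = 'Secret Container'
    )
    if (Test-Path -Path $Path) { throw "Container already exists: $Path" }
    Invoke-DiskPartScript @(
        "create vdisk file=`"$Path`" maximum=$SizeMB type=fixed",
        "select vdisk file=`"$Path`"",
        "attach vdisk",
        "create partition primary",
        "select partition 1",
        "format fs=ntfs label=`"$Label`" quick",
        "active",
        "assign letter=$DriveLetter"
    )
}

function Mount-VhdContainer {
    # Attach an existing container and give its partition a drive letter.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][char]$DriveLetter
    )
    Invoke-DiskPartScript @(
        "select vdisk file=`"$Path`"",
        "attach vdisk",
        "select partition 1",
        "assign letter=$DriveLetter"
    )
}

function Dismount-VhdContainer {
    # "detach vdisk" is the unmount step; afterwards the .vhd is just a file
    # again and can be copied to a USB disk or handed to a peer.
    param([Parameter(Mandatory)][string]$Path)
    Invoke-DiskPartScript @(
        "select vdisk file=`"$Path`"",
        "detach vdisk"
    )
}

# Usage with hypothetical values (path, size and letter are assumptions):
# New-VhdContainer -Path 'C:\container.vhd' -SizeMB 120 -DriveLetter 'Q'
# manage-bde -on Q: -RecoveryPassword      # enable BitLocker on the new volume
# manage-bde -status Q:                    # confirm the volume is protected
# Dismount-VhdContainer -Path 'C:\container.vhd'
# Mount-VhdContainer -Path 'C:\container.vhd' -DriveLetter 'Q'
```

Detaching the vdisk before copying the .vhd matters: a container that is still attached may be modified while it is being copied. Checking manage-bde -status before handing a container to a peer confirms that BitLocker protection is actually on rather than merely configured.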

Xavier Mertens
ISC Handler – Freelance Security Consultant
PGP Key


SLOTH, attack on TLS using MD5, (Fri, Jan 8th)

Jan 08 2016

Giving a talk late last year, I was asked what some of my predictions were for 2016. One of the ones we talked about was further issues with TLS and the various algorithms used to provide a protocol that lies at the heart of e-commerce. Well, it looks like I got my wish, although you could argue that it was last year, as a 2015 CVE number was assigned; however, it was made public this week. (Thanks Rich for the heads up)

Two researchers at miTLS (www.mitls.org, Karthikeyan Bhargavan and Gaëtan Leurent) have been working away at issues with the protocol and have identified a weakness in TLS 1.2 if it still allows MD5 (https://www.mitls.org/pages/attacks/SLOTH#introduction). Their attack, dubbed SLOTH, shows that if RSA-MD5 or ECDSA-MD5 signatures are accepted, the protocol is significantly weakened, allowing impersonation, credential forwarding and downgrade attacks. Unlike more traditional MitM attacks, this would not present users with a warning. Currently, reading the paper, real-time attacks are not practical, but it is just a matter of having a large enough computer.

The core of the issue is again MD5. Back in 2005 it was shown that collisions were possible, and yet for core security functions we still use it (think IPSec, TLS, ...). This research has convinced the TLS working group to remove MD5 from TLS 1.3. The recommendation is to consider removing RSA-MD5 and ECDSA-MD5 from the allowed algorithms on your web servers. OpenSSL, RHEL and others have released updates to address this issue.

Mark H – Shearwater


ISC StormCast for Friday, January 8th 2016 http://isc.sans.edu/podcastdetail.html?id=4815, (Fri, Jan 8th)

Jan 07 2016


VMware Sec Advisory released (VMSA-2016-0001) – VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability – See more at: http://www.vmware.com/security/advisories/VMSA-2016-0001.html#sthash.2rpN8XTR.dp, (Fri, Jan 8th)

Jan 07 2016

