Author Archives: enicaise

Victim of a ransomware? Call the Crypto Sheriff!

Ransomware is not new, but it keeps becoming more effective and, consequently, claims more victims.

RANSOMWARE: Malware that encrypts the files on your hard disk, making them inaccessible to you, so that the attackers can demand a ransom in exchange for the means to decrypt them.

Even large companies, despite their multiple layers of security and anti-malware protection, fall victim to these. The luckiest can rely on their backups to restore the lost data; the others pay for it, either to the criminals or in business losses, or sometimes both (as paying doesn’t always guarantee that you will get a cure).

Ransomware is a plague against which smaller companies and individuals are often defenceless. Not anymore, as Crypto Sheriff has arrived.


Crypto Sheriff is a free service brought to you by Europol, the Dutch police, Kaspersky Lab and Intel Security (formerly McAfee) through the website: https://www.nomoreransom.org.

It allows you to submit samples of encrypted files and copies of the ransom note so that the malware used can be analysed and, possibly, a cure found. It also provides decryption tools that work on some of the most common malware, such as Chimera, TeslaCrypt or CoinVault.

Moreover, as prevention is always better than damage control, it also provides some basic tips to prevent such infections.

Let’s visit the Crypto Sheriff. Hihaaa!

To protect against quantum computers, will we have quantum teleportation?

It sounds a bit like a bad sci-fi movie, but it’s becoming reality. A few days ago, on August 16th 2016, China launched Micius, the world’s first quantum satellite (as reported by Quartz or BBC News).

Quantum satellite? I won’t try to explain quantum physics in a nutshell, I’m totally unqualified for that, but I would like to come back to one of my last posts of 2015 (in French) to make my point. At the end of 2015, Google and NASA announced that they had purchased a D-Wave X2 quantum computer on which they succeeded in performing some quantum-specific computations 100 million times faster than on a current average computer. As such, it was a clear indicator that our predictions about the resistance of current cryptographic algorithms and key sizes will have to be reviewed soon. With an estimated cost of 15 million US dollars, the X2 is affordable for any country, large corporation or major criminal organization in the world. Scary, no?

You may imagine that we were not the first to know, and that states like the US, Russia or China are actively looking for a solution to further secure their sensitive and secret communications in the (near) future. One of the well-known principles in cryptography, and you don’t need a degree in advanced mathematics to understand it, is that a message encrypted with a key as long as the message itself (and used only once) is virtually unbreakable. You don’t even need a complicated algorithm; a simple rotation will do. Of course, exchanging a new key for every message sent is a bit complicated, and the security of the key exchange soon becomes the weak point of the system. Too bad! Unless we use quantum teleportation.
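The principle from the paragraph above, a key as long as the message and used exactly once, as an added example in Python (it is not code from the original post). It shows both the XOR form and the “simple rotation” form of the pad, and a function that makes the “used only once” condition concrete: when the same XOR pad protects two messages, an eavesdropper who XORs the two ciphertexts gets the XOR of the two plaintexts, because the key cancels out. The function names and the sample messages are my own.

```python
# Added example (not from the original post): a one-time pad, i.e. a key as long
# as the message and used exactly once, in the XOR form and in the "simple
# rotation" form, plus a demonstration of what key reuse gives away.
import secrets


def generate_key(length: int) -> bytes:
    """Fresh random key from the OS CSPRNG; must be as long as the message."""
    return secrets.token_bytes(length)


def _check_key(data: bytes, key: bytes) -> None:
    if len(key) < len(data):
        raise ValueError("a one-time pad key must be at least as long as the message")


def otp_xor(data: bytes, key: bytes) -> bytes:
    """XOR each message byte with the matching key byte.

    XOR is its own inverse, so the same call both encrypts and decrypts.
    """
    _check_key(data, key)
    return bytes(d ^ k for d, k in zip(data, key))


def otp_rotate(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """The "simple rotation" variant: shift each byte by the key byte modulo 256.

    Rotation is not self-inverse, so decryption shifts the other way.
    """
    _check_key(data, key)
    sign = -1 if decrypt else 1
    return bytes((d + sign * k) % 256 for d, k in zip(data, key))


def key_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """What an eavesdropper computes when the same XOR pad is used twice.

    (m1 ^ k) ^ (m2 ^ k) == m1 ^ m2: the key cancels out and the relation
    between the two plaintexts is exposed, which is why a pad is never reused.
    """
    return bytes(a ^ b for a, b in zip(ciphertext1, ciphertext2))


if __name__ == "__main__":
    message = b"meet at the old bridge at noon"  # constructed sample message
    key = generate_key(len(message))
    ct = otp_xor(message, key)
    assert otp_xor(ct, key) == message
    ct_rot = otp_rotate(message, key)
    assert otp_rotate(ct_rot, key, decrypt=True) == message
    # Reusing the pad for a second message of the same length leaks m1 XOR m2.
    message2 = b"meet at the new bridge at dusk"  # constructed sample message
    leak = key_reuse_leak(ct, otp_xor(message2, key))
    assert leak == bytes(a ^ b for a, b in zip(message, message2))
    print("round trips ok; a reused pad leaks m1 XOR m2 =", leak.hex())
```

The leak is the whole reason the key-exchange problem mentioned above matters: a pad is only as good as the guarantee that it is fresh for every message, so the key material has to be transported as securely as the message it protects.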

Here again, I won’t go deeper into the technicalities but, to keep it simple, imagine you can bind the state (ON and OFF, 0 or 1) of two objects together, whatever the distance between them. When you change the state of the first one, the second one changes accordingly, simultaneously. That’s exactly what happens with two atoms or two photons when they are entangled (another quantum physics phenomenon, called quantum entanglement).

The nice feature of quantum entanglement is that it is totally simultaneous, whatever the distance (no communication delay), and that it is not possible (so far) to intercept or block the communication. As reading the state changes it, it is not (yet) possible to exchange binary information as we do with current digital communication means. However, the advantage of this “feature” is that if a third party tries to read the state of the atom, it will be noticed by the two other participants. So your communication, at least from atom to atom, is secure and has an intrusion detection mechanism embedded. Nice, isn’t it?

But what’s the point if we can’t send messages using this technique? We can’t send messages, but it seems that it can be used to securely exchange random keys (I have to admit that I don’t yet get how they do this, based on what I just wrote). If you use very long keys (as long as your message) generated by this quantum teleportation means, you can once again have very secure communication using a classical encrypted communication channel.

This way, even with quantum computers, it wouldn’t be possible to “crack” your keys, and your messages’ confidentiality during transport would be completely guaranteed. Unless science allows us to predict the modification of the measured property of the entangled atom without modifying its state, as is suggested in this popular-science article on quantum cryptography.

That said, let’s come back to Micius. Micius has some quantum-entangled atoms inside it (their “twins” are still on Earth, of course) and China, with Austrian researchers, will try to validate the effectiveness of the communication between entangled atoms over large distances (above 1200 km). That’s a statement, no?

So, we are not there yet, but the future is tomorrow and we had better get ready for it, because it will really raise the bar of the complexity of our systems, reducing our understanding of them and, hence, our control over them.

Live long and prosper!

9 tips to improve the security of your web applications

Whether you are a student, a TV show fan, a small online shop, a small enterprise or a large corporation, you likely have a website connected to the World Wide Web. You probably didn’t develop your website in PHP or in Java by yourself, but rather used one of the existing frameworks (some being free of charge) like WordPress for your blog, PrestaShop for your online shop, Odoo, Drupal, Joomla or even Adobe CQ. While you can use a “cloud” version of these applications, you might also have decided to manage it by yourself on your own server, or using a hosting service like OVH, HostGator or Ikoula.

If you’ve decided to manage it by yourself, here are a few tips to ensure that your server(s) are, and remain, secure:

  1. Use very strong passwords: at least 14 characters and a combination of uppercase, lowercase, numeric and special characters. Ideally change them a few times a year, or at least as soon as you believe a password might have been compromised. Don’t use the same password for everything.
  2. If possible, rename the default admin users (like admin or root) into something less common, or disable them, and use personal accounts (every admin should have their own user and password). When someone leaves the company, immediately remove his/her user account from the server.
  3. Patch your systems (OS like Linux or Windows Server), your middleware (like Apache or IIS), your database (MySQL, PostgreSQL, MSSQL) and your application (like WordPress or Odoo) regularly (every week). Nowadays, most systems inform you when an update is available.
  4. Ideally, you should have a separate test environment, being a second (set of) server(s) (which we will call the acceptance system) replicating exactly the one you use for public access (which we call the “production system”), on which you can first test whether the patches disrupt, corrupt or break anything on your servers (it can happen too).
  5. Disable any unused services on your server(s), like telnet (prefer SSH), motd, FTP (use SCP via SSH instead), IMAP, POP3 or SMTP (if you don’t use your server as a mail relay), Samba and other stuff you won’t use. Be sure to still keep a way to access your server. For Linux machines, you can use automated scripts like Bastille to help you harden your server.
  6. For your database accesses, use a specific system user per application (and per environment) that has only the access needed on the database of the application it is used for (so you don’t use the admin user of your database to grant your application access to its database). If possible, restrict access to the database to localhost or to the IP of your front-end application.
  7. If possible, force the encryption of your communication by using TLS (HTTPS instead of HTTP). For that purpose you need a cryptographic certificate (not a self-signed one, as it won’t be recognized by your customers’ browsers). You can get free SSL/TLS certificates that will be recognized by most browsers from companies like StartCom. Once your certificate is installed, you can check the configuration of your SSL with the free online SSL Labs analysis tool. If you need help configuring SSL on Apache servers, you can use Mozilla’s SSL Configuration Generator.
  8. In order to prevent attacks like clickjacking or man-in-the-middle, you can configure the HTTP(S) headers sent by your server to make it more secure (see the OWASP Secure Headers project for more details). Practically, you can check the status of your server’s headers on the very useful and user-friendly SecurityHeaders.io website from Scott Helme. Based on the result of your servers’ headers analysis, Scott’s website will provide you with all the necessary information to improve your headers (again, for free).
  9. Scan your server(s) in order to detect any known vulnerability. This is still possible for free with the services of BitNinja, or even from one of the market’s leaders like Qualys. If you use a Windows server, you can download Microsoft Baseline Analyzer and run it against your server.
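As an added example (it is not code from the original post, nor from SecurityHeaders.io or OWASP), the following Python script performs the kind of check tip 8 describes, but offline: it takes a set of HTTP response headers and reports what is missing or weak for clickjacking protection (X-Frame-Options or CSP frame-ancestors), for staying on HTTPS (Strict-Transport-Security), for MIME sniffing, for a Content-Security-Policy, and for version disclosure in the Server banner. The two header sets are constructed samples, and the finding codes and the one-year HSTS threshold are my own choices.

```python
# Added example (not from the original post): an offline audit of HTTP response
# headers against the protections tip 8 refers to (clickjacking, downgrade to
# plain HTTP) and other OWASP Secure Headers recommendations. Both header sets
# below are constructed samples, not captured from any real server.
from typing import Dict, List

ONE_YEAR = 31536000  # HSTS max-age threshold used here: at least one year

# Constructed sample: a default-looking server with almost no hardening headers.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.18 (Ubuntu)",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
}

# Constructed sample: the same server after applying the recommended headers.
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header value, or -1 if absent or invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_headers(headers: Dict[str, str], https: bool = True) -> List[str]:
    """Return a list of findings; each starts with a short code followed by a colon."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # Clickjacking: need X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: add X-Frame-Options: DENY (or SAMEORIGIN) or a CSP frame-ancestors directive")

    # Man-in-the-middle downgrade: HSTS keeps returning browsers on HTTPS.
    if https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("hsts-missing: add Strict-Transport-Security: max-age=31536000; includeSubDomains")
        elif hsts_max_age(hsts) < ONE_YEAR:
            findings.append("hsts-short: raise the HSTS max-age to at least one year")

    # MIME sniffing: browsers must not second-guess the declared Content-Type.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("nosniff: add X-Content-Type-Options: nosniff")

    # Content Security Policy: absent entirely.
    if not csp:
        findings.append("csp-missing: add a Content-Security-Policy header")

    # Version disclosure in the Server banner helps attackers pick exploits.
    if any(ch.isdigit() for ch in h.get("server", "")):
        findings.append("server-version: the Server header discloses a version; on Apache set ServerTokens Prod")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        result = audit_headers(hdrs)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

To run it against your own server rather than the constructed samples, pass it the headers of a real response, for example `dict(urllib.request.urlopen(url).headers)`, and compare the output with what SecurityHeaders.io reports for the same URL.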