Troy Hunt’s ultimate list of security links

Below is the list of security-related links Troy Hunt posted on September 26, 2015. http://www.troyhunt.com/2015/09/troys-ultimate-list-of-security-links.html

Also included are links posted by his readers in the Comments section.

SSL / TLS / HTTPS

  1. Is TLS fast yet – A great site debunking the myths of SSL/TLS speed cost
  2. Firesheep – A watershed moment for SSL by demonstrating the ease with which unprotected traffic can be intercepted and sessions hijacked
  3. Qualys SSL Labs – Tests a variety of attributes of the SSL implementation by pointing it at any URL
  4. CloudFlare – Get SSL for free on any website
  5. Let’s Encrypt – It’s coming, and it promises to fix the current mess that is CAs and configuring certs
  6. Betsy’s free wifi – Shows a young girl standing up a rogue wifi hot spot
  7. Chromium HSTS preload list – All the sites submitted for HTTP strict transport security preload (a depressingly small number of them)
  8. HTTP Shaming – Sensitive data sent insecurely? Name and shame!

DDoS

  1. Krista’s professional DDoS service – Video of an innocent teenager promoting a DDoS service
  2. Norse – Totally awesome real time map of DDoS attacks that’s absolutely mesmerising to watch
  3. Booter promotional video – Very professional advert for a “booter” service (complete with “Epic DDoS interface”)
  4. networkstresser.com – Example of a DDoS service… protected by CloudFlare… the world’s largest provider of DDoS defences…

SQL injection

  1. sqlmap – The tool for mounting SQL injection attack tests against a running site
  2. Drupal 7 SQL injection flaw of 2014 – great example of how impactful it still is (patch it within 7 hours or you’re owned)
  3. Ethical Hacking: SQL Injection – If you really want to go deep, here’s five and a half hours worth of Pluralsight content

XSS

  1. XSSposed – List of sites found to be vulnerable to XSS (including attack vector)
  2. Dutch banks doing the Harlem Shake – Video collage of a number of Dutch banks with XSS risks being made to do the Harlem Shake via a script reflected from the URL
  3. XSS Filter Evasion Cheat Sheet – Because XSS payload filtering is almost always insufficient
  4. </xssed> – Heaps of XSS news and lists of vulnerabilities

Security scanners

  1. NetSparker – My favourite dynamic analysis tool due to ease of use and practicality (especially good for developers who may not live in security land)
  2. OWASP Zed Attack Proxy (ZAP) – Great tool for dynamic analysis security testing and has a whole raft of other uses too (oh – and it’s free!)
  3. Burp Suite – Seriously powerful with a heap of different tools and a freebie version to get you started
  4. Fiddler – Not a security tool per se, but I use it extensively to inspect website behaviour, tamper with requests and modify responses on the wire
  5. Acunetix – Popular dynamic analysis tool similar to NetSparker but is let down a bit in the usability stakes IMHO
  6. Nikto2 – Freebie open source app scanner sponsored by NetSparker

Exploit databases and breach coverage

  1. seclists.org – Heaps of exploits consolidated from various bug tracking lists
  2. Exploit Database – Very comprehensive list of vulnerabilities
  3. PunkSPIDER – Lots of vulnerabilities of all kinds all over the web (about 90M sites scanned with over 3M vulns at present)
  4. Data Loss DB – Good list of breaches including stats on number of records compromised
  5. Information is Beautiful: World’s Biggest Data Breaches – Fantastic visualisation of incidents that give a great indication of scale

Cracking software

  1. Hashcat – The tool for cracking hashed passwords; totally free with a great supportive community
  2. John the Ripper – Also top notch password cracking software with some different approaches to Hashcat
  3. RainbowCrack – Rainbow tables are becoming less relevant in the era of fast GPUs and tools like Hashcat, but it’s worth a mention anyway
  4. Aircrack-ng – For all your 802.11 WEP and WPA-PSK key cracking needs

Hacking and penetration testing tools

  1. Metasploit – The canonical pen testing tool; seriously advanced and enormously powerful
  2. BeEF – The Browser Exploitation Framework offering remote control over a target’s browsing session
  3. Kali Linux – All your pen testing bits in one image!
  4. Backtrack-linux – Fallen out of favour a bit as Kali has emerged, but still deserves a mention
  5. Nmap – For all your mapping of network things needs
  6. Wireshark – When you need to get down to monitoring at the packet level

Vulnerability definitions

  1. The OWASP Top 10 Web Application Security Risks – The canonical categorisation of the top risks on the web today
  2. SANS 20 Critical Security Controls – Great consolidation of security controls presented in an easily consumable fashion

Security headers

  1. Fiddler extension for CSP – Massively streamlines your creation of a CSP by building the policy as you browse
  2. SecurityHeaders.io – Everything security header related and a great place to assess your current state
  3. Report URI – Analyse your CSP and HPKP headers plus log your exception reports there
  4. Make any website do the Harlem Shake – if you can run this in the console against a website, they almost certainly don’t have a CSP prohibiting arbitrary content from being loaded into the site

Passwords

  1. OWASP Password Storage Cheat Sheet – There are plenty of bad ways of doing it, this is a great resource documenting the good ways
  2. Jimmy Kimmel “What is your password” – video of interviewing people and engineering them into disclosing their password
  3. Diceware – A popular method of creating strong pass phrases suitable for use as a password

Password managers

  1. 1Password – Still my favourite password manager; client based, runs on all devices and the keychain is syncable via multiple mechanisms
  2. LastPass – A web based password manager (albeit with rich clients as well), one of the big players in password managers
  3. KeePass – A popular free alternative to commercial password managers

Account management

  1. Adult Friend Finder password reset – Enumeration done wrong; initiate a password reset for any email address and be told if they’re a member of a highly personal site
  2. Entropay password reset – A great example of not disclosing the existence of an account (try resetting an account that isn’t registered on their system)
  3. Botnet brute force attack against GitHub – I regularly use this as an example of how hard it can be to defend against brute force

Personal security

  1. F-Secure’s Freedome – My VPN of choice with lots of exit nodes around the world and a promise of no logging
  2. mycreditfile.com.au – This is an Aussie version so do find one local to you if you’re not down under, but identity protection and credit alerts is a “must have” today IMHO

Googledorks

  1. Google Hacking Database – Great collection of Googledorks categorised by various classes of exposed data
  2. Google Hacking for Penetration Testers – In case you prefer books over web pages

Other tools and links

  1. Have I been pwned? – How could I not include this?! My own tool, now being put to particularly good use by large enterprises monitoring tens of millions of people
  2. Mailinator – create temporary email addresses for testing
  3. Shodan – Find devices connected to the web (cameras, SCADA systems, etc.)
  4. Retire.js – “What you require you must also retire”: Helps identify JavaScript libraries with known vulnerabilities
  5. urlQuery.net – Analyses web-delivered malware by inspecting an individual URL and identifying malicious behaviour
  6. Phish5 – I’m yet to use them but I hear good things; phishing attacks are enormously effective and these guys help you test your organisation for how well equipped people are to recognise the attacks
  7. Plain Text Offenders – Been emailed your password? Name and shame!
  8. Kaspersky Real Time Threat Map – Very cool visualisation of the real time threat Kaspersky is seeing
  9. Tor Browser Bundle – Access the underwebs and browse anonymously

Security statistics reports

  1. Verizon Data Breach Investigations Report – The annual DBIR is based on real world security incidents and is a great resource for evidence-based security metrics
  2. WhiteHat Security Statistics Report – Based on findings in the websites they monitor with their security products so another good evidence-based report
  3. Trustwave Global Security Report – Another annual report driven from real world investigations (plus they use the terms “threat intelligence”, “seedy criminal underground” and “data defender” so you know it’ll be good!)
  4. Websense Threat Report – Created by Websense Security Labs, a fairly high level overview of the threat landscape
  5. HP Cyber Risk Report – More cyber, more statistics, more reports

Noteworthy books

  1. We are Anonymous – Still one of my favourite security books, a look inside Lulzsec and how it all unravelled
  2. Ghost in the Wires – The story of Kevin Mitnick’s early days and an absolutely fascinating read
  3. Data and Goliath – Just because you’re paranoid doesn’t mean they’re not after you! Excellent read on data collection by Bruce Schneier

Other things you should be reading

  1. What Every Programmer Absolutely, Positively Needs To Know About Encodings And Character Sets To Work With Text – Because encoding is one of those things you just need to know

Awesome people you want to read and follow

  1. Mikko Hypponen
  2. Brian Krebs
  3. Jeremiah Grossman
  4. Scott Helme
  5. Bruce Schneier
  6. Kevin Mitnick
  7. Swift on Security
  8. Brian Honan
  9. Graham Cluley
  10. Rob Graham

Links from the Comments (with some shameless and not shameless plugs)

  1. Troyhunt.com / @troyhunt
  2. http://blog.cryptographyengineering.com/ (Crypto relatively easy explained)
  3. http://blog.cr.yp.to/ (Also crypto, by Dan Bernstein)
  4. https://blog.skullsecurity.org/ (Detailed “How-to”s to a wealth of security stuff, from DNS over Hash extension to ROP)
  5. https://pax.grsecurity.net/docs/index.html (Especially the txt documents – that’s where a lot of the kernel security today comes from – ASLR anyone?)
  6. https://twitter.com/grsecurity (Twitter of one of the grsecurity devs, most interesting for Linux users)
  7. http://googleprojectzero.blogspot.de/ (Google’s Project Zero)
  8. http://www.dfir.org/?q=node/8 <- big list of “recommended Reading”
  9. https://strongpasswordgenerator.com/
  10. https://8ack.de/firstaidkit/ don’t panic first aid kit (more for devops, but some links could fit in here too)
  11. https://app.pluralsight.com/library/courses/aspdotnet-security-secrets-revealed/table-of-contents “ASP.NET Security Secrets Revealed” course
  12. http://infospectives.co.uk/
  13. Also open source training: https://www.edgescan.com/secure_application_dev_training_material.html
  14. Edgescan stats report: http://www.bccriskadvisory.com/wp-content/uploads/Edgescan-Stats-Report.pdf
  15. https://encryptr.org/
  16. http://emailsecuritygrader.com/
  17. IBM X-Force Exchange Threat Intel Platform – https://exchange.xforce.ibmcloud.com/
  18. IBM X-Force Threat Intelligence Quarterly – http://www-03.ibm.com/security/xforce/downloads.html
  19. Book – The Cuckoo’s Egg by Cliff Stoll
  20. https://httpsecurityreport.com/
  21. http://www.digitalattackmap.com/
  22. Password Manager – https://www.schneier.com/passsafe.html
  23. https://privnote.com/
  24. https://paragonie.com/blog/category/security-engineering
  25. https://www.privacytools.io/
  26. http://www.arachni-scanner.com/
  27. http://www.arachni-scanner.com/features/framework/crawl-coverage-vulnerability-detection/
  28. https://whatsmychaincert.com/
  29. https://certsimple.com/
  30. http://testssl.sh/
  31. Book – http://www.amazon.com/Stealing-Network-Complete-Collectors-Edition/dp/159749299X
  32. http://wpscan.org/
  33. https://wpvulndb.com/

Original content courtesy of Troy Hunt licensed under a Creative Commons Attribution 3.0 Unported License.

Work on this page is also licensed under a Creative Commons Attribution 3.0 Unported License.

The most “bank grade” secure of Milwaukee County bank websites

Only 3 sites passed our Milwaukee County bank website security review. Who passed and who failed?

The following are results and analysis of a snapshot of SSL Labs Server Tests of Milwaukee county’s state chartered banks’ web servers performed June 2nd, 2015.

Results are sorted by:

  1. Grade (A to F followed by sites that don’t use secure protocols & failures), then by
  2. Number of failed tests (ascending), then by
  3. Bank name

Clicking the name of the bank in column A will take you to the SSL Labs report page for that bank’s website or the 3rd party service it uses for online banking (that is why most of the bank names and domains tested in the report don’t directly match).

Findings

3rd party services are prevalent

As far as I could tell, none of these banks used their own services for managing the actual financial portion (online banking, credit card processing, online deposits, etc.).  They all outsourced to 3rd party services, which you’d think would be more secure since many clients are managed from the same service.

From a confidence and usability standpoint, it should be noted that none of these banks inform or disclose that the user will be redirected to a 3rd party service.

The F (many issues including SSL 2 enabled)

Waterstone Bank’s website got the one and only F grade. Their server still supports SSL 2, which is obsolete and insecure. This alone capped their grade at F. They were also one of two that had SSL 3 enabled.

Additionally, the HTTP version of their site doesn’t automatically redirect to the HTTPS version, which wouldn’t do them much good at this point.  I didn’t go through all the pages, but there doesn’t appear to be any user information that passes through the HTTP or F-grade-receiving-HTTPS-page.  The Account Access links for business and consumer banking link directly to the 3rd party service via HTTPS.

The only A

Metavante’s RemitPoint solution used by Park Bank earns the only A grade.  According to this press release, RemitPoint provides “a centralized image-based remittance processing service.”  The only way for them to get an A+ is to enable HTTP Strict Transport Security support with a max-age of at least 6 months.

Two A- Websites (the other 2 of 3 A grades)

So there is only one bank’s website (not the portion where the online banking occurs) that received an A- grade.  Congrats to Layton State Bank.

Also, only one 3rd party banking service, Park Bank Business Credit Card – Administrator from FIS received an A- grade.

Neither supports Forward Secrecy, which would boost their respective scores.

The grade breakdown

  • A grade (A or A-): 3/20 – 15%
  • B grade: 2/20 – 10%
  • C grade: 14/20 – 70%
  • D grade: 0/20 – 0%
  • F grade: 1/20 – 5%

No secure protocols supported: 2

Assessment failures: 2

Sites without secure protocols

The first is Columbia Savings and Loan Association’s website, which is purely informational. There are no links to online banking or other login fields for customers. However, the “Owner Login” link does not target an HTTPS page, nor does the login form within.

The second is The Equitable Bank’s website.  The “Access ID” field targets a secure endpoint, but the page itself isn’t secure.  Fortunately, the account password isn’t requested until the 3rd party service’s secured page.
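The two cases above are easy to check mechanically once you have fetched a page: resolve every form action and login link against the page URL and look at the scheme of both the page and the target. The script below is an added example, not tooling from this post; the two HTML pages and the `bank-a.example` / `bank-b.example` hostnames are constructed to mirror the two findings (a login link and form that stay on plain HTTP, and an “Access ID” field that posts to HTTPS from a page that is not itself secure).

```python
"""Checks for the two login-page problems the post describes: a login link or
form target that is not HTTPS, and a login field on a page that is itself served
over plain HTTP even though the form posts to HTTPS. Added example, not the
post's own tooling; the two HTML pages and hostnames below are constructed."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

LOGIN_WORDS = ("login", "log in", "sign in", "account access", "access id")


class LoginTargets(HTMLParser):
    """Collect each form's action (and whether it has a password field) plus
    the href of every anchor whose visible text looks like a login link."""

    def __init__(self):
        super().__init__()
        self.forms: List[dict] = []
        self.links: List[str] = []
        self._form = None     # the form currently being parsed, if any
        self._anchor = None   # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["password"] = True
        elif tag == "a" and "href" in a:
            self._anchor = [a["href"], ""]

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "a" and self._anchor is not None:
            href, text = self._anchor
            if any(w in text.lower() for w in LOGIN_WORDS):
                self.links.append(href)
            self._anchor = None


def is_https(url: str) -> bool:
    return urlsplit(url).scheme.lower() == "https"


def check_page(page_url: str, html: str) -> List[Tuple[str, str, str]]:
    """Return (kind, resolved target, problem) findings for one fetched page."""
    parser = LoginTargets()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # an empty action posts back to the page itself
        if not is_https(target):
            findings.append(("form", target, "form submits over plain HTTP"))
        elif not is_https(page_url):
            what = "password field" if form["password"] else "form field"
            findings.append(("form", target, f"{what} on a page served over HTTP (target is HTTPS)"))
    for href in parser.links:
        target = urljoin(page_url, href)
        if not is_https(target):
            findings.append(("link", target, "login link does not target an HTTPS page"))
    return findings


# Constructed pages mirroring the two cases in the post (not the banks' real markup).
INFO_SITE = """<html><body><p>Welcome to our informational site.</p>
<a href="/owner">Owner Login</a>
<form action="/owner/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit" value="Log in">
</form></body></html>"""
ACCESS_ID_SITE = """<html><body>
<form action="https://banking.example/login" method="post">
  Access ID <input name="accessid"><input type="submit" value="Go">
</form></body></html>"""


if __name__ == "__main__":
    for url, page in (("http://bank-a.example/", INFO_SITE), ("http://bank-b.example/", ACCESS_ID_SITE)):
        for kind, target, problem in check_page(url, page):
            print(f"{url}: {kind} -> {target}: {problem}")
```

The second case is reported even though the target is HTTPS, because a field on a plain-HTTP page can be altered in transit before the user ever reaches the secure endpoint; the same page fetched over HTTPS produces no findings.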

Logjam (95% pass rate)

Information about the latest vulnerability, the Logjam attack, was published last month (May 20, 2015). I wanted to highlight those results specifically in this project.

There was one server that didn’t pass the WeakDH.org server test.  The Park Bank Personal Credit Card service from First Bankcard got the warning about using a common 1024-bit DH prime.  I thought about adding a “Warning” type to Pass/Fail, but decided that anything that wasn’t a pass was a failure.

“Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.”

Things I’d never seen before

An interesting report to look at is the one for Park Bank Merchant Card Processing. It was the first time I saw the notification “This site is intolerant to newer protocol versions, which might cause connection failures.”

It also allows only one cipher suite, TLS_RSA_WITH_AES_256_CBC_SHA (0x35). The fewest I had seen before was 3.

The other result I hadn’t encountered was “Assessment failed: Cipher suite support test failed” which occurred on the Points2U test.

Why so many C’s?

Those of you familiar with these types of analyses will notice many more “C” grades than before. Since the 5/20/15 release of version 1.17.10, SSL Labs penalizes the RC4 cipher more heavily when it is used with TLS 1.1+, and not supporting TLS 1.2 now caps the grade at C (previously B). Full information on the ratings is available here (PDF).
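To make the grade caps discussed throughout this post concrete (SSL 2 capping at F, missing TLS 1.2 capping at C, the RC4 change, the A- sites that lack Forward Secrecy, the HSTS max-age needed for A+, and the WeakDH.org 1024-bit warning), here is a small model that applies them to constructed server profiles and sorts the results the way the spreadsheet above is sorted. It is an added example, not SSL Labs’ rating algorithm: it encodes only the rules stated in this post, and the lines marked ASSUMPTION (SSL 3 and RC4 modelled as a cap at C, “6 months” taken as 180 days) are my simplifications. Every profile name and value is constructed, not a measured result.

```python
"""Simplified model of the SSL Labs grade caps this post describes, applied to
constructed server profiles and sorted the way the post's spreadsheet is.
Added example; it is not SSL Labs' rating algorithm. It encodes only the rules the
post states (SSL 2 -> F, no TLS 1.2 -> capped at C, A+ needs HSTS with max-age of
at least 6 months, the Logjam 1024-bit DH warning) plus the ASSUMPTIONS marked
below. All profiles, names and numbers are constructed, not measured."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "F", "No secure protocols", "Assessment failed"]
SIX_MONTHS = 180 * 24 * 3600  # ASSUMPTION: "6 months" taken as 180 days, in seconds


@dataclass
class ServerProfile:
    name: str                                 # bank or 3rd-party service name
    protocols: Set[str]                       # e.g. {"SSLv3", "TLSv1.0", "TLSv1.2"}
    cipher_suites: List[str]                  # IANA names, e.g. "TLS_RSA_WITH_AES_256_CBC_SHA"
    hsts_max_age: Optional[int] = None        # Strict-Transport-Security max-age, None if absent
    dh_bits: Optional[int] = None             # size of the DHE group, None if no DHE suites
    version_intolerant: bool = False          # "intolerant to newer protocol versions" notice
    assessment_error: Optional[str] = None    # scanner could not finish, e.g. cipher test failed


@dataclass
class Assessment:
    name: str
    grade: str
    failures: List[str] = field(default_factory=list)  # findings that cost the grade
    warnings: List[str] = field(default_factory=list)  # findings that do not


def worst(a: str, b: str) -> str:
    """A cap only ever pulls a grade down, so keep the lower of the two."""
    return max(a, b, key=GRADE_ORDER.index)


def has_forward_secrecy(suites: List[str]) -> bool:
    # Ephemeral (EC)DHE key exchange is what provides forward secrecy.
    return any(s.startswith(("TLS_DHE_", "TLS_ECDHE_")) for s in suites)


def assess(p: ServerProfile) -> Assessment:
    a = Assessment(p.name, "A+")
    if p.assessment_error:
        a.grade, a.failures = "Assessment failed", [p.assessment_error]
        return a
    if not ({"TLSv1.0", "TLSv1.1", "TLSv1.2"} & p.protocols):
        a.grade, a.failures = "No secure protocols", ["no TLS version offered"]
        return a
    if "SSLv2" in p.protocols:        # post: SSL 2 alone caps the grade at F
        a.grade = worst(a.grade, "F"); a.failures.append("SSL 2 enabled")
    if "SSLv3" in p.protocols:        # post flags it; ASSUMPTION: modelled as a cap at C
        a.grade = worst(a.grade, "C"); a.failures.append("SSL 3 enabled")
    if "TLSv1.2" not in p.protocols:  # post: caps at C since the 1.17.10 release
        a.grade = worst(a.grade, "C"); a.failures.append("TLS 1.2 not supported")
    if any("RC4" in s for s in p.cipher_suites) and ({"TLSv1.1", "TLSv1.2"} & p.protocols):
        a.grade = worst(a.grade, "C"); a.failures.append("RC4 offered with TLS 1.1+")  # ASSUMPTION: cap at C
    if not has_forward_secrecy(p.cipher_suites):  # post: FS would boost the two A- sites
        a.grade = worst(a.grade, "A-"); a.failures.append("no forward secrecy")
    if p.hsts_max_age is None or p.hsts_max_age < SIX_MONTHS:  # post: A+ needs HSTS >= 6 months
        a.grade = worst(a.grade, "A"); a.failures.append("no HSTS with max-age of 6 months or more")
    if p.dh_bits is not None and p.dh_bits < 2048:  # the WeakDH.org Logjam warning quoted in the post
        a.warnings.append(f"{p.dh_bits}-bit DH group; generate a unique 2048-bit group")
    if p.version_intolerant:
        a.warnings.append("intolerant to newer protocol versions")
    if len(p.cipher_suites) == 1:
        a.warnings.append("only one cipher suite offered")
    return a


def sort_results(results: List[Assessment]) -> List[Assessment]:
    """Post's order: grade (A to F, then no secure protocols, then failures), failed tests, name."""
    return sorted(results, key=lambda r: (GRADE_ORDER.index(r.grade), len(r.failures), r.name))


TLS_ALL = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}
SAMPLE_PROFILES = [  # constructed to mirror the kinds of result in the post; not real data
    ServerProfile("Bank W (main site)", {"SSLv2", "SSLv3", "TLSv1.0"},
                  ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]),
    ServerProfile("Service R (remittance)", TLS_ALL, ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]),
    ServerProfile("Bank L (main site)", TLS_ALL, ["TLS_RSA_WITH_AES_128_GCM_SHA256"]),
    ServerProfile("Service C (credit card)", TLS_ALL, ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"],
                  hsts_max_age=31536000, dh_bits=1024),
    ServerProfile("Service M (merchant)", {"TLSv1.0"}, ["TLS_RSA_WITH_AES_256_CBC_SHA"],
                  version_intolerant=True),
    ServerProfile("Bank T (main site)", TLS_ALL,
                  ["TLS_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]),
    ServerProfile("Bank E (main site)", set(), []),
    ServerProfile("Service P (points)", TLS_ALL, [], assessment_error="Cipher suite support test failed"),
]


def run_sample() -> List[Assessment]:
    return sort_results([assess(p) for p in SAMPLE_PROFILES])


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r.grade:<20} failed={len(r.failures)} {r.name}: {'; '.join(r.failures + r.warnings)}")
```

Each cap is applied with `worst`, so the order of the checks does not matter and the reported failures list every rule a server tripped, which is what the “number of failed tests” sort key counts; warnings such as the shared 1024-bit DH group are kept separate because, as in the WeakDH.org output quoted below, they do not change the grade.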

Date performed: 6/2/15

Sites tested: 24

Data sources

Tools

Similar posts and analysis

Tangential articles (coming soon)

  • Fiserv
  • Wisconsin Department of Financial Institutions