"SSL Audit" - Updated release (SSL/TLS Scanner)
[Tuesday, December 27, 2011 | 0 comments ]


Preamble :

During my research on TLS/SSL Compatibility across different Operation Systems and Browsers I created supporting tools for myself and later decided to release them for the public.

"SSL Audit" remotely scans web servers for SSL support - unlike other tools it is not limited to ciphers supported by underlying SSL engines such as "OpenSSL" or "NSS" but can detect cipher suites based on it's own (simplistic) SSL/TLS engine. As a gimmick it features an innovative Fingerprinting engine that is based on behavioral heuristics.

Surprisingly I had positive feedback about the tool and hence think it's worthwhile to update it.

Updates:
  • Added an option to export the results (CSV)
  • Adjusted documentation
Download:
Documentation:


Video:


Links to this post
Final - SSL/TLS renegotiation explained (CVE-2009-3555)
[Friday, December 23, 2011 | 0 comments ]


Final release for my paper explaining the different attack vectors and impacts for (CVE-2009-3555) "TLS / SSL renegotiation vulnerability".

  • Added comments and corrections by Alun Jones (Who I hereby thank for his time)
  • Changed FTPS description
  • Better PDF output
I profit from the update to stress particular impacts that seem to be forgotten about, in addition to the plain-text injection described everywhere (Please refer to the paper to know more)

Additional Impacts
  • Potentially allows to downgrade from HTTPS to HTTP (à la SSLstrip)
  • Potentially allows to inject XSS into Trace requests
Available Tools (2011)
I have been delighted by the interest given to this paper at the time, the paper is referenced by the US-CERT, DFN-CERT, BELNET-CERT, SWITCH-cert, Nessus, Qualys, c't Heise and the book "IPhone and IOS Forensics: Investigation, Analysis and Mobile Security" covers the analysis on Page 110

Download "TLS/SSL Session Renegotiation Vulnerability Explained"

Links to this post
PCI compliance, Security in isolated systems and Parking Tellers
[Tuesday, December 06, 2011 | 3 comments ]


A colleague of mine spotted the below while we were doing our expenses - The photograph below shows two separate receipts from two parking buildings that are not far away from each other in central Luxembourg (est. 1km). Both were paid by credit card / debit card.

Can you spot the issue ?


Spotted it? While the first receipt masks everything except the last four digits, the second receipt masks everything except the first digits and leaves the last digits visible. While the example above shows a Debit and a Credit card, I can assure you that if you use a VISA credit card, both together show your complete PAN.
 
There are multiple reasons on why this might be an issue, PCI compliance obviously is one. My interest in this goes further. Two different systems use what they believe is good enough privacy/security and it works as long as they are in their separate world. Put both into the same public place and it becomes apparent it's no longer the case.

This might pose a problem for those that collect tickets and them throw them in the bin, or expense them, like in our case.

Thanks for Opale Security to point out the relevant VISA Guidance on the matter :

Links to this post