Linux Security Archives - CVTF Studios.net

Let’s Encrypt Revoking 3 Million TLS Certificates

admin — Wed, 04 Mar 2020 12:55:35 +0000

The most popular free certificate signing authority Let’s Encrypt is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software.

The bug, which Let’s Encrypt confirmed on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates.

As a result, the bug opened up a scenario where a certificate could be issued even without adequately validating the holder’s control of a domain name.

The Certification Authority Authorization (CAA), an internet security policy, allows domain name holders to indicate to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a specific domain name.

Let’s Encrypt considers domain validation results good only for 30 days from the time of validation, after which it rechecks the CAA record authorizing that domain before issuing the certificate. The bug — which was uncovered in the code for Boulder, the certificate signing software used by Let’s Encrypt — is as follows:

“When a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times.” In other words, when Boulder needed to parse, for example, a group of 5 domains names that required CAA rechecking, it would check one domain name 5 times as opposed to checking each of the 5 domains once.

The company said the bug was introduced as part of an update back in July 2019.

This means that Let’s Encrypt might have issued certificates that it shouldn’t have in the first place, as a result of which it’s revoking all the TLS certificates that were affected by the bug.

The development comes as Let’s Encrypt project announced last week that it had issued its one-billionth free TLS certificate since its launch in 2015.

Let’s Encrypt said 2.6 percent of approximately 116 million active certificates are affected — about 3,048,289 — out of which about one million are duplicates of other affected certificates.

Affected website owners have until 8PM UTC (3PM EST) March 4 to manually renew and replace their certificates, failing which visitors to the websites will be greeted with TLS security warnings — as the certificates are revoked — until the renewal process is complete.

It’s worth noting that the certificates issued by Let’s Encrypt are valid for a period of 90 days, and ACME clients such as Certbot are capable of automatically renewing them.

But with Let’s Encrypt revoking all impacted certificates, website admins will have to perform a forced renewal to prevent any interruptions.

Besides using the tool https://checkhost.unboundtest.com/ to check if a certificate needs replacement, Let’s Encrypt has put together a downloadable list of affected serial numbers, allowing subscribers to check if their websites rely on an affected certificate.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.

The post Let’s Encrypt Revoking 3 Million TLS Certificates appeared first on CVTF Studios.net.

15000 compromised servers

admin — Thu, 04 Jan 2018 17:56:38 +0000

Swati Khandelwal

Technical Writer, Security Blogger and IT Analyst.

She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Link: https://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html

A new botnet consisting of more than 15,000 compromised servers has been used to mine various cryptocurrencies, earning its master around $25,000 per month.

Mining cryptocurrencies can be a costly investment, as it requires an enormous amount of computing power, but cybercriminals have found an easy money-making solution.

Dubbed BondNet, the botnet was first spotted in December 2016 by GuardiCore researchers, who traced back the botnet malware developer, using online handle Bond007.01, to China.

According to the GuardiCore researchers, Bond007.01 is currently using BondNet for mining cryptocurrencies

— primarily Monero, but also ByteCoin, RieCoin, and ZCash

— but they warn that the hacker could easily take full control of compromised servers for malicious purposes, like mounting Mirai-style DDoS attacks.

BondNet’s Botnet Infrastructure

One thing that’s worth noticing is that the botnet operator does not use all infected machines for mining cryptocurrencies. The operator has built its botnet infrastructure of compromised servers with various roles:

1. Some infected machines serve as scanning servers to check for vulnerable systems on the Internet by going through a list of IP addresses with open ports that have been compiled with the WinEggDrop TCP port scanner.

2. Some servers are used as file servers to host the mining software.

3. Other infected servers are turned into command-and-control (C&C) servers after they have been equipped with a fork of goup — a small open source HTTP server written in Golang.

“Building an attack infrastructure on top of victim machines helps conceal the attacker’s true identity and origin of the attack,” the GuardiCore researchers explained in their report published Thursday.

“It also provides high availability infrastructure, which is very helpful when relying on compromised servers, providing infinite backup options in case one of the servers fails or loses connectivity to the internet.”

BondNet has already infected more than 15,000 server machines at major institutions around the world, including high-profile global companies, universities, and city councils, while the majority of them runs Windows Server 2008 R2.

Additionally, the BondNet botnet adds around 500 new machines to its network each day, and an approximately the same number of servers are delisted.

Here’s How to Detect the Threat and How to Mitigate:

To prevent your machines from getting hacked, server admins are advised to secure their systems by regularly applying security patches for all software, updating the firmware, and employing stronger passwords.

Meanwhile, GuardiCore has also provided network and file indicators of compromise systems to help server administrators check whether their machines are among compromised ones.

The researchers have also released a detection & cleanup tool (registration is required to download it) to help admins find and remove BondNet bots from their servers, as well as instructions on how to clean the system manually, without using the script.

The post 15000 compromised servers appeared first on CVTF Studios.net.

What is the best Linux Distributions for Hacking and Penetration Testing in 2016

admin — Tue, 02 Aug 2016 21:09:04 +0000

Last updated August 1, 2016 By Munif Tanjim– https://itsfoss.com

Looking for best Linux to learn hacking?

Whether you want to pursue a career in Information Security or you are already working as a security professional or if you are just interested in this specific field of knowledge, a decent Linux distro that suits your purpose is a must.

There are countless Linux distros for various purposes. Some are designed for specific tasks in mind and others are for different interfaces.

We have seen weird Ubuntu distributions in an older article. But, today we are going to have a look at a list of some of the best Linux distro to learn hacking and Penetration Testing.

Before we see the best Linux distros for hackers, I would recommend you to check for online hacking courses at our ITSFOSS shop.

Best Linux hacking distros in 2016

I have basically listed out various Linux distributions focusing on security. These Linux distros provide various tools that are needed for assessing networking security and other similar tasks. List is in no particular order.

Kali Linux

Kali Linux is the most widely known Linux distro for ethical hacking and penetration testing. Kali Linux was developed by Offensive Security taking on the mantle of BackTrack.

The post What is the best Linux Distributions for Hacking and Penetration Testing in 2016 appeared first on CVTF Studios.net.

Fortinet SSH Backdoor Found In Firewalls

admin — Thu, 21 Apr 2016 12:35:29 +0000

January 14, 2016

So the Fortinet SSH Backdoor, apparently it’s just a management authentication issue. Sorry, what’s that? It looks like a passphrase based admin level access login via SSH to me personally.

Which is scary.

They are adamantly shouting from rooftops that it was not planted by a 3rd party (NSA? Like Juniper..) or any kind of malicious activity.

Enterprise security vendor Fortinet has attempted to explain why its FortiOS firewalls were shipped with hardcoded SSH logins.

It appears Fortinet’s engineers implemented their own method of authentication for logging-into FortiOS-powered devices, and the mechanism ultimately uses a secret passphrase. This code was reverse-engineered by persons unknown, and a Python script to exploit the hole emerged on the Full Disclosure mailing list this week.

Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment. After some outcry on Twitter and beyond, Fortinet responded by saying it has already killed off the dodgy login system.

“This issue was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase,” a spokeswoman told El Reg.

“This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue. The issue was identified by our product security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external.”

In a security advisory dated today, Fortinet explained that the issue affects FortiOS versions 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7. This covers FortiOS builds from between November 2012 and July 2014, and it’s certainly possible that some slack IT admins haven’t updated the software since then.

It was actually patched by Fortinet in July 2014, but with edge devices like Firewalls – they don’t often get updated as it usually causes network downtime. So I’d guess there are plenty of firewalls out there very vulnerable to this, which basically gives you full admin access.

You can find the ‘exploit’ script in Python here: SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7

It’s also possible that even if they did update in a timely fashion, their devices could have been breached before the fix was issued.

The login method is used by FortiManager, a tool for controlling any number of Fortinet devices from a central system.

If you are running older code and can’t upgrade, the firewall maker suggests a couple of workarounds. Managers can disable admin access via SSH and use the web interface instead, or the console browser applet for command-line access. If you really need SSH access, then version 5.x can restrict access to SSH to a minimal set of authorized IP addresses.

Whether you call it a backdoor or a “management authentication issue,” it’s still a pretty major issue for some sysadmins, and they are unlikely to be happy about the news.

One significant part of Fortinet’s statement was the assertion that this didn’t come from an external party. Ever since the Juniper backdooring security vendors have been at pains to avoid any suggestion that they are allowing intelligence agencies access to their products.

In the meantime, if you are using FortiOS then make sure the fimrware is up to date. The news of this hole will have the malicious hacking community aflutter and many are no doubt already scanning for vulnerable targets.

There are some work arounds, what I’d personally like to see though is more transparency about the process and decisions made that led to this code being on production firewalls. How does this even happen?

And how did they only find it during scheduled review and testing? What kind of testing/QA/CI process do they have?

It all sounds rather fishy to me.

Source: The Register

The post Fortinet SSH Backdoor Found In Firewalls appeared first on CVTF Studios.net.

How to Use SSH Pipes on Linux

admin — Sun, 20 Mar 2016 13:35:02 +0000

Like most commands on Linux, SSH can be used with input/output redirection via |Unix Pipe. SSH can be used with this pipeline too. The basic concept here is understanding how the Unix pipeline works.
When you understand the way pipes work, you can get seriously creative. This article covers what happens when you combine Unix pipes and SSH. It should be noted that since Unix pipes can be just about anything, there are no doubt going to be commands not on this list would also be useful.

Understanding the Unix Pipeline

Pipes on Unix (and by extension, Linux) are used to chain programs together and make them work together. For example, using cat, you can show the contents of a file, but if you used a pipe, you could chain the cat command to the more command to make the file easier to read through.

cat file1 | more

The basic idea here is this: program1 fileX | program2. It’s not just limited to one file and two programs, though. Piping can get about as advanced as you need it to be with as many modifiers as you can think of.

Note: Some types of pipes can be done without using the |. Some may use > instead.

The post How to Use SSH Pipes on Linux appeared first on CVTF Studios.net.

How to upgrade to SSL certificates from SHA1 to SHA2

admin — Fri, 03 Oct 2014 09:46:48 +0000

With Chrome version 39 which is in the process of being released (see footnote), Google has started issuing warnings if a website is using a certificate that has a signature algorithm that uses the older and less secure SHA1.

To find out which signature algorithm your secure website is using, in Chrome click on the green lock in the location bar. Then click on ‘connection’, then click on ‘certificate information’. You should see something like the image below. Note the ‘Signature algorithm’ is SHA-256 which is one of the SHA2 hashing functions. If you see SHA-1, you need to immediately reissue your certificate using SHA-2 and install the new version.

So what does it look like in the new version of Chrome when you’re using SHA-1? This is taken from a well known website that has not upgraded yet. Notice the lock with the warning triangle in the location bar. This is the main indication for a site visitor that something is awry. If you then click on the lock it has a further warning with explanation.

If you do have a website that is using SHA-1, don’t panic. Just sign into GoDaddy or whoever your SSL issuer is. Then go to manage your certificates and they’ll have an option there to reissue your certificate. You’ll need to resubmit your certificate signing request (CSR) but you can just resubmit your old CSR and it will work fine.

Then make sure that you’ve selected SHA-2 or SHA-256 or another SHA-2 compatible function. Then reissue the certificate. In GoDaddy’s case it takes about a minute for them to approve your request. If you have an EV certificate it may take longer.

Please share this with other site administrators to make sure that their customers aren’t getting warnings when visiting those all-important secure pages.

Footnote: Chrome 39 has officially been pushed into the “Stable” channel which is the release channel. It will be pushed out via auto-update to millions of customers in the coming days. The demo above was done with Chrome 40 beta, but what the user sees is identical.

The post How to upgrade to SSL certificates from SHA1 to SHA2 appeared first on CVTF Studios.net.