360 Security

Turn That S#!T Off - SSHv1

Thu, 16 Feb 2012 12:52:50 PST

When I first joined VERT, I had little insight into enterprise networks. I'd spent several years in a helpdesk role at a college and then worked as a sys admin for an SMB. While I still don't work directly with enterprise networks, I do get to see reports that customers submit and findings that they question. It's often a surprise for me, and for the customer, to see what is running on their network.

In recent years the attack focus has shifted to the client, with the browser and the office suite surpassing the telnet daemon and web server as the most attractive targets on a network. In my opinion, this means that certain network-based issues are often overlooked and I wanted to highlight my list of "WTF Issues" that security teams should resolve as quickly as possible. So enough with the intro, on to the first post in VERT's new "Turn That S#!T Off" Series.

SSHv1 Enabled

SSHv1 has had known serious issues for quite a while and the common message from the security community has always been, "Turn that S#!T off". If I had a wishlist of things I'd like to see disappear on a network, this would be near the top. nCircle's IP360 and PureCloud platforms will identify this as "SSHv1 Protocol Available"
Confirming SSHv1 Support
Customers are often surprised by this one because vendors tell them that SSHv1 isn't supported but IP360 tells them it is. You can easily confirm this yourself with ncat (part of nmap):
neogeo:~ treguly$ ncat wopr.test.toronto.ncircle.com 22
SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
^C
The above server will only support SSHv2 and the first 5 characters will tell you:
SSH-2.0 - Only SSHv2 is supported.
SSH-1.99 - SSHv2 and SSHv1 are both supported.
SSH-1.5 - Only SSHv1 is supported.
Note that the first 5 characters will always be SSH-1 when SSHv1 is supported.

Disabling SSHv1
Assuming you're running OpenSSH, disabling SSHv1 is very simple:
1) Edit your sshd_config file (generally in /etc or /etc/ssh).
2) Locate the "Protocol" line (e.g. Protocol 2,1).
3) Update the line to read "Protocol 2"
4) Restart sshd
If you're dealing with an appliance, you may want to poke your vendor. They may have a patch out or a method of reconfiguring the appliance to disable SSHv1.

That's it, a simple little fix to a problem that simply shouldn't exist today. Tomorrow we'll discuss something else that's been stuck in my craw for a while, when I explain how to turn that S#!T off for SSLv2.

What's On Your Patch List?

Tue, 14 Feb 2012 16:41:55 PST

It's Patch Tuesday and nCircle's Vulnerability and Exposure Research Team (VERT) recorded their first monthly VERT Alert Live interactive discussion about today's security bulletins.

If you missed the discussion, a recording of today's VERT Alert Live is available here.

VERT Alert Live is a great opportunity to have a conversation with nCircle security researchers on the questions that matter most to you. Don't miss our next session on Tuesday, March 13, 2012 at 12 pm pacific / 3 pm eastern.

Do We Need International Cyber Security Regulations?

Mon, 13 Feb 2012 16:47:02 PST

Are we in an international cyber security arms race? Would a set of international cyber security regulations help or hinder national cyber security efforts? Listen to Episode 28 of our Security Slice podcast as Tim 'TK' Keanini and Oliver Lavery discuss this multi-faceted problem and possible solution models.

Security is Like Insurance

Mon, 13 Feb 2012 10:57:52 PST

Security is Like Insurance

We all know that the cost of insurance is just part of life, even if you never have a lawsuit or a fire.

You buy insurance to help cover your losses when bad things happen. Business owners carry insurance, for example, in case there is a fire or in the event your company is named in a lawsuit. Car insurance offsets your financial risk in the event of an accident or theft. Once an incident occurs, it's too late to buy insurance that will protect you from the financial consequences of any adverse event. After something negative happens insurance is going to be much more expensive.

No one ever wants to buy insurance, it can feel like a waste of good money that could be used for much more important things. No one expects a business catastrophe either, but if you have appropriate insurance you know your investment will help minimize your losses.

Small businesses need to think about information security the same way they think about insurance. You probably already protect your financial assets by using risk management tools like inventory control and credit leverage. Information security practices need to be just one more aspect of normal risk management processes.

Information security and risk management practices may not save you from a cyber attack, but they will help you recover faster and cushion the potential financial impact. You need good network security all the time because by the time you know you need it, it's too late to put it in place.

You might think your business doesn't have anything worth stealing but cyber criminals don't agree. They target small businesses because they don't pay much attention to security. Don't be a victim, invest in good security now, before you need them.

New: VERT Alert Live Events!

Fri, 10 Feb 2012 13:06:07 PST

Do you ever wish you could quickly consult a security expert right after new security bulletins are released so you can get your questions answered?

Starting next week, February 14, 2012, nCircle's Vulnerability and Exposure Research Team (VERT) will be hosting monthly 30 minute interactive sessions about Microsoft security bulletins and other security advisories.

It's a great opportunity to have a conversation with nCircle security researchers on the questions that matter most to you.

You can find more information on VERT Alert Live events here.