
Are you undermining your web security by checking on it with the wrong tools?

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent CERT advisory have warned. The issue lies with HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on. However, the very method by which these devices get around the encryption on network traffic, through protocols like SSL and, more recently, TLS, is opening up the network to man-in-the-middle attacks.

In the paper [1] (PDF), titled The Security Impact of HTTPS Interception, the researchers tested a range of the most common TLS interception middleboxes and client-side interception software and found that the vast majority of them introduced security vulnerabilities.

“While for some older clients, proxies increased connection security, these improvements were modest compared to the vulnerabilities introduced: 97 per cent of Firefox, 32 per cent of e-commerce, and 54 per cent of Cloudflare connections that were intercepted became less secure,” it warns, adding: “A large number of these severely broken connections were due to network-based middleboxes rather than client-side security software: 62 per cent of middlebox connections were less secure and an astounding 58 per cent had severe vulnerabilities enabling later interception.”

Of the 12 middleboxes the researchers tested, ranging from Checkpoint to Juniper to Sophos, just one achieved an “A” grade. Five were given “F” fail grades, meaning that they “introduce severe vulnerabilities”, and the remaining six got “C” grades. In other words, if you have a middlebox on your network and it’s not the Blue Coat ProxySG 6642, pull it out now. Likewise, of the 20 client-side pieces of software from 12 companies, just two received an “A” grade: Avast’s AV 11 for Windows (not Mac), and Bullguard’s Internet Security 16. Ten of the 20 received “F” grades; the remaining eight, “C” grades.

How does it happen?

TLS and SSL encrypt communications between a client and server over the internet by creating an identity chain using digital certificates. A trusted third party issues the server’s certificate, and the client verifies it to confirm that the connection really is to the intended server. To work at all, therefore, an interception device has to install its own trusted certificate on client devices; otherwise users would constantly see warnings that their connection was not secure. Browsers and other applications then use that certificate to validate encrypted connections, but this introduces two problems: first, the client can no longer verify the web server’s own certificate; second, and more importantly, the way the inspection product communicates with the web server becomes invisible to the user.

In other words, the user can only be sure that their connection to the interception product is legitimate; they have no way of knowing whether the rest of the communication, from the product to the web server over the internet, is secure or has been compromised. And, it turns out, many of those middleboxes and interception software suites do a poor job of security themselves. Many do not properly verify the server’s certificate chain before re-encrypting and forwarding client data. Some do a poor job of forwarding certificate-chain verification errors, keeping users in the dark about a possible attack.

In other words: the effort to check that a security system is working undermines the very security it is supposed to be checking. Think of it as someone leaving your front door wide open while they check that the key fits. What’s the solution? According to CERT [2], head to the website badssl.com [3] to verify whether your inspection product is doing proper verification itself. And of course, read the paper and make sure you’re not running any of the products it flags as security fails on your network.
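The two defects described above (an upstream side that never validates the origin's certificate chain, and verification errors that are swallowed rather than surfaced) can be checked for in a few lines. The following is an added example, not code from the paper, the Register article or the CERT advisory: it models the proxy-to-origin side of an interception product in Python's standard `ssl` module, showing the weak configuration beside the correct one, an audit function that flags the weak settings, a forwarding decision that turns an upstream verification failure into a visible block, and a badssl.com-style live probe. The four badssl.com subdomains are assumed to exist on the public test site; they are only contacted from the `__main__` block, so the rest runs offline.

```python
import socket
import ssl
from typing import Callable, List, Tuple

# Added example; not the paper's, the vendors' or CERT's code. It models the
# upstream (proxy-to-origin) side of an HTTPS interception product, the side
# the paper found many products get wrong. The badssl.com hostnames below are
# assumed to exist on the public badssl.com test site; every one of them must
# be REJECTED by a client or proxy that verifies certificates properly.
BADSSL_MUST_REJECT = [
    "expired.badssl.com",
    "self-signed.badssl.com",
    "wrong.host.badssl.com",
    "untrusted-root.badssl.com",
]


def weak_upstream_context() -> ssl.SSLContext:
    """The defect the paper describes: the proxy's client-side context never
    checks the origin's chain or hostname, so any forged certificate between
    proxy and origin is silently accepted and re-signed for the real client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_upstream_context() -> ssl.SSLContext:
    """What the upstream side should look like: full chain validation against
    the system trust store, hostname matching, and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_upstream_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a proxy's upstream context; an empty list means the
    settings are consistent with proper origin verification."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: the origin certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any other hostname is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions are negotiable")
    return findings


def relay_decision(upstream_handshake: Callable[[], None]) -> Tuple[str, str]:
    """Forwarding decision for one intercepted connection. Done right, an
    upstream verification failure becomes a blocked connection the user can
    see, instead of the proxy completing the client-side handshake with its
    own trusted certificate as if nothing were wrong."""
    try:
        upstream_handshake()
    except ssl.SSLCertVerificationError as exc:
        return ("blocked", f"upstream certificate verification failed: {exc}")
    return ("forwarded", "upstream chain and hostname verified")


def probe(hostname: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> Tuple[str, str]:
    """Live check of one host with a given upstream context (needs network)."""
    with socket.create_connection((hostname, 443), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return ("accepted", tls.version() or "unknown")
        except ssl.SSLCertVerificationError as exc:
            return ("rejected", exc.reason or str(exc))


if __name__ == "__main__":
    contexts = (("weak", weak_upstream_context()), ("hardened", hardened_upstream_context()))
    # Static audit first: no network needed.
    for name, ctx in contexts:
        print(f"{name}: {audit_upstream_context(ctx) or ['no findings']}")
    # Then the badssl.com-style live test. "accepted" from the hardened
    # context means something in the path is not validating certificates.
    for host in BADSSL_MUST_REJECT:
        for name, ctx in contexts:
            try:
                print(host, name, probe(host, ctx))
            except OSError as exc:
                print(host, name, "connection error:", exc)
```

Run the script from a machine behind the inspection product: the hardened context should report every badssl.com host as rejected. If it reports any as accepted, the product in the path is re-signing an origin certificate it should have refused, which is exactly the "less secure" outcome the paper measured.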

References

  1. ^ paper (jhalderm.com)
  2. ^ According to CERT (www.us-cert.gov)
  3. ^ badssl.com (badssl.com)

NATIONAL NEWS: Security services thwarted 13 potential terror attacks in four years

Security services thwarted 13 potential terrorist attacks on the UK in less than four years and are running more than 500 live investigations at any time, Britain’s most senior counter-terrorism officer has revealed. Assistant commissioner Mark Rowley disclosed the figures as he launched a major appeal for the public to report any suspicions and act on their instincts, stressing that help is critical to foiling atrocities. The Metropolitan Police officer said that since June 2013, police and intelligence agencies have disrupted 13 terrorist attack plots. The figure is one higher than the last tally given in October. Information from members of the public has contributed to stopping some of those attacks, while figures show it has assisted counter-terrorism police in a third of the most high-risk investigations. Describing the contribution as ‘extraordinary’, Mr Rowley said: “Some of that information is a change in someone’s behaviour, some of that’s about suspicious activity. Sometimes that public information has actually started an investigation.

Other times it’s part way through and it corroborates some things or adds to things we already know. “The public are making a great contribution which is critical to us all working together to protect ourselves from terrorism.” Investigators have been making terror-related arrests at a rate of close to one a day on average since 2014, he said. The official threat level for international terrorism has stood at severe – meaning an attack is ‘highly likely’ – for more than two years. Mr Rowley said that ‘tempo’ of activity continues. He identified a host of challenges including encrypted communication methods, propaganda and the range of possible attack methods.

“Now we worry about everything from fairly simple attacks with knives or using vehicles all the way through to the more complex firearms attacks,” he said. “All of that means that our job remains difficult. We’ve got over 500 investigations at any one stage.”

In the year to March, the anti-terrorist hotline received more than twice the number of calls on the previous 12 months, with 22,000 people making contact. Mr Rowley said: “Even though the public are doing a great job, we want more help.” As part of the Action Counters Terrorism campaign, a podcast has been produced revealing previously untold stories of how terrorist attacks on UK soil were prevented, featuring accounts from detectives, bomb disposal and surveillance officers. Mr Rowley said the aim of releasing new material was to give an insight into how terrorists might prepare and provide more confidence for the public to report any suspicions. He said: “I think what often happens is a member of the public will see something, or hear something, and think ‘well that’s a bit odd, but maybe I’m overreacting and I won’t bother telling anybody’. “Us putting more information out there, the aim is that it gives that bit more confidence for the public.

“We will respond carefully, we won’t overreact. “If it turns out to be a call where you made it with good intent but actually there was no problem at the end of it, that’s fine. “We’d rather have many calls like that, rather than miss out on the critical one that helps us stop an attack.”

Security minister Ben Wallace welcomed the campaign, saying: “The horror of recent terrorist attacks in Europe and beyond is a shocking reminder of the threat we all face.”