Monday, July 18, 2016

DeepViolet TLS/SSL Java DAST Tool Added as OWASP Project

July 13, 2016 the DeepViolet TLS/SSL DAST tool became an OWASP incubator project.  I started this project some time back for my own purposes.  I always intended to share this code publicly but I seriously never considered it would be useful to anyone.  Mostly since such great like OpenSSL and Qualys already exist.  It became apparent after being contacted by interested developers and operational teams that there's still some room to contribute with a new tool in this space.   I petitioned OWASP to add DeepViolet as an OWASP project to increase visibility and attempt to build a team of like minded developers willing to invest in DeepViolet and build a tool we can all use.

So what can you do with DeepViolet?
A picture is worth a thousand words so here is a sample of some of the scanning output.
Photo 2: DeepViolet Desktop Application View

DeepViolet can also be run from the command line and included in your shell scripts.  A sample of the output looks like the following.

DeepViolet can also be included in your own projects as an API.  For more information about DeepViolet refer to the following information.

OWASP DeepViolet TLS/SSL Scanner Code Project, main OWASP project landing page.
DeepViolet GitHub Project Page, main landing page for GitHub project code/documentation.
DOWNLOAD, current release binaries.

Monday, July 4, 2016

OWASP Security Logging Project Presentation - Slide Deck

June 30, 2016 I provided a presentation, How to Use OWASP Security Logging, at AppSecEU 2016 in Rome, Italy.  I am following up to post the presentation slides.  For background about the project see my previous post, Presenting at OWASP AppSec EU Conference in Rome.

Thursday, June 23, 2016

Presenting at OWASP AppSec EU Conference in Rome

Updated on July 4, 2016

For a copy of the slide deck for this presentation see my follow-up post, OWASP Security Logging Project Presentation - Slide Deck.

Thursday June 30, 2016 4:15pm I am presenting a Lightning Training Session, How to Use OWASP Security Logging with August Detlefsen, Sytze van Koningsveld.  The training session will be a mixed format of presentation with hands-on lab exercises.

Attendees will learn about the OWASP Security Logging Project, background and why we need security logging, it's benefits, how to include it in new projects, upgrading your legacy projects, and much more.  In the session we cover each feature and answer audience questions.  Bring your laptop and participate in our exercises.  Learn first-hand how apply security logging to your projects.

So why would you be interested in our logging project?  A brief rundown on the benefits,

Diagnostics/Forensics, for problem determination is often useful to have a history of system state recorded in logs that you can refer to when their problems.  Security logging provides some features that log command line arguments, system environment variables, and Java system properties on startup.  Security logging also provides an interval logging feature to log key system and user specified metrics every 15-secs.  SIEM tools can be integrated to alert on memory problems, etc

Security Focus, door open/closed, user logged in/out, resource allocation, information classification of log messages, a desirable feature for government agencies or government contractors

Compliance, sign log messages, log messages remotely, discourage tampering

Automation Across Several Use-Cases,  the project provides automation benefits for standalone or desktop applications as well as up the application stack like Servlets/J2EE.  For example, in the application layer provide facilities to pull user id from the HTTPSession and insert it into log4j/logback Mapped Diagnostic Context(MDC) so that users can easily correlate ever log message with the current user that's logged into the system.

Support for Popular Platforms,  are you using Java logging, log4j, logj4 2, or logback?  If so, your ready to go since security logging is written to the SLF4J logging interface.

Large Base of Developer Knowledge,  security logging is compatible with populator loggers so you can get running quickly.

Legacy Support, security logging includes support to capture streams from your old console logging applications (e.g., System.out/System.err).  Alternatively, you may have old commercial code that logs to consoles where you don't have the source code.  In these use cases there are some benefits for intercepting these streams and redirecting them to security logging.  You will not realize the full benefits of native logging (e.g., logger inheritance); however, you still receive some ancillary benefits like remote logging, ability to mark messages with an information classification, etc.

There is a lot of cover with the platform.  Hope to see you in Rome at our session, seats are filling up fast, register quickly.  Usually OWASP provides the session content after the conference so if you can't attend you still have an opportunity to learn more about the platform.

Additional Resources
Wiki, OWASP Security Logging Project
Lightning Training Presentation, How to Use Security Logging Presentation
GitHub Project Site, OWASP Security Logging code

Tuesday, June 14, 2016

Blue Coat Intermediate CA Certificate Has Not Been Revoked

In a recent Internet security kerfuffle, Symantec issued the surveillance company Blue Coat Systems, a powerful digital certificate that allows them to masquerade as any secure business or financial institution by impersonating their web server.  See my original post for background, Blue Coat has Intermediate CA signed by Symantec.

In statement by Symantec the company notes, that companies often test with their own Intermediate CA.  While it's true companies test their PKI processes, it's very uncommon that Intermediate CA certificates in the test environment anchor to trusted roots in popular web browsers.  Any Intermediate CA certificate anchoring to trusted roots is by definition a - live production certificate.
Symantec goes on to note that certificates used in testing are "discarded" once tests are completed.  Unfortunately, this type of public communication is difficult to understand from a technical standpoint.  The standard practice to assure the public a certificate cannot be used is to revoke the certificate.  In the PKI system, a certificate that has been revoked provides scary warnings when users try to browse these web sites.  The assurance we desire is that the certificate is revoked.  Whether Blue Coat has the private key or not is immaterial.

To better understand the communication from Symantec, I checked the Blue Coat CA revocation status.  The result is that the Blue Coat CA certificate has not been revoked.  While there is no evidence of inappropriate use, nothing about this incident in the way it's explained or handled is considered industry best practice or even normal practice.  This is not the first time Symantec's processes around certificate management have been called to question by security researchers, The Case of the Symantec's Mysterious Digital Certificates.

You can test the Blue Coat CA certificate revocation status yourself with the following procedure.

Step 1 - Download Blue Coat CA Certificate
Download the Bluecoat CA Certificate to your computer.

Step 2 - Extract CRL host from Bluecoat Certificate
I'm using a work in progress tool I wrote, DeepViolet, to read the certificate but openssl is a well established alternative available on many operating systems.  If your using openssl you can view the certificate with the following, openssl x509 -in bluecoat-cert.crt -text -noout

java -jar dvCMD.jar -rc ../Downloads/bluecoat-cert.crt
Starting headless via dvCMD
Trusted State=>>>UNKNOWN<<<
Validity Check=VALID, certificate valid between Wed Sep 23 17:00:00 PDT 2015 and Tue Sep 23 16:59:59 PDT 2025
SubjectDN=CN=Blue Coat Public Services Intermediate CA, OU=Symantec Trust Network, O="Blue Coat Systems, Inc.", C=US
IssuerDN=CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial Number=108181804054094574072020273520983757507
Signature Algorithm=SHA256withRSA
Signature Algorithm OID=1.2.840.113549.1.1.11
Certificate Version =3
Non-critical OIDs
CertificatePolicies=[ the event that the BlueCoat CPS and Symantec CPS conflict, the Symantec CPS governs. the event that the BlueCoat CPS and Symantec CPS conflict, the Symantec CPS governs.]
ExtendedKeyUsages=[serverauth clientauth]
SubjectAlternativeName=[[[, SymantecPKI-2-214]]]
Critical OIDs
KeyUsage=[nonrepudiation keyencipherment]

Processing complete, execution(ms)=784

Step 4 - Download CRL 
Download the certificate revocation list from the server specified in the certificate.

wget -O bluecoat-symcb-crl.der

Step 3 - Display CRL
Now that we have the certificate revocation list we can view the list of certificates revoked.  Apparently there are no revoked certificates.

openssl crl -inform DER -text -in bluecoat-symcb-crl.der
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Last Update: Mar 22 00:00:00 2016 GMT
        Next Update: Jun 30 23:59:59 2016 GMT
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
-----BEGIN X509 CRL-----

-----END X509 CRL-----

Thursday, May 26, 2016

BlueCoat has Intermediate CA signed by Symantec

Updated June 12, 2016

A digital certificate was created by Symantec for Blue Coat Systems Inc.  The digital certificate is a special type of certificate that allows Blue Coat to operate as a trusted Certificate Authority(CA).  The certificate allows Blue Coat to create new digital certificates for use on highly trusted web sites like those used in banking and health care.

Most people and businesses operating servers on the Internet make every effort to provide the public with the safest and most secure online experience.  But the Internet is a big place and not everyone plays by the rules.  Providing a trusted Internet environment is essential for commerce and collaboration.  The system that manages Internet trust is Public Key Infrastructure(PKI).  PKI is the the security technology and processes that web browsers and web servers use for all highly trusted activities like online banking and health.  Certificate Authorities(CA) play a special role in PKI as the gatekeepers of secure servers on the Internet.  CA duties include managing applications for secure web servers.  To fulfill this special and important role, CA's must submit to stringent audits of their business practices and operations.  During normal day-to-day operations CA's must preserve public trust in online security by denying criminals access to masquerade as legitimate businesses or trusted partners.  Most often everything goes as planned but what about the case when CA's don't follow the rules.  Abuses may include issuing certificates without knowledge or consent of rightful domain owners, servicing unlawful or warrantless government requests, and much more.

Why is this incident important to me?
In May 2016 a security researcher, Filippo Valsorda, discovered an Intermediary CA X.509 digital certificate was issued to Blue Coat Systems by Symantec.  This is a concern for two reasons, 1) Blue Coat Systems manufactures hardware designed for surveillance, 2) the Intermediary CA certificate facilitates the issuance of highly trusted certificates in any Internet domain name.  For example, a Blue Coat device armed with their new CA certificate can surveil HTTPS web sites in a way that's difficult for web browser users to detect.

Why is the Blue Coat Systems CA a problem?
Trust is essential to the continued operation of the Internet.  Without trust, the full potential of the Internet will never be realized.  Few would want to purchase products, view medical laboratory results, exchange ideas with business partners, or email friends and family if our information can be surveilled, intercepted, and manipulated at any point without our full knowledge and consent.  The key displayed in your web browser in a secure HTTPS connection is an icon of trust.  If it's visible, we must have confidence the site we are communicating to is authentic and our communications confidential.

What does Bluecoat and Symantec have to say? 
Symantec has said that it's determined the CA certificate issued to Blue Coat was done so appropriately and that Blue Coat never had access to it.  This statement is designed to assuage public concern since it would prevent impropriety on Blue Coast behalf.  Unfortunately there is no easy way for the public to verify this statement.
Issuing a CA certificate to a surveillance company is by no means normal and concern by the security research community and anyone using a web browser is warranted.  Trust and confidence when issuing CA's is the single most important duty entrusted to Symantec in responsibility as an issuing authority.

What is the appropriate course of action for you?
It depends upon you.  If you trust that Symantec and Blue Coat are operating in your best interest then do nothing.  If on the other hand you consider Blue Coat's CA a potential vector for abuse then you can untrust the Blue Coat CA certificate.

To mark the BlueCoat CA certificate untrusted
1) Download BC CA Cert
2) Mark untrusted, OSX users | Windows users
* Mobile users: iPhone, I don't believe Apple exposes any trust management features to the public.  Android, unsure.

Original security researcher comments

More information
The Register, Blue Coat, Skype and QQ named despots' best friends
Blue Coat Systems, Blue Coat Intermediate CA
Symantec,  Symantec Protocol Keeps Private Keys In Its Control

Share It!