What is a DROWN attack?

If you have been online in the past few day's chances are that you have seen the headline "new vulnerability discovered in OpenSSL" or something along those lines. This new vulnerability has been dubbed as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), and it is said to effect over 11 million websites and email services worldwide.

DROWN is a cross-protocol attack that uses weaknesses in the SSLv2 implementation against transport layer security (TLS), and that can "decrypt passively collected TLS sessions from up-to-date clients." While latest versions don't allow SSLv2 connections by default, administrators sometimes, unintentionally override those settings in an attempt to optimize applications and this is where the problem lies. The DROWN attack could allow an attacker to decrypt HTTPS connections by sending specially crafted malicious packets to a server or if the certificate is shared on another server, potentially performing a successful Man-in-the-Middle (MitM) attack. It has been reported that more than 33% of all HTTPS servers are vulnerable to DROWN based MITM attacks. 

If you want to see if your website is vulnerable to this critical security hole you can check out https://drownattack.com/. If your website is vulnerable there is good news in the fact that an academic researchers uncovered the DROWN security hole and a patch for the vulnerability has already been made available with an OpenSSL update. And just in case you get to happy the Bad news is that the DROWN attack can be conducted in just under a minute and now that the bug has been disclosed, it may be actively used by hackers to attack servers. So really this isnt something that you want to be putting on the long finger, OpenSSL 1.0.2 users are strongly advised to upgrade to OpenSSL 1.0.2g and OpenSSL 1.0.1 users are recommended to upgrade to OpenSSL 1.0.1s. And if you are using another version of OpenSSL for security, you should move up to the newer versions 1.0.2g or 1.0.1s.

In order to protect yourself against the DROWN attack, you should ensure SSLv2 is disabled, as well as make sure that the private key isn’t shared across any other servers. Those already vulnerable to DROWN attack do not need to re-issue certificates but are recommended to take action in order to prevent the attack immediately. And remember the fact that this has been widely publicized you can be sure that hackers are actively targeting websites that have not implemented the above so get your IT team moving.

5 golden rules for staying safe online

If you have been reading my posts you will notice that a number of points keep popping up. The reason for this is of course that these particular points are vital to keeping yourself safe online. For the few out there who want to do the minimum in order to stay safe I am laying out 5 golden rules to follow.

1) Keep your software updated

Updating software, whether it be on your phone, laptop, or television, is extremely important. When hackers discover new ways to steal your data, gadget and software companies usually work quickly to release fixes for those vulnerabilities. Once a fix is in place an update becomes available and you should download this update, I try to set as many applications as possible to do automatic updates or in the case of my phone I set it running at night time when its not been used.

2) STOP using the same password everywhere

You are living in an age of big hacks and data breaches if you use the same password everywhere once your details are stolen once all your accounts are compromised. And you can be guaranteed that there is a high possibility your details have already been stolen from somewhere.  

3) Don't fall for phishing scams

These scams are getting more and more frequent and the attacks been used are becoming more professional. I recently received an email claiming to be a free password security tester, the email asked me to enter my password to test how strong it is and of course I deleted it as its purpose was of course to steal my password. Be smart when you receive phone calls and emails that you are not expecting and never open an application you receive in an email with the file extension .exe.

4) Add recovery contact information to your accounts

This is important you should always have two different contact methods on your accounts. The reason for this is if you forget your password and lose your phone well then your snookered and you may be locked out of that account forever, leaving your information hanging in cyber space. The second reason for this is If your account is compromised, companies will probably try to let you know. But that’s only possible if they have some means of getting in touch with you on file.

5) Enable two factor authentication 

Two-factor authentication adds an extra layer of security to your accounts by requiring another code in addition to your memorized password. That code can be sent to your smartphone via a text or generated by an app. With two-factor authentication, even if a hacker has your username and password, he or she won’t be able to access your account unless they also have your smartphone — not a likely scenario. I ask if you don't do any of the above at least do this one and give yourself some chance of staying protected.

Staying anonymous online (The Basics)

This is a topic that seems to keep popping up over and over again for many different reasons some good and some bad. In my opinion everyone should have the right to remain anonymous online if they choose to do so. I know in the extreme cases Governments are claiming that terrorists and criminals are using encryption of a means to carry out organised crime and nation attacks, however does this mean the rest of free society should give up the right to remain anonymous online? If you believe that the answer to this question is no then you can take a number of steps to help keep your     online identity non-existent. The steps below in no way mean that the FBI won't know who you are if you start doing some illegal shit like hiring an assassin on the dark-net so I strongly advise against doing so.

1)  If you are the type of person who wants no digital footprint then you might not want to join social media sites. The amount of personal data that social networking sites like Facebook, Google Plus and Twitter have harvested from their billions of users is shocking. Head to facebook.com/settings and click ‘Download a copy of your Facebook data’ and you might be surprised to see just how much information is on file. More or less everything you have ever done on Facebook is saved in this file so you can kind of get a feel for just how much information these sites hold on you.

2)  My second tip is another rather simple approach, go incognito The top four most popular browsers - Google Chrome, Mozilla Firefox, Internet Explorer and Safari - have a private browsing mod. With private browsing activated, your browser will not store cookies or internet history on your computer. This is quiet a limited function and is really only of use to hide information from others such as a significant other. I say this because Private browsing does not securely hide your identity or browsing activities beyond your local machine as your IP address can still be tracked.

3)  It is a known fact that many websites track and monitor their users activity, this can actually cost you money. An example of this is that plane ticket that you want to buy so you regularly check to see if its sold out, then when you have the cash the bloody ticket has gone up in price, the reasons for this could very well be website tracking. The issue with website tracking is you can't see if the websites you are visiting are actually tracking you. Ghostery is a free browser extension - available on all major web browsers - that will reveal these trackers, also known as web bugs. You can then decide which web bugs you’re comfortable with tracking you and which ones you’d like to block.

4)  Stop using Dropbox, I know that its a handy tool but as Edward Snowden once stated about Dropbox "they are a cloud service hostile to privacy". Lucky enough if you still want a way to share your files Snowden himself recommends that you use Spideroak to do so. The reason for this being that Spideroak is a zero-knowledge encrypted data backup, share, sync, access and storage service.

5) Use an alternative search engine to the mainstream, I suggested in a previous post that the best search engine for this is DuckDuckGo, which promises never to track your searches and “emphasizes protecting searchers’ privacy and avoiding filter bubble of personalized search results.

6) Reconsider your phone options, if you have a smartphone then staying anonymous just became a whole lot harder. The reason for this is for some reason every app you download these days wants access to your location,contacts,camera,microphone etc which makes staying off the grid impossible really. If you are super parnoid may I suggest investing in the super cool name "Blackphone" This is an ‘NSA-proof’ smartphone that claims to provide privacy features for texts, emails, web browsing and phone calls.

7) Use a Virtual Private Network (VPN)!!! I am sick of repeating this and if you really are serious about staying anonymous online this is simply a must have. You ask what is a VPN? Well essentially it hides your IP address and runs all your online data via a secure and encrypted virtual tunnel, which can keep websites from tracking your online activity or even knowing which country you’re browsing from (which is great for American Netflix). The catch with a using a VPN is don't ever trust a free one so you will need to shell out a few quid every month for the privilege of the service. Their has been a lot of talk recently about how secure certain VPN's are so do some of your own research and find the best one for you.

8) If you are using a popular webmail service such as Gmail then you might want to either change to a more secure provider or else add some security to your current provider. To do this I would suggest installing Mailvelope. Mailvelope is a browser extension for Google Chrome or Mozilla Firefox that brings OpenPGP encryption to your webmail service. Similar extensions exist, such as SecureGmail, which encrypts and decrypts emails you send through Gmail. Alternatively you could start using a webmail service such as Hushmail. Hushmail is currently very popular, it provides a private email account with no ads, built-in encryption and unlimited email aliases. Their is a limited free version of Hushmail however like everything you need to pay to get all the bells and whistles. For the more paranoid their is always the option of Disposable Email Addresses (DEAs). These are anonymous and temporary. They allow users to quickly create new email addresses as-and-when they’re needed, which can then be disposed of after use. There are many companies that provide this type of service however the more reliable one may come in the form of Guerrilla Mail and Mailinator.