Using OpenSSL to determine which Ciphers are Enabled on a Server

Billy McLaughlin, Associate Security Analyst, Independent Security Evaluators
November 2nd, 2015

When evaluating a remote target, learning more about the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) configuration can be very useful. Being able to test SSL/TLS configurations on target machines is a common requirement when performing security assessments. As such, it is important to be able to perform these tests as independent of system configuration as possible. Today, most popular Linux distributions come bundled with the openssl package, which is the only tool that is required for these purposes.

Is Apple’s watchOS 2 Update Less Secure than the Predecessor?

Drew Branch, Associate Security Analyst, Independent Security Evaluators
October 6th, 2015

If you are like me, you were ecstatic when Apple finally decided to release its version of the Apple Watch smart watch. For many, this was a long overdue addition to Apple’s device lineup. While its delayed release proved worth the wait, soon after, Apple Watch owners, as well as the general public, received intriguing news about the recently released watchOS 2 operating system for the Apple Watch. With a vast number of new features—one being the ability to run native applications on the watch—is Apple prepared to keep the information stored on your watch secure?

Quantum Computing and Quantum Resistant Algorithms

Ersin Domangue, Independent Security Evaluators
September 8th, 2015

Recently, I gave a little talk at ISE about quantum computing; I tried to delve into the subject a little deeper than what you might receive from a popular magazine or web news outlet. Following my talk, the ISE team jumped into a deeper discussion, questioning if an algorithm that is deemed "quantum resistant" is really safe. After all, with some celebrated exceptions (think one-time pad), no cryptographic algorithm can be totally resistant to cryptanalysis—even in the conventional sense.

Advanced Package Tool: Privacy or No Privacy?

Drew Branch, Associate Security Analyst, Independent Security Evaluators
August 31st, 2015

The package manager used by Debian-based Linux distributions, Advanced Package Tool (APT), does not ensure privacy out of the box. While other UNIX package managers use SSL/TLS, APT does not—leaving your privacy in the balance. With privacy concerns rapidly growing due to new discoveries of various government spying scandals, brand new laptops shipped with “bloatware,” and targeted ads embedded within social media outlets, one would think that people would be more concerned with privacy. This blog post will demonstrate how requests made via APT are sent over the network by default, and it will provide steps to enable secure communications when using APT.

Empowering Healthcare Security Executives

Geoff Gentry, Independent Security Evaluators
June 29th, 2015

Patient lives are at risk. We’re all patients. Every single one of us. We get sick, we have children, we suffer accidents. And we all rely on the most advanced medical ecosystems in the world to make us better. To heal us. But these petri dishes of innovation and efficiency could also kill us. Healthcare ecosystems, architected by bright minds and integrating groundbreaking technologies to assist in the healing process, are suffering from what makes them great: technology. Due to a myriad of factors, these ecosystems have become, and will continue to be, woefully insecure and vulnerable to attacks from a plethora of adversaries, all of whom are hell bent on gaining access to their most valuable asset: their patients. The stark reality of the modern era is that a digital attack can plausibly result in physical harm.

Samsung SwiftKey Killer Exploit

Independent Security Evaluators
June 20th, 2015

During BlackHat London, a vulnerability in the SwiftKey keyboard bundled by Samsung came to light [1]. There is a flaw in the way languages are updated and installed that allows an attacker to write an arbitrary file to an arbitrary location on the file system. The flaw was disclosed to Samsung in late 2014; to capitalize on the vulnerability, the attacker needs to be able to modify traffic en route to the update servers. While Samsung provided a patch early in 2015 [2], as of today, that patch has not made it into an over-the-air (OTA) update for major carriers [3].

Technology in Healthcare and Patient Risk

Drew Ogle, Independent Security Evaluators
June 8th, 2015

Technology is a critical component in healthcare: we get it, we can all agree on this point. However, these same technologies, the ones meant to better patient care, to improve workflows, and to reduce costs, also introduce the possibility for errors, for attacks, and for patient harm. The referenced article below provides a good example of how disaster can strike, and I'll provide a few lessons we can learn to, hopefully, do better in the future.

VENOM Vulnerability: The Newest Threat to Your System’s Cyber Health

Ersin Domangue, Independent Security Evaluators
May 21st, 2015

The security firm CrowdStrike recently revealed a vulnerability that its staff discovered in QEMU-based virtual machine (VM) products (CVE-2015-3456). These include Xen, KVM, and VirtualBox. VMware products, Bochs, and Hyper-V are not affected. The vulnerability, which they call "VENOM" (Virtualized Environment Neglected Operations Manipulation), can lead to complete control of a host computer, as well as access to all of the VMs running on the machine. VM vendors have or will have updates, and system administrators should apply them as soon as they are available.

Cyber Security: The Gateway to Career Success

Lisa Green, Independent Security Evaluators
May 14th, 2015

A notable weakness in most organizations’ security program is a lack of trained, experienced, and available security resources; to protect their assets, organizations require talented professionals with both technical and soft skills to create, define, and implement these programs. While the need is growing, the bar is set high. To work among the elite in the field in a career that allows for expansive professional growth, consider what it takes to get there. The need for talented cyber security analysts will continue to grow, and choosing to work in the industry is not only a timely career choice that allows for professional growth, but it is also a rewarding one that allows for personal growth and directly benefits companies and their stakeholders.

Don't Believe Everything You Read: Security Bugs in Reference Materials

Jacob Thompson, Independent Security Evaluators
April 10th, 2015

In this post, we consider the impact that the explosion of new software frameworks, and the frequent need to shift between them, has on security: (1) the tendency to use technologies without fully understanding them, (2) the use of non-peer reviewed sources for assistance and documentation when solving a problem, and (3) the presence of security bugs in code examples in printed materials from respected publishers. Finally, we conclude with recommendations for developers and authors to help avoid inadvertent subtle security bugs as a result of relying on or producing faulty documentation.

Superfish and Lessons not Learned - Preloaded Malware

Mark Goldman, Independent Security Evaluators
Feb. 21st, 2015

ISE has been finding more and more suspicious bloatware on Windows operating systems in past years. Just this past week, this issue came to a head with the discovery of the Superfish malware disguised as bloatware on Lenovo machines. ISE gives its take on this topic here.

Which SSL/TLS Protocol Versions and Cipher Suites Should I Enable on My Server?

Jacob Thompson, Independent Security Evaluators
Jan. 19th, 2015

ISE customers have recently asked how they should configure the SSL/TLS libraries on their servers to avoid any known security vulnerabilities. Here are our recommendations.

Copyright 2005-2013 Independent Security Evaluators, LLC. All rights reserved.