iSEC Research Labs

SSLyze v0.7 Released

14 Aug 2013 - Alban Diquet

A new version of SSLyze is now available. SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it.

Changelog

  • Complete rewrite of the OpenSSL wrapper as a C extension
    • SSLyze is now statically linked with the latest version of OpenSSL instead of using the system's (potentially outdated/broken) OpenSSL library
    • All of SSLyze's features are now available on all supported platforms (including SSL 2.0, TLS 1.1 and TLS 1.2)
    • Scans are slightly faster
    • Python 2.6 is no longer supported
  • Support for StartTLS FTP, POP, IMAP, LDAP and "auto". See --starttls
  • Support for OCSP Stapling. See --certinfo
  • Other various improvements that results in SSLyze being more stable/robust

Packages

SSLyze requires Python 2.7; the supported platforms are Windows 7 32/64 bits, Linux 32/64 bits and OS X 64 bits. SSLyze is statically linked with OpenSSL 1.0.1e. For this reason, the easiest way to run SSLyze is to download one the following pre-compiled packages:

Linux

The following packages were tested on Debian 7 and Ubuntu 13.04.

OS X Mountain Lion

Windows 7

Black Hat 2013 - Cryptopocalypse Presentation Available

06 Aug 2013 - iSEC Partners

The slides for the Preparing for the Cryptopocalypse presentation from Black Hat 2013 are now available.

The group presentation was given by Alex Stamos, Tom Ritter, Javed Samuel and Thomas Ptacek and looks into the latest breakthroughs in the academic crypto community.

The paper can be downloaded here.

Black Hat 2013 - Bluetooth Smart Presentation Available

06 Aug 2013 - Mike Ryan

The slides for the Bluetooth Smart presentation from Black Hat 2013 are now available.

The presentation was given by Mike Ryan and looks into Bluetooth "Smart" (also known as Bluetooth Low Energy or BTLE), the latest Bluetooth spec, 4.0, used by fitness devices, locks, and recent smartphones.

The paper can be downloaded here.

Tool Release: PeachFarmer

14 Jun 2013 - Michael Lynch

Cloud-based Fuzzing with Peach

Several of the consultants here at iSEC perform fuzz testing using the Peach fuzzing framework. One of Peach's strengths is that it allows the user to parallelize a fuzzing job between multiple machines, making Peach a great way to perform cloud-based fuzzing. The drawback of using Peach in the cloud is that each Peach instance generates a large number of log files and crash dumps. For the user to analyze their results effectively, they must aggregate all of these logs manually. With a large number of fuzzing instances, this can become a cumbersome task.

PeachFarmer

To solve this problem, we created PeachFarmer. PeachFarmer runs as an agent on each Peach cloud instance. The user can query the fuzzing progress via the PeachFarmer client, which collects all of Peach's logs and crash dumps from each instance in the cloud. The client then downloads and aggregates these files to a central location on the user's local machine. PeachFarmer only downloads the data that has changed since the last successful check, so there's no redundant transfer of data files. In our own usage, PeachFarmer has made management of cloud fuzzing instances much faster and easier.

Project Page

Today we are excited to release PeachFarmer to the security community. Check out the project page on Github, try it out for yourself, and tell us what you think.

Happy fuzzing!

An Introduction to Authenticated Encryption

29 Apr 2013 - Shawn Fitzgerald

Historically, independent encryption and message authentication codes (MAC) have been used to provide message confidentiality and integrity. This has led to confusion within the user community, as there was no standard construct for combining these. The result of this has been often insecure combinations that have resulted in a number of high profile system breaks such as the use of WEP in 802.11. Over the last ten years, the cryptographic community has moved to a more formal approach to the development and specification of cryptographic algorithms and modes of operation; this has resulted in provably secure Authenticated Encryption primitives that provide both confidentiality and integrity.

Authenticated Encryption is beginning to see deeper adoption in both security standards and implementations, yet is still not commonly understood by the security community. In this paper, iSEC's Shawn Fitzgerald attempts to bridge the gap between academic and technical standards and non-technical overviews by presenting a systematic introduction to Authenticated Encryption and the most commonly used modes such as CCM, EAX, OCB and GCM.

The paper can be downloaded here.