
Entries in Security (68)

Saturday, February 5, 2011

PGP Services Menu Integration

During the clean-up of my personal data on my Macs, I found several PGP encrypted containers and encrypted files. To see what was stored in them, I needed to install PGP (again).

After installing the software I dug up my keyrings and everything worked fine, until I tried to encrypt an e-mail. In the old days you had a button for encrypting the body of an e-mail message, but today things have changed. PGP now uses some sort of (local) proxy to encrypt, decrypt, sign and verify e-mail messages. BUT there's also the possibility to do this with text on the clipboard, or text you selected with your mouse/keyboard.

This is where I ran into some missing functionality: normally the PGP actions are visible under the right-click menu -> Services, but no PGP actions were available there. Further investigation showed that no PGP actions were available on (plain) text in editors. PGP actions on entire files were no problem.


Saturday, January 29, 2011

Weird 802.1x EAP-TLS Behavior with Windows XP SP3

I'm currently busy with several 802.1x implementations in corporate networks, and in one of those environments I get the strangest behavior with regard to the authentication process.

In this particular case I use a Microsoft 2008 Active Directory, which is mandatory for distributing the 802.1x settings of the wired network adapter. The clients are a mix of Windows XP (SP1 and SP3) clients and some newer and/or exotic operating systems. The authentication mechanism of choice is EAP-TLS with dynamic VLAN assignment. The RADIUS server used is the Cisco Secure ACS v5.x appliance.

During the authentication process of the XP SP3 PCs I saw that the first authentication attempt was made with the PEAP mechanism. Since PEAP isn't allowed, that authentication attempt failed. About a minute and twenty seconds later the PC started another dot1x authentication sequence, this time using EAP-TLS, and the PC got access to the network.


Thursday, January 20, 2011

802.1x: Machine Access Restriction 'Vulnerability'

Today we ran into a feature of the Machine Authentication Restrictions (MAR) option in the Cisco Secure ACS RADIUS server. It seems that when you're using the ACS for 802.1x authentication, you have the option of demanding that users can only be authenticated when the computer has already been authenticated. This way, you make sure that no user can access the network without a legitimate PC.


Saturday, November 20, 2010

First Paypal Spoof Ever

Today, my very first PayPal spoof/phishing mail arrived. So finally, my e-mail address has been recorded in your average cyberpunk database. Note that the (Dutch) grammar and spelling in the e-mail are appalling. Just what you expect from a default translation program like Google Translate or Babelfish.


Thursday, November 18, 2010

Chinese Government Shows 'Interest'

It's no surprise that a lot of cyberattacks originate from the 'excellent' People's Republic of China. Some of these attacks are funded by or even originate from the Chinese government. Well, the latter is definitely true.

My (private) ssh server is a point of interest to the Chinese government, since they are trying to get in.

Every couple of minutes a possible break-in entry is recorded in my logs. I guess that they decided not to hammer the front door, in order to evade automatic blacklisting of the originating IP.

reverse mapping checking getaddrinfo for mail.zdpri.gov.cn [218.108.28.189] failed - POSSIBLE BREAK-IN ATTEMPT!

I checked the IP and it seems to host the web-mail for the Zhejang prov. Development Planning & Research Institute [1].

I guess it's time to tighten the timers on blacklisting.....

By the way, the reporting on the IP was provided by Splunk, an excellent tool for digging through logfiles and reporting.
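A small detection script for this kind of entry, added here as an example and not part of the original post: it parses sshd syslog lines for the reverse-mapping failure quoted above, groups them per source IP and flags a source once it produces a threshold number of failures inside a sliding time window. The log lines below are constructed (the hostname and address are the ones quoted in the post; the timestamps, process ids and the host name `gw` are made up), and the year handed to the parser is an assumption, since syslog timestamps carry none. Running the same data against a 5-minute and a 10-minute window shows why attempts spaced a couple of minutes apart slip past a short blacklisting timer but not a longer one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not taken from the post's logs);
# the hostname and IP are the ones quoted in the post, everything else is made up.
SAMPLE_LOG = """\
Nov 18 10:00:05 gw sshd[4101]: reverse mapping checking getaddrinfo for mail.zdpri.gov.cn [218.108.28.189] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 10:02:10 gw sshd[4133]: reverse mapping checking getaddrinfo for mail.zdpri.gov.cn [218.108.28.189] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 10:04:15 gw sshd[4160]: reverse mapping checking getaddrinfo for mail.zdpri.gov.cn [218.108.28.189] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 10:04:40 gw sshd[4162]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
Nov 18 10:06:20 gw sshd[4190]: reverse mapping checking getaddrinfo for mail.zdpri.gov.cn [218.108.28.189] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 10:08:25 gw sshd[4221]: reverse mapping checking getaddrinfo for mail.zdpri.gov.cn [218.108.28.189] failed - POSSIBLE BREAK-IN ATTEMPT!
"""

# Matches only the reverse-mapping failure that sshd logs; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[0-9.]+)\] failed"
)


def parse_events(text, year=2010):
    """Return a list of (timestamp, source_ip) for each reverse-mapping failure.

    Syslog timestamps have no year, so one is supplied by the caller (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events


def flag_sources(events, threshold, window_seconds):
    """Return the set of IPs with at least `threshold` failures inside any
    `window_seconds` span. Uses a per-IP sliding window over sorted timestamps."""
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)

    flagged = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it fits in window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(f"{len(events)} reverse-mapping failures parsed")
    # Five attempts, roughly two minutes apart: invisible to a 5-minute timer,
    # caught by a 10-minute one.
    print("5 in 5 min :", flag_sources(events, threshold=5, window_seconds=300))
    print("5 in 10 min:", flag_sources(events, threshold=5, window_seconds=600))
```

The interesting comparison is the last two lines: the same source that stays under a "5 failures in 5 minutes" rule is flagged by "5 failures in 10 minutes", which is exactly the timer tightening the post suggests. In practice the window and threshold should be tuned against legitimate clients whose reverse DNS is simply broken, since that produces the identical log line.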

Monday, September 20, 2010

HDCP Master Key Leaked

The High-Bandwidth Digital Content Protection (HDCP) master key was leaked onto the Internet. This master key can be used to decode encrypted traffic between certified / licensed devices. No encryption means that the content (mostly movies) can be copied and/or played on non-licensed devices.

A while back, another copy-protection key was leaked. That key was for BluRay (BR+) titles. This HDCP key is the so-called mother lode.


Thursday, August 19, 2010

Adobe Coldfusion 8 and 9 Vulnerable to Hijacking

Adobe released a security bulletin regarding the Coldfusion web engine. Upgrade / patch your Coldfusion server if you want to stay in control of your webserver. The patch has been classified as important.

An important vulnerability has been identified in ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 for Windows, Macintosh and UNIX. This directory traversal vulnerability could lead to information disclosure (CVE-2010-2861). Adobe has provided a solution to the reported vulnerability. It is recommended that users update their product installation using the instructions provided above.

The patch/update can be downloaded here.

Thursday, August 12, 2010

Microsoft Cryptographic Store and Passwords

We've been experimenting with the use of user certificates for VPN access to the lab. Issuing and using them isn't the problem. The problem is that there's no way of enforcing a password on the use of the private key. You can use private key protection on the certificate template, but that still doesn't enforce a password requirement. The user still has the option of choosing the notification instead of a password.

Certificate Template - Request Handling Options

There's an option to enforce a password, but that's system wide for the Microsoft Cryptographic Service Provider, and we don't want to enforce passwords for ALL certificates. We just want to enforce passwords for this specific template.


Tuesday, July 13, 2010

Splunk> Making Sense of Logfiles

My area of expertise in the professional world is Network Security. This includes protecting networks from intrusions, but also delivering reports about the network status. For the latter we use SIEM(-like) environments like the Cisco CS-MARS and the Juniper STRM.

The 'problem' with these devices is that they are great at reporting incidents and creating awesome reports about everything, but they lack the functionality to do some serious investigating.

I have several customers with a SIEM, and most of them still use (Linux) command-line tools like awk, grep, etc. These tools work, but you need to scrape everything together yourself, and building queries can be quite challenging. This is where Splunk> comes in.


Thursday, April 22, 2010

SafeSign and Apple OSX Snow Leopard

Last week I got an e-mail from one of the product managers at AET Europe regarding the availability of SafeSign / Tokenlounge for OSX Snow Leopard.

The content of the e-mail wasn't very encouraging.... It seems that the Snow Leopard release of SafeSign / Tokenlounge is delayed by a bug in the Apple Keychain:

---------
We use systemkeychain -T to create a login keychain (for a new FV user) associated with our token. When trying to unlock this newly created keychain during login with the smartcard, we get prompted with the "unable to unlock login keychain" panel (as you have observed).
This is basically our main concern, as this was perfectly running under 10.5. Any idea why the system wants to update the login keychain password, prompting the user with that panel???

What we have discovered besides is that when you click Create New Keychain on that panel, the keychain gets encrypted with the PIN of the smartcard instead of the RSA key, which is a major security issue (same behavior if you click Update Keychain Password)...
You can easily verify this last issue by removing your smartcard, launching Keychain Access and entering your PIN code to unlock the keychain...

Once again, we didn't have this kind of problem with Leopard.

As long as this issue isn't resolved, there will be no version for Snow Leopard. The (security) risk is just too big.
-------------

So, we need to be patient and wait till Apple solves this. In the meantime, when you need the SafeSign software for your everyday work, you shouldn't upgrade to Snow Leopard.

Check the follow-up on the original SafeSign post for the availability on the Leopard version of SafeSign / Tokenlounge.