Entries in Security (68)

Friday, January 22, 2010

Microsoft Haunted by 17-year old 'feature'

It looks like every Windows version is susceptible to a 17-year-old 'feature' that could give hackers access to your computer. The 'feature' has existed since Windows v3.51, which dates from the last century (this way it looks even older :-) ).

The person who discovered this feature (Tavis Ormandy) did a full disclosure, which can be found here. So you'd better start watching your 3.51 operating systems (and above).

Tuesday, December 29, 2009

Mobile Phone Communication Codes Cracked

The German scientist Karsten Nohl published his findings this week at the CCC (Chaos Communication Congress) in Berlin. The CCC is an annual hacking convention, held in Berlin, Germany.

Normally, GSM communication switches frequency regularly, and therefore it's hard to listen in, but if you can crack the frequency switching algorithm... Which is exactly what Karsten Nohl and his team did.
They cracked the so-called stream cipher A5/1, which protects the voice conversations, and published the details at the CCC in Berlin.

Monday, October 12, 2009

Management Through SSH

SSH (Secure Shell) is a secure alternative to the ancient Telnet program/protocol. Telnet (and SSH) allows a user to connect to a remote server and use a command line interface to execute commands (i.e. manage the server).

Where Telnet is relatively limited in its functionality, SSH has a bunch of features that enable the user to do much more. The SSH protocol has the ability to tunnel other traffic through an SSH connection (read: a tunnel). The big advantage is that everything going through the tunnel is heavily encrypted (which is good).

The best-known tool built on SSH is SFTP (FTP over SSH), a secure alternative to the 'old' File Transfer Protocol, which communicates in plaintext.

Monday, July 27, 2009

Apple Favors Own Products, or FileVault Screws Up

Something everyone would do I guess (the favoring part at least :) ). But Apple is doing this in a very peculiar way. When you run OS X with a ton of third-party applications you won't notice anything, since everything runs as it should. But when you start using FileVault, things change. A lot...

FileVault is the way Apple secures your data. When it is turned on, the OS creates a sparse image of your user data, so everything stored within your user directory is encrypted using AES-128.

The use of FileVault screws up certain system files. One of those (or several, for that matter) is used to store the default applications, like Firefox for Internet instead of Safari. Every time you reboot your system the default application settings are read.
This weekend I also found out that at least one handy program also disagrees with FileVault. Little Snitch won't properly save its registration info when you're using FileVault.

You know what the worst thing is? This BUG has been present since Panther (OS X 10.3). I wonder if this is going to be fixed in Snow Leopard. To be honest, I doubt it. If they can't figure it out in 4 years, they probably never will.

As a security-savvy nerd I want to use FileVault on my MacBook, but the problems with FileVault made me decide to uninstall this feature. Too bad that there are no other real alternatives. TrueCrypt (or PGP) is nice, but it can't encrypt your hard disk (from which you boot) or even your user directory. Check Point seems to have software, but there's no way of buying it easily. So it seems it's mainly reserved for corporate environments.

UPDATE: w00t... They solved this annoying 'feature' in Apple OS X 10.6 a.k.a. Snow Leopard. Way to go Apple. Although it is several OS releases/years too late!!!!

Tuesday, July 21, 2009

Juniper NSMXpress 'Fun'

Today was one of those days. First the two NSMXpress appliances failed yesterday (version 2008.2r2). No way of connecting with the client GUI. The web interface and SSH connections worked fine though. Picked one up for examination, and since I had some *cough*good*cough* experiences a while back I assumed the latest software had some undocumented bug.

A reset to factory defaults (version 2007.3r1) worked fine, but due to certain hardware the 2008 version was needed. So I upgraded the appliance (again) and found (while waiting) that the security certificate, used between the NSM server and the client GUI, had expired on July 20th, 2009... So someone forgot to update the certificates in the 2008.2r2 software.
After fixing that, the client GUI worked like a charm.

Thursday, July 9, 2009

Internet Data Retention Law is Live in the Netherlands

It's a fact. As of this Tuesday, the Dutch ISPs are required (by Dutch law) to log all Internet activity of their customers and store the data for 12 months (at the moment). Gitmo Nation has expanded a bit further to the east, according to No Agenda podcast host Adam Curry (which is a great podcast by the way).

Anyway, the logging is no longer limited to the basic IP connection data; the new law requires the ISPs to log the following information:

General Internet Access:

  • Login name
  • IP address
  • Name and address details of all the parties involved (when available)
  • Time and date the communication took place
  • Used service(s)
  • The caller's phone number in the case of dial-up Internet access
  • The number called for dial-up Internet access
  • DSL, phone numbers, MAC address (when using public/ISP-sponsored WiFi/network access)

E-mail:

  • IP address used to access or send e-mail
  • User ID
  • E-mail address of the sender, recipients etc. (basically the FROM, TO, CC and BCC fields)
  • Registered e-mail alias addresses when available
  • Time and date of the communications
  • Name and address details of all the parties involved (when available)
  • Method used in sending/receiving the e-mail (webmail, POP, SMTP, IMAP, etc.)

Internet VoIP:

  • Phone numbers of both parties
  • IP addresses
  • Name and address details of all the parties involved (when available)
  • Time and date of the communication (start and finish)
  • Protocols used during the communication
  • Successful and failed attempts to communicate

The 'fun' part is that the Dutch government won't (or can't) give a real reason why this information is required... Why can't they give the proper reasons for creating and passing this law? Theoretically we still live in a democracy.

My thought is that it's probably based on some vague report by some high-profile consulting company that scared the shit out of the politicians (accountability??). Especially the terms 'child pornography' and 'terrorism' are most likely THE keywords on which the decision is based. And no one wants to be publicly not against those two... And so the privacy of the Dutch citizens crumbles, and crumbles.

Time to start using more and more encryption in all of your communications if you ask me, and start running your own services on a server in your attic.

/me is removing the dust from his PGP keyrings....

Wednesday, January 7, 2009

PGP Desktop Updates

I've been a PGP user for quite a while now. A couple of years ago I bought the software (before that I used the free PGP versions). My original license was for version 8.x. Every once in a while there would be a message indicating that there was a new version available.

The last couple of months there were no new messages, and when I checked for updates from the application the default message was "you're running the latest version".

But according to the PGP website there were newer versions (9.8, 9.9). So I 'registered' for an evaluation version and installed that over my existing 9.7 version.
After the reboot everything worked. My (old existing) license is still valid. So why is PGP not telling me that there's an upgrade available?

I guess the fun will end with the release of version 10.
By the way, I still find it frustrating that they removed the SIGN and ENCRYPT buttons/functionality from within Apple Mail.app. I don't want to sign all my outgoing mail (which happens when you configure the mail proxy settings). I want to be in total control :)

Monday, December 29, 2008

Broken SSL Trust

When a CA issues an SSL certificate, they (the registration authority) should verify certain information provided by the requester. This includes at least the domain name ownership and preferably the person or company tied to the domain name ownership. Basic stuff really, but what happens when certificates get issued without any verification? Well, this happened to Mozilla [2].

Basically the complete trust framework collapses (for that CA), especially combined with hosts file and/or DNS hijacking. What if this incident isn't the first? What if some cybercrook got some SSL certs for your favorite bank due to similar mistakes? You're no longer sure if the https connection to your bank really terminates on the servers of your bank. It could just as easily terminate on a server in Russia or Albania. Which leaves you with an empty bank account (most likely).

If the certificate is issued (signed) by a Comodo Root CA (as it was in this case), your browser accepts this as a valid/trusted CA and for the user everything seems fine. This takes me back to the issue of all those trusted root certification authorities in the average OS or browser.
This time, it's a Comodo affiliate that screwed up (there's no other way of describing this), but what are the chances that some of those 100+ trusted CAs make a mistake? The bigger the list, the bigger the chance of wrongfully issued (SSL) certificates.

By the way, if you're using an older browser (pre-IE6, for example), chances are that SSL certificate revocation checking is disabled by default. So even when they revoke the certificate, you still wouldn't know... You can verify this by opening the Internet Explorer options and checking the Advanced tab.

Thursday, December 18, 2008

SSH Connection to Juniper Devices

While in the midst of my Juniper exam preparation I ran into a problem with my Apple equipment. Managing the Juniper firewall (an SSG5 in this case) over SSH was not possible from OS X. The connection itself would work, but after entering the password the connection was closed by the remote host (the firewall).
Trying this from a Windows laptop (with SecureCRT), everything worked as expected.

Some searching revealed that this is an OpenSSH bug. To manage your Juniper over SSH from OS X you need to add a parameter to the ssh command (or edit the SSH config file).

Parameter to add:

  -o ControlMaster=auto

e.g.

  ssh willem@127.0.0.1 -o ControlMaster=auto

Or add the following line to the global SSH config (/etc/ssh_config) or the user config (~/.ssh/config).

  ControlMaster auto

Juniper has a knowledgebase article (KB12409) on the issue.

Thursday, December 11, 2008

Uninstall SafeSign on OSX

While the installation of the SafeSign software is relatively easy, the removal of the software is a bit harder. The installation package lacks an automated removal feature, so removing the driver/application must be done by hand.

The removal procedure for the software (both the SafeSign and the TokenLounge software) can be reconstructed by analyzing the original packages/installation scripts.

WARNING: Before you continue, you need to realize that this uninstall procedure comes without ANY warranties. So make a backup BEFORE proceeding.