
Entries in Security (68)

Wednesday, Dec 10, 2008

SafeSign and OSX

Updated on Thursday, April 22, 2010 at 22:07 by Registered Commenter Willem

After my blog post on OSX and Aladdin eToken I received a phone call from Haaino @ AET Europe. He offered the SafeSign software for OSX so I could try their OSX software as well.

The SafeSign software is used with smartcards and smartcard readers like the OmniKey smartcard readers. Through my line of work I have no lack of smartcards and readers. Only the software was missing (up till now).


Thursday, Dec 4, 2008

OSX and Aladdin eToken

Due to the nature of my work, and my fondness of Apple products I wasn't able to get my Aladdin eTokens working with OSX. After several months of not trying to crack this I decided to try it again.
The trigger for me was stumbling on the possibility of adding so-called keyfiles to the eToken for accessing TrueCrypt volumes.

First challenge was the eToken PKI software for OSX... Thankfully I'm a Certified eToken guru, so I've got access to their download area (you will have to get your own software). The current version of the eToken software for OSX is v4.55. I installed the Aladdin software on OSX 10.5.5.


Tuesday, Sep 16, 2008

Apple Released OSX 10.5.5 Update

Apple released the 10.5.5 update last night.
What's included?

General

  • Includes recent Apple security updates.
  • Addresses stability issues with video playback, processor core idling, and remote disc sharing for MacBook Air.
  • Addresses an issue in which some Macs could unexpectedly power on at the same time each day.
  • Resolves a stability issue in TextEdit that could be found when accessing the color palette.
  • Improves Spotlight indexing performance.
  • Fixes an issue in which contacts might not sync properly with PalmOS-based devices.
  • Improves iPhone sync reliability with iCal and Address Book.
  • Includes improvements to Active Directory (see this article for more information).
  • Improves Speech Dictionary.
  • Fixes Kerberos authentication issues for Mac OS X 10.5 clients that connect to certain Samba servers, such as Mac OS X Server version 10.4.
  • Includes extensive graphics enhancements.

Mail

  • Addresses performance issues related to displaying IMAP messages.
  • Resolves an issue with SMTP settings for AIM, Compuserve, Hanmail, Yahoo!, and Time Warner Road Runner email accounts.
  • Addresses stability issues that may occur when dragging a file to the Mail icon in the Dock.
  • Addresses an issue with the "Organized by Thread" view in which the date does not appear when the thread is collapsed.
  • Resolves an issue in which RSS feeds could temporarily disappear from the sidebar.
  • Improves Mail robustness when sending messages.
  • Improves reliability when saving drafts that have attachments.

Time Machine

  • Improves Time Machine reliability with Time Capsule.
  • Addresses performance issues that may affect initial and in-progress backups.
  • Fixes an issue in which an incorrect alert message could appear stating that a backup volume does not have enough free space.
  • Time Machine can now back up iPhone backups that are on your Mac, as well as other items in (~/Library/Application Support).

And much, much more.

Thursday, Aug 28, 2008

Storing Plain-text Passwords

Security is a hot issue nowadays. You get told over and over that no one will ever ask you for your password. Not your bank, not Paypal, and not even your online grocery store. This is to make sure that people won't be persuaded by phishers and other scumbags into giving them their password.

But why is it that a lot of companies and other initiatives on the Internet seem to store passwords in plain text in their databases? There is NO NEED to do this. Almost every hypertext scripting engine (ASP, PHP, Coldfusion, Perl, Ruby on Rails) supports the hashing of passwords.

COLDFUSION: <CFSET hashedPwd = HASH(password, "SHA-256") />

When a user logs in with a username and password, they are checked against the credentials in the database. The password gets hashed, and the hash is checked against the stored hash in the database. This way no one will be able to figure out the actual password (especially if a relatively strong hashing algorithm is being used, like SHA-256).

If the same user forgets his/her password you only need a mechanism to reset the password to a random password, communicate this to the user (by e-mail, SMS, snail-mail, or whatever) and allow the user to change this new password to one of his own at the next logon.

Another nice feature of hashing passwords is that the user can use a password with lots of printable characters (like !@#$%^&* (){{}|":;'\][/.,<>?`~), or complete sentences because these won't be stored. Only the hash (a hexadecimal string) will end up in the database. No matter how long the password/sentence is, the hash will always be a fixed length.

Maximum flexibility for the user, and a secure way of storing the passwords in the database. So if financial institutions or other high profile web-presences fail to do so, they should be made aware, and change their code.

So there's absolutely no need for anyone to be able to see your (plaintext) password besides yourself. And don't let them tell you otherwise.
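The hash-and-compare flow the post describes, written out as an added Python example (not the post's ColdFusion code): a constructed in-memory user table stands in for the database, login hashes the supplied password and compares it with the stored digest, and a forgotten password is replaced by a random one that is handed back for out-of-band delivery. It also shows the variant current practice favours, a per-user random salt with a slow key derivation (PBKDF2 via hashlib), so that two users with the same password do not end up with the same stored value and guessing is slowed down. The names USERS, register, verify_login, reset_password, hash_password_salted and verify_salted are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "database" standing in for the real one: username -> stored hash.
USERS = {}


def hash_password(password):
    """Plain SHA-256 of the password, hex encoded: always 64 characters, whatever the input length."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def register(username, password):
    """Store only the hash; the plaintext never reaches the database."""
    USERS[username] = hash_password(password)


def verify_login(username, password):
    """Hash the supplied password and compare it with the stored hash."""
    stored = USERS.get(username)
    candidate = hash_password(password)  # hash even for unknown users so timing does not reveal them
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def reset_password(username):
    """Forgotten password: replace it with a random one and return it for out-of-band
    delivery (e-mail, SMS, ...). The user changes it at next logon; the old hash is gone."""
    if username not in USERS:
        raise KeyError(username)
    new_password = secrets.token_urlsafe(12)
    USERS[username] = hash_password(new_password)
    return new_password


# --- Salted, slow variant (current practice; goes beyond what the post shows) ---

PBKDF2_ITERATIONS = 100_000  # example value; tune to the hardware


def hash_password_salted(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as 'iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify_login("alice", "correct horse battery staple"))  # True
    print(verify_login("alice", "wrong"))  # False
    temporary = reset_password("alice")  # send this to the user out of band
    print(verify_login("alice", temporary))  # True
    print(hash_password_salted("same") != hash_password_salted("same"))  # True: different salts
```

The fixed-length property the post mentions holds for both variants: a one-character password and a whole sentence both produce a 64-character hex digest, and only that digest is stored.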

Wednesday, Aug 27, 2008

Undocumented Coldfusion Ports

After running 'chkrootkit' on one of my Ubuntu servers at work, I got a response:

Checking `bindshell'... INFECTED (PORTS:  4000)

A message which started a 'mild' shiver across my back, because the rootkit checker just reported that one of the processes on the server could be compromised.

First I took the server off the network. Just to make sure. After that I searched the Internet for a possible explanation. Nothing substantial, until I found the following command to see what is occupying the port.

sudo netstat -e -p -n -a | grep 4000

This gave me the following result:

udp6       0      0 :::4000                 :::*                                65534      13886      4739/coldfusion8

So it seems that Adobe Coldfusion is using this port. But this can't be found in any of the official Adobe Coldfusion documentation. There are some (blog)posts related to this, but nothing more.
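Matching the flagged port to the process that holds it is the triage step the post performs by hand with netstat and grep. The Python below is an added example (not from the post) that parses `netstat -e -p -n -a` output and returns the owning socket entries for a port, so the same check can be run over a saved capture after the machine has been taken off the network. The sample output is constructed for the example: the coldfusion8 line is the one the post shows, the sshd and dhclient-less lines are added. `parse_netstat`, `owner_of_port` and the `Socket` record are this example's own names. With `-e` the User column is the numeric uid; 65534 is `nobody` on Ubuntu, so the process holding port 4000 was unprivileged, which is worth noting when deciding whether a chkrootkit bindshell hit is a false positive.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `sudo netstat -e -p -n -a` output. The udp6 line is the
# one from the post; the others are added for the example.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9123       812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          5100       -
udp6       0      0 :::4000                 :::*                                65534      13886      4739/coldfusion8
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     7123     1/init              @/com/ubuntu/upstart
"""


@dataclass
class Socket:
    proto: str
    local_addr: str
    port: Optional[int]   # None for entries without a numeric local port
    user: str             # numeric uid shown by -e
    inode: str
    pid: Optional[int]    # None when netstat printed "-" (owner not visible)
    program: str


def parse_netstat(text: str) -> List[Socket]:
    """Parse the Internet-socket lines of `netstat -e -p -n -a` into Socket records."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        # Skip headers and the UNIX domain socket section; only tcp/udp rows matter here.
        if len(fields) < 8 or not fields[0].startswith(("tcp", "udp")):
            continue
        # With -p the last column is "PID/Program name", or "-" when the owner is not
        # visible (the reason the command in the post is run with sudo).
        pid_prog = fields[-1]
        if pid_prog == "-":
            pid, program = None, "-"
        else:
            pid_text, _, program = pid_prog.partition("/")
            pid = int(pid_text)
        # The State column is empty for UDP, so index the trailing columns from the end.
        user, inode = fields[-3], fields[-2]
        local = fields[3]
        port_text = local.rsplit(":", 1)[-1]
        port = int(port_text) if port_text.isdigit() else None
        sockets.append(Socket(fields[0], local, port, user, inode, pid, program))
    return sockets


def owner_of_port(text: str, port: int) -> List[Socket]:
    """Return every socket entry bound to the given local port, e.g. the one chkrootkit flagged."""
    return [s for s in parse_netstat(text) if s.port == port]


if __name__ == "__main__":
    for hit in owner_of_port(NETSTAT_OUTPUT, 4000):
        print(f"port {hit.port}/{hit.proto} is held by PID {hit.pid} ({hit.program}) as uid {hit.user}")
```

Running it on the constructed capture reports that port 4000/udp6 is held by PID 4739 (coldfusion8) as uid 65534, which is exactly what the post found; a hit whose program is `-` means the capture was taken without enough privilege to see the owner and should be repeated with sudo.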

Friday, Aug 15, 2008

Create Your Own EV Certificate??

Most web browsers support the extended validation certificates. These certificates give a visual indication (green browserbar for example) that the SSL connection is trustworthy. The only problem is that they are expensive. Especially compared with the 'ordinary' SSL certificates.

These certificates are special because the Certificate Authority (e.g. VeriSign) validated the company that buys these certificates. This way, the end user can shop / bank / or whatever online without worrying too much.

Some affiliates / certificate vendors already did this years ago (validating the actual companies), so this is nothing new. Yet another way to fool the consumers, and make some extra money.....

The problem I ran into is that I used to have a 'yellow-ish' address bar when I entered an https website. Today (at least with FireFox 3) the address bar remains blank. The only indication is a tiny lock displayed at the bottom of the browser. Something you might (and definitely will) overlook.

I use a home-made Certificate Authority to create my own certificates (for webmail, secure IMAP, SSL, etc.), but I would like to see a proper visual indication of the SSL connection. So, is there a way to create an EV-like certificate (or even a new CA) by using Microsoft Certificate Services or by using OpenSSL which displays the colored address bar?

I did find some info on the EV requirements, but these should be 'spoofable' some way or another.....

UPDATE: I found a website which suggests reconfiguring Firefox 3. Problem with that is that I need to reconfigure all my browsers. I'd rather do it by 'faking' the specs.

It seems that the OCSP-responder is mandatory for the bars to turn green....

Wednesday, Aug 13, 2008

XS4ALL Plans Outbound Port Filtering

A usenet posting suggests that XS4ALL will provide a filtering service to their subscribers. The filter would consist of 5 levels, ranging from fully open to 'fully' closed. The first will give you the possibility of running your own services at home, and the latter means you're only able to e.g. surf and e-mail (through the XS4ALL SMTP server).

The filters would give the basic/ignorant user the opportunity of preventing the spreading of malware and other stuff by default. The more tech savvy subscribers can remove the filter for running a bunch of services (webserver, ftp, mail, DNS, etc).

Definitely a good decision. I just hope that the other ISPs will do something similar, because most of the virus/malware/massmailing 'software' is running on PCs run by the average user, totally ignorant of the malware running on their PCs.

Yet another 'thumbs up' for the quality provider of the Netherlands.

Tuesday, Jul 29, 2008

Lightroom 2.0

Adobe has released Lightroom 2.0.

The new features for this release are (my favorites);

  • 64bit support
  • >10.000 pixel wide images (finally able to add a decent panorama to Lightroom)
  • Multiple monitor support

An overview of the (new) features can be found here.

UPDATE: I've been playing with the dual display feature for a couple of hours. This is definitely a major enhancement. Finally, a real workplace of 2 * 24" widescreen.

Tuesday, Jul 8, 2008

FireFox 3 Dialog Boxes

Firefox is the default browser on all my platforms, and every once in a while I run into strange dialog boxes.
E.g., this evening I updated some digital certificates for the test environment of the VeriSign MPKI backend. These certificates are issued by a (private) VeriSign CA. So there's no trust by default.

After generating the keypair in FireFox 3 I got the positive dialog box as shown below.

No problem so far, but the next dialog box 'scared' me a little;

This dialog box, or at least the result, would remove (or delete) the certificate I just generated. The issuing CA is not installed in FireFox (or on the machine itself for all it matters). But in fact the certificate was installed in the Crypto/Certificate store of FireFox, and I could use it to access the VeriSign test backend.

So, even though FireFox warns the user that the content will be deleted (or not added), it doesn't actually do that at all. Let's see if I can file a bug report, because this occurred on all 4 certificates I generated/imported.

Tuesday, Jun 3, 2008

Full Disk Encryption for the Mac

Checkpoint acquired a company called PointSec a while ago. This company made full hard disk encryption software for Windows. Now, Checkpoint has released a hard disk encryption version for the Mac. I guess they are taking OSX seriously.

Disk encryption is available today for the Mac (TrueCrypt, PGP), but these aren't able to encrypt the boot partition; they can only encrypt other partitions, by the use of containers. This type of software was primarily available for Windows only.

Now that the 'trick' has been done, I guess more will follow.

I do wonder if it's still possible to use SuperDuper for cloning a bootdisk....
