Posts filed under Security

Apple Released OSX 10.5.5 Update

Apple released the 10.5.5 update last night.
What's included?

General

  • Includes recent Apple security updates.
  • Addresses stability issues with video playback, processor core idling, and remote disc sharing for MacBook Air.
  • Addresses an issue in which some Macs could unexpectedly power on at the same time each day.
  • Resolves a stability issue in TextEdit that could be found when accessing the color palette.
  • Improves Spotlight indexing performance.
  • Fixes an issue in which contacts might not sync properly with PalmOS-based devices.
  • Improves iPhone sync reliability with iCal and Address Book.
  • Includes improvements to Active Directory (see this article for more information).
  • Improves Speech Dictionary.
  • Fixes Kerberos authentication issues for Mac OS X 10.5 clients that connect to certain Samba servers, such as Mac OS X Server version 10.4.
  • Includes extensive graphics enhancements.

Mail

  • Addresses performance issues related to displaying IMAP messages.
  • Resolves an issue with SMTP settings for AIM, Compuserve, Hanmail, Yahoo!, and Time Warner Road Runner email accounts.
  • Addresses stability issues that may occur when dragging a file to the Mail icon in the Dock.
  • Addresses an issue with the "Organized by Thread" view in which the date does not appear when the thread is collapsed.
  • Resolves an issue in which RSS feeds could temporarily disappear from the sidebar.
  • Improves Mail robustness when sending messages.
  • Improves reliability when saving drafts that have attachments.

Time Machine

  • Improves Time Machine reliability with Time Capsule.
  • Addresses performance issues that may affect initial and in-progress backups.
  • Fixes an issue in which an incorrect alert message could appear stating that a backup volume does not have enough free space.
  • Time Machine can now back up iPhone backups that are on your Mac, as well as other items in (~/Library/Application Support).

And much, much more.

Posted on September 16, 2008 and filed under Apple, Operating Systems, Security, Software.

Storing Plain-text Passwords

Security is a hot issue nowadays. You get told over and over that no one will ever ask you for your password. Not your bank, not PayPal, and not even your online grocery store. This is to make sure that people won't be persuaded by phishers and other scumbags into giving them their password.

But why is it that a lot of companies and other initiatives on the Internet seem to store passwords in plain text in their databases? There is NO NEED to do this. Almost every web scripting engine (ASP, PHP, ColdFusion, Perl, Ruby on Rails) supports the hashing of passwords.

COLDFUSION: <CFSET hashedPwd = HASH(password, "SHA-256") />

When a user logs in with a username and password, they are checked against the credentials in the database: the submitted password gets hashed, and the hash is compared with the stored hash. This way nobody who can read the database, not even the site's own administrators, gets the actual password. Two caveats that a bare SHA-256 call doesn't cover: hash each password with its own random salt, otherwise identical passwords produce identical hashes and precomputed tables recover the common ones in seconds, and prefer a deliberately slow password hash (bcrypt, or PBKDF2 with a high iteration count) over a single fast SHA-256, because a plain SHA-256 of a short password can be brute-forced offline.

If the same user forgets his or her password, you only need a mechanism to reset it to a random password, communicate that with the user (by e-mail, SMS, snail mail, or whatever) and require the user to change this temporary password to one of his own at the next logon.

Another nice feature of hashing passwords is that the user can use a password with lots of printable characters (like !@#$%^&*(){}|":;'\][/.,<>?`~), or complete sentences, because these won't be stored. Only the hash (a hexadecimal string) ends up in the database. No matter how long the password/sentence is, the hash will always be a fixed length (64 hex characters for SHA-256).
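The whole flow described above (store only a salted hash, verify by rehashing, reset to a random temporary password that is itself only stored hashed, arbitrary-length passwords giving a fixed-length hash), as an added example in Python rather than ColdFusion; this is not code from the original post. The in-memory USERS table stands in for a database, and the PBKDF2 iteration count is an assumption chosen for this example:

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for the users table: username -> record. The only
# password-related columns a real application needs are salt and hash.
USERS: Dict[str, dict] = {}

# PBKDF2-HMAC-SHA256 work factor (assumption for this example). Raise it as
# hardware gets faster; the point is that each guess costs the attacker the
# same work it costs the login page.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user means two
    users with the same password get different digests, and precomputed
    (rainbow) tables are useless. Output length is fixed (32 bytes) no matter
    how long the password is."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store salt + hash only; the plaintext never reaches the table."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "must_change": False}


def verify(username: str, password: str) -> bool:
    """Rehash the submitted password with the stored salt and compare the
    digests in constant time, so the comparison leaks nothing about where
    the first differing byte is."""
    record = USERS.get(username)
    if record is None:
        # Do the same work for an unknown user so timing does not reveal
        # which usernames exist.
        hash_password(password)
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def reset_password(username: str) -> str:
    """Generate a random temporary password, store only its hash, and flag
    the account so the user must pick a new password at the next logon.
    The returned plaintext goes to the user (e-mail, SMS, ...) and nowhere
    else."""
    temp = secrets.token_urlsafe(12)
    salt, digest = hash_password(temp)
    USERS[username].update({"salt": salt, "hash": digest, "must_change": True})
    return temp


def change_password(username: str, old: str, new: str) -> bool:
    """Require the current (or temporary) password before accepting a new
    one; a successful change gets a new salt and clears must_change."""
    if not verify(username, old):
        return False
    register(username, new)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple !@#$%^&*(){}|\":;'\\][/.,<>?`~")
    print("login ok:", verify("alice", "correct horse battery staple !@#$%^&*(){}|\":;'\\][/.,<>?`~"))
    print("stored hash length:", len(USERS["alice"]["hash"]))
    temp = reset_password("alice")
    print("temporary password accepted:", verify("alice", temp))
    print("changed:", change_password("alice", temp, "a new sentence as password"))
```

The same structure applies to the ColdFusion `hash()` call from the post: generate the salt with a CSPRNG, store it next to the hash, and hash `salt & password` (or better, use a library that implements bcrypt or PBKDF2) instead of hashing the password on its own.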

Maximum flexibility for the user, and a secure way of storing passwords in the database. So if financial institutions or other high-profile web presences fail to do so, they should be made aware and change their code.

So there's absolutely no need for anyone but you to be able to see your (plaintext) password. And don't let them tell you otherwise.

Posted on August 28, 2008 and filed under Security.

Undocumented Coldfusion Ports

After running 'chkrootkit' on one of my Ubuntu servers at work, I got this response:

Checking `bindshell'... INFECTED (PORTS:  4000)

A message which sent a 'mild' shiver down my back, because the rootkit checker had just reported that a process on the server might be a bind shell (a backdoor listening on a port).

First I took the server off the network, just to make sure. After that I searched the Internet for a possible explanation and found nothing substantial, until I came across the following command, which shows what is occupying the port:

sudo netstat -e -p -n -a | grep 4000

This gave me the following result:

udp6       0      0 :::4000                 :::*                                65534      13886      4739/coldfusion8

So it seems that Adobe ColdFusion is using this port, which can't be found in any of the official Adobe ColdFusion documentation. There are some (blog) posts about it, but nothing more. Worth knowing when reading chkrootkit output: its 'bindshell' test only checks whether something is listening on a fixed list of ports historically used by bind shells; it does not look at the process behind the port, so a legitimate daemon on one of those ports produces exactly this 'INFECTED' report. The netstat output is the check that settles it: the PID/Program name column names the listener, and netstat only fills it in (instead of '-') when run as root, hence the sudo.
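The triage described above, as an added example (not code from the post): parse the ports chkrootkit complained about, parse `netstat -e -p -n -a` output, and report for each flagged port whether the listener is a process you expect on that host. The netstat sample is constructed for the example (the coldfusion8 line mirrors the one shown above), and the EXPECTED map of port to program name is an assumption standing in for what you know about your own server:

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of `netstat -e -p -n -a`; not captured from the server.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9231       1012/sshd
tcp        0      0 127.0.0.1:8300          0.0.0.0:*               LISTEN      65534      13880      4739/coldfusion8
udp6       0      0 :::4000                 :::*                                65534      13886      4739/coldfusion8
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      0          20111      -
"""

# Which program is allowed to own which port on this host (assumption).
EXPECTED: Dict[int, str] = {22: "sshd", 4000: "coldfusion8", 8300: "coldfusion8"}


class Listener(NamedTuple):
    proto: str
    port: int
    user: int
    pid: Optional[int]
    program: Optional[str]


# One netstat socket line. The State column is blank for UDP, so it is
# optional; User and Inode are numeric because of -n and -e.
LINE_RE = re.compile(
    r"^(?P<proto>(?:tcp|udp)6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<user>\d+)\s+(?P<inode>\d+)\s+(?P<pidprog>\S+)"
)


def chkrootkit_ports(line: str) -> List[int]:
    """Extract the port numbers from a chkrootkit 'bindshell' result line."""
    m = re.search(r"PORTS:\s*([\d\s]+)\)", line)
    return [int(p) for p in m.group(1).split()] if m else []


def parse_netstat(output: str) -> List[Listener]:
    """Turn netstat output into Listener records; header and unparseable
    lines are skipped. '-' in the PID column means netstat could not see
    the owner (not run as root), which is recorded as pid/program None."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port = int(m.group("local").rsplit(":", 1)[1])
        pidprog = m.group("pidprog")
        if pidprog == "-":
            pid, program = None, None
        else:
            pid_s, program = pidprog.split("/", 1)
            pid = int(pid_s)
        listeners.append(Listener(m.group("proto"), port, int(m.group("user")), pid, program))
    return listeners


def triage(flagged: List[int], listeners: List[Listener], expected: Dict[int, str]) -> Dict[int, str]:
    """Verdict per flagged port: expected / unexpected / unknown-owner /
    not-listening. A port with several sockets gets one verdict per socket,
    joined with '; '."""
    verdicts: Dict[int, str] = {}
    for port in flagged:
        owners = [l for l in listeners if l.port == port]
        if not owners:
            verdicts[port] = "not-listening: nothing bound now; re-run chkrootkit and netstat together"
            continue
        parts = []
        for l in owners:
            if l.program is None:
                parts.append(f"unknown-owner: {l.proto} socket with no PID shown; re-run netstat as root")
            elif expected.get(port) == l.program:
                parts.append(f"expected: {l.proto} owned by {l.program} (pid {l.pid}, uid {l.user})")
            else:
                parts.append(f"unexpected: {l.proto} owned by {l.program} (pid {l.pid}); check /proc/{l.pid}/exe")
        verdicts[port] = "; ".join(parts)
    return verdicts


if __name__ == "__main__":
    flagged = chkrootkit_ports("Checking `bindshell'... INFECTED (PORTS:  4000)")
    for port, verdict in triage(flagged + [31337], parse_netstat(SAMPLE_NETSTAT), EXPECTED).items():
        print(port, verdict)
```

The program name netstat prints is the short process name, not a path, so a verdict of "expected" still deserves one more look on a box you suspect: `readlink /proc/<pid>/exe` tells you which binary actually holds the socket. On current systems `ss -lunp` gives the same UDP listener information as the netstat command above.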

Posted on August 27, 2008 and filed under Annoying, Linux, Operating Systems, Security.

Create Your Own EV Certificate??

Most web browsers support Extended Validation (EV) certificates. These certificates give a visual indication (a green address bar, for example) that the SSL connection is to a validated organization. The only problem is that they are expensive, especially compared with 'ordinary' SSL certificates.

These certificates are special because the Certificate Authority (e.g. VeriSign) has validated the identity of the company buying the certificate. The browser only shows the EV indicator when the certificate chains to a root that the browser vendor has approved for EV and carries that CA's EV policy identifier. This way, the end user can shop / bank / or whatever online without worrying too much.

Some certificate vendors / affiliates already did this years ago (validating the actual companies), so this is nothing new. Yet another way to fool the consumers and make some extra money.....

The problem I run into is that I used to get a 'yellow-ish' address bar when I entered an https website. Today (at least with Firefox 3) the address bar stays blank. The only indication is a tiny lock displayed at the bottom of the browser, something you might (and definitely will) overlook.

I use a home-made Certificate Authority to create my own certificates (for webmail, secure IMAP, SSL, etc.), but I would like to see a proper visual indication of the SSL connection. So, is there a way to create an EV-like certificate (or even a new CA) by using Microsoft Certificate Services or OpenSSL which displays the colored address bar?

I did find some info on the EV requirements, but these should be 'spoofable' one way or another.....

UPDATE: I found a website which suggests reconfiguring Firefox 3. The problem with that is that I would need to reconfigure all my browsers. I'd rather do it by 'faking' the specs.

It seems that an OCSP responder is mandatory for the bar to turn green....

Posted on August 15, 2008 and filed under Browsers, Security.

XS4ALL Plans Outbound Port Filtering

A Usenet posting suggests that XS4ALL will provide a filtering service to its subscribers. The filter would consist of 5 levels, ranging from fully open to 'fully' closed. The first gives you the possibility of running your own services at home; the latter means you're only able to, e.g., surf and e-mail (through the XS4ALL SMTP server).

The filters would give the basic/ignorant user a default that prevents the spreading of malware and other stuff. The more tech-savvy subscribers can remove the filter to run a bunch of services (web server, ftp, mail, DNS, etc.).

Definitely a good decision. I just hope that the other ISPs will do something similar, because most of the virus/malware/mass-mailing 'software' runs on PCs of average users, totally ignorant of the malware running on their machines.

Yet another 'thumbs up' for the quality provider of the Netherlands.

Posted on August 13, 2008 and filed under Internet, News, Security.

Lightroom 2.0

Adobe has released Lightroom 2.0.

The new features in this release (my favorites):

  • 64bit support
  • >10,000-pixel-wide images (finally able to add a decent panorama to Lightroom)
  • Multiple monitor support

An overview of the (new) features can be found here.

UPDATE: I've been playing with the dual display feature for a couple of hours. This is definitely a major enhancement. Finally, a real workspace of 2 * 24" widescreens.

Posted on July 29, 2008 and filed under Personal, Security.

FireFox 3 Dialog Boxes

Firefox is the default browser on all my platforms, and every once in a while I run into strange dialog boxes.
E.g., this evening I updated some digital certificates for the test environment of the VeriSign MPKI backend. These certificates are issued by a (private) VeriSign CA, so they are not trusted by default.

After generating the key pair in Firefox 3 I got the positive dialog box shown below.

No problem so far, but the next dialog box 'scared' me a little:

This dialog box, or at least its result, would remove (or delete) the certificate I had just generated. The issuing CA is not installed in Firefox (or on the machine itself, for that matter). But in fact the certificate was installed in Firefox's certificate store, and I could use it to access the VeriSign test backend.

So, even though Firefox warns the user that the content will be deleted (or not added), it doesn't actually do that at all. Let's see if I can file a bug report, because this occurred with all 4 certificates I generated/imported.

Posted on July 8, 2008 and filed under Browsers, Security, Software.

Full Disk Encryption for the Mac

Check Point acquired a company called Pointsec a while ago. This company made full hard-disk encryption software for Windows. Now Check Point has released a hard-disk encryption version for the Mac. I guess they are taking OSX seriously.

Disk encryption is available today for the Mac (TrueCrypt, PGP), but these aren't able to encrypt the boot partition; they only encrypt other volumes, by the use of containers. Boot-disk encryption was previously available for Windows only.

Now that the 'trick' has been done, I guess more will follow.

I do wonder if it's still possible to use SuperDuper for cloning a boot disk....

Posted on June 3, 2008 and filed under Apple, News, Operating Systems, Security, Switched2Mac.

Symcaimport Safety

No matter what you do, there are always social rejects (and that's putting it nicely) trying to sabotage you. I've been getting various virus alerts on my CA import tool for mobile phones. Every one of them seems to be an attempt to upload a trojan. Thankfully, the AV software intercepts them.

Social rejects trying to upload trojans

Just to reassure you all: each upload is given a unique name (8 characters). If such a filename already exists, it will be overwritten. So the chance of you getting someone else's file is (almost) zero. Just make sure that you use the correct name / URL when you download the certificate to your phone.

Posted on May 27, 2008 and filed under Annoying, Security, Symbian, Website.

CiscoVPN Error 51 Annoyance

The Cisco VPN client (v4.9.01.0100) for Apple OSX throws an error every once in a while, mainly when I have just rebooted, or when I was forced to quit a hanging application (which also happens on Macs). The error is:

Error 51: Unable to communicate with the VPN subsystem

Somehow, the VPN software loses contact with the network adapter (wired AND wireless). After this there are two things you can do:

  1. Reboot
  2. or restart the Cisco VPN service manually.

The first is kind of obvious (it's almost an MS Windows strategy :)). The second is done via the Terminal (Finder -> Applications -> Utilities -> Terminal). Just type the following command (followed by your password):

sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

The thing I don't understand is: why hasn't Cisco incorporated this in the VPN client?

IF (Error 51 == TRUE)
DO CiscoVPN.restart

It seems that this 'bug' has been present since the release of the Mac OSX version of the software.

Posted on May 20, 2008 and filed under Annoying, Apple, Security, Software, Tips'n Tricks.