Posts filed under Security

Internet Data Retention Law is Live in the Netherlands

It's a fact. As of this Tuesday, the Dutch ISPs are required (by Dutch law) to log all Internet activity of their customers and store the data for 12 months (at the moment). Gitmo Nation has expanded a bit further to the east, according to No Agenda podcast host Adam Curry (which is a great podcast by the way).

Anyway, the logging is no longer limited to the basic IP connection data; the new law requires the ISPs to log the following information:

General Internet Access:

  • Loginname
  • IP Address
  • Name and address details of all the parties involved (when available)
  • Time and Date the communication took place
  • Used service(s)
  • The caller's phone number in the case of dial-up Internet access
  • The number called for dial-up Internet access
  • DSL, phone numbers, MAC address (when using public/ISP sponsored WiFi/Network access)

E-mail:

  • IP address used to access or send e-mail
  • User ID
  • E-mail address of the sender, recipients etc. (basically the FROM, TO, CC and BCC fields)
  • Registered e-mail alias addresses when available
  • Time and date of the communications
  • Name and address details of all the parties involved (when available).
  • Method used in sending/receiving the e-mail (webmail, POP, SMTP, IMAP, etc.)

Internet VoIP:

  • Phone numbers of both parties
  • IP addresses
  • Name and address details of all the parties involved (when available)
  • Time and date of the communication (start and finish)
  • Protocols used during the communication
  • Successful and failed attempts to communicate

The 'fun' part is that the Dutch government won't (or can't) give a real reason why this information is required... Why can't they give the proper reasons for creating and passing this law? Theoretically we still live in a democracy.

My thought is that it's probably based on some vague report by some high-profile consulting company that scared the shit out of the politicians (accountability??). Especially the terms 'child pornography' and 'terrorism' are most likely THE keywords on which the decision is based. And no one wants to be publicly not against those two... And so the privacy of the Dutch citizens crumbles, and crumbles.

Time to start using more and more encryption in all of your communications if you ask me, and start running your own services on a server in your attic.

/me is removing the dust from his PGP keyrings....

Posted on July 9, 2009 and filed under Internet, No Way!!!, Security.

PGP Desktop Updates

I've been a PGP user for quite a while now. A couple of years ago I bought the software (before that I used the free PGP versions). My original license was for version 8.x. Every once in a while there would be a message indicating that a new version was available.

The last couple of months there were no new messages, and when I checked for updates from the application the default message was "you're running the latest version".

But according to the PGP website there were newer versions (9.8, 9.9). So I 'registered' for an evaluation version and installed that over my existing 9.7 version.
After the reboot everything worked. My (old existing) license is still valid. So why is PGP not telling me that there's an upgrade available?

I guess the fun will end with the release of version 10.
By the way, I still find it frustrating that they removed the SIGN and ENCRYPT buttons/functionality from within Apple Mail.app. I don't want to sign all my outgoing mail (which happens when you configure the mail proxy settings). I want to be in total control :)

Posted on January 7, 2009 and filed under Security, Software.

Broken SSL Trust

When a CA issues an SSL certificate they (the registration authority) should verify certain information provided by the requester. This includes at least the domain name ownership and preferably the person or company tied to the domain name ownership. Basic stuff really, but what happens when certificates get issued without any verification? Well, this happened to Mozilla [2].

Basically the complete trust framework collapses (for that CA). Especially combined with hosts file and/or DNS hijacking. What if this incident isn't the first? What if some cybercrook got some SSL certs due to similar mistakes of your favorite bank? You're no longer sure if the https connection of your bank really terminates on the servers of your bank. They could just as easily terminate on a server in Russia or Albania. Which leaves you with an empty bank account (most likely).

If the certificate is issued (signed) by a Comodo Root CA (as it was in this case), your browser accepts it as a valid/trusted CA and for the user everything seems fine. This takes me back to the issue of all those trusted root certification authorities in the average OS or browser.
This time, it's a Comodo affiliate that screwed up (there's no other way of describing this), but what are the chances that some of those 100+ trusted CAs make a mistake? The bigger the list, the bigger the chance of wrongfully issued (SSL) certificates.

By the way, if you're using an older browser (pre-IE6, for example), chances are that SSL certificate revocation checking is disabled by default. So even when they revoke the certificate you still wouldn't know... You can verify this by opening the Internet Explorer options section and checking the Advanced tab.

Posted on December 29, 2008 and filed under Annoying, Browsers, Internet, Security.

SSH Connection to Juniper Devices

While in the midst of my Juniper exam preparation I ran into a problem with my Apple equipment. Managing the Juniper firewall (an SSG5 in this case) over SSH was not possible from OSX. The connection itself would work, but after entering the password the connection was closed by the remote host (the firewall).
Trying this from a Windows laptop (with SecureCRT), everything worked as expected.

Some searching revealed that this is an OpenSSH bug. To manage your Juniper with SSH from OSX you need to add a parameter to the ssh command (or edit the SSH config file).

Parameter to add:

-o ControlMaster=auto
e.g. ssh willem@127.0.0.1 -o ControlMaster=auto

Or add the following line to the global SSH config (/etc/ssh_config) or the user config (~/.ssh/config).

ControlMaster auto

Juniper has a knowledgebase article (KB12409) on the issue.

Posted on December 18, 2008 and filed under Annoying, Apple, Hardware, Operating Systems, Security, Software.

Uninstall SafeSign on OSX

While the installation of the SafeSign software is relatively easy, the removal of the software is a bit harder. The installation package lacks an automated removal feature. So removing the driver/application must be done by hand.

The removal of the software (both the SafeSign as well as the TokenLounge software) can be reconstructed by analyzing the original packages/installation scripts.

WARNING: Before you continue, you need to realize that this uninstall procedure comes without ANY warranties. So make a backup BEFORE proceeding.

Posted on December 11, 2008 and filed under Apple, Security, Software, Tips'n Tricks.

SafeSign and OSX

After my blog post on OSX and Aladdin eToken I received a phone call from Haaino @ AET Europe. He offered the SafeSign software for OSX so I could try their OSX software as well.

The SafeSign software is used with smartcards and smartcard readers like the OmniKey smartcard readers. In my line of work there's no lack of smartcards and/or readers. Only the software was missing (up till now).

Posted on December 10, 2008 and filed under Apple, Security, Software.

OSX and Aladdin eToken

Due to the nature of my work, and my fondness for Apple products, I wasn't able to get my Aladdin eTokens working with OSX. After several months of not trying to crack this I decided to try it again.
The trigger for me was stumbling on the possibility of adding so-called keyfiles to the eToken for accessing TrueCrypt volumes.

First challenge was the eToken PKI software for OSX... Thankfully I'm a Certified eToken guru, so I've got access to their download area (you will have to get your own software). The current version of the eToken software for OSX is v4.55. I installed the Aladdin software on OSX 10.5.5.

Posted on December 4, 2008 and filed under Apple, Security, Tips'n Tricks.

Apple Released OSX 10.5.5 Update

Apple released the 10.5.5 update last night.
What's included?

General

  • Includes recent Apple security updates.
  • Addresses stability issues with video playback, processor core idling, and remote disc sharing for MacBook Air.
  • Addresses an issue in which some Macs could unexpectedly power on at the same time each day.
  • Resolves a stability issue in TextEdit that could be found when accessing the color palette.
  • Improves Spotlight indexing performance.
  • Fixes an issue in which contacts might not sync properly with PalmOS-based devices.
  • Improves iPhone sync reliability with iCal and Address Book.
  • Includes improvements to Active Directory (see this article for more information).
  • Improves Speech Dictionary.
  • Fixes Kerberos authentication issues for Mac OS X 10.5 clients that connect to certain Samba servers, such as Mac OS X Server version 10.4.
  • Includes extensive graphics enhancements.

Mail

  • Addresses performance issues related to displaying IMAP messages.
  • Resolves an issue with SMTP settings for AIM, Compuserve, Hanmail, Yahoo!, and Time Warner Road Runner email accounts.
  • Addresses stability issues that may occur when dragging a file to the Mail icon in the Dock.
  • Addresses an issue with the "Organized by Thread" view in which the date does not appear when the thread is collapsed.
  • Resolves an issue in which RSS feeds could temporarily disappear from the sidebar.
  • Improves Mail robustness when sending messages.
  • Improves reliability when saving drafts that have attachments.

Time Machine

  • Improves Time Machine reliability with Time Capsule.
  • Addresses performance issues that may affect initial and in-progress backups.
  • Fixes an issue in which an incorrect alert message could appear stating that a backup volume does not have enough free space.
  • Time Machine can now back up iPhone backups that are on your Mac, as well as other items in (~/Library/Application Support).

And much, much more.

Posted on September 16, 2008 and filed under Apple, Operating Systems, Security, Software.

Storing Plain-text Passwords

Security is a hot issue now-a-days. You get told over and over that no one will ever ask you for your password. Not your bank, not Paypal, and not even your online grocery store. This is to make sure that people won't be persuaded by phishers and other scumbags in giving them the password.

But why is it that a lot of companies and other initiatives on the Internet seem to store passwords in plain text in their databases? There is NO NEED to do this. Almost every hypertext scripting engine (ASP, PHP, Coldfusion, Perl, Ruby on Rails) supports the hashing of passwords.

COLDFUSION: <CFSET hashedPwd = HASH(password, "SHA-256") />

When a user logs in with a username and password, they are checked against the credentials in the database. The password gets hashed, and the hash is checked against the stored hash in the database. This way no one will be able to figure out the actual password (especially if a relatively strong hashing algorithm is used, like SHA-256).

If the same user forgets his/her password you only need a mechanism to reset the password to a random one, communicate it to the user (by e-mail, SMS, snail mail, or whatever) and let the user change this new password to one of his own at the next logon.

Another nice feature of hashing passwords is that the user can use a password with lots of printable characters (like !@#$%^&* (){{}|":;'\][/.,<>?`~), or complete sentences because these won't be stored. Only the hash (a hexadecimal string) will end up in the database. No matter how long the password/sentence is, the hash will always be a fixed length.

Maximum flexibility for the user, and a secure way of storing the passwords in the database. So if financial institutions or other high profile web-presences fail to do so, they should be made aware, and change their code.

So there's absolutely no need for anyone to be able to see your (plaintext) password besides yourself. And don't let them tell you otherwise.
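As an added example (not the post's ColdFusion code), here is the same login flow in Python using only the standard library. `plain_sha256` mirrors the unsalted `HASH(password, "SHA-256")` call above; `hash_password` adds a random per-user salt and iterates the hash (PBKDF2-HMAC-SHA256), so two users with the same password get different hashes and offline guessing against a leaked table is much slower. The in-memory `USERS` dict, the iteration count and the `must_change` flag are assumptions standing in for a real database.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed stand-in for the site's user table: username -> record.
USERS = {}

# PBKDF2 work factor; an assumption to tune against your own hardware.
ITERATIONS = 100_000


def plain_sha256(password):
    """Unsalted SHA-256, the equivalent of HASH(password, "SHA-256")."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated SHA-256 (PBKDF2-HMAC-SHA256).

    The result is a self-describing string "pbkdf2_sha256$iter$salt$hash",
    so the iteration count can be raised later without breaking old rows.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations)
    )
    # compare_digest does not stop at the first differing byte, so the
    # response time does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


def register(username, password):
    """Store only the salted hash; the plaintext never reaches the database."""
    USERS[username] = {"pwhash": hash_password(password), "must_change": False}


def login(username, password):
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so a timing difference
        # does not reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, record["pwhash"])


def reset_password(username):
    """The 'forgot password' flow from the post.

    The old password cannot be recovered from its hash, so a random temporary
    one is set and returned for delivery to the user (e-mail, SMS, ...), and
    the account is flagged so the user must choose a new one at next logon.
    """
    temporary = secrets.token_urlsafe(12)
    USERS[username] = {"pwhash": hash_password(temporary), "must_change": True}
    return temporary
```

Any printable characters or a whole sentence work as the password, exactly as the post says: only the fixed-length encoded hash ends up in the record. The stored string also records its own parameters, which is what lets you raise `ITERATIONS` later and re-hash users at their next successful login.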

Posted on August 28, 2008 and filed under Security.

Undocumented Coldfusion Ports

After running 'chkrootkit' on one of my Ubuntu servers at work, I got the following response:

Checking `bindshell'... INFECTED (PORTS:  4000)

A message that sent a 'mild' shiver down my back, because the rootkit checker had just reported that one of the processes on the server could be compromised.

First I took the server off the network, just to make sure. After that I searched the Internet for a possible explanation. Nothing substantial, until I found the following command to see what is occupying the port.

sudo netstat -e -p -n -a | grep 4000

This gave me the following result:

udp6       0      0 :::4000                 :::*                                65534      13886      4739/coldfusion8

So it seems that Adobe Coldfusion is using this port. But this can't be found in any of the official Adobe Coldfusion documentation. There are some (blog)posts related to this, but nothing more.
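Added example (not the post's own commands): a small Python parser that turns `netstat -e -p -n -a` output into the process owning a given port, so a chkrootkit `bindshell` hit can be cross-checked against what is actually bound there. The `SAMPLE_NETSTAT` text is constructed, modelled on the coldfusion8 line above plus two invented sockets (an sshd listener and a tcp6 ColdFusion listener) for contrast; the column layout follows Linux net-tools netstat and the program names are only what the kernel reports, not proof of what the binary is.

```python
import os
import re

# Constructed sample of `sudo netstat -e -p -n -a` output (Linux net-tools
# column layout): the coldfusion8 line from the post plus two invented
# sockets for contrast. Column alignment does not matter to the parser.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9876       1234/sshd
udp6       0      0 :::4000                 :::*                                65534      13886      4739/coldfusion8
tcp6       0      0 :::4000                 :::*                    LISTEN      65534      13887      4739/coldfusion8
"""

# One socket line. State is absent for UDP, and PID/Program is "-" when
# netstat was not run as root.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<user>\d+)\s+(?P<inode>\d+)\s+"
    r"(?P<pid>\d+|-)/?(?P<program>\S*)\s*$"
)


def port_owners(netstat_output, port):
    """Return [(proto, user, pid, program)] for every socket bound to `port`."""
    owners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header, or a line shape we do not understand
        local_port = m.group("local").rsplit(":", 1)[-1]
        if local_port == str(port):
            owners.append(
                (m.group("proto"), m.group("user"), m.group("pid"), m.group("program"))
            )
    return owners


def triage_port(netstat_output, port, expected_programs):
    """Classify a chkrootkit port hit against what is really bound to it.

    `expected_programs` is the set of program names you know should own the
    port (for the post's server: {"coldfusion8"}).
    """
    owners = port_owners(netstat_output, port)
    if not owners:
        return "unknown"  # nothing visible; re-run as root or check with lsof
    unexpected = sorted({o[3] for o in owners if o[3] not in expected_programs})
    if unexpected:
        return "unexpected:" + ",".join(unexpected)
    return "expected"


def exe_path(pid):
    """Resolve the binary behind a PID via /proc (Linux only).

    A process can call itself anything, so the resolved path (and the package
    that owns it) is better evidence than the name netstat prints.
    """
    try:
        return os.readlink("/proc/%s/exe" % pid)
    except OSError:
        return None
```

Run it against the live output (`subprocess.run(["netstat", "-e", "-p", "-n", "-a"], capture_output=True, text=True).stdout`) as root, otherwise the PID/Program column is just `-`. An "expected" verdict still deserves a look at `exe_path(pid)` and the file's package ownership, since chkrootkit's `bindshell` test only knows the port number.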

Posted on August 27, 2008 and filed under Annoying, Linux, Operating Systems, Security.