Management Through SSH

SSH (Secure Shell) is a secure alternative to the ancient Telnet program/protocol. Telnet (and SSH) allows a user to connect to a remote server, and enables the users to use a command line interface to execute commands (manage the server).

Where Telnet is relatively limited in its functionality, SSH has a bunch of features which enables the user to do much more. The SSH protocol has the possibility to tunnel traffic through an SSH connection (read: tunnel). The big advantage is that everything going through the tunnel is heavily encrypted (which is good).

The tool best known to use SSH is SFTP (FTP over SSH). A secure alternative of the 'old' (in plaintext communicating) File Transfer protocol.

Posted on October 12, 2009 by Willem and filed under Security, Tips'n Tricks and tagged Management OSX bitvise meerkat putty remote secure shell securecrt ssh vandyke.

Apple Favors Own Products, or FileVaults Screws Up

Apple FileVaultSomething everyone would do I guess (the favoring part at least :) ). But Apple is doing this in a very peculiar way. When you run OSX with a ton of third-party applications you won't notice things, since everything runs as it should. But when you're going to use FileVault, things change. A lot....

FileVault is the way Apple secures your data. When turned on the OS creates a sparse iage of your userdata. So everything stored within your user directory is encrypted using AES-128.

The use of FileVault screws up certain system files. One of those is (or several for that matter) is used to store the default applications. Like FireFox for Internet instead of Safari. Every time you reboot your system the default application settings are read.
This weekend I also found out that at least one handy program also disagrees with FileVault. Little Snitch won't properly save it's registration info when you're using FileVault.

You know what the worst thing is? This BUG is present since Panther (OSX 10.3). I wonder if this is going to be fixed in Snow Leopard. To be honest, I doubt it. If they can't figure it out in 4 years, they probably never will.

As a security savvy nerd I want to use FileVault on my MacBook, but the problems with FileVault made me decide to uninstall this feature. Too bad that there are no other real alternatives. Truecrypt (or PGP) is nice, but it can't encrypt your hard disk (from which you boot) or even your user directory. Check Point seems to have software, but there's no way of buying it easily. So it seems that's it's mainly reserved for corporate environments.

UPDATE: w00t... They solved this annoying 'feature' Apple OS X 10.6 a.k.a. Snow Leopard. Way to go Apple. Although it being several OS releases/years too late!!!!

Posted on July 27, 2009 by Willem and filed under Annoying, Apple, Security, Software and tagged Check Point Encryption FileVault Little Snitch PGP Snow Leopard TrueCrypt default.

Juniper NSMXpress 'Fun'

Today was one of those days. First the two NSMXpress appliances failed yesterday (version 2008.2r2). No way of connecting the client gui. The webinterface and SSH connections worked fine though. Picked one up for examination, and since I had some *cough*good*cough* experiences a while back I assumed the latest software had some undocumented bug.

A back to factory defaults (version 2007.3r1) worked fine, but due to certain hardware the 2008 version was needed. So I upgraded the appliance (again) and found (while waiting) that the security certificate, used between the NSM server and the client gui, had expired on Juli 20th, 2009....... So someone forgot to update the certificates in the 2008.2r2 software.
After fixing that, the client gui worked like a charm.

Posted on July 21, 2009 by Willem and filed under Annoying, Hardware, Personal, Security and tagged PKI certificate nsm nsmxpress Juniper.

Internet Data Retention Law is Live in the Netherlands

It's a fact. As of this Tuesday, the Dutch ISP's are required (by Dutch law) to log all Internet activity of their customers and store the data for 12 months (at the moment). Gitmo Nation has expanded a bit further to the east, according to the No Agenda podcast host Adam Curry (which is a great podcast by the way).

Anyway, the logging is no longer limited to the basic IP connection data, the new law requires the ISP's to log the following information:

General Internet Access:

Loginname
IP Address
Name and address details of of all the parties involved (when available)
Time and Date the communication took place
Used service(s)
The callers phone number in the case of dial-up Internet access
The number called for dial-up Internet access
DSL, phonenumbers, MAC address (when using public/ISP sponsored WiFi/Network access)

E-mail:

IP address used to access or send e-mail
User ID
E-mail address of the sender, recipients etc. (basically the FROM, TO, CC and BCC fields)
Registered e-mail alias addresses when available
Time and date of the communications
Name and address details of all the parties involved (when available).
Method used in sending/receiving the e-mail (webmail, POP, SMTP, IMAP, etc.)

Internet VoIP:

Phone numbers of both parties
IP addresses
Name and address details of all the parties involved (when available)
Time and date of the communication (start and finish)
Protocols used during the communication
Successful and failed attempts to communicate

The 'fun' part is that the Dutch government won't (or can't) give a real reason why this information is required..... Why can't they give the proper reasons for creating and passing this law. Theoretically we still live in a democracy.

My thought is that it's probably based on some vague report by some high-profile consulting company that scared the shit out of the politicians (accountability??). Especially the terms 'child pornography' and 'terrorism' are most likely THE keywords on which the decision is based. And no one wants be publicly not against those two.... And so the privacy of the Dutch citizens crumbles, and crumbles.

Time to start using more and more encryption in all of your communications if you ask me, and start running your own services on a server in your attic .

/me is removing the dust from his PGP keyrings....

Posted on July 9, 2009 by Willem and filed under Internet, No Way!!!, Security and tagged Gitmo Nation PGP big brother data retention.

PGP Desktop Updates

I've been a PGP user for quite a while now. A couple of years ago I bought the software (before that I used the free PGP versions). My original license was for version 8.x. Every once in a while that would be a message indicating that there was a new version available.

The last couple of months there were no new messages, and when I checked for updates from the application the default message was "you're running the latest version".

But according to the PGP website there were newer versions (9.8, 9.9). So I 'registered' for an evaluation version and installed that over my existing 9.7 version.
After the reboot everything worked. My (old existing) license is still valid. So why is PGP not telling that there's an upgrade available?

I guess the fun will end with the release of version 10.
B.t.w. I still find it frustrating that they removed the SIGN and ENCRYPT buttons/functionality from within Apple Mail.app. I don't want to sign all my outgoing mail (which happens when you configure the mail proxy settings). I want to be in total control :)

Posted on January 7, 2009 by Willem and filed under Security, Software and tagged License PGP upgrade.

Broken SSL Trust

WebTrust broken?When a CA issues a SSL certificate they (the registration authority) should verify certain information provided by the requester. This includes at least the domain name ownership and preferably the person or company tied to the domain name ownership. Basic stuff really, but what happens when certificates get issued without any verification? Well, this happened to Mozilla [2].

Basically the complete trust framework collapses (for that CA). Especially combined with hosts file and/or DNS hijacking. What if this incident isn't the first? What if some cybercrook got some SSL certs due to similar mistakes of your favorite bank? You're no longer sure if the https connection of your bank really terminates on the servers of your bank. They could just as easily terminate on a server in Russia or Albania. Which leaves you with an empty bank account (most likely).

If the certificate is issued (signed) by a Comodo Root CA (as it was in this case), your browser accepts this as a valid/trusted CA and for the user everything seems fine. This takes me back to the issue of all those trusted root certification authorities in the average OS or browser.
This time, it's a Comodo affiliate that's screwed up (there's no other way of describing this), but what are the chances that some of those trusted 100+ CA's make a mistake? The bigger the list, the bigger the chance of wrongfully issues (SSL) certificates.

By the way, if you're using an older browser (pre IE6 e.g.), chances are that SSL certificate revocation checking is disabled by default. So even when the revoke they certificate you still wouldn't know.... You can verifiy this by opening the Internet Explorer options section and checking the Advanced tab.

Posted on December 29, 2008 by Willem and filed under Annoying, Browsers, Internet, Security.

SSH Connection to Juniper Devices

While in the mids of my Juniper exam preparation I ran into a problem with my Apple equipment. Managing the Juniper firewall (SSG5 in this case) with SSH was not possible from OSX. The connection itself would work, but after entering the password the connection was closed by the remote host (the firewall).
Trying this from a Windows laptop (with SecureCRT) everything worked as expected.

Some searching revealed that this is an OpenSSH bug. To manage your Juniper with SSH from OSX you need to add a parameter to the ssh command (or edit the SSH config file).

Parameter to add:

-o ControlMaster=auto
e.g. ssh willem@127.0.0.1 -o ControlMaster=auto

Or add the following line to the global SSH config (/etc/ssh_config) or the user config (~/.ssh/config).

ControlMaster auto

Juniper has a knowledgebase article (KB12409) on the issue.

Posted on December 18, 2008 by Willem and filed under Annoying, Apple, Hardware, Operating Systems, Security, Software and tagged OSX ssh Juniper.

Uninstall SafeSign on OSX

While the installation of the SafeSign software is relatively easy, the removal of the software is a bit harder. The installation package lacks an automated removal feature. So removing the driver/application must be done by hand.

The removal of the software (both the SafeSign as well as the TokenLounge software) can be reconstructed by analyzing the original packages/installation scripts.

WARNING: Before you continue, you need to realize that this uninstall procedure is without ANY warranties. So make a backup BEFORE proceding.

Posted on December 11, 2008 by Willem and filed under Apple, Security, Software, Tips'n Tricks and tagged AET Europe SafeSign uninstall.

SafeSign and OSX

After my blog post on OSX and Aladdin eToken I received a phonecall from Haaino @ AET Europe. He offered the SafeSign software for OSX so I could try their OSX software as well.

The SafeSign software is used with smartcards and smartcard readers like the OmniKey smartcard readers. Through my line of work, no lack of smartcards and/or readers. Only the software was missing (up till now).

Posted on December 10, 2008 by Willem and filed under Apple, Security, Software and tagged AET Europe OmniKey PKI SafeSign Smartcard TrueCrypt certificates eToken.

OSX and Aladdin eToken

Due to the nature of my work, and my fondness of Apple products I wasn't able to get my Aladdin eTokens working with OSX. After several months of not trying to crack this I decided to try it again.
The trigger for me was stumbling on the possibility of adding so-called keyfiles to the eToken for accessing TrueCrypt volumes.

First challenge was the eToken PKI software for OSX... Thankfully I'm a Certified eToken guru, so I've got access to their download area (you will have to get your own software). The current version of the eToken software for OSX is v4.55. I installed the Aladdin software on OSX 10.5.5.

Posted on December 4, 2008 by Willem and filed under Apple, Security, Tips'n Tricks and tagged SafeSign TrueCrypt eToken keyfiles firefox.