Today we ran into a feature of the Machine Authentication Restrictions (MAR) option in the Cisco Secure ACS RADIUS server. When you use the ACS for 802.1x authentication, you have the option of demanding that users can only be authenticated on a computer that has already been authenticated itself. This way, you make sure that no user can access the network without a legitimate PC.
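To make the MAR decision concrete, here is an added toy model of the check (my own illustration, not Cisco's code): the client is keyed by its MAC address, the value RADIUS carries as Calling-Station-Id, and a user authentication from that client only passes if a machine authentication was recorded for it within an aging window. The aging window, the MAC addresses and the times are assumptions for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class MarPolicy:
    """Toy model of the MAR check: a user authentication on a client (keyed by the MAC
    address that RADIUS carries as Calling-Station-Id) only passes if that client completed
    machine authentication recently. The aging window is an assumed parameter."""
    aging_seconds: int = 8 * 3600
    machine_auth: dict = field(default_factory=dict)

    def record_machine_auth(self, mac, now):
        """The computer account authenticated (e.g. at boot) from this MAC at time `now`."""
        self.machine_auth[mac.lower()] = now

    def authorize_user(self, user, mac, now):
        """Return (allowed, reason) for a user authentication request from `mac`."""
        last = self.machine_auth.get(mac.lower())
        if last is None:
            return False, f"{user} from {mac}: no machine authentication on record"
        age = now - last
        if age > self.aging_seconds:
            return False, f"{user} from {mac}: machine authentication aged out ({age}s old)"
        return True, f"{user} from {mac}: machine authenticated {age}s ago"


def demo():
    """Three constructed requests: a personal laptop, a corporate PC, and that PC after aging."""
    policy = MarPolicy(aging_seconds=3600)
    results = []
    # personal laptop: the user's credentials are valid, but the device never did machine auth
    results.append(policy.authorize_user("alice", "00:11:22:33:44:55", now=1000)[0])
    # corporate PC: machine auth at boot, user logs in shortly afterwards
    policy.record_machine_auth("AA:BB:CC:DD:EE:FF", now=1000)
    results.append(policy.authorize_user("alice", "aa:bb:cc:dd:ee:ff", now=1100)[0])
    # same PC after the aging window: the user is rejected until a fresh machine auth happens
    results.append(policy.authorize_user("alice", "aa:bb:cc:dd:ee:ff", now=1000 + 3601)[0])
    return results


if __name__ == "__main__":
    print(demo())   # [False, True, False]
```

The third case is the one that bites in practice: a PC that stays up longer than the aging window, or that was booted on a network segment without 802.1x, has no recent machine authentication, so every user on it gets rejected even though the user credentials are fine.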
First Paypal Spoof Ever
Today, my very first PayPal spoof/phishing mail arrived. So finally, my e-mail address has been recorded in your average cyberpunk database. Note that the (Dutch) grammar and spelling in the e-mail are appalling. Just what you expect from a default translation program like Google Translate or Babelfish.
Chinese Government Shows 'Interest'
It's no surprise that a lot of cyberattacks originate from the 'excellent' People's Republic of China. Some of these attacks are funded by or even originate from the Chinese government. Well, the latter is definitely true.
My (private) ssh server is a point of interest to the Chinese government, since they are trying to get in.
Every couple of minutes a possible break-in attempt is recorded in my logs. I guess that they decided not to hammer the front door, in order to evade automatic blacklisting of the originating IP.
reverse mapping checking getaddrinfo for mail.zdpri.gov.cn [218.108.28.189] failed - POSSIBLE BREAK-IN ATTEMPT!
I checked the IP and it seems to host the web-mail for the Zhejiang prov. Development Planning & Research Institute [1].
I guess it's time to tighten the timers on blacklisting...
By the way, the reporting on the IP was provided by Splunk. Excellent tool for digging in logfiles and reporting.
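As an added illustration of the "tighten the timers" point (my own example, not the post's log or Splunk's output): the parser below picks the "POSSIBLE BREAK-IN ATTEMPT" and "Failed password" lines out of constructed sshd syslog lines and runs a sliding-window counter per source address. The sample log, the documentation addresses 203.0.113.5 and 198.51.100.7, the host name and the thresholds are all assumptions; the knocking every five minutes mimics the low-and-slow pattern described above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log (not the post's own log); 203.0.113.5 and 198.51.100.7 are
# documentation addresses. One source knocks every five minutes, as the post describes.
SAMPLE_LOG = """\
Sep 10 10:00:01 gw sshd[4711]: reverse mapping checking getaddrinfo for mail.example.invalid [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 10 10:01:00 gw sshd[4712]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Sep 10 10:02:30 gw sshd[4713]: Failed password for invalid user admin from 198.51.100.7 port 40010 ssh2
Sep 10 10:05:01 gw sshd[4720]: reverse mapping checking getaddrinfo for mail.example.invalid [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 10 10:10:01 gw sshd[4733]: reverse mapping checking getaddrinfo for mail.example.invalid [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 10 10:15:01 gw sshd[4740]: reverse mapping checking getaddrinfo for mail.example.invalid [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
SUSPECT_RES = (
    re.compile(r"\[" + IPV4 + r"\] failed - POSSIBLE BREAK-IN ATTEMPT"),
    re.compile(r"Failed password for .* from " + IPV4),
)
EPOCH = datetime(2010, 1, 1)   # syslog lines carry no year; relative seconds are all we need


def parse_events(text, year=2010):
    """Return a list of (seconds, ip) for every line matching a suspicious sshd pattern."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for pat in SUSPECT_RES:
            hit = pat.search(m.group("msg"))
            if hit:
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
                events.append(((ts - EPOCH).total_seconds(), hit.group("ip")))
                break
    return events


def blacklist_hits(events, threshold, window):
    """Sliding-window counter: report (ip, seconds) whenever an address reaches `threshold`
    suspicious events within `window` seconds, then start counting afresh for that address."""
    recent = defaultdict(deque)
    hits = []
    for t, ip in sorted(events):
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits.append((ip, t))
            q.clear()
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for window in (120, 900):
        print(f"threshold 3 within {window}s:", blacklist_hits(events, 3, window))
```

With a two-minute window (the kind of default that catches a brute-force burst) the slow source is never blacklisted; widening the window to fifteen minutes catches it on the third attempt. That is the trade-off the timer controls: a longer window and lower threshold catch slow scanners at the cost of more memory per source and a higher chance of blocking a legitimate user who fat-fingers a password a few times over a longer period.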
HDCP Master Key Leaked
The High-Bandwidth Digital Content Protection (HDCP) key was leaked onto the Internet. This master key can be used to decode encrypted traffic between certified / licensed devices. No encryption means that the content (mostly movies) can be copied, and/or played on non-licensed devices.
A while back, another copy-protection key was leaked. That key was for BluRay (BR+) titles. This HDCP key is the so-called mother lode.
Adobe Coldfusion 8 and 9 Vulnerable to Hijacking
Adobe released a security bulletin regarding the ColdFusion web engine. Upgrade / patch your ColdFusion server if you want to stay in control of your webserver. The patch has been classified as important.
An important vulnerability has been identified in ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 for Windows, Macintosh and UNIX. This directory traversal vulnerability could lead to information disclosure (CVE-2010-2861). Adobe has provided a solution to the reported vulnerability. It is recommended that users update their product installation using the instructions provided above.
The patch/update can be downloaded here.
Microsoft Cryptographic Store and Passwords
We've been experimenting with the use of user certificates for VPN access to the lab. Issuing and using them isn't the problem. The problem is that there's no way of enforcing a password on the use of the private key. You can enable strong private key protection on the certificate template, but that still doesn't enforce a password requirement: the user still has the option of choosing the notification-only prompt instead of a password.
There's an option to enforce a password, but that's system wide for the Microsoft Cryptographic Service Provider, and we don't want to enforce passwords for ALL certificates. We just want to enforce passwords for this specific template.
Splunk> Making Sense of Logfiles
My area of expertise in the professional world is Network Security. This includes protecting networks from intrusions, but also delivering reports about the network status. For the latter we use SIEM(-like) environments such as the Cisco CS-MARS and the Juniper STRM.
The 'problem' with these devices is that they are great at reporting incidents and creating awesome reports about everything, but they lack the functionality to do some serious investigating.
I have several customers with a SIEM, and most of them still use (Linux) command-line tools like awk, grep, etc. These tools work, but you need to scrape everything together yourself, and building queries can be quite challenging. This is where Splunk> comes in.
SafeSign and Apple OSX Snow Leopard
Last week I got an e-mail from one of the product managers @ AET Europe regarding the availability of SafeSign / Tokenlounge for OSX Snow Leopard.
The content of the e-mail wasn't very encouraging. It seems that the Snow Leopard release of SafeSign / Tokenlounge is delayed by a bug in the Apple Keychain:
---------
We use systemkeychain -T to create a login keychain (for a new FV user) associated with our token. When trying to unlock this newly created keychain during login with the smartcard, we get prompted with the "unable to unlock login keychain" panel - as you have observed -.
This is basically our main concern, as this was perfectly running under 10.5. Any idea why the system wants to update the login keychain password, prompting the user with that panel???
What we have discovered besides, is that when you click Create New Keychain on that panel, the keychain gets encrypted with the PIN of the smartcard instead of the RSA key, which is a major security issue (Same behavior if you click Update Keychain Password)...
You can easily verify this last issue by removing your smartcard, launching Keychain Access and entering your PIN code to unlock the keychain...
Once again, we didn't have this kind of problems with Leopard. As long as this issue isn't resolved, there will be no version for Snow Leopard. The (security) risk is just too big.
-------------
So, we need to be patient and wait till Apple solves this. In the meantime, if you need the SafeSign software for your everyday work, you shouldn't upgrade to Snow Leopard.
Check the follow-up on the original SafeSign post for the availability on the Leopard version of SafeSign / Tokenlounge.
Microsoft Haunted by 17-year old 'feature'
It looks like every Windows version is susceptible to a 17-year old 'feature' that could give hackers access to your computer. The 'feature' has existed since Windows v3.51, which dates from the last century (this way it looks even older :-) )
The person (Tavis Ormandy) who discovered this feature did a full disclosure, which can be found here. So you'd better start watching your 3.51 Operating Systems (and above).
Mobile Phone Communication Codes Cracked
The German scientist Karsten Nohl published his findings this week at the CCC (Chaos Communications Congress) in Berlin. The CCC is an annual hacking convention, which is held in Berlin, Germany.
Normally, GSM communication switches frequency regularly, and therefore it's hard to listen in, but if you can crack the frequency switching algorithm... which is exactly what Karsten Nohl and his team did.
They cracked the so-called stream cipher A5/1, which protects the voice conversations, and published details of it at the CCC in Berlin.
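To show what "the stream cipher A5/1" actually is, here is an added straightforward implementation of it (my own illustration, not the author's code and not taken from Nohl's project). It follows the published description of the cipher: three short LFSRs of 19, 22 and 23 bits, a 64-bit key and a 22-bit frame number mixed in with regular clocking, 100 discarded majority-clocked steps, and then 228 keystream bits per frame, one 114-bit half per direction. The key and frame number at the bottom are constructed sample values, and no claim is made that they reproduce any particular published test vector.

```python
# Register sizes, feedback taps, clocking-tap positions of A5/1 (19, 22 and 23 bits).
R1_MASK, R2_MASK, R3_MASK = 0x7FFFF, 0x3FFFFF, 0x7FFFFF
R1_TAPS, R2_TAPS, R3_TAPS = (13, 16, 17, 18), (20, 21), (7, 20, 21, 22)
R1_CLK, R2_CLK, R3_CLK = 8, 10, 10


def _step(reg, mask, taps):
    """Shift one LFSR left by one bit, feeding in the XOR of its tap bits."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & mask


class A51:
    def __init__(self, key, frame):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 takes a 64-bit key and a 22-bit frame number")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                       # load the key, LSB of each byte first
            self._clock_all((key[i // 8] >> (i % 8)) & 1)
        for i in range(22):                       # load the frame number, LSB first
            self._clock_all((frame >> i) & 1)
        for _ in range(100):                      # 100 irregular clocks, output discarded
            self._clock_majority()

    def _clock_all(self, bit):
        """Regular clocking used during setup: every register steps, then `bit` is XORed in."""
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS) ^ bit
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS) ^ bit
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS) ^ bit

    def _clock_majority(self):
        """Irregular clocking: a register steps only if its clocking tap agrees with the majority."""
        b1 = (self.r1 >> R1_CLK) & 1
        b2 = (self.r2 >> R2_CLK) & 1
        b3 = (self.r3 >> R3_CLK) & 1
        maj = (b1 & b2) | (b1 & b3) | (b2 & b3)
        if b1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits):
        """Produce nbits of keystream; each bit is the XOR of the three registers' MSBs."""
        out = []
        for _ in range(nbits):
            self._clock_majority()
            out.append(((self.r1 >> 18) ^ (self.r2 >> 21) ^ (self.r3 >> 22)) & 1)
        return out


def gsm_frame_keystream(key, frame):
    """Return the (downlink, uplink) 114-bit keystream halves for one GSM frame."""
    ks = A51(key, frame).keystream(228)
    return ks[:114], ks[114:]


def xor_bits(data, ks):
    """Stream-cipher encryption and decryption are the same XOR of data with keystream."""
    if len(data) != len(ks):
        raise ValueError("data and keystream must have the same length")
    return [d ^ k for d, k in zip(data, ks)]


KEY = bytes.fromhex("1223456789abcdef")   # constructed sample session key
FRAME = 0x134                            # constructed sample frame number

if __name__ == "__main__":
    down, up = gsm_frame_keystream(KEY, FRAME)
    print("downlink keystream:", "".join(map(str, down)))
    print("uplink   keystream:", "".join(map(str, up)))
```

The thing to notice is the size of what is being protected: the whole internal state is 64 bits, the keystream for a frame is a pure function of that state, and plenty of it is exposed through known plaintext in signalling frames. That small, deterministic state is what makes precomputation attacks on the cipher feasible, which is why the practical advice is to treat GSM voice as unencrypted rather than to hope A5/1 holds.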