Archive for the ‘Security’ Category

Security and Networks Research Group (SNRG) Site launch

Tuesday, September 2nd, 2008

After some preparation and navigation of technical SNAFUs, the new website for the Security and Networks Research Group (SNRG) that I run in the Rhodes CS Department is up and running.

While content is still a little thin on the ground, it does represent a major step forward in actually providing a point of collation of project information under our own control. A large task to be performed next term is to actually backfill with old project information as we can get it off CD.

More as content actually develops.

Update: SNAFU n+1: the vhost is being denied access from outside of Rhodes.

Update: All fixed.

Verifying S/MIME content with OpenSSL

Monday, August 25th, 2008

I had an interesting question posed to me today by Dominic, who asked me to verify whether his all new digital certificate was correctly being used for signing mail. Thunderbird sadly complained that the signature was invalid, which was unexpected, and that the issuer was unknown (expected, since it comes from a private hierarchy). The question then led to where the problem lay.

My gut feel was that it was the disclaimer being inserted by an intermediary gateway (one has to love corpmail). Setting about proving this was the hard part. The first issue at hand was to actually extract the certificates so I could play with the verification. Cert Viewer Plus for Thunderbird made this part a dream. Creating a modified version of the signed message was a little bit more problematic.

Trusting the command line, I started hunting around for details on OpenSSL support for S/MIME, which it has. OpenSSL needs a full CA path to be able to verify S/MIME signed messages. One can obtain this from various places (such as exporting from your browser), but in a case like this, where a private hierarchy was being used, it's enough to just make use of a somewhat smaller subset containing only the certificates used in this chain. These can be extracted using Cert Viewer Plus. Alternately, some command line magic can be used to extract the PKCS7 formatted embedded certificates out in standard PEM format, using the following command:

openssl smime -pk7out -in mail.txt | \
        openssl pkcs7 -print_certs > extract.crt

Now that we have a certificate chain we can attempt the verification. The extract.crt below can be either from the openssl method above or the Cert Viewer Plus PEM dump.

openssl smime -CAfile extract.crt -verify -in mail.txt

Now we actually have a more usable error message. Although I really don’t know why I have such a deep distrust in GUI apps for actually telling me what is wrong.

Verification failure
88175:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_doit.c:808:
88175:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:265:

As suspected, the digest failed, which led to an overall signature failure. The next step was to see if removing the disclaimer worked. Repeating on a slightly edited version of the mail gave the following:

openssl smime -CAfile extract.crt -verify -in mail2.txt
...
mail contents deleted
...
Verification successful

So the original question posed was whether the signature system was working correctly, which it now was. The differences between the two mail files were checked using diff:

diff -u mail.txt  mail2.txt
--- mail.txt         Mon Aug 25 18:06:33 2008
+++ mail2.txt      Mon Aug 25 18:08:10 2008
@@ -61,10 +61,6 @@
    South Africa

-Important Notice: This email is subject to important restrictions, qualifications
 and disclaimers ("the Disclaimer") ..that all was one very long line that made
 up the corporate disclaimer.....
-
-
-
 ------=_NextPart_000_0048_01C906C7.DB6FB700
 Content-Type: application/x-pkcs7-signature;
        name="smime.p7s"
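Review bot: all four `-` lines (the disclaimer plus three blank lines) sit above the `------=_NextPart_000_0048_01C906C7.DB6FB700` delimiter, i.e. inside the first body part of the multipart/signed entity, which is exactly the byte range the signer's digest covers; the blank lines matter as much as the disclaimer text, since S/MIME canonicalisation only normalises line endings. The context line beginning `and disclaimers ("the Disclaimer") ..that all was one very long line` is the author's paraphrase of the wrapped disclaimer rather than verbatim mail content, so this hunk is illustrative and cannot be applied as a patch.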

From the above, the only difference shown is that a mail gateway had added in an extra four lines of disclaimer and whitespace padding. The question now evolves as to how to provide the now pretty much ubiquitous organisational disclaimer in outgoing mail in such a way that it doesn't trash any cryptographic operations in which the mail is involved. I've gone back over mails from a couple of other people in corporate South Africa that I know, and the problem seems to be widespread.

The solution may be that the disclaimer as such is encapsulated as a separate MIME component, which is what, interestingly, one university here does (although it insists on prepending its MIME encapsulated HTML disclaimer, which makes for really ugly mail reading!)
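As an added illustration (not from the original post), the following Python sketch uses the standard library email package to show on the MIME structure why the gateway's inline disclaimer changes the bytes the signer's digest covers, while a disclaimer in its own MIME part leaves them untouched. The message, boundary names, addresses and signature blob are constructed placeholders.

```python
"""Why a gateway disclaimer breaks an S/MIME signature, shown on the MIME structure."""
import hashlib
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed multipart/signed message; the signature blob is a placeholder, since
# only where the disclaimer lands relative to the signed part matters here.
SIGNED_MAIL = (
    "From: alice@example.org\r\nTo: bob@example.org\r\nSubject: test\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; boundary="sigbound"\r\n\r\n'
    "--sigbound\r\nContent-Type: text/plain\r\n\r\nHi Bob,\r\nreport attached.\r\nAlice\r\n"
    '--sigbound\r\nContent-Type: application/x-pkcs7-signature; name="smime.p7s"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nUExBQ0VIT0xERVI=\r\n--sigbound--\r\n"
)
DISCLAIMER = "Important Notice: This email is subject to important restrictions."


def signed_part_digest(raw: str) -> str:
    """SHA-256 of the first body part (headers included) of the multipart/signed
    entity: the bytes an S/MIME signer's digest covers. If they change, the
    signature verification fails exactly as in the openssl output above."""
    msg = message_from_string(raw, policy=policy.SMTP)
    signed = next(p for p in msg.walk() if p.get_content_type() == "multipart/signed")
    body = signed.get_payload()[0].as_string(policy=policy.SMTP)
    return hashlib.sha256(body.encode()).hexdigest()


def gateway_appends_inline(raw: str) -> str:
    """Mimic the corporate gateway: paste the disclaimer into the signed text part."""
    msg = message_from_string(raw, policy=policy.SMTP)
    text_part = msg.get_payload()[0]
    text_part.set_payload(text_part.get_payload() + "\r\n\r\n" + DISCLAIMER + "\r\n")
    return msg.as_string()


def gateway_adds_separate_part(raw: str) -> str:
    """Signature-preserving alternative: wrap the untouched multipart/signed
    entity in a multipart/mixed and put the disclaimer in its own text part."""
    inner = message_from_string(raw, policy=policy.SMTP)
    outer = EmailMessage(policy=policy.SMTP)
    for name in ("From", "To", "Subject", "MIME-Version"):
        outer[name] = inner[name]
        del inner[name]
    outer["Content-Type"] = 'multipart/mixed; boundary="outerbound"'
    note = EmailMessage(policy=policy.SMTP)
    note["Content-Type"] = "text/plain"
    note.set_payload(DISCLAIMER + "\r\n")
    outer.set_payload([inner, note])
    return outer.as_string()
```

Comparing signed_part_digest over the original and the two gateway variants shows the inline version altering the digest and the wrapped version preserving it.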

Points Transfer with CAcert

Monday, August 25th, 2008

Having finally completed my points transfer from my Thawte Web of Trust to CAcert, I thought it would be worth documenting the process. I am already a Thawte WOT notary, and as such a trusted and assured person in the sense of their Web of Trust. Details of this migration process can be found here, although my understanding is it applies to ordinary Thawte users too.

The following is a shorthand ticklist of the steps required.

  1. Sign up with cacert.org.
  2. On the Thawte website make sure your notary details include the email address that you have used for the cacert.org signup. This may involve just editing your details within the WOT console and waiting for approval/verification, or having to do this and a ping to the mail address. Having the details verified can take 2-5 days if the info is not already on your notary page.
  3. Generate a certificate compatible for use with Internet Explorer. This is the tricky part, as even Firefox 3 doesn’t support the client based authentication required by the tverify.cacert.org website; this should also be for the email address you are signed up to cacert.org with.
  4. Go to the Thawte verification site (tverify.cacert.org), and choose the appropriate certificate to present to the server. Make sure to use your IE browser with the right client cert installed.
  5. Fill in your email address (grants you 50 points since you are trusted within the Thawte WOT).
  6. Wait while a manual verification takes place.
  7. Once email is received either notifying you of an error or noting you have succeeded, either rinse and repeat, or proceed to the next step.
  8. You are now ‘Assured’ but need to take the Assurer Challenge in order to prove your basic knowledge about the system, in order to be able to actually start Assuring people. The link above also includes some background material one may need in order to attain the 80% mark required.

The Assurer Challenge is a really nice idea, and although anyone familiar with the concepts around the Thawte WOT system and general CA operations should have no problems with the majority of the 25 random questions, there are some which relate closely to the CA specific rulings etc.

So now I have a full 150 assurance points since I was processed by the Trusted Third Party (TTP) system (and it appears this is the maximum one can get, as otherwise one's points are rounded down), as opposed to the 100 point maximum one gets for gathering points via the WOT method.

So now I’m able to embed my name in client certificates (50 points minimum), get server certificates for 2 years, and also get code signing bits on my certificates.

Applied Security Visualization released

Thursday, August 21st, 2008

I probably should have posted this a while back, but it's still worth noting that Raffael Marty’s Applied Security Visualization has been released, and includes a copy of the DAVIX CD as distributed at Defcon 16 (davix-1.0.1-defcon16.iso.gz, also obtainable from the homepage, includes a couple of packet traces as used in the Defcon workshop), which includes a copy of InetVis as one of the four chosen visual analysis tools on the live CD.

For the impatient, some instructions are available for getting started. Now to work out what else to order from Amazon so that the 40USD special shipment fee hurts a little less (thanks to our totally criminal and incompetent post office in South Africa).

Failing that, it's time to wait till the local places get round to stocking it.

Blackhat 2008 Slides

Wednesday, August 20th, 2008

Michael Boman has made available the slidepack for Blackhat 2008. There are many blackhats as such, but THE Blackhat is Blackhat USA, held in Vegas in early August each year. While the official audio and video will be another couple of months off, the slides should keep people interested. BH Europe also has material already available on the archive.

Blackhat Media’s decision to open up their archives is to be commended. If I recall correctly, this content has also been available on iTunes for a while under podcasts.

Defcon16 Toolsets

Wednesday, August 20th, 2008

With the 16th incarnation of Defcon having come and gone last week, a number of people have put together a nice list of the various tools released. ZDNet’s Rob Fuller has done all the hard work of tracking down the various tools and their websites in his article entitled “DEFCON 16: List of tools and stuff released”, which seems to be the most definitive. Another (updated) list is on Rob’s personal site, in which he includes some other items like Packet-O-Matic, PE-Scrambler and VMware Pen-Testing Framework, along with a link to the ISO.

Of all the tools released, it's DAVIX that makes me happiest; other than it being a really slick compilation of VizSec tools, it also features InetVis, which is a part of the postgraduate research by one of my students (Jean-Pierre van Riel), which I previously posted about.

iKat is the other tool that tickles my fancy.

There are some interesting sets of Defcon photos floating around, such as these by sits, who has also made available a zip of the Defcon 16 CD contents. A 732MB ISO version is also available that at least has checksums.

I see some fun times ahead!

Weirdo comment spam

Tuesday, August 19th, 2008

The last few weeks have seen a deluge of comment spam, which mostly is the run of the mill bot based stuff advertising ‘cheap hosting’, porn and other such sites. A couple that caught my attention were simple posts of URLs with the following sort of format:

  • http://www.google.com/search?q=rxbcrobh
  • http://www.google.com/search?q=frhlrxca
  • http://www.google.com/search?q=omihinga

Searching on Google with these links surprisingly turns up nothing. I was expecting to find lists of malware infected sites similar to the SQL injection attacks seen in the last few months. Does anyone have any insight into these? Sources appear to be geographically dispersed, and scattered across a variety of blog entries, old and new.

A poetic approach to Dan’s (And Halvar’s) DNS debacle

Wednesday, July 23rd, 2008

With the ongoing smoldering relating to the cross-platform, cross-vendor flaw in DNS as reported by Dan Kaminsky, Christofer Hoff has put a summary of the situation together, but as a poem.

It's also worth noting that Halvar Flake has stepped up and stated that he's found the bug as well (so I assume he will be sharing the stage with Dan at Defcon).

Footnote:

While trawling through logs it was interesting to notice that this post was noted in E-Secure-IT and Team Cymru’s security news links on the 24th of July 2008.

IFIP 2009 Conference CFP

Monday, July 14th, 2008

The 24th IFIP International Information Security Conference has just released its call for papers for the 2009 edition, to be held in Cyprus May 18-20 next year. Accepted papers will be presented at the conference and published by Springer. Accepted papers must follow Springer’s guidelines for the IFIP Series, available at www.springer.com/series/6102

Important dates
Submission of papers: October 20, 2008
Notification to authors:  December 20, 2008
Camera-ready copies:  January 15, 2009

Words of Wisdom

Monday, July 14th, 2008

While doing some reading this evening in preparation for my Postgrad Infosec course next week, I came across the following pearls of wisdom from Taylor Banks.

  1. Admit that you are powerless over bots.
  2. Believe that a power greater than yourself exists and is necessary to identify and eliminate malware, botnets, and the Windows hosts that contain them.
  3. Make a decision to turn your will and your life over to ShadowServer, Malfease or another similar volunteer effort.
  4. Make a searching and fearless inventory of your Windows machines.
  5. Admit to another security expert that you [have/do] run Windows.
  6. Demonstrate readiness to remove Windows from your PC.
  7. Humbly ask other experts to remove Windows from your machine.
  8. Make a list of all other machines you’ve infected.
  9. Make amends to those infected, i.e. with Mac OS, Ubuntu, FreeBSD or similar.
  10. Continue to inventory remaining Windows hosts, and when infected, format & re-install.
  11. Seek through prayer, meditation and continuing malware research to improve your understanding of the growing malware threat as we know it.
  12. Having had a spiritual awakening, carry this message to other Windows users.

What I found interesting, despite the obvious humour, is that it left me wondering as to just how many of the 19 million connects from the last 3 years I was processing earlier are actually from enslaved bots or zombies…