Archive for the ‘Security’ Category

Roundup of Security predictions for 2009

Thursday, January 1st, 2009

Robert Auger of Webappsec.org has compiled a good roundup of various security predictions for 2009, as various sites are wont to do at this time of year.

I’m sure various individual security bloggers/researchers will start adding their own thoughts in due course.

Choosing your Computer Security Conference

Wednesday, December 17th, 2008

While trawling through references, and chasing down files as part of my final PhD push, I came across a resource compiled by Guofei Gu at Texas A&M. He has provided a Computer Security Conference Ranking and Statistic page. While by his own admission it is somewhat subjective, he makes use of some interesting metrics.

If you have novel research and are looking to get the best bang for your buck, this list can help you select the right forum to present in. Particularly interesting is the statistics list showing acceptance rates for some of the major conferences over the last few years.

Fresh Phish - more on DNS and Kaminsky

Wednesday, October 29th, 2008

The October 2008 issue of IEEE Spectrum magazine has a nicely phrased piece titled “Fresh Phish” by David Schneider describing the potential of the DNS spoofing bug discovered by Kaminsky.

Also worth noting is the focus on Steampunk [1] [2] [3], including a reference to the Steampunk band Abney Park.

Phishing on Phacebook ?

Saturday, October 25th, 2008

I came across the following on Facebook while doing my monthly catch-up on who is who in the zoo. Is it bad design to allow users to inject their own content like this? In this case it is more a litmus test of how aware social networking users are of this kind of thing.

Is it really this easy, to get people to give up the proverbial crown jewels?

I would assume the person in question either has savvy friends who have not fallen for the ploy, or has no friends ;)

*info redacted to protect the curious*

New Infosec Viz Tool - Picviz

Friday, October 24th, 2008

Version 0.3 of PicViz has been released, based on Python and Qt, which bodes well for potential portability. This is yet another tool to help one actually filter through piles of connections, using a classic parallel axis setup. Drilldown is offered. Some example renderings of the Kaminsky DNS attacks are available.

A more advanced version of the kind of output achievable is also provided showing how with the help of a pre-processing script, the SSH login process can be graphed:

Graphs are produced via an intermediate scripting language which by design has a strong similarity to that used by Graphviz. I’ll definitely be adding this to my toolset and seeing how it handles processing of some of the rather large data sets I’ve got.

Next Great worm on the rise? (MS08-067 Critical)

Friday, October 24th, 2008

Microsoft seems to have broken with the “Patch Tuesday” scheduled release cycle with the urgent release of MS08-067 earlier today, after having detected in-the-wild attacks against netapi32.dll. The vulnerability is in the RPC connector we know and love so well (Blaster, Welchia, Nimda …). ISC points out quite nicely that this could be the vector of choice for the next generation worm, and have adjusted their Infocon to Yellow accordingly. I suspect that we could see such a bit of code coming out within the next 3-5 days, since there is already existing exploit source for Blaster, and some of the reverse engineering and weaponization techniques based on patches are rumoured to be quite advanced. I suspect we are either going to see a payload of some kind of destructive nature (US elections, anyone?) or, in a somewhat more insidious form (now why do the Ordos spring to mind), a botnet zombie.

I’ve been patiently waiting for three years to catch a new worm on my telescopes, so I’m ready and waiting.

Windows 2000, XP and Server 2003 are all listed as critical targets, with Vista and Server 2008 being vulnerable as well, but potentially able to limit the damage due to their newer, somewhat more modular and layered security design. For operating systems other than the latter two, this release also effectively updates MS06-040.

Christopher Budd from the Microsoft Security Response Center has a nice little write-up about it, with further details in the official release notes for MS08-067. Also from a Microsoft perspective, Michael from the Security Development Lifecycle has a nice piece titled MS08-067 and the SDL in which he actually explains the bug itself.

Microsoft have also gone as far as to provide a webcast on the subject.

Update: Infosec blogspace is all atwitter with this. I’ll add relevant content as I find it.

Security and Networks Research Group (SNRG) Site launch

Tuesday, September 2nd, 2008

After some preparation and navigation of technical SNAFUs, the new website for the Security and Networks Research Group (SNRG) that I run in the Rhodes CS Department is up and running.

While content is still a little thin on the ground, it does represent a major step forward in actually providing a point of collation of project information under our own control. A large task to be performed next term is to actually backfill with old project information as we can get it off CD.

More as content actually develops.

Update: SNAFU n+1: the vhost is being denied access from outside of Rhodes.

Update: All fixed.

Verifying S/MIME content with OpenSSL

Monday, August 25th, 2008

I had an interesting question posed to me today by Dominic, who asked me to verify whether his all-new digital certificate was correctly being used for signing mail. Thunderbird sadly complained that the signature was invalid, which was unexpected, and that the issuer was unknown (expected, since it comes from a private hierarchy). The question then led to where the problem lay.

My gut feel was that it was the disclaimer being inserted by an intermediary gateway (one has to love corpmail). Setting about proving this was the hard part. The first issue at hand was to actually extract the certificates so I could play with the verification. Cert Viewer Plus for Thunderbird made this part a dream. Creating a modified version of the signed message was a little bit more problematic.

Trusting the command line, I started hunting around for details on OpenSSL support for S/MIME, which it has. OpenSSL needs a full CA path to be able to verify S/MIME signed messages. One can obtain this from various places (such as exporting from your browser), but in a case like this where a private hierarchy was being used, it's enough to make use of a somewhat smaller subset containing only the certificates used in this chain. These can be extracted using Cert Viewer Plus. Alternately some command line magic can be used to extract the PKCS7 formatted embedded certificates out in standard PEM format, using the following command:

openssl smime -pk7out -in mail.txt | \
        openssl pkcs7 -print_certs > extract.crt

Now that we have a certificate chain we can attempt the verification. The extract.crt below can be either from the openssl method above or the Cert Viewer Plus PEM dump.

openssl smime -CAfile extract.crt -verify -in mail.txt

Now we actually have a more usable error message. Although I really don’t know why I have such a deep distrust in GUI apps for actually telling me what is wrong.

Verification failure
88175:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_doit.c:808:
88175:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:265:

As suspected the digest failed, which led to an overall signature failure. The next step was to see if removing the disclaimer worked. Repeating on a slightly edited version of the mail gave the following:

openssl smime -CAfile extract.crt -verify -in mail2.txt
...
mail contents deleted
...
Verification successful

So the original question posed was whether the signature system was working correctly, which it now was. The differences between the two mail files were checked using diff:

diff -u mail.txt  mail2.txt
--- mail.txt         Mon Aug 25 18:06:33 2008
+++ mail2.txt      Mon Aug 25 18:08:10 2008
@@ -61,10 +61,6 @@
    South Africa

-Important Notice: This email is subject to important restrictions, qualifications
 and disclaimers ("the Disclaimer") ..that all was one very long line that made
 up the corporate disclaimer.....
-
-
-
 ------=_NextPart_000_0048_01C906C7.DB6FB700
 Content-Type: application/x-pkcs7-signature;
        name="smime.p7s"
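Review bot: the two lines carrying the unchanged-context prefix, ` and disclaimers ("the Disclaimer") ..that all was one very long line that made` and ` up the corporate disclaimer.....`, are a paraphrase of the single removed `-Important Notice:` line rather than context taken from mail.txt, so the hunk shows seven context lines where the header `@@ -61,10 +61,6 @@` accounts for six, and a reader counting lines against the prose cannot tell where the elision ends and the removal resumes. Move the paraphrase out of the hunk (a bare `...` between the `-Important Notice:` line and the next `-` line would do) so the hunk stays consistent with its header and with the four removed lines described below it.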

From the above the only difference shown is that a mail gateway had added in an extra four lines of disclaimer and whitespace padding. The question now evolves as to how to provide the now pretty much ubiquitous organisational disclaimer in outgoing mail in such a way that it doesn't trash any cryptographic operations in which the mail is involved. I've gone back over mails from a couple of other people in corporate South Africa that I know, and the problem seems to be widespread.

The solution may be that the disclaimer as such is encapsulated as a separate MIME component, which, interestingly, is what one university here does (although it insists on prepending its MIME encapsulated HTML disclaimer, which makes for really ugly mail reading!)
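The whole investigation above can be reproduced offline. The script below is an added example, not part of the original post: it builds a throwaway private hierarchy (a self-signed root CA and a user certificate it issues, both constructed here), signs a constructed message with `openssl smime -sign`, pulls the embedded certificate chain out with the post's own `-pk7out | pkcs7 -print_certs` pipeline, and then imitates the gateway by inserting a disclaimer plus three blank lines at the end of the signed text part, just before the boundary that opens the `smime.p7s` signature part. The function and file names (`verify_mail`, `extract_chain`, `add_disclaimer`, `mail.txt`, `mail2.txt`, `extract.crt`) are this example's own choices; the disclaimer text is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "digest failure" a mail
# gateway causes by appending a disclaimer to a signed S/MIME message, using a throwaway
# private hierarchy (root CA + user certificate) constructed here for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Throwaway private hierarchy: a self-signed root CA and a user certificate it issues.
#    The leaf gets no basicConstraints/keyUsage, so it passes OpenSSL's S/MIME signer check.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo Private CA" -days 365 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=Demo User/emailAddress=demo@example.invalid" >/dev/null 2>&1
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -set_serial 1 \
    -days 365 -out user.crt >/dev/null 2>&1

# 2. Sign a constructed body. -certfile embeds the CA certificate alongside the signer
#    certificate, as mail clients normally do, so the chain can later be pulled out of
#    the message itself (which is what the post does with extract.crt).
printf 'Hello Dominic,\nthis is a signed test message.\n' > body.txt
openssl smime -sign -text -in body.txt -signer user.crt -inkey user.key \
    -certfile ca.crt -out mail.txt

# verify_mail MAIL CAFILE: exit status 0 when the signature verifies, non-zero otherwise.
verify_mail() {
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1
}

# extract_chain MAIL OUT: the post's own extraction pipeline, certificates out as PEM.
extract_chain() {
    openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs > "$2"
}

# add_disclaimer MAIL OUT: imitate the gateway. The disclaimer and three blank lines are
# inserted at the end of the signed text part, i.e. just before the boundary line that
# opens the signature part (the second occurrence of "--<boundary>"). Anything inside
# the signed part is covered by the digest, so this is exactly what breaks verification.
add_disclaimer() {
    boundary=$(sed -n 's/.*boundary="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    awk -v b="--$boundary" '
        $0 == b { n++; if (n == 2) {
            print "Important Notice: This email is subject to important restrictions (constructed)"
            print ""; print ""; print "" } }
        { print }' "$1" > "$2"
}

extract_chain mail.txt extract.crt
add_disclaimer mail.txt mail2.txt

# Stand-alone run: report which messages verify against the chain extracted from the mail.
for m in mail.txt mail2.txt; do
    if verify_mail "$m" extract.crt; then echo "$m: Verification successful"
    else echo "$m: Verification failure"; fi
done
```

Running it prints `mail.txt: Verification successful` and `mail2.txt: Verification failure`, the same pair of outcomes the post got from the real mail and its edited copy. The design point is that the gateway never touches the signature part; it only appends to the text part, but the text part is precisely what was hashed, so any appended byte invalidates the digest. A disclaimer carried as a sibling MIME part outside the `multipart/signed` container, as the post's last paragraph suggests, leaves the signed part untouched.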

Points Transfer with CAcert

Monday, August 25th, 2008

Having finally completed my points transfer from my Thawte Web of Trust to CAcert, I thought it would be worth documenting the process. I am already a Thawte WOT notary, and as such a trusted and assured person in the sense of their Web of Trust. Details of this migration process can be found here, although my understanding is it applies to ordinary Thawte users too.

The following is a shorthand ticklist of the steps required.

  1. Sign up with cacert.org.
  2. On the Thawte website make sure your notary details include the email address that you have used for the cacert.org signup. This may involve just editing your details within the WOT console and waiting for approval/verification, or having to do this and a ping to the mail address. Having the details verified can take 2-5 days if the info is not already on your notary page.
  3. Generate a certificate compatible for use with Internet Explorer. This is the tricky part, as even Firefox 3 doesn’t support the client-based authentication required by the tverify.cacert.org website. This should also be for the email address you are signed up to cacert.org with.
  4. Go to the Thawte verification site (tverify.cacert.org), and choose the appropriate certificate to present to the server. Make sure to use your IE browser with the right client cert installed.
  5. Fill in your email address (this grants you 50 points since you are trusted within the Thawte WOT).
  6. Wait while a manual verification takes place.
  7. Once an email is received either notifying you of an error or noting that you have succeeded, either rinse and repeat, or proceed to the next step.
  8. You are now ‘Assured’ but need to take the Assurer Challenge in order to prove your basic knowledge about the system, in order to be able to actually start Assuring people. The link above also includes some background material one may need in order to attain the 80% mark required.

The Assurer Challenge is a really nice idea, and although anyone familiar with the concepts around the Thawte WOT system and general CA operations should have no problems with the majority of the 25 random questions, there are some which relate closely to the CA-specific rulings etc.

So now I have a full 150 assurance points since I was processed by the Trusted Third Party (TTP) system (and it appears this is the maximum one can get, as otherwise one's points are rounded down), as opposed to the 100 point maximum one gets for gathering points via the WOT method.

So now I’m able to embed my name in client certificates (50 points minimum), get server certificates for 2 years, and also get code signing bits on my certificates.

Applied Security Visualization released

Thursday, August 21st, 2008

I probably should have posted this a while back, but it's still worth noting that Raffael Marty’s Applied Security Visualization has been released. It includes a copy of the DAVIX CD as distributed at Defcon 16 (davix-1.0.1-defcon16.iso.gz, also obtainable from the homepage, includes a couple of packet traces as used in the Defcon workshop), which includes a copy of InetVis as one of their four chosen visual analysis tools on the live CD.

For the impatient, some instructions are available for getting started. Now to work out what else to order from Amazon so that the 40USD special shipment fee hurts a little less (thanks to our totally criminal and incompetent post office in South Africa).

Failing that, it's time to wait till the local places get round to stocking it.