While content is still a little thin on the ground, it does represent a major step forward in actually providing a point of collation of project information under our own control.  A large task to be performed next term is to actually backfill with old project information as we can get it off CD.

More as content actually develops.

Update: SNAFU n+1  the vhost is being denied access from outside of Rhodes.

Update: All fixed.

My gut feel was that it was the disclaimer being inserted by an intermediary gateway ( one has to love corpmail).  Setting about proving this was the hard part.  The first issue at hand wa to actually extract the certificates so I could play with the verification.  Cert Viewer Plus for Thunderbird made this part a dream. Creating a modified version of the signed message was a little bit more problematic.

Trusting the command line, I started hunting around for details on openssl support for SMIME, which it has.  OPenSSL needs a full CA path for being able to verify SMIME signed messages. One can optain this from various places ( such as exporting form your browser) but in a case like this where a private hierarchy was being used, its enough to just make used of a somewhat smaller subset contianing only the certificates used in this chain.  These can be extracted using Cert Viewer Plus. Alternately some command line magic can be used to extract the PKCS7 formatted embedded certificates out in standard PEM format., using the following command:

openssl smime -pk7out -in mail.txt | \
        openssl pkcs7 -print_certs > extract.crt

Now that we have a certificate chain we can attempt the verify. The extract.crt below can be either from the openssl method above or the Cert Viewer plus PEM dump.

openssl smime -CAfile extract.crt -verify -in mail.txt

Now e actually have a more usable error message. Although I really don’t know why I have such a deep distrust in GUI apps for actually telling me what is wrong.

Verification failure
88175:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_doit.c:808:
88175:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:265:

As suspected the digest filed, which lead to a overall signature failure.  The next step was to see if removing the disclaimer worked.  Repeating on a slightly edited version of the the mail gave the following:

openssl smime -CAfile extract.crt -verify -in mail2.txt
...
mail contents deleted
...
Verification successful

So the original question posed was if the signature system was working correctly which it now was. The differences between the two mail files was checked using diff

diff -u mail.txt  mail2.txt
--- mail.txt         Mon Aug 25 18:06:33 2008
+++ mail2.txt      Mon Aug 25 18:08:10 2008
@@ -61,10 +61,6 @@
    South Africa

-Important Notice: This email is subject to important restrictions, qualifications
 and disclaimers ("the Disclaimer") ..that all was one very long line that made
 up the corporate disclaimer.....
-
-
-
 ------=_NextPart_000_0048_01C906C7.DB6FB700
 Content-Type: application/x-pkcs7-signature;
        name="smime.p7s"

From the above the only difference shown is that a mailgateway had added in a extra four lines of disclaimer and whitespace padding.  The question now evolves as to how to provide the now pretty much ubiquitious organisational disclaimer in outgoing mail in such a way that it doesnt trash any cryptographic operations in which the mail is involved.  Ive gone back over mails from a  couple of other people in corporate South Africa that I know , and the problem seems to be widespread.

The solution may be that the disclaimer as such is encapsulated as a separeate mime component, which is what interestingly one university here does ( although it insists on prepending its mime encapsulated HTML disclaimer, which makes for relaly ugly mail reading!)

The following a is a shorthand ticklist of the steps required.

1. sign up with cacert.org
2. On the thawte website make sure your notary details include the email address that you have used for the cacert.org signup.  This may involve just editing your details within the WOT console, and waiting for approval/verification, or having to do this and a ping to the mail address.  having the details verified can take 2-5 days, if the info is not already on your notary page.
3. Generate a certificate compatible for use with Internet Explorer.  This is the tricky part, as even Firefox 3 doesn’t support their client based authentication required by the tverify.cacert.org website  this should also be for the email address you are signed up to cacert.org with.
4. Go to the Thawte verification site (tverify.cacert.org), and choose the appropriate certificate to present to the server. make sure to use your IE browser witht he right client cert installed.
5. Fill in your email address, ( grants you 50 points since youare trusted within the Thawte WOT
6. Wait while a manual verification takes place.
7. Once email is received either notifying you of an error or noting you have succeded, either rinse and repeat, or proceed to the next step.
8. You are now ‘Assured’ but need to take the Assurer Challenge in order to prove your basic knowledge about the system, in oorder to be able to actually start Assuring people.  The link above also includes some background material one may need in order to attain the 80% mark required.

The Assurer Challenge is a relaly nice idea, and although anyone familiar with the concepts around the Thawte WOT system and general CA operations should have no problems witht he the majority of the 25 random questions, there are some which trelate closely to the CA specific rulings etc.

So now I have a full 150 assurance points since I was procesed by the Trusted Third Party (TTP ) system ( and it appears this is the maximum one can get as otherwise ones points are rounded down), as opposed to the 100 point maximum one gets for gathering points via the WOT method.

So now I’m able to embed my name in client certificates (50 points minimum), get server certificates for 2 years, and also get code signing bits on my certificates.

Installation was simple, with registration required in order to obtain two APi keys for use with the service. What interesting about this solution is that rather than just mutating words, a two phrase system is sued. One of the phrases is a known word, and th eother is a word that is taken form a ocr scan of the NYT or Internet Archive, ans has not been correctly identified by the ocr software. Thus there is a bit of community mindedness involved as well, as these words are interpreted. More on the gory details can be found here.

What does interest me tho is that this will not offer any protection from ‘pingback’ spam whihc is being submitted via the xmlrpc interface, but should still at another layer to the security onion.

For the impatient some instructions are available for getting started. Now to work out what else to order form amazon so that the 40USD specail shipment fee hurts a little less ( thanks to our totally criminal and incompetent post office in South Africa)

Failing that its time to wait till the local places get round to stocking it.

Blackat Media’s decision to open up their archives is to be commended.  If I recall correctly, this content has also been available on iTunes fro a while under podcasts.

Of all the tools release its DAVIX, that makes me happiest, other than it being a relaly slick Compilation of VizSec tools, it also features InetVis, which is a part of the postgraduate research by one of my students (Jean-Pierre van Riel), which I previously posted about.

iKat is the other tool that tickles my fancy.

There are some interesting setf odf Defcon Photos floating around such as these by sits, who has also made available a zip of the of the Defcon 16 CD contents.An 732MB ISO  version is also available that at least has checksums.

I see some fun times ahead!

• http://www.google.com/search?q=rxbcrobh
• http://www.google.com/search?q=frhlrxca
• http://www.google.com/search?q=omihinga

Searching on google with these links, surprisingly turns up nothing. I was expecting to find lists of malware infected sites similar to the SQL injection attacks seen in the last few months. Does anyone have any insight into these ? Sources appear to be geographically dispersed, and scattered across a variety of blog entries, old and new?

The screenshots provided show the functionality quite nicely. To round it off, its a tiny 3MB download, installing to just over 8MB.  The actual burning is handled by the well established CDRtools libraries, but the frontend makes it a much more pleasurable experience, than having to fiddle with command line arguments.

Its also worth noting that Halvar Flake has stepped up and stated that hes found the bug as well ( so I assume He will be sharing the stage with Dan at Defcon)

Footnote:

While trawling through logs it was interesting to nitice that this post was noted in E-Securre-it and Team Cymru’s security news links links on the 24th of July 2008

Important dates
Submission of papers: October 20, 2008
Notification to authors:  December 20, 2008
Camera-ready copies:  January 15, 2009

1. Admit that you are powerless over bots.
2. Believe that a power greater than yourself exists and is necessary to identify and eliminate malware, botnets, and the Windows hosts that contain them.
3. Make a decision to turn your will and your life over to ShadowServer, Malfease or another similar volunteer effort.
4. Make a searching and fearless inventory of your Windows machines.
5. Admit to another security expert that you [have/do] run Windows.
6. Demonstrate readiness to remove Windows from your PC.
7. Humbly ask other experts to remove Windows from your machine.
8. Make a list of all other machines you’ve infected.
9. Make amends to those infected, i.e. with Mac OS, Ubuntu, FreeBSD or similar.
10. Continue to inventory remaining Windows hosts, and when infected, format & re-install.
11. Seek through prayer, meditation and continuing malware research to improve your understanding of the growing malware threat as we know it.
12. Having had a spiritual awakening, carry this message to other Windows users.

What I found interesting despite the obvious humour, is that it left me wondering as to just now many of the 19 million connects form the last 3 years I was processing earlier are actually from enslaved bots or zombies…

The impact its having on mirrors seems to be quite intense. The following two images sow traffic stats from mirror.ac.za the mirror service run by TENET here in South Africa.

Update:

A Firefox 3.0 download counter is now available. 943806 currently averaging some 7000/minute. Some commentary on the outages, although they seem to have cleared.

This Aside, I think the upgrade is well worth it , and I’ve been more than happy since Beta2 when I move my primary system over to running 3.0. The biggest improvements being rendering when switching between tabs ( and I usually have LOTS of tabs) and memory usage.

Tomorrow regular programming resumes ;)

My copy should hopefully be arriving in the next few weeks, but I’m looking forward to the Work done by John R Goodall, Gregory Conti and Kwan-Liu Ma as editors. I’m just sorry I’m not going to make VizSec 2008 this year.

The two papers that I presented are (links to the PDF slides):

• High level Internet Scale traffic visualization using Hilbert curve mapping - Barry Irwin and Nick Pilkington. This details the initial work we did using the Hilbert Curve Analysis tool for IP networks
• Using InetVis to evaluate Snort and Bro scan detection on a network telescope - Barry Irwin and Jean-Pierre van Riel. InetVis is the result of three years of JP’s work to build a scalable 3-D vizualisation tool for network traffic — primarily that collected by network telescopes.

Jan Monsch and Raffael Marty and have prepared the second beta version of DAVIX. And are now seeking for beta testers that have the time to test DAVIX and answer the questionnaire that comes along with the beta version. All completely filled out questionnaires received by me until Monday 23 June 2008 18:00 UTC will enter a raffle for one autographed copy of Raffy’s upcoming book “Applied Security Visualization”.

If you want to participate in the beta test please contact: jan.monsch ät iplosion.com

What makes me quite happy is that they have included InetVis as one of their four chosen visual analysis tools on the live CD.

I’ve been paying with this since this morning and so far so good.

..For each piece of disassembled code, API calls, memory addresses and subroutines are tracked and analyzed. Their frequency, density and grouping are mapped to the inputs of an algorithm that grows a virtual 3D entity.

The Storm Worm is probably my favorite visualizations. He also has an interesting set of images entitled SpamPlants, based on input relating to the ASCII character frequency of spam messages.

Now this sounds like a great project for an aspiring security researcher with a graphical bent.

• 1 subscribers using Google FeedFetcher to grab /blog/index.php?flav=rss
• 6 subscribers using Google FeedFetcher to grab /blog/?flav=rss&category=Security
• 27 subscribers using Google FeedFetcher to grab /blog/?flav=rss
• 2 subscribers using Rojo to fetch /blog/?flav=rss
• 7 subscribers NewsGatorOnline to grab /blog/?flav=rss
• 1 subscriber using Feedshow to grab /blog/?flav=rss

First of all thank-you for your interest, but the links have changed. My full feed is available as RSS 2.0 or Atom 1.0, or a reduced Security only feed as RSS 2.0 ( but you miss out on the fun stuff).

This is why this post is actually tagged as security, so they get it too ;)

http://www.ctan.org/tex-archive/biblio/bibtex/utils/misc/rfc2bib.awk

Or other CTAN mirrors closer to you.

Intel’s own Microprocessor Hall of Fame describes the chip as:

A pivotal sale to IBM’s new personal computer division made the 8088 the brains of IBM’s new hit product–the IBM PC. The 8088’s success propelled Intel into the ranks of the Fortune 500, and Fortune magazine named the company one of the “Business Triumphs of the Seventies.”

Intel also has a nice image (300K) of the 8086 and 8088 die.

While purists will probably grumble about the horridness of the x86 family instruction set in comparison to some RISC and embedded controller instructions sets, it has proved highly scalable, and extensible over the last 30 years.