Page 2 of 3

A while ago Google announced Project Zero, a team of security researchers whose goal is to find bugs in software so that you, dear user, can use the web and technology securely. They were very up front about how the team would work: they would report the bugs and vulnerabilities they found to the companies or people responsible for maintaining the software, give the developers 90 days to fix the bug, and then let the world know about it.

It turns out that Microsoft Windows has a few bugs in it (who knew?). On more than one occasion Google has discovered vulnerabilities in Windows. On two of these occasions Microsoft was notified of the vulnerability and was "unable" to patch it before the 90 days elapsed. I have read many articles about this and I feel like they are almost all completely out to lunch. I won't even link to them because I feel they are so poorly informed on this topic.
Read Full Article

What is Firesheep?

You may remember that about 4 years ago Eric Butler released a Firefox extension that did something very clever. It hooked into a packet capture library and, at an open Wi-Fi access point, could capture cookies that weren't sent over SSL. That extension was Firesheep. The press grabbed onto the story because it made "hacking" into someone's Facebook account something almost anyone could do. At the time, many sites would shuttle you securely over https:// for the login and then hand you an authentication cookie that was not marked Secure, so the browser happily sent it in the clear over http:// on every later request. This authentication cookie is the thing that proves you are who you say you are, so if a bad guy got hold of it, they could easily impersonate you on that site.
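As an added example (not code from the original post), here is a small Python audit of the failure mode Firesheep exploited: a session cookie issued after an HTTPS login but without the Secure attribute, which the browser will then send on any plain http:// request to the same site. The two HTTP responses are constructed samples, example.test is a placeholder host, and the "looks like a session cookie" heuristic is an assumption of this example.

```python
"""Added example: flag cookies that a Firesheep-style sniffer could capture.
A cookie without the Secure attribute is sent on http:// requests too, so an
attacker on the same open Wi-Fi network can read it off the wire."""

# Assumption of this example: names containing these fragments are session cookies.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Return (name, value, attrs) for one Set-Cookie header value.
    Flag attributes (Secure, HttpOnly) map to True; valued ones to their string."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def set_cookie_headers(raw_response):
    """Pull every Set-Cookie header value out of a raw HTTP response (str or bytes)."""
    if isinstance(raw_response, bytes):
        raw_response = raw_response.decode("iso-8859-1")
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit_cookies(raw_response):
    """Return {cookie_name: [issues]} for every cookie set by the response."""
    report = {}
    for value in set_cookie_headers(raw_response):
        name, _, attrs = parse_set_cookie(value)
        issues = []
        if "secure" not in attrs:
            issues.append("no Secure flag: browser sends it over plain http://, sniffable")
        if "httponly" not in attrs:
            issues.append("no HttpOnly flag: readable by script on the page")
        report[name] = issues
    return report


def sniffable_session_cookies(raw_response):
    """Names of likely session cookies that lack Secure, i.e. what Firesheep went after."""
    return sorted(
        name for name, issues in audit_cookies(raw_response).items()
        if any(i.startswith("no Secure") for i in issues)
        and any(hint in name.lower() for hint in SESSION_HINTS)
    )


# Constructed sample: a 2010-style login response. The cookie is issued after an
# HTTPS login but without Secure, so it rides along on later http:// requests.
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://example.test/home\r\n"
    "Set-Cookie: sessionid=9f8e7d6c; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
)

# The same response with the session cookie locked to HTTPS and hidden from script.
FIXED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.test/home\r\n"
    "Set-Cookie: sessionid=9f8e7d6c; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_cookies(resp))
        print("  sniffable session cookies:", sniffable_session_cookies(resp))
```

The Secure attribute stops the browser from ever sending the cookie over http://; the complete fix is to serve the whole site over HTTPS (with HSTS) so there is no plain-text request for the cookie to ride on in the first place.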

Read Full Article

I was thinking about this question the other day. It SEEMS obvious... I realized that it relates to one of my favourite misconceptions about https, or SSL/TLS. People often focus on the encryption aspect of SSL/TLS and not on its authenticity and verification properties. When Google first announced a few years ago that Google search was going to be over "https", I, like a lot of people, assumed it was to make your search results private.

Google’s support page, regarding SSL Search, quite correctly points out:

SSL doesn’t always protect:

  • The fact that you visited google.com
  • The search terms that you typed
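An added example, not from the original post or from Google's support page: one reason SSL does not hide "the fact that you visited google.com" is that the hostname travels in the clear in the TLS ClientHello's Server Name Indication (SNI) extension, quite apart from the DNS lookup and the destination IP. This Python builds a minimal ClientHello and then pulls the hostname back out of it the way a passive observer on the network would. The ClientHello is a constructed sample; the cipher-suite list in it is arbitrary.

```python
"""Added example: what a passive observer still sees from an HTTPS connection.
The TLS ClientHello is sent before any key exchange, so the Server Name
Indication (SNI) extension carrying the hostname is plaintext.
build_client_hello() assembles a minimal TLS 1.2-style ClientHello (constructed
sample traffic); extract_sni() reads the hostname back the way a sniffer would.
Standard library only."""
import os
import struct

SNI_EXTENSION_TYPE = 0x0000


def build_client_hello(hostname, include_sni=True,
                       cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Return one TLS record holding a ClientHello for `hostname`.
    The cipher-suite list is arbitrary; only the structure matters here."""
    extensions = b""
    if include_sni:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext)) + ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + os.urandom(32)                             # random
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # compression_methods: null only
        + extensions                                 # omitted entirely when empty
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None if there is none.
    No key is needed: this is exactly what a sniffer on open Wi-Fi sees."""
    if len(record) < 6 or record[0] != 0x16:     # ContentType must be handshake
        return None
    hs = record[5:]
    if hs[0] != 0x01:                            # only ClientHello carries SNI
        return None
    pos = 4 + 2 + 32                             # skip type+length, version, random
    pos += 1 + hs[pos]                           # session_id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2 + cs_len                            # cipher_suites
    pos += 1 + hs[pos]                           # compression_methods
    if pos >= len(hs):                           # no extensions block at all
        return None
    (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        if etype != SNI_EXTENSION_TYPE:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            (nlen,) = struct.unpack("!H", data[p + 1:p + 3])
            name = data[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if name_type == 0:
                return name.decode("idna")
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.google.com")
    print("observer sees:", extract_sni(hello))   # www.google.com
    print("without SNI:", extract_sni(build_client_hello("www.google.com", include_sni=False)))
```

The URL path and query string, and with them the search terms, are inside the encrypted channel; the hostname is not, so an observer on the network learns which site you visited even though it cannot read what you searched for.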


Read Full Article

VPN Introduction

I have been doing some work with VPNs lately, having set up a PPTP (Point-to-Point Tunneling Protocol) VPN for some Android network analysis. It is easy to set up on a server and a mobile device, but PPTP generally isn't secure: its usual MS-CHAPv2 authentication is broken, and the MPPE session keys are derived from it, so you should not rely on it unless you are using (P)EAP instead. I wanted to try out something that overlaps what I'm pretty knowledgeable about, TLS/SSL, with something I have never had to actually set up, an SSL VPN. Most people who use a VPN to connect into work use an SSL VPN, probably from someone like Cisco or Juniper. They are pretty easy to set up on the router side of things, and relatively easy for client devices. Other advantages are that they can run over port 443, so they won't be blocked by most firewalls, and that they rely on the verification properties inherent to TLS/SSL (the server proves its identity with a certificate) rather than some sort of challenge-response handshake. Using TLS/SSL also lets them be flexible about key sizes and cipher suites and upgrade them as the future requires.
Read Full Article

I'm very excited to announce the launch of AM I SHA-1, the SHA-1 Checkinator. This is a site that I have been working on for a few months, off and on. Ever since Google announced that they were going to sunset SHA-1 certificate support in Chrome, I felt it would be useful to have an easy site to check your SSL/TLS certs. It isn't difficult to check your certificates yourself, but not everyone is able to analyze their own certificates and understand the context under which they need to act to upgrade them before the end of 2016. The tool takes a URL, downloads and parses the certificates for the site, and then helps you determine what action, if any, is required. I realize there are several tools out there that check for this already, but most of them are bundled into more extensive tests that often take a long time to run. My goal with this site was to be lean and quick, so I focused on just checking for the presence of SHA-1 signatures on the leaf and intermediate (chain) certificates. Plus it was a great learning experience.
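An added Python example, not the Checkinator's own code: the property such a check tests is the signatureAlgorithm in the certificate's outer DER SEQUENCE, so here is a standard-library DER walk that reads that OID and reports whether it names a SHA-1 algorithm. The certificates in the block are constructed stubs with the correct outer structure and placeholder contents; for a real certificate you would pass the DER bytes (for example `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`) to the same function. One caveat any such checker should apply: a self-signed root's own signature is never verified by the client, so only the leaf and intermediate signatures matter.

```python
"""Added example: read the signatureAlgorithm OID of an X.509 certificate
straight from its DER encoding and decide whether it is a SHA-1 signature.

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
"""

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der_cert):
    """Return (dotted OID, name) of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der_cert)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert)          # skip tbsCertificate
    tag, algid, _ = read_tlv(cert, pos)    # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_bytes, _ = read_tlv(algid)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = decode_oid(oid_bytes)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def is_sha1_signed(der_cert):
    """True when the certificate's signature uses SHA-1 (RSA or ECDSA flavour)."""
    _, name = signature_algorithm(der_cert)
    return "sha1" in name.lower()


# --- encoders used only to build constructed test certificates -------------
def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def stub_certificate(sig_oid):
    """Constructed stand-in: the check only reads the outer signatureAlgorithm,
    so tbsCertificate and signatureValue are placeholders, not real contents."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                               # placeholder TBS
    algid = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))  # OID + NULL params
    sig = tlv(0x03, b"\x00" + b"\x00" * 16)                           # placeholder BIT STRING
    return tlv(0x30, tbs + algid + sig)


SHA1_STUB = stub_certificate("1.2.840.113549.1.1.5")
SHA256_STUB = stub_certificate("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for label, cert in (("sha1 stub", SHA1_STUB), ("sha256 stub", SHA256_STUB)):
        print(label, signature_algorithm(cert), "needs replacing:", is_sha1_signed(cert))
```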
Read Full Article

My wife has a 27″ iMac from late 2009. We upgraded her to a more powerful Windows machine about a year ago. The iMac has a beautiful screen and is in good shape, but its performance had slowed quite a bit. I took a look at the specs of the machine. It had 4 GB of RAM and a 1 terabyte hard drive. It also has a Core 2 Duo, dual-core processor, which is meh. I figured that there wasn't a whole lot I could do about the processor, but the hard drive and RAM could be upgraded.

Upgrading RAM on an iMac is supported by Apple and very easy to do on most models. I decided to upgrade it to 8 GB. I made sure that I bought RAM that was supported by the iMac model I had. I used Crucial's RAM picker as I have had good experiences with it in the past. On a regular PC I can usually suss out what RAM will be compatible with the motherboard in question. With Macs, I have been burnt by buying RAM that isn't compatible, so I always check. Actually performing the upgrade was fairly straightforward. I tipped the iMac back so that it was lying horizontal, then unscrewed a panel from the bottom of the monitor housing. As I recall there are some tabs that help you eject the RAM modules. Before you pull the modules out, you may want to take a minute to understand how to put the tabs back before you insert the new modules. It will make it easier to eject the new modules should you ever need to. Also it just looks tidier.
Read Full Article

The Setup

I have been testing out different ways to optimize this site for performance, purely as a learning experience. I have come across several guides explaining how server-side caching works; some of them are really good, and some a bit out of date in terms of what I consider "best practice" in the industry these days. Most of the guides to server-side caching do not include the notion of SSL/TLS. Just as setting up a web server with SSL/TLS is more complex than setting one up without, setting up a cache with SSL/TLS is more complex than setting one up without. The goal of this article is to discuss some of the most popular methods and some of their advantages and disadvantages.

This article will be more about the overarching concepts and flow of information than actual configuration, but I’m hoping to do articles on how to actually configure the different options in future posts and incorporate them into this article.
Read Full Article

PKI vs. CA

First we need to get a few terms straight. I have heard the terms public key infrastructure (PKI) and certificate authority (CA) used interchangeably in conversation. The difference is that a CA by itself doesn't perform all of the functions of a PKI. PKIs contain CAs, but they also have other components: certificate revocation lists (CRLs) and Online Certificate Status Protocol (OCSP) responders, which give clients a higher degree of certainty when assessing whether a certificate is still valid, and even policy, which specifies what kinds of certificates, or which attributes, the CAs within the PKI are allowed to sign.

What is AD CS?

Active Directory Certificate Services (AD CS) is made by Microsoft and is what a lot of companies use for their PKI needs. It works well, gives you nice ways to interact with it, and runs on Windows Server. You can request certificates through a (somewhat ugly) web interface, request/issue certificates through a Microsoft Management Console (MMC) snap-in, or request/issue certificates at the command line with certutil/certreq. AD CS even handles things like CRL publishing over FTP or SMB and running an OCSP responder, in concert with IIS. Even though certificate revocation is utterly broken in the consumer world (browsers soft-fail or skip the check entirely), many enterprise uses of PKI, e.g. EAP-TLS, generally require revocation to be 'working'.
Read Full Article

The Setup

I recently decided that I wanted to learn about Nginx. You may know that Nginx is a web server that has been growing in popularity in the last few years. People use it as an alternative to more traditional web servers like Apache or IIS, or in conjunction with them, with Nginx acting as a reverse proxy. Nginx excels at serving static content and, properly configured, can use fewer resources than Apache or IIS in some scenarios. The one drawback I had heard about with Nginx was that it doesn't have the breadth of modules that you find in Apache. To illustrate one of the differences: under Apache, PHP is usually loaded as a module (mod_php), while Nginx hands PHP requests to a separate FastCGI process (e.g. PHP-FPM). Using FastCGI, Nginx is able to get comparable performance with potentially lower resource usage.

In terms of configuration, Apache is certainly an acquired taste, but once you get it, it is not all that complicated, and many of the directives are well documented in the Apache docs. Coming from Apache, the configuration of Nginx is surprisingly easy to pick up. Several things that take 2 or 3 lines in Apache take only 1 in Nginx.
Read Full Article

EDIT: There is an updated version of this article for Ubuntu 16.04 here.

I love to mess around with Linux in my home lab and I like to check out the state of Samba from time to time. I have documented the steps that I took to get Samba 4 working as an Active Directory Domain Controller and also made a screencast that I have cross-posted on YouTube. I chose Ubuntu because they have pretty recent packages of Samba; more info about binary packages for different distributions is on the Samba Wiki. If you are following this as a guide, I'm assuming that you have already installed Ubuntu 14.04. If you do watch the screencast, it is best viewed in HD!

Read Full Article