SSL certificates have been in the news lately (again), and there’s a huge uproar. Is SSL still OK? Is PKI dead? While most people understand the technical side of PKI, I’ve found that the “soft”, or what I call the “political” side, is not as well understood. Anyone can set up the technical infrastructure to become a CA – but what makes the Root CAs found in your browser special? And as a corollary, how do you get into that select list? Each company officially has their own method of determining what CAs are in their list of Trusted Roots. Mozilla clearly outlines their requirements on their wiki, and Microsoft has a program for inclusion. In general, there are a[…]

Disclaimer: I requested and received an evaluation version of the Apricorn Aegis Padlock. I was sent the 250GB AES-256 version, and I need to return it to the company in 30 days. This is a pretty sweet hard drive, but there are a few annoyances that I think can be improved upon. I was unable to test a few things just due to the time I could devote to this, the fact that I need to return the drive in working condition, and that I don’t have access to some specialized hardware to test timing attacks. The drive is FIPS 197 validated – aka, uses AES according to NIST. You can check out Apricorn’s site for the specs and details,[…]

Black Hat Briefings have been going on all this week, with the expected announcements of vulnerabilities, tools, and other fun. I refuse to go to Vegas for health reasons, so I often miss out on Black Hat and Defcon. But this week, the one announcement that has me interested is that SMS messages are being used to unlock cars and start them – specifically the Subaru Outback. They also demonstrated that car unlocking isn’t the only capability that SMS messages have. Pretty much anything that uses the GSM network for communication may be vulnerable – electric meters, traffic lights, GPS-tracking, etc. With more and more devices being “always connected”, I suspect we’ll see more problems. And these are the kinds[…]

I hesitate to say that visio is only useful in pen-testing, because it can also be useful in developing a secure architecture, or a web page, and really just putting all the moving parts onto your screen (or paper) so that you can look at the big picture. I use Visio to diagram networks and web pages that I’m looking at. The network diagramming is pretty obvious – a lot of people use Visio for network diagrams anyway. Where the value comes for security folks is in the details you’re willing to add to the diagram – what ports are open on the firewall and what servers do they go to? Another use for Visio is mapping out web pages.[…]

LDAPS is used among security folks and developers pretty indiscriminately. The general gist is that the LDAP connection is encrypted between the client and server via SSL/TLS – with a lot of hand waving involved. But there is actually a slight difference in how SSL and TLS are negotiated over LDAP. TLS can be negotiated over the standard 389 port, rather than the 636 port we normally associate with SSL connections – although for the sake of convention, it’s generally done over port 636 as well. LDAPS comes from LDAPv2 (retired in 2003) where the SSL negotiation takes place before any commands are sent from the client to the server. With a TLS connection, the connection is negotiated (non-encrypted) before[…]

Disclaimer: I am *not* a mathematician. I just happened to take a Number Theory class from an awesome professor (Dr Blakley) at Texas A&M. When I took Dr Blakley’s Math 673 class, I was in over my head at first (and probably still would be if I hadn’t seen the applications of the topics in his class since taking his class). Unfortunately, I graduated and didn’t get to take the second part of the course, which friends told me was just as good as the first part. We learned about polynomial math, and at the time, I had no clue what it could be used for…. Then a friend linked me to this awesome stick figure explanation of AES. Once[…]