May 28th, 2009
We talk a lot about how SSL is useful, but how exactly does it work? Most systems today use SSL v3/TLS v1 rather than “SSL”, and the nitty gritty details are found in RFC 2246. However, that’s only part of what goes on, and certificate validation and path building (RFC 4158) and X.509 certificates (RFC 5280) are also important. This post is only concerned with the SSL/TLS protocol itself, and when the other RFCs are needed “magic happens.” If you’re interested, I highly recommend reading through the RFCs. I do assume that you’ve got basic certificate and PKI knowledge while reading this. If you don’t, Mike wrote a great series on it.
Tags: SSL
Posted in Technology & Tool Thursday by Laura Raderman
May 26th, 2009
By default Thunderbird doesn’t help to filter out spam and instead relies on whatever spam protection your email provider uses. This can be frustrating, and it can create security problems: rather than risk blocking legitimate messages, your provider errs on the side of delivery, and you end up with a bit more spam.
I see users delete spam messages using Outlook, Thunderbird, and the varieties of webmail. Simply deleting a spam email doesn’t help you in the long run, because unless someone (you, your email client, someone!) knows a message is spam, it will wind up in your inbox.
It’s easy to enable Thunderbird’s adaptive junk mail for one or all of your accounts.
- From the tool bar click Tools > Account Settings
- Scroll down and select Junk Settings > Enable Adaptive Junk Mail Controls…
- Below that, select 14 days or some other interval for Thunderbird to automatically delete the messages in your spam folder. Just make sure to check your spam folder to catch any valid emails that may have been incorrectly marked.
- Click Ok
Now, every time you get an email that is spam, click Thunderbird’s junk button shown on the right. Thunderbird will then slowly begin to learn which messages are spam based on what you teach it. The concept is the same with other email clients and will gradually reduce the amount of spam you receive and the time you take to delete messages every day. Less spam will also protect you and other users in case they’ve forgotten the lessons they’ve learned from Anti-Phishing Phil.
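As an added illustration (not Thunderbird’s own code), the small Python filter below learns the way adaptive junk controls do: each “Junk” or “Not Junk” verdict updates per-token counts, and later messages are scored as the Bayesian probability implied by those counts. The class, function names and training messages are constructed for this example.

```python
import math
import re
from collections import Counter

# Crude tokenizer: lower-case words, digits, and the '$' and '!' that show up in spam.
TOKEN_RE = re.compile(r"[a-z0-9$!]+")

def tokenize(text):
    """Distinct tokens of a message; presence, not frequency, is what gets counted."""
    return set(TOKEN_RE.findall(text.lower()))

class AdaptiveJunkFilter:
    """Naive Bayes classifier trained one verdict at a time, the way clicking
    'Junk' / 'Not Junk' in a mail client trains its adaptive filter."""

    def __init__(self):
        self.junk_tokens, self.good_tokens = Counter(), Counter()
        self.junk_msgs, self.good_msgs = 0, 0

    def train(self, text, is_junk):
        """Record one user verdict: which tokens appeared in a junk or a good message."""
        if is_junk:
            self.junk_tokens.update(tokenize(text))
            self.junk_msgs += 1
        else:
            self.good_tokens.update(tokenize(text))
            self.good_msgs += 1

    def junk_probability(self, text):
        """Probability that `text` is junk: per-token likelihoods combined in log
        space with add-one smoothing, so an unseen word neither breaks nor dominates."""
        if self.junk_msgs == 0 or self.good_msgs == 0:
            return 0.5  # nothing learned yet: no opinion either way
        total = self.junk_msgs + self.good_msgs
        log_junk = math.log(self.junk_msgs / total)
        log_good = math.log(self.good_msgs / total)
        for tok in tokenize(text):
            log_junk += math.log((self.junk_tokens[tok] + 1) / (self.junk_msgs + 2))
            log_good += math.log((self.good_tokens[tok] + 1) / (self.good_msgs + 2))
        return 1.0 / (1.0 + math.exp(log_good - log_junk))  # log-odds -> probability

def demo_filter():
    """Filter trained on constructed messages standing in for a user's clicks."""
    f = AdaptiveJunkFilter()
    f.train("FREE prize! Claim your $1000 reward now", True)
    f.train("Cheap meds, buy now, free shipping", True)
    f.train("Meeting moved to 3pm, see agenda attached", False)
    f.train("Lunch tomorrow? Bring the quarterly report", False)
    return f
```

Marking a misclassified message moves its score the next time a similar one arrives, which is the "teaching" the post describes.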
Posted in Tutorial Tuesday by Anil Polat
May 22nd, 2009
You go to a website. You decide to sign up for a new account there. You’re taken to a screen where you meticulously enter your details, making sure you don’t leave out any required fields (or else you’ll have to retype your password… twice). And right before you are allowed to hit “Submit” you see the final challenge of registering for something online: a box with some strange symbols all jumbled up (possibly incomprehensible at first glance) with the instructions “type what’s in the box.”
It’s not a new scenario; in fact, it’s probably something most people have had to deal with online since Captcha really got kicked off in the late 90s. In general, a Captcha is a challenge-response test that is designed to make sure the user taking the test is actually a human. This is based on the assumption that humans are better at character recognition than machines. Indeed, the algorithms for optical character recognition (OCR) weren’t very good at figuring out Captchas when they were first introduced. Therefore, Captchas originally provided a good defense against spam robots or automated programs that wished to abuse features of online services that were designed or intended to be used only by real people.
But how useful is Captcha nowadays?
Posted in general by Nick Staples
May 21st, 2009
Pinging is an easy way to determine if communication is possible between two hosts, but sometimes you need more information than an ICMP echo request can provide. hping is a nifty command-line tool that allows you to use different protocols and the features of those protocols to test how a host will respond to different scenarios. It can be a strong ally for network analysts who want to find all the holes in their network before the bad guys do.
Posted in Technology & Tool Thursday by Mike Markiewicz
May 19th, 2009
The recent release of Acrobat 9.1 included a new feature that helps enable an organization to preserve records of validation information on signed documents. This new feature is called “Document Validation Information”, and using it is quite simple. (Note: this can only be performed in Acrobat 9.1 full, or Reader 9.1 using a Reader-Enabled document.)
The digital signature must be validated in the currently open document, as this feature is only available for valid signatures. In an open PDF document, right-click the digital signature (either in the document, or from the signature panel), and the following context menu is shown:

Click the Add Verification Information shortcut to embed the certificates and revocation objects used to validate the signature, and save the file. These objects are saved as unsigned objects appended to the PDF file. Now, when the document is opened, the embedded validation information can be used to check the signature, unless the user specifically configures Acrobat to ignore it.
In addition to being useful from a long term validation standpoint, this feature would also be beneficial in a bridge PKI environment. When a document is signed by one participant in a bridged PKI with the “Embed revocation information” option selected in Acrobat, only the certificates and CRLs/OCSP responses that chain up to the signer’s trust root are included. When this signature is verified by a member of another organization across the bridge, this is insufficient, as members of the bridged organizations typically do not explicitly trust the other’s root certificate. When the relying party embeds the document verification information, this will include the certificates and CRLs required to validate the signer’s certificate, through the bridge CA, and up to their own trust anchor.
Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!
Posted in Tutorial Tuesday by Walt Turnes
May 15th, 2009
Watch where you download software from. Windows 7 RC is available for free from Microsoft, but some people are getting their copies from BitTorrent or other download sites. Several pirated copies carry a trojan that is building a botnet. If you want to try Windows 7, get it through a legitimate source so that you know what you’re downloading.
I know Microsoft wants to keep track of everyone with a copy of the software, so they’re asking you to register with your Live ID. I personally think that they should make public the MD5/SHA1 hash of the download to help people avoid downloading a trojan.
Posted in general by Laura Raderman
May 7th, 2009
I’ve downloaded (but not yet installed) the Windows 7 release candidate, and I’ve been perusing the security features they’ve added to the OS. Two things that have caught my eye are the new BitLocker to Go feature and AppLocker.
BitLocker to Go adds the capability to encrypt a USB disk drive through the BitLocker interface, which will protect any sensitive data stored on the drive from falling into the wrong hands. (Of course, the data protection is only as strong as the password you use, so remember not to make it something easily figured out by someone who nabs your device.) Data loss via portable devices has always been problematic, and this is a pretty common-sense way to at least mitigate it. Read more about BitLocker to Go here: http://www.neowin.net/news/main/09/01/11/windows-7-bitlocker-to-go–biometric-improvements-overview
AppLocker is a new feature in Windows 7 for the enterprise that allows central management of which applications are allowed to run on domain machines. Microsoft summarizes AppLocker as “a flexible, easy-to-use mechanism that enables IT professionals to specify exactly what is allowed to run on user desktops.” (http://www.microsoft.com/windows/enterprise/products/applocker.aspx). A more in-depth look at AppLocker on the Windows security blog indicates that: “AppLocker works by intercepting kernel calls that try to create new processes or load libraries and making sure that the code in question has been allowed to execute.” (http://windowsteamblog.com/blogs/windowssecurity/archive/2009/04/20/windows-7-security-helping-enable-the-mobile-workforce.aspx). This seems to be based on defining rule sets, although I’m not sure what the nature of these rule sets is because I haven’t had a chance to toy with it yet.
In addition to helping lock down a desktop from users installing things intentionally, AppLocker also seems to be a good way to keep malware from being installed via drive-by downloads or other nefarious means. What I’ve read so far seems to be centered around enterprise management and group policy, so I hope that AppLocker can also be configured easily on my lone desktop at home.
Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!
Posted in Technology & Tool Thursday by Walt Turnes
May 5th, 2009
Firefox gives users the ability to easily log on to their favorite sites without having to re-enter their passwords every time. It does this by keeping an encrypted form of the passwords in a file usually called signons*.txt in the user’s Firefox profile folder. The key used to decrypt these passwords is stored in the same folder under the name key3.db (this file also stores other important information related to keys and encryption).
So, unless a user disables this ability, it is trivial for another user to either copy the signons*.txt and key3.db files to examine later, or simply display the passwords within Firefox and write them down (Tools->Options->Security->Saved passwords->Show passwords). This user could be anyone with access to the folder: an administrator, or even someone you let use your computer temporarily… like a nosy girlfriend who just keeps trying to go through your stuff when you go out of town. Even though you trust her with the keys to your place and the password to your computer so she can work on her report, she abuses the privilege and takes the first opportunity she can to snoop through your personal stuff… hypothetically speaking.
Enter the Master Password.
Firefox’s Master Password is just a password for a list of passwords. It essentially encrypts the key used to decrypt the saved passwords. This has the effect of adding security to Firefox’s option to “show” passwords as well as protecting against someone copying the signons*.txt and key3.db files.
Enabling this is easy:
1) In Firefox, go to Tools->Options and make sure the “Security” category is active
2) Check the “use a master password” option
3) It’ll ask you for a new password, so enter a good one that someone is unlikely to guess
4) Click “OK” and exit the Options menu
Now, if someone tries to “Show passwords” on you, you’ll have the “Enter master password” defense.
Of course, the safe alternative is disabling the ability in the first place: Tools->Options->Security->Uncheck remember passwords for sites. Secure, but highly inconvenient since it is a very useful feature.
Posted in Tutorial Tuesday by Nick Staples