For authentication, newer versions of Oracle (11g+) use a session agreement and key exchange scheme known as O5Logon. It has some of the same weaknesses of authentication as the O3Logon used in previous versions of Oracle. An example transcript of the default auth process: 1) Client connects to Server: 2) Client sends Username to Server 3) Server generates a ServerSessionID and encrypts it with AES. The key is the PasswordHash. It sends this encrypted ServerSessionID and the PasswordSalt to the Client 4) Client tries to generate a password hash using the PasswordSalt and the provided password. It decrypts the ServerSessionID using this ClientPasswordHash 5) Client generates a ClientSessionID and encrypts it with AES. The key is the ClientPasswordHash. It combines[…]

There’s no need to go and reinvent the wheel when coding. Many good developers will have a plethora of custom or public libraries of code to do all the functions they need. One area where this type of stockpiling code really shines is in security APIs. For the longest time I’d followed Microsoft’s Enterprise Library, specifically for its security namespace. Being a .NET developer primarily this was all good. But lately I’ve been branching out my coding endeavors, as well as watching the Microsoft Enterprise Library continue to grow; A little too large for my taste as of lately. This is where the OWASP ESAPI (Enterprise Security API) comes into play. It’s fairly lightweight, supports many languages, and is a[…]

A few months ago, I described how the Firefox add-on HttpFox could be used for basic traffic monitoring. Another helpful add-on that complements nicely with HttpFox is called HackBar. HackBar adds a toolbar underneath the main address bar that can be toggled on or off with the F9 key. When enabled, the toolbar provides a miniature console of sorts for various testing tasks. A resizable textbox gives you plenty of room for editing URIs, and you can also issue POST requests or spoof the referrer. Menus across the top of the bar provide common functions for working with different types of data, such as hash algorithms or encoding and decoding in Base64, URI format, and even hexadecimal. Using HackBar has[…]

I recently had a project to help spec out a DLP project for a customer from a high-level perspective. Having never done anything with DLP previously I embarked on a research mission. What I found was interesting. There’s not much out there on the intarwebs. As such, I thought I’d offer a few quick suggestions, just in case you want to go research solutions, too. Start with Securosis! Their reports are freely available, comprehensive, and more informative than anything else I found. Search for Gartner and Forrester reports. While these analyst firms charge for their reports, vendors will often post them for free. Specifically, try these search strings: “forrester wave content security suites” “gartner magic quadrant data loss prevention” Beware[…]

Many people have used OpenVPN for a simple and effective VPN solution, but did you know that you can use it for real two-factor VPN authentication? How you do that depends on the two-factor solution you are using. There is support for PKCS11 token stores, and Windows CAPI, with patches submitted for OS X’s Keychain. In order to get the OS X patch into the testing/stable branch of OpenVPN, it needs more testers though (please help!). So, if your token supports one of the above, and most do, you can use OpenVPN as a (relatively) inexpensive two-factor VPN. The tokens are still rather expensive however 🙁 To use the CAPI functionality, add cryptoapicert “thumbprint” to the client’s command line or[…]

For a while now, CAPICOM has been declared deprecated by Microsoft, as it is only implemented in 32-bit, with no plans to roll out a 64-bit version. Microsoft’s Official Recommendation for replacing CAPICOM is to “use the .NET Framework to implement security features”. This is a fine solution for desktop applications, server-side code, web services, and a whole host of other applications. However, there doesn’t seem to be any equivalent support for the functionality the CAPICOM ActiveX control enables within a browser. The client platform Microsoft wants you to use to run client code in the Browser is Silverlight, a browser add-on similar to Flash or ActiveX. Silverlight uses many of the .NET APIs; however, the support for the System.Security.Cryptography.X509Certificates[…]