General Musing

blaze your trail

Archive for the ‘security’ Category

OCSP Troubles #security #x509 #certificate #revoke

with one comment

A company was having intermittent trouble with their new authenticated SSL, it wasn’t that they experienced trouble with the certificates, which came from a large international CA, or the authentication. There was a bug which caused the OCSP check on some certificates to fail. And after it had failed the first time for a certificate it would continue to fail for that certificate until the application server had been restarted. As this was a mission critical application for their customers between 8am-6pm they had taken to restarting the servers at 7am to ensure that there would be less issues during the day. This was obviously not a permanent solution so the vendor was called to fix the issue.

Read the rest of this entry »

Written by Daniël W. Crompton (webhat)

June 23, 2011 at 7:05 am

OS registers to DNS #security #risk

leave a comment »


Recently on NANOG I saw the item below, I was thinking about what this actually means. A computer would – similar to DynDNS – register itself and it’s hostname to a DNS server using some kind of authentication. Naturally I immediately thought this was a brilliant plan, and didn’t understand why nobody, with the exception of DynDNS, had thought of this before. The immediate afterthought was that this would be easy to implement with a soft-token, which is the software equivalent of a physical token like RSA’s SecureID, or complicated to implement with PKI infrastructure.

From: Mark Andrews <>
Re: mailing list bounces

It will be much better when the OS’s just register themselves in
the DNS. Humans shouldn’t have to do this when a machine renumbers.
Named can already authenticate PTR updates based on using TCP and
the source address of the update. For A/AAAA records you setup a
cryptographically strong authentication first.

DynDNS uses username password, which is less secure than the cryptographically strong solution that Mark Andrews mentions below.

Image source: Bill McCurdy

Written by Daniël W. Crompton (webhat)

March 8, 2011 at 4:56 pm

Posted in mail, pki, security

Tagged with , , , ,

On Failing Gracefully #security #risk

with one comment

Failing gracefully is one of the most important things, whether it is your responsibility or not ultimately customers believe it is your responsibility to perform in extraordinarily difficult situations. Some companies forget this and force their view and ideas of the world on their customers, that’s one of the quickest ways to turn customers into ex-customers.

I was inspired when I was at a customer site checking my Google Reader and selected Little Gamers, which is considered profanity according to the content filter, and received the message below. I could see the item in Google Reader when I used https rather than http to access Google Reader, although the cartoon was obviously blocked due to the content filter.

This is a fine example of failing gracefully.

Image source: Jason Coleman

Written by Daniël W. Crompton (webhat)

February 15, 2011 at 9:25 am

Posted in business, risk, security

Tagged with , , ,

Proof of Concept: Overloading file operations with LD_PRELOAD

with 2 comments

Viaduct and sky 2, Scottish borders, 2010 - Viaduct and sky close to Melrose

In a discussion on Full Disclosure I added a reply which I would like to expand on here:

What I did for a project I was working on was I create a LD_PRELOAD library which overloaded the i/o operations and used gz and bz2. This could easily be adapted to overload with encryption library functions rather than compression libraries. You can also use this to keep the bash history in memory using a shared memory location.

What I did which inspired the message above was to replace a number of functions – including read, write and lseek – with custom functions. What the underlying custom code did was fingerprint – using the magic file – the file to discover which compression mechanism was being used for an existing file, and when creating a new file it would use the compression based on the value set in an environment variable. The file was never extracted to and only held in memory as these were mostly streamed to and from disk compressed, which means that with a little tweaking that these could include a stream cipher, provided the key is long enough to avoid stream cipher attacks.

For completeness I’ll add here that the code supported the formats listed below, and a number of other historic formats and others that I don’t recall:

  • gzip
  • bzip2
  • pkzip (deflate)
  • compress
  • lz

Somebody else’s LD_PRELOAD examples can be found here: LD_PRELOAD fun

Image source: John Davey

Written by Daniël W. Crompton (webhat)

February 8, 2011 at 12:39 pm

Forban: Local Opportunistic p2p #security

leave a comment »

Forban Logo

No, it’s not just another p2p/file sharing program. Forban is a local network p2p program, it’s meant for replicating ANY file to computers in the immediate proximity without requiring the Internet. As it is has a narrow focus on the local network it can also be used for Personal Area Networks consisting of laptop’s and mobile devices. I have yet to be able to install python on my digital camera, but I’m sure that this will be possible in the future.

It can be run in two modes, gossip and epidemic. Gossip mode, uses the gossip protocol to spread the files by disseminating the data the peer has to a random peer. Epidemic mode is similar to a real virus epidemic, spreading the files rapidly from one Forban server to another. Like any p2p network it requires that there are others running for it to communicate with, these can be intermittently connected to the network, whether it be a mobile device which comes into proximity of the LAN/PAN or a laptop.

It uses HTTP, and I doubt that adding authenticated HTTPS would be much of an issue once the PKI infrastructure is in place. This would make it ideal for rapidly sharing or backing up data without user interaction when you get to the office. And as it requires little user interaction, and with authenticated HTTPS this service can be left running in the background with minimal risk of the wrong people getting their hands on the data.

Forban is an old French word for pirate.

Written by Daniël W. Crompton (webhat)

February 1, 2011 at 10:28 pm

Posted in piracy, pki, security, technology

Tagged with ,

In Synch: Language Style Matching #security

with 3 comments

In Synch

I was forwarded the link to In Synch, a tool which will calculate the Language Style Matching for two pieces of text.

“[In Synch] determines the degree to which any two samples of language are similar in their language styles. It can be most helpful in analyzing two sides of the same conversation.”

All that is needed are two writing examples – instant messages, text chats, text messages, transcribed conversations or other writing samples – with a minimum of 50 words for each the language style can be analyzed and a score can be calculated. The scoring is from 0.50 – 1.00, so the closer you are to 1.00 the more in synch you are with the author.

Possible uses for this could be verification that a piece of written text is from an author. And in combination with text-to-speech and speech analysis this could lead to an additional factor which could be used in authentication.

Written by Daniël W. Crompton (webhat)

January 31, 2011 at 4:36 pm

Possible Akamai Troubles #dos #smurf

with one comment


Usually I probably wouldn’t have mentioned it, and it inspired me. Yesterday I heard that Akamai might have a bug which is causing DoS like situations for dialup customers. From the description of the payload and details of the occurrences it sounds like a smurf attack. Apparently the packet is TCP with a size round 1460 bytes, the seq and ack numbers are the same within an incident. I’ve seen reports of 4 ISPs that have this problem.

Usually I probably wouldn’t have mentioned this item, and it reminded me of a story I heard some years ago from a small Dutch ISP who would get people hassling the sysops on an irc channel, one of the sysops would log into the main border router of the ISP and run a ping flood against the luser knocking him of the Internet.

What do you think?

Image source: Nik Wilets

Written by Daniël W. Crompton (webhat)

January 21, 2011 at 2:40 pm

Posted in network, risk, security

Tagged with , ,

%d bloggers like this: