CoNetrix Blog

Password Manager Reviews

Posted on September 1, 2010 10:13 PM

We probably all have many accounts set up on many web sites.  Since it is a very bad practice to use the same password on more than one site, I have used Password Safe for years for keeping up with accounts and passwords.  I have recently switched to using Lastpass.  Lastpass has a very long list of features.  Here are a few of them:

  • Automatic form filling, like Roboform
  • One click login - click on the site, it brings it up and logs on for you
  • Synchronizes everywhere - Windows, Mac, Linux, IE, Firefox, Chrome, Safari, iPhone, iPad, Android, Blackberry, Windows Mobile, even Symbian and Palm
  • Generates strong, secure passwords
  • Stores miscellaneous notes

Another great feature is a stand-alone program called Pocket.  It downloads your entire database and saves it locally.  It will also decrypt the database and export it to a CSV file.  This means that if Lastpass ever goes away, you still have all your data, which can be accessed or imported into another password manager.

The best feature is how it stores your data.  Everything is encrypted and decrypted locally and the Lastpass servers never have your key or unencrypted data.  The encryption part of the software is very simple.  It just uses a SHA256 hash of your email address (account) and master password for the encryption key. Read More...

Whois records. Are they truthful?

Posted on August 26, 2010 2:41 PM

Recently, an unscrupulous individual was trying to set up a fake copy of one of our customers' sites, likely for a phishing scheme, on a server located in the Netherlands.  Upon examining the whois record, there was a contact listed as the admin with an address and phone number.  Upon calling the number, the individual who answered the phone of course knew nothing about the person who registered the website.  Other entries appeared to indicate that Yahoo was involved in the hosting.  However, the DNS records that actually make a website reachable point to name servers that usually belong to the web host provider, and those are the entries worth checking.  Below is a screen shot of the Whois results (with some of the information removed). Read More...

'C' Is For Cookie, Not Confidentiality

Posted on July 29, 2010 8:44 AM

Most people know about the cookies that internet browsers use to store information.  It's easy to configure browser settings to not allow cookies, to only allow trusted cookies, and to delete cookies when exiting the browser.  What slips under the radar are Local Shared Objects (LSOs), also known as super-cookies or Flash cookies.

LSOs use Flash technology to store more information than regular cookies.  In addition, LSOs can be used to recreate, or respawn, deleted cookies.  According to UC Berkeley researchers, more than half of the internet's top websites use a little-known capability of Adobe's Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash cookies in their privacy policies.

To control these Flash cookies, you have to use the controls on Adobe's site.  According to Wikipedia, "Users can only opt-out of Local Shared Objects globally by using the Global Storage Settings panel of the online Settings Manager at Adobe's website. Users can also opt-out of them on a per-site basis by right-clicking the Flash player and selecting 'Settings'.  Adobe's online-only Website Storage Settings panel was created to let users view and delete LSOs on a per-domain basis. It is also possible to completely disallow LSOs from a specific domain by setting the storage space to "0 KB", however, although no data is stored, empty directories with the name of the domain are nonetheless created. Add-on extensions that allow the user to view and delete LSOs have also been created for the Firefox Web browser, e.g. BetterPrivacy."

Implement Equipment Recovery Checklists

Posted on June 29, 2010 8:14 AM

Recently an information security audit customer of ours lost a backup domain controller and contacted their network vendor to rebuild the machine.  The bank thought everything was in order until three months later, when they were audited.  The audit discovered that the old backup domain controller had not been rebuilt as a backup domain controller and that no antivirus software had been installed.  When the bank contacted their network vendor, the bank was told there were some issues the vendor "meant to get back to".  Regardless of the errors assigning roles for the domain controller, the vendor still should have installed antivirus and the other applications requested by the bank.

The reason why steps were missed? Read More...

Gotcha Installing/Updating PGP on a Mac

Posted on June 24, 2010 8:45 AM

I had recently upgraded a Mac user to the v10 PGP client and registered them with the bank's PGP Universal Server.  Everything seemed to work fine, but the user later discovered that PGP would prevent them from shutting down their machine if their iPod was attached.  Other devices didn't seem to affect the shutdown process.  I did some research and found this was a known issue.  The fix was to simply update the client from v10.0.0 to v10.0.2.  Obtaining the v10.0.2 update proved to be trickier than expected, but with a coworker's help I was able to download the update and put it on my USB thumb drive.  With update in hand, I strolled over to the bank and quickly installed the update off my USB drive (assuring the customer this simple procedure would fix their problem).  When the computer rebooted, I pulled my thumb drive out and waited for the PGP screen to come up.  When it did, I had the customer enter their PGP Whole Disk passphrase.  After a couple of failed tries, PGP accepted the password and began to load OS X.  Then, the OS crashed!

The user told me that happens sometimes after he misses his PGP password, so he simply restarted and tried again, this time putting the password in correctly the first time.  It ended the same way, however.  At this point, the room became very hot and I started to sweat profusely.  I was sure I had just trashed this guy's machine by applying this simple update.  I'm sure he was starting to think the same thing too.  I sat down at his machine, wondering what in the world my next step was going to be, and then it hit me.  "I wonder if PGP needs something off the installation media (my USB drive) to update the boot process?"  I shut down the machine, plugged my USB drive back in and powered it back on.  I logged in to the PGP screen, the OS started to load...loading....loading....loading... OS X login screen!  Suddenly, the temperature in the room dropped drastically.  I had the user log in, I removed my USB drive and rebooted again.  Everything came up perfectly.... much to my relief. Read More...

Problems With "Enumerate Trusted Domains" Setting in LANguard

Posted on June 24, 2010 8:41 AM

During a recent audit, Larry and I wrestled with LANguard for the better part of two days trying to figure out why LANguard would freeze during network scanning.  There were several potential culprits including a VLAN setting on the port I was using, a “switch” (which looked just like a little 4 port hub) the company had set up to allow me to use two laptops, etc.  I tried scanning from my laptop, from my VM, from the other laptop, skipping the “switch”, etc.  Finally, I set LANguard to a single thread and noted the scan stopped at the “Enumerate Trusted Domains” step.  The company had two domains, something we don’t often encounter.  I disabled this item in the scanning profile and, presto, the scan ran.  To eliminate any other variables, I turned “Enumerate Trusted Domains” back on and it stalled again.

PGP Passphrases Hang Around Like Stray Cats

Posted on June 18, 2010 8:27 AM

I installed PGP on my new laptop and after the reboot I got the PGP prompt for my passphrase.  This was a new laptop and was not yet encrypted, so I was a little confused about where it got a passphrase, since I had been using BitLocker on my old laptop.  Then, logging into the PGP Universal Server, I remembered I had used PGP to encrypt a different laptop while we were testing.  PGP carried over the old passphrase, and of course since it was installed on a test laptop I didn't remember (or record) the passphrase I used.  I removed my user and computer entries in PGP and was able to install and encrypt after wiping the partition table and reinstalling from the factory default image.

Secunia Personal Software Inspector

Posted on June 15, 2010 8:09 AM

Secunia is one of the many security firms who maintain teams of researchers looking for vulnerabilities in software applications.  I have seen their name credited on several vulnerability notices from CERT and SANS.  They offer a software vulnerability tool called Secunia Personal Software Inspector that is free for personal use.  It scans your system looking for all executable files and then compares them to Secunia's database of current software versions and known vulnerabilities.  I have used it on a couple of systems that I believed to be current and found at least half a dozen out-of-date or vulnerable apps.  Apart from the security benefits, it can also be an easy way to see if there are new releases for any of your software.  For example, Secunia PSI informed me that a new version of Wireshark was available for my home computer even though it didn't find any security vulnerabilities for the version I was using.  This can be much easier than individually opening each app and clicking on "check for updates", or even worse, having to go to the app's website to see if a new version is available.

Props for Cisco's AnyConnect VPN Client

Posted on June 5, 2010 10:19 PM

During an audit this week, I had the chance to test the Cisco AnyConnect VPN client from a VPN-hostile network.  The bank has implemented multiple layers of Internet filtering including web content filtering, outbound port filtering, and inbound IP address/port filtering.  As expected, the old Cisco IPSEC VPN client could not connect.  The AnyConnect client, however, connected on the first try without having to ask the bank to modify any of their access controls.

FYI, the AnyConnect client dynamically determines if it can also use a Datagram Transport Layer Security (DTLS) tunnel via UDP in addition to the SSL tunnel.  If the DTLS tunnel connects and is “healthy” the client will use both the SSL and DTLS tunnels to transmit data.  If the DTLS tunnel cannot connect or is unreliable, the client will dynamically switch to using only the SSL tunnel.  You can read more about it on Cisco’s AnyConnect FAQ page.

Cloned PCs Not Showing in SEP Console

Posted on April 7, 2010 10:18 PM

Symantec Endpoint Protection clients that have been cloned and rolled out for production may be misconfigured.  I recently found out that Sysprep does not remove the hardware ID for SEP, which prevents the client from appearing in the SEP console properly.  Since all the systems will have the same hardware ID, as each one checks in it will replace the previous system that checked in.  The clients will still receive updates, but the console will not allow you to track all the clients.  To fix the problem, a new hardware ID for Symantec must be created. Read More...

Only Open PDF Files from Trusted Sources

Posted on April 1, 2010 9:43 AM

I think we all know better than to download executable programs (.exe's) from untrusted sources and run them.  Opening a Word document from an untrusted source could be dangerous.  Now, even opening a PDF file on a fully patched Windows machine with excellent, up-to-date anti-virus and anti-malware software could cause your machine to get owned.

Didier Stevens, who has written some great PDF analysis tools, published a disturbing blog post the other day.  He demonstrates how to use an existing feature of the PDF format to execute a program on someone's computer when they open the document.  Adobe Acrobat Reader displays a message first, but the message can be changed to social engineer someone into clicking the Open button on the message.  And my favorite PDF reader, Foxit, does not even display this message.  Disabling JavaScript does not help. Read More...

SEP Upgrade Caused Server to be Unavailable

Posted on March 30, 2010 8:03 AM

I recently upgraded a Windows server to the latest version of Symantec Endpoint Protection, and the server was no longer accessible on the network after the upgrade.  The server would not respond to network requests even though the console was working.  It turned out the full SEP feature set had been installed, including the SEP firewall.  Additionally, a firewall policy was now being applied to the server.  This caused the SEP firewall to isolate the server from the network.

To fix the problem I uninstalled Endpoint Protection and reinstalled it without the firewall feature set.  I also applied a firewall policy just in case the firewall feature is installed on that server again.  My suggestion is to modify the SEP installation document so that a firewall policy is not applied to servers.