Blog: Security and Compliance

Running host-based anti-malware software is a very good idea, but sometimes things can slip through.  You can't trust an infected machine to tell you whether it's infected or not.  Microsoft has System Sweeper, which boots from separate media and will scan a Windows machine offline.  There is one version for 32-bit Windows and one for 64-bit Windows.
 
https://connect.microsoft.com/systemsweeper
 
Kaspersky Labs has a Rescue Disk that will also scan a Windows machine offline.
 
https://support.kaspersky.com/faq/?qid=208282173
                                                           
If malware is discovered I would recommend rebuilding the system and restoring the data.  In my opinion, these tools should be used periodically to determine to some extent that a system is malware-free.  Of course, it is a judgment call, depending on what is found.

 

When enabling whole disk encryption, be sure to save the recovery key somewhere other than the laptop itself.  I recently upgraded to Mac OS X 10.7 (aka "Lion") and enabled the new whole disk encryption feature which is now part of FileVault.  Before encryption begins it provides the recovery key, but it's up to you to save it offline (there is no USB flash drive option).  Thankfully I did this, because when I rebooted it prompted me for local admin credentials, which of course I had changed and didn't remember.  Without the recovery key saved on my home network I would have been in big trouble.


 

The Google Chrome OS is just the Chrome browser running on a thin OS.  So extensions are like applications installed on other operating systems.  They have much more power than Firefox plugins.  Extensions are not reviewed, just removed when people complain.  Many extensions have cross-site scripting vulnerabilities, enabling one extension to read and write information in other tabs.  For example, an extension could inject JavaScript into the tab for your online banking and have it collect and send your credentials to the attacker.  It could even show you the old figures so that you don’t even know that all your money was transferred out of your account.

This information is from a session I attended at Black Hat called Hacking Google Chrome OS presented by Matt Johansen and Kyle Osborn of WhiteHat Security.


 

This is sort of a follow up to a post about the Firefox addon Certificate Patrol.  The addon Perspectives also helps watch out for certificate related problems.  When you go to a secure web site, Perspectives can (with a click or automatically) check with several “notaries” scattered around the world and tell you whether they are getting the same certificate from that site as you are.  Read http://perspectives-project.org/ for more details.  Here is a link to the Firefox addon: https://addons.mozilla.org/en-US/firefox/addon/perspectives.  There is also an Alpha, very experimental Chrome addon https://chrome.google.com/webstore/detail/lnppfgdnjafeikakadfopejdpglpiahn.

This project is out of Carnegie Mellon University.  The notary server is open source, so anyone can run their own servers.  By default, the plugin uses several servers that seem to be run by the Massachusetts Institute of Technology.
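The check Perspectives performs boils down to comparing the certificate fingerprint your browser received against what several independent vantage points received from the same site. The script below is an added example of that comparison, not code from the Perspectives project; the notary names and fingerprints are constructed sample data, and the quorum threshold is an assumption rather than the project's own policy.

```powershell
# Added example (not from the Perspectives project): a minimal multi-notary agreement check.
# Notary names and fingerprints below are constructed sample data, not real notary results.

function Test-NotaryAgreement {
    param(
        [Parameter(Mandatory=$true)] [string]    $LocalFingerprint,  # fingerprint the browser was shown
        [Parameter(Mandatory=$true)] [hashtable] $NotaryReports,     # notary name -> fingerprint it observed
        [int] $Quorum = 3                                             # notaries that must agree with the local view (assumed)
    )
    # Normalize "AB:CD:..." / "ab cd ..." forms so string comparison is reliable
    $normalize = { param($f) ($f -replace '[:\s]', '').ToUpperInvariant() }
    $local = & $normalize $LocalFingerprint

    $agree = @()
    $disagree = @()
    foreach ($name in $NotaryReports.Keys) {
        if ((& $normalize $NotaryReports[$name]) -eq $local) { $agree += $name } else { $disagree += $name }
    }

    New-Object PSObject -Property @{
        LocalFingerprint = $local
        Agreeing         = $agree
        Disagreeing      = $disagree
        Trusted          = ($agree.Count -ge $Quorum)
    }
}

# Constructed sample: what this client saw versus what four notaries saw for the same host.
$seenByMe = 'AA:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'
$reports = @{
    'notary-1' = 'AA:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'
    'notary-2' = 'AA:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'
    'notary-3' = 'AA:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'
    'notary-4' = 'FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'   # one outlier
}

$result = Test-NotaryAgreement -LocalFingerprint $seenByMe -NotaryReports $reports -Quorum 3
$result | Format-List LocalFingerprint, Agreeing, Disagreeing, Trusted
if (-not $result.Trusted) {
    Write-Warning "Certificate differs from what $($result.Disagreeing -join ', ') observed."
}
```

With the sample data three of four notaries agree, so the quorum is met and `Trusted` is `$true`. A single disagreeing notary can mean the site is behind a load balancer with several certificates or that the certificate was just rolled over, which is why Perspectives also looks at how long each notary has been seeing a given key; a local view that no notary shares is the case worth stopping on.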


 

I was having some problems with my laptop's Bluetooth radio turning itself off when I rebooted without powering off. I found an online posting indicating that resetting the BIOS to defaults would fix the problem. I went into the BIOS setup, reset it, and then rebooted. However, that changed the system enough to make BitLocker ask for the recovery key. I put in the recovery key, then suspended BitLocker on the C drive after Windows came up (as the BitLocker message instructed). I then resumed BitLocker and it seemed to work after another reboot.

However, when I rebooted the laptop at home later that day, BitLocker asked for the recovery key again. I found another Microsoft support entry that indicated the problem might be that the boot order had changed. That made sense because my configuration at home involved an external USB device that wasn't connected at the office.

I suspended BitLocker, then rebooted and went into the BIOS setup and made sure the first (and only, in this case) boot device listed was my C drive.

After rebooting, I resumed BitLocker protection and haven't had a problem since.


 

When installing or making changes to the Symantec Endpoint Protection client, be aware that the SEP firewall policy can cause Windows Firewall to 'reset' or change its configuration.  I've seen several versions of the Windows OS change to an active firewall config with no exceptions under the following two conditions:

  • SEP client with an enabled, default firewall policy is installed for the first time
  • Existing SEP client has its applied firewall policy withdrawn

This has been seen with several 11.0.6x builds of SEP, although it may be applicable to other builds as well.  This occurs even though the SEP firewall module (Network Threat Protection) is not installed.  When a Windows desktop has its firewall enabled with no exceptions and there is no Group Policy in place to re-apply a previous config, it may become unreachable remotely via any protocol, while at the same time the user may notice no change and continue working normally.  If the Windows client happens to be a server, all connectivity to that server may be lost, except via the console.

I suggest rolling out new SEP clients after the firewall policy in that group has already been withdrawn.  For existing clients where the firewall policy needs to be withdrawn or disabled (i.e. overriding the Win7 firewall config), test a small subset of clients in a separate group before making the change to normal production groups.
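Because the affected host keeps working normally for the person sitting at it, the lock-out is easiest to catch by comparing the Windows Firewall state before and after the SEP change. The script below is an added example for that test group, not Symantec's or Microsoft's tooling: it exports the firewall configuration with `netsh advfirewall export` as a rollback point, reads each profile's state through the `HNetCfg.FwPolicy2` COM interface, and flags any profile that went from reachable to "enabled with no inbound exceptions". The backup path is an assumption; run it from an elevated PowerShell session on the pilot clients.

```powershell
# Added example (not Symantec's or Microsoft's script): snapshot and re-check Windows Firewall
# around a SEP client install or firewall-policy withdrawal. Run elevated.

$backup = 'C:\Admin\firewall-before-sep.wfw'   # assumed backup location for the rollback file

function Get-FirewallProfileState {
    # HNetCfg.FwPolicy2 is the COM interface behind "Windows Firewall with Advanced Security"
    $policy   = New-Object -ComObject HNetCfg.FwPolicy2
    $profiles = @{ Domain = 1; Private = 2; Public = 4 }     # NET_FW_PROFILE_TYPE2 values
    foreach ($name in $profiles.Keys) {
        $type = $profiles[$name]
        # "Exceptions" are enabled inbound allow rules (Direction 1 = in, Action 1 = allow)
        # whose profile mask includes this profile.
        $exceptions = @($policy.Rules | Where-Object {
            $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and ($_.Profiles -band $type)
        }).Count
        New-Object PSObject -Property @{
            Profile           = $name
            FirewallEnabled   = $policy.FirewallEnabled($type)
            BlockAllInbound   = $policy.BlockAllInboundTraffic($type)   # "block all incoming, ignore exceptions"
            InboundExceptions = $exceptions
        }
    }
}

function Test-LockedOut {
    # True when the profile is on and nothing inbound can get through
    param($State)
    return ($State.FirewallEnabled -and ($State.BlockAllInbound -or $State.InboundExceptions -eq 0))
}

# 1. Snapshot before touching the SEP client or its policy
& netsh advfirewall export $backup | Out-Null
$before = @(Get-FirewallProfileState)

# ... install the SEP client or withdraw the firewall policy here, then continue ...

# 2. Re-check afterwards and report profiles that changed into the unreachable state
$after = @(Get-FirewallProfileState)
foreach ($p in $after) {
    $was = $before | Where-Object { $_.Profile -eq $p.Profile }
    if ((Test-LockedOut $p) -and -not (Test-LockedOut $was)) {
        Write-Warning ("{0} profile now blocks all inbound traffic; restore with: netsh advfirewall import `"{1}`"" -f $p.Profile, $backup)
    }
}
$after | Format-Table Profile, FirewallEnabled, BlockAllInbound, InboundExceptions -AutoSize
```

Keep the exported `.wfw` file somewhere reachable by other means (a share, or on the console login), since on a server that has already flipped into this state the only way left to run `netsh advfirewall import` may be the console the post mentions.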


 

A couple months ago, I had a user who was having problems with the RSA SecurID App on the iPhone.  For some reason, his PIN was not hidden after he typed it in.  I found out there is a small “i” in the bottom right hand corner of the app, and if you open it up, there is a little slide-bar that you can move to hide/unhide the PIN.


 

This approach is certainly not for everyone, but here is what I have done to mitigate the problem with so many certificate authorities out there.  The Comodo breach of March 2011, for example, allowed some bad guys to use a registration authority to generate valid certificates for Google, Yahoo, Skype, etc.  There are companies that sell boxes with software that will generate valid certificates on the fly for every secure web site you visit in order to be able to observe your traffic.  With so many CAs, the risk of misuse has increased.  These comments mainly apply to Windows.

I think it was during May 2010 that I edited the trust level on the root CA certificates in Firefox to only trust about 10 of them.  I think I have had to trust maybe two more since then.  I started with the list at http://netsekure.org/2010/05/results-after-30-days-of-almost-no-trusted-cas.  There are several links on this page that explain a lot about how Windows handles certificates.  This is one of the major reasons I use Firefox instead of IE.

To change the trust level of certificates in Firefox, go to Options, select the Encryption tab, and then the View Certificates button.  This brings up the Certificate Manager window.  The Authorities tab in the Certificate Manager window is where all the CAs are listed.  Select each certificate and then select the Edit Trust button at the bottom.  This is where you can disable trusting each CA’s certificate.

I also run the Firefox Addon Certificate Patrol which saves every certificate and warns me if a certificate has changed.  The primary blogger with the Tor Project, phobos (I don’t know the real name), suggests being your own certificate authority in a manual sort of way and not trusting any external certificate authorities (https://blog.torproject.org/blog/life-without-ca). I decided not to go that far.

If you prefer another browser such as Google Chrome or Internet Explorer, the procedure will be different.   Chrome and IE use the Windows certificate store, so you will have to delete the certificates that you do not want to trust.  Opera has its own store, but operates like Windows, downloading additional root certificates behind your back.  You may be able to preload these and remove the trust, but I have not taken the time to look into this.  I know nothing about how Safari handles certificates.

As I mentioned at the beginning of the article, this approach is not for everyone.  However, for technical users with a little patience, you can greatly reduce the likelihood that you'll fall victim to a spoofed SSL certificate.
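For the Chrome and IE case, where the Windows certificate store is what counts, the first step is knowing what is in it. The script below is an added example (not from the netsekure article or from Microsoft) that lists every root in the machine and user Root stores that is not on a short allow list of thumbprints, so you can decide which ones to remove. The thumbprints shown are placeholders, not real CA values; substitute the ones for the roots you chose to keep.

```powershell
# Added example: audit the Windows root stores against an allow list of CA thumbprints.
# The thumbprints are PLACEHOLDERS, not real CA values; replace them with your own choices.

$keepThumbprints = @(
    'THUMBPRINT-OF-ROOT-CA-1-PLACEHOLDER',
    'THUMBPRINT-OF-ROOT-CA-2-PLACEHOLDER'
)

function Get-UntrustedRootCandidates {
    param(
        [string[]] $Keep,
        [string[]] $Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    # Build a lookup of normalized thumbprints (the Cert: provider reports them as uppercase hex)
    $keepSet = @{}
    foreach ($t in $Keep) { $keepSet[($t -replace '\s', '').ToUpperInvariant()] = $true }

    foreach ($store in $Stores) {
        Get-ChildItem $store |
            Where-Object { -not $keepSet.ContainsKey($_.Thumbprint.ToUpperInvariant()) } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

# Report only; removing a root is a separate, deliberate step per certificate.
Get-UntrustedRootCandidates -Keep $keepThumbprints |
    Sort-Object Store, Subject |
    Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
```

The report is deliberately not a delete loop: a root you remove from the Root store can come back the next time Windows fetches it through automatic root updates, which is the "behind your back" behaviour the post describes and the netsekure links cover in detail. Run the audit again after a few weeks to see which roots reappeared before deciding how far to go.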


 

I’ve recently been migrating to a Windows 7 laptop using BitLocker for full disk encryption.  Many of my co-workers have extensive experience with BitLocker, but I’ve had a desktop for a couple years and before that my laptop used GuardianEdge Encryption Anywhere.  This is my first experience with BitLocker.  To access the BitLocker Manager application go to Start -> Control Panel -> System and Security -> BitLocker Drive Encryption.  That interface is pretty much limited to allowing you to turn BitLocker on/off, suspend protection, save or print a recovery key, and reset your PIN for each of your drives.

I found the “manage-bde.exe” command line utility is also useful in addition to the GUI.  The “bde” in the application’s name stands for “BitLocker Disk Encryption” and knowing that makes it easier to remember the name.  I like running “manage-bde.exe -status” because it displays more details like the conversion status, percentage encrypted, and encryption method.  The manage-bde.exe documentation can be found at http://technet.microsoft.com/en-us/library/dd875513(WS.10).aspx.

There are also two other command-line tools available.  Repair-bde.exe can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted using BitLocker.  This would be useful if your system has a hard disk failure or if Windows exits unexpectedly.   Bdehdcfg.exe is used to prepare a drive with the partitions necessary for BitLocker Drive Encryption.  In most cases you will not need this tool because the BitLocker setup includes the ability to prepare and repartition drives as required.  The documentation for these two tools can be found at http://technet.microsoft.com/en-us/library/ee706528(WS.10).aspx and http://technet.microsoft.com/en-us/library/ee732026(WS.10).aspx respectively.

A co-worker pointed out another BitLocker tip to me.  Typically, if you make any BIOS upgrades you should suspend BitLocker, do the upgrade, and then resume BitLocker.  If you forget to do these steps the PC will constantly boot into BitLocker recovery mode.  Suspending and resuming BitLocker after the BIOS upgrade appears to reset BitLocker so it boots normally.
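The suspend / change firmware / resume sequence, both in the BIOS-reset and boot-order story earlier on this page and in the BIOS-upgrade tip above, can be scripted around `manage-bde.exe` so that the status check comes first and you do not reboot into the BIOS with protection still on. The script below is an added example, not Microsoft's own tooling; it parses the `-status` output the post mentions into an object, refuses to proceed unless the drive is fully encrypted, suspends protection with `manage-bde -protectors -disable`, and verifies that protection really shows as off. The drive letter is an assumption, and the script must run from an elevated PowerShell session.

```powershell
# Added example (not Microsoft's script): check BitLocker status, suspend protection before a
# BIOS or boot-order change, and confirm it is actually suspended. Run elevated.

$drive = 'C:'   # assumed system drive

function Get-BitLockerState {
    param([string] $MountPoint)
    # Capture "manage-bde -status <drive>" and pull out the lines the post refers to
    $text = & manage-bde.exe -status $MountPoint 2>&1 | Out-String
    $field = {
        param($label)
        if ($text -match "(?m)^\s*$([regex]::Escape($label)):\s*(.+?)\s*$") { $matches[1] } else { $null }
    }
    New-Object PSObject -Property @{
        MountPoint       = $MountPoint
        ConversionStatus = & $field 'Conversion Status'
        PercentEncrypted = & $field 'Percentage Encrypted'
        EncryptionMethod = & $field 'Encryption Method'
        ProtectionStatus = & $field 'Protection Status'     # "Protection On" / "Protection Off"
    }
}

$before = Get-BitLockerState $drive
$before | Format-List MountPoint, ConversionStatus, PercentEncrypted, EncryptionMethod, ProtectionStatus

# Changing firmware while conversion is still running is asking for a recovery prompt
if ($before.ConversionStatus -ne 'Fully Encrypted') {
    throw "Wait for encryption to finish before changing firmware settings (status: $($before.ConversionStatus))."
}

# 1. Suspend protection. On Windows 7 this stays suspended until -enable is run,
#    so the next boot will not re-measure the firmware against the sealed TPM key.
& manage-bde.exe -protectors -disable $drive
if ((Get-BitLockerState $drive).ProtectionStatus -notmatch 'Off') {
    throw 'Protection is still on; do not change the BIOS yet.'
}

# 2. Hand back to the operator for the part that cannot be scripted.
Write-Host "Protection suspended. Make the BIOS or boot-order change, reboot into Windows, then run:"
Write-Host "    manage-bde.exe -protectors -enable $drive"
Write-Host "and confirm with manage-bde.exe -status $drive that Protection Status is back to On."
```

The script stops on purpose after suspending, since the firmware change and reboot happen outside Windows; the `-protectors -enable` call is the resume step the post describes, and checking `-status` afterwards is what confirms the machine will not keep booting into recovery.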


 

When performing a migration from ISA 2000 to Forefront TMG, I set up the perimeter networks as part of the “perimeter” network object.  I ran into a problem when I went to create server publishing rules. They did not work.  I had to remove the subnets from the perimeter group so that the network interface would show up as part of the “external” network object.  Once the addresses on the outside interface were in the “external” network object, I was able to successfully create server publishing rules.
 
Also, Forefront TMG now allows the published port to be different from the port on the internal server.  This is useful when creating publishing rules for multiple RDP servers, for example.