Blog: Security and Compliance

Download and run the Cygwin installer from their web site: www.cygwin.com.  OpenSSL is not one of that packages that gets installed by default with Cygwin.  The important part of install is choosing OpenSSL as one of the packages you install, because that package is not selected by default.  You do this by searching for "openssl" on the "Select Packages" step, expanding "Net" option, clicking on the "Skip" image so that a version shows, and clicking the "Next" button.  Use the image below as a reference. [more] 

We probably all have many accounts set up on many web sites.  Since it is a very bad practice to use the same password on more that one site,  I have used Password Safe for years for keeping up with accounts and passwords.  I have recently switched to using Lastpass.  Lastpass has a very long list of features.  Here are a few of the features:

• Automatic form filling, like Roboform
• One click login - click on the site, it brings it up and logs on for you
• Synchronizes everywhere - Windows, Mac, Linux, IE, Firefox, Chrome, Safari, iPhone, iPad, Android, Blackberry, Windows Mobile, even Symbian and Palm
• Generates strong, secure passwords
• Stores miscellaneous notes

Another great feature is a program called pocket.  This stand alone program will download your entire database and save it locally.  It will also decrypt it and export it to a CSV file.  This means if Lastpass ever goes away, you still have all your data which can be accessed or imported into another password manager.

The best feature is how it stores your data.  Everything is encrypted and decrypted locally and the Lastpass servers never have your key or unencrypted data.  The encryption part of the software is very simple.  It just uses a SHA256 hash of your email address (account) and master password for the encryption key. [more]

This is all free, except the mobile versions require a premium account which costs $12 per year.  There is a 14 day free trial of the mobile versions.

In an attempt to be fair, here are some other password managers.  You may prefer one of these over LastPass, which is what I use and recommend.  I used Password Safe for many years, but it is not multi-platform and there is no synchronization between machines.  KeePass is another nice one, but I have never used it.  Both of these are open source on sourceforge.

Here is a list of some online password managers, with some brief comments about why I did not choose each one (except for the AGPL license).  My "online only" comment means you must access the web site in order to use the passwords stored there.

• www.agatra.com (no longer supported)
• www.needmypassword.com (web site out of date, misspellings and grammatical errors, online only)
• www.passlet.com (cert expired, beta software, online only)
• www.passpack.com (designed for sharing passwords, subscription priced on number of passwords and shared users, online only)
• www.spyshakers.com (mainly designed for privacy, requires more setup, online only)
• www.shibbo.com (either online only or purchase a portable app, does not seem to be maintained - web site from May 2007 said software on usb pendrive "soon available!" and it still says that today, based in Spain, web site not tls encrypted)
• www.clipperz.com (online only, seems to beta, main web site not tls encrypted, most of the source is AGPL v3)

Recently, an unscrupulous individual was trying to setup a fake copy of one of our customers for what was likely a phishing scheme on a server located in Netherlands.  Upon examining the whois record, there was a contact listed as the admin with an address and phone number.  Upon calling the number the individual that answered the phone of course knew nothing about the person that registered the website.  Other entries appeared to indicate that Yahoo was involved in the hosting.  However, in order to actually connect to the website, the DNS records are registered with name servers that are usually from the webhost provider. Below is a screen shot of the Whois results (with some of the information removed). [more]

After querying the name server’s DNS for citibo.com, it was clear that these servers were pointing back to a server named hosting1-nl.santrex.net.  Santrex.net showed to have hosting servers located in Netherlands.  A trouble ticket was created for abuse on the santrex.net website, and a few hours later, the webhost provider suspended the account.  While we were still waiting for the FBI to get back with us, it was really helpful to contact the webhost provider, and get the website taken down.

Most people know about the cookies that internet browsers use to store information.  It's easy to configure browser settings to not allow cookies, only allow trusted cookies, and to delete cookies when exiting the browser.  What slips around the radar are Local Stored Objects (LSO), also known as super-cookies or Flash cookies.

LSO’s use Flash technology to store more information than regular cookies.  In addition, LSO’s can be used to recreate, or respawn, deleted cookies.  More than half of the internet’s top websites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies according to UC Berkeley researchers.

To control these Flash cookies, you have to use the controls on Adobe’s site.  According to Wikipedia,  “Users can only opt-out of Local Shared Objects globally by using the Global Storage Settings panel of the online Settings Manager at Adobe's website. Users can also opt-out of them on a per-site basis by right-clicking the Flash player and selecting 'Settings'.  Adobe's online-only Website Storage Settings panel was created to let users view and delete LSOs on a per-domain basis. It is also possible to completely disallow LSOs from a specific domain by setting the storage space to "0 KB", however, although no data is stored, empty directories with the name of the domain are nonetheless created. Add-onextensions that allow the user to view and delete LSOs have also been created for the Firefox Web browser, e.g. BetterPrivacy.”

Recently an information security audit customer of ours lost a backup domain controller and contacted their network vendor to rebuild the machine.  The bank thought everything was in order until three months later when they were audited.  The audit discovered the old backup domain controller had not been rebuilt to be a backup domain controller again as well as no antivirus software was installed.   When the bank contacted their network vendor, the bank was told there were some issues the vendor "meant to get back to".  Regardless of errors assigning roles for the domain controller, the vendor still should have installed antivirus and other applications requested by the bank. 

The reason why steps were missed? [more] No equipment recovery checklists had been created in the bank's Business Continuity Plan (BCP) so the vendor didn’t have a detailed list of steps to take in order to recover.  This can lead to both lost time and missed steps when rebuilding equipment.  Ensure equipment recovery lists exist for critical components of your infrastructure.

I had recently upgraded a Mac user to the v10 PGP client and registered them with the bank's PGP Universal Server.  Everything seemed to work fine, but the user later discovered that PGP would prevent them from shutting down their machine if their iPod was attached.  Other devices didn't seem to affect the shutdown process.  I did some research and found this was a known issue.  The fix was to simply update the client from v10.0.0 to v10.0.2.  Obtaining the v10.0.2 update proved to be trickier than expected, but with a coworker's help I was able to download the update and put it on my USB thumb drive.  With update in hand, I strolled over to the bank and quickly installed the update off my USB drive (ensuring the customer this simple procedure would fix their problem).  When the computer rebooted, I pulled my thumb drive out and waited for the PGP screen to come up.  When it did, I had the customer enter their PGP Wholedisk passphrase.  After a couple of failed tries, PGP accepted the password and began to load OSX.  Then, the OS crashed! 

The user told me that happens sometimes after he misses his PGP password, so he simply restarted and tried again, this time putting the password in correctly the first time.  It ended the same way however.  At this point, the room became very hot and I started to sweat profusely.  I was sure I had just trashed this guys' machine by applying this simple update.  I'm sure he was starting to think the same thing too.  I sat down at his machine, wondering what in the world my next step was going to be, and then it hit me.  "I wonder if PGP needs something off the installation media (my USB drive) to update the boot process?"  I shut down the machine, plugged my USB drive back in and powered it back on.  I logged in to the PGP screen, the OS started to load...loading....loading....loading... OSX login screen!  Suddenly, the temperature in the room dropped drastically.  I had the user log in, I removed my USB drive and rebooted again.  Everything came up perfectly.... much to my relief. [more]

One other note about PGP and OSX upgrades...
In some cases, PGP will modify the system partition table enough that OSX upgrades (in my case, Leopard to Snow Leopard) won't be able to identify the currently installed OS.  This makes doing an in-place upgrade impossible.  The fix is to simply open Disk Utility, select the system disk, select the Partition tab, resize the system partition by dragging the bottom right corner up, then right back down (this should enable the "Apply" button), click Apply (confirming the change), exit Disk Utility.  The OSX upgrade should be able to correctly identify the currently installed OS after this.

During a recent bank's information security audit, a coworker and I wrestled with LANguard for the better part of two days trying to figure out why LANguard would freeze during network scanning.  There were several potential culprits including a VLAN setting on the port I was using, a “switch” (which looked just like a little 4 port hub) the company had set up to allow me to use two laptops, etc.  I tried scanning from my laptop, from my VM, from the other laptop, skipping the “switch”, etc.  Finally, I set LANguard to a single thread and noted the scan stopped at the “Enumerate Trusted Domains” step.  The company had two domains, something we don’t often encounter.  I disabled this item in the scanning profile and, presto, the scan ran.  To eliminate any other variables, I turned “Enumerate Trusted Domains” back on and it stalled again.

I installed PGP on my new laptop and after the reboot I got the PGP prompt for my passphrase.  This was a new laptop and was not yet encrypted so I was a little confused where it got a passphrase since I was using BitLocker on my old laptop.  Then logging into the PGP Universal Server I remembered I used PGP to encrypt a different laptop while we were testing.  PGP carried over the old passphrase, and of course since it was installed on a test laptop I didn’t remember (or record) the passphrase I used.  I removed my user and computer entries in PGP and was able to install and encrypt after wiping the partition table and reinstalling from the factory default image.

Secunia is one of the many security firms who maintain teams of researchers looking for vulnerabilities in software applications.  I have seen their name credited on several vulnerability notices from CERT and SANS.  They offer a software vulnerability tool called Secunia Personal Software Inspector that is free for personal use.  It scans your system looking for all executable files and then compares them to their database of current software versions/vulnerabilities.  I have used it on a couple of systems that I believed to be current and found at least half a dozen out-of-date or vulnerable apps.  Apart from the security benefits, it can also be an easy way to see if there have new releases for any of your software.  For example, Secunia PSI informed me that a new version of Wireshark was available for my home computer even though it didn't find any security vulnerabilities for the version I was using.  This can be much easier than individually opening each app and clicking on "check for updates", or even worse, having to go to the app's website to see if a new version is available.