Bit of security, bit of privacy, and a bit of Kami
End user education
March 27, 2013
Schneier has an interesting article on his blog about end user education.
March 25, 2013
Sony Hotkeys Utilities (SOAOTH-606A0000-0042.exe) disables User Account Control (UAC) on my Windows 7 machine.
After re-installing Windows 7 on my Sony laptop I wanted to make my hotkeys (like volume) work again, so I installed the Hotkeys utility by Sony. A few weeks later I got suspicious when several programs I opened had “Administrator:” in the title when I hadn’t approved any UAC. I checked my logs and the last program to ask for privilege elevation was the Hotkey utility.
I re-enabled UAC dialogs and rebooted the machine. I re-downloaded the utility from Sony, installed it, and was asked to approve a UAC dialog (so UAC was definitely enabled). Sony software asked that I reboot the machine to “finish installation.” Immediately after the Sony dialog appeared, a balloon in the bottom right appeared with the following text: “You must restart your computer to turn off User Account Control.” Sony’s software was the only thing running and I hadn’t opened any User Account Control settings since restarting the computer.
I let the software reboot the computer. After the reboot Sony software continued to install itself. I opened the User Account Control settings panel and verified that UAC was disabled.
Sony’s software finished installing itself, theoretically requiring UAC to do so, and asked to reboot a second time. I allowed it to reboot the machine and after the second reboot I pulled up the UAC settings again to verify that they were still disabled. As can be seen below, the settings stayed with UAC disabled after two reboots.
Turning off UAC dialogs without user notification is a very dangerous thing to do. My computer spent several weeks in a state where any program that wanted to install could just do so without my approval. My programs were running with “Administrator” in the title because they were running with Administrator privileges (I manually verified this for PowerShell). No well behaved software should ever change security settings on a computer without notifying the user.
A couple of limitations to consider
March 12, 2013
A map of the world showing the source of attacks and statistics about past attack rates.
http://www.sicherheitstacho.eu/
December 14, 2012
Researchers at Berkeley created a map of Certificate Authorities.
http://notary.icsi.berkeley.edu/trust-tree/
The EFF SSL Observatory also tracks Certificate Authorities and has a downloadable MySQL table of them.
https://www.eff.org/observatory
Berkeley also runs the ICSI Certificate Notary:
http://notary.icsi.berkeley.edu/
July 18, 2012
Open-source code and construction directions for building an eye tracker.
http://code.google.com/p/experteyes/
March 9, 2012
When opening Pidgin on Ubuntu Linux I received the following warning dialog with the message “Accept certificate for gmail.com?”. Clicking on “View Certificate” showed the second dialog.
So how do you verify this?
To start with, get the actual certificate from gmail.com and put it in a file. Redirecting stdin from /dev/null makes s_client exit once the handshake is done instead of sitting there waiting for input:
> openssl s_client -connect gmail.com:443 < /dev/null > cert.pub
The file contents should look something like this. The “verify error:num=20:unable to get local issuer certificate” line only means that s_client could not chain the certificate to a CA it had been given (via -CAfile or -CApath); on its own it says nothing about whether the certificate is the real one, which is why the fingerprint comparison below is the actual check:
CONNECTED(00000003)
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDIjCCAougAwIBAgIQK59+5colpiUUIEeCdTqbuTANBgkqhkiG9w0BAQUFADBM
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMTEwMjYwMDAwMDBaFw0x
MzA5MzAyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRgw
FgYDVQQDFA9tYWlsLmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAK85FZho5JL+T0/xu/8NLrD+Jaq9aARnJ+psQ0ynbcvIj36B7ocmJRASVDOe
qj2bj46Ss0sB4/lKKcMP/ay300yXKT9pVc9wgwSvLgRudNYPFwn+niAkJOPHaJys
Eb2S5LIbCfICMrtVGy0WXzASI+JMSo3C2j/huL/3OrGGvvDFAgMBAAGjgecwgeQw
DAYDVR0TAQH/BAIwADA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLnRoYXd0
ZS5jb20vVGhhd3RlU0dDQ0EuY3JsMCgGA1UdJQQhMB8GCCsGAQUFBwMBBggrBgEF
BQcDAgYJYIZIAYb4QgQBMHIGCCsGAQUFBwEBBGYwZDAiBggrBgEFBQcwAYYWaHR0
cDovL29jc3AudGhhd3RlLmNvbTA+BggrBgEFBQcwAoYyaHR0cDovL3d3dy50aGF3
dGUuY29tL3JlcG9zaXRvcnkvVGhhd3RlX1NHQ19DQS5jcnQwDQYJKoZIhvcNAQEF
BQADgYEANYARzVI+hCn7wSjhIOUCj19xZVgdYnJXPOZeJWHTy60i+NiBpOf0rnzZ
wW2qkw1iB5/yZ0eZNDNPPQJ09IHWOAgh6OKh+gVBnJzJ+fPIo+4NpddQVF4vfXm3
fgp8tuIsqK7+lNfNFjBxBKqeecPStiSnJavwSI4vw6e7UN0Pz7A=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 2005 bytes and written 285 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-RC4-SHA
    Session-ID: 45F9A9FA76661A382878C54AD89EB033C1D8CABB1840F6C154B32F406EC05D75
    Session-ID-ctx:
    Master-Key: 11FA086DFD76443E656F2C487A52B4BCF83A3F7B65C390A15FC2D876EE64E1EBF9FD1B9E8A22E5980D77CD86A11B2BE8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1331313945
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
Then calculate the fingerprint. openssl x509 reads the first PEM block it finds in the file, so the rest of the s_client transcript in cert.pub does not get in the way; -sha1 names the hash explicitly so the result is comparable with what the Pidgin dialog shows:
> openssl x509 -noout -fingerprint -sha1 -in cert.pub
SHA1 Fingerprint=59:29:78:A7:2A:90:61:F7:0A:D7:C4:4C:4D:44:9D:CF:25:8C:D5:34
The above fingerprint is different from the one Pidgin was warning me about. In this case I rejected the certificate, told Pidgin to re-connect and on the second attempt got a valid certificate.
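The procedure above (fetch the certificate, hash it, compare with what the client shows) as an added shell example; this is not code from the original post. It assumes the openssl command-line tool is installed; the host name, port and file names are placeholders, and because it has to run offline it generates a throwaway self-signed certificate instead of contacting gmail.com. It goes one step beyond the post: it also computes the fingerprint by hand as the SHA-1 of the DER-encoded certificate, to make clear what a fingerprint actually is, and it compares a fingerprint copied from a client dialog against the fetched certificate the way you would when deciding whether to accept it.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI is
# on PATH; host names, ports and file names below are illustrative.
set -e

# Fetch a server's leaf certificate as the post does, with two fixes: stdin
# from /dev/null so s_client exits after the handshake instead of waiting for
# input, and -servername so a virtual-hosted server presents the right
# certificate. "openssl x509" keeps only the first PEM block of the transcript.
fetch_leaf_cert() {             # usage: fetch_leaf_cert host port > cert.pem
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# SHA-1 fingerprint of a PEM certificate in the colon-separated, upper-case
# form that Pidgin and the post display (e.g. 59:29:78:...).
cert_fingerprint_sha1() {       # usage: cert_fingerprint_sha1 cert.pem
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# The same value computed by hand: a certificate fingerprint is just the hash
# of its DER encoding, so DER-encode, hash, and format the hex as pairs.
cert_fingerprint_sha1_manual() {  # usage: cert_fingerprint_sha1_manual cert.pem
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 \
        | sed 's/^.*= *//' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Compare the fingerprint a client dialog shows against the certificate the
# server actually sent, ignoring case. Returns 0 on match, 1 on mismatch; a
# mismatch means the client is not seeing the same certificate you fetched.
fingerprint_matches() {         # usage: fingerprint_matches SHOWN_FP cert.pem
    shown=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    actual=$(cert_fingerprint_sha1 "$2")
    [ "$shown" = "$actual" ]
}

# Offline stand-in for a real server: a throwaway self-signed certificate
# (constructed here for the demonstration; the subject name is arbitrary).
make_test_cert() {              # usage: make_test_cert out.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

# Demonstration against the constructed certificate. For a live host replace
# make_test_cert with: fetch_leaf_cert gmail.com 443 > "$tmp/cert.pem"
tmp=$(mktemp -d)
make_test_cert "$tmp/cert.pem"
fp=$(cert_fingerprint_sha1 "$tmp/cert.pem")
echo "subject:     $(openssl x509 -noout -subject -in "$tmp/cert.pem")"
echo "fingerprint: $fp"
echo "manual:      $(cert_fingerprint_sha1_manual "$tmp/cert.pem")"
if fingerprint_matches "$fp" "$tmp/cert.pem"; then
    echo "match: the dialog's fingerprint is the certificate the server sent"
fi
rm -rf "$tmp"
```

To use it against a real host, save `fetch_leaf_cert host 443` to a file and pass the fingerprint from the client's dialog to `fingerprint_matches`. A mismatch is not automatically an attack: large services serve different certificates from different front ends, so fetching from a second vantage point or a second time, as the post did, is a reasonable next step before deciding what to accept.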
January 27, 2011
The University of North Carolina at Chapel Hill found out last year that, in 2007, someone had hacked into a server holding personal information of 180,000 mammography patients from around the state. . . . . The university tried to fire — and is still trying to punish — the researcher who was in charge of the information.
Basically, the school is trying to punish the researcher for failing to keep the data secure and the researcher is claiming that security isn’t her expertise. She did everything she knew to do, but the university could have done a better job of providing her with support for keeping confidential information secure.
Update:
A resolution has been reached. The Professor in question is being reinstated as a full professor provided that she voluntarily retires.
January 25, 2011
Can you spot all the security issues with this messy desk?
It's an interesting way to make security more “fun” by challenging people to think and find the problems instead of lecturing them about what to do right.
January 24, 2011
Guofei Gu at Texas A&M University has a nice list of security conferences and what he believes their rankings are.