End user education

Schneier has an interesting article on his blog about end user education.

Sony utility disables UAC

Sony Hotkeys Utilities (SOAOTH-606A0000-0042.exe) disables User Account Control (UAC) on my Windows 7 machine.

After re-installing Windows 7 on my Sony laptop I wanted to make my hotkeys (like volume) work again so I installed the Hotkeys utility by Sony. A few weeks later I got suspicious when several programs I opened had “Administrator:” in the title when I hadn’t approved any UAC. I checked my logs and the last program to ask for privilege elevation was the Hotkey utility.

I re-enabled UAC dialogs and re-booted the machine. I re-downloaded the utility from Sony, installed it, and was asked to approve a UAC dialog (so UAC was definitely enabled). Sony software asked that I reboot the machine to “finish installation.”  Immediately after the Sony dialog appeared a balloon in the bottom right appeared with the following text: “You must restart your computer to turn off User Account Control.” Sony’s software was the only thing running and I hadn’t opened any User Account Control settings since restarting the computer.

Sony_post_install

Sony_post_install_zoomed

I let the software reboot the computer. After the reboot Sony software continued to install itself. I opened the User Account Control settings panel and verified that UAC was disabled.

Sony_post_reboot

Sony’s software finished installing itself, theoretically requiring UAC to do so, and asks to reboot a second time. I allowed it to reboot the machine and after the second reboot I pulled up the UAC settings again to verify that they were still disabled. As can be seen below the settings stayed with UAC disabled after two reboots.

Sony_post_reboot2

Turning off UAC dialogs without user notification is a very dangerous thing to do. My computer spent several weeks in a state where any program that wanted to install could just do so without my approval. My programs were running with “Administrator” in the title because they were running with Administrator privileges (I manually verified this for PowerShell). No well behaved software should ever change security settings on a computer without notifying the user.

A couple of limitations to consider

  • This is one personal computer, it is possible that the Sony utility is reacting badly with my computer’s setup.
  • I tried the above steps three separate times, this is repeatable (at least on my machine).

 

Graph of attacks in real time

A map of the world showing the source of attacks and statistics about past attack rates.

http://www.sicherheitstacho.eu/

Certificate authority network

Researchers at Berkeley created a map of Certificate Authorities.

http://notary.icsi.berkeley.edu/trust-tree/

The EFF SSL Observatory also tracks Certificate Authorities and has a downloadable MySQL table of them.

https://www.eff.org/observatory

Also ICIS Certificate Notary system by Berkely

http://notary.icsi.berkeley.edu/

Open source eye tracker

Open source code and open source construction directions for building an eye tracker.
http://code.google.com/p/experteyes/

Verifying certificate fingerprint

When opening pidgin on Ubuntu Linux I received the following warning dialogue with the message “Accept certificate for gmail.com?”. Clicking on “View Certificate” showed the second dialogue.

So how do you verify this?

To start with get the actual certificate from gmail and put it in a file

> openssl s_client -connect gmail.com:443 > cert.pub

The file contents should look something like this:

CONNECTED(00000003)
 depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
 verify error:num=20:unable to get local issuer certificate
 verify return:0
 ---
 Certificate chain
  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
    i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIDIjCCAougAwIBAgIQK59+5colpiUUIEeCdTqbuTANBgkqhkiG9w0BAQUFADBM
 MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
 THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMTEwMjYwMDAwMDBaFw0x
 MzA5MzAyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
 MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRgw
 FgYDVQQDFA9tYWlsLmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
 AoGBAK85FZho5JL+T0/xu/8NLrD+Jaq9aARnJ+psQ0ynbcvIj36B7ocmJRASVDOe
 qj2bj46Ss0sB4/lKKcMP/ay300yXKT9pVc9wgwSvLgRudNYPFwn+niAkJOPHaJys
 Eb2S5LIbCfICMrtVGy0WXzASI+JMSo3C2j/huL/3OrGGvvDFAgMBAAGjgecwgeQw
 DAYDVR0TAQH/BAIwADA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLnRoYXd0
 ZS5jb20vVGhhd3RlU0dDQ0EuY3JsMCgGA1UdJQQhMB8GCCsGAQUFBwMBBggrBgEF
 BQcDAgYJYIZIAYb4QgQBMHIGCCsGAQUFBwEBBGYwZDAiBggrBgEFBQcwAYYWaHR0
 cDovL29jc3AudGhhd3RlLmNvbTA+BggrBgEFBQcwAoYyaHR0cDovL3d3dy50aGF3
 dGUuY29tL3JlcG9zaXRvcnkvVGhhd3RlX1NHQ19DQS5jcnQwDQYJKoZIhvcNAQEF
 BQADgYEANYARzVI+hCn7wSjhIOUCj19xZVgdYnJXPOZeJWHTy60i+NiBpOf0rnzZ
 wW2qkw1iB5/yZ0eZNDNPPQJ09IHWOAgh6OKh+gVBnJzJ+fPIo+4NpddQVF4vfXm3
 fgp8tuIsqK7+lNfNFjBxBKqeecPStiSnJavwSI4vw6e7UN0Pz7A=
 -----END CERTIFICATE-----
 subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
 issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 2005 bytes and written 285 bytes
 ---
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
 Server public key is 1024 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
     Protocol  : SSLv3
     Cipher    : ECDHE-RSA-RC4-SHA
     Session-ID: 45F9A9FA76661A382878C54AD89EB033C1D8CABB1840F6C154B32F406EC05D75
     Session-ID-ctx: 
     Master-Key: 11FA086DFD76443E656F2C487A52B4BCF83A3F7B65C390A15FC2D876EE64E1EBF9FD1B9E8A22E5980D77CD86A11B2BE8
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1331313945
     Timeout   : 7200 (sec)
     Verify return code: 20 (unable to get local issuer certificate)

Then calculate the fingerprint.

> openssl x509 -noout -fingerprint -in cert.pub
SHA1 Fingerprint=59:29:78:A7:2A:90:61:F7:0A:D7:C4:4C:4D:44:9D:CF:25:8C:D5:34

The above fingerprint is different than the one Pidgin was warning me about. In this case I rejected the certificate, told pidgin to re-connect and on the second attempt got a valid certificate.

SOUPS 2011

I’m blogging SOUPS 2011 over on the CUPS blog.

http://cups.cs.cmu.edu/blog/?cat=20

Who is responsible for securing confidential information?

Interesting article

The University of North Carolina at Chapel Hill found out last year that, in 2007, someone had hacked into a server holding personal information of 180,000 mammography patients from around the state. . . . . The university tried to fire — and is still trying to punish — the researcher who was in charge of the information.

Basically the school is trying to punish the researcher for failing to keep the data secure and the researcher is claiming that security isn’t her expertise. She did everything she knew to do but the university could have done a better job of providing her with support for keeping confidential information secure.

Update:
A resolution has been reached. The Professor in question is being reinstated as a full professor provided that she voluntarily retires.

Fun security ideas

Can you spot all the security issues with this messy desk?

Its an interesting way to make security more “fun” by challenging people to think and find the problems instead of lecturing them about what to do right.

Security Conference Rankings

Guofei Gu at Texas A&M University has a nice list of security conferences and what he believes their rankings are.