Microsoft PKI Checklist for 2016

Update for 2016: In my home, which doubles as the home lab and testing environment, I have tried to build a new Microsoft PKI suitable for 2016. I use this to distribute all the certificate services certificates across my internal sites. This guide and checklist should help everyone trying to get a handle on the latest, specifically since SHA-1 certificates are now actively being denied.

This guide is built on Windows 2012 R2, even though we are very close to Windows Server 2016 being released.

I am building a Two-Tier PKI and you can use this guide to help you build one. I made sure to connect my Offline Root CA to the internet and fully patch it before taking it offline. One of the reasons for this is that I wanted to make sure that we had the latest cryptographic patches and signatures installed.

Offline Root Certificate Authority

Once the machine is patched and named appropriately, we will use the Roles and Features Wizard to install the Active Directory Certificate Services Role on this server.

Certificate Service Role

Certificate Service Role Installation

It will also be important to only choose the Certificate Authority Role on this Server.

Once this is done, you may see a yellow triangle at the top near the flag, which will prompt you to configure the Certificate Services on the system.

It is always best practice to use a CAPolicy.inf file. I am skipping this at this time, but make sure you have this file in a production environment.

Configuration:

  • Standalone CA
  • Root CA
  • New Private Key
    • Cryptographic Provider: ECDSA_P256#Microsoft Software Key Storage Provider
    • Key Length: 256
    • Hash Algorithm: SHA-256
  • CA Name:
    • Common Name: Generally <Machine-Name>-CA, but it can be of your choosing
  • Validity Period:
    • For the offline root, I decided to use 20 years, because it is my lab.
    • Remember, after the time elapses you must Boot the Offline Root and Renew the CA Certificate.
  • Certificate Database Location:
    • Choose the defaults (unless you have a D:\ drive to use).

Since this is a Standalone CA, do not change the credentials and make sure to choose to configure the Certificate Authority Server. The system should be configured as a Standalone Root CA.

There is a way to do this from the PowerShell CLI, like so:

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName "OFFCA1-CA" -KeyLength 256 -HashAlgorithm SHA256 -CryptoProviderName "ECDSA_P256#Microsoft Software Key Storage Provider"

Verify the CA

The following command line will verify that the Root Certificate Authority was set up correctly. Open a PowerShell prompt as an administrator (an elevated prompt) by right-clicking the PowerShell icon and choosing ‘Run as Administrator’.

Certutil -crl

Find your CRL file in (%Windir%\System32\CertSrv\CertEnroll) as [CAName].Crl

certutil $env:windir\System32\CertSrv\CertEnroll\[CAName].Crl | findstr /spi algorithm

This should show something like so:

[Screenshot: certutil output filtered for the signature algorithm]

If it shows ‘sha256ECDSA’ then you will have a universally accepted certificate. I had issues with many browsers when it stated: RSAPSS-DSS. This happened because my CAPolicy.inf file contained the following setting:

AlternateSignatureAlgorithm=1

Do not use this, set it to:

AlternateSignatureAlgorithm=0
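
A scripted version of the check above, as an added example that is not part of the original post: it reads certutil dump text and CAPolicy.inf lines and reports whether the signature algorithm is one that clients accept. The function names and all sample inputs are constructed for illustration, and treating a missing AlternateSignatureAlgorithm line as 0 is an assumption.

```powershell
# Added example, not from the original post. The OIDs are the standard
# PKCS #1 / ANSI X9.62 signature identifiers; comments give certutil's names.
$SignatureVerdicts = @{
    '1.2.840.10045.4.3.2'   = 'ok'          # sha256ECDSA
    '1.2.840.10045.4.3.3'   = 'ok'          # sha384ECDSA
    '1.2.840.10045.4.3.4'   = 'ok'          # sha512ECDSA
    '1.2.840.113549.1.1.11' = 'ok'          # sha256RSA
    '1.2.840.113549.1.1.12' = 'ok'          # sha384RSA
    '1.2.840.113549.1.1.13' = 'ok'          # sha512RSA
    '1.2.840.113549.1.1.5'  = 'sha1'        # sha1RSA
    '1.2.840.10045.4.1'     = 'sha1'        # sha1ECDSA
    '1.2.840.113549.1.1.10' = 'alternate'   # RSASSA-PSS
    '1.2.840.10045.4.3'     = 'alternate'   # specifiedECDSA
}

$Advice = @{
    ok        = 'Accepted by current clients.'
    sha1      = 'SHA-1 signature: reissue with -HashAlgorithm SHA256.'
    alternate = 'Alternate signature format: set AlternateSignatureAlgorithm=0 and reissue.'
    unknown   = 'Not in the table: review manually.'
}

function Get-SignatureAlgorithmFinding {
    # Takes the text lines of a certutil dump of a .crl or .crt file.
    param([string[]] $DumpLines)
    $section = ''
    foreach ($line in $DumpLines) {
        # Unindented "Name:" lines start a new section of the dump.
        if ($line -match '^(\S[^:]*):') { $section = $Matches[1]; continue }
        # Skip "Public Key Algorithm" and every other section.
        if ($section -ne 'Signature Algorithm') { continue }
        if ($line -match '^\s+Algorithm ObjectId:\s+(?<oid>\d+(?:\.\d+)+)\s*(?<name>\S*)') {
            $verdict = $SignatureVerdicts[$Matches['oid']]
            if (-not $verdict) { $verdict = 'unknown' }
            [pscustomobject]@{
                Oid     = $Matches['oid']
                Name    = $Matches['name']
                Verdict = $verdict
                Advice  = $Advice[$verdict]
            }
        }
    }
}

function Test-AlternateSignatureSetting {
    # Returns $true when CAPolicy.inf turns the alternate format on.
    # Lines commented out with ';' do not match. Assumption: absent means 0.
    param([string[]] $InfLines)
    foreach ($line in $InfLines) {
        if ($line -match '^\s*AlternateSignatureAlgorithm\s*=\s*(\d+)') {
            return ([int]$Matches[1] -ne 0)
        }
    }
    return $false
}

# Constructed sample: CRL dump from a CA signing with ECDSA P-256 / SHA-256.
# A CRL names its signature algorithm twice (inside and outside the signed part).
$SampleGood = @'
X509 Certificate Revocation List:
Version: 2
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.10045.4.3.2 sha256ECDSA
    Algorithm Parameters: NULL
Issuer:
    CN=OFFCA1-CA
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.10045.4.3.2 sha256ECDSA
    Algorithm Parameters: NULL
'@

# Constructed sample: the same dump from a CA using the alternate format.
$SampleAlternate = @'
X509 Certificate Revocation List:
Version: 2
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
Issuer:
    CN=OFFCA1-CA
'@

# Constructed CAPolicy.inf carrying the setting the post warns about.
$SampleInf = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=256
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=1
'@

Get-SignatureAlgorithmFinding -DumpLines ($SampleGood -split '\r?\n') | Format-Table -AutoSize
Get-SignatureAlgorithmFinding -DumpLines ($SampleAlternate -split '\r?\n') | Format-Table -AutoSize
Test-AlternateSignatureSetting -InfLines ($SampleInf -split '\r?\n')
```

On the CA itself, pass the live output instead of the samples, for example `Get-SignatureAlgorithmFinding -DumpLines (certutil <path to the .crl file>)`.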

Preparing for Active Directory Rollout

I ran the following settings with the same elevated Powershell Prompt:

  • I have changed some of the settings here to match my Active Directory domain and my Active Directory CA server directory. If you are using copy and paste, CHANGE the URLs to match your environment.
certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://www.<domain.local>/pki/%3%8.crl"
certutil -setreg CA\CACertPublicationURLs "2:http://www.<SubCADomain.Local>/pki/%1_%3%4.crt"
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 10
Certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=<domain>,DC=<domain>,DC=<domain>"
restart-service certsvc
certutil -crl

At this point the certificate can be moved to a place from which the online Subordinate CA can get it. The documentation will tell you to move it to the A:\ drive, but with disk drives being scarce today, I will just recommend that you move it using the safest way you can.

copy C:\windows\system32\certsrv\certenroll\*.cr* X:\

Please note, at this point you cannot turn off the offline root CA as you will need it to sign the Subordinate CA Keys.

Subordinate CA Setup

The CA Needs to have the following prerequisites:

  • Renamed
  • Joined to the Domain
  • Patched

Before we start on our CA roles we will install the Root CA on the local machine. First copy the files to the system, for example:

copy X:\*.cr* C:\Certs\

Now make sure you log in as a user who is both an Enterprise Admin and Domain Admin. With an elevated PowerShell prompt run the following commands:

certutil -dspublish -f C:\Certs\<file_rootCA>.crt RootCA
certutil -addstore -f root C:\Certs\<file_rootCA>.crt
certutil -addstore -f root C:\Certs\<RootCA>.crl

Next, because my SubCA will also serve as my www address I am going to create a CNAME in my domain controller and link it to my A record for the SubCA. Because we added the CPS and the /PKI directory above using registry entries for CDP and AIA, this is an important step.

Setting up IIS

Here we will set up IIS for the CA. As a shortcut we are going to once again run the PowerShell CLI as administrator and run the following commands. Note that I do not have a D:\ drive for this; I usually do, and it is generally good practice to use one.

New-Item -Path C:\pki -Type Directory
Write-Output "To View an Example CPS use this link: https://www.globalsign.com/en/repository/TrustedRoot%20Template%20CPS.pdf" | Out-File C:\pki\cps.txt
New-SmbShare -Name pki -Path C:\pki -FullAccess SYSTEM,"DOMAIN\Domain Admins" -ChangeAccess "DOMAIN\Cert Publishers"

Now we will install IIS on this server by using the Add Features Wizard or, alternatively, PowerShell, although what is below may be a bit much for your environment. I am running this environment as a test lab, and as such I am generally installing much more than needed.

Install-WindowsFeature -Name Web-Server -IncludeAllSubFeature -IncludeManagementTools

In order for this server to actually be able to distribute the CDP and AIA information, a new site needs to be set up. In this case we are going to set up the C:\pki directory to map to a directory on the server known as /pki.

Right Click the Default Web Site and choose ‘Add Virtual Directory’.

PKI directory

Make sure to make the Alias: pki and the Physical Path C:\pki.

Click OK and now you will need to set up anonymous access. In order to do this you need to make a few things happen. Click on the ‘Authentication’ button in the PKI virtual directory and on the right hand side choose Edit Permissions. This will give you the same form as if you had right clicked on the PKI folder in the windows explorer.

Under Security tab click edit. On the permissions for PKI form choose Add.

This gets confusing because of how you are going to add users. More or less you are going to add 2 types of users.

  • DOMAIN\Cert Publishers
  • IIS AppPool\DefaultAppPool

The IIS AppPool is a special object type and to use it, you must change your search to include the object type service accounts and change your place to your local server. Here are two other items to note:

  • You cannot choose service accounts if you changed your place first.
  • You will not see the right account if you search for it; you must type in the name as it appears above and choose OK.

Make sure to give Cert Publishers Modify privileges. Click OK until you’re back in IIS.

Next change Request Filtering by double-clicking it. Then click Edit Feature Settings on the right and check the box to ‘Allow Double Escaping’.

In Powershell type the following command:

iisreset

If the system is ready, you may install the Certificate Authority Roles and Features as we did in the first Offline Root CA setup.

Sub CA Setup

We will install the Sub CA using the following commands in Powershell or alternatively using the Server Manager Add Roles and Features components.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "SubCA-CA1" -KeyLength 256 -HashAlgorithm SHA256 -CryptoProviderName "ECDSA_P256#Microsoft Software Key Storage Provider"

Once this is done we will need to move our Sub CA Certificates back to the Offline Root CA to have the Offline Root CA sign those certificates and confirm the entity.

You will see that there is a request, typically put by default into the root of the C:\ drive, with the extension .req. This is the file to move.

There is a nice command line interface on the CA that will allow you to submit the request:

certreq -submit file.req

Now that this is done, using the Certificate Authority tool, right-click the request under Pending Requests and issue the certificate.

Then under Issued Certificates you will find your certificate.

The command line equivalent to this is:

certutil -resubmit <number>

Typically your RequestID will have a number and you can use that number for your request. Because in theory this should be the first real request, more than likely it will be 2.

Now you can retrieve this certificate in command line:

certreq -retrieve <Request#> X:\CANAME-ComputerName.crt

Now on the SubCA, with the files available, the following commands will copy the cert files over to the pki folder, install the certificate and start the certificate server on your subordinate.

copy x:\*.cr* C:\pki\
certutil -installcert x:\CANAME-ComputerName.crt
start-service certsvc
copy $env:windir\System32\certsrv\certenroll\*.cr* C:\pki\

Finally, just as before you need to make sure to publish the right pathing so that all the clients can find the CDP and AIA.

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://www.<domain.local>/pki/%3%8.crl"
certutil -setreg CA\CACertPublicationURLs "2:http://www.<domain.local>/pki/%1_%3%4.crt\n1:file://\\subca1.<domain.local>\pki\%1_%3%4.crt"
Certutil -setreg CA\CRLPeriodUnits 2
Certutil -setreg CA\CRLPeriod "Weeks"
Certutil -setreg CA\CRLDeltaPeriodUnits 1
Certutil -setreg CA\CRLDeltaPeriod "Days"
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 5
Certutil -setreg CA\ValidityPeriod "Years"
restart-service certsvc
certutil -crl

This should now build our certificate authority. Turn off your Root CA, as this should be done.
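
How the CRLPublicationURLs and CACertPublicationURLs strings set on the root and on the subordinate break down, as an added example that is not part of the original post: it splits a value into its entries, names the flag bits and expands the %-tokens, so the URL that ends up inside issued certificates can be checked before anything is issued. The function name, the example.test host names and the token values are constructed; the flag and token meanings are the documented AD CS ones.

```powershell
# Added example, not from the original post: decode the value passed to
# certutil -setreg CA\CRLPublicationURLs or CA\CACertPublicationURLs.
$CrlFlagBits = @(
    @{ Bit = 1;   Meaning = 'publish CRLs to this location' },
    @{ Bit = 2;   Meaning = 'include in the CDP extension of issued certificates' },
    @{ Bit = 4;   Meaning = 'include in CRLs so clients can find delta CRLs' },
    @{ Bit = 8;   Meaning = 'include in all CRLs (where to publish in AD)' },
    @{ Bit = 64;  Meaning = 'publish delta CRLs to this location' },
    @{ Bit = 128; Meaning = 'include in the IDP extension of issued CRLs' }
)
$AiaFlagBits = @(
    @{ Bit = 1;  Meaning = 'publish the CA certificate to this location' },
    @{ Bit = 2;  Meaning = 'include in the AIA extension of issued certificates' },
    @{ Bit = 32; Meaning = 'include in the OCSP extension' }
)

function ConvertFrom-CaPublicationUrl {
    param(
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)] [ValidateSet('CRL', 'AIA')] [string] $Kind,
        # Token number (as a string) -> replacement text; unknown tokens stay as-is.
        [hashtable] $Tokens = @{}
    )
    $bits = if ($Kind -eq 'CRL') { $CrlFlagBits } else { $AiaFlagBits }

    # Entries are joined by a literal backslash-n, not by a real newline.
    foreach ($entry in ($Value -split '\\n')) {
        if ($entry -notmatch '^(\d+):(.+)$') { throw "Malformed entry: $entry" }
        $flags    = [int]$Matches[1]
        $template = $Matches[2]

        # %10 and %11 must be tried before %1, hence the alternation order.
        $expanded = [regex]::Replace($template, '%(1[01]|[1-9])', {
            param($m)
            $key = $m.Groups[1].Value
            if ($Tokens.ContainsKey($key)) { $Tokens[$key] } else { $m.Value }
        })

        # Anything with bit 2 is written into every certificate the CA issues.
        $embedded = ($flags -band 2) -ne 0
        $warning = ''
        if ($embedded -and $template -notmatch '^(https?|ldap|file)://') {
            $warning = 'embedded in certificates but not a URL a client can fetch'
        }
        elseif ($embedded -and $template -match '^https://') {
            $warning = 'HTTPS here means the TLS certificate needs its own revocation check first'
        }

        [pscustomobject]@{
            Flags    = $flags
            Meaning  = (@($bits | Where-Object { $flags -band $_.Bit } |
                          ForEach-Object { $_.Meaning }) -join '; ')
            Template = $template
            Expanded = $expanded
            Warning  = $warning
        }
    }
}

# Constructed token values for a subordinate CA that has never been renewed:
# %1 server DNS name, %3 CA name, %4 certificate suffix, %8 CRL suffix,
# %9 delta CRL marker. %4 and %8 become "(1)" and so on after renewals.
$tokens = @{
    '1' = 'subca1.example.test'
    '3' = 'SubCA-CA1'
    '4' = ''
    '8' = ''
    '9' = ''
}

# The same shape of value the post sets on the subordinate CA
# (single quotes keep the backslash-n literal).
$crl = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://www.example.test/pki/%3%8.crl'
$aia = '2:http://www.example.test/pki/%1_%3%4.crt\n1:file://\\subca1.example.test\pki\%1_%3%4.crt'

ConvertFrom-CaPublicationUrl -Value $crl -Kind CRL -Tokens $tokens | Format-List
ConvertFrom-CaPublicationUrl -Value $aia -Kind AIA -Tokens $tokens | Format-List
```

The expanded file names should match what was copied into C:\pki; a mismatch means clients will get a 404 when they follow the CDP or AIA URL.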

Test Drive IIS Server SSL

For a test drive, we will enable SSL on the www server and test it with a browser like Chrome just to make sure that everything is working as expected. In order to do this most effectively, I am going to go back into Roles and Features and add the Active Directory Role for Web Enrollment.

Once this is done, we can then later use this to actually request and retrieve our certificate.

First on the SubCA run the following command:

certutil $env:windir\System32\CertSrv\CertEnroll\[CAName].Crl | findstr /spi algorithm

If everything worked as before then you should see the sha256ECDSA string appear.

Open the Certificate Authority MMC and let’s make sure that the Web Server template is enabled and available.

Choose Certificate Templates and then New Certificate Template to Issue. Choose Web Server.

Next run IIS Manager. Choose the following menu options:

Under the Computer Name find a button for Server Certificates and Double-Click it. Next on the right hand side under actions you will see a Create Certificate Request Option. Choose it.

Make the common name the following:

www.<domain.name>

Fill all the fields of the form out to be able to create it.

Next, choose a secure key size, like a 4096-bit key length.

Finally choose a place for the request. Because this server is also the certificate authority, we do not have to worry too much about permissions. I called mine www.req.

Next we will open the following URL:

http://localhost/CertSrv

Choose to Submit a New Request and copy and paste the request. Make sure the template you use is marked ‘Web Server’.

Copy the contents of www.req into the first form and choose submit. At this point we should be able to retrieve the certificate and chain.

 

Finally go back to the IIS Manager and in the same window as the Server Certificate choose to complete the request. You should be able to just point to the .cer file to finish the submission.

Now we need to bind this request to the 443 listener. Under Default websites choose bindings. Add a 443 listener binding and choose the following hostname:

www.<domain.local>

At this point you can distribute your Root CA and SubCA certificates to all devices that are not joined to Active Directory, for example internal Linux and OS X devices.

Firepower Best Practices: The Access Control Policy

As people who are purchasing Cisco Firepower gear get more invested in the product, many of the legacy Cisco customers have come to me and asked me about Firepower Best Practices. What I find, however, is that the answer to those questions is ‘it depends’. The purpose of this series of posts is to get people familiar with Firepower and Firepower Services. This series of articles covers version 6.x of the product.


The Access Control Policy, what is it and how to use it.

The access control policy has become the heart of the Firepower system. It is sometimes completely misunderstood because in certain circumstances it is used as a firewall policy, but on an IPS it can be used in completely interesting and unique ways. If the engineers understand how the system is meant to act, the AC Policy becomes a wonderful thing.

With that stated, let’s go through some tips and tricks on the AC Policy. First, our standard visualization that helps us talk about how the AC Policy works and looks.

AC Policy

As you can see, the AC Policy takes a number of policies and pieces them together. It is really critical to understand how the AC Policy can be used to redirect each flow to and from the different engines.

I hope this guide can serve as tips and tricks for people. The first thing that I would recommend is to push block rules to the highest area in the policy. I would also recommend pushing items that do not need to get inspected to the top as well, if possible.

The Firepower management center is involved heavily in things like policy management but also participates actively in AMP Disposition lookups and checking. You could run all of this without cloud communications but you would lose some capabilities like:

  • Dynamic URL Categorization
  • Advanced Malware Hash Lookups
  • Dynamic IP/URL/FQDN/DNS Reputation

Allow, Monitor, Trust, and Block

There are 4 major types of actions that are in the Access Control policy of the system. Remember the product had a heritage of IDS (and IPS) before Firewall and NGFW policies and so the rules do reflect this.

Allow rules are self-explanatory, but remember, there are some tips and tricks here that will help you set up your rules.

Trust rules will be rules that will not add any further inspection. For example, if the rule has a source address 1.1.1.1 and destination of any, then any packet matching those parameters will not go through IPS, File, or URL inspection.

Monitor rules are somewhat special: they are designed for logging of traffic but will neither automatically permit nor deny. Instead they fall through to the next rule, which could be a permit or deny. This is important because you may want to just monitor and allow but end up denying a packet, or vice versa. A Monitor rule will also automatically log at the END of a connection. Logging is another subject we will get into.

Block will block traffic without inspection. Block with Reset is really meant for IDS mode, in which a TCP Reset will attempt to stop the communication of the traffic. Interactive Block is also unique: remember, this system has the capability to present the user with a web page that can prompt the user to bypass the block in various ways. If you are doing web-based blocking for categorization, this would be an area where a user can bypass the block, in which case it would fall into an allow rule.

Zones, Networks, Geo-IP, and VLANS

This system was designed with IPS/IDS in mind, but the same concepts can be applied to firewalls in the case of Zone Based Firewalls. Zone based will allow a user to define the appropriate rules per zone which could be somewhat interface specific and allow for more granular and flexible policies.

Now there are some other treasures in the system, including the ability to block entire countries. How does one do that? It is actually somewhat hidden in the network area and is accessible in a tab called GeoLocation. I have pulled out a screenshot which should help you find the location of it. One of the things that is important to note is that you can block by continent and country, but there is a limit of somewhere in the 40 or so objects in the rule. That is critical because it will change how you add those countries. What I caution most people about, however, is not to fall into the trap of blocking countries, because while it can help it is not a foolproof way to stop attackers from coming into the network. I leverage the results to look at who is communicating or connecting to my device for analysis, but I don’t generally take action on this.

VLAN tagging in a policy is generally used for layer 2 inspections. There are some tips and tricks that I will talk about in a future post on how you can stop double inspecting traffic, and one of the methods that can be used through the AC Policy is the VLANs area.

The Advanced Tab

There is one last thing in the system that most people don’t realize: the Advanced tab has a wealth of further tuning capabilities that can help intrusion analysis. I will not belabour this particular area as much, but I will highlight a few gems that I find to be great to enable.

The first thing is Adaptive Profiles, so what are those? Those are really well defined here in this area: Firepower User Guide – Passive Deployments. The reason I mention these is because in the passive deployment section you can implement Adaptive Profiles, which will change the way that packets are re-assembled and automatically change the behavior seen in those packets. This can detect anomalies such as fragmentation attacks and other IDS evasion tactics. To configure Adaptive Profiles, you need to click on the pencil icon and not only enable adaptive profiles but add the network ranges for those profiles.

The second item here that I will mention is the Network Analysis Policy, which can change the behavior of the rules. In the 5.X version of the product, instead of having preprocessors stored within the IPS policy as you would expect, you could add or change each policy specifically for use in different AC-Policies and for different actions. Some of the more interesting items you will find in this area? The ability to change HTTP configurations. In here you will see how we can capture the originating IP address from a proxy by using the X-Forwarded-For header, so that not all the attacks show up as coming from your proxy. We can also add static ports to some of these areas to further our investigation. While I would not recommend changing all the features within this area without thinking about it first, I would recommend giving it a cursory look.

Additional Tips/Tricks?

  • You can move any rule up and down in the list by just clicking on the rule and dragging it up or down
  • You can click on any of the objects in the rule base such as source ip, ports, applications, the shield (NGIPS), etc, to get into that rule and right into that tab.

This is only one of a few Firepower Best Practices posts.

 

 

Why not just decrypt this Apple for the FBI?

*Due to the sensitive nature of this blog post, this was excluded from my internal mailings and was only placed on my blog site. Enjoy some thoughts.

Today another researcher and I had a lot of fun talking about how to define a backdoor. It was an interesting debate, as the author (Jonathan Ździarski) was trying to define backdoor.

https://twitter.com/JZdziarski/status/704069755750236160

“A backdoor is a mechanism that has been placed by the creator of the system to enable access to the system through an alternative means.”

Now why are we talking about backdoors? Apple has somewhat brought this argument back into the spotlight. A few months ago, there was talk about this in the media. It was quite clear that a few senators and a few others in the media (https://www.moses.io/2015/11/23-nov-2015-week-ind-security/). This very topic reminded me of the clipper chip arguments when I was much younger and not in this business. While I did enjoy the computers I had access to, it was more of a hobby than a profession, so I did not fully comprehend the argument back then. The clipper chip provided the government the concept of key escrow to be able to decrypt any item that had been encrypted with a specific cipher or legal encryption protocols. Of course we can already see the fallacy of this argument. Why would someone with ill intent use only legal encryption? The clipper chip argument did fail, only to have re-emerged with the same drum beat today. You can argue that we can compel all citizens to use some type of U.S. Government sanctioned encryption, but what happens in other parts of the world? We already know how the Indian Government felt about the amount of US dominance in operating systems (http://www.storypick.com/boss-indian-os/)

Bringing it back to Apple. There are two fantastic write-ups on the subject:

https://dfir.to/AppleFBI-FAQ

https://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/

If you take the time to read through the arguments here, you can see what is being asked of Apple. The question of course is not whether Apple has the technical capabilities to do this; they may. But here are two questions to ponder.

  • If they do this for this one phone, where does Pandora’s box end?
  • If they do this and the person in question (The San Bernardino Terrorist) used a third-party service that encrypted the chats and this data is no longer available, what happens next?

Here are my thoughts on the subject: while I do think the idea of escrow was technically interesting, backdoors are not a good idea. They are dormant until someone else discovers them, and could be used against you. I do think Apple could potentially create the keys or a workaround for this one phone. The precedent, however, needs to be tested and made clear. This is important because in a digital age the laws must be clearly defined and not subject to arbitrary, untested measures. Kudos to Apple for bringing this up; even if in the end this decision does not go their way, they have done the right thing.

Firepower Best Practices: Configuration Menu and Updates.

As people who are purchasing Cisco Firepower gear get more invested in the product, many of the legacy Cisco customers have come to me and asked me about Firepower Best Practices. What I find, however, is that the answer to those questions is ‘it depends’. It may sound weird, but there is no scientifically salient way to enable every feature. The purpose of this series of posts is to get people familiar with Firepower and Firepower Services. This series of articles covers version 6.x of the product.


Up and Running with Firepower: Configuration Menu and Updates.

Firepower is the brand name for several things. Firepower comes as a standalone IPS, as a sensor integrated on an ASA, as well as a unified all-in-one system that merges the ASA with the Firepower software. Let’s begin with how you set up and deploy the manager, which ends up being where the majority of the work is. When first setting up Firepower 6, the first and most important thing to do is set your sizing requirements. If you happen to be using a Virtual Manager, make sure that you get as much memory as possible on the box. I would recommend that you attempt to give it at least 16GB to 32GB of RAM.

Here is my simple cheat sheet of items.

Internet Connectivity

The first question I get is what Internet connectivity is needed to run the unit. This is the guide most people refer to:

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security__Internet_Access__and_Communication_Ports.html

Firepower Ports

I believe this guide is a bit too complicated to understand. Here is a better way to visualize it, because it’s not so clear how it works at first blush. The Firepower management center is involved heavily in things like policy management, as well as the AMP part. You could run all of this without cloud communications but you would lose some capabilities like:

  • Dynamic URL Categorization
  • Advanced Malware Hash Lookups
  • Dynamic IP/URL/FQDN/DNS Reputation

Manager Configuration

Here are also a couple of items to enable.

  • System Menu -> Configuration Menu -> Remote Storage Device. Set up your Remote Storage Device to be SMB or NFS or something of the like.
  • System Menu -> Configuration Menu -> Change Reconciliation. Turn this on so that you have change control logged.
  • System Menu -> Configuration Menu -> Access List. Right now anyone can hit 80/443 on your Manager, so I would limit it as far as you can. You may have a range for IT, or you may have a range for your network. For example it could be 10.10.10.0/24 or at least 10.0.0.0/8. I don’t think you ever want the possibility of the internet hitting your manager.
  • System Menu -> Configuration Menu -> Time Synchronization. Make sure you set this to either your Stratum 1 server, or any other servers that synchronize time in your environment. It is critical that the sensor and the manager have the same time, but as a good habit all of your systems should keep the same time.
  • For VM Systems: System Menu -> Configuration Menu -> VMware Tools -> Enable VMware Tools. Just good practice.

There are other options in there to explore like email addresses for notifications, Syslog servers setup, but those options can be explored at a later time.

Updates

The next topic is that of updates. Some updates are simple to add, because they have built-in scheduling like those below.

In the System -> Updates -> Rule Updates Menu the scheduler is visible as well as in the Geolocation menu. There is however one other menu item that is not automatic. This option is called the VDB. The Vulnerability Database Update will update the system against the latest CVE’s that come down and provide accuracy when fingerprinting hosts which we will get into later. The VDB is not automated so we must automate its installation ourselves and we can do that using the scheduler.

The above shows how you can very easily go into the System menu, Under Tools -> Scheduling and add a new task. Explore the options in this menu because you would be very surprised to see all the different automated scheduled actions you could have.

This is a two-step process to fully work. It is important that you use recurring if you want these actions to keep happening; the default is once.

Step 1, shown above, is to download the latest updates. You want to give the system time to do this; you can even say do it a day before, a week before, etc. This update happens on a somewhat ad-hoc basis and not very often, so timing isn’t as important as with the rule updates.

Step 2, which I will show below, is to actually install the VDB update on the manager. This is important because you will need to do this to actually make use of the downloaded database.

That concludes this post on up and running with Firepower. Please stay tuned for more notes, feedback, tips, and tricks! If you enjoy this series of posts, I encourage you to Subscribe.

 

 

Twenty Sixteen the first post.

Ah… Twenty Sixteen. It’s funny because my ex-wife taught me, or would thoroughly critique my writing, when we were married. She used to tell me, and in a not so very nice way at times, that anything smaller than numerical twenty should be correctly written out (or maybe it was numerical ten), and anything past that can be used as numbers. My title above breaks all the norms. Welcome to 2016 (Twenty Sixteen), sixteen years past when planes would have fallen out of the sky due to Y2K bugs.

Introspection and this time of year are a marvelously beautiful thing. My wife tells me that she loves New Year’s resolutions because they allow you to measure and set a gauge about what you did and where you were going. That is a marvelous thing, so here are a few items on the site that I think I’m going to be putting in with housekeeping notes and my resolve.

Failures and Re-affirmations

Last year I wanted to update the site with a weekly newsletter. See post 1 and post 2. That seemed not to go so well, as my curation efforts were just too broad and challenging with my schedule at the end of the year. This year I want to continue attempting to do this, but I will be doing so with some sandbox. Three important stories and one editorial comment per week. I am going to try to commit to this, and as such, because I’m a one man shop, I may look to ask for a few guest bloggers or guest posters for this. I also feel like this site design needs a lot of work, and this year we will launch a new, better site design.

Forum and Community

Not even sure if I should keep the forum and community going because no one uses it. I wanted it to be a place where I can post technical articles and then talk to people and give feedback. That hasn’t been working because no one either has registered or has had the interest to register. I am working on figuring out how to make that better, and this year it would be an exciting growth year for the community part.

Technical Content and Videos

People seem to love technical content, and also videos. This year I will dive into actually trying to film a few. I am not 100% sure what the content will be, but perhaps I’ll be doing surveys along with it to help this along. I could potentially just do a bunch of how-tos, although I’m not so sure that the content will be well received, so I’m cautious about how to do this.

Finally, there is YOU! I want to make the site relevant and share my experiences with everyone. I hope that when you come here, it’s worth the time and effort in the sea of noise. Please post your opinions below to make the site wonderful.

Thanks!

23 Nov 2015 – Week ind Security

Editor’s Note: It has been one week since the Paris attacks, which swiftly dominated the news for the entirety of the week. During these times of turmoil I usually ask my kid to explain to me the significance of this to the past. It’s important to understand the past to understand exactly why things are happening and what they mean to the greater significance of life. I say this because I saw something disturbing yesterday. Dianne Feinstein, whom I do admire, said on Face the Nation:

FEINSTEIN: I can say this.

Director Comey and I think John Brennan would agree that the Achilles’ heel in the Internet is encryption, because there are now — it’s a black Web and there’s no way of piercing it. And it’s even in commercial products. PlayStation, John, which our kids use, if the two ends communicate, that’s encrypted.

So, terrorists could use PlayStation to be able to communicate, and there’s nothing that can be done about it.

As you can see, she is worried about ‘Encryption’ on the internet and the fact that people can use it to ‘hide’ communications. The obvious answer, of course, comes later:

DICKERSON: The tech community says if you tried to do something, develop a backdoor that law enforcement could use, that that would open up all kinds of other communication. It would — financial transactions, other sensitive information would then be at risk if what you’re talking about would be put into place.

FEINSTEIN: No, I don’t think so. I think, with a court order, with good justification, all of that can be prevented. It can be prevented in Europe, because Europe has been a major driver for more encryption. And I think they are now seeing the results.

Unfortunately, we have tried this before with encryption, and when that was insufficient a few others attempted to implement the Clipper chip to try to provide a more structured backdoor. Of course, the problem with backdooring cryptography, and with backdoors in general, is that it is all great until the people you do not want using it start to use it. If this is of interest to you, I recommend reading this paper.

My opinion? Implementation of such an encryption technology where there could be an escrow or backdoor mechanism would be doomed to potential flaws. We normally do not break crypto algorithms, because that requires a great deal of skill. Instead we break crypto implementations because there are flaws in them. This attack on France will further escalate these conversations.

Of course, as you will also see this week, sometimes technology does not die: in other French news, the airport systems in France used Windows 3.1, which did support export control ciphers.

On to the news:

Wireshark 2.0.0 Released

Editor’s Note: Wireshark 2.0.0 is released; it has come a long way since the Ethereal days. Even though it is riddled with massive security bugs, we all use it because it just works so well.

Windows Phone 8 Forensics

Editor’s note: Cindy Murphy of the Madison Police Department, most notably the co-author of the SANS 585 course, published this great little slide deck on the Windows 8 phone, which has been opaque for quite a bit.

BitLocker encryption can be defeated with trivial Windows authentication bypass

Editor’s note: Uhh, patch now? Seriously, however, think about this. This is an authentication bypass in all Windows devices that are not patched up to the latest version. Really, if you read this, it’s regardless of Windows BitLocker. You are bypassing authentication pretty trivially in all Windows domain-joined systems as long as you have physical access and know some really basic information.

Keynote: Alex Stamos – The Moral Imperatives and Challenges for Modern Application Security

Editor’s note: Alex Stamos gives a level-headed view of security at scale within the confines of Facebook. My frame of mind is more like his than most others. Because to give the most security you probably should cover the largest number of people. That is first, but secondly it is probably a good idea that we not be so stringent and fight usability. If it is not usable then no one will want it. We should know this by now…no?

Breaking into and Reverse Engineering iOS Photo Vaults 

Editor’s note: This week we feature reverse engineering Apple iOS stuff. Yay!

 

16 Nov 2015 – Week ind Security

Editor’s Note: I decided a few months ago that I would create a weekly newsletter with an editorial twist for all my readers to promote a monthly newsletter. I recommend everyone just sign up right now. While I get everything going, however, I figured I would give my readers a taste of my analysis of the week’s news. This is the first of a series of posts that provides this analysis. I decided to call this series of notes Week ind Security, a play on Weakened Security.

My first thought this week is the sadness I feel for the people of France. I fear that we have started to enter a new era in our history, one that we may not have seen for a long time. I always wonder in my head what role technology has in predicting and helping. Before I dive into this, I have decided to postpone my full analysis until next week, as the news was still breaking while this newsletter was being written. I just wanted to add that the most earth-shattering thought I had about this was that it was all over social media, which was the first time we had ever seen social media (Twitter and Periscope) used in this manner. I just wanted to make mention of this as I leave this example found on this blog post.

Overall, the security news this week is from a range of sources. The Washington Post has a series of articles on the security of the internet; this week it features a controversial look at Linux and Linus Torvalds. I also included some fun tidbits from around the industry, from mimikatz to JBoss and vBulletin bugs. I hope that you find these articles good enough to read and pass around.

Most interesting stories of the week.

The $50 Device that Detects Mimikatz

Editor’s Note: This is probably not a scalable solution for the masses. I can’t imagine that you would want to buy thousands of these; plus, how would you pass the USB over VMware? I mean you could, but it’s not so simple or easy to track down which machine. Either way, it is fun, I’m going to buy one!

Let’s Encrypt Public Beta December 3rd.

Editor’s note: I’m excited for this! I am thinking that we are going to be seeing a large uptick in encrypted traffic, and for the good. I cheer this one on. I am a big believer in encrypt-first technologies. Public Beta is slated for a few weeks from now and I, for one, hope to try to check it out.

The Net of Insecurity Part 5: The Kernel of the Argument

Editor’s note: Is Linus really wrong? I mean, I am a pragmatist. I don’t know whether Linus or the security community is right or wrong. I think the truth and the compromise in how it’s looked at are equally important. Some people may as well want to encase a computer in concrete and make it unusable for the sake of security. Others wish for it to run like MS-DOS. I think the truth is somewhere in the middle. The debate rages on, but what a good article.

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.

Editor’s Note: Wait, wait, are you saying that there could be bugs when you serialize between formats? In all seriousness, I think that this is a really good writeup because it explains how to approach Java serialization and web bugs. I would recommend everyone go out and read it even if you have never understood Java; it is a very good writeup.

UCF Students Win $25,500 at Cybersecurity Competition

Editor’s Note: UCF has won a ton of these hacking competitions; they just seem to keep winning. Good job.

vBulletin password hack fuels fears of serious Internet-wide 0-day attacks

Editor’s Note: This one is just ugly: vBulletin (like most other PHP-based forums) is widely used, and according to some reports this may have been a silent RCE that was in the framework for a long time.

SecFail Focus: Passwords

For the month of November, and just to get people going on our forums (ahem, shameless shameless plug), I decided to go ahead and work on a series of sticky posts; this particular one is focused on Passwords.

For this one, I wanted to go through a few interesting posts (maybe I’ll do something fun on this one day in a presentation). We can passively deduce potential problems just by looking at some flaws:

The concern here, obviously, is why would spaces not be allowed? Spaces typically are not allowed when a developer is actually taking in those spaces and is unable to decide where the password begins and ends. For example, if my password is:

Password: Really Super Awesome

When I go to read that in a database or as a string, I may be unable to realize that the space is there, so the password may end up being stored as Really.


Why on earth in today’s world is this person not hashing that password before storing it? Why are they unable to read a string with so many ‘special characters’, what are they doing!? Are they just blindly trusting input from the form?

And of course, I need to put in the obligatory Stack Overflow link to prove that people still do dumb things:

http://stackoverflow.com/questions/17118883/php-password-encryption-key-include

So much wrong with this code concept… oh my lord. Double equals in PHP, taking in straight $input from god knows where, loose comparison with PHP (double equals), using MD5, double equals again… I can’t even begin. My favorite, however, is the question, Why do you want to hash… Yeah, why indeed.

This got me thinking how many people have password issues on the internet, so I started this forum post. I am hoping that others contribute below. I’ll start off by giving some funnier ones I’ve seen.

So, passwords that are too long? Hashes don’t work that way, by the way, guys; they are generally fixed length. MD5 (weak) is about 32 digits long. 25 > 32… hmm. Que?
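The points made so far (accept spaces and special characters, hash before storing, and no length cap because the stored value is fixed-size), as an added Python example that is not code from this post or from the linked Stack Overflow question. PBKDF2-HMAC-SHA256, the iteration count, the salt size and the sample passwords are assumptions chosen for the illustration, and `truncating_read` is a hypothetical stand-in for the whitespace-splitting bug described earlier.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware
SALT_LEN = 16         # assumed salt size in bytes


def truncating_read(field: str) -> str:
    """Hypothetical buggy reader: tokenising on whitespace keeps only 'Really'."""
    return field.split()[0]


def hash_password(password: str) -> bytes:
    """Return salt || derived key. The input is hashed byte for byte:
    no trimming, no character whitelist, no maximum length."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + key


def verify_password(password: str, stored: bytes) -> bool:
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Constant-time comparison of raw bytes: no type juggling, no early exit.
    return hmac.compare_digest(key, expected)


def demo() -> dict:
    # Constructed sample passwords: spaces, "special" characters, 500 characters.
    samples = ["Really Super Awesome", "p@$$ w0rd;'--<>", "x" * 500]
    records = {pw: hash_password(pw) for pw in samples}
    return {
        # Every stored record has the same size, whatever the password length.
        "stored_lengths": {len(rec) for rec in records.values()},
        # MD5 appears only for the length point made above; it is not used for storage.
        "md5_hex_lengths": {len(hashlib.md5(pw.encode()).hexdigest()) for pw in samples},
        "all_verify": all(verify_password(pw, rec) for pw, rec in records.items()),
        "truncated_accepted": verify_password(
            truncating_read(samples[0]), records[samples[0]]),
    }


if __name__ == "__main__":
    print(demo())
```

A site that stores records this way has no technical reason to forbid spaces or cap the password at 25 characters, since the database column only ever holds the fixed-size salt and key.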

 

This other one is genius: poor guy is trying to ask for help and just posts his personal information all over the net :/.

Not smart.

I think Tesco has always had just horrible security…but thanks for showing us what kind of passwords you use.. I guess?! More of these will be on the forum as I find them throughout the month of November, feel free to add your own!

Fixing the issue?

One way I have attempted to fix this for myself is to use a password manager, like DashLane, for all my passwords. That’s how we can solve it. Visit the ‘Tools I Use’ to find more tools of the trade.

ASA Clustering Layer 3 Quick Configuration

ASA for many years now has had clustering for data center networking and even to a certain extent for edge internet deployments. There are some interesting clustering requirements you can read about in their documentation: http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html

There are several misconceptions however that arise with clustering.

  • It requires layer 2 only, or transparent mode.
  • It requires multi-context or contextual firewalls.
  • It requires VPC or some other Layer 2 technology like VSS.

That’s not 100% true. Although it may not be the most recommended solution, you can deploy a cluster in Layer 3 mode. Here is a quick gist that shows you how it’s done. Before going to production with something like this, consult Cisco, the manufacturer, or one of its reps to guide you through the process.

-M

Hackers. 20 Years Ago.

I remember, vaguely, thinking that I had never been to New York. I was about 16 at the time. It was not for me. No. Traveling? That wasn’t in the cards for me. We were just an immigrant family and I was going to eventually work with my father in his mechanic shop or maybe selling used cars like he used to do. I was probably still running my BBS at the time. It was funny that today if you ask my mom she remembers the horror of her 12-year-old son asking for a computer because we had Apple IIs in elementary school. What did she know about computers?

This story is continued on Medium!