Thursday, September 24, 2009

Thawte Discontinues Free Email Certificates and the Web of Trust

Creative Commons Attribution License image courtesy Flickr user Fristle

Thawte's Web of Trust and free email certificates have been a great way to get S/MIME certificates signed for personal use by a large CA. I've been a notary for a few years, and I've found that being able to offer an easy to obtain certificate with a reasonably strong validation process was a great way to introduce S/MIME certificates and secure email to many people.

Today Thawte announced that both their free personal email certificates and the Web of Trust will cease to exist after November 16th, 2009. Details of the impact are covered in their FAQ.

This will remove one of the largest in-person vetted identity certification groups that I know of - a reasonably unique institution. Those who paid money for notarization to receive points in the Web of Trust will find that that investment no longer pays returns. Thawte's consolation prize is a single year of VeriSign's commercial personal email certificate service, and a free one year certificate of the member's choice.

I'm not aware of any viable community replacement for this service for S/MIME certificate users, and I'm somewhat disappointed that Thawte hasn't pushed the idea of making this some form of community supported or managed service.

Tuesday, September 22, 2009

Acquisition drive too small? Loop and offset to the rescue!

On any given day, I might need to take an image of a physical drive to analyze offline. In the past, our 1TB imaging target drives were plenty to hold a raw dump of the drive as well as partition dumps or carves later on. However, with the spate of large capacity drives being installed, even in laptops, I'm lucky to get just the raw dump of the drive with some working space left over for an evidence locker. But what if I need to parse through the partitions individually or want to mount them remotely? Loop device mounting and the offset option (both operands supported by the mount command) to the rescue. After imaging the entire drive and, of course, verifying the hash, I have everything I need. Now for the fun.

Typically, you can mount a raw image with the loop device operand:

#mount -o loop,ro -t auto /some/image.raw /your/mountpoint

I use this often when I only have an image of a partition. However, this option will not work when trying to mount an image of an entire physical device with one or more logical drives defined within it. So now what?

Given that an image is really just a block level copy of data, we are only dealing with data. Using the loop device with further options - offset specifically - lets you tell it where within that string of data to consider the starting point. In essence, the offset operand tells mount and the loop device to skip n bytes from the actual beginning of the data. But where do my partitions start and end?

To get an idea of what is contained inside the image, as far as file system information, logical drives etc., you will need to use a utility like fdisk. fdisk is a partition table manipulator for Linux. While it can be used to manipulate the partitions, we'll just use it to find out what's inside the image. The following command will give you all the details we need about an image:

# fdisk -ul image.001

You must set cylinders.
You can do this from the extra functions menu.

Disk image.001: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0xd42ad42a

Device Boot Start End Blocks Id System
image.001p1 * 63 42154559 21077248+ 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 254, 63) logical=(2623, 254, 63)
image.001p2 42154560 156296384 57070912+ 5 Extended
Partition 2 has different physical/logical beginnings (non-Linux?):
phys=(1023, 0, 1) logical=(2624, 0, 1)
Partition 2 has different physical/logical endings:
phys=(1023, 254, 63) logical=(9728, 254, 63)
image.001p5 42154623 156296384 57070881 7 HPFS/NTFS

In the example above, I pointed "fdisk -ul" at an image of a Windows drive that had two partitions. I used option "u" to list the sizes in sectors instead of cylinders and "l" to list the partitions within the device and then exit. So, from here, how do we calculate where the starting point is for each partition and then tell mount where we want the beginning to be? First we start by determining the sector size. This is expressed in bytes, and it is the multiplier we use to determine how many bytes into the image we want to offset. We can see in the output that the sector size is 512 bytes:

Units = sectors of 1 * 512 = 512 bytes

Next we need to know at what sector each partition starts. In the example above, we see several partitions listed; image.001p1, image.001p2, image.001p5. Each partition entry in the output has a start point denoted in sectors:

Device Boot Start End Blocks Id System
image.001p1 * 63 42154559 21077248+ 7 HPFS/NTFS
image.001p2 42154560 156296384 57070912+ 5 Extended
image.001p5 42154623 156296384 57070881 7 HPFS/NTFS

But wait - in this example I have a drive image that only contained two partitions - why are there three listed? This is because the drive I imaged was partitioned with one primary boot partition and an extended partition which contains another partition. There are many religious debates on how to partition drives, but suffice it to say, this is by far more common than not. Today, we are only concerned about mounting the two NTFS partitions listed. In the fdisk output we can see that partition 1 starts at sector 63 and partition 5 starts at sector 42154623. We'll multiply these starting sectors by our sector size to determine what our offset (in bytes) is for each mount operation:

sector size * starting sector = offset
512 * 63 = 32256
512 * 42154623 = 21583166976

Now that we have the offset, in bytes, we can formulate our mount commands:

#mount -o ro,loop,offset=32256 -t ntfs-3g image.001 /some/mountpoint
#mount -o ro,loop,offset=21583166976 -t ntfs-3g image.001 /another/mountpoint
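As an added example that is not part of the original post, the script below automates the steps above: it reads "fdisk -ul" output, pulls the sector size from the "Units" line, multiplies it by each partition's starting sector, and prints the corresponding mount commands. SAMPLE_FDISK is a constructed copy of the listing shown above so the script runs offline; the /mnt mount points, the fallback to "-t auto" for partition types other than NTFS, and the function names are my assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: turn "fdisk -ul" output into the
# byte offsets that "mount -o loop,offset=..." needs, using the post's own
# rule: offset = sector size * starting sector.
# SAMPLE_FDISK is a constructed copy of the listing shown in the post; in
# practice you would pipe "fdisk -ul image.001" into partition_offsets instead.

SAMPLE_FDISK='Disk image.001: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0xd42ad42a

Device Boot Start End Blocks Id System
image.001p1 * 63 42154559 21077248+ 7 HPFS/NTFS
image.001p2 42154560 156296384 57070912+ 5 Extended
image.001p5 42154623 156296384 57070881 7 HPFS/NTFS'

# Read fdisk -ul output on stdin and print one line per partition:
#   <device> <start sector> <offset in bytes> <partition id>
partition_offsets() {
    awk '
        # "Units = sectors of 1 * 512 = 512 bytes": the next-to-last field is
        # the sector size in bytes, our multiplier.
        /^Units = sectors/ { sector = $(NF - 1); next }

        # Partition rows start with the image name plus "p<n>".  A "*" in the
        # Boot column shifts the remaining fields right by one.
        $1 ~ /p[0-9]+$/ && sector > 0 {
            boot  = ($2 == "*") ? 1 : 0
            start = $(2 + boot)
            id    = $(5 + boot)
            # %.0f rather than %d: offsets past 2 GiB overflow a 32-bit int in some awks
            printf "%s %d %.0f %s\n", $1, start, start * sector, id
        }
    '
}

# Print the mount command for each mountable partition in the image.
# Id 5 is an extended container with no file system of its own, so it is
# skipped; id 7 (HPFS/NTFS) gets ntfs-3g as in the post; anything else
# falls back to "-t auto".  Mount points under /mnt are an assumption.
mount_commands() {
    image=$1
    partition_offsets | while read dev start offset id; do
        case $id in
            5) continue ;;
            7) fstype=ntfs-3g ;;
            *) fstype=auto ;;
        esac
        echo "mount -o ro,loop,offset=$offset -t $fstype $image /mnt/$dev"
    done
}

# Usage with the constructed sample (replace with: fdisk -ul image.001 | mount_commands image.001)
printf '%s\n' "$SAMPLE_FDISK" | mount_commands image.001
```

The script prints the mount commands rather than running them, so you can review the offsets against the fdisk listing before mounting anything as root; the "ro" option is kept on every command so the image is never written to.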

And there we have it - both partitions within a raw drive image mounted and ready to explore without having to take more images of just the logical drives - or carve them out of what we have. Of course, file systems will vary along with disk geometry and associated mounting options. However these basic steps can be used to identify and mount every partition contained within a raw disk image.

Friday, September 18, 2009

Stolen Laptop Recovery with LogMeIn - Round 2

PC World has David Krop's story of laptop recovery using LogMeIn. I've discussed a couple of similar stories involving a laptop and an iPhone previously, as well as the case for remote control software, and this is another example of a laptop that was not properly secured being used by a new user while remote login software was on.

The buyer of the stolen laptop is quoted, saying "I didn't care whether it was stolen, I buy stolen stuff all the time. I don't care... If I can save $600, I'll do it." While he may not have learned a lesson, the owner of the stolen laptops did, noting that he won't leave the laptops unattended, that he takes only one with him, and that he uses passwords and remote tracking software now.

What You Do on Facebook Can Cause You Harm is True For Criminals Too

Jonathan G. Parker of Fort Loudon, Pennsylvania was arraigned on a burglary charge after he forgot to log out of Facebook on the computer at a house that he had robbed.

We're all busy telling our users that what they do on Facebook can cause them problems in the future, but this is a slightly more direct example...

Thursday, September 17, 2009

Making Web Application Security Controls Repeatable

Raul Siles recently posted a useful reminder as his ISC diary post - "Review the security controls of your Web Applications... all them!". He used the problems described by Ryan Barnett that were found in Yahoo's web API as an excellent example of this rule. Both posts point to a common problem in applications that I see - the loss of established controls in new code and new functionality.

One way I've been working to help fix this in an organization that hasn't developed a comprehensive software development lifecycle or broad QA process is to build a multi-step process to handle security flaws found in an application. Typical steps are:

  1. Determine whether the problem is unique to the application, or if it is a flaw that is likely found in other applications, either current or future.
  2. If it is more than a one time problem, design a common library or technique to handle the problem.
  3. Assess the severity of the problem, and apply the fix to other applications if the risk is determined to be high enough to justify the effort. If not, add the fix to the queue for the next update to those applications.
  4. Re-test the application to verify that the fix works.
  5. Document the library and ensure that the rest of the team is aware of it.

One of the best things about this sort of process is that developers start to think about problems in a much broader context. Recently, I've seen two of the developers I work with frequently stop during a meeting and ask out loud "I wonder if that applies in application X too...". That thought process usually ends up in modifications to their standard application libraries, which means that problems I saw once tend not to come back across their entire group.

How are these vulnerabilities discovered? A web application vulnerability scanner - WebInspect in this case - provides most of the vulnerability testing. Manual testing, while often deeper and more likely to find corner cases for vulnerabilities, doesn't scale as well into an environment with limited resources and a large number of applications. Automated testing systems are also great for helping to cover some gaps in skillset. As Jeremiah Grossman points out, they may simply cover low hanging fruit, but that can be very valuable.

Do you have a unique or creative internal process to make sure that your organization keeps web application vulnerabilities from recurring?

Monday, September 14, 2009

Brazilian ATM Skimmer Installation Video

LiveLeak has great footage of an ATM skimmer being installed in Brazil, as well as the police arrest that followed. Note - LiveLeak itself may be not safe for some work environments due to adult ads.

The first few seconds are a quick lesson in how easily these skimmers can be attached.

Friday, September 11, 2009

Security Humor: Indiana State Government Ponzi Scheme Education

Google text ads can sometimes be a bit humorous as seen in this example:

I knew there was a reason that our budget wasn't as bad as those in other states. Of course, I wonder if the Secretary of State also teaches advanced Ponzi schemes...

Thursday, September 10, 2009

EDUCAUSE's 2009 Video and Poster Contest Winners

EDUCAUSE has announced their 2009 security video and poster contest winners. They can be viewed at: Previous years can be accessed from the main EDUCAUSE contest site.

The videos produced for this contest are typically aimed at students, but often address topics that are relevant to the general populace.

This year, I particularly liked the Cyber Security Awareness video by Nathan Krochmal, and Lenae Boykin's 10 Most Common Passwords is quite well done. In previous years, Adam Stackhouse's Laptop Theft video has been a big hit.

As with the videos and other materials created each year for this contest, colleges and universities can use these videos as part of their education and awareness campaigns. They're a great way to add spice to typical student security awareness and education videos, and they've helped to inspire some of our staff and faculty awareness efforts as well.

Wednesday, September 9, 2009

SMB2 - Breaking Windows From Afar

Creative Commons Attribution License Photo courtesy Justus Hayes / Shoes on Wires /

Announcements have been making the rounds about vulnerabilities in Windows Vista and Windows 7's implementation of SMB, SMB2. As posted on Full Disclosure, this version of SMB "SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.", which results in a remotely initiated crash of any Vista or Windows 7 machine with exposed SMB services.

Older versions of Windows, including 2000 and XP are not affected, as they do not use the new SRV2.SYS driver.

Another good reminder that SMB shouldn't be exposed on workstations in general, and that if it must be available, that it should be locked down to prevent access beyond your local trusted networks or workgroup.