Wednesday Mar 24, 2010

Why using social security numbers for anything other than social security is bad...

I keep repeating around the world that using social security numbers for anything other than social security is a bad thing.

One of the reasons ID theft is so big in the USA is specifically because of that. Your SS number appears in so many communications you get from so many sources (why, for instance, would you need to give your SS number to your bank in order to open an account - do they expect to be responsible for deciding what money you get from social security?)...

This paper published some time ago explains how it is possible to predict SS numbers for a non-negligible number of US citizens using publicly available data... that should be one more (if not enough of a) reason to stop using SS numbers everywhere, like the US does.

Time to change that system... fast!

Zero day flaws?

OK... This is where I will attempt to educate a certain population of journalists about terminology.

I keep reading about impressive new zero day flaws that are present in this or that product... So for the record, I'd like to go over this once again...

The term "zero day" doesn't apply to faults, vulnerabilities, bugs or holes. It applies to attacks and exploits.

A "zero day" exploit / attack is one that is present on the day that a fault it leverages is disclosed. That's why they are called zero day. Because they appear on that day. Not 1, 2, 3 or more days after...

What would a "zero day fault" be? It would be one that is announced the day it is announced... pretty dumb if you want my take on it.

So could all those journalists in need of sensationalism stop using the term "zero day flaw" which means nothing, and concentrate on proper facts, and their correct naming?

We now return to our original programming...

Tuesday Mar 23, 2010

Test your web apps with Google's new Skipfish vulnerability scanner!

Google has just made available a beta (for some reason, all the cool stuff I use from Google is labeled "beta" these days) version of Skipfish, their new fully automated, active web application security reconnaissance tool (I'm quoting their page on that last sentence).

Grab the baby here!

It's looking very good to test your own code... but seems to be VERY noisy, so don't use it to stealthily probe other people's sites... you WILL get detected. :) (Maybe that's a voluntary design goal to avoid criminals using it - I have no issue with it.)

Friday Oct 23, 2009

Evil maids attacking? Nothing new. Really!

So, I've been reading Bruce Schneier's blog on the Evil Maid Attack. He's falling into one of the behaviors he usually criticizes: just a new Hollywood-style plot for something that is not really new and does not really change the world.

The thing is... The assumption is that the attacker has physical access to your laptop. Which has always been an issue. Insert a keylogger into your hardware (keyboard cable on a desktop, or a bit more subtle on a laptop, but nothing beyond the capabilities of your typical spooks) and you get the same access to all keystrokes, including those for the passwords to the encrypted disks, Firefox datastores, and pretty much anything else.

So apart from having a fancy name... nothing new.

It's like Java... If you let an attacker change your bytecode loader / verifier... yeah, they break your system. But then again... it's not really running Java anymore at this point.

Same here... if you let an attacker change the behavior of your machine (hardware or software) then you're not really running your machine anymore at this point either.

Sure, multi-factor authentication is the solution. But "Evil Maid Attack" is just a fancy name for something not really new.

Monday Jun 08, 2009

Microsoft's unremovable add-on to Firefox

See, this is why I think we should all be extremely careful when it comes to using Microsoft software.

Recently, one of the Windows updates resulted in an add-on being, well, added, to Firefox. This happened with the Microsoft .NET Framework 3.5 Service Pack 1 update, pushed through the Windows Update service to all recent editions of Windows in February 2009.

First, I'm really upset that this didn't ask my permission to add the Firefox add-on. That alone is enough to break whatever confidence I had left in that company's way of dealing with users' property.

Second, when I realized what was going on, and that there was a significant security risk to that add-on, I decided to remove it. Unfortunately, Microsoft decided that I'm not supposed to remove that add-on. Maybe they think they know better than me. As a result, the add-on's uninstall button is greyed out. The only way I found to remove it was to follow the instructions on

Just to make sure this is really clear, I'll repeat those instructions here :

  1. Open Registry Editor (type regedit in the Start menu Search box in Vista/Windows 7, or in XP's Run window).
  2. Expand the branches to the following key:
    • On 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
    • On x64 systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions
  3. Delete the value named {20a82645-c095-46ed-80e3-08825760534b} from the right pane.
  4. Close the Registry Editor when you're done.
  5. Open a new Firefox window, and in the address bar, type about:config and press Enter.
  6. Type microsoftdotnet in the Filter field to quickly find the general.useragent.extra.microsoftdotnet setting.
  7. Right-click general.useragent.extra.microsoftdotnet and select Reset.
  8. Quit Firefox (or else step 10 won't work)
  9. Open Windows Explorer, and navigate to %SYSTEMDRIVE%\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation.
  10. Delete the DotNetAssistantExtension folder entirely.
  11. Restart Firefox
  12. Open the Add-ons window in Firefox to confirm that the Microsoft .NET Framework Assistant extension has been removed.

Now repeat after me : "I don't trust Microsoft to want the best for my PC... ever. I am convinced that many more times in the future, they will resort to this kind of behavior and install code that poses a risk to my machine without asking me and making very sure I can't remove it easily".

If you have to use Microsoft software for specific tasks (I have to), be extremely careful with what they install on your machine without telling you.

If you want to be able to trust your machine, use an open source operating system such as OpenSolaris or one of the Linux variants (I like Ubuntu). But don't even start thinking you can trust Microsoft with your machine. They just proved to the world it's a trust incorrectly placed.

And while you're at it, ditch MS Office... go for You're better off from a security perspective... and already all set to send and work with documents that all major governments are starting to define as their standard format.

Monday Feb 23, 2009

appGATE Free Edition is out!

Finally it's there! appGATE has just released their new Free Edition of their Security Server. The general idea is that you can download a virtualized version of it, run it in VMware (hopefully soon VirtualBox). You just need to go to appGATE's web site, apply for a free license, download the image, and off you go.

While this isn't open source... it's using a similar business model. You get the basics for free... you can then decide if you want / need (paid) support. Of course there is a limitation in terms of number of users... but, should you need more, you probably will want a fully scalable appliance version of the product, in which case you'll be happy to purchase it pre-bundled and configured for you. That's added value that you'll appreciate.

appGATE is doing the right thing. In these times of economic difficulties, they are making their product available for free to small enterprises as well as anybody who wants to do a small pilot... and that will let people discover the benefits of remotely accessing corporate data and applications.

You know what's even nicer about all this? It's based on OpenSolaris, our very own open source operating system. And, I think, the world's most secure general purpose operating system. You can, of course, if you want something a bit less bleeding edge, and you need the certification, get the appliance on Solaris 10 which has undergone IT-SEC EAL4+ certification. And since the actual appGATE security server is EAL2+ certified, you get pretty much state of the art security, with certifications to prove it.

Way to go!

Sunday Feb 01, 2009

Jet lag and appGATE

I arrived yesterday in the SF Bay Area for a week of meetings and this is the first night. Jet lag just hit at its strongest and weirdest as I woke up at 2:15 this morning fresh out of a dream that (since I woke up during it) I remember in every vivid (and strange) detail.

So in my dream, I was with a friend who is the IT director of the Grande Chartreuse monastery in France, a beautiful place near Grenoble where they make one of my all (adult) time favorite drinks : La Chartreuse. Now this is strange as I have no friend who works in, or for, a monastery... But if I had, it would probably be one working right there.

So what was I doing in my dream? Well, we were home, and he was asking me (thus adhering to the oh-so-common tradition around me : "Hey, Gilles, you work in computer security, can you give me some ideas about what I'm trying to do?";) how to enable the monks of the monastery who are travelling around the globe (I don't even know if the Carthusian monks actually do so) to securely access their internal network.

And so, in my dream, I had brought him up to my work room and was explaining, using drawings on the big whiteboard, how appGATE Security Server enables roaming users to identify themselves, and have their role and its current implications in terms of access to applications and data checked by Sun's Identity Management suite, so that the system knows that, while they are travelling, they are currently in service, and so have access to all their applications (albeit in a potentially limited fashion due to the remote location or constrained device), or maybe that they are travelling and not in service, and so only have access to a subset of features (like, just e-mail). I was showing how only one port needs to be open on the appGATE security server (usually port 22 for SSH), and that there is never direct contact from the outside of the network to the inside, but rather that the security server offers a relay to a view on what specific tasks and resources are allowed given the user's current context.

I had also told him that this was secure enough to be used by defense, government, banks and other very sensitive customers worldwide and that this was a very cool company as their stuff was running on Sun hardware, and about how the roaming features allowed the underlying network variations to be abstracted from the applications by the appGATE client on the device.

And then I woke up. 2:15 AM, in my usual hotel in Newark... So here I am writing about this. Yes, there would have been many more things to say about the Sun / appGATE partnership, about how appGATE's solutions perfectly complement Sun's own Secure Global Desktop offering when roaming is key and how appGATE is packaged through Sun's CRS service in the form of easy to order, and use, appliances... but it was just a dream, so limited in time and scope.

And talking about time... it's about time I got back to bed and tried to get back on track to California time. This week will be a long week, and unfortunately, I don't know if, or where, I'll be able to sip a glass of delicious Chartreuse. One more thing to look forward to when I get back home to my lovely family.

Wednesday Dec 10, 2008

Remotely connecting to a Solaris machine... with security, minimal fuss and stuff!

I figured (OK... it was suggested to me by Karim Berrah who runs the CHOSUG Wiki) that others might be interested in knowing how I remotely connect to my favorite OpenSolaris machines.

It's actually very simple... all the tools are there for you!

The basic protocol that we will be using is called VNC. OpenSolaris comes with 2 different VNC servers.

The first one is the traditional "vncserver" process, which you can start manually, specifying the resolution with "-geometry XxY" and the virtual display number to use with ":X", e.g. "vncserver -geometry 1024x768 :2". The first time you use vncserver it will ask you to specify a password to protect the connection to your system. (You can change it later with "vncpasswd".) If you don't do anything special, the session starts with twm as the window manager. You can edit the .vnc/xstartup file and change the "twm &" line to start some other window manager if you want, but twm is very lightweight. You can kill the VNC server with "vncserver -kill :X", where X is the same number you used to start the server. You can run multiple vncservers...

The second one comes bundled with GNOME and is vino, the GNOME VNC server. It is embedded in GNOME and starts when you start your session. You first configure and enable it with the command vino-preferences (or through the menus System->Preferences->Desktop Sharing). Allow users to view and control your desktop... and, very important, set a password! The current build of OpenSolaris has an "Advanced" tab there that offers additional options; have a look. Note that since vino is sharing your GNOME display, it is automatically set to display :0.

To connect to your machine remotely, there are 2 ways. The first is the "fat" way, using the native VNC client: "vncviewer :X", where X is the number you defined when starting vncserver or, for vino, 0.

You will be prompted for the password you specified.

Vino is interesting as, since it's integrated with GNOME, it offers full DBus integration... but it has the drawback of being fixed to :0... and requiring the GNOME session to be started on the machine by logging in... whereas vncserver can be remotely started from a shell and doesn't require the user to be logged in, but doesn't offer that full GNOME integration.

VNC traditionally uses 2 ports to work.

One is the normal VNC protocol port and is 5900+X (where X is the number you chose when launching vncserver)... so 5900 for vino and (in my example when I used :2) 5902. This needs to be tunneled if you are going to go through a NAT router.

The second port is 5800+X (same rules for X)... and that's the Java client for VNC. This is the light way of accessing it. If your server is, say, :0 (the case for vino), just open a browser to http://yourhost:5800/ and it will start a Java vncviewer directly to port 5900. vino comes with the Java client by default. vncserver doesn't (you have to manually add -httpd to the vncserver command, i.e. vncserver -httpd -geometry 800x600 :2). This Java solution is nice as it doesn't require a local vncviewer client... it can be run from any modern browser with a Java VM installed.

Here is an added bit of magic... I don't like to run VNC over a cleartext network connection. vino supports encryption, but not all clients do. So what I do is not open 5800+X and 5900+X on my NAT router. Instead I open port 22, SSH to my server, and through SSH I tunnel ports 5800+X and 5900+X. From my client machine I then run "vncviewer localhost:5900+X". This is now tunneled through SSH from my client machine to the actual server.

My favorite application to do this SSH magic is AppGate's MindTerm. It's a free (for personal and small business use) Java SSH client. It's a jar file that can be run as an application or hosted as a Java applet (I have the application on my OpenSolaris laptop, but the applet is served from the web server on my home network so that it's always available to me wherever I am coming from). When you launch it, you specify which machine you want to connect to. You do the login... and then Tunnels->Setup and select "Add". Since I have vino on my local laptop, I can't use local port 5900... so I forward 5901 to the remote "localhost" 5900 (since the remote server is also running vino on :0). This is done by selecting:

- Type : local
- Bind address : localhost
- Bind port : 5901
- Dest address : localhost
- Dest port : 5900

And then clicking OK. Voilà. You can then run "vncviewer :1" from a terminal and it will connect to vino (:0) on the remote machine, tunneled through SSH.
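The same tunnel, built with OpenSSH's `-L` local forwarding instead of the MindTerm dialog, as an added example that is not part of the original post. It assumes `ssh` and `vncviewer` on the client, the usual VNC port layout on the server (5900+X for the protocol, 5800+X for the Java client), and the hostname and user name are constructed. The two things worth noticing are that every forward binds explicitly to `localhost`, so nobody else on the client's LAN can ride the tunnel, and that a local display already taken (vino on :0, as in the post) is refused rather than silently colliding.

```python
"""Plan (and optionally launch) a VNC-over-SSH tunnel with OpenSSH.

Added example, not code from the original post. Assumes OpenSSH's `ssh`
and a `vncviewer` binary on the client, and the usual VNC port layout on
the server: 5900+display for the RFB protocol, 5800+display for the Java
client. Hostnames and user names used here are constructed.
"""
import subprocess
from typing import Dict, List, Optional, Tuple

VNC_BASE = 5900       # RFB protocol port for display :0
VNC_HTTP_BASE = 5800  # port serving the Java vncviewer applet for display :0


def display_port(display: int, base: int = VNC_BASE) -> int:
    """Map a VNC display number (:X) to its TCP port (base + X)."""
    if not 0 <= display <= 99:
        raise ValueError(f"VNC display {display} is out of range 0-99")
    return base + display


def plan_tunnel(remote_host: str, remote_display: int, local_display: int,
                user: Optional[str] = None, with_http: bool = False,
                local_busy_displays: Tuple[int, ...] = (0,)) -> Dict[str, List[str]]:
    """Build the argv for the SSH tunnel and for the matching vncviewer call.

    local_busy_displays lists local displays already in use (vino on :0 by
    default, as in the post) so we never bind the tunnel on top of them.
    Each -L binds to localhost explicitly: the forwarded port is reachable
    only from the client machine itself, never from its LAN.
    """
    if local_display in local_busy_displays:
        raise ValueError(f"local display :{local_display} is already in use")
    forwards = ["-L", f"localhost:{display_port(local_display)}"
                      f":localhost:{display_port(remote_display)}"]
    if with_http:
        forwards += ["-L", f"localhost:{display_port(local_display, VNC_HTTP_BASE)}"
                           f":localhost:{display_port(remote_display, VNC_HTTP_BASE)}"]
    target = f"{user}@{remote_host}" if user else remote_host
    return {
        # -N: no remote shell, the SSH session exists only for the forwards
        "ssh": ["ssh", "-N", *forwards, target],
        # vncviewer's ":N" shorthand means localhost port 5900+N
        "vncviewer": ["vncviewer", f"localhost:{local_display}"],
    }


def open_tunnel(plan: Dict[str, List[str]]) -> subprocess.Popen:
    """Start the ssh forwarder in the background; call .terminate() when done."""
    return subprocess.Popen(plan["ssh"])


if __name__ == "__main__":
    # Constructed host and user; remote vino on :0, local vino already on :0.
    plan = plan_tunnel("vncbox.example.net", remote_display=0, local_display=1,
                       user="gilles", with_http=True)
    print(" ".join(plan["ssh"]))
    print(" ".join(plan["vncviewer"]))
```

Run the printed `ssh` line in one terminal (it stays open, doing nothing but forwarding), then the `vncviewer` line in another; port 22 is the only one the NAT router needs to pass.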

Have fun!


Tuesday Jun 17, 2008

Why high definition DVDs are good for privacy and security...

So here's the situation... nowadays, when crossing border control, and in particular when entering the US of A, you may be asked to turn over your laptop and other electronic devices to border control who, fearful of terrorists crossing their border, will want to search your corporate data for any kind of document that may prove you are on your way to planning something nasty.

Bruce Schneier has commented many times on how you should prepare your laptops, cell phones, and other devices so that when seized, nothing bad happens.

There is one additional option that he doesn't mention (yet), but that I think will become more and more feasible given where the media industry is taking us.

Take a movie. Yes, one that you rightfully own, of course. Convert it into a Divx (you bought the movie, you should be able to view it on the player of your choice). Actually, my friend Darren Moffat suggests even better: take a personal home movie that you made with your own camcorder, so that there are no issues whatsoever about fair use or alternate formats... you made the movie, it's yours to do what you want with it. If it's a normal movie, you get an 800MB file... that's small... but if you take an average HD-DVD (R.I.P.) or BluRay movie, then you get a multi-gigabyte file. That's much better...

What can one do with a multi-GB file of seemingly random bytes? Well, you can tweak the lower-order bits to hide data inside it. That's called steganography. And with multiple gigabytes of storage to start with, you can store a whole lot of useful information.

Suddenly, that 32 GB SDHC card you just bought can be used to watch a movie on the plane all while carrying your sensitive personal or corporate data. And all in perfect deniability. "Mr Officer, this is just a Divx which I've been watching on the plane during the flight where they had very boring movies scheduled. Here, let me show you that movie." and you go on to play it in your favorite (open source) media player to prove your case.
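What "tweaking the lower-order bits" actually means, as an added example that is not from the original post: one payload bit replaces the least significant bit of each carrier byte, behind a 4-byte length header so the reader knows where the payload ends. The carrier here is a constructed buffer of pseudo-random bytes standing in for the movie file; with a real compressed video you would only flip bits in places the codec tolerates (decoded samples, not the container's structure), otherwise the file stops playing and the whole deniability argument collapses. The capacity check is the part that matters operationally: a carrier of N bytes hides at most N/8 minus 4 payload bytes.

```python
"""Least-significant-bit steganography on a byte buffer.

Added example, not the post's own code. The carrier is a constructed
pseudo-random buffer standing in for the video file; the framing
(4-byte big-endian length, then payload, one bit per carrier byte) is
this example's own convention, not any tool's format.
"""
import random

HEADER_BYTES = 4  # payload length prefix, so extract() knows when to stop


def capacity_bytes(carrier: bytes) -> int:
    """Payload bytes that fit: one bit per carrier byte, minus the header."""
    return len(carrier) // 8 - HEADER_BYTES


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Return a copy of carrier whose LSBs carry length||payload."""
    if len(payload) > capacity_bytes(carrier):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity "
                         f"of {capacity_bytes(carrier)} bytes")
    framed = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return bytes(out)


def extract(carrier: bytes) -> bytes:
    """Recover the payload embedded by embed(); raises if no sane header."""
    if len(carrier) < HEADER_BYTES * 8:
        raise ValueError("carrier too short to hold a header")

    def read(n_bytes: int, offset: int) -> bytes:
        value = 0
        for i in range(n_bytes * 8):
            value = (value << 1) | (carrier[offset + i] & 1)
        return value.to_bytes(n_bytes, "big")

    length = int.from_bytes(read(HEADER_BYTES, 0), "big")
    if length > capacity_bytes(carrier):
        raise ValueError("length header inconsistent with carrier size: no payload")
    return read(length, HEADER_BYTES * 8)


def make_carrier(size: int, seed: int = 1) -> bytes:
    """Constructed stand-in for a video file: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


if __name__ == "__main__":
    carrier = make_carrier(4096)
    secret = b"constructed sample payload"
    stego = embed(carrier, secret)
    changed = sum(1 for a, b in zip(carrier, stego) if a != b)
    print(f"capacity {capacity_bytes(carrier)} bytes, {changed} carrier bytes changed")
    print(extract(stego))
```

Because only the lowest bit of each byte ever changes, the carrier and the stego copy differ by at most one bit per byte, and roughly half of the touched bytes do not change at all (their LSB already matched). That is also why LSB embedding is detectable by statistics rather than by eye: the fix for the defender is to look at bit-plane distributions, not at the picture.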

I love technology!

Thursday Jun 21, 2007

Fun ways to freak out airport security

Fun way #1 : pack one or more harmonicas in your hand luggage.

Apparently, with its 10 little metal slots, it looks like a gun magazine (yes, I (try to) play blues harp).

Optional bonus way : add a mini photo tripod in the same bag. Guarantees a bag examination, if you want my opinion. :)

Oh well... another day, another plane.

Thursday Mar 15, 2007

ZERO-DAY vulnerabilities?

OK... so I keep hearing about zero-day vulnerabilities... I think journalists sometimes need to get a clue.


ZERO-DAY vulnerability is a term that doesn't make sense.

Think about it.

The real term they are looking for is zero-day ATTACK or zero-day EXPLOIT. These terms refer to an attack (or attack code) that appears on the net on the same day (or before) a vulnerability is made known, or disclosed in some other way. In this context, the attack or exploit is truly on day zero of the vulnerability being known... since, in most of the cases of this happening, it is when the attack / exploit becomes public that the vulnerability becomes known.

Often, actually, this is because the vendor affected by the vulnerability didn't want it publicized (for fear of loss of reputation) so the users actually end up not being protected on the day the attack is out in the wild. This is ridiculous, of course, but some companies still believe that. Mostly, these are companies developing software in closed-source mode, rather than open source.


It could also be because an attacker found a flaw and decides to exploit it as soon as possible before it gets known or fixed... but in the open source world, this is almost never possible given that good guys find the flaws at about the same speed as the bad guys... and immediately report them to the vendors (see my previous (in French) entry on telnet hole in Solaris that was fixed extremely fast thanks to this being disclosed to us so quickly).


So... back to zero-day vulnerabilities. It's simple... vulnerabilities are found on the day they are found. So they are either all zero-day... or it really doesn't make sense to call them zero-day... but it should be the same for all vulnerabilities.


Unfortunately, journalists without a clue think that it sounds more impressive (more hacker-style?) to call something "zero-day"... than not... and it sounds/looks so good when put just in front of the word "vulnerability" that they can't just resist.


Tomorrow we'll have zero-day operating systems... zero-day software (available the day it is made available?)... zero-day news (oh... wait... that's already usually the case, thanks to companies like Reuters who do a fantastic job of bringing in the news in as close to real time as possible)...


All right... so. Takeaway from today's rant : only call zero-day things for which it makes actual sense. zero-day attacks : yes. zero-day exploit : yes, zero-day vulnerability : just say NO!

Tuesday Feb 13, 2007

A major Solaris 10 bug - discovered thanks to the community

So there we are... after saying it for so long, here at last is a blatant demonstration of the value of free software when it comes to security. This weekend, a very serious security flaw was discovered in Solaris 10.

In fact, a single command lets you log in as any user on a Solaris 10 (or Solaris Express) system without having to enter a password. The bug lies in the way in.telnetd handles the passing of certain parameters.

What is interesting here, apart from the ease with which one can therefore become root on a Solaris machine, is that:

  1. If you installed a recent version of Solaris with the "Secure By Default" mode, telnet is disabled and you are not affected by the bug.
  2. If you use roles to administer the machine, not much happens if an intruder logs in as a normal user (including root), because they still have to go through the normal mechanisms to assume one of the administrative roles before they can do anything at all.
  3. As I said above, it is thanks to the OpenSolaris community that the bug was reported to us very quickly, and that within a few hours our teams were able to develop temporary patches and fixes to work around the bug and to correct it.

Of course, there will still be bugs, and some of them will even concern security, but thanks to the OpenSolaris community we can discover them quickly and fix them in time, ideally before criminals can exploit them.

Monday Nov 27, 2006

Direct blogging from a cell phone - a security issue?

So I got my new Sony Ericsson W850i and I decided to take a picture with it... not much fuss there. Given that it's a cell phone, and not a real camera, I wasn't looking as much for quality as I was looking to see what I can actually do with a cell phone.

Well... Now I know. After taking my picture, I have a "More" menu that appears... and one of the entries is "Blog this". I wondered how easy it could be so I tried it. I was prompted to enter a title... and a body for the blog... then I pressed "Send"... After a few moments of processing, the result was this :

Interestingly enough, I can now walk into an area... take a picture, and in a few seconds, this picture is sent out and posted properly to a web log. I'm sure this will drive corporate security people bonkers. No luck now if, after seeing me take a picture, they try to take away the memory card in my phone. The picture is not only already sent out... but published. If you have an RSS reader linked to my blog... you are actively reminded that the picture is there.


Some businesses already were preventing use of digital cameras... and in some cases cell phones, but it's now really becoming an interesting issue to manage!


The world we live in is really turning into something fun.



Wednesday Nov 08, 2006

New airline security measures. Measure your fluids...

Starting this week, traveling by plane has been made much more painful. Now you have to make sure you don't carry with you liquids in too big quantities, and the liquids that you carry need to be properly visible.

Does this bring any kind of additional security? I'm not sure.

Large liquid containers now need to be checked in. OK... fine. It's away and can't be acted upon to do something bad.

Small liquid containers of less than 100ml can be taken on board, but need to be in sealed transparent plastic bags.

The rationale behind this? If the bag is sealed, it becomes very difficult to examine what is inside the bottle. Could one small bottle contain nitric acid, and another contain glycerin? Maybe 200ml of nitroglycerin won't do much to a plane (though I'm sure that, next to a weakened area such as a door frame or a window, it would do interesting things), but I'm certain that with 2 bottles of 100ml of adequate products one can easily make a binary neurotoxin that would quickly kill everybody on board a plane and result in the plane crashing in the ocean just as well as if there was a bomb on board.

These measures are for show. They are in place to tell passengers "see how painful it is to travel? It's because we have put in place extremely strong security measures." They are in place to tell potential terrorists "see, you have no chance of getting through our security measures." But in effect, they haven't increased our security against dedicated attempts at generating terror. They are just slowing down our business and costing money. Money for passengers who are wasting time (time=money in today's society), and money for airlines and airports coerced into putting these security measures in place. Governments (follow my gaze westward) revel in security considerations to justify political agendas.

Net result, from a security perspective? NIL.

We need to solve problems... not address movie scenario threats.

Wednesday Sep 27, 2006

Google Archives Your Conversations

So... you use Google's services. Great. So do I. You even use Google Talk. Even better. A product based on standards (the Jabber instant messaging protocol)... But did you know that Google archives all of your Google Talk conversations? If you go to your Google Mail homepage and click on one of your contacts, you have the option to view "recent conversations"...

The question that arises is, of course: "So who has access to these archives?" Normally, of course, only yourself... but what happens in case of pressure? Legal threats? Financial pressure (corruption or other)? This is a frightening thought for privacy!

Fortunately, some instant messaging tools like GAIM (Windows, Linux, and just about any Unix dialect), Trillian (Windows only) or Adium (MacOS) enable encryption of instant messaging conversations. With GAIM, you need a plug-in called OTR... with Adium, it is built in. And these two products are interoperable... you can chat confidentially between GAIM and Adium clients. These tools support all of the current instant messaging protocols (IRC, MSN, AIM, Yahoo, ICQ, Jabber, Gadu-Gadu...). I strongly encourage you to try them and gain privacy in your conversations with friends, lovers, colleagues, or business partners!



