Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
Convenient SVN version for Windows
May 31, 2008
Subversion has for at least a couple of years been the standard for version control for distributed projects. However, I wasn’t, until very recently, satisfied by any of the pre-built server distributions for Windows.
Yes, I know, you’re supposed to run SVN on Apache on Linux. But sometimes, especially if you happen to be a Windows shop, there are some undesirable hidden costs in doing that.
Anyway, I’m happy to report that support for SVN deployment by Windows non-developers has improved. For example, Collab.net has a good server distro - see http://www.collab.net/downloads/subversion/. It can operate as a stand-alone service (i.e. without a web server dependency).
Collab.net includes a command-line client, which is also fine, but the standard SVN client for Windows is pretty much Tortoise (http://tortoisesvn.tigris.org/).
Check out Sysinternals Live
May 29, 2008
You can now run the tools directly from the web. Pretty useful for Windows security hackers! My all time fave is definitely procmon, although tuning the event filter always takes some extra time.
New SmartUtil and screenshots are now posted
May 27, 2008
Check out the latest, significantly updated, version of JW Secure’s (free!) smart card debugging utility at http://www.jwsecure.com/downloads.shtml. Unlike the previous command-line incarnation, this version is fully GUI-based.
Special thanks to everyone who Beta-tested and provided feedback! New feedback and feature requests are always welcome.
Congrats 2008 UW BPC Winners
May 23, 2008
Congratulations to the 2008 University of Washington Business Plan Competition winners!
http://bschool.washington.edu/cie/bpc/
Got private keys?
May 22, 2008
If you’re running Debian, or are interacting with an outsourcer or host that does, you need to regenerate your crypto keys. Not fun.
http://www.theregister.co.uk/2008/05/21/massive_debian_openssl_hangover/
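The defender's first question after that story is not "which keys do I regenerate?" but "which of the keys already deployed to my hosts came from the broken generator?". Because the affected generator could only produce a tiny set of keys, those keys are recognisable by fingerprint, which is the approach Debian's blacklist tooling took. The following is an added example, not code from this post or from Debian: it parses authorized_keys-style ssh-rsa lines (the real OpenSSH wire format), fingerprints the modulus, and flags entries that match a blacklist. The fingerprint scheme, the "weak" modulus and the sample key file are my own constructed assumptions, not the real blacklist format.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    # SSH wire "string": 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    # SSH wire "mpint": big-endian two's complement; a leading 0x00 keeps a
    # positive number whose high bit is set from being read as negative.
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_pubkey(e: int, n: int, comment: str = "") -> str:
    """Build an authorized_keys-style 'ssh-rsa <base64> [comment]' line from (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def parse_rsa_pubkey(line: str):
    """Return (e, n) from an 'ssh-rsa <base64> [comment]' line; raise ValueError otherwise."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    parts, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated string")
        parts.append(blob[off:off + length])
        off += length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa key blob")
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")


def modulus_fingerprint(n: int) -> str:
    # Assumption for this example: the blacklist is keyed by SHA-256 of the
    # modulus bytes, so comments and exponent encoding do not affect matching.
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


# Constructed "known weak" modulus standing in for one entry of a real blacklist.
# Real keys are 1024+ bits; this toy value only exercises the lookup path.
WEAK_MODULUS = 0xC0FFEE1234567
WEAK_MODULUS_BLACKLIST = {modulus_fingerprint(WEAK_MODULUS)}

# Constructed authorized_keys content: one key on the blacklist, one that is not.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    encode_rsa_pubkey(65537, WEAK_MODULUS, "deploy@build-host"),
    encode_rsa_pubkey(65537, 0xDEADBEEF0001, "alice@laptop"),
])


def audit_authorized_keys(text: str, blacklist=WEAK_MODULUS_BLACKLIST):
    """Return [(line_number, comment)] for every key whose modulus is blacklisted."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            _e, n = parse_rsa_pubkey(line)
        except ValueError:
            continue  # non-RSA or malformed line: not this check's job
        if modulus_fingerprint(n) in blacklist:
            comment = " ".join(line.split()[2:])
            flagged.append((lineno, comment))
    return flagged


if __name__ == "__main__":
    for lineno, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: blacklisted key ({comment}) - regenerate and redeploy")
```

Run it against a real authorized_keys file by reading the file into `audit_authorized_keys` and supplying a blacklist built from the actual weak-key lists; a match means the key must be replaced, and the host keys and certificates of the same machine deserve the same check.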
A security conference in Hawaii!?
May 21, 2008
http://www.shakacon.org/
Unfortunately, it overlaps with TechEd IT Forum this year, otherwise I’d be all over that.
http://www.youtube.com/watch?v=GuhD8RgIS7E
http://www.youtube.com/watch?v=xSTXOz6ovH4
New Windows Filtering Platform landing page
May 19, 2008
See this new site - http://www.microsoft.com/whdc/device/network/default.mspx, and specifically the WFP section about half-way down the page. Includes a link to this WFP sample (http://blogs.msdn.com/onoj/archive/2007/05/09/windows-filtering-platform-sample.aspx), produced last year by JW Secure!
I’m sitting in the Krakow airport, waiting for my return flight via Chicago, very tired, but also very glad I came. Foremost, I met new colleagues and made great connections at Confidence. And I learned a lot. Can’t wait for next year!
The second day of the conference (Saturday) started with Adrian Pastor’s (http://www.gnucitizen.org/about/ap/) discussion on embedded device hacking. His first demo consisted of injecting an XSS link into the administrative log of an Axis 2100 web camera. Assuming you can get the admin to look at the log, it’ll run your script on the camera, which supports both ‘mish’ (a minimal shell) and PHP.
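The defender's side of that first demo is output encoding in the log viewer: the camera's admin page trusts whatever text landed in the log and hands it to the browser as markup. The following added example (my own code, not from the talk or from this post) shows a log-viewer rendering function in its vulnerable form beside the hardened form; the log lines and addresses are constructed.

```python
import html

# Constructed admin-log entries (not from any real device). The second line is
# the kind of text that ends up in a log when a login field carries markup.
SAMPLE_LOG = [
    "2008-05-17 10:02:11 login ok user=admin src=10.0.0.5",
    "2008-05-17 10:04:37 login failed user=<script>alert(1)</script> src=10.0.0.9",
]


def render_log_unsafe(entries):
    # Vulnerable form: log text is concatenated straight into the page, so any
    # markup stored in the log is interpreted by the administrator's browser.
    rows = "".join(f"<tr><td>{entry}</td></tr>" for entry in entries)
    return f"<table>{rows}</table>"


def render_log_safe(entries):
    # Hardened form: every entry is HTML-escaped at output time, so the log is
    # displayed verbatim and never parsed as markup, whatever was logged.
    rows = "".join(
        f"<tr><td>{html.escape(entry, quote=True)}</td></tr>" for entry in entries
    )
    return f"<table>{rows}</table>"


def contains_active_markup(page: str) -> bool:
    # Crude check used only to show the difference between the two renderers:
    # does a script tag survive into the rendered page?
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe renderer leaks script tag:", contains_active_markup(render_log_unsafe(SAMPLE_LOG)))
    print("safe renderer leaks script tag:  ", contains_active_markup(render_log_safe(SAMPLE_LOG)))
```

Escaping belongs at the point where the log is written into HTML, not at ingestion: the log must keep the raw text so the attempt is still visible and searchable, and the same entry may later be rendered into a non-HTML context where HTML entities would be wrong.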
Adrian has also spent a lot of time hacking British Telecom’s home broadband routers (see the site referenced above). I have no doubt that he’s made some great friends at that company.
[Update - the plane from Krakow loaded faster than I thought, and then I went to sleep, so now it's Monday and I'm back in Seattle.]
Other attacks:
- Using embedded devices, when not network-segmented, as a stepping stone for JavaScript-based network scanning
- Stealing password files from embedded devices. For example, many store plaintext passwords, and some are susceptible to pre-authentication attacks, especially via whatever CGIs they may expose.
Petko Petkov (http://www.gnucitizen.org/author/pdp/) was next on the Saturday conference speaker list. Highlights:
- UPnP fun. If you can get a DSL router to run your script, then you can probably reconfigure it and other devices on that network via UPnP. For example, set up a port forwarding rule for all incoming email …
- Lack of filtering for RDP (as in, Microsoft Terminal Server connection shortcuts) and Citrix files. The latter is the worse case: an attacker can send a victim a Citrix connection file which, when run, automatically connects to a remote system, runs a program, then disconnects. The user will have no idea what just happened (delete files, open a port, whatever).
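The missing filtering in that second point is straightforward to add at a mail gateway or download proxy. The following is an added example, not code from the talk or from this post: it flags RDP and Citrix connection files as attachments, by extension and, for files renamed to dodge an extension rule, by content. The content markers (a "full address:s:" line for RDP files, a [WFClient] or [ApplicationServers] section for ICA files), the UTF-16 handling and the sample attachments are my own assumptions, constructed for this example.

```python
import codecs
import os
import re
from typing import Optional

# Extensions that hand the file straight to a remote-session client when opened.
CONNECTION_FILE_EXTENSIONS = {".rdp", ".ica"}

# Content markers so a renamed attachment is still caught. Assumption for this
# example: .rdp files hold "name:type:value" lines such as "full address:s:host";
# .ica files are INI-style with a [WFClient] or [ApplicationServers] section.
RDP_MARKER = re.compile(r"^\s*full address:s:", re.IGNORECASE | re.MULTILINE)
ICA_MARKER = re.compile(r"^\s*\[(WFClient|ApplicationServers)\]", re.IGNORECASE | re.MULTILINE)


def decode_text(content: bytes) -> str:
    # Assumption: .rdp files saved by the Windows client are UTF-16 with a BOM;
    # fall back to UTF-8 for everything else. Undecodable bytes are dropped.
    if content.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return content.decode("utf-16", errors="ignore")
    return content.decode("utf-8", errors="ignore")


def classify_attachment(filename: str, content: bytes) -> Optional[str]:
    """Return 'rdp', 'ica', or None when the attachment is not a connection file."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in CONNECTION_FILE_EXTENSIONS:
        return ext.lstrip(".")
    text = decode_text(content)
    if RDP_MARKER.search(text):
        return "rdp"
    if ICA_MARKER.search(text):
        return "ica"
    return None


def filter_attachments(attachments):
    """Split [(filename, bytes)] into (kept_names, blocked); blocked carries the detected kind."""
    kept, blocked = [], []
    for name, data in attachments:
        kind = classify_attachment(name, data)
        if kind is None:
            kept.append(name)
        else:
            blocked.append((name, kind))
    return kept, blocked


# Constructed sample attachments: a harmless note, an RDP file renamed to hide its
# extension (UTF-16 with BOM, as the Windows client saves them), and a Citrix launch file.
SAMPLE_ATTACHMENTS = [
    ("notes.txt", b"meeting moved to 3pm\n"),
    ("report.txt", "full address:s:host.example.invalid\r\n".encode("utf-16")),
    ("launch.ica", b"[WFClient]\r\nVersion=2\r\n[ApplicationServers]\r\nDesktop=\r\n"),
]


if __name__ == "__main__":
    kept, blocked = filter_attachments(SAMPLE_ATTACHMENTS)
    print("delivered:", kept)
    for name, kind in blocked:
        print(f"blocked {name}: {kind} connection file")
```

Blocking by content as well as by extension matters because the extension rule alone is defeated by renaming, while the content rule alone misses an empty or unusually formatted file that the client would still open; the two checks together cover both gaps.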
Dinis Cruz (http://blogs.owasp.org/diniscruz/) was up next, and demonstrated a custom scriptable front-end he wrote (called F1) for Ounce Lab’s source code scanning product. F1, written in C#, is like an IDE on steroids. One of the panels uses the GLEE graphing/flow-chart control, for example, which looks totally cool. I hope he’ll post more information about his work; perhaps we’ll see it when the Confidence slides go up.
After Dinis came lunch. After lunch, the weather was so nice that I pretty much just sat around and conversed with attendees outside for the rest of the day. Very relaxing!
One highlight I neglected to mention from the first day - Alberto Revelli presented his Sqlninja (http://sqlninja.sourceforge.net/) tool, which does some cool things, including the “DNS tunneled pseudo-shell”.
First day at Confidence in Poland
May 16, 2008
Summary: Poland is beautiful, the people are great, and hacker conferences rarely disappoint!
Here’s where I’m staying (an apartment located next to this square). The apartment itself is very European! My only complaint is that, being right on the main square, people don’t start quieting down until after 2am. Then again, I’m jetlagged, so it doesn’t matter.
The keynote this morning was Joanna Rutkowska. While I didn’t see her presentation at RSA (slides for that are here), I do think her session this morning was based on the same deck. The prototype her lab has done on nested hypervisors (http://bluepillproject.org) looks cool, as does the work they’re doing on Phoenix HyperSpace.
I had the unfortunate distinction of being the first speaker after her.
Most noteworthy of my presentation was an informal poll I conducted at the beginning - namely, whether anybody travelled farther than me (Seattle is 12 hours of flight time to Krakow) in order to be here this week. The answer, out of approximately 350 people, appears to be ‘No’. I don’t think I should be proud of that, though …
I received good questions during my talk, such as why Vista to Vista IPsec uses 3DES by default, rather than AES, for example. Anyone know? I note that AES isn’t even available in the IPsec policy snap-in. My guess would be that this is dictated by the standard, or at least was at the time of implementation.
Also, why all installers automatically run as Administrator on Vista. This actually came up initially during Joanna’s talk, and was re-visited during mine. She correctly observed that the recommended behavior for Windows application installers is to place their binaries under “\Program Files”. Hence privileged access is required. The question is whether major application compatibility problems would be incurred by limiting installer privilege by default. For example, instead of full admin, use an account with only append rights.
That suggestion is misleading, though. There will continue to be a need to allow at least some installers to run as admin. Thus, the bad guys will have an out. Whoever is configuring the system is going to have to make a “reputation” decision before installing software. As in, do I trust the company or person that provided me with this installation package? Professional system administrators are expected to make an informed decision and then lock down the environment (and, in theory, not grant users administrative access).
The majority of home users, on the other hand, remain susceptible, having to make the same judgments without the benefit of IT experience.