Tuesday, February 10, 2009

We are moving

As of now, please refer to http://blog.remes-it.be aka 'The Security Kitchen'.
This blog is officially closed.

Monday, January 26, 2009

because not everybody will use transparent proxies.

As I travel around and attach my laptop to different networks, I'm left to disable/enable the proxy server settings every so often. I grew tired of it, and that's why I messed around with a small VBScript that:
a) detects whether the proxy settings are enabled or disabled
b) asks you to reverse that state

You may want to add additional code to enable/disable different proxies.

Here's the code:
' Toggle the WinINET (Internet Explorer) proxy setting for the current user.
' ProxyEnable = 1 means the proxy configured under Internet Settings is in use.
const HKEY_CURRENT_USER = &H80000001
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
strValueName = "ProxyEnable"

' MsgBox style 36 = vbYesNo (4) + vbQuestion (32); it returns 6 for Yes and 7 for No.
oReg.GetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue
If dwValue = 1 Then
    answer = MsgBox("Proxy is currently enabled. Disable it?", 36)
    ProxyOn = True
ElseIf dwValue = 0 Then
    answer = MsgBox("Proxy is currently disabled. Enable it?", 36)
    ProxyOn = False
Else
    ' Value missing or unexpected (GetDWORDValue leaves dwValue Null): leave it alone.
    MsgBox "ProxyEnable was not found or has an unexpected value; nothing changed.", 48
    WScript.Quit
End If

' Only a "Yes" (6) flips the state; "No" (7) leaves the registry untouched.
If answer = 6 Then
    If ProxyOn = True Then
        dwValue = 0
    Else
        dwValue = 1
    End If
    oReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue
End If

Have fun!
Stay Secure!

Wednesday, January 7, 2009

why procedures are important.

It's 2am as I write this blogpost and first let me give you a little history :-)

The past 2 days I spent at the hospital because I went through some excruciating pain because of a 2 mm kidney stone. It was detected on a scan and I was instructed to drink as much fluid as possible while on painkillers and some other alleviating drugs. I also had to pee through a sieve, so I would be able to find the stone if it so chose to make its exit.
(TMI ? Maybe, but bear with me ;-) )

This evening I was pain-free and I was discharged from hospital (thank God, I'm back with the family again). I also chose to take my little sieve home. No stone was found yet and I wanted to see that little bugger.

So, here I was, just after a shower, and I needed to pee, badly. Our bathroom is upstairs and my little sieve was in the toilet room downstairs. I was juggling with the thought of peeing upstairs, without my sieve, because I was really feeling tired, but I told myself 'no, you HAVE to use the sieve'.

I don't have to add that the stone has chosen to make its exit now. I caught it and I'm happy.

All this to tell you that, however tired or stressed you are, whatever deadline you are up against, procedures are massively important in our job. If you decide to cut corners because you know better and/or because you think that 'one time doesn't hurt', you might as well be wrong this one time. Think about it, be flexible, but don't sacrifice procedure just for the sake of it.


Tuesday, December 30, 2008

Dear Internet, I love you

but I don't trust you anymore.

I remember meeting U here in the good ol' days
I would never pick the flower of my favourite protegé
Maybe if I would have
Then U would not treat me this way
U tricked me - but U will not anymore

No, no
I love you, but I don't trust U anymore

It doesn't happen very often that I can quote an appropriate Prince lyric when blogging about Information Security :-)

For the third time this year the internet has been broken, this time by the fact that some Certificate Authorities failed to phase out MD5 signatures from their PKI back when MD5 collisions were proven (2004). Kudos to Mr. Appelbaum and Mr. Sotirov.
You can read all the juicy details here: http://www.phreedom.org/research/rogue-ca/
Great work.


Now where are we? What can we do?

Let's list the CAs that were identified as issuing MD5-based certs in 2008 and are trusted by default in our browsers:

RapidSSL
FreeSSL
TrustCenter
RSA Data Security
Thawte
Verisign.co.jp

These CAs have promised to move to SHA-1 as soon as possible. In the meantime it might be better not to trust them. That means removing them from the certificate store in your favourite browser. I did just that on my machines.

In a business environment it's a little bit more complex. Take your time to assess your risk; the game stores in China and Russia probably don't have sufficient stocks of PS3s, so we can assume it will take a while for the first real attack to take place ;-)

In an Active Directory environment, a useful option is to control CA certs through Group Policy. You can export root certificates from a trusted machine, or you can download them from the different CA vendors (more cumbersome, yet more secure). The following policy allows you to push out your set of trusted CAs to your install base:
Open the Group Policy Management Console
Open a policy of your choice or create a new one
Go to the following policy setting:
Computer Configuration > Windows Settings > Security Settings > Public Key Policies

And configure as needed.

Ah, but by default, Windows will update the list of trusted CAs itself ... damn that :( Luckily Microsoft has thought about that :-) They're not all bad, you know. This article shows how to disable this function. The same article lays out how to disable this update feature on stand-alone computers. You see, if you want to, you can be in control.
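Added here as an example, not code from the original post: a PowerShell audit that lists the certificates in the machine and user root/intermediate stores that either still carry an MD5 signature or come from one of the CAs named above, and then checks whether the automatic root update has been switched off by policy. The substring matching on the CA names (and matching the broader 'VeriSign' for Verisign.co.jp) is an assumption about how those roots are named.

```powershell
# Run from an elevated PowerShell prompt on the machine you want to audit.
# CA names below are the post's list; 'VeriSign' deliberately matches more
# than Verisign.co.jp so that every root from that family is reported.
$SuspectCAs = @('RapidSSL', 'FreeSSL', 'TrustCenter', 'RSA Data Security', 'Thawte', 'VeriSign')

function Find-SuspectCertificates {
    param([string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                                'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            # SignatureAlgorithm.FriendlyName is e.g. 'md5RSA', 'sha1RSA', 'sha256RSA'
            $md5  = $cert.SignatureAlgorithm.FriendlyName -like 'md5*'
            $hits = $SuspectCAs | Where-Object {
                $cert.Subject -match [regex]::Escape($_) -or $cert.Issuer -match [regex]::Escape($_)
            }
            if ($md5 -or $hits) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    SigAlg     = $cert.SignatureAlgorithm.FriendlyName
                    NotAfter   = $cert.NotAfter
                    Reason     = $(if ($md5) { 'MD5 signature' } else { "Listed CA: $($hits -join ', ')" })
                }
            }
        }
    }
}

function Test-RootAutoUpdateDisabled {
    # The GPO "Turn off Automatic Root Certificates Update" writes this value;
    # without it Windows may silently re-add a root you removed.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $val = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.DisableRootAutoUpdate -eq 1)
}

Find-SuspectCertificates | Sort-Object Store, Subject | Format-Table -AutoSize
if (Test-RootAutoUpdateDisabled) { 'Automatic root update: disabled by policy' }
else { 'Automatic root update: still enabled, removed roots may come back' }
```

Review the list before acting on it; a root that is itself MD5-signed is a different concern from a CA that issues MD5-signed certificates, which is the problem the post describes. To drop a flagged root after review, on PowerShell 3.0 or later: Get-Item "Cert:\LocalMachine\Root\<thumbprint>" | Remove-Item.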

Please note that Firefox keeps its own certificate store, separate from Windows/IE. I'm not aware of a possibility to centrally control root certificates in FF. If I stumble upon something I'll post it here in an update.

Now I'm off to go break the internet using a bench of 500 Wii consoles, all controlled with a Wii Fit board and my Guitar Hero guitar. Because after all, that is how we roll.

As some wise man said: trust, but verify.

Monday, December 29, 2008

as it stands now this will be my last blog post

Since we have been notified that the internet will break at 3.15pm CET tomorrow. It's nice when the buzz gets up to full speed and nobody knows what will happen.

Anyway, Jacob Appelbaum and Alexander Sotirov are presenting 'Making the theoretical possible'
tomorrow at 3.15pm at 25C3.

By a quick count, the internet will have been broken 3 times this year. First we had DNS, then Sockstress, and tomorrow ... a wild guess would be DNS (again) with a wild bend to abuse SSL weaknesses ... we'll see. BGP?

If this is goodbye, it's been fun. I love you all, see you on Web 3.0 ;-)


on the risk of inaccurate 'assessments'

I've pondered on a '$security_topic is dead' title for this blog post, but I managed to steer clear of that one. I personally don't believe that anything (except for antivirus ;-)) is really dead, and my Buddhist little toe tells me that if anything is dead, it will most probably live on in another shape or form.

I've been involved in penetration tests, security assessments and audits of different kinds (both regulatory and not) and from both perspectives (as the tester and as the testee). When sitting in the tester's chair, I've experienced how hard it is to translate one's findings into a proper report that, without resorting to FUD, accurately assesses the risks the customer is exposed to. On the other hand, I've been frustrated with numerous reports I received that qualified risks as High, Medium, Low and/or Red, Yellow, Green. From a customer perspective, what am I to do with these 'values'?

While a qualitative assessment is the easiest way to qualify risks, it also completely disconnects us from the business and/or the customer. When making a qualitative assessment we are not taking into account the nature of the business and the processes that our customer actually practises to run his business.
Some practitioners refer to 'best practices' or 'good practices' (marketeers, please take a one-way ticket to a deserted island?) but still I don't feel that this positively impacts the result of the analysis.

Within the limits of a penetration test, quantitative risk assessment is nearly impossible. First and foremost because you will never* receive accurate numbers within the limited timeframe, but also, and more importantly, because as a technical tester you are completely and utterly disconnected from the business. Running meaningless numbers through complicated formulas and creating scatter plot graphs representing risks is comparable to trying to kill a deer by throwing a bullet at it. It does not work.

In short:
a) penetration tests and security assessments are, today, mostly technology oriented. Yes, we do assessments at the process level too, but not as many and not as thorough.
b) results are often poorly communicated due to lack of connection with the business and/or lack of feedback from the business.
c) customers are not up to par in considering risk assessment a vital part of doing business. Security is still the responsibility of IT.

Conclusion:
If we want to create value by providing penetration testing and security assessment services, we should stop selling 5-day, fixed-price 'solutions' that deliver a detailed report. We should engage with our customer at a very high level so we can first understand the business and then tailor security solutions to their needs, going through shorter iterative cycles, solving problems one at a time, raising awareness throughout the business and in the end providing the company with the processes it needs to tackle security on its own.

I'm looking forward to being a part of this in 2009.


Sunday, December 21, 2008

I have nothing more to add

As I am sitting here, watching this video, I really can't say much more. In the moments when you are not tied up in projects, deadlines, working for the boss every night and day, please think about the fact that it is all about love, life and people.

From here I extend to all of you a virtual hug and the sincere wish that whatever you do, whatever you plan allows you and yours to grow.

Love.
Peace out.

Wim