The past couple of weeks I’ve been working on implementing a PKI solution from Verisign.
It’s been a long road. It’s been a couple years at least since I first started working on PKI implementation products. The purchase was delayed a couple of times. Then the implementation was delayed. Once we got to doing the implementation, it was rather straightforward. I’m happy with the way things are going, and I’ll be happier as we get the product deployed to larger test groups.
There are a couple of things we still need to work out:
1. I’ve got a couple users where they could enroll for the encryption certificate and it was escrowed correctly, but there was a cipher issue and the certificate couldn’t be added to the browser.
2. The last two Mondays I’ve found the Luna SA (an HSM) was not bound to Active Directory. I’m still gathering information on this. I think when the domain controller reboots, the Luna fails to rebind on its own, but I need to verify this.
3. On the RA, if I do a service verification (-sV) nmap scan on its port (2003/TCP), the memory spirals out of control. Multiple scans will crash it. That issue will hopefully be fixed in the next version. For now, I’m just going to have to avoid scanning that port.
Professional Services said, “[the application] was designed to be deployed in a control setting. The service wasn’t designed to be robust.”
I really had a problem with that statement. I hope that was an off-the-cuff remark rather than the official Verisign position. Internal networks behind a firewall aren’t guaranteed to be a pristine environment. I’d like my security-related services to assume they are going to be attacked and be able to preserve confidentiality, integrity and availability.
Unfortunately we aren’t well segmented internally. Perhaps I should consider using the Windows Firewall so that only devices that need to talk to the server on that port (such as the web server) are able to do so.
I am happy with the implementation. Any issues we’ve had are being addressed.
Archive for May 2008
Implementing Verisign PKI
Notes Internet Password Field
I was done in by the Lotus Notes Internet Password hash in R5 today (yeah, it’s ancient).
I changed my domain password and used some words wrapped in parentheses like the following: (my Blue shoe). Normally this would be a decent password. But at our company passwords are synched from Active Directory to the Lotus Notes Internet password field. In that field in Notes anything inside parentheses is presumed to be encrypted already. So anyone in the company looking in the right place could see my password in plain text!
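The behaviour described above can be caught both before a sync and afterwards in an export of the field. The following is an added example, not code from the original post or from the Notes product; the function names are hypothetical and the hash shapes (32 hex digits for R5, `(G` plus 19 characters for the later salted format) are assumptions about what Domino itself writes.

```python
import re

# Assumed shapes of values Domino writes to the Internet password field.
R5_HASH = re.compile(r"^\([0-9A-Fa-f]{32}\)$")          # unsalted R5 hash
SALTED_HASH = re.compile(r"^\(G[0-9A-Za-z+/]{19}\)$")   # later salted hash

def classify_field(value):
    """Classify one stored Internet password field value."""
    if R5_HASH.match(value) or SALTED_HASH.match(value):
        return "hash"
    if value.startswith("(") and value.endswith(")"):
        # Parenthesised but not hash-shaped: the field took it as
        # "already hashed" and kept the password readable.
        return "verbatim"
    return "other"

def sync_safe(password):
    """Pre-sync check: False if the field would keep this password as-is."""
    return not (password.startswith("(") and password.endswith(")"))

def audit(records):
    """Return the users whose stored value is a readable password."""
    return [user for user, value in records if classify_field(value) == "verbatim"]

# Constructed sample export (user, field value); the hash is a placeholder.
SAMPLE = [
    ("alice", "(" + "0123456789ABCDEF" * 2 + ")"),
    ("bob", "(my Blue shoe)"),
]
```

Run `sync_safe` in the password-change path and `audit` over a periodic export of the person documents, and force a reset for every user it returns.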
New Adobe Flash Vulnerability
There were multiple reports today of an unpatched Adobe Flash vulnerability currently being exploited.
Symantec Bugtraq reports that this exploitation is fairly widespread. SQL injection has been used to insert code onto otherwise legitimate websites that results in malware loading to exploit Flash.
Not a lot to be done. You could crawl into the Firefox/noscript cave. I’d suggest having that as an option, but in general keep the antivirus updated and make sure your Flash is patched so you aren’t exploited by old attacks. Buckle your safety belts; it could get bumpy.
UPDATE:
Further reports indicate that this is not a zero day vulnerability. It is exploiting unpatched versions of Flash. Make sure every browser installed is running the current version of Flash. IE and Mozilla based browsers use a different Flash install.
Managing Emotions Under Pressure – part 2
This is part 2 of a series of posts reflecting on a Fred Pryor class titled Managing Your Emotions Under Pressure.
There is more pressure than ever in the workplace. There is just a lot of information to absorb and a lot of tasks to perform. Most of my readers will understand that. They use RSS feeds to sip from the firehose of information that is the Internet. Many of my readers will, like me, be in Information Security. We’ve got to stay one step ahead of a motivated attacker and protect the business even when the users don’t want to be protected.
Pressure can lead to overreacting emotionally. Overreacting emotionally can have great negative effect on the career.
We’re supposed to be always learning and building our skills. Skills aren’t just picking up another certification, or studying up on the benefits/drawbacks of BitLocker when compared to GuardianEdge. Skills include managing your emotions.
Doing so isn’t easy. Stephen Covey says it takes 6 times to learn and 21 times for it to become a habit. Making changes could be a lifelong effort.
German contract virus
I’m seeing some new virus detections on the SMTP layer.
Filename : vertrag.exe (vertrag is contract in German)
Detected as: New Malware.co
Subjects: Mietvertrag (Mietvertrag is German for lease according to babelfish.)
Abbuchungsvertrag (Deduction contract in German)
Tilgungsvertrag (Repayment contract in German)
Grandcentral.com badness
looks like someone forgot to renew grandcentral.com. doh!
http://www.iptools.com/dnstools.php?tool=whois&user_data=grandcentral.com
Domain Name: GRANDCENTRAL.COM
Registrar: EASYDNS TECHNOLOGIES, INC.
Whois Server: whois.easydns.com
Referral URL: http://www.easydns.com
Name Server: NS1.EASYDNS.COM
Name Server: NS2.EASYDNS.COM
Name Server: NS6.EASYDNS.NET
Name Server: REMOTE1.EASYDNS.COM
Name Server: REMOTE2.EASYDNS.COM
Status: clientHold
Updated Date: 20-may-2008
Creation Date: 19-may-1997
Expiration Date: 20-may-2008
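A lapse like this one is easy to alert on from the same WHOIS fields. The following is an added example, not part of the original post; the function names and the 30-day warning window are assumptions, and the sample is built from the record quoted above.

```python
from datetime import date

# Constructed sample: fields from the WHOIS record quoted in the post.
SAMPLE = """\
Domain Name: GRANDCENTRAL.COM
Status: clientHold
Updated Date: 20-may-2008
Creation Date: 19-may-1997
Expiration Date: 20-may-2008
"""

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()

def parse_whois(text):
    """Collect 'Key: value' lines into {lowercased key: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def parse_date(value):
    """Parse the registry's dd-mon-yyyy format, e.g. 20-may-2008."""
    day, mon, year = value.split("-")
    return date(int(year), MONTHS.index(mon.lower()) + 1, int(day))

def expiry_findings(text, today, warn_days=30):
    """Return a list of findings; an empty list means nothing to act on."""
    fields = parse_whois(text)
    findings = []
    for status in fields.get("status", []):
        # clientHold means the registrar has pulled the domain from DNS.
        if status.split()[0].lower() == "clienthold":
            findings.append("clientHold set: the domain is withheld from DNS")
    for value in fields.get("expiration date", []):
        days_left = (parse_date(value) - today).days
        if days_left <= 0:
            findings.append(f"expired {-days_left} day(s) ago")
        elif days_left <= warn_days:
            findings.append(f"expires in {days_left} day(s)")
    return findings
```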
Soft Skills
On Monday, I went to a Fred Pryor Seminar (I think that used to be called Careertrack) on Managing Emotions Under Pressure. The instructor Dee Yoh has a very interesting story to tell. I wish she had a biography or autobiography available. She is a great presenter and someone who is living the principles taught in the course.
I didn’t get a lot of information that was new to me, but what was important was time to think and reflect away from work and other distractions. I also realized how important it is to continue to work at managing emotions. Lack of emotional control is an impediment to career success. Successful people are always improving themselves. It’s very easy for techs to focus on learning more information rather than learning the soft skills.
Rather than writing one really long blog entry today, I think I’ll be following up with more details later.
Typhoid Mary and Sophos AV for *nix
As I’ve posted previously, currently I’m doing an eval with Sophos to potentially replace our Symantec Antivirus with Sophos Antivirus, HIPs and Firewall. Sophos provides support for a wide variety of Operating Systems.
I haven’t crossed that bridge yet, but I did talk to my pre-sales support (hi Chris) about the issues with 1) convincing Linux, Solaris and Mac users to follow the company policy and install antivirus and 2) the new burden with these people now thinking you provide support for anything that goes wrong with their system because it must be the AV’s fault.
Mark Harris, Director of SophosLabs, has written a blog entry covering some of the same type of information. He announces Sophos Anti-Virus for UNIX 7.0 beta and explains why antivirus for Unix is even necessary.
Safari Carpet Bomb
Nitesh Dhanjani has reported to Apple three security issues in Apple Safari.
He has found separate issues that allow an attacker to steal files from your system, and write files to the desktop.
US Tax Court Phishing
MX Logic has a writeup on US Tax Court phishing emails seen today.
The email from noreply@ustaxcourt.org has a link to download “a Copy of the Order, Letter, Notice or Other Document Being Appealed”. The website was not online when I checked on it.

