General: May 2008 Archives
The past couple of weeks I've been working on implementing a PKI solution from Verisign.
It's been a long road. It's been a couple of years at least since I first started working on PKI implementation products. The purchase was delayed a couple of times. Then the implementation was delayed. Once we got to doing the implementation, it was rather straightforward. I'm happy with the way things are going, and I'll be happier as we get the product deployed to larger test groups.
There are a couple of things we still need to work out:
1. I've got a couple users where they could enroll for the encryption certificate and it was escrowed correctly, but there was a cipher issue and the certificate couldn't be added to the browser.
2. The last two Mondays I've found the Luna SA (an HSM) was not bound to Active Directory. I'm still gathering information on this. I think when the domain controller reboots, the Luna fails to rebind on its own, but I need to verify this.
3. On the RA, if I do a service verification (-sV) nmap scan on its port (2003/TCP), the memory spirals out of control. Multiple scans will crash it. That issue will hopefully be fixed in the next version. For now, I'm just going to have to avoid scanning that port.
Professional Services said, "[the application] was designed to be deployed in a control setting. The service wasn't designed to be robust."
I really had a problem with that statement. I hope that was an off-the-cuff remark rather than the official Verisign position. Internal networks behind a firewall aren't guaranteed to be a pristine environment. I'd like my security-related services to assume they are going to be attacked and be able to preserve confidentiality, integrity, and availability.
Unfortunately we aren't well segmented internally. Perhaps I should consider using the Windows Firewall so that only devices that need to talk to the server on that port (such as the web server) are able to do so.
I am happy with the implementation. Any issues we've had are being addressed.
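One way to apply the Windows Firewall scoping considered above, as an added example that is not from the original post or from Verisign: it admits TCP 2003 only from listed peers and then reports any other inbound allow rule that would still expose the port. It assumes Windows Server 2012 or later (the NetSecurity cmdlets) and an elevated session; the peer address and rule name are placeholders.

```powershell
# Added example: restrict inbound TCP 2003 on the RA host to named peers.
# Assumptions: NetSecurity module available, elevated session.
$Port     = 2003
$Allowed  = @('192.0.2.10')   # placeholder (documentation range): the web server
$RuleName = 'RA service - allowed peers only'   # hypothetical rule name

# A scoped allow rule only restricts access when unmatched inbound traffic is
# dropped. Report profiles where that is not the case instead of changing
# them, so other services on the host are not cut off by surprise.
Get-NetFirewallProfile |
    Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -eq 'Allow' } |
    ForEach-Object { Write-Warning "Profile $($_.Name) does not block unmatched inbound traffic" }

# Recreate the scoped rule so reruns do not stack duplicates.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $Port -RemoteAddress $Allowed -Profile Any | Out-Null

# True when a rule's LocalPort value ('Any', '2003', '2000-2010', ...) covers $Port.
function Test-PortCovered($LocalPort, [int]$Port) {
    foreach ($p in @($LocalPort)) {
        if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# Any other enabled inbound allow rule covering the port (for example a
# program-based rule added by an installer) still admits other hosts.
$others = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -eq 'TCP' -or $pf.Protocol -eq 'Any') -and
            (Test-PortCovered $pf.LocalPort $Port)
    }

# Show each overlapping rule with the remote addresses it accepts.
$others | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
}
```

An empty result from the last step means the scoped rule is the only path to the port; any rule listed there needs to be disabled or given the same remote-address scope.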
I was done in by the Lotus Notes Internet Password hash in R5 today (yeah, it's ancient).
I changed my domain password and used some words wrapped in parentheses, like the following: (my Blue shoe). Normally this would be a decent password. But at our company passwords are synched from Active Directory to the Lotus Notes Internet password field. In that field in Notes anything inside parentheses is presumed to be encrypted already. So anyone in the company looking in the right place could see my password in plain text!
There were multiple reports today of an unpatched Adobe Flash vulnerability currently being exploited.
Symantec Bugtraq reports that this exploitation is fairly widespread. SQL injection has been used to insert code onto otherwise legitimate websites that results in malware loading to exploit Flash.
Not a lot to be done. You could crawl into the Firefox/NoScript cave. I'd suggest having that as an option, but in general keep the antivirus updated and make sure your Flash is patched so you aren't exploited by old attacks. Buckle your safety belts; it could get bumpy.
UPDATE:
Further reports indicate that this is not a zero-day vulnerability. It is exploiting unpatched versions of Flash. Make sure every browser installed is running the current version of Flash. IE and Mozilla-based browsers use a different Flash install.
On Monday, I went to a Fred Pryor Seminar (I think that used to be called Careertrack) on Managing Emotions Under Pressure. The instructor Dee Yoh has a very interesting story to tell. I wish she had a biography or autobiography available. She is a great presenter and someone who is living the principles taught in the course.
I didn't get a lot of information that was new to me, but what was important was time to think and reflect away from work and other distractions. I also realized how important it is to continue to work at managing emotions. Lack of emotional control is an impediment to career success. Successful people are always improving themselves. It's very easy for techs to focus on learning more information rather than learning the soft skills.
Rather than writing one really long blog entry today, I think I'll be following up with more details later.
Nitesh Dhanjani has reported to Apple three security issues in Apple Safari.
He has found separate issues that allow an attacker to steal files from your system, and write files to the desktop.
At long last Adobe has released security updates for Adobe Acrobat and Adobe Reader 7.x. Most Adobe Reader users should have updated to 8.1.2 when these vulnerabilities were first announced. Many users of Adobe Acrobat may not have had the funds necessary to purchase an upgrade. 7.1.0 is a critical update that should be applied immediately if you are using a 7.x version. If you are running 8.x, you should be running 8.1.2, released in February. Versions prior to 7 should be considered unmaintained and are not to be used on Internet-connected computers.



