Posts Tagged security

Do the images you post online pose a security risk?

To find out, take a look at this report on what may be included in the images you upload for the world to see.

Here’s the abstract:

Unless your digital camera or camera-equipped cellphone is more than fifteen (15) years old, the chances are good that any pictures taken with that device contain metadata, which describes the (who, what, where, when and how) conditions under which the picture was taken. The metadata is stored with the picture in an image file, and goes everywhere the file is copied, uploaded or downloaded. This metadata is meant to help us document the moment a picture was taken, and also to maintain the fidelity of edited or printed copies. But as discussed in my article on Augmented Reality, once an image file containing metadata leaves your possession, there are a variety of ways in which that same metadata can be used against you.

So, just how dangerous is image file metadata? In the past, there have been numerous discussions, examples and demonstrations of how much useful information can be extracted from image files. But publicly, nobody has admitted performing a risk assessment of image file metadata. I suspect that such assessments already exist, but are probably classified as CUI (Controlled Unclassified Information). And so, I have undertaken the task of performing a qualitative risk assessment to answer the question.
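As an added example (not code from the report or from this post), here is a small Python script that walks a JPEG’s header segments, pulls the GPS latitude and longitude out of the Exif block, and strips that block before the file is shared. The JPEG it runs on is constructed inline: an Exif APP1 segment holding only a GPS IFD, a comment segment standing in for picture data, and no real image. The coordinates in it are made up.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825                                  # IFD0 tag holding the GPS IFD offset
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4   # tags inside the GPS IFD
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per TIFF field type


def segments(jpeg):
    """Yield (marker, start, end) per header segment; stops at SOS, where picture data begins."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length


def is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def find_exif(jpeg):
    """The TIFF structure carried in the Exif APP1 segment, or None."""
    for marker, start, end in segments(jpeg):
        if is_exif(jpeg, marker, start):
            return jpeg[start + 10:end]
    return None


def strip_exif(jpeg):
    """Copy of the file without its Exif APP1 segment; picture data is copied verbatim."""
    out, copied_to = bytearray(jpeg[:2]), 2
    for marker, start, end in segments(jpeg):
        if not is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        copied_to = end
    return bytes(out + jpeg[copied_to:])


def read_ifd(tiff, offset, e):
    """{tag: (type, count, raw 4-byte value-or-offset)} for the IFD at offset; e = byte order."""
    (count,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries = [struct.unpack(e + "HHI4s", tiff[at:at + 12])
               for at in range(offset + 2, offset + 2 + 12 * count, 12)]
    return {tag: (typ, n, raw) for tag, typ, n, raw in entries}


def field_bytes(tiff, e, typ, n, raw):
    """Values of 4 bytes or less are stored inline; larger ones live at the given offset."""
    size = TYPE_SIZE[typ] * n
    return raw[:size] if size <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:size]


def dms_to_decimal(buf, e, ref):
    """Three RATIONALs (deg, min, sec) plus the N/S/E/W letter -> signed decimal degrees."""
    v = struct.unpack(e + "6I", buf)
    value = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    return -value if ref in ("S", "W") else value


def gps_from_jpeg(jpeg):
    """(latitude, longitude) in decimal degrees, or None if there is no GPS IFD."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"                 # byte order from the TIFF header
    ifd0 = read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])[0], e)
    if not all(tag in gps for tag in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    ref = lambda tag: field_bytes(tiff, e, *gps[tag]).rstrip(b"\x00").decode("ascii")
    return (dms_to_decimal(field_bytes(tiff, e, *gps[GPS_LAT]), e, ref(GPS_LAT_REF)),
            dms_to_decimal(field_bytes(tiff, e, *gps[GPS_LON]), e, ref(GPS_LON_REF)))


def build_sample_jpeg(lat, lat_ref, lon, lon_ref):
    """Constructed input: SOI, an Exif APP1 (big-endian TIFF whose IFD0 holds only the GPS
    IFD pointer), a COM segment standing in for picture data, EOI.  lat/lon are three
    (numerator, denominator) pairs: degrees, minutes, seconds."""
    e = ">"
    entry = lambda tag, typ, n, val: struct.pack(e + "HHI", tag, typ, n) + val
    rational = lambda dms: b"".join(struct.pack(e + "II", num, den) for num, den in dms)
    ifd0_off, gps_off = 8, 8 + 2 + 12 + 4            # an IFD = count, entries, next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4
    ifd0 = struct.pack(e + "H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_off)) + b"\0\0\0\0"
    gps = (struct.pack(e + "H", 4)
           + entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\0\0\0")
           + entry(GPS_LAT, 5, 3, struct.pack(e + "I", data_off))
           + entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\0\0\0")
           + entry(GPS_LON, 5, 3, struct.pack(e + "I", data_off + 24)) + b"\0\0\0\0")
    tiff = b"MM\x00\x2a" + struct.pack(e + "I", ifd0_off) + ifd0 + gps + rational(lat) + rational(lon)
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(EXIF_HEADER) + len(tiff)) + EXIF_HEADER + tiff
    com = b"\xff\xfe" + struct.pack(">H", 2 + 10) + b"image data"
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


if __name__ == "__main__":
    # Made-up coordinates; use open("photo.jpg", "rb").read() to inspect a real file instead.
    photo = build_sample_jpeg(((34, 1), (1, 1), (233, 10)), "N", ((84, 1), (21, 1), (409, 10)), "W")
    print("as uploaded:", gps_from_jpeg(photo))
    print("after strip_exif:", gps_from_jpeg(strip_exif(photo)))
```

The segment walker stops at the first SOS marker, so the compressed picture data is never touched and the stripped file is still a valid JPEG. Exif is only the most common carrier: IPTC/Photoshop data in APP13 and XMP in a second APP1 segment can hold the same kind of information, and this script leaves those in place.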


Certificate Information Extractor

While working with SSL certificate-based authentication I developed a handy tool to display the contents of certificates: both PKCS#12 (.p12) files, which bundle a certificate with its private key and are commonly used for client authentication, and standard public .cer certificates.

Here is my utility to check certificate information.

And if you are looking for a couple of certificates to use to try this tool out, here is a PKCS12 self-signed certificate. Or, you could use my handy self-signed PKCS12 certificate generator and make your own.

Special thanks to John Veldboom for his ColorPal app which helped me make the tool more appealing to the eye.
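As an added example, and not the tool linked above, the following Python is a minimal DER dumper: it prints the tag, length and value tree of any DER-encoded object, decodes object identifiers, and labels a few of the OIDs that appear in X.509 names and extensions. Point it at the bytes of a DER .cer file (or at the base64-decoded body of a PEM block) to see a certificate’s structure. The input it runs on by default is a constructed subject-name-like structure, not a real certificate.

```python
import binascii

# Universal ASN.1 tag numbers that occur in certificates.
UNIVERSAL = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING", 5: "NULL",
             6: "OBJECT IDENTIFIER", 12: "UTF8String", 16: "SEQUENCE", 17: "SET",
             19: "PrintableString", 22: "IA5String", 23: "UTCTime", 24: "GeneralizedTime"}
# A handful of OIDs worth labelling; anything else is shown in dotted form only.
OID_NAMES = {"2.5.4.3": "commonName", "2.5.4.6": "countryName", "2.5.4.10": "organizationName",
             "2.5.4.11": "organizationalUnitName", "2.5.29.14": "subjectKeyIdentifier",
             "2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints",
             "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag byte, value bytes, position after it)."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tag numbers are not handled")
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("element at %d runs past the end of the data" % pos)
    return tag, value, pos + length


def decode_oid(value):
    """Dotted OID from base-128 arcs; the first byte packs the first two arcs as 40*a+b."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not (b & 0x80):
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def dump(buf, depth=0, lines=None):
    """Render DER as one indented line per element, descending into constructed ones."""
    lines = [] if lines is None else lines
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        number, cls, constructed = tag & 0x1F, tag >> 6, bool(tag & 0x20)
        if cls == 0:
            name = UNIVERSAL.get(number, "UNIVERSAL %d" % number)
        elif cls == 2:
            name = "[%d]" % number              # context-specific, e.g. [3] wraps X.509 extensions
        else:
            name = "tag 0x%02x" % tag
        pad = "  " * depth
        if constructed:
            lines.append("%s%s (%d bytes)" % (pad, name, len(value)))
            dump(value, depth + 1, lines)
        elif cls == 0 and number == 6:
            oid = decode_oid(value)
            lines.append("%s%s %s%s" % (pad, name, oid, " (%s)" % OID_NAMES[oid] if oid in OID_NAMES else ""))
        elif cls == 0 and number == 2:
            lines.append("%s%s %d" % (pad, name, int.from_bytes(value, "big", signed=True)))
        elif cls == 0 and number in (12, 19, 22, 23, 24):
            lines.append("%s%s %s" % (pad, name, value.decode("utf-8", "replace")))
        else:
            lines.append("%s%s %s" % (pad, name, binascii.hexlify(value).decode()))
    return lines


def encode_tlv(tag, value):
    """Inverse of read_tlv; used only to build the constructed sample below."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + value


def sample_der():
    """Constructed input, not a real certificate: a subject-name-like SET around a commonName
    AVA, an INTEGER, and an OCTET STRING long enough to need a two-byte length."""
    ava = encode_tlv(0x30, encode_tlv(0x06, bytes([85, 4, 3])) + encode_tlv(0x0C, b"Wes Widner"))
    return encode_tlv(0x30, encode_tlv(0x31, ava) + encode_tlv(0x02, b"\x04\xd2") + encode_tlv(0x04, b"\xab" * 200))


if __name__ == "__main__":
    import sys
    # With a DER file path as argument it dumps that file; otherwise the constructed sample.
    print("\n".join(dump(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_der())))
```

On a real certificate the top-level SEQUENCE contains the tbsCertificate SEQUENCE (version in [0], serial INTEGER, signature algorithm, issuer, validity, subject, subjectPublicKeyInfo and the extensions in [3]), followed by the signature algorithm and the signature BIT STRING. A .p12 file is a PKCS#12 wrapper whose certificate and key bags are normally encrypted under the passphrase, so only its outer structure is readable this way.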


Is there such a thing as a cyberwar?

Intelligence Squared held an interesting and thought provoking debate recently where the concept of cyberwar was addressed.

The central issue in the debate is this: Are we justified in calling any form of aggression carried out in a synthetic space such as the internet a “war”?

In my estimation Bruce Schneier brings up some very good points and concerns in his portion of the debate. Points and concerns that, as far as I could tell, were never really addressed by his opponents.

As attacks, specifically attacks likely carried out between government organizations, become more frequent, settling the question of cyber warfare will only become more important.

Some questions worth considering are: Where are the lines between enemy combatants and non-combatants? Are there any “civilians” in a cyberwar? Should we give up trying to secure everyone and split off “critical” parts onto their own private network? What about the weapons of a cyberwar? Have we thought about what it means to consider information as a weapon in itself?

All of these questions have serious ramifications for how we go about addressing the issues we face. And if we consider the issues to be important, how much more important are the terms and definitions that frame them? It is wise not to offer an answer or solution without first making sure the question or issue is properly defined.

Here is the full IQ2 debate to help give you a good overview of the issue:

The Cyber War Threat Has Been Grossly Exaggerated from Intelligence Squared US on Vimeo.


Secure client authentication with php-cert-auth

Most websites employ a simple authentication mechanism generally consisting of a username and a password. While this method is certainly acceptable and secure for most applications, I want to take a minute to explore a more complex and, if employed correctly, more secure method of authenticating a user to a website.

This method uses the public key infrastructure (PKI): the browser authenticates with an SSL client certificate, which is handed to the user as a PKCS12 bundle (certificate plus private key).

First you need to make sure your server is configured to use SSL properly. Setting up SSL in Apache is beyond the scope of this post, but here is a great HOWTO on it. You’ll also need to configure Apache to export the SSL variables it gathers to PHP.

Here is the Apache configuration (it goes in the SSL virtual host) that asks the browser for a client certificate and exports the SSL environment variables to PHP via the $_SERVER superglobal. Note what optional_no_ca means: mod_ssl requests a certificate and accepts one even when it cannot be chained to a CA in SSLCACertificateFile, which is what lets self-signed client certificates through, and it reports such certificates as SSL_CLIENT_VERIFY=GENEROUS rather than SUCCESS. At that point the handshake has proven only that the client holds the private key matching the certificate it sent, so the application has to do the rest of the verification itself.

# ask for a client certificate but do not require a CA-verifiable chain;
# the application verifies the certificate itself
SSLVerifyClient optional_no_ca
SSLVerifyDepth  10

# make SSL_CLIENT_CERT (the certificate as PEM) and the other SSL_* variables
# visible to PHP through $_SERVER
SSLOptions +ExportCertData +StdEnvVars

Next you’ll want to grab a copy of our handy php-cert-auth class from here. The configuration is pretty straightforward; feel free to include the config parameters in the class directly if you don’t want to worry about maintaining a separate configuration file.

Here are a few examples of what our class will allow you to do.

To generate a self-signed certificate and send it to the browser as a download:

<?php
// Load the php-cert-auth class before this point (require_once the file you
// downloaded), then stream the generated PKCS#12 bundle to the browser.
header("Content-Type: application/x-pkcs12");
header('Content-Disposition: attachment; filename=client.p12');

$countryName = "US";
$stateOrProvinceName = "Georgia";
$localityName = "Roswell";
$organizationName = "Werx Limited";
$organizationalUnitName = "Labs";
$commonName = "Wes Widner";
$emailAddress = "[email protected]";

$cert = new WerxLtd_Auth_Cert();
$pkcs12 = $cert->getPKCS12SelfSigned(
	$countryName,
	$stateOrProvinceName,
	$localityName,
	$organizationName,
	$organizationalUnitName,
	$commonName,
	$emailAddress
);

echo $pkcs12;

/*
 * You can parse the PKCS#12 data back out (it carries no passphrase) via:
 * openssl_pkcs12_read($pkcs12, $data, '');
 */

Here is how you could go about authenticating a user:

$cert = new WerxLtd_Auth_Cert();
if($cert->hasClientCert()) {
	$keyid = $cert->getSubjectKeyIdentifier();
	// You can then use this key to query a list of known keys associated with valid users
}

This package is not designed to work in a stand-alone fashion. It is designed to be a helpful passwordless enhancement to an existing authentication system: the user enrolls a certificate while logged in the normal way, and on later visits the supplied client certificate is checked against the certificates known for that account, authorizing the user in a transparent fashion. RFC 3280 has the subjectKeyIdentifier derived from the certificate’s public key [1], which makes it a convenient handle for that lookup. Keep in mind what has actually been proven by the time your code runs, though: with optional_no_ca the handshake only establishes that the client holds the private key for the certificate it presented, and a self-signed certificate, subjectKeyIdentifier extension included, was authored entirely by whoever generated it. So record the whole certificate (or its public key, or a fingerprint over its DER encoding) at enrollment and compare against that, rather than selecting an account on the identifier alone.

There are many other ways a client certificate can be used to make your application even more secure, such as encrypting information with the user’s public key before it is saved to permanent storage. You can also use the information contained in the client certificate to fill in form fields automatically. The biggest pitfall I can see in employing client certificates is the added complexity of the application.

Further reading:

  [1] RFC 3280, Internet X.509 Public Key Infrastructure Certificate and CRL Profile: http://www.ietf.org/rfc/rfc3280.txt


McAfee Secure URL Shortener Firefox Add-on

Following the release of our extension allowing Chrome users to quickly shorten URLs using the cloud-backed security of the mcaf.ee service, we are pleased to announce the release of an add-on which allows Firefox users to quickly and securely shorten URLs to share with others.

To download and install this extension, head on over to Firefox’s add-on site.

I also want to give a special thank you to the Mozilla JetPack project for making the development of this extension not only less painful than it otherwise would have been, but actually fun. Thanks guys!


McAfee URL Shortener Chrome Extension

McAfee has joined the URL shortening game (alongside known favorites such as bit.ly, saf.li, ow.ly, etc.) with their new service, mcaf.ee. This service is designed to give the web community peace of mind, knowing that any link referred to by mcaf.ee has been checked for malware and is not pointing to a known malicious site.

To celebrate this exceptional service, we’ve developed a Google Chrome extension which makes using this service a breeze. After installing this extension from the Google Chrome Extensions site you will see a McAfee shield in the unibar area that you can click on to retrieve a shortened link for the current page you are visiting.

This extension uses the mcaf.ee service which utilizes McAfee’s Global Threat Intelligence information. The mcaf.ee service allows users to create short URLs, which are checked against McAfee’s GTI databases prior to being shown to the end user – no more rogue short links (http://mcaf.ee/b1d069) on Twitter going to malware sites.

Enjoy!

Screenshot: McAfee URL Shortener Chrome Extension


What do I do if my account’s been hacked?

A friend of mine recently asked me via Facebook what he should do if someone he didn’t know and wasn’t friends with on Facebook was able to access private information in his and his wife’s Facebook and email (and presumably other) accounts. Since this is a fairly common concern and question I figured I’d post my response below. Enjoy!

Most likely they have your password (which they might have gotten from a virus, trojan, back-door worm, or something else).

While anti-virus is great (at this point I feel obliged to mention my employer, McAfee), one area constantly overlooked is apps on Facebook which are malicious. I just got through telling my wife not to install apps on FB unless she absolutely had to (which means, something you will use and use constantly). I used to be bad about installing all the poll and quiz applications on Facebook I came across until I went back through my installed apps one day and noticed that many of them weren’t even named the same thing they were named when I installed them.

So if you are worried that someone has hacked your online accounts the best thing to do is to immediately change all of your passwords. Make sure you use a strong password too (that goes for your wife as well as you).

Also, I highly recommend going through your Facebook applications and uninstalling anything you don’t use as they could be used to harvest your information. Not that you should remove them all (I love Mafia Wars) but if you were to read what a developer has access to you’d certainly think long and hard about each application you install ;-)

Finally, (for the super-paranoid) if you are using a wireless router you should certainly be using some form of wireless encryption (hopefully not WEP because it is vulnerable to attacks). Otherwise all of your information is being transmitted in the clear and can be easily captured with minimal effort.

It’s possible that this person might be getting your personal information another way (via ESP perhaps? :-P) but I think the most likely culprit is your computer/network security.

There’s more that you can do to harden your systems against attack, but these are the most often used avenues of attack. If your adversary is a hacker let me know and I’ll continue listing things you can do to make your systems secure.

Good luck!

Next, we’ll look into some security products and practices that can help you secure your systems.


Governments calling citizens to ditch Internet Explorer

Google was recently hit by an attack McAfee has named “Aurora”. The exploit it used involves all versions of Internet Explorer (though version 6 is getting most of the attention), which has prompted the governments of France and Germany to warn their citizens not to use Internet Explorer at all.

Microsoft initially tried to claim that this exploit was trivial but has since issued an out-of-cycle emergency patch for all versions of Internet Explorer.

Looks like now is the perfect time to switch to a superior browser like Chrome or Firefox.

Here’s a video detailing how this hack works in action in case you are like me and interested in the juicy technical details:


Passwords revisited

An analysis of 32 million leaked passwords provided some interesting insights into the password selection practices of users. Among the key findings:

  • Passwords are short and simple: many users select credentials that fall to basic forms of cyber attack known as “brute force attacks.”
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.
  • The report closes with recommendations for users and administrators on choosing strong passwords.

Also, here are the top 10 most commonly used passwords they found:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

I’ve said it before, the first step in computer security is having a strong password policy.


Password policy: Creating and remembering strong passwords

Passwords are often the weakest part of any security system, partly because we don’t take the time to make them strong enough, don’t change them very often, and use the same one all over the place.

Strong passwords, which include a combination of upper and lowercase letters, numbers and punctuation and are not based on a dictionary word, are often not very easy to remember. And if it’s not easy to remember, chances are we’ll either end up writing it down (bad idea!) or we’ll choose a simpler password. Additionally, since we are often faced with a myriad of sites which all require separate accounts (and passwords), using a different password for each site tends to fall by the wayside in favor of convenience.

It doesn’t have to be like this.

Here’s a technique I’ve found helpful for creating strong, easy-to-remember passwords. It involves coming up with a unique method of transforming a simple word into a strong password using a few simple rules. The beauty of this system is that, unlike a strong password generator, the passwords you come up with using a system like this are easy to remember and can be unique to each site you use them with.

Here are a few other strong-password-generating ideas:

No matter what you choose to use to help you generate strong passwords, it’s always a good idea to check your password’s strength to gauge how hard it would be for an attacker to guess it.
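As an added example serving both the leaked-password findings in the previous post and the strength check recommended here (it is not code from either post), this Python checker flags the categories of weak password the analysis describes: top-ten entries, dictionary words and names, consecutive characters, adjacent keyboard keys, and short or single-class passwords. It also estimates the brute-force keyspace a strength checker is really measuring. The top-ten list is the one from the previous post; the word list is a tiny constructed stand-in for a real dictionary.

```python
import math

# The ten most common passwords from the 32-million-password analysis.
TOP10 = ["123456", "12345", "123456789", "Password", "iloveyou", "princess",
         "rockyou", "1234567", "12345678", "abc123"]
# Constructed stand-in for a real wordlist of names, slang and dictionary words.
WORDS = {"password", "princess", "iloveyou", "rockyou", "monkey", "dragon",
         "football", "michael", "jessica", "sunshine"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_sequence(pw, min_len=4):
    """'1234', 'abcd', '9876': every step moves the code point by the same +1 or -1."""
    if len(pw) < min_len:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_keyboard_walk(pw, min_len=4):
    """A run of adjacent keys along one keyboard row, in either direction."""
    s = pw.lower()
    return len(s) >= min_len and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def charset_size(pw):
    """Alphabet size an attacker must assume, judged from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33                      # printable ASCII punctuation and space
    return size


def entropy_bits(pw):
    """log2 of the brute-force keyspace, i.e. the strength of a *random* password of
    this length and alphabet; patterned passwords are weaker than this number says."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def crack_seconds(pw, guesses_per_second=1e9):
    """Worst case for an exhaustive offline search at the given rate; anything that
    weaknesses() flags falls far sooner because those candidates are tried first."""
    return 2 ** entropy_bits(pw) / guesses_per_second


def weaknesses(pw):
    """Which of the report's weak-password categories this password falls into."""
    found = []
    if pw in TOP10:
        found.append("in the top-10 list")
    if pw.lower() in WORDS:
        found.append("dictionary word or name")
    if is_sequence(pw):
        found.append("consecutive characters")
    if is_keyboard_walk(pw):
        found.append("adjacent keyboard keys")
    if len(pw) < 8:
        found.append("shorter than 8 characters")
    if charset_size(pw) <= 26:
        found.append("single character class")
    return found


if __name__ == "__main__":
    for candidate in TOP10 + ["qwerty", "R0swell!Labs", "correct horse battery staple"]:
        print("%-30s %5.1f bits  %s" % (candidate, entropy_bits(candidate),
                                       ", ".join(weaknesses(candidate)) or "no obvious pattern"))
```

The two numbers to compare are entropy_bits and the flag list: a short all-digit password has a keyspace of about 20 bits, which is gone in a millisecond at a billion guesses per second, while a flagged password of any length is effectively in the attacker’s first dictionary pass regardless of its nominal bit count.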
