<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cupfighter.net &#187; Uncategorized</title>
	<atom:link href="http://www.cupfighter.net/index.php/category/uncategorized/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cupfighter.net</link>
	<description>A blog by Schuberg Philis colleagues</description>
	<lastBuildDate>Thu, 09 Feb 2012 14:27:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Certificate validation problems after upgrading to Tortoise 1.7</title>
		<link>http://www.cupfighter.net/index.php/2011/11/certificate-validation-tortoise-1-7/</link>
		<comments>http://www.cupfighter.net/index.php/2011/11/certificate-validation-tortoise-1-7/#comments</comments>
		<pubDate>Mon, 28 Nov 2011 14:56:06 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[SSL]]></category>
		<category><![CDATA[Tips and tricks]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[certificates]]></category>
		<category><![CDATA[Frank Breedijk]]></category>
		<category><![CDATA[Intermediate CA]]></category>
		<category><![CDATA[Root CA]]></category>
		<category><![CDATA[Tortoise]]></category>
		<category><![CDATA[Tortoise1.7]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1464</guid>
		<description><![CDATA[A few days ago while starting TortoiseSVN it prompted me to update to version 1.7. After I updated to version 1.7, I could not connect to our internal repository anymore. The connection failed with the following error: SSL error: sslv3 alert certificate unknown. Our internal repository is secured with a certificate issued by our internal [...]]]></description>
			<content:encoded><![CDATA[<p>A few days ago while starting TortoiseSVN it prompted me to update to version 1.7</p>
<p>After I updated to version 1.7, I could not connect to our internal repository anymore. The connection failed with the following error: SSL error: sslv3 alert certificate unknown.</p>
<div id="attachment_1466" class="wp-caption aligncenter" style="width: 677px"><a href="http://www.cupfighter.net/wp-content/uploads/2011/11/Tortoise-error1.png"><img class="size-full wp-image-1466" title="SSL error: sslv3 alert certificate unknown" src="http://www.cupfighter.net/wp-content/uploads/2011/11/Tortoise-error1.png" alt="SSL error: sslv3 alert certificate unknown" width="667" height="306" /></a><p class="wp-caption-text">SSL error: sslv3 alert certificate unknown</p></div>
<p>Our internal repository is secured with a certificate issued by our internal CA infrastructure.</p>
<p style="text-align: center;">Root CA</p>
<p style="text-align: center;">|<br />
v</p>
<p style="text-align: center;">Intermediate Certificate</p>
<p style="text-align: center;">|<br />
v</p>
<p style="text-align: center;">Repository certificate</p>
<p>Browsing to the svn repository in a web browser does not produce an error, so the certificate chain is fine. At first I figured that Tortoise was using its own certificate store, but it turns out that Tortoise does use the Windows Root CA store, so there is no need to add the Root CA.</p>
<p>After some more investigation we found out that Tortoise does use the Windows Root CA store to validate the certificate chain, but, unlike Windows itself, does not use the Intermediate CA store to complete the certificate chain. Since all our client machines have the intermediate certificate in the Intermediate CA store, we never noticed that the certificates offered by Apache were not chained. After chaining the repository certificate with the intermediate certificate, Tortoise was able to talk to the repository again.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2011/11/certificate-validation-tortoise-1-7/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud security considerations</title>
		<link>http://www.cupfighter.net/index.php/2011/11/cloud-security-considerations/</link>
		<comments>http://www.cupfighter.net/index.php/2011/11/cloud-security-considerations/#comments</comments>
		<pubDate>Thu, 03 Nov 2011 09:56:46 +0000</pubDate>
		<dc:creator>Anton Opgenoort</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[auditability]]></category>
		<category><![CDATA[auditing]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[private cloud]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1448</guid>
		<description><![CDATA[There are many concerns these days on security when taking services from cloud providers. All the areas where Schuberg Philis is actively being audited on are areas of concern for IT managers. How do I know my cloud service is being hacked and abused if it is not running inside my datacenter? What possibilities do [...]]]></description>
			<content:encoded><![CDATA[<p>There are many concerns these days on security when taking services from cloud providers. All the areas where Schuberg Philis is actively being audited on are areas of concern for IT managers.</p>
<p>How do I know my cloud service is being hacked and abused if it is not running inside my datacenter? What possibilities do I have to check if my employees are acting along the lines of my Acceptable Use policy? Where are the logs of that abuse, and how can I trust the logs? How do I know that my data is not copied elsewhere in the cloud, and analysed offline by my competitor?</p>
<p>With regards to cloud storage, the CDMI (Cloud Data Management Interface) is trying to address some of the questions, but is only one step forward.</p>
<p>Cloud service providers still have a long way to go. An initiative like Eurocloud is doing great work in paving the road to trust in cloud service providers.</p>
<p>Once cloud service providers are able to successfully address these concerns, they will have a big advantage over the classical IT model of running your own IT: they provide all the security measures you would normally build and control yourself, combined with cloud advantages like fast provisioning and fast reuse of resources.</p>
<p>Small and medium-sized businesses will then be able to actually get a better and more secure service from cloud services than what they could build and control themselves.</p>
<p>What does this mean for SBP? Sure there will be competition from the cloud providers. But we are nothing more than just another cloud provider. We build services for our clients with our own cloud technologies of fast provisioning, centralized log analysis, but since we build private clouds for our customers, these customers can demand tailored solutions to address their specific needs and concerns.</p>
<p>Cloud computing is not a threat to our business model, but is preparing the market more and more for putting commodity services in the big generic clouds, combined with the need for supporting highly tailored private clouds.</p>
<p>So it is time to face the fact: Schuberg Philis, the private cloud company!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2011/11/cloud-security-considerations/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>HitB2010Ams &#8211; Hack in the Box, the different conference</title>
		<link>http://www.cupfighter.net/index.php/2010/07/hitb2010ams-hack-in-the-box-the-different-conference/</link>
		<comments>http://www.cupfighter.net/index.php/2010/07/hitb2010ams-hack-in-the-box-the-different-conference/#comments</comments>
		<pubDate>Fri, 02 Jul 2010 11:16:40 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Conferences]]></category>
		<category><![CDATA[HitB2010AMS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1091</guid>
		<description><![CDATA[By Frank Breedijk &#8211; During Hack in the Box Amsterdam I had the opportunity to sit down with its founder and CEO Dhillon Andrew Kannabhiran. I asked him about the Hack in the Box organisation, the conferences and why it was located in Amsterdam. Q: What is Hack in the Box? A: There is not [...]]]></description>
			<content:encoded><![CDATA[<p><a href="www.hackinthebox.org"><img class="alignright" title="Hack in the Box logo" src="http://conference.hitb.org/hitbsecconf2010ams-banner.jpg" alt="Hack in the Box logo" width="400" height="120" /></a>By Frank Breedijk &#8211; During Hack in the Box Amsterdam I had the opportunity to sit down with its founder and CEO Dhillon Andrew Kannabhiran. I asked him about the Hack in the Box organisation, the conferences and why it was located in Amsterdam.</p>
<p>Q: What is Hack in the Box?</p>
<p>A: There is no simple answer to that, but let me give it a try. There are two parts to Hack in the Box: the websites and the conferences. But mostly HitB is a group of people bundled in a not-for-profit organisation.</p>
<p><span id="more-1091"></span></p>
<p>Q: What is the difference between the HitB conferences and other conferences like Black Hat, DefCon, BruCon, Source, etc?</p>
<p>A: Hack in the Box is really a different conference. It is different from Black Hat because Black Hat is a commercial organisation and we are not. Black Hat conferences are too expensive. In a sense we are more like DefCon, but we are different as well. Hack in the Box tries to bridge the gap between three groups. The underground, the security professional and law enforcement. We want to create an environment that promotes open discussion between all these groups.</p>
<p>Q: Is Hack in the Box a security conference or a hacker conference?</p>
<p>A: We are a mix of both, this is what we try to be.</p>
<p>Q: Why did you pick Amsterdam for this conference?</p>
<p>A: Because I love Amsterdam. Besides that I have relatives in The Netherlands, and being familiar with Amsterdam and the Netherlands really helps when you want to set up a conference.</p>
<p>Q: The conference is at its 3/4 mark right now, how do you feel it is going?</p>
<p>A: I’m really happy with the conference, there will be another HitB in Amsterdam for sure. We did not quite make the 500 attendees we would have liked, but with over 200 people we did not fail. We will be planning the conference a little bit earlier in the year, say the mid-May timeframe.</p>
<p>Q: If you’d have to name one reason to attend a Hack in the Box conference, what would it be?</p>
<p>A: It’s a different conference.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/07/hitb2010ams-hack-in-the-box-the-different-conference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Undocumented Equallogic CLI Commands part II</title>
		<link>http://www.cupfighter.net/index.php/2010/04/undocumented-equallogic-cli-commands-part-ii/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/undocumented-equallogic-cli-commands-part-ii/#comments</comments>
		<pubDate>Thu, 22 Apr 2010 20:09:45 +0000</pubDate>
		<dc:creator>Peter van Hameren</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1026</guid>
		<description><![CDATA[As you have probably read in the cupfighter article Undocumented Equallogic CLI Commands, there is still much to discover under the hood of these great boxes. You would figure that if Equallogic runs on top of NetBSD it should be possible to run shell commands. Well, it is, but you have to leave the Equallogic [...]]]></description>
			<content:encoded><![CDATA[<p>As you have probably read in the cupfighter article <a href="http://www.cupfighter.net/index.php/2009/06/undocumented-equallogic-cli-commands/" target="_self">Undocumented Equallogic CLI Commands</a>, there is still much to discover under the hood of these great boxes. You would figure that if Equallogic runs on top of NetBSD it should be possible to run shell commands. Well, it is, but you have to leave the Equallogic CLI and open up a bash shell to perform these tasks.</p>
<p>To enter a bash shell on your Equallogic box you open a terminal session to your array and type:</p>
<p><strong>&gt; su exec bash</strong></p>
<p>Be aware of the following message!</p>
<blockquote><p>You are running a support command, which is normally restricted to PS Series Technical Support personnel. Do not use without instruction from Technical Support.</p></blockquote>
<p>That simple!</p>
<p>Now you can execute shell commands like ifconfig, uname, etc.</p>
<p>From this shell you can also restart the Equallogic Management Engine without rebooting your controllers. In my case it solved issues with replication schedules that did not get executed anymore. You just enter:</p>
<p><strong># eqlinit restart MgmtExec</strong></p>
<p>To check the status of the MgmtExec you enter:</p>
<p><strong># eqlinit status</strong></p>
<p>NB: be careful, because entering the bash shell and executing commands from here is not supported by Equallogic!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/undocumented-equallogic-cli-commands-part-ii/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Coverage of Black Hat Europe</title>
		<link>http://www.cupfighter.net/index.php/2010/04/converage-of-blackhateu/</link>
		<comments>http://www.cupfighter.net/index.php/2010/04/converage-of-blackhateu/#comments</comments>
		<pubDate>Mon, 12 Apr 2010 22:55:45 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Barcelona]]></category>
		<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[BlackHatEU]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=954</guid>
		<description><![CDATA[The Black Hat organization has graciously facilitated Cupfighter.net to cover Black Hat Europe, currently underway in Barcelona, Spain. Yesterday and today are filled with trainings, and Wednesday and Thursday are reserved for the briefings, which will be covered by cupfighter.net. Hopefully I will be able to give you pretty quick coverage as I previously did [...]]]></description>
			<content:encoded><![CDATA[<p>The Black Hat organization has graciously facilitated Cupfighter.net to cover Black Hat Europe, currently underway in Barcelona, Spain.</p>
<p>Yesterday and today are filled with trainings, and Wednesday and Thursday are reserved for the briefings, which will be covered by cupfighter.net.</p>
<p>Hopefully I will be able to give you pretty quick coverage as I previously did at <a title="Cupfigh coverage of Black Hat" href="http://www.cupfighter.net/index.php/category/conferences/blackhat/">Black Hat USA</a>, <a title="Cupfigh coverage of Defcon" href="http://www.cupfighter.net/index.php/category/conferences/defcon/">Defcon</a>, <a title="HAR2009" href="http://www.cupfighter.net/index.php/category/conferences/har2009-conferences/">Hacking at Random</a> and <a title="Cupfigh coverage of Confidence 2009.02" href="http://www.cupfighter.net/index.php/category/conferences/confidence-2009-02/">Confidence 2009.02</a>.</p>
<p><span id="more-954"></span>Black Hat CEO Jeff Moss previously explained that by moving the conference from Amsterdam (the home town of Schuberg Philis) to Barcelona, Black Hat would be able to expand the briefings from a two-track to a three-track schedule, only one track smaller than the massive Black Hat conference in Las Vegas.</p>
<p>From the entire <a title="BlackHatEU schedule" href="http://blackhat.com/html/bh-eu-10/bh-eu-10-schedule.html">overwhelming schedule</a> I have so far selected the following talks:</p>
<p><span style="text-decoration: underline;"><strong>Day 1</strong></span></p>
<ul>
<li>Keynote by Max Kelly &#8211; CSO of Facebook</li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#FX">Felix FX Lindner: Defending the Poor</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Temmingh">Roelof Temmingh: Unveiling Maltego 3.0</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Chenette">Stephan Chenette: Fireshark &#8211; A tool to Link the Malicious Web</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Arlen">James Arlen: SCADA and ICS for Security Experts: How to avoid being a Cyber Idiot</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Rey">Enno Rey &amp; Daniel Mende: Hacking Cisco Enterprise WLANs</a></li>
</ul>
<p><strong><span style="text-decoration: underline;">Day 2</span></strong></p>
<ul>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Duong">Thai Duong &amp; Juliano Rizzo: Practical Crypto Attacks Against Web Applications</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Papathanasiou">Christian Papathanasiou: Abusing JBoss</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Ocepek">Steve Ocepek &amp; Wendel G. Henrique: Oracle, Interrupted: Stealing Sessions and Credentials</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Lindsay">David Lindsay &amp; Eduardo Vela Nava: Universal XSS via IE8s XSS Filters</a></li>
<li><a href="http://blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Beek">Christiaan Beek: Virtual Forensics</a></li>
</ul>
<p>Besides the two-day program I will naturally be spending time socializing, networking and maybe even talking to some podcasting people.</p>
<p>Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/04/converage-of-blackhateu/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Too hot to handle</title>
		<link>http://www.cupfighter.net/index.php/2010/02/too-hot-to-handle/</link>
		<comments>http://www.cupfighter.net/index.php/2010/02/too-hot-to-handle/#comments</comments>
		<pubDate>Fri, 12 Feb 2010 21:45:09 +0000</pubDate>
		<dc:creator>Gert Kremer</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=900</guid>
		<description><![CDATA[With ever increasing complexity in the software stacks running on our systems, we are starting to take stuff that feeds us, like power and cooling for granted. Sure, on a global scale we have one of the most reliable power feeds from the net in the Netherlands. This is backed up by diesel engines and [...]]]></description>
			<content:encoded><![CDATA[<p>With ever increasing complexity in the software stacks running on our systems, we are starting to take stuff that feeds us, like power and cooling for granted. Sure, on a global scale we have one of the most reliable power feeds from the net in the Netherlands. This is backed up by diesel engines and a fully redundant power grid inside our primary data center. To get the generated heat out, there&#8217;s a fully redundant cooling system in place. </p>
<p>So with all this power and cooling hardware in place, we&#8217;re protected against everything&#8230; right? Well, think again, because the power grid and air conditioning systems are also controlled by&#8230; software! A seemingly harmless software update to the ACUs inside one of our suites caused a control valve to react in the opposite way to what its control software intended, effectively shutting down cooling and causing a temperature rise of 10 degrees centigrade in little over 30 minutes. These are the type of temperature rises which ultimately cause hardware to auto-shutdown. In this case, the problem was cleared before reaching critical levels. If it hadn&#8217;t been, we would have been able to transparently fail everything over to a remote location, since the typical infrastructures we build are based on a twin data center active / active concept.</p>
<p>This again proves that it doesn&#8217;t always have to be the often cited &#8216;plane crash&#8217; which proves the point for building mission critical infrastructures, like our customers&#8217;, inside multiple data centers. Actually, I don&#8217;t think there are any recorded events of an airplane crashing into a data center. Instead, something like the firmware controlling your ACUs can jeopardize all equipment inside a single room or even an entire data center. Plan for failure and expect failure to come from unexpected sources.</p>
<p>All things considered, the twin datacenter active/active configuration is indeed too hot to handle!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/02/too-hot-to-handle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>10 Red Balloons (got me thinking)</title>
		<link>http://www.cupfighter.net/index.php/2010/01/10-red-balloons-got-me-thinking/</link>
		<comments>http://www.cupfighter.net/index.php/2010/01/10-red-balloons-got-me-thinking/#comments</comments>
		<pubDate>Sat, 30 Jan 2010 01:12:58 +0000</pubDate>
		<dc:creator>Michael Wilkes</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[balloon]]></category>
		<category><![CDATA[darpa]]></category>
		<category><![CDATA[ideas]]></category>
		<category><![CDATA[social networks]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=868</guid>
		<description><![CDATA[I stumbled across this article about a clever challenge involving 10 red balloons. I read about it after following a link on a design studio&#8217;s Twitter posting. DARPA (Defense Advanced Research Projects Agency of the US government and creators of the internet back in the cold war days of the 1960s&#8230; read Bruce Sterling&#8217;s &#8220;A [...]]]></description>
			<content:encoded><![CDATA[<p><img alt="" src="http://marketinghitch.com/wp-content/uploads/2010/01/10-red-balloons1-199x300.jpg" title="Red Balloon" class="alignleft" width="199" height="300" />I stumbled across <a href="http://marketinghitch.com/beyond-the-big-idea-what-marketers-need-from-their-ad-agencies">this article</a> about a clever challenge involving 10 red balloons. I read about it after following a link on a design studio&#8217;s Twitter posting. DARPA (Defense Advanced Research Projects Agency of the US government and creators of the internet back in the cold war days of the 1960s&#8230; read <a href="http://w2.eff.org/Net_culture/internet_sterling.history.txt">Bruce Sterling&#8217;s &#8220;A Short History of the Internet&#8221;</a> written in 1993 if you have never heard of DARPA) took the 40th anniversary of the creation of the internet to pose the question: &#8220;Can any real world problems be solved by using the internet?&#8221; They came up with the <a href="https://networkchallenge.darpa.mil/FAQ.aspx">DARPA Network Challenge</a>.</p>
<p>So basically DARPA hid 10 red weather balloons all over the continental United States, and the challenge was to find them all, submit their latitude and longitude, and to find them first. Of course a team from MIT won the competition. How long did it take to find them? A month? A week? Just 8 hours and 52 minutes. How did they do this? By using social media and social networks of course.</p>
<p>Officially the DARPA Network Challenge states:</p>
<blockquote><p><em>The DARPA Network Challenge is a competition that will explore the roles the Internet and social networking play in the timely communication, wide-area team building, trust and urgent mobilization required to solve broad-scope, time-critical problems.</em></p></blockquote>
<p>So that&#8217;s all well and good, fun and interesting and such. But the thing that got me thinking, the thing touched on in the marketing website article, was not the discovery of the (in advertising lingo) &#8220;big idea&#8221; a.k.a. the red balloons. Rather, it was the MIT team&#8217;s <strong>process</strong> and approach to solving the problem that is the new &#8220;big idea.&#8221; The process invented by MIT&#8217;s team to rapidly assemble and task its newly formed &#8220;red balloon team&#8221; community worked, and it easily slipped into the operational ethos of bloggers, Facebook users and Twitter users (of course, having decided to donate the $40,000 cash prize to a charity probably helped too). The success of that process demonstrates to me (and to DARPA, who will interview the MIT team and its &#8220;community&#8221; of participants) the real value of social networks and the internet.</p>
<p>What the marketing website article is trying to say is that ad agencies used to do nothing but look for the next &#8220;big idea&#8221; and then pitch it to their clients. But along came the internet and changed all that. There are plenty of these big ideas to go around, and depending on how immersed you are in all this social media/networking stuff, more and more of them are starting to come from end-users or consumers. Take the <a href="http://www.swiffer.com">Swiffer</a> for example: it was an idea suggested by a consumer responding to an initiative called &#8220;Connect and Develop&#8221; from Procter &amp; Gamble to gather feedback and ideas from their customers.</p>
<blockquote><p><em>Crowd sourcing: No one is as smart as everyone.</em></p></blockquote>
<p>This is one of the ideas that forms the center of the disruptive technology called the internet. We experience successive waves of change that are emanating from the fact that virtually anyone can publish their thoughts, ideas, images, and video for the rest of the world to find. And sometimes conditions conspire to allow a simple idea or thought to permeate the minds and hearts of millions of people in a near instant. Such things are often called <a href="http://en.wikipedia.org/wiki/Internet_meme">internet memes</a>.</p>
<p>The first wave that hits you is email. Everyone starts here and sees the value of being able to send and receive email. Even my parents have been hit by the power of this medium of communication. The next wave I think that hit was port 80 traffic: http protocols for websites and web pages. Then e-commerce as a wave of online shopping, followed by an MP3 wave (napster at first, iTunes music store now), and most recently by a youtube.com or video wave.</p>
<p>In each of these waves, traditional media entities have been deeply disrupted by the free flowing of ideas and assets. Email killed the telegram (Western Union decommissioned the service in 2006 after over 150 years of use) and is digging into postal service revenues since day one. The websites and webpages have largely up-ended magazines and newspapers so that printed editions are now becoming increasingly scarce. MP3s have both salvaged and savaged the recording industry. And in January 2009 YouTube.com recorded over 100,000,000 viewings per day.</p>
<p>So all of this will continue happening, the waves of disruption (disruptive to traditional thinking and doing at least) will keep on coming. Publishing will become easier, in all sorts of media. Access will be expanded to include more and more people. And our part in all of it, at least in my view, is to remember to try to step back and think about the process of change that is going on. The new ways we can solve problems using this incredible web of technologies and people addicted to them. That will remain a valuable skill and insight to achieve and maintain. Learning how to program perl is great, or some other language. But eventually perl won&#8217;t matter that much. We won&#8217;t need to pay so much attention to the underlying technologies of the internet because they will (rightly) recede into the background. What will remain will be pure freedom of communication and expression I imagine. And the possibilities at that point will be blinding. So don&#8217;t fret about the big red balloons, just try to keep being a curious, problem-solving clever monkey and you&#8217;ll always have interesting work to do.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2010/01/10-red-balloons-got-me-thinking/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security Assessment Agreement Outsourcing</title>
		<link>http://www.cupfighter.net/index.php/2009/10/security-assessment-agreement-outsourcing/</link>
		<comments>http://www.cupfighter.net/index.php/2009/10/security-assessment-agreement-outsourcing/#comments</comments>
		<pubDate>Mon, 26 Oct 2009 11:55:35 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Agreement]]></category>
		<category><![CDATA[ITsec]]></category>
		<category><![CDATA[Madison Gurkha]]></category>
		<category><![CDATA[Ousourcing]]></category>
		<category><![CDATA[pdf]]></category>
		<category><![CDATA[Pentest]]></category>
		<category><![CDATA[Schuberg Philis]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security asessment agreement outsourcing]]></category>
		<category><![CDATA[word]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=627</guid>
		<description><![CDATA[My work as security engineer for Schuberg Philis often requires me to deal with the following situation. A customer of our requires us to facilitate a security assessment or the infrastructure we manage on their behalf. More of often then not, the contractual agreements between assessor and client and client and service provider together with [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.schubergphilis.com"><img class="alignright size-full wp-image-630" title="Schuberg Philis logo" src="http://www.cupfighter.net/wp-content/uploads/2009/10/schuberg-philis-met-wit-ruimte.png" alt="Schuberg Philis logo" width="149" height="39" /></a>My work as security engineer for Schuberg Philis often requires me to deal with the following situation. A customer of our requires us to facilitate a security assessment or the infrastructure we manage on their behalf.</p>
<p><a href="http://www.itsec.nl"><img class="alignright size-full wp-image-628" title="ITSEC logo" src="http://www.cupfighter.net/wp-content/uploads/2009/10/ITSEC.jpg" alt="ITSEC logo" width="72" height="96" /></a>More of often then not, the contractual agreements between assessor and client and client and service provider together with a &#8220;third party waivers&#8221; or similar documents do not cover everything that the three parties want to commonly agree upon. After reviewing quite a number of these documents, I decided to write a template agreement (which can be downloaded below) for exactly this situation. This document is not a replacement for the agreement between the client and the assessor, but as an additional agreement between all three parties.</p>
<p><a title="Madison Gurkha webiste" href="http://www.madison-gurkha.com" target="_blank"><img class="alignright size-full wp-image-629" title="Madison Gurkha logo" src="http://www.cupfighter.net/wp-content/uploads/2009/10/madison-gurkha-logo.png" alt="Madison Gurkha logo" width="103" height="48" />Madison Gurkha</a> and <a title="ITsec website" href="http://www.itsec.nl" target="_blank">ITsec</a> have both reviewed and contributed to this agreement and we will use it in our future dealings.</p>
<p>The agreement covers the following topics.</p>
<p><span id="more-627"></span>Scope of the assessment:</p>
<ul>
<li> What will be tested?</li>
<li>When will the test take place?</li>
<li>What kind of tests will be conducted?</li>
</ul>
<p>Contractual agreements:</p>
<ul>
<li>Does the assessor have a contract with the client?</li>
<li>Does the client have a contract with the service provider?</li>
</ul>
<p>Legal liability:</p>
<ul>
<li>Do both the client and the service provider waive prosecution of the assessor?</li>
</ul>
<p>Risks:</p>
<ul>
<li>Are all parties aware of, and do they agree to, the risks of a security assessment?</li>
</ul>
<p>Practical matters:</p>
<ul>
<li>The client requests the service provider to support the assessment</li>
<li>Who are the points of contact?</li>
<li>Where will the assessment take place?</li>
<li>How will the results be reported?</li>
</ul>
<p>Confidentiality:</p>
<ul>
<li>All parties agree to confidentiality</li>
</ul>
<p>The agreement template is released without any reservations of rights. This means you can use and adapt this agreement as you see fit, but completely at your own risk.</p>
<p>You can download the agreement here:</p>
<ul>
<li><a href="http://www.cupfighter.net/wp-content/uploads/2009/10/Security-Assesment-Agreement-Outsourcing-v1.0.doc">Security Assessment Agreement Outsourcing v1.0 (Word document)</a></li>
<li><a href="http://www.cupfighter.net/wp-content/uploads/2009/10/Security-Assesment-Agreement-Outsourcing-v1.0.pdf">Security Assessment Agreement Outsourcing v1.0 (PDF)</a></li>
</ul>
<p>I would like to thank the following people for their contribution:</p>
<ul>
<li>Madison Gurkha: Hans van de Looy and Arjan de Vet</li>
<li>ITsec: Tjerk Nan and Jan van Ek</li>
<li>Fox-It: Mark Koek</li>
<li>Arron Finnon (aka <a title="Arron Finnon onTwitter" href="http://twitter.com/f1nux" target="_blank">@f1nux</a>)</li>
<li>Colin McLean</li>
<li>Robert Ladyman</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/10/security-assessment-agreement-outsourcing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Resizing the outlook reminder window?</title>
		<link>http://www.cupfighter.net/index.php/2009/10/resize-outlook-reminder-window/</link>
		<comments>http://www.cupfighter.net/index.php/2009/10/resize-outlook-reminder-window/#comments</comments>
		<pubDate>Fri, 23 Oct 2009 05:43:34 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Outlook]]></category>
		<category><![CDATA[Registry]]></category>
		<category><![CDATA[Reminders]]></category>
		<category><![CDATA[Resize]]></category>
		<category><![CDATA[Tweak]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=619</guid>
		<description><![CDATA[Every now and then Microsoft Outlook decides to show its reminders in a strangely deformed reminder window. As always Google was my friend and pointed me to this post. The key is the value WindowPos in this registry key: HKCU\Software\Microsoft\Office\12.0\Outlook\Options\Reminders If you delete this value from the registry and restart Outlook the reminders window is [...]]]></description>
			<content:encoded><![CDATA[<p>Every now and then Microsoft Outlook decides to show its reminders in a strangely deformed reminder window.</p>
<div id="attachment_622" class="wp-caption aligncenter" style="width: 177px"><a href="http://www.cupfighter.net/wp-content/uploads/2009/10/Remidners2.png"><img class="size-full wp-image-622" title="Mini outlook reminder window" src="http://www.cupfighter.net/wp-content/uploads/2009/10/Remidners2.png" alt="Sorry what do I need to remember?" width="167" height="21" /></a><p class="wp-caption-text">Sorry what do I need to remember?</p></div>
<p>As always Google was my friend and pointed me to <a title="OdeToCode.com blog post" href="http://odetocode.com/blogs/scott/archive/2006/12/20/the-case-of-the-miniature-reminders-window.aspx" target="_blank">this</a> post.</p>
<p>The culprit is the value WindowPos in this registry key: HKCU\Software\Microsoft\Office\12.0\Outlook\Options\Reminders</p>
<p>If you delete this value from the registry and restart Outlook, the reminders window is back to its normal size.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/10/resize-outlook-reminder-window/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Get rid of Event ID 5156: The Windows Filtering Platform has allowed a connection</title>
		<link>http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/</link>
		<comments>http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/#comments</comments>
		<pubDate>Mon, 05 Oct 2009 12:47:49 +0000</pubDate>
		<dc:creator>Cupfighter</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Windows 2008]]></category>
		<category><![CDATA[Event ID 5156]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[windows vista]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=568</guid>
		<description><![CDATA[When you install McAfee on Windows Server 2008, and probably Windows Vista also, you can get a lot of messages in your security log. Like this one: Event ID 5156 means that WFP has allowed a connection. When most connections are allowed your security log will fill up very fast. You can disable Object Access [...]]]></description>
			<content:encoded><![CDATA[<p>When you install McAfee on Windows Server 2008, and probably Windows Vista also, you can get a lot of messages in your security log. Like this one:</p>
<p><img class="alignnone size-full wp-image-569" src="http://www.cupfighter.net/wp-content/uploads/2009/10/ID-5156.jpg" alt="ID 5156" width="455" height="317" /></p>
<p>Event ID 5156 means that WFP has allowed a connection. When most connections are allowed your security log will fill up very fast.</p>
<p>You can disable Object Access auditing but then you&#8217;ll miss other events which might be of interest. So, instead, let&#8217;s just disable Success Auditing for Filtering Platform Connections. It&#8217;s not possible to disable auditing subcategories with a policy or other GUI tool, but I found out that you can enable and disable specific subcategories with a special command-line tool: Auditpol.exe, which is included with Windows Vista and Windows Server 2008. I used the following command:</p>
<p>auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable</p>
<p>As you can see, this disables Success auditing for the Filtering Platform Connection subcategory while leaving Failure auditing enabled.</p>
<p>For more info check out this article:</p>
<p><a href="http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx">http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Word Cloud Snapshot of Cupfighter.net</title>
		<link>http://www.cupfighter.net/index.php/2009/09/word-cloud-snapshot-of-cupfighter-net/</link>
		<comments>http://www.cupfighter.net/index.php/2009/09/word-cloud-snapshot-of-cupfighter-net/#comments</comments>
		<pubDate>Sat, 26 Sep 2009 23:35:04 +0000</pubDate>
		<dc:creator>Michael Wilkes</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[frequency]]></category>
		<category><![CDATA[word cloud]]></category>
		<category><![CDATA[words]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=555</guid>
		<description><![CDATA[I know that wordpress has a built-in tag cloud, but when I came across the wordle.net generator, I thought it would be interesting to see how it differs (or not) from the tag cloud for cupfighter.net. I think it does differ, and not just aesthetically.]]></description>
			<content:encoded><![CDATA[<p>I know that WordPress has a built-in tag cloud, but when I came across the <a href="http://www.wordle.net">wordle.net</a> generator, I thought it would be interesting to see how it differs (or not) from the tag cloud for cupfighter.net. I think it does differ, and not just aesthetically.</p>
<div id="attachment_561" class="wp-caption alignleft" style="width: 901px"><img src="http://www.cupfighter.net/wp-content/uploads/2009/09/cupfighter-word-cloud-20090927.png" alt="snapshot on September 27th, 2009" title="Cupfighter.net Word Cloud" width="891" height="634" class="size-full wp-image-561" /><p class="wp-caption-text">snapshot on September 27th, 2009</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/09/word-cloud-snapshot-of-cupfighter-net/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HAR: Silent Disco</title>
		<link>http://www.cupfighter.net/index.php/2009/08/har-silent-disco/</link>
		<comments>http://www.cupfighter.net/index.php/2009/08/har-silent-disco/#comments</comments>
		<pubDate>Thu, 20 Aug 2009 22:38:52 +0000</pubDate>
		<dc:creator>Michael Wilkes</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Hacking at Random]]></category>
		<category><![CDATA[har2009]]></category>
		<category><![CDATA[Silent Disco]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=512</guid>
		<description><![CDATA[A silent disco was held on Saturday August 15th, 2009 at the Hacking at Random gathering in Vierhouten, Netherlands. There were two DJs playing, each on their own channel that you could listen to with the free wireless headsets. At one point I put the headset near the mic on the camera so that you [...]]]></description>
			<content:encoded><![CDATA[<p>A silent disco was held on Saturday August 15th, 2009 at the Hacking at Random gathering in Vierhouten, Netherlands. There were two DJs playing, each on their own channel that you could listen to with the free wireless headsets. At one point I put the headset near the mic on the camera so that you could hear a little of the music, but it is more interesting to listen to the ambient sounds coming from the dancers (and the occasional comments of people standing nearby or the DJ asking everyone to &#8220;jump&#8221; or &#8220;wave your hands&#8221;).</p>
<p><a href="http://www.cupfighter.net/index.php/2009/08/har-silent-disco/"><em>Click here to view the embedded video.</em></a></p>
<p>The Silent Disco was made possible by Schuberg Philis.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/08/har-silent-disco/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Google Voice in Amsterdam</title>
		<link>http://www.cupfighter.net/index.php/2009/07/using-google-voice-in-amsterdam/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/using-google-voice-in-amsterdam/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 22:46:24 +0000</pubDate>
		<dc:creator>Michael Wilkes</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[google voice]]></category>
		<category><![CDATA[phone]]></category>
		<category><![CDATA[voicemail]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=362</guid>
		<description><![CDATA[I recently got my invitation to sign up for Google Voice (previously known as Grand Central) but was confronted with a couple of challenges. The first one being that the service is not offered outside the US yet. Since I&#8217;ve been living abroad for the last few years, I&#8217;ve gotten used to finding myself on [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.cupfighter.net/wp-content/uploads/2009/07/his-voice.jpg" alt="his-masters-voice" title="his-masters-voice" width="495" height="369" class="alignleft size-full wp-image-370" /></p>
<p>I recently got my invitation to sign up for Google Voice (previously known as Grand Central) but was confronted with a couple of challenges. The first one being that the service is not offered outside the US yet. Since I&#8217;ve been living abroad for the last few years, I&#8217;ve gotten used to finding myself on the wrong side of the <em>&#8220;geo-fence&#8221;</em> that sites put up, using your IP address to determine whether you might be in the US or not. So to begin the process of responding to the invitation email, I needed to proxy my web browser traffic through a server in the US (there are scores of anonymizing proxies and plain-old-vanilla proxies, but I&#8217;m lucky to have friends with computers with reasonably low latency ping times). Once that was done, I began the 4 step process of registering a phone number so that I could get on with finding out <a href="http://www.google.com/googlevoice/about.html#">what GV can do</a>.</p>
<p>So many choices for phone numbers, but fortunately they came up with an interesting combination of methods to choose an available number. You can search by zip or area code of course, and you can also search by text string. What better way to make your Google Voice phone number easy to remember or say to someone than to look for your favorite phrase or handle/call-name. Since physical location does not matter so much these days, why not pick a phone number that hails from &#8220;Pocahontas, Mississippi?&#8221;</p>
<p>The next challenge was a bit tougher: the service needs at least one phone number to ring you on when you get a call to your GV number. That number has to be a US number (due to the way calls are charged in the US versus Europe). I found an interesting discussion about this and how it impacts <a href="http://mobilesociety.typepad.com/mobile_life/2009/03/google-voice-calling-party-pays-vs-bill-and-keep.html">the possibility of deploying GV in Europe</a>.</p>
<p>With some blind optimism, I entered my US efax/j2 number, hoping that when they called it to request the two digit verification code currently displayed on my browser, they might provide an alternative method for me to verify that I own/use the phone number in question in their voicemail message. Nope.</p>
<p>So my options at this point were to either set up a Skype-in number for something like 15 euros for 3 months so that I could answer the automated GV phone call, or ring a friend in the US, give his number and send him the verification code so that I could finish the registration process. You will correctly guess that I opted for the latter.</p>
<p>Finally I get to see the interface, check out the settings page, and read the little help buttons that explain exactly what the <em>&#8220;do not disturb&#8221;</em> checkbox does (this is something that I need to use of course, so that my friend does not get called each time I receive a call to my GV number). I have to say that there are only a few advantages to using Google Voice as an expat over simpler services like efax/j2. One of them, however, is pretty darn helpful: voicemail transcripts. Although the technology still has a ways to go before being 100% (most speech to text systems fail to get near 100% really, so who can blame them at this point), you certainly can get the gist of a message by reading the transcript. The transcribed words that the system is sure about are in black text, and the words which the system had doubts about are in a lighter shade of grey. And just like a karaoke machine, the highlighting of the message text in red underline as you listen to the audio voicemail message is kind of fun in its own right. What I&#8217;m not entirely sure about though is how or why the transcript engine/system decides that a transcript is not possible. The first GV voicemail message that I left for myself was marked &#8220;Transcript not available.&#8221;</p>
<p>Being the responsible beta user that I am, I immediately clicked on the feedback link to let them know of my question about the criteria under which a transcript might not be available. This took me to a nice little Google Docs form for providing feedback. Ok, I&#8217;m game. A simple email form is not enough control over what folks put into the feedback, so I write up my question, I hit submit and get a cheeky little reply saying that an unexpected error occurred, they are rather embarrassed about it of course, and that I can rest assured that geeks have been notified that the error took place. So much for my first interaction with the community of GV developers.</p>
<p>One more thing worth mentioning is the GV mobile application. Having a BlackBerry (or iPhone) means that I can (and did) download the GV mobile application, giving me the equivalent of visual voicemail for free on the service. This is nice. Of course if I want to listen to the voicemails, I need to download them first, but that is to be expected. The real time saving feature here is not necessarily being able to listen to my GV messages wherever I happen to be, but instead the sheer time saved by being able to see who the message is from and read the transcription in just a few seconds.</p>
<p>Oh and I suppose being able to send and receive SMS/text messages for free with my friends and family in the US is also a perk. They intend, I suppose, to eat some of Skype&#8217;s lunch in this kind of <em>&#8220;messaging for free&#8221;</em> model. I wonder if they plan to have an API exposed so that I can do this with a script? I admit that I&#8217;m not the real target audience subscriber for Google Voice, but I&#8217;m on board at the moment and am thinking that it has some nifty features (I didn&#8217;t even mention the widgets/gadgets that you can use where the person never knows what your GV number is&#8230; nice for security/anonymity).</p>
<p><strong>Question:</strong> Anyone else trying to integrate GV into their point of presence without being in the US at the time?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/using-google-voice-in-amsterdam/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

