
Archive for the ‘Uncategorized’ Category

Certificate validation problems after upgrading to Tortoise 1.7

November 28th, 2011 No comments

A few days ago, while starting TortoiseSVN, it prompted me to update to version 1.7.

After I updated to version 1.7, I could not connect to our internal repository anymore. The connection failed with the following error: SSL error: sslv3 alert certificate unknown.

SSL error: sslv3 alert certificate unknown

Our internal repository is secured with a certificate issued by our internal CA infrastructure:

Root CA
  |
  v
Intermediate Certificate
  |
  v
Repository certificate

Surfing to the svn repository in a browser does not produce an error, so the certificate chain looked fine. At first I figured that Tortoise was using its own certificate store, but it turns out that Tortoise does use the Windows Root CA store, so there is no need to add the Root CA.

After some more investigation we found out that Tortoise does use the Windows Root CA store to validate the certificate chain, but, unlike Windows itself, it does not use the Intermediate CA store to complete the chain. Windows (and therefore the browser) silently fills in the missing intermediate from the local Intermediate Certification Authorities store, while Tortoise only trusts the roots and expects the server to present the complete chain. Since all our client machines have the intermediate certificate in the Intermediate CA store, we never noticed that the certificates offered by Apache were not chained: the server was sending only its own certificate. The "certificate unknown" alert is the client telling the server it could not validate what it received, so the same alert shows up in the Apache error log. After chaining the repository certificate with the intermediate certificate on the server side, so that Apache sends both, Tortoise was able to talk to the repository again.

Cloud security considerations

November 3rd, 2011 2 comments

There are many concerns these days about security when taking services from cloud providers. All the areas in which Schuberg Philis is actively audited are areas of concern for IT managers.

How do I know my cloud service is being hacked and abused if it is not running inside my datacenter? What possibilities do I have to check if my employees are acting along the lines of my Acceptable Use policy? Where are the logs of that abuse, and how can I trust the logs? How do I know that my data is not copied elsewhere in the cloud, and analysed offline by my competitor?

With regards to cloud storage, the CDMI (Cloud Data Management Interface) is trying to address some of the questions, but is only one step forward.

Cloud service providers still have a long way to go. An initiative like Eurocloud is doing great work in paving the road to trust in cloud service providers.

When cloud service providers are able to successfully address these concerns, they will have a big advantage over the classical IT model of running your own IT: they provide all the security controls you would normally build and control yourself, combined with cloud advantages like fast provisioning and fast reuse of resources.

Small and medium-sized businesses will then be able to get a better and more secure service from cloud services than what they could build and control themselves.

What does this mean for SBP? Sure, there will be competition from the cloud providers. But we are nothing more than just another cloud provider. We build services for our clients with our own cloud technologies of fast provisioning and centralized log analysis, but since we build private clouds for our customers, these customers can demand tailored solutions to address their specific needs and concerns.

Cloud computing is not a threat to our business model; it is preparing the market more and more for putting commodity services in the big generic clouds, combined with the need to support highly tailored private clouds.

So it is time to face the fact: Schuberg Philis, the private cloud company!

HitB2010Ams – Hack in the Box, the different conference

July 2nd, 2010 No comments

By Frank Breedijk – During Hack in the Box Amsterdam I had the opportunity to sit down with its founder and CEO Dhillon Andrew Kannabhiran. I asked him about the Hack in the Box organisation, the conferences and why it was located in Amsterdam.

Q: What is Hack in the Box?

A: There is no simple answer to that, but let me give it a try. There are two parts to Hack in the Box: the websites and the conferences. But mostly HitB is a group of people bundled in a not-for-profit organisation.


Undocumented Equallogic CLI Commands part II

April 22nd, 2010 1 comment

As you have probably read in the Cupfighter article Undocumented Equallogic CLI Commands, there is still much to discover under the hood of these great boxes. You would figure that if Equallogic runs on top of NetBSD it should be possible to run shell commands. Well, it is, but you have to leave the Equallogic CLI and open up a bash shell to perform these tasks.

To enter a bash shell on your Equallogic box you open a terminal session to your array and type:

> su exec bash

Be aware of the following message!

You are running a support command, which is normally restricted to PS Series Technical Support personnel. Do not use without instruction from Technical Support.

That simple!

Now you can execute shell commands like ifconfig, uname etc.

From this shell you can also restart the Equallogic Management Engine without rebooting your controllers. In my case it solved issues with replication schedules that did not get executed anymore. You just enter:

# eqlinit restart MgmtExec

To check the status of the MgmtExec you enter:

# eqlinit status

NB. Be careful: entering the bash shell and executing commands from there is not supported by Equallogic. The warning above means what it says: you are outside the CLI's guard rails, and anything you run there is your own responsibility.


Coverage of Black Hat Europe

April 13th, 2010 2 comments

The Black Hat organization has graciously facilitated Cupfighter.net to cover Black Hat Europe, currently underway in Barcelona Spain.

Yesterday and today are filled with trainings, and Wednesday and Thursday are reserved for the briefings, which will be covered by cupfighter.net.

Hopefully I will be able to give you pretty quick coverage as I previously did at Black Hat USA, Defcon, Hacking at Random and Confidence 2009.02.


Too hot to handle

February 12th, 2010 No comments

With ever increasing complexity in the software stacks running on our systems, we are starting to take the things that feed them, like power and cooling, for granted. Sure, on a global scale we have one of the most reliable power feeds from the grid in the Netherlands. This is backed up by diesel generators and a fully redundant power grid inside our primary data center. To get the generated heat out, there is a fully redundant cooling system in place.

So with all this power and cooling hardware in place, we're protected against everything... right? Well, think again, because the power grid and air conditioning systems are also controlled by... software! A seemingly harmless software update to the ACUs (air conditioning units) inside one of our suites caused a control valve to move in the opposite direction from the one its control software believed it was commanding, effectively shutting down cooling and causing a 10 degree centigrade temperature rise in little over 30 minutes. These are the kind of temperature rises that ultimately cause hardware to shut itself down. In this case, the problem was cleared before reaching critical levels. If it hadn't been, we would have been able to transparently fail everything over to a remote location, since the typical infrastructures we build are based on a twin data center active/active concept.

This again proves that it doesn't always have to be the often cited "plane crash" that makes the case for building mission critical infrastructures, like our customers', inside multiple data centers. Actually, I don't think there are any recorded events of an airplane crashing into a data center. Instead, something like the firmware controlling your ACUs can jeopardize all equipment inside a single room or even an entire data center. Plan for failure and expect failure to come from unexpected sources.

All things considered, the twin datacenter active/active configuration is indeed too hot to handle!


10 Red Balloons (got me thinking)

January 30th, 2010 1 comment

I stumbled across this article about a clever challenge involving 10 red balloons. I read about it after following a link on a design studio’s Twitter posting. DARPA (Defense Advanced Research Projects Agency of the US government and creators of the internet back in the cold war days of the 1960s… read Bruce Sterling’s “A Short History of the Internet” written in 1993 if you have never heard of DARPA) took the 40th anniversary of the creation of the internet to pose the question: “Can any real world problems be solved by using the internet?” They came up with the DARPA Network Challenge.

So basically DARPA hid 10 red weather balloons all over the continental United States, and the challenge was to find them all, submit their latitude and longitude, and to find them first. Of course a team from MIT won the competition. How long did it take to find them? A month? A week? Just 8 hours and 52 minutes. How did they do this? By using social media and social networks of course.

Officially the DARPA Network Challenge states:

The DARPA Network Challenge is a competition that will explore the roles the Internet and social networking play in the timely communication, wide-area team building, trust and urgent mobilization required to solve broad-scope, time-critical problems.

So that's all well and good, fun and interesting and such. But the thing that got me thinking, the thing touched on in the marketing website article, was not the discovery of the (in advertising lingo) "big idea" a.k.a. the red balloons. Rather, it was the MIT team's process and approach to solving the problem that is the new "big idea." The process invented by MIT's team to rapidly assemble and task its newly formed "red balloon team" community worked, and it easily slipped into the operational ethos of bloggers, Facebook users and Twitter users (of course, having decided to donate the $40,000 cash prize to a charity probably helped too). The success of that process demonstrates to me (and to DARPA, who will interview the MIT team and its "community" of participants) the real value of social networks and the internet.

What the marketing website article is trying to say is that ad agencies used to do nothing but look for the next "big idea" and then pitch it to their clients. But along came the internet and changed all that. There are plenty of these big ideas to go around, and depending on how immersed you are in all this social media/networking stuff, more and more of them are starting to come from end-users or consumers. Take the Swiffer for example: it was an idea suggested by a consumer responding to an initiative called "Connect and Develop" from Procter & Gamble to gather feedback and ideas from their customers.

Crowd sourcing: No one is as smart as everyone.

This is one of the ideas that forms the center of the disruptive technology called the internet. We experience successive waves of change that are emanating from the fact that virtually anyone can publish their thoughts, ideas, images, and video for the rest of the world to find. And sometimes conditions conspire to allow a simple idea or thought to permeate the minds and hearts of millions of people in a near instant. Such things are often called internet memes.

The first wave that hits you is email. Everyone starts here and sees the value of being able to send and receive email. Even my parents have been hit by the power of this medium of communication. The next wave, I think, was port 80 traffic: HTTP, websites and web pages. Then e-commerce as a wave of online shopping, followed by an MP3 wave (Napster at first, the iTunes music store now), and most recently by a youtube.com or video wave.

In each of these waves, traditional media entities have been deeply disrupted by the free flowing of ideas and assets. Email killed the telegram (Western Union decommissioned the service in 2006 after over 150 years of use) and is digging into postal service revenues since day one. The websites and webpages have largely up-ended magazines and newspapers so that printed editions are now becoming increasingly scarce. MP3s have both salvaged and savaged the recording industry. And in January 2009 YouTube.com recorded over 100,000,000 viewings per day.

So all of this will continue happening; the waves of disruption (disruptive to traditional thinking and doing, at least) will keep on coming. Publishing will become easier, in all sorts of media. Access will be expanded to include more and more people. And our part in all of it, at least in my view, is to remember to step back and think about the process of change that is going on: the new ways we can solve problems using this incredible web of technologies and the people addicted to them. That will remain a valuable skill and insight to achieve and maintain. Learning how to program Perl is great, or some other language. But eventually Perl won't matter that much. We won't need to pay so much attention to the underlying technologies of the internet because they will (rightly) recede into the background. What will remain will be pure freedom of communication and expression, I imagine. And the possibilities at that point will be blinding. So don't fret about the big red balloons, just try to keep being a curious, problem-solving clever monkey and you'll always have interesting work to do.

Security Assessment Agreement Outsourcing

October 26th, 2009 1 comment

My work as security engineer for Schuberg Philis often requires me to deal with the following situation: a customer of ours requires us to facilitate a security assessment of the infrastructure we manage on their behalf.

More often than not, the contractual agreements between assessor and client and between client and service provider, together with a "third party waiver" or similar document, do not cover everything that the three parties want to agree upon. After reviewing quite a number of these documents, I decided to write a template agreement (which can be downloaded below) for exactly this situation. This document is not a replacement for the agreement between the client and the assessor, but an additional agreement between all three parties.

Madison Gurkha and ITsec have both reviewed and contributed to this agreement, and we will use it in our future dealings.

The agreement covers the following topics.


Resizing the outlook reminder window?

October 23rd, 2009 2 comments

Every now and then Microsoft Outlook decides to show its reminders in a strangely deformed reminder window.

Sorry what do I need to remember?

As always, Google was my friend and pointed me to this post.

The culprit is the value WindowPos in this registry key: HKCU\Software\Microsoft\Office\12.0\Outlook\Options\Reminders (12.0 is Outlook 2007; other Office versions use a different version number in the path).

If you close Outlook, delete this value (only the WindowPos value, not the whole Reminders key) from the registry and restart Outlook, the reminders window is back to its normal size. Outlook writes a fresh WindowPos the next time it positions the window.

Get rid of Event ID 5156: The Windows Filtering Platform has allowed a connection

October 5th, 2009 3 comments

When you install McAfee on Windows Server 2008, and probably on Windows Vista as well, you can get a lot of messages like this one in your security log:

ID 5156

Event ID 5156 means that the Windows Filtering Platform (WFP) has allowed a connection. Since most connections are allowed, your security log fills up very fast.

You can disable Object Access auditing altogether, but then you'll miss other events that might be of interest. So, instead, let's just disable success auditing for the Filtering Platform Connection subcategory. On Windows Vista and Server 2008 the audit subcategories are not exposed in Group Policy or any other GUI tool (Windows 7 and Server 2008 R2 later added Advanced Audit Policy Configuration for this), but you can enable and disable specific subcategories with a command-line tool, Auditpol.exe, which is included with Windows Vista and Windows Server 2008. I used the following command:

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

As you can see, this disables success auditing for the Filtering Platform Connection subcategory while keeping failure auditing, so blocked connections (Event ID 5157) are still logged. Run it from an elevated command prompt, and check the result with the same tool using /get instead of /set. One caveat: if a Group Policy object sets the legacy Object Access category, it overwrites this subcategory setting at the next policy refresh unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.

For more info check out this article:

http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx