Hi! Thanks for swinging by. You’re probably here because you saw me speak at VANTUG on Tuesday, February 5, 2013. Thanks for attending.
As promised, here’s links to the things I spoke about that evening. Please let me know if you have any questions!
I had a great time at CanSecWest. I have been following the relevant hashtags on twitter and figured I should toss all the resources and fun media coverage for the event.
I’ll update this as I round things up. Feel free to send me more links via comment or @buulam
Safari/MacBook Air Winners: @VUPEN
Internet Explorer Winners: @stephenfewer
– Video Interview: https://threatpost.com/en_us/blogs/pwn2own-winner-stephen-fewer-031011
- Network Application Firewalls vs. Contemporary Threats – Brad Woodberg, Juniper
- Runtime Firmware Integrity Verification: What Can Now Be Achieved – Yves-Alexis Perez and Loic Duflot, ANSSI
- IPv6 Implementation and Security Round Table – A Moderated Disagreement or a Chorus? – David Shinberg, Marc “van Hauser” Heuse, Guillaume Valadon and additional members TBA
- Is Your Gaming Console Safe?: Embedded Devices, an AntiVirus-free Safe Hideout for Malware – DongJoo Ha and KiChan Ahn, AhnLab Inc and Korea Financial Telecommunications & Clearings Institute
DongJoo Ha @ChakYi
KiChan Ahn @Externalist
- Chip & PIN is Definitely Broken – Andrea Barisani and Daniele Bianco, Inversepath
- iPhone and iPad Hacking – Ilja van Sprundel, IOActive
- Welcome To Rootkit Country – Graeme Neilson, Aura Software Security
- Borken Fonts: The Story of Naive Parsers and Attacker Controlled Reboots – Marc Schönefeld, Red Hat
- Deconstructing ColdFusion – Chris Eng & Brandon Creighton, Veracode
- Security Defect Metrics for Targeted Fuzzing – Dustin Duran, Matt Miller, David Weston, Microsoft
- GRAPE: Generative Rule-based Generic Stateful Fuzzing – Nicholas Green, FourteenForty
I’ve been attending CanSecWest for the last two days. I’m lucky for two reasons: Not only is this internationally renowned security conference held right here in Vancouver, but this isn’t normally a conference I am sent to and we happened to score me a free pass this year.
You may not have heard of CanSecWest, but a few more people will have heard of Pwn2Own, the contest where over $100,000 CAD and the target hardware are given out as prizes for compromising browsers and smart phones.
So far, IE, Firefox, Safari, iOS and Blackberry OS have been compromised. Windows Phone 7, Chrome and Android have so far survived.
What I found interesting was that Blackberry OS, touted to be very secure, was compromised due to a WebKit vulnerability. Now, before the attempt was made, I watched a battle begin at the Pwn2Own area, where a representative from RIM Security was trying to make certain that the Blackberry Torch being targeted would be patched with a recent OS patch, which it had not been yet. The patch had been released with Canadian carriers recently but not in other countries. RIM works with carriers on their OS updates as each carrier gets an OS flavored to their liking.
Well the Blackberry got pwned. RIM didn’t get to apply that latest patch. But, it wouldn’t have mattered. The webkit patch hadn’t yet been implemented in the latest Blackberry OS anyways!
Google on the other hand, is fairly quick with patches to Chrome. You barely even know they’ve done it. It hasn’t fallen over so far at the contest. That webkit bug Blackberry fell to was patched by Google long ago.
But I don’t really like what I see. RIM has to maintain so many flavors of OS, across so many of their platforms, and then multiply that by all the carriers they work with. This is obviously slowing down the patching process. As if it wasn’t already slow enough, considering they have to encourage users to take the time to update their firmware in the first place.
iOS has its faults, but at least they’re pretty quick with their updates. And while many are critical of iTunes, it is pretty nice that it tells you right away if there is a software update available and encourages you to upgrade – even making the process super easy with a simple backup and then restoring your settings after the update. And yes, Apple’s security folks were on site today as well and said they’ll be implementing patches in order to plug the holes found by the famous Charlie Miller, who pwned the iPhone 4.
Perhaps now that Blackberry has to be even more aware of vulnerabilities in their phones, having added a WebKit browser, they should re-evaluate the efficiency of their patching.
UPDATE: Well, looks like Google may be eating their words. The bug that pwned Blackberry OS might be in Chrome. I’ll try to find a valid link with info.
UPDATE2: Ok, here is a link http://www.zdnet.com/blog/security/google-first-to-patch-pwn2own-webkit-vulnerability/8427
Surprisingly, RSA has released a software token for Nokia phones. I wonder how long it will be supported for since Nokia has announced they’ll be going with the Windows Phone 7 operating systems.
Well, I didn’t quite get to publishing this once a week. I’ve been collecting a few links but never hit the publish button. But now here they are.
– I hadn’t realized Google’s search bar had a built in calculator that included a handy trick of calculating transfer times if you give it file size and bandwidth!
– When I first started integrating IP storage, the big rules of thumb when provisioning the switching were Jumbo Frames and Flow Control. I never really observed performance improvements to write home about when enabling Jumbo Frames, and in this blog post some measurements were actually recorded. The results were quite interesting and are worth reading through.
– A reality show featuring LIGATT Security employees. Not sure how well it will fare against Jersey Shore.
– A big announcement last week was the depletion of IPv4. Well, sort of. The final /8’s were given out to each RIR and they are expected to be dished out from there within months. Time to start brushing up on IPv6 although it still sounds like it will be a few years before anything major changes.
- I have been working on getting our firewall set up for our VMware View demo. Our last View demo environment used PCoIP internally, but it had yet to be integrated into the Security Server, so any remote View access was leveraging good old Microsoft RDP. Well, as of View 4.6 we can now have PCoIP proxied through the Security Server. You will need to open up the PCoIP port (TCP/UDP 4172) directly to the Security Server in your DMZ and then open PCoIP from the Security Servers to your View VMs. Documentation was a bit scarce at the time, and if it still is in a couple of weeks, maybe I’ll do a write-up on all the firewall ports needed and the RSA setup.
We did a very rough side by side comparison of the View 4.6 environment with our XenApp 6 + NetScaler/Citrix Access Gateway Enterprise environment and they yielded roughly the same results for youtube’ing and basic tasks. HDX was not enabled for XenApp.
Some key things to note are:
– PCoIP is UDP based
– PCoIP leverages AES-128 and therefore there is no SSL tunneling involved
– Not sure if there’s a streamlined way to distribute the View client
– RSA SecurID was tested and works great, including support for New PIN mode, and has native (as opposed to RADIUS) support
Today while downloading the latest RSA Authentication Manager Service Pack (3), I figured I may as well download the Overview & Tutorial that I’d always seen but never investigated.
This is actually a really good tutorial for new RSA SecurID customers or even ones who have just upgraded to version 7.1 because of the huge change in user interface. It gives really quick and to the point instructions on day to day activities.
I look forward to providing this to my customers to supplement the Knowledge Transfer I normally provide in my implementation projects.
One often overlooked detail in basic Check Point setups is setting up your SmartView Monitor (SVM) alerting.
The available alerts include handy notifications about CPU spikes, low disk space, sync state and policy installations.
To begin setting this up, you will first need to establish that you have a mail relay to send through. You may need to ask your email administrator to allow the IP address of the firewall to send email through the email server.
After that is sorted out, you will set up a sendmail string within SmartCenter’s General Properties. This is actually detailed in SecureKnowledge article sk25941.
Basically you need to go into:
General Properties -> Log and Alert -> Alert Commands
You’ll find a field to enter a mail alert script. Here is what it should look like:
internal_sendmail -s 'Check Point Alert' -t -f firstname.lastname@example.org email@example.com
-s is followed by the subject line you desire
-t is followed by the mail relay you want to use; it can be a hostname if you have name resolution on the SmartCenter
-f is followed by what you want the sender address to be, generally the hostname of your SmartCenter
and the end of the string is simply the destination address(es)
Now that you have set that up, you will want to open up SmartView Monitor and click Tools -> Start System Alert Daemon. Give it a few moments to start the daemon, then click Gateways -> Threshold Settings.
Go ahead and click Edit Global Settings. From here you can enable alerts by checking them off, selecting your thresholds and change the actions to “Mail”.
If you have a distributed environment, or multiple gateways, you can actually have different thresholds for each object. You can customize each object by highlighting the object in SmartView Monitor, clicking Gateways -> Threshold Settings and then selecting Custom. From there you are setting thresholds for that specific object.
You should be able to set the Policy Install Time alert for a quick and easy test.
If you are not running highly available, synchronized Smart Centers for your Check Point VPN-1 environment, you might be looking into making sure you have a backup setup. Even if you have high-availability management, I’d still recommend it – I’m sure it will help you sleep at night.
Check Point SPLAT includes a pretty easy-to-use utility to automate backups and send them right over to an SCP server. Unfortunately, that is not the case if you use Windows for your SmartCenter operating system.
Here’s a simple script I use in a Windows environment. Use notepad to create a file and save it with the extension .bat to turn it into an executable batch file.
For this example, I’m creating cpbackup_script.bat
net use y: \\srv-backup\CP_CFGDUMP /USER:cpbackup **password removed**
FOR /f "tokens=2 delims= " %%D in ('echo %DATE:/=%') do SET DATEN=%%D
echo/ | %FWDIR%\bin\upgrade_tools\upgrade_export "Y:\cpexport_%DATEN%.tgz"
The first line will map a Windows share to a drive letter, in this case Y:
srv-backup is obviously a backup server on this network
CP_CFGDUMP is a folder that has been setup on srv-backup
cpbackup and **password removed** is a local username and password setup on srv-backup
So, you’re going to need to ask your Backup Administrator (that could be you!) to set up this folder and user account for you to pop the backup into. Then have your Backup Administrator take backups of that folder.
The next line in the script is purely to pull the current date (with the slashes stripped out of %DATE%) and populate a variable which is used in the next line.
The next line uses the upgrade_export command from Check Point and outputs the exported file into the share on the backup server, appending the date stamp to the end of the file name.
Now that you have this script, you can set up a Windows Scheduled Task to run it whenever you’d like. Then coordinate with your backup administrator to make sure the backup is taken shortly after the script has run its course. It’s usually anywhere from 2 to 10 minutes in my personal experience.
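As an added example (not the script from the post above), here is a variant of the same backup batch file with the two things that tend to bite people in practice handled: the share password is no longer written into the .bat (the scheduled task is assumed to run as an account that already has rights on the share, so net use needs no /USER), and the script checks that the mapping worked and that a non-empty archive actually landed on the share before reporting success, so a silent failure does not leave you believing you have backups you don’t. The share, folder and user names are the ones from the post; the log file path, the drive letter and the %DATE% format (assumed to be "Day MM/DD/YYYY", as in the original) are assumptions you may need to adjust.

```batch
@echo off
REM Added example, not the original post's script. Assumes the scheduled task
REM runs as an account with rights on \\srv-backup\CP_CFGDUMP, so no password
REM needs to be stored in this file. Log path and drive letter are assumptions.
setlocal

set SHARE=\\srv-backup\CP_CFGDUMP
set DRIVE=Y:
set LOGFILE=%SystemDrive%\cpbackup\cpbackup.log

REM Build a timestamp of the form MMDDYYYY_HHMM from %DATE% and %TIME%.
REM Assumes a date format like "Tue 02/05/2013"; adjust "tokens" for other locales.
for /f "tokens=2 delims= " %%D in ('echo %DATE:/=%') do set DATEN=%%D
set TIMEN=%TIME:~0,2%%TIME:~3,2%
REM Single-digit hours come back with a leading space; pad with a zero instead.
set TIMEN=%TIMEN: =0%
set STAMP=%DATEN%_%TIMEN%
set ARCHIVE=%DRIVE%\cpexport_%STAMP%.tgz

REM Map the share using the task account's own credentials and stop if that fails.
net use %DRIVE% %SHARE% >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% ERROR: could not map %SHARE% >> "%LOGFILE%"
    exit /b 1
)

REM Run the export, answering its confirmation prompt with an empty line,
REM exactly as the original script does.
echo/ | "%FWDIR%\bin\upgrade_tools\upgrade_export" "%ARCHIVE%"

REM Verify the archive exists and is non-empty before claiming success.
if not exist "%ARCHIVE%" (
    echo %DATE% %TIME% ERROR: export file %ARCHIVE% was not created >> "%LOGFILE%"
    net use %DRIVE% /delete /y >nul 2>&1
    exit /b 1
)
for %%F in ("%ARCHIVE%") do if %%~zF EQU 0 (
    echo %DATE% %TIME% ERROR: export file %ARCHIVE% is empty >> "%LOGFILE%"
    net use %DRIVE% /delete /y >nul 2>&1
    exit /b 1
)

echo %DATE% %TIME% OK: cpexport_%STAMP%.tgz written to %SHARE% >> "%LOGFILE%"
REM Unmap the drive so the share is not left mounted between runs.
net use %DRIVE% /delete /y >nul 2>&1
endlocal
exit /b 0
```

Because the script returns a non-zero exit code on any failure, the Scheduled Task's "Last Run Result" column shows whether the export succeeded, and the log file gives you something to check before your backup administrator's job picks the folder up.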
Hope that helps you out and leave comments if you have questions or suggestions.
I’ve used an iPhone for the past couple of years in a corporate environment, taking over from my long-time BlackBerry use. Its market share growth, combined with the growth of smart phone use, has put a target on the iPhone’s back.
This gentleman has compiled a lot of info about the iPhone Security Framework and reviews some vulnerabilities. Worth a read if you’re assessing the technology from a security perspective for use in your environment.
This blog has some really useful stuff. I recommend you follow it if you are interested in any of the technologies the author discusses.
Today I’ve been looking into different approaches to failing over from an MPLS connection to a site to a VPN connection. This white paper isn’t my exact scenario, but I know I’ll find it useful in the future, so I’ll drop it on here.