security – Capi's Corner

Enable RSA-based public-keys for ssh when accessing legacy devices

When accessing old devices that are not yet using modern encryption algorithms, current Ubuntu installations might reject connection due to the signature algorithm for the public keys being disabled, e.g.

sign_and_send_pubkey: no mutual signature supported

You can enable this on a per-command level by adding the following option to your SSH command line:

ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa ...

As an alternative you can add this permanently for a host by adding it to the host’s configuration in your $HOME/.ssh/config:

Host myhost
  PubkeyAcceptedKeyTypes +ssh-rsa

This also works for other key types like ssh-dss.

Note: In general you only should do this if you access legacy devices where you have no possibility to upgrade to state-of-the-art encryption algorithms. Those algorithms got deprecated for a reason. Therefore always do this on a per-command or per-target-host level instead of blindly enabling those algorithms in your global SSH config.

Router default password database

If you ever get to forget the default password of your router, you might have high chances of getting it back from the Default Router Passwords Database.

25C3 CTF – 2nd place for Hagenberg’s team “h4ck!nb3rg”

Yesterday’s CTF of the 25C3 resulted in a very respectable 2nd place of the team “h4ck!nb3rg” from Hagenberg. It was an amazing experience being part of this! Thanks to the team and everyone involved in the organization of the event!

TrueCrypt 5.1 is out!

The new TrueCrypt 5.1 version finally enables hibernation with pre-boot authentication. I am going to try it out as soon as possible. A big thank you to all the developers!

Update 2008-03-16: Today I finally had time to test out pre-boot authentication. It simply worked great. No problems at all. As I was using it on a notebook, I was very happy about the possibility to interrupt and resume the encryption process.

[tags]encryption, windows, truecrypt[/tags]

TrueCrypt 5 is out!

After quite some time, a new version of my favorite encryption tool is out: TrueCrypt developers have released version 5 of their product, introducing a new killer feature (among others): System Volume Encryption with pre-boot authentification (only Windows 2000/XP/Vista). This means, that TrueCrypt will encrypt everything on your system drive, including page- and hibernation file, ~~finally making hibernation a safe and easy possibility~~.

I am going to look into this next week, as I need my notebook on Saturday (just in case anything goes wrong).

Update 2007-02-08: As my first commenter below points out, it seems hibernation is disabled by TrueCrypt while having your system partition encrypted. I don’t really understand why at the moment, but I will investigate further. For me this is a primary show-stopper, as this was the long-awaited functionality I was waiting for.

Nitpickers Corner¹: Of course I am aware why encryption and hibernation in general are no-goes together, but I don’t understand why this is an issue when full-system encryption is enabled.

Update 2007-02-08 (again): Ok, in this TrueCrypt forum thread they explain why they cannot support it at the moment: Windows treats the hibernation file differently, it seems to bypass the TrueCrypt driver and therefore would still write keys to disk without encryption. Ok, still get to wait for my dream feature then, but I still refuse to buy PGP 🙂 Thanks to the developers for their great work anyhow!

¹ a tribute to Raymond Chen 🙂

[tags]security, encryption, truecrypt, windows, linux, osx[/tags]

The Storm Worm

I want to point out a very interesting article by Bruce Schneier about the Storm worm. If it were not so illegal, the techniques used by this worm are very, very advanced and very interesting from a development and network/load-balancing point-of-view. Anyone interested in development, network administration, and security should read the article.

The worm has grown to a real epidemic by continuously adapting, changing its code, the code signature, etc. It has infected this huge number of computers because the resulting bot-net is hardly ever used, it keeps in a dormant stealth mode. Most users are not aware they are infected with the worm because it tries to avoid detection by not using to much ressources and therefore hardly attracts attention by system administrators. Bruce Schneier points out that maybe we should be worried about what’s coming in “Phase II”, once the gigantic bot-net is brought into action.

To avoid detection, the worm and the bot-net operators apply several advanced load-balancing and stealth techniques, namely a DNS technique called “fast flux” which very effectively blurs the traces to the real operators.

As I said, it is very interesting read. I recommend you also follow several of the outbound links.

.NET strings are not always immutable!

Strings are immutable. If you want to modify a sequence of characters, use StringBuilder. At least, that’s whats officially said. But in the framework there is at least one method that does modify a string:

TextRenderer.MeasureText() with ModifyString and EndEllipses will modify your string to match the ellipsed text if ellipsing happens. You can look at this VB# example on codeproject using TextRenderer.MeasureText() for trimming text on how it is used.

The string seems to be modified directly in native code by DrawTextEx from user32.dll. Additionally to the scary fact that strings are not immutable, the length of the string is not updated, regardless if the resulting string is shorter!

For instance if you have a string “aaaaaaa” which will be truncated to “aa...“, the Length property will still return 7 for the shortened string. The debugger shows that the string will in fact be “aa…\0a” after the operation. So maybe it might be right that the string is still 7 characters long but most outputting functionality like Console.Out.WriteLine() gets confused sometimes and stops any further output to the debugger or console under certain conditions.

A very quick investigation of the System.Drawing assembly using Lutz Roeder’s fabulous .NET Reflector showed that at least there should be no memory corruption in case “WW” would get ellipsed to “W...“, as DrawTextEx takes the length of the buffer and should result only in “W.“.

Summing up, I find the corruption of an immutable string by an official Microsoft API very troubling.

Vista UAC: Firefox (and other Mozilla apps) automatic updates

If you disable the automatic installer detection of User Account Control (UAC), for instance because it interferes with your every-day operations (like in my “Git and Windows Vista” article), you will notice that the Mozilla updaters don’t work as expected. Automatic updates will fail. This is due to the fact that the updater will not be automatically elevated any longer.

As the easiest workaround, you should perform the following steps:

Once you get notified about the update and you are asked if you want to install it, say “No”.
Close the Mozilla application in question.
Search for the application in your “Start” menu.
Right-click the entry and choose “Run as Administrator…”
Choose “Check for Updates…” in the “Help” menu
Confirm you want to install the update and walk through the update process.

The installation will now work. For security reasons you should close the application once installation is finished, because it will still be running with elevated privileges. Now start the application again normally.

The same principle works for any application that is not Vista-aware and fails on automatic update. For security reasons make sure you keep the time you run with elevated privileges as short as possible.

phpMyAdmin with mod_fcgid

I am currently migrating my server configuration away from mod_php towards mod_fcgid (the successor of mod_fastcgi), as this allows me to use different users for executing scripts in different directories. I use this to have every hosted virtual domain using its own system user. This should (in theory) prevent one buggy application to take over all other hosted domains as well.

I though faced one problem: I could not get phpMyAdmin working and this was a requirement of one of my clients. phpMyAdmin kept popping up the authentication dialog over and over again when using HTTP Basic Authentication.

After searching some time, I noticed that, when using PHP in CGI mode, the authentication data is not passed over to the script by default. A FAQ entry of phpMyAdmin brought the solution to this issue: a ReWrite Rule was needed for the directory containing phpMyAdmin:

RewriteEngine On RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

Suddenly phpMyAdmin worked 😉

Apache: Force SSL for a Directory Using .htaccess and mod_rewrite

To force SSL on a given directory using .htaccess, use the following code. It requires mod_rewrite enabled in Apache. Adjust the path in the RewriteRule to match the full qualified URL of the HTTPS-domain.

RewriteEngine On RewriteCond %{SERVER_PORT} !443 RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]