vandeneynde.net

OpenVPN and Linksys WRT-54G

September 24th, 2007

This weekend, I put a Linksys WRT54G at my sister’s apartment to enable her (and her boyfriend) to share the internet connection. No big deal of course, but I also thought it would be nice if the router could act as an OpenVPN client so my network and her network would be securely connected through the VPN. This enables her to pop mail from our mail server in a secure manner and it enables me to give some remote support by VNC-ing to her computer.

So how to do this?

  1. Flash the latest DD-WRT ‘VPN’ firmware build (the build that ships the OpenVPN client) onto the WRT54G.
  2. Generate a key pair and certificate for the WRT router on the central server (a Linux box on my home network, which hosts the PKI). The Common Name you give the router here is reused in step 4, and since the private key will live on the router, keep the ability to revoke that certificate on the server in case the router is ever lost.
  3. Add the following to the central server’s OpenVPN conf file, so the server kernel hands packets for the remote LAN to the tunnel: route 192.168.10.0 255.255.255.0
  4. Create a ccd file (in the directory named by client-config-dir) with the same filename as the Common Name you chose for the WRT during certificate setup and put the following in it, which tells OpenVPN that this client is the gateway for that subnet: iroute 192.168.10.0 255.255.255.0
  5. Make sure the WRT syncs its time through NTP. The WRT54G has no battery-backed clock, so after a reboot it starts with a bogus date and the certificates fail their validity-period check!
  6. Paste the CA certificate, the router certificate and the router key in the web interface of DD-WRT and do the basic configuration through the web interface.
  7. Adapt openvpn.conf to my specific setup by enabling the following in the DD-WRT startup script (the cipher and auth lines must match what the server uses, otherwise the TLS handshake succeeds but no data passes through the tunnel):
    sleep 20                   # give the web interface time to write /tmp/openvpn/openvpn.conf and start OpenVPN
    echo "auth SHA1" >> /tmp/openvpn/openvpn.conf
    echo "cipher AES-256-CBC" >> /tmp/openvpn/openvpn.conf
    killall openvpn            # stop the instance that was started with the unpatched config
    openvpn --config /tmp/openvpn/openvpn.conf --route-up /tmp/openvpn/route-up.sh \
    --down /tmp/openvpn/route-down.sh --daemon
  8. Adapt the firewall script to disable NAT and accept traffic for the OpenVPN interface on the WRT. Real firewalling will be done on the central Linux box.
    iptables -t filter -I FORWARD -i tun0 -j ACCEPT
    iptables -t filter -I FORWARD -o tun0 -j ACCEPT
    iptables -t filter -I INPUT -i tun0 -j ACCEPT
    iptables -t filter -I OUTPUT -o tun0 -j ACCEPT
    # ACCEPT in the nat table, inserted ahead of DD-WRT's MASQUERADE rule, exempts tunnel traffic from NAT
    iptables -t nat -I POSTROUTING -o tun0 -j ACCEPT
    # PREROUTING only knows the incoming interface (iptables rejects -o there), so match on -i
    iptables -t nat -I PREROUTING -i tun0 -j ACCEPT
  9. Done! Both networks are now interconnected!
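The three places that have to agree in this setup (the route in the server conf, the iroute in the ccd file named after the router’s certificate CN, and the cipher/auth lines the startup script appends on the DD-WRT side) are easy to get subtly wrong, so here is a small consistency check. This is an added example, not code from the original post or from OpenVPN/DD-WRT; the sample configs, the CN wrt54g-sister and the hostname vpn.example.net are constructed for illustration, and the BF-CBC/SHA1 defaults it assumes are those of the OpenVPN 2.0/2.1 releases of the time.

```python
# Added example, not code from the original post: a consistency check for the
# server side (server.conf + ccd file) and the DD-WRT side (openvpn.conf after
# the startup script has appended auth/cipher) of the site-to-site setup above.
# The sample configs, the CN "wrt54g-sister" and the hostname vpn.example.net
# are constructed for illustration.

# OpenVPN 2.0/2.1 data-channel defaults, used when a side omits the directive.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}


def parse_directives(text):
    """Return [(keyword, [args...])] for an OpenVPN config; lines starting with
    '#' or ';' are comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        kw, *args = line.split()
        out.append((kw, args))
    return out


def check_iroutes(server_conf, ccd_files):
    """Every 'iroute NET MASK' in a ccd file needs a matching 'route NET MASK' in
    the server config: the route makes the server kernel hand packets for the
    remote LAN to OpenVPN, the iroute tells OpenVPN which client owns that LAN.
    ccd_files maps the certificate CN (= ccd filename) to the file's text.
    Returns a list of problem strings; empty means consistent."""
    directives = parse_directives(server_conf)
    routes = {tuple(a[:2]) for kw, a in directives if kw == "route"}
    problems = []
    if not any(kw == "client-config-dir" for kw, _ in directives):
        problems.append("server: client-config-dir missing, ccd files are never read")
    for name, text in ccd_files.items():
        for kw, a in parse_directives(text):
            if kw == "iroute" and tuple(a[:2]) not in routes:
                problems.append(f"ccd/{name}: iroute {' '.join(a[:2])} has no matching server route")
    return problems


def check_crypto_match(server_conf, client_conf):
    """cipher and auth are not negotiated by these OpenVPN releases; a mismatch
    leaves the data channel dead even though the TLS handshake succeeds."""
    def effective(conf):
        chosen = {kw: a[0] for kw, a in parse_directives(conf) if kw in DEFAULTS and a}
        return {**DEFAULTS, **chosen}
    s, c = effective(server_conf), effective(client_conf)
    return [f"{kw}: server '{s[kw]}' vs client '{c[kw]}'" for kw in DEFAULTS if s[kw] != c[kw]]


# Constructed sample configs.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
# LAN behind the WRT54G (step 3)
route 192.168.10.0 255.255.255.0
cipher AES-256-CBC
auth SHA1
"""
CCD_FILES = {"wrt54g-sister": "iroute 192.168.10.0 255.255.255.0\n"}   # step 4
# What DD-WRT's /tmp/openvpn/openvpn.conf looks like once the startup script
# has appended the auth and cipher lines (step 7).
CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.net 1194
auth SHA1
cipher AES-256-CBC
"""
CLIENT_CONF_BEFORE_FIX = CLIENT_CONF.replace("auth SHA1\ncipher AES-256-CBC\n", "")

if __name__ == "__main__":
    problems = check_iroutes(SERVER_CONF, CCD_FILES) + check_crypto_match(SERVER_CONF, CLIENT_CONF)
    print("ok" if not problems else "\n".join(problems))
    # Without the two echo lines the router falls back to BF-CBC:
    print(check_crypto_match(SERVER_CONF, CLIENT_CONF_BEFORE_FIX))
```

Run it after editing any of the three files. With the 2.x defaults only the cipher line of step 7 actually changes behaviour (auth SHA1 is already the default), but stating both explicitly documents what the two ends are expected to run.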

It took me some time to get it up and running Saturday but I think that the little hangover I had from a fine party I attended Friday night in Leuven was to blame for that (damn you Cristal beer :) )

VMware server upgrade time!

September 20th, 2007

Since there were some serious vulnerabilities discovered in VMware products lately, it is time to upgrade to the latest releases of their software if you are running it.

I run a VMware server @home on my Core 2 Duo machine to test some OS/configurations without the need for physical machines. At the beginning of this year I needed to replace the hard drive of this machine and since it is a Core 2 Duo I chose to install a 64 bit Debian on the machine as main OS.

Ever since then, I was having strange problems with the VMware server on that machine. It was able to run a Windows guest (except if the guest was under high load) but unable to run a Linux guest. When I booted a Linux guest OS on the server it simply crashed the host. And I do mean crashed: the system was totally unresponsive and nothing was to be seen on the screen or in the logs pointing to a cause of the error. I blamed it on the ‘experimental’ 64 bit support in VMware server, although it seemed to run fine on some Xeon systems @work. Anyhow, a virtual machine crashing the host machine is not good! It means that there are some very serious issues in the software which could possibly be exploited for malicious purposes.

With the new release out today, I checked the release notes hoping for a clue that my issue was finally resolved. A lot of issues were fixed but my specific issue was not mentioned. A little disappointed, I started the upgrade process from my 1.0.3 to 1.0.4 anyway and it appears that I am lucky today because I am now able to run Windows, Linux and other guests without problems! So the issue must have been resolved by one of the fixes they implemented in 1.0.4!

Passed the CISSP exam!

September 17th, 2007

Only yesterday, I wrote that my exam results could swing either way, but it turns out they swung the good way! :D

update: the paperwork is processed, it is official now : https://www.isc2.org/cgi-bin/cert_verification.cgi

Restarting the blogging effort

September 16th, 2007

Ok, I have not been that good at updating my blog here this last month. The main reason for that was that most of my free time at weekends and in the last few weeks went to studying for the CISSP exam.

But since I took the exam last week in Amsterdam, I should have some more time now to write here more regularly again. If you are curious whether I passed the exam… so am I :-) . It will take 4-6 weeks until I know if I passed or not. If you want to know my gut feeling: it can swing either way. I won’t be surprised if I passed, but I won’t be surprised either if I have to go for a second try later this year.

Besides studying, going out, barbecuing and regular work stuff, I went to a Sourcefire product training in the UK in August. After my previous rant about product trainings, you might understand that I was very skeptical about the training. However, this one was different. It was actually a good training, to my surprise!

On a more materialistic note, I also ordered a new company car (VW passat ComfortLine 2.0 TDi) to replace my current Peugeot 407 2.0 HDi and I got myself a new mobile. If all goes well the new car should arrive early November.

Back From Vacation

July 31st, 2007

Almost two weeks back now from a relaxing vacation in Provence, France.

A relaxing vacation means enjoying the peace and quiet of Southern France, enjoying the good food, excellent wine and good weather, seeing some nice sights and catching up on some reading.
Most of my vacation reading went to the 1000 page CISSP exam guide as I needed to start preparing for my exam (planned for the 8th of September). However, I also packed some fiction and some popular science magazines. I like the popular science magazines on vacation because they are light reading and they offer some interesting facts about various topics. The downside of these magazines is that they tend to oversimplify the science behind the facts and sometimes make obvious mistakes.

Nevertheless, I read an interesting article in Quest about psychological views on the human attention span. I had some misconceptions about this (thanks to popular belief). Some of the things I learned:

  • Men and women are equally good or bad at multi-tasking. Researchers have shown that there is no sex difference in the human ability (or inability) to multi-task.
  • We can do two things at the same time, but only one of those things can be a difficult task which requires our conscious brain. This means that we can for example drive a car and have a conversation with the person sitting next to us. This is because, for experienced drivers, driving a car is an automated task which does not require our full attention. For student drivers this is a different case, as driving is not yet automatic and does require their full attention.
  • Although we can drive a car and have a conversation, there is a difference between having a conversation with someone next to us and having one with someone on the phone (handsfree or not). This is because the person next to us shuts up when the traffic situation gets dangerous or warns us if we don’t drive carefully. The person next to us does that because he knows that the driver’s attention is required on the road in those cases. The person on the phone does not have the traffic context and thus cannot warn us of danger. He keeps talking no matter what situation the driver is in, or how the driver is driving. This makes having a phone conversation in the car more dangerous than you might think.
  • We are not good at multi-tasking between tasks which actually require our full attention span. If we multi-task between, for example, reading e-mail, typing an sms, writing a report and reading other information, we can only do one thing at a time. This means we need to context switch constantly to finish all tasks simultaneously. Researchers have shown that when doing this, our IQ drops 10 whole points and the quality of our work drops as well. Therefore, it is better to finish a task or sub-task, giving it your whole attention span, before moving to the next one.

Another article focused on the psychological virtues of doing nothing. It seems that when our brain is un-stressed and is not focused on anything, the creative processes start and great ideas are born. So I plan to be very creative! :)

Website outage

June 26th, 2007

The colocated server where this site is hosted went down this morning. My monitoring system detected this, but since I only read the alert an hour ago, the outage was longer than expected. After I raised a trouble ticket, the tech support dude replaced the power supply within 15 minutes (!) and the server was back up and running.

Actually, since we have more than one colocated server, the outside world shouldn’t have noticed a thing. But since I didn’t (yet) set up the web service to be highly available over all servers, this website had an outage of about 4 hours :)

When my bank started with online banking a few years ago, the authentication they used was a client certificate protected by a password. From time to time one had to renew the certificate and change the password. Of course, this type of authentication is vulnerable to various phishing attacks.

Last year, they rolled out a digipass system to authenticate their users in a more secure way. This particular digipass works with a challenge-response code. A challenge is displayed on the website; the response code, which authenticates the user, is generated by the digipass. The digipass can generate the correct response only after you insert your bank smart card in the device and enter your PIN code on the digipass. This makes the authentication strong and two-factor: something you have (your bank card and digipass) and something you know (your PIN code). Furthermore the challenge/response changes every time, so it cannot be replayed.

However, this system is still vulnerable to phishing proxy attacks. In these attacks, the phisher lures the victim to his website, which merely acts as a man-in-the-middle reverse proxy to the real banking website. The strong authentication is passed through to the bank unchanged, but the attacker sits in the middle of the session and can modify the transactions.
Of course you might think that SSL would prevent this type of phishing, and in a way it does. However, we are now seeing a growing number of so-called bank trojans. These trojans manipulate the data before it enters the SSL-secured channel: they wait until the authentication is complete and, when a transaction is made, add their own malicious transactions, which reach the bank as if they came from the user.
What both of these attacks exploit is the same gap: the integrity of the transaction itself. SSL secures the channel and strong authentication secures the login, but nothing ties the authenticated user to the exact content of the transfer being submitted.

Last month, my bank upgraded the security of the online banking application to mitigate this vulnerability. As you can see in the screenshot below, the response code that authorizes a transaction is now the result of a cryptographic function over a challenge which includes the total amount of money in the transactions.
[Screenshot: OnlineBankingIntegrity]
This is explained to the user by highlighting the total value of the transactions in red, so the user can make the connection and check whether it is the amount they expect.
For the bank trojans this is bad news: a smuggled-in transaction changes the total, so the red value differs from the one the user expects and the user will notice, and a response computed over the expected total does not validate against the tampered one.

I can only applaud my bank for following up on the latest threats in phishing and online bank fraud.
The greatest threat to the current system I currently see is end-user awareness. If the user does not understand or see the importance of the ‘red’ numbers, the banking trojans still win.
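To make the difference between the old challenge-only scheme and the new amount-bound one concrete, here is a toy model of both with a simulated bank trojan. This is an added example, not the bank’s code or the digipass vendor’s algorithm: the key derivation, the 8-digit response format and the "challenge|total" message layout are assumptions, and the card key, PIN and transfers are constructed.

```python
# Added example, not the bank's code: a toy model of the amount-bound
# challenge/response described above, next to the older challenge-only variant.
# The key derivation, the 8-digit response format and the "challenge|total"
# message layout are assumptions; the card key, PIN and transfers are constructed.
import hashlib
import hmac
import secrets
from decimal import Decimal

RESPONSE_DIGITS = 8  # a digipass shows a short decimal code the user types back


def _derive_key(card_key, pin):
    # Assumed: the reader combines the card's secret (something you have) with the
    # PIN (something you know); a real smart card does this inside the chip.
    return hashlib.sha256(card_key + pin.encode()).digest()


def _fmt(total):
    return f"{Decimal(total):.2f}"


def _response(key, challenge, total):
    """MAC over challenge and (possibly empty) total, truncated to a typeable code."""
    mac = hmac.new(key, f"{challenge}|{total}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class Digipass:
    def __init__(self, card_key, pin):
        self._key = _derive_key(card_key, pin)

    def respond(self, challenge, total=None):
        """total=None models the old scheme, where the response covers only the challenge."""
        return _response(self._key, challenge, _fmt(total) if total is not None else "")


class Bank:
    def __init__(self, card_key, pin):
        self._key = _derive_key(card_key, pin)

    def new_challenge(self):
        return "".join(secrets.choice("0123456789") for _ in range(8))

    def authorize(self, challenge, transactions, response, bind_amount=True):
        """Recompute the response over the total the bank actually received, so a
        transfer injected after the user signed changes the expected code."""
        total = _fmt(sum(Decimal(t["amount"]) for t in transactions))
        expected = _response(self._key, challenge, total if bind_amount else "")
        return hmac.compare_digest(expected, response)


def run_scenarios():
    """Honest session, bank-trojan injection under both schemes, and a replay."""
    card_key, pin = secrets.token_bytes(16), "1234"        # constructed
    user, bank = Digipass(card_key, pin), Bank(card_key, pin)
    intended = [{"to": "example-beneficiary", "amount": "125.50"}]
    challenge = bank.new_challenge()
    # The site shows the total in red; the user keys that total into the reader.
    resp = user.respond(challenge, "125.50")
    # A bank trojan appends a transfer after the user has approved the page.
    tampered = intended + [{"to": "attacker", "amount": "900.00"}]
    # Old scheme: the response proves the login, not the content of the transfer.
    resp_old = user.respond(challenge)
    other = "00000000" if challenge != "00000000" else "00000001"
    return {
        "honest": bank.authorize(challenge, intended, resp),
        "trojan_amount_bound": bank.authorize(challenge, tampered, resp),
        "trojan_challenge_only": bank.authorize(challenge, tampered, resp_old, bind_amount=False),
        "replay_other_challenge": bank.authorize(other, intended, resp),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The model also shows where the remaining risk sits: the red total on the page is the only input the trojan can still try to influence. If it displays the tampered total and the user keys it in without checking, the response is valid for the attacker’s amount, which is exactly the awareness problem above.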

I read an article today about major US ISPs which are signing up for GoodMail.

Goodmail offers CertifiedEmail which according to their website does the following:

The Certified Email™ Solution
What is CertifiedEmail?
CertifiedEmail is a premium delivery option for qualifying senders that positively affects email marketing metrics. Once you have been accepted into the program, your marketing and transactional messages become trusted-class email at participating ISPs. Since they know that your email is authentic and comes from a verified sender, these ISPs convey special privileges.

100% Assured Delivery
Spam filters inadvertently send up to 20% of your permission email into junk folders. In contrast, CertifiedEmail is routed automatically to the inbox, past content and volume filters. You get 100% of your email delivered.

Links and Images Rendered by Default
Nearly all ISPs today disable links and images on default as a protection against phishing. CertifiedEmail messages are presented with all images intact and links working. Users can’t respond if they don’t see your email. With CertifiedEmail, they’ll see it.

Special Blue Ribbon Envelope Icon
ISPs specially mark all CertifiedEmail messages with a blue ribbon envelope icon, which tells consumers that your message can be trusted and is safe to respond to. The email you send as CertifiedEmail is visually differentiated from other volume messages. CertifiedEmail is marked with a blue ribbon envelope in your inbox. When you open a CertifiedEmail, you’ll see the blue ribbon envelope icon again – just outside the body of the email message.

It is troubling that large ISPs like Verizon, AT&T, AOL and Yahoo are falling for this marketing nonsense. Much the same arguments are valid against this technology as I mentioned in a previous post about DomainKeys.

Even worse in this technology are the 100% delivery guarantee and the guarantee that images are displayed in the e-mail client. Of course these are handy guarantees if you are a legit mass mailer but two major problems pop up in my mind.

A promise of 100% delivery guarantee is something no one can ever make good. The reason for this is that the sender does not control the final destination (my mail client/mail server). If the receiver has a spam system which does not care about GoodMail, then it falls back on the usual spam detection filters. I wonder how GoodMail’s legit mass mailers will react when they see that the 100% they bought isn’t really what they thought it would be. The same goes for the displaying of images. You cannot guarantee that if you don’t control the end point.

The other problem is the scary thought that some of the CertifiedEmail senders might get owned by a spammer and become zombie hosts in the spammer’s botnet. In this scenario, the spammer will be able to send out CertifiedEmail by using the zombies as a relay point. This would be great from the spammer’s point of view because much of the spam filtering gets bypassed.

Still not a good solution for the spam issue, it seems.

After a nice relaxing and sunny weekend with not much IT related activity, this week starts for me with a two day training on ISS SiteProtector. I didn’t receive training yet from ISS in the past so I was curious what the quality of their training would be. It turns out that it is just another boring product training. Time to rant.

I received official product trainings so far, if I remember correctly, for Check Point, BlueCoat, RSA, InfoBlox, Radware and TrendMicro . The only ones who were any good were Check Point and BlueCoat. I would bet that if I follow them now, they wouldn’t be any good either but I was younger, less experienced and easier to please in those days.
The main reason why I am not a fan of product oriented trainings is that every vendor seems to think that a training is no good unless it provides all of the following:

  • A trainer who cannot answer all your (sometimes simple) questions (although I must say that the ISS dude does a pretty good job at answering questions)
  • PowerPoint slides which contain at least 4 full-length (15 words minimum) sentences, making them impossible to focus on, let alone summarize the topic.
  • Lab exercises which challenge exactly two of my brain cells. Anything which expands on the product’s advanced features and could possibly challenge the trainee is feared by the trainer.
  • A certification which you can only take after you took the training.
  • A course handout which runs to 50+ pages per training day and explains everything in a manner my nine-month-old nephew could understand.
  • At least one co-student who has absolutely no clue about the topic at hand. (Seriously: Thinking that an IPv4 address can end in 256 when you are in an IPS course? Time to think about a career change dude.)

I would much rather lock myself in a room with a demo (license or appliance) of the product and the manual, and play with it myself to prepare for the certification that our vendors demand from engineers. Of course, in most cases you cannot take the certification from the vendor unless you take the training…

The best training I attended so far, apart from my college education, was the SANS GCIH. No surprise that SANS is a vendor neutral training which is not product but technology and business oriented.

Just My 2 cents.

I just saw a video of the new Microsoft Surface Computing platform :

The first multi-touch display which will be available to consumers will be the iPhone but I think multi-touch displays will become the next revolution in input technology. Goodbye mouse and keyboard?
