Friday, August 29, 2008

Juniper SSL VPN and Firefox on Windows whitepage work around

My company does a lot of work with Juniper SSL VPN implementations.

There has been some odd behavior in Firefox on Windows when connecting to a Juniper SSL VPN: immediately after login, users are taken to a blank white page. The URL of that page contains data/home/starter0.cgi?check=yes; the page you should have been redirected to is data/home/starter.cgi?check=yes.

Juniper's suggested workaround is to go back to the sign-in screen and log in again, or to remove the 0 from between starter and .cgi in the URL. Both are manual fixes; wouldn't it be easier to have an automatic one?

Well here it is.

Download the Firefox add-on Redirector - https://addons.mozilla.org/en-US/firefox/addon/5064

After installation you will need to restart Firefox.

Open Redirector by right-clicking on the R in the Firefox status bar.

Click Add…

The Example URL is the full URL you get stuck on, i.e. https://this.ismyexample.com/data/home/starter0.cgi?check=yes

The Include Pattern is https://this.ismyexample.com/data/home/starter0.* (keep your VPN's full hostname in the pattern so the rule can only fire on that host, and note that it does not match starter.cgi, so the redirect cannot loop)

Redirect to is https://this.ismyexample.com/data/home/starter.cgi?check=yes

Set the Pattern Type to Wildcard and click Test pattern

You should get a message indicating that the pattern matches. If not, go back and check your typing.

Click Ok

Click Close

Go back and log in again. You should go right past the page you were getting stuck at previously.
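For anyone who would rather see what the rule actually does than take the add-on's Test pattern button on faith, here is the same rule as a small Python example. This is added here and is not the Redirector add-on's code; it assumes the usual wildcard semantics (every character is literal except *, which matches any run of characters, and the pattern must match the whole URL), and the hostname is the placeholder used in the steps above. It also implements Juniper's manual workaround, dropping the 0, as a function, and a check_rule() that verifies the two properties a redirect rule should have before you save it: it must not match the page it sends you to (or you get a loop), and it must not match the same path on some other host.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Values copied from the post's steps; the hostname is a placeholder.
STUCK_URL = "https://this.ismyexample.com/data/home/starter0.cgi?check=yes"
INCLUDE_PATTERN = "https://this.ismyexample.com/data/home/starter0.*"
REDIRECT_TO = "https://this.ismyexample.com/data/home/starter.cgi?check=yes"


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Turn a Redirector-style wildcard pattern into an anchored regex.

    Everything except '*' is matched literally (so '.' and '?' in a URL are
    not regex metacharacters) and '*' matches any run of characters. The
    regex is anchored at both ends so the pattern has to match the whole URL.
    """
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$")


def redirect_for(url: str, include_pattern: str = INCLUDE_PATTERN,
                 redirect_to: str = REDIRECT_TO) -> Optional[str]:
    """Return the URL the browser should be sent to, or None if the rule
    does not apply to this URL. Mirrors the rule configured in the post."""
    if wildcard_to_regex(include_pattern).match(url):
        return redirect_to
    return None


def drop_zero(url: str) -> str:
    """Juniper's manual workaround: remove the '0' between 'starter' and
    '.cgi' in the path, leaving scheme, host and query string untouched."""
    scheme, netloc, path, query, fragment = urlsplit(url)
    path = re.sub(r"/starter0\.cgi$", "/starter.cgi", path)
    return urlunsplit((scheme, netloc, path, query, fragment))


def check_rule(include_pattern: str = INCLUDE_PATTERN,
               redirect_to: str = REDIRECT_TO,
               stuck_url: str = STUCK_URL) -> Dict[str, bool]:
    """Sanity checks worth running before saving a redirect rule."""
    rx = wildcard_to_regex(include_pattern)
    # Same path on a different host (assumed attacker-controlled name).
    other_host = stuck_url.replace("this.ismyexample.com", "evil.example.net")
    return {
        "matches_stuck_url": rx.match(stuck_url) is not None,
        "no_loop": rx.match(redirect_to) is None,
        "host_bound": rx.match(other_host) is None,
    }


if __name__ == "__main__":
    print("redirect:", redirect_for(STUCK_URL))
    print("manual fix:", drop_zero(STUCK_URL))
    print("rule checks:", check_rule())
```

If you use the pattern starter0.* without the hostname, the host_bound check fails: any site that happens to serve a data/home/starter0.cgi page could then bounce you to your VPN login, which is not something you want a browser extension doing on its own.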

Be safe


James

Wednesday, August 27, 2008

Keep a hand on your iPhone

Adam Dodge pointed me to this article on CSO Online this morning - http://www.csoonline.com/article/446281/IPhones_Can_Be_Unlocked_Without_Password
This afternoon a customer stopped by with an iPhone and was kind enough to let me test the hack out.
I was able to confirm that the simple tap sequence does work, but only if you have your home button set to go to your Favorites. My customer had his set to go to iTunes (go figure - he wanted to listen to the music on his iPhone).
So rather than remove all of your Favorites, set your home button to go to iTunes instead.
Be safe out there
James

Wednesday, July 16, 2008

Pop Culture Security Episode 2

Michael Santarcangelo and I have released the second episode of the Security Catalyst Show: Pop Culture Security.

The show is available here. Show notes are available here.

This time we are taking a different approach: we are covering two topics using several movies.

Michael and I had a great time recording the episode and hope that you enjoy it. We also want you to take what you hear and start applying it.

Be safe out there.

James

Wednesday, July 9, 2008

DNS vulnerability - patch it

I have been watching a lot of the reaction to the DNS vulnerability that was revealed by Dan Kaminsky and multiple vendors yesterday.

There have been a few people who have downplayed the seriousness of the situation. For those of you still in doubt that this is serious, I will point you to the retraction by Thomas Ptacek over at Matasano Chargen. Mr. Ptacek has always been one to stick to his guns when challenged about his postings, and his retraction shows how serious the situation is.

I think Microsoft is underplaying the seriousness of the situation by rating the patch only "Important". That will probably change as soon as there is an exploit in the wild, which is unfortunate: DNS is core to the way we traverse the Internet. You got to this blog via DNS, I posted it using DNS, and e-mail delivery depends on DNS lookups. DNS is core to the way we work.

Some servers have been found not to be susceptible to this vulnerability. The first was djbdns. Dan Kaminsky also announced another DNS server that is safe: PowerDNS, written by Bert Hubert. (Both already randomized the UDP source port of their outgoing queries, which is what the vendor patches add.) OpenDNS has stated in its blog that its implementation is secure against this vulnerability, which makes me feel better since I use it at home.

If you run a DNS server and are not sure whether you are vulnerable, check the CERT advisory for your vendor's status. If your vendor is listed as anything other than "Not Vulnerable", follow the link to the vendor's website.

Be safe out there,
James

Tuesday, July 8, 2008

DNS trouble in the offing

Dan Kaminsky released information today about a rather serious vulnerability in the implementation of DNS on most major platforms.

Microsoft has posted information about it on its site here.

Rich Mogull has an interview with Dan here.

Arthur over at Emergent Chaos has posted here

Why should this concern you? Microsoft rates it as Important rather than Critical, but I think they are undervaluing the seriousness of this vulnerability.

Quick overview of DNS for you. DNS is like the yellow pages of the Internet. Computers work better with numbers and people work better with words. When you want to find CNN.com, your browser asks a DNS server what IP address the site resides at. This is similar to the physical address associated with a business in the yellow pages. Think of the IP address as directions to that particular business. A typical IP address looks like 192.168.140.25. The first set of numbers (referred to as an octet) is essentially the city in which the business resides, the second set is the nearest major street to the business, the third set is the street of the business and the final set is the street address of the business.
What DNS does is allow you to type in the name of the site you want to go to and have all of the "travel information" for your destination given to you.
Now imagine someone sets about printing yellow pages with incorrect information that will bring them profit. So rather than going to the real CNN.com (64.236.91.23), your DNS server has been given spoofed information that sends you to a malicious website at 172.16.91.23. That is the attack in a nutshell: a resolver accepts a forged answer to a question it asked, caches it, and every client that trusts that resolver is sent to the wrong address until the cached record expires.
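To make the "spoofed information" concrete for both this post and the follow-up above on patching, here is a toy simulation, added here and not part of either post or of any vendor's code. It models the one thing a blind (off-path) attacker has to get right to have a forged answer cached: the 16-bit transaction ID, plus the UDP source port once a resolver randomizes it (the fix the vendor patches deliver). The resolver, the address constants and the attack loop are all constructed for the example; the two addresses are the ones used in the post and are not real CNN servers.

```python
import random
from typing import Dict, NamedTuple, Optional

# Addresses reused from the post's illustration; neither is a real CNN server.
REAL_CNN = "64.236.91.23"
ATTACKER_SITE = "172.16.91.23"
NAME = "cnn.com"


class Query(NamedTuple):
    name: str
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the resolver sent the query from


class Response(NamedTuple):
    name: str
    txid: int
    dst_port: int   # must equal the query's source port to be delivered at all
    address: str


class Resolver:
    """Toy caching resolver: it accepts the first response whose name, txid
    and port match the query it has outstanding, and caches that answer."""

    def __init__(self, random_ports: bool, rng: random.Random) -> None:
        self.random_ports = random_ports
        self.rng = rng
        self.cache: Dict[str, str] = {}
        self.pending: Optional[Query] = None

    def send_query(self, name: str) -> Query:
        txid = self.rng.getrandbits(16)
        # Unpatched behaviour: every query leaves from the same port, so the
        # only thing an attacker has to guess is the 16-bit txid.
        port = self.rng.randint(1024, 65535) if self.random_ports else 53
        self.pending = Query(name, txid, port)
        return self.pending

    def receive(self, r: Response) -> bool:
        q = self.pending
        if q is None or (r.name, r.txid, r.dst_port) != (q.name, q.txid, q.src_port):
            return False            # no matching outstanding query: dropped
        self.cache[r.name] = r.address
        self.pending = None         # any later answer, including the real one, is ignored
        return True


def poison_with_known_txid() -> str:
    """If the attacker knows (or has guessed) the txid and port, the forged
    answer is cached and the genuine one that arrives later is discarded."""
    resolver = Resolver(random_ports=False, rng=random.Random(7))
    q = resolver.send_query(NAME)
    resolver.receive(Response(NAME, q.txid, q.src_port, ATTACKER_SITE))
    resolver.receive(Response(NAME, q.txid, q.src_port, REAL_CNN))   # too late
    return resolver.cache[NAME]


def poisoning_attempt(resolver: Resolver, attacker: random.Random,
                      spoofed_replies: int) -> bool:
    """One race: the resolver asks for NAME; the attacker, who cannot see the
    query, floods forged answers with guessed txid (and guessed port when the
    resolver randomizes ports). The real answer arrives after the flood."""
    q = resolver.send_query(NAME)
    for _ in range(spoofed_replies):
        txid = attacker.getrandbits(16)
        port = attacker.randint(1024, 65535) if resolver.random_ports else 53
        if resolver.receive(Response(NAME, txid, port, ATTACKER_SITE)):
            return True
    resolver.receive(Response(NAME, q.txid, q.src_port, REAL_CNN))
    return False


def poisoning_rate(random_ports: bool, rounds: int = 500,
                   spoofed_replies: int = 1000, seed: int = 2008) -> float:
    """Fraction of rounds in which the forged answer ended up in the cache."""
    resolver_rng = random.Random(seed)
    attacker_rng = random.Random(seed + 1)
    wins = 0
    for _ in range(rounds):
        resolver = Resolver(random_ports, resolver_rng)
        if poisoning_attempt(resolver, attacker_rng, spoofed_replies):
            assert resolver.cache[NAME] == ATTACKER_SITE
            wins += 1
    return wins / rounds


if __name__ == "__main__":
    print("fixed port 53  :", poisoning_rate(random_ports=False))
    print("random port    :", poisoning_rate(random_ports=True))
```

With a fixed source port the attacker is guessing from 65,536 possibilities and gets a hit every few hundred races, which is why a resolver that answers thousands of queries is poisoned in minutes; with a random port the space is roughly 2^16 times larger again and the flood gets nowhere. What the simulation leaves out is Kaminsky's real contribution: the race can be repeated without waiting for the cached record's TTL to expire, by asking for throwaway names under the target domain and smuggling the poisoned record in alongside, so "a hit every few hundred races" means seconds, not days.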

If you manage DNS servers, you should patch them as soon as possible. If you don't, you may want to make sure whoever does manage your DNS has patched their systems.

Be safe out there,
James

(Edit) - as of 2:15 PM CDT Microsoft does not appear to have released the patch for this vulnerability.

(Edit 2) appears that the patch is showing up as 2 different Knowledge Base articles: kb951746 and kb951748

Thursday, June 19, 2008

Patching and updating

I recently performed a series of Nessus scans for a client who had acquired a competitor. I can't offer specifics, but there was a bit of a shocking revelation for me. Some companies are still not actively patching their computers. There was a computer with no patches for an old operating system.

Microsoft provides WSUS for free.

Patch your systems.

Patching is a base-level activity - it needs to be done. You don't have to have a high-end software solution for all of your applications. You can even use the Windows Update website to keep yourself up to date (or patched with the last patches released for the OS).

Be safe out there.
James

Interesting series of events

I was driving back from a client site on Tuesday and saw an event that unsettled me. As I came up I-35 into downtown Kansas City, I noticed that there was a car several hundred yards ahead of me pulled over on the side of the road. As I got closer I saw the driver get out and run around to the passenger side and yank the door open. The driver then pulled the passenger out of the car and ran back around to the driver side and drove off, leaving the passenger standing on the side of the highway.

I don't really have an insight as to what was going on other than what I observed. Two adults traveling down the road, one of them was apparently angry enough to leave the other on the side of the highway.
Does the driver feel justified leaving the passenger on the side of the road?
Does the driver believe that whatever happened just prior to pulling over was so bad that endangering the passenger by leaving them on the side of the highway was the right thing to do?

(this next section is not intended to minimize the seriousness of what happened but it was part of the thought process I had afterward)

How often do we make business decisions based upon a reaction to a situation without fully thinking through the ramifications? I will own up to being guilty of this and I am going to work on thinking about the ramifications of my action before acting.

How often do our users not think about the ramifications of what they are doing? "I just wanted to do a little shopping during my lunch hour" "I downloaded some videos while I was on the road, I didn't think it would be a problem to leave them on my laptop."

We need to start working with our users to get them thinking about their actions in terms of their effect on the company. Larry Pesce spoke on this on Episode 111 of PaulDotCom Security Weekly. Michael Santarcangelo has written a book on the subject, and he and I are podcasting a series on using pop culture to relate security topics to other business users.

Be safe out there.
James

Friday, June 13, 2008

What your users don't understand, and help explaining it to them

Do you know what your users are confused about?

Do you know which acronyms you use that they are confused about?

Are you not sure how to explain a topic to your user community?

Michael Santarcangelo and I started a new podcast series in May based on the peer to peer session I facilitated at RSA Conference 2008 entitled "Pop Culture Security Awareness; finding security in the movies, TV, and other media." The premise is to use pop culture references to explain more complex topics in a way that connects you to your users and provides them with greater understanding.

Michael and I want to bring this to a larger audience, and here is how you can help us. We would like to know what questions are coming up for you that you would like a clearer way of explaining. Please send your feedback to popculturesecurity@securitycatalyst.com. Better yet, call our feedback number at 206-350-8346.

Friday, May 30, 2008

Kees and Andy have a couple of great points that I want to reiterate

My friend Kees Leune makes a great point about the disappearing edge.

A couple of years back it would have been fine to throw up a firewall to protect your network. Attacks were mostly inbound in nature and could be dealt with in a straight forward manner.

The siege mentality could be used to defend your network. If I put up enough outward-facing defenses (firewall, anti-spam, virus scanners, etc.), I can protect my castle. What we run into today is that the attacks are drawing us out to them; our trade routes and water supplies have to be monitored and checked. The cross-site scripting vulnerabilities that PayPal revealed it had show this very well. We trust PayPal with our money, but they still have vulnerabilities.

In today's networks, traffic needs to be monitored for anomalies. If you are not running an IRC server, or your employees are not supposed to be accessing IRC, monitor for that traffic. It may be legitimate, but it might not be as well.
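As an added example of the kind of monitoring that paragraph is asking for (this is not code from Kees or Andy, and it is not tied to any particular firewall product), here is a small Python check that runs over firewall log lines and flags outbound connections to the conventional IRC ports from hosts that are not supposed to be talking IRC. The log lines are constructed for the example in a netfilter-like key=value style, the addresses are documentation and private ranges, and the one "sanctioned" IRC client on the allow list is an assumption. Because port-based detection misses IRC on a non-standard port, there is also a port-independent check for the first line of a captured TCP stream.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Ports IRC servers conventionally listen on (6697 is IRC over TLS).
IRC_PORTS: Set[int] = {6667, 6668, 6669, 6697, 7000}

# Client commands that open an IRC session; used by the payload heuristic.
IRC_COMMAND = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PASS) ", re.IGNORECASE)

# Constructed firewall log lines; not from a real network.
SAMPLE_LOG = [
    "Jun 14 10:01:02 fw kernel: OUT SRC=10.0.1.23 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=6667",
    "Jun 14 10:01:05 fw kernel: OUT SRC=10.0.1.40 DST=198.51.100.9 PROTO=TCP SPT=50211 DPT=443",
    "Jun 14 10:01:09 fw kernel: OUT SRC=10.0.1.77 DST=203.0.113.17 PROTO=TCP SPT=51000 DPT=6697",
    "Jun 14 10:02:30 fw kernel: OUT SRC=10.0.1.5 DST=192.0.2.8 PROTO=TCP SPT=52000 DPT=6667",
    "Jun 14 10:02:31 fw kernel: OUT SRC=10.0.1.23 DST=192.0.2.8 PROTO=UDP SPT=53011 DPT=53",
]

# Hosts that are allowed to use IRC (assumed: one sanctioned gateway box).
ALLOWED_IRC_CLIENTS: Set[str] = {"10.0.1.5"}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_fields(line: str) -> Dict[str, str]:
    """Pull the KEY=value pairs out of one log line."""
    return dict(FIELD.findall(line))


def flag_irc_connections(lines: Iterable[str],
                         allowed: Set[str] = ALLOWED_IRC_CLIENTS) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for outbound TCP flows to an IRC port from a
    host that is not on the allow list."""
    hits: List[Tuple[str, str, int]] = []
    for line in lines:
        f = parse_fields(line)
        if f.get("PROTO") != "TCP" or "DPT" not in f or "SRC" not in f:
            continue
        dport = int(f["DPT"])
        if dport in IRC_PORTS and f["SRC"] not in allowed:
            hits.append((f["SRC"], f.get("DST", "?"), dport))
    return hits


def looks_like_irc(payload: str) -> bool:
    """Port-independent check for the first line a client sends on a
    TCP stream: IRC sessions start with NICK/USER/PASS, not with HTTP verbs."""
    return bool(IRC_COMMAND.match(payload.strip()))


if __name__ == "__main__":
    for src, dst, dport in flag_irc_connections(SAMPLE_LOG):
        print("unexpected IRC: %s -> %s:%d" % (src, dst, dport))
```

Neither check is proof of anything on its own: a flagged flow from a developer's box may be a legitimate open-source project channel, and a bot can be told to use port 443. The point is the one the post makes, that traffic you have no business reason for is traffic you should at least be looking at.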

The "bad guys" knew in medieval times that if a direct assault did not work, getting someone to come out and take something from you (i.e. Troy) gives you a greater chance of success. They no longer have to lob dead animals over the walls at us. They set them outside our walls and let us know that they are providing them as food for us. Today's "bad guys" are adapting as well.

This leads me to what Andy Willingham talks about in this blog post.

Just because we've always done it that way does not make it the best way to do it now. On a regular basis, go back and re-evaluate your policies and procedures. Ask questions that have not been asked before. Ask questions that have been asked before; you may be surprised to get a different answer. Don't just accept "let me get back to you about that" as an answer.

The "bad guys" are willing to question the way things are done, hence how they find vulnerabilities. Take a page from their book. Look at your network from a different point of view. Rethink your network.

That's enough for me today.
Be safe

James

Thursday, May 15, 2008

Wow, I'm on a podcast

Michael Santarcangelo invited me to take part in the May 2008 Security Roundtable discussing the RSA Conference. I was honored to be asked and got a chance to participate with some of my fellow attendees:

Dr. Anton Chuvakin | http://chuvakin.blogspot.com/

Jennifer Leggio | http://mediaphyter.wordpress.com/

Martin McKeay | http://www.mckeay.net/

Michael Santarcangelo | http://www.securitycatalyst.com/

We had a great time recording and could have probably gone on for quite a bit longer about the experiences we all had. The podcast is about an hour and we hope you enjoy it. Please provide feedback here, I am interested to know what you thought.

I was using a Snowball microphone from BlueMic and thought the performance was very good.

I also have to apologize again for not posting in over a month.
I had a fairly lengthy post on my experience at the RSA conference and the surrounding events, and failed to post it. Then I started a new job which has taken up quite a bit of my thought cycles.
Hopefully I will get back to a regular posting cycle now.

Go out and be safer

James

Monday, March 31, 2008

Open letter to SC Magazine

Thanks for your (repeated) kind offers to purchase tickets for the SC Magazine Awards banquet in San Francisco next week. I will not be able to attend because the RSA Speakers Dinner is scheduled for the same time. Please discontinue sending me notices to purchase tickets.
Respectfully,
James


side note - This is not intended to be belligerent or knock SC Magazine in any way, I am just weary of receiving the e-mails. I also promised someone that I would post this if I got another SC Magazine Awards banquet request. You can figure out the rest.

Friday, March 28, 2008

OT - power of Free

One of my favorite authors and podiobook performers Scott Sigler is fortunate enough to have one of his works being released in print on Tuesday April 1. Leading up to that he is releasing a free PDF of the book through his publishers website, available here. The novels are very well written and are enjoyable reading. I will warn you, Scott is a sick and demented individual and his novels are much the same way, so if you are easily disturbed or do not enjoy horror this is not the author for you.
The novel is also available in an audiobook format here

Thursday, March 27, 2008

Let's see where the carriers go with this

PC World has an article about a company called TapRoot that has developed a product that will allow users with 3G mobile devices to create a mobile hot spot using their phone. The main emphasis of the article is that it will be really easy to set up the WiFi connection on the phone to connect to the laptop.

I have one real problem with the assertion that it will be easy to set up as compared to other methods of using your phone to connect.

I have a Windows Mobile device and I use it to connect to the Internet on a fairly regular basis. The hardest part about setting it up was finding the ActiveSync install CD for my laptop. All I need to do to get to the Internet is connect the phone with a USB cable, allow it to finish syncing, launch Internet Sharing on my phone and push connect. Within seconds I am on the Internet and working. I'm really not sure how that qualifies as difficult. I can still place calls and use the Internet. I've done similar things with my BlackBerry and I have even used my Windows Mobile device with Linux.

There is a PDF about their product here. It is a centrally managed solution, either at the carrier or the enterprise level. From what I have read, TapRoot is only going to sell to the carriers, who will then resell the service to their clients. This might be a product to watch.

On the other hand I'll probably stick to using my USB cable, I always keep one around.

I did change the original title as it was based on my initial reaction to the article and that changed after doing some further reading about the product.

Be safe

James

Wednesday, March 26, 2008

Sometimes when life gives you lemons...

The past couple of days have been interesting for me.

On Monday afternoon I got a meeting request from the scheduling coordinator at my employer to meet with my supervisor as soon as I got back to the office. I was in the process of troubleshooting a new VPN system at a customer at the time and did not think much of it. As the afternoon progressed it became apparent that the troubleshooting was going to take longer than I had originally thought due to some legacy configurations on the client's network (but that will be another story for another time). So I asked to schedule an appointment on Tuesday to meet with my supervisor.

On Tuesday I continued to work on the client's network and was able to navigate through the legacy configurations to interconnect the new remote sites to the rest of the network, and then moved on to a series of questions that another client had about setting up DNS records and resizing the C: drives on some of their core servers.

Over the past month or so I had noticed that many of my fellow security engineers had been sitting around the office with me, and when I commented on this to my supervisor he was concerned but said there should be quite a bit of work upcoming ("in the pipe" was the term he used). I was hopeful that this would be the case and that most of us would be out working on a regular basis again.

Unfortunately the work has not materialized as they had planned/predicted and cost cutting methods need to be taken. I was one of the cost cutting methods.

It worked out very similarly to what happened to Andy last year (read about it here).

I walked into the meeting with some suspicion of what was going on, as my inquiries as to what the meeting was about were met with silence. After a brief chat about the clients I had worked on earlier in the day, my supervisor told me that he had to make a difficult decision and, due to my salary as it compared to a couple of the other engineers who also had not been billable, I was going to be laid off.

This is not necessarily a bad time for this to have happened. I am going to be facilitating a Peer2Peer session at the RSA Conference in San Francisco. So if you are going to be in attendance and would like to set up a meeting with me, please e-mail me using my contact information under my details.

I was also wise enough to have discussed the possibility with my wife that morning, so we were prepared for this possibly happening.

I am thankful for her support and the support I have received from the other Trusted Catalysts and other members of the Security Catalyst Community.

I'll post my resume on line within the next couple of days. Thoughts, prayers and suggestions would be appreciated, comment below.

Monday, March 24, 2008

Dirty Water

JJ has a post on her blog about the unknown status of the water glasses at hotels.
I drink a lot of water and have a water softener and reverse osmosis system at my home. I tend to notice a lot of the interesting flavors and aromas in water because of that. JJ makes a good point about figuring out where those flavors and smells are coming from, and this also applies to security. Once you recognize that you have a problem, you need to figure out the source of the issue. How did the infected file make it into your network - e-mail (the water itself), a portable device or some other means (the glass or pitcher)? If you know what is causing the issue, you have a better chance of avoiding other problems in the long run.
If your network keeps getting infected but your e-mail is not the source, it is time to start looking at other sources. An infected laptop or thumb drive could be indicative of problems at an employee's home; if you don't work to fix that issue you will end up with the infection returning again.
Be Safe
James

Apple borrowing a trick from Microsoft.

Martin and Andy had interesting experiences with the Apple Updater last week.
I used to run Safari in a VM on my workstation to test out applications at a previous employer. I have not used it very frequently over the past year or so. I was prompted to update it several times over the course of the last year when I was running the VM. I was prompted over the weekend to install it on my main system, which did not (and does not) have Safari installed.
I am a bit disappointed that an application vendor would try to install something on my system without it having been installed before. I wonder how many people installed the software without reading what they were going to install.
This is nothing new. Microsoft has attempted similar things in the past through Windows Update - making XP Service Pack 2 a required update - the Genuine Advantage software - there are other examples.
We can also look to the web, ActiveX controls, javascript, flash can all be automatically installed if the settings in your browser are incorrect (fortunately most of these do not work if you have kept the default settings).
Is this what we can expect in the future from software vendors? I would hope not. I might have had a different reaction to this if Apple had announced that they were planning it.
I have not seen a response or announcement from Apple as yet, and would be interested in knowing what they have to say.
I was originally going to say that I was never going to use Safari again, but I have an iMac in my basement that I use from time to time, so that would not have been an accurate statement on my part. Will I install it on Windows? Probably not. Will I buy another Apple product? We'll see.
John Lilly, the CEO of Mozilla, has a different take. I can't really blame him, but I am more on the annoyed side than angry. But I don't have a horse in that race. (Sorry for the bad pun - I have to get those out of the way from time to time).

Be Safe
James

Thursday, March 20, 2008

Social Networking

I have noticed a large number of my fellow security bloggers and Security Catalyst members participate in a few different social networking sites.  I have been reluctant to get involved with most of them because of what I see as their aims.  This is not a critique of others who have joined, I just wanted to share my thinking.
I am a member of LinkedIn and the Security Catalyst Community because of their focus on career and security.
I have avoided joining FaceBook and MySpace because I am 35 and married and can't really justify joining to myself. And probably not to my wife either. So if you come across someone claiming to be me on either of those sites and you don't see a post here that says that I have joined, don't believe that they are me. I did have a friend get pranked by some coworkers of his that made it appear as though he was involved in activities outside of his marriage; his wife recently was shown the page and did not take to the joke. I think he is still sleeping on the couch and none of his coworkers are welcome at their home at the moment.
I am not on twitter because I think that it would take up a lot more of my time than I can really justify.
I don't want to put myself too far out there.  I am a fairly private person with people I do not know and I don't know more than 1% of the Internet. 
How will I manage to not share more than I need to:
  1. I will not share anything that I am not comfortable telling my mother or my daughter
  2. I will not join sites that do not have some direct connection to my business life
  3. I will not lie or misrepresent myself to others
  4. I will take what others say about me with a grain of salt and will ignore things said by people I do not know.
  5. I will always reread before I post.
  6. I will apologize if I have said something inaccurate or incorrect.  I will not apologize for disagreeing.
Those are some basic guidelines for myself; if I come up with others that I am willing to share I will post them. Take them or leave them, but please think before you post.

Be safe

James

Tuesday, March 11, 2008

Odd experience subscribing to a magazine

This is not necessarily a direct security related post, but it is based in the mindset that I have when I am shopping and a lesson that I learned the easy way.
I recently subscribed online to a magazine I had been reading for a while. I am not going to name the magazine because the issue was with perception and not with anything that they were doing. The magazine subscription is $49 per year in US dollars, the publisher and subscription company are based in Europe and use local currency for the exchange rate.
Nowhere in the process of setting up my subscription did I notice anything that indicated that the transaction would be in anything other than US dollars. Though my first clue should have been that the name of the processing company included the name of the country in which the publisher is based. I may have completely missed a notice related to this, but I have gone back through the process and do not see anything related to it.
What brought the exchange rate to my attention was when I was entering receipts later in the day, I took the print out from the purchase and was shocked to see that the amount was not $49 US but 114 (Local Currency to Publisher). I made a couple of calls to the New York location for the magazine and they explained that it was local currency and not US dollars.
I was a bit concerned that I had been ripped off but after verifying that the exchange rate was correct. I let the matter drop.
Then I started thinking about it. This was a legitimate purchase, how easy would it have been for them to bump up the amount they were taking from the account.
So I started reviewing what I had done to ensure that my transaction was not going to go bad.
  1. Know who you are dealing with - don't buy things from a retailer you know nothing about - do research - Google is your friend.
  2. Do not use your actual credit card number - just about every bank has an online feature to allow you to generate a temporary card for use on line. Use this service.
  3. Read your receipts - this is the one thing I know that I need to do a better job of, pay attention to what the final total you agreed to pay ended up being.
  4. Follow up with your bank - if you have made a purchase at a site that makes you uncomfortable, check your statements, or better yet log on to your credit card's website regularly and look for charges you do not recognize.
  5. Trust your instincts - if you don't think you should be buying it there, don't. If it costs a dollar more to get it from a major retailer, but saves you time and money by not endangering your finances, then the dollar is worth it.
Hopefully some of that will help someone.

Be safe, shop smart

James

Monday, March 10, 2008

Club Penguin

Martin McKeay has a good post about Club Penguin at his site.
I have been reluctant to sign up my daughter for similar clubs and admittedly have not done research to see which are the most secure. I heard of Club Penguin a few months back when they were purchased by Disney and now I think I will take a closer look before deciding.
Thanks Martin for reminding me to look into things like this.
Be safe
James

Monday, March 3, 2008

Strange DNS issue

A customer of mine recently changed ISPs at their main office, and suddenly they were unable to connect to their hosted web site. The rest of the world was able to connect to the website, but their internal users were getting redirected to the internal pages on their domain controllers - specifically the default web page of an IIS installation.

To test the process out I connected to their web site - http://www.domain-name.com and I was presented with the beautiful web site that had been crafted for them.

Then I connected into their network, logged on to a server in their environment and tried the same process of connecting to the web site. This time I was indeed presented with the IIS default page.

The customer thought that they were having problems connecting to the Internet, but I was able to disprove this by being connected remotely to their network and by being able to connect to other sites on the Internet from it.

The problem was limited to the customer's web site and no other sites.
So the first step was to determine where the customer's network was directing the traffic.
ping www.domain-name.com from my physical location answered back with the actual address, 5.16.85.3.

Internally at the customer, ping www.domain-name.com answered back with the address of one of the domain controllers: 127.1.0.21, 127.1.0.19 or 127.1.0.18.

The next tool to use was nslookup.

Here is the output I received at my physical location.
C:\>nslookup
> www.domain-name.com
Server: other.otherdomain.com
Address: 10.1.1.200

Non-authoritative answer:
domain: domainname.com
Address: 5.16.85.3
Aliases: www.domain-name.com

This looks fairly normal other than the last line (the alias), but I will get back to that in a minute.
So do the same at the client site.

c:\>nslookup
> www.domain-name.com
Server: domaindc1.domainname.com
Address: 127.1.0.19

Non-authoritative answer:
domain: domainname.com
Addresses: 127.1.0.21, 127.1.0.19, 127.1.0.18
Aliases: www.domain-name.com

Again the alias shows up. So I paid a visit to my friends at CentralOps:

DNS records (every record below had a TTL of 86400s, i.e. 1.00:00:00)
name                    class  type   data
www.domain-name.com     IN     CNAME  domainname.com
domainname.com          IN     NS     dns030.b.register.com
domainname.com          IN     NS     dns010.d.register.com
domainname.com          IN     A      5.16.85.3
domainname.com          IN     NS     dns036.c.register.com
domainname.com          IN     SOA    server dns109.a.register.com, email root.register.com, serial 200007331, refresh 10800, retry 3600, expire 604800, minimum ttl 86400
domainname.com          IN     NS     dns109.a.register.com
domain-name.com         IN     A      5.16.85.3
domain-name.com         IN     MX     preference 10, exchange mail.domain-name.com
domain-name.com         IN     SOA    server domain-name.com, email hostmaster.primary.net, serial 1203777421, refresh 10800, retry 3600, expire 604800, minimum ttl 86400
domain-name.com         IN     NS     dns2.primary.net
domain-name.com         IN     NS     dns1.primary.net
3.85.16.5.in-addr.arpa  IN     PTR    static-5.16.85.3.primarynetwork.com


The key here is the CNAME. It says that www.domain-name.com is an alias for domainname.com, so whoever is resolving the name has to go and look up domainname.com to get an address. That works fine out on the Internet, but not at the client's office, because their internal Active Directory domain is .... domainname.com, and the DNS servers on the domain controllers are authoritative for it. The A records at the apex of an AD zone are the domain controllers themselves (AD registers them automatically), which is exactly why the internal answer was the three DC addresses.

Here is how this process works on the Internet.
An Internet user requests a connection to http://www.domain-name.com and his/her DNS server asks the root DNS servers. The root servers refer the request to the servers that handle .com, which in turn refer it to the servers that handle domain-name.com. The server for domain-name.com answers that www.domain-name.com is an alias for domainname.com, and the whole process starts again for domainname.com. This works because the local DNS server has to go out and ask for that information: it does not know it already (its cache does not contain it, and it is not authoritative for it).

The same process occurs at the client site until the alias domainname.com is returned. The local server has a zone for domainname.com and considers itself the authoritative responder for that domain (which it legitimately is, for the internal network), so it answers the second lookup from its own zone, with the DC addresses, and never asks the Internet.

The fix.
To fix this on the client's office network I added a small zone named www.domain-name.com to the internal DNS servers, with a single A record at the zone apex (the "same as parent folder" record in the Windows DNS console) pointing at the hosted web server's address, 5.16.85.3. Because the internal server is now authoritative for www.domain-name.com itself, it answers with that A record directly and never follows the CNAME into the internal domainname.com zone.
Client PCs were then able to connect to the hosted web site.
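To see the two behaviours side by side, here is a small Python model of the lookup, added here and not part of the post or of any DNS server's code. The records are the ones from the CentralOps output above, reduced to what matters, and the internal zone is the AD zone as described, with the post's sanitized addresses. The resolver follows the one rule that produced the problem: if a local zone is authoritative for a name, answer from that zone and nothing else; otherwise recurse. with_fix() applies the zone described under "The fix".

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]           # (type, data)
Zone = Dict[str, List[Record]]     # owner name -> records

# What the public servers (register.com for domainname.com, primary.net for
# domain-name.com) return, reduced to the records that matter here.
PUBLIC_ZONES: Dict[str, Zone] = {
    "domain-name.com": {
        "www.domain-name.com": [("CNAME", "domainname.com")],
        "domain-name.com": [("A", "5.16.85.3")],
    },
    "domainname.com": {
        "domainname.com": [("A", "5.16.85.3")],
    },
}

# The customer's Active Directory zone on the domain controllers. The A
# records at the apex are the DCs themselves (AD registers these).
INTERNAL_ZONES: Dict[str, Zone] = {
    "domainname.com": {
        "domainname.com": [("A", "127.1.0.21"), ("A", "127.1.0.19"), ("A", "127.1.0.18")],
    },
}


def authoritative_zone(name: str, zones: Dict[str, Zone]) -> Optional[str]:
    """Longest-suffix match: the zone in `zones` that is authoritative for `name`."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name: str, local_zones: Dict[str, Zone], max_chain: int = 8) -> List[str]:
    """Resolve `name` the way the customer's internal DNS server does.

    If a local zone is authoritative for the name, the answer comes from that
    zone and nowhere else; otherwise the server recurses to the public
    servers. A CNAME restarts the lookup with the alias target, and that
    restart is where the internal zone captures the query."""
    for _ in range(max_chain):
        zname = authoritative_zone(name, local_zones)
        if zname is not None:
            zone = local_zones[zname]
        else:
            pub = authoritative_zone(name, PUBLIC_ZONES)
            if pub is None:
                return []                       # NXDOMAIN
            zone = PUBLIC_ZONES[pub]
        records = zone.get(name, [])
        targets = [data for rtype, data in records if rtype == "CNAME"]
        if targets:
            name = targets[0]                   # chase the alias
            continue
        return [data for rtype, data in records if rtype == "A"]
    raise RuntimeError("CNAME chain too long")


def with_fix(local_zones: Dict[str, Zone]) -> Dict[str, Zone]:
    """The post's fix: a zone named www.domain-name.com on the internal servers
    whose apex A record is the hosted web server. authoritative_zone() now
    matches it before anything else, so the CNAME is never followed internally."""
    fixed = dict(local_zones)
    fixed["www.domain-name.com"] = {"www.domain-name.com": [("A", "5.16.85.3")]}
    return fixed


if __name__ == "__main__":
    print("from the Internet :", resolve("www.domain-name.com", {}))
    print("inside the office :", resolve("www.domain-name.com", INTERNAL_ZONES))
    print("after the fix     :", resolve("www.domain-name.com", with_fix(INTERNAL_ZONES)))
```

The same shape of problem shows up whenever a public name points, via CNAME, into a namespace that something inside the network also claims (split-horizon zones, AD domains named after a real domain, internal DNS suffixes that collide with a registrar's). The model makes the diagnosis mechanical: if resolve() with the internal zones disagrees with resolve() against an empty local set, a local zone is capturing some step of the chain.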

Customer was happy and I had an interesting story.

Be safe.

James