J Wolfgang Goerlich's thoughts on Information Security
WatchGuard 11.1 and HTTP headers

By wolfgang. 25 November 2009 07:17

WatchGuard 11.1 firmware came out recently and it features a new security option: HTTP header filtering. The firewall admin maintains a list of approved HTTP headers. As web traffic flows through the WatchGuard HTTP proxy, it inspects each request and response and strips any header that is not on the list.

Certain websites may have a problem with this, such as sites that rely on non-standard HTTP headers. If that happens, the firewall admin has two choices. The non-standard headers can be added to the approved list, which keeps the control in place for everything else. Alternatively, the website can be added to a proxy bypass list, in which case traffic to that site skips the proxy rule, and its inspection, altogether.

What risk is this control mitigating? Several HTTP attacks rely on host header manipulation or header injection, where attacker-controlled input ends up in the message as an extra header. A related attack, HTTP response splitting, injects a CRLF into a header value so that the client sees a second, attacker-supplied response where the server sent one. An allowlist blunts both, since an injected header whose name is not approved is dropped before it reaches the browser or the server. It is not a complete answer, though: an injected header that carries an approved name (Set-Cookie, say) passes the list unchanged, so the real fix for injection is still to encode or reject CR and LF in the application.
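To make the control concrete, here is an added example (my own illustration for this post, not WatchGuard code): a small header allowlist filter of the kind the proxy applies, run against a constructed redirect that copies a query parameter into Location unencoded. The allowlist, the host example.test and the sample payloads are all assumptions. It also shows the limit of the control: a split response whose injected headers all carry approved names passes the list, so the filter adds a separate check for leftover bytes that look like a second response.

```python
import re

# Constructed allowlist of response headers a firewall admin might approve.
# Assumption for this example; WatchGuard's own list is not reproduced here.
APPROVED_RESPONSE_HEADERS = {
    "date", "server", "content-type", "content-length", "connection",
    "location", "cache-control", "set-cookie",
}

# RFC 7230 "token": the only characters allowed in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def vulnerable_redirect(lang):
    """A redirect built by string concatenation, the way response splitting
    starts: the 'lang' parameter lands in the Location header unencoded."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: http://example.test/?lang=" + lang + "\r\n"
            "Content-Length: 0\r\n\r\n")


def parse_head(raw):
    """Split a message into (start_line, [(name, value), ...], body). Header
    parsing stops at the first blank line, which is exactly where a smuggled
    second response would begin."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def filter_headers(headers, approved):
    """Return (kept, dropped). A header is dropped when its name is not on the
    approved list, is not a valid token, or its value still carries a bare CR
    or LF that the line split did not consume."""
    kept, dropped = [], []
    for name, value in headers:
        ok = (name.lower() in approved
              and _TOKEN.match(name) is not None
              and "\r" not in value and "\n" not in value)
        (kept if ok else dropped).append((name, value))
    return kept, dropped


def looks_split(headers, body):
    """True when the declared Content-Length leaves bytes over that begin like
    a fresh status line: the signature of a split response."""
    declared = [v for n, v in headers if n.lower() == "content-length"]
    if not declared or not declared[0].isdigit():
        return False
    leftover = body[int(declared[0]):].lstrip("\r\n")
    return leftover.startswith("HTTP/")


def proxy_filter(raw, approved):
    """Rebuild the message with approved headers only.
    Returns (cleaned_message, dropped_header_names, split_suspected)."""
    start, headers, body = parse_head(raw)
    kept, dropped = filter_headers(headers, approved)
    head = "\r\n".join([start] + ["%s: %s" % h for h in kept])
    return head + "\r\n\r\n" + body, [n for n, _ in dropped], looks_split(kept, body)


# Constructed attacker inputs for the 'lang' parameter.
INJECT_UNKNOWN = "en\r\nX-Injected: 1"              # adds a header not on the list
SPLIT_PAYLOAD = ("en\r\nContent-Length: 0\r\n\r\n"   # ends the real response early...
                 "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Content-Length: 12\r\n\r\n<b>owned</b>")  # ...and supplies a second one

if __name__ == "__main__":
    for payload in (INJECT_UNKNOWN, SPLIT_PAYLOAD):
        cleaned, dropped, split = proxy_filter(vulnerable_redirect(payload),
                                               APPROVED_RESPONSE_HEADERS)
        print("dropped=%s split_suspected=%s" % (dropped, split))
```

Run as a script it reports the unknown header dropped for the first payload and nothing dropped but a split suspected for the second, which is the case the allowlist alone cannot catch.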

Is it worth the effort? Time will tell.


Security | Systems Engineering

Penetration testing Microsoft Office Communications Server

By wolfgang. 22 November 2009 09:48

Pentesting your Microsoft Office Communications Server? Need a tool? VIPER Lab updated their OAT (OCS Assessment Tool) to v2.0 this month. OAT automates testing OCS with: online dictionary attack, domain user enumeration, presence stealing, contact list stealing, domain IM flood, Communicator call DoS, and domain call walk. Like SimWitty, OAT is written in C# and available under the BSD license.

"VIPER Lab created OAT because OCS and other Microsoft products are frequently being used as part of a unified communications infrastructure in many enterprises. Our mission is to help IT managers and security practitioners evaluate the security architecture of their deployments and ensure that their mission-critical communications and systems are protected."



Security | Systems Engineering

The pack is not online -- Diskpart errors on some file systems

By wolfgang. 21 November 2009 06:38

VDS returns the following when you select a partition whose file system it does not recognize:


C:\> Diskpart

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> list part
DISKPART> select part (id)

Virtual Disk Service error:
The pack is not online.


The pack is not online error (VDS_E_PACK_OFFLINE, 0x80042444) is returned when Diskpart attempts to read the file system properties of, say, an ext3 or HFS+ partition. Diskpart's file system support covers only FAT and NTFS. If the goal is to delete the non-Microsoft partition, use the clean command. Note that clean removes every partition on the selected disk, not just the foreign one (and clean all additionally zero-fills the whole disk); to remove a single foreign partition and keep the rest, select it and run delete partition override instead.


DISKPART> list disk
DISKPART> select disk (id)
DISKPART> clean



Systems Engineering | Troubleshooting

Audit for SSL/TLS renegotiation

By wolfgang. 16 November 2009 14:43

An SSL/TLS renegotiation attack has been carried out against Twitter. The Register has some details on the Twitter attack, while Educated Guesswork has the technical details on the renegotiation vulnerability itself.


SSL/TLS renegotiation has been abused before to get a web server to downshift its cipher and key length. The new angle is to use renegotiation to splice two sessions together: the attacker connects to the server, sends the first part of an HTTP request, then relays the victim's handshake to the server as a renegotiation of that same connection. The server treats the attacker's plaintext prefix and the victim's request as one stream, so the victim's authenticated request is executed with the attacker's bytes in front of it. The attacker never decrypts the victim's traffic; the damage comes from what the server is made to do with the combined request.


Being an IT operations security guy, my focus is on auditing for and protecting against the weakness. The mitigation is simple: disable renegotiation on the web server. As for auditing, openssl s_client on any Linux box will do; no root is required.


openssl s_client -connect www.yourhosthere.com:443


You will see the certificate chain, server certificate, SSL handshake, and SSL session details. The session is established when the output ends with Verify return code: 0 (ok).


Now suppose OpenSSL reports verify error:num=20:unable to get local issuer certificate. I have seen this error on GoDaddy websites; it means the local trust store lacks the certificate that issued the server's certificate. To resolve, browse to the website with Firefox, open the certificate viewer, select the issuing certificate in the chain and click the Details tab. There, below the details, click the Export button. Save the certificate in X.509 PEM format with a .pem extension (example: godaddy.pem). Then rerun OpenSSL and pass the file as the certificate authority file.


openssl s_client -connect www.yourhosthere.com:443 -CAfile godaddy.pem


Make an HTTP request and then request renegotiation. Type the request line, then R on a line by itself before the blank line that would complete the request, so the server is still waiting on the request when the renegotiation happens. s_client does not send the R to the server; it treats it as the command to renegotiate and prints RENEGOTIATING.


GET / HTTP/1.0
R


Finish with an empty line so the request is sent. The error ssl handshake failure after RENEGOTIATING indicates the web server is refusing renegotiation. If OpenSSL renegotiates successfully, you will see the certificate chain printed a second time, the request completes, and the session ends with read:errno=0. Contact your web server administrator if the server renegotiates.
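The steps above can be scripted. The following is an added example (mine, not the post's own command and not an OpenSSL tool): it drives openssl s_client from Python in the same order as the manual session, request line, R, blank line, then Q to quit, and reads the transcript for the same markers. It assumes an openssl binary on the PATH; the transcripts used to exercise the classifier are constructed. Later OpenSSL releases add a Secure Renegotiation IS supported / IS NOT supported line to the session summary, and the script reports that too, since a server that renegotiates but offers the RFC 5746 fix (which postdates this post) is not the weakness audited here.

```python
import subprocess
import time

# Verdict strings returned by classify().
REFUSED, RENEGOTIATED, LEGACY_DISABLED, NO_ATTEMPT, INCONCLUSIVE = (
    "refused", "renegotiated", "legacy_disabled", "no_attempt", "inconclusive")


def classify(transcript):
    """Read an s_client transcript the way the post reads it by eye.
    refused         : server answered the renegotiation with a handshake failure
    renegotiated    : a second certificate chain was printed after RENEGOTIATING
    legacy_disabled : your own OpenSSL refused because the server does not offer
                      secure renegotiation (RFC 5746, newer than this post)
    no_attempt      : RENEGOTIATING never appeared (connect failed or closed early)
    inconclusive    : renegotiation started but nothing recognisable followed"""
    if "RENEGOTIATING" not in transcript:
        return NO_ATTEMPT
    after = transcript.split("RENEGOTIATING", 1)[1]
    if "unsafe legacy renegotiation disabled" in after:
        return LEGACY_DISABLED
    if "handshake failure" in after:
        return REFUSED
    if "depth=" in after or "Verify return code" in after:
        return RENEGOTIATED
    return INCONCLUSIVE


def secure_renegotiation(transcript):
    """Newer s_client builds print whether the server has the RFC 5746 fix.
    Returns True, False, or None when the line is absent (older OpenSSL)."""
    if "Secure Renegotiation IS NOT supported" in transcript:
        return False
    if "Secure Renegotiation IS supported" in transcript:
        return True
    return None


def audit(host, port=443, cafile=None, openssl="openssl"):
    """Drive s_client as the post does by hand. Each stage is written and
    flushed separately because s_client only treats R or Q as a command when
    it is the first byte of a read from stdin; a single write would bury the
    R inside the request text."""
    cmd = [openssl, "s_client", "-connect", "%s:%d" % (host, port),
           "-servername", host]
    if cafile:
        cmd += ["-CAfile", cafile]          # same workaround as the godaddy.pem step
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    try:
        for stage, pause in (("GET / HTTP/1.0\r\n", 1.0),   # request line, not yet complete
                             ("R\n", 2.0),                  # renegotiate
                             ("\r\n", 2.0),                 # complete the request
                             ("Q\n", 0.0)):                 # quit
            proc.stdin.write(stage)
            proc.stdin.flush()
            time.sleep(pause)
    except BrokenPipeError:
        pass  # the server or s_client closed the connection; the transcript says why
    out, _ = proc.communicate(timeout=20)
    return classify(out), secure_renegotiation(out), out


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: reneg_audit.py www.yourhosthere.com")
    verdict, secure, transcript = audit(sys.argv[1])
    print("%s: %s (secure renegotiation reported: %s)" % (sys.argv[1], verdict, secure))
```

A verdict of renegotiated with secure renegotiation reported as False, or of legacy_disabled, is the condition the post tells you to raise with the web server administrator; refused means the server is already declining renegotiation.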



(Update 2009-12-18: You can use the Matriux distro to perform the above steps.)


Apache | Cryptography | IIS | Security

Building our own cloud

By wolfgang. 6 November 2009 10:29

I have been thinking a lot about IT service architecture. After all, my theme this year is "Security is Design". How can we maximize the benefits of new technologies while minimizing the security risks?

Take cloud computing. The buzz is that cloud computing reduces costs and increases scalability. Cloud hosting in particular does this by putting our servers in a multi-tenant environment and then charging based on utilization. So organizations get pay-as-you-go pricing on infrastructure that is shared across scores of customers (tenants). Add self-service and rapid provisioning, and you get a fast and flexible solution.

That makes the IT operations side of my brain happy. But then my IT security side chirps up.

Multi-tenancy increases security risk, as we no longer have end-to-end visibility and control coverage. Think of the property security of an apartment versus a private home. Multi-tenancy decreases responsiveness, too, as the service provider must balance the needs of its organization against the needs of yours. Think of the customer service you get from your telephone utility versus your in-house telecommunications specialist. Above and beyond that, simply by being a new architecture, cloud computing brings an entirely new set of risks that can only be identified with time.

So how can we balance the benefits and risks of cloud computing? One way is to bring the cloud computing technologies in-house. The basics are readily available: virtualization, rapid provisioning, self-service, resource pooling, charge back. A data center built on the cloud computing model, but leveraging the best of an internal IT team: responsiveness, responsibility, and business domain knowledge.

My team has been using the terms "in-house cloud" or "private cloud" to describe our efforts to achieve this balance. This week, vendors led by EMC launched www.privatecloud.com as a resource for building such beasts. Check out their definition of private cloud. While the blog is VMware and EMC based, I wager it is only a matter of time before Microsoft and Compellent come out with comparable information.

Done right, private clouds or cloud computing built in-house will provide a smooth transition for organizations to get the benefits of this new architecture.


Security | Systems Engineering | Virtualization

Use Diskpart to Create and Format Partitions

By wolfgang. 5 November 2009 02:24

To use the command line to bring a disk online, create a partition, and format it, run the following commands:

 C:\> Diskpart

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> online disk (if the disk is not online)
DISKPART> attributes disk clear readonly
DISKPART> convert mbr (or gpt)
DISKPART> create partition primary
DISKPART> select part 1
DISKPART> active (if this is the boot partition)
DISKPART> format fs=ntfs label=(name) quick
DISKPART> assign letter=(letter)
DISKPART> list volume

The following are common errors displayed if you miss a step:

DiskPart has encountered an error: The media is write protected.
See the System Event Log for more information.

Resolution: run "attributes disk clear readonly" before trying to clean the volume and create the partition.

DISKPART> convert mbr

Virtual Disk Service error:
The specified disk is not convertible. CDROMs and DVDs
are examples of disks that are not convertible.

Resolution: clear all data off the disk before converting by running the clean command. Note that clean wipes the partition table of the selected disk; clean all also zero-fills every sector, which takes much longer but is the right choice when the disk is being retired or reused.

DISKPART> create partition primary
Virtual Disk Service error:
There is not enough usable space for this operation.

Resolution: run "clean" before trying to create the partition.

DISKPART> format fs=ntfs quick
Virtual Disk Service error:
The volume is not online.

Resolution: online the disk, convert it to mbr or gpt, and create the partition before formatting.

The following are common errors displayed if there is a hardware problem:

DiskPart has encountered an error: The device is not ready.
See the System Event Log for more information.

Resolution: If the event log entry states "The driver detected a controller error on \Device", the problem is likely the storage controller on your mainboard. Check your hard drive connections and reload your storage controller driver. If the event log entry states "VDS fails to write boot code on a disk during clean operation. Error code: 80070015@02070008", the hard drive itself has failed.

The write protected error seen above can also have causes outside Diskpart:

DiskPart has encountered an error: The media is write protected.
See the System Event Log for more information.

Resolution: Running "attributes disk clear readonly", as mentioned above, is the first step. Next, the disk may be locked by an active process, in which case a reboot generally clears the error.

If the disk is a USB flash drive, check that it does not have a write protect switch. The Imation Clip and the Kanguru Flash Blu II, for example, both have this feature and will cause the above error if protected. USB devices may also need a low-level format to reset the drive. In these cases, please see the manufacturer for such tools. (Patriot, for example, provides one.)

If the disk is SAN attached storage, check that the LUN is not presented in a read-only state. Windows Server 2008 also has a condition where SAN storage is erroneously reported as read-only. See Microsoft Knowledge Base article 971436 for details and a hotfix.


