Security

CentOS/RHEL GnuTLS Dependents

The GnuTLS bug announced last week is a serious one, but do you know the ramifications? Many articles painted Linux with a broad brush, claiming Red Hat, Debian, etc. were deeply impacted. While it is true that the GnuTLS library is included in all distros (including CentOS and other RHEL flavors), it may not be widely used.

GnuTLS is licensed under the LGPL. The alternative OpenSSL library is licensed under a combined BSD (SSLeay) and Apache 1.0 license. Some distros (notably Debian-based ones) don’t appear to like the licensing complexity that OpenSSL brings, so GnuTLS may be preferred there. But many RHEL packages do not seem to be as fearful.

The following command will show all installed packages that depend on GnuTLS. (Not to be confused with “yum deplist”, which lists a package’s own dependencies.)

repoquery --whatrequires --installed --recursive gnutls

For CentOS and others of similar ilk, it is likely that you’ll find that OpenSSL has more dependents than GnuTLS.
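As an added example (not code from the post), here is a small POSIX shell script that runs that repoquery for both libraries and reports how many installed packages depend on each and on both; it assumes yum-utils supplies repoquery and that the package names are gnutls and openssl.

```shell
#!/bin/sh
# Added example, not from the original post: compare the installed
# dependents of GnuTLS and OpenSSL on a CentOS/RHEL host with repoquery.
# Assumes yum-utils (which provides repoquery) is installed.

# Installed packages that require $1, directly or transitively (that is
# what --recursive adds), sorted and de-duplicated for comm(1).
dependents() {
    repoquery --whatrequires --installed --recursive "$1" 2>/dev/null | sort -u
}

# Compare two sorted package lists held in files $1 and $2 and print
# three counts: only in the first, in both, only in the second.
overlap_counts() {
    only1=$(comm -23 "$1" "$2" | wc -l | tr -d ' ')
    both=$(comm -12 "$1" "$2" | wc -l | tr -d ' ')
    only2=$(comm -13 "$1" "$2" | wc -l | tr -d ' ')
    echo "$only1 $both $only2"
}

# Report the comparison for two library package names, e.g. gnutls openssl.
compare_libs() {
    a=$(mktemp) && b=$(mktemp) || return 1
    dependents "$1" > "$a"
    dependents "$2" > "$b"
    set -- "$1" "$2" $(overlap_counts "$a" "$b")
    rm -f "$a" "$b"
    echo "$1: $(( $3 + $4 )) installed dependents ($3 exclusive)"
    echo "$2: $(( $4 + $5 )) installed dependents ($5 exclusive)"
    echo "packages depending on both: $4"
}

# Only run the live comparison where repoquery is actually available.
if command -v repoquery >/dev/null 2>&1; then
    compare_libs gnutls openssl
fi
```

The packages that land in the “both” bucket are the natural first candidates for regression testing after the patch goes on.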

PS: a GnuTLS patch has already been released, so get a jump on it and install it. Much is made of the need for dependent apps to be regression-tested, but don’t wait. If all the patch did was correct the goto logic that left a truck-sized hole, I hardly think the fix could be any worse than the hole.


Kali on ChromeBook

http://www.kali.org/wp-content/uploads/2013/03/k-blog.png

I recently purchased a Samsung ChromeBook. Not for ChromeOS, but because Kali Linux – the network pen-test successor to BackTrack – announced a ChromeBook build. I figured I couldn’t go wrong with $250 for a Linux wireless ultra-portable dedicated to network testing. Turns out perhaps I could go wrong.


sudo Authentication via SSH Agent

On Linux hosts (CentOS 6), I’ve taken great care to use two-factor remote shell authentication and to limit root access with sudo. But while SSH authentication via the Pageant agent works great for PuTTY on Windows, with no /etc/passwd password required, it always struck me as odd that a password was still needed for sudo authentication.

If only there was a way to use the SSH key-pair to authenticate the sudo access and not require the /etc/passwd password prompt at all. There is!
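One common way to do this on CentOS 6 is the pam_ssh_agent_auth PAM module (packaged in EPEL), which lets sudo authenticate against the keys held by your forwarded SSH agent; that is my assumption about the approach, not a statement of what the post goes on to describe. The audit script below is an added example, not from the post, and checks the three pieces that have to line up: the PAM entry, sudoers preserving SSH_AUTH_SOCK, and a reachable agent with a key loaded; the authorized_keys path in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a host for the pieces
# that SSH-agent-based sudo needs when the pam_ssh_agent_auth PAM module is
# used (an assumed, common approach): the PAM entry, sudoers preserving
# SSH_AUTH_SOCK, and an agent socket with at least one identity loaded.

# Does the PAM config in file $1 enable pam_ssh_agent_auth for sudo?
# The line it looks for has this shape (the file= path is an assumption):
#   auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys
pam_enables_agent_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(sufficient|required|requisite)[[:space:]]+pam_ssh_agent_auth\.so' "$1"
}

# Does the sudoers file $1 keep SSH_AUTH_SOCK so sudo can reach the agent?
# The line it looks for:  Defaults env_keep += "SSH_AUTH_SOCK"
sudoers_keeps_agent_sock() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*[+]?=[[:space:]]*"?[^"]*SSH_AUTH_SOCK' "$1"
}

# Is an agent socket exported, and does the agent hold at least one identity?
agent_has_key() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && ssh-add -l >/dev/null 2>&1
}

# Run all checks against the live host; print what is missing, return 1 on any failure.
audit_agent_sudo() {
    rc=0
    pam_enables_agent_auth /etc/pam.d/sudo 2>/dev/null \
        || { echo "PAM: pam_ssh_agent_auth is not enabled in /etc/pam.d/sudo"; rc=1; }
    found=0
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -r "$f" ] && sudoers_keeps_agent_sock "$f" && found=1
    done
    [ "$found" -eq 1 ] \
        || { echo "sudoers: SSH_AUTH_SOCK not in env_keep (or sudoers unreadable; rerun as root)"; rc=1; }
    agent_has_key \
        || { echo "agent: SSH_AUTH_SOCK unset or no identities loaded (check ssh-add -l)"; rc=1; }
    return $rc
}
```

Run audit_agent_sudo as root over SSH with agent forwarding enabled; each failing line names the piece that still needs fixing.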



Dropbox Issues With MiniKeePass

From comments on my earlier MiniKeePass articles [1, 2], it was clear that some users ran into a couple of unanticipated behaviors in the program’s interaction with Dropbox. And while I am certainly no official support channel for either, I thought it would be worthwhile to document and clarify those issues here. It is natural to categorize these behaviors as ‘bugs’, though this is debatable. But just knowing what to expect goes a long way toward forgiving them.



Lock Your KeePass Workspace!

I’ve seen article after article decreeing that “passwords are dead”. Reasons range from the mathematical reality that any string of characters, no matter how random, can be brute-force cracked with enough computing power, to the pragmatic arguments that people are stupid and will pick obvious choices, re-use them frequently, and often write them down in plain sight.

There is no denying the math, but until biometrics and multi-factor authentication become more prevalent, alphanumeric passwords are here to stay no matter how deceased they may actually be. But mathematics aside, it is the human aspect that is the far greater threat to password security.

Luckily, tools such as KeePass – which provide a central database in which to store totally random, complex passwords – can be used to offset the weaknesses of the human element. The database is strongly encrypted (optionally multi-factored), and every resource can have its own unique, randomly generated, complex password. Best of all, the copy & paste process means the user never needs to know what the password is. Simply let KeePass generate something for the account, and blindly paste the copied value when you need to use it.

But if you are a heavy KeePass user, you probably keep the application open at all times. This is the equivalent of putting all your passwords on a Post-it note affixed to your monitor. If you stepped away from the workstation without locking it, someone could read all your password entries or even use Save As to make their own copy of the entire set.

For this reason, unless you live and work alone, I strongly recommend that a workspace-lock be enabled on your KeePass installation. KeePass has a number of workspace-locking options, but none of them are enabled by default. You can lock after a certain amount of KeePass inactivity, workstation inactivity, whenever the app is minimized, when suspend mode kicks in, or when the (Windows) system auto-locks via screensaver.

A locked workspace requires you to reconfirm your pass phrase and/or key file before KeePass can be accessed again. It’s a bit faster than exiting & restarting the app each time – though that is in fact one of the lock options. But some measure of workspace lock is worth the slight inconvenience. Pick one and use it. You’ll be safer for it.



Using MiniKeePass with Dropbox

This post is going to be of interest to only a very specific demographic, but based on my web site stats, it seems necessary. Since writing my “story” – it barely qualifies as a “review” – of MiniKeePass, it has (surprisingly) become the most popular item on my blog. And tracking the Google search referrals, by far the biggest impetus for coming to my site has been in a quest for the answer to “how to use MiniKeePass with Dropbox”.



Secure Password Management with KeePass and MiniKeePass

I always advise users to create hard-to-guess passwords, never re-use them across sites, and change them semi-regularly. The push-back I get is that this can be a daunting task to try and remember a myriad of constantly-changing credentials, no matter how good the mnemonic techniques may be. But one look at the growing list of high-visibility break-ins and security compromises is all you need as incentive. Why make it easy for crackers to jump from one service to another just because you were a victim of limited brain cells devoted to passwords?

Call it “do as I say, not as I do”, the Cobbler’s Children syndrome, or just simple laziness, but despite the best of intentions I was not following my own advice.



Bin Laden News Will Fuel Malware Resurgence

Today’s news that Bin Laden has been killed in a military raid will likely result in an uptick of malware spam in May. Previously, false stories announcing Bin Laden’s death were very effective virus/Trojan delivery vehicles infecting those eager to see details of such an event.

Now that it is true and at the lead of the news cycle, such stories and bogus links will likely see a resurgence. And as a result, it will be that much more difficult to discern the proper from the illegitimate. Everyone should take care when receiving such emails, and to only click through if the source is verified and trusted.


Password Rotation… The Butt End of the Ham?

One of my favorite “fables” from my friend Peter Beddows tells the story of a family that always cut inches off the ends of the ham before cooking. The inquisitive young daughter asked why, but the only answer seemed to be that it was a long-standing technique passed on for generations. They finally asked the great-great-grandmother, who explained that it was – at the time – the only way to fit the roast in her small turn-of-the-century oven.



Facebook Insecurity

As Betty White – who hosted Saturday Night Live last night as a result of a grassroots Facebook campaign – said in her opening monologue, “now that I know what Facebook is, it sure seems like a huge waste of time”. Since I am a participant myself, I won’t hypocritically debate the merits. However, I will continue to call attention to the potential privacy risks that careless Facebook participation can incur. And one of the biggies lies with application security.



  • Copyright © 1996-2010 The Dark Side Geek. All rights reserved.