Certificate CA pinning

With many MITM attacks, you get fake certs.  CA pinning would help to fix this: the browser would retain a copy of every cert that it gets in a local DB and, if it gets a different cert next time you visit the same domain or if the signing CA is different, it gives you a warning.  Carry on at your peril.   This kind of attack is mainly the preserve of the state-sponsored threat actor: they have the resources and the clout to persuade a CA operator to sign a bogus cert and/or insert themselves in DNS traffic.

OK, so since writing this article, I have discovered the Certificate Patrol Firefox plugin, which does exactly what I described above.  Just like most great ideas – someone has had it already!  If you use Firefox, go grab the plugin.

USB Firewall

I have not found one of these, but can't believe it doesn't exist: a little USB dongle that plugs into your work desktop and will charge your mobile phone but without making the desktop see your phone as a device.   Basically, connect the volts, but not the data.  Obvious really.  Someone tell me why it won't work?

Bloody Symantec are still Rubbish!

Fancy a laugh? Here is a hilarious transcript of a “support chat” with a Symantec bod showing why their customer support is the worst on the planet.  For God’s sake don’t buy anything important from these people!

Toby Seaman has entered room.

Gnanamurthy has entered room.

Email with reconnect link has been sent to:turbotas@yahoo.com

If you get disconnected, click the link to reconnect to the same chat session.

Gnanamurthy You are being transferred to Gnanamurthy.

Gnanamurthy Hi, my name is Gnanamoorthy from Norton Support, how are you doing today?

Toby Seaman good thanks

Gnanamurthy I understand that you are unable to restore the backup. Am I correct?

Toby Seaman That is correct. So I have purchased Ghost version 15. I have been supplied with a .gho files and it seems that ghost version 15 does not support .gho files any more. so I think I need to download an older version of ghost.

Gnanamurthy Just in case I need to call you back, can I please have your phone number with the country and area code?

Toby Seaman UK +44xxxxxxxxxxxx

Gnanamurthy The .Gho file is from a old version of Norton. Norton Ghost 15 does not support it as it uses .V2i files.

Gnanamurthy May I know which version of Ghost is used to backup .Gho file?

Toby Seaman that’s correct, well done. So I need to restore the .gho file so I would like to downgrade the ghost version to a version which does support .gho files. this was the only reason I purchased ghost.

Gnanamurthy The old version of Norton Ghost cannot be purchased now. But I can give you the link to download the Gho explorer which you can use it to restore the files and folders from the .Gho file.

Toby Seaman no. I don’t need to explore a ghost file I need to restore it. I don’t wish to purchase an old ghost version, I want to downgrade the existing one.

Gnanamurthy I am sorry Toby. There is no option to get the old version of Norton Ghost as they are not supported now.

Toby Seaman so, I need to restore a ghost file .gho. Please escalate this issue.

Gnanamurthy You’re using an older version of Norton Ghost backup. I’m afraid that chat, email and phone support for this product has been discontinued. For assistance with this product we’d recommend that you search our online knowledge base that you’ll find here: www.symantec.com/search.

Toby Seaman I’ve tried that already. No joy. I don’t need product support for an older version. I know exactly what I need to do. I just want to restore a .gho file. Please tell me how to downgrade the license to a version that works.

Gnanamurthy If you have the old version of Norton Ghost that is used to create that .gho file, you can use it to restore the backup. The Ghost 15 license cannot be downgraded to the old version as they are unsupported now.

Toby Seaman I already explained that I don’t have an old version of ghost. My business uses a lot of symantec products. at this point we need to restore a .gho file image of an important device. I do not need to hear that ghost no longer supports .gho files. I need solutions. I’ve purchased the current up to date version of ghost and I want to restore a .gho file. I’m happy to download an unsupported version of ghost to do that. Please tell me urgently how to make this happen.

Toby Seaman Hello?

Gnanamurthy I understand that Toby. I do not have any other options. There are no support documents regarding the old version of Norton Ghost available. I can only help you to restore the files and folders not the entire backup.

Toby Seaman Can you escalate this issue. Presently all you are doing is demonstrating why I should never buy another Symantec product ever.

Gnanamurthy Okay Toby. I will escalate the issue to my supervisor. You will be getting the call back from him within 24 hours.

Gnanamurthy May I have your time zone along with your telephone number and country name?

Toby Seaman Are you sure this will happen? last time this was promised the call back never happened

Gnanamurthy Sure Toby. You will be getting a call back from my supervisor.

Toby Seaman Okay. In the meantime I’m completely screwed, so I will try to find a proper version of ghost which supports .gho files on bittorrent. I guess you are happy with this since you no longer sell or supply a working version of ghost?

Gnanamurthy Okay Toby. May I have your time zone along with your telephone number and country name?

Toby Seaman Ok. thanks for your permission to download an illegal copy of Symantec ghost.

Toby Seaman My phone number is 0xxxxxxxxxxxx

Toby Seaman My country is England

Toby Seaman My Timezone is GMT

Gnanamurthy Norton does not recommend to download a pirated version from internet.

Toby Seaman It’s not pirated: you just said you don’t sell it anymore and you have utterly and completely failed to assist me in my time of need. It’s not my fault that your version 15 no longer supports .gho files. So I will find a ripped off version that works, I’ll restore my image and wait for a phone call sometime in the future from your supervisor.

Gnanamurthy Is there anything else I can help you with?

Toby Seaman I’m going to put this transcript on my Blog as it shows another hilarious support failing at Symantec. Please note that you have not helped me at all so far.

Gnanamurthy I can help you if you have any issues with the Norton Ghost that you have purchased. But .Gho files are created by old version of Ghost which are unsupported and there are no support documents available. So I do not have any other options.

Toby Seaman You could try to help me find out where to get my license downgraded urgently.

Gnanamurthy There is no option to downgrade the Norton Ghost license. If there are any options available, I would be happy to provide it to you.

Toby Seaman That is crazy.

Toby Seaman here is my blog post with your company’s poor customer service recorded for all to see:

Toby Seaman https://www.turbotas.co.uk/recent-news/78-chuckles/266-bloody-symantec-are-still-rubbish.html

Gnanamurthy Is there anything else I can help you with?

Toby Seaman No, I’m busy searching the internet for an old copy of Ghost which supports .gho files. You have been no help whatsoever.

Gnanamurthy Thank you for contacting Norton support. Have a great day!

PS3 Root Key Broken

News just in is that the Root Keys used to sign content for the PS3 have been broken by ~geohot.


This is big news as it seems that this key is built into the hardware and can’t be changed.

More info on this issue at Kotaku.

How many 27001 standards?

Please wait for a site operator to respond. You are number 1 in the queue. Your wait time will be approximately 0 minute(s) and 30 second(s).
You are now chatting with ‘Tim’
Your Issue ID for this chat is LTK16502038781X
Tim: Welcome to our Live Chat service.  How can I help you?  Are you or your company an ANSI Member?
you: Hi there Tim. I’m looking to buy PDF versions of ISO27001 and ISO27002 but am a bit confused.
you: there seems to be quite a few versions of both starting at $30 and rising to a few hundred on your ANSI website

you: so for example there is BS ISO/IEC 27001:2005/BS 7799-2:2005 for $144

you: and INCITS/ISO/IEC 27001-2005 for $30
you: and Information Security Package 27001 for $50
you: so I’m somewhat confused.
Tim: There are many adoptions of these standards by other standard developing organizations.  The original standards have the following designations:  ISO/IEC 27001:2005 for $129 and the ISO/IEC 27002:2005 for $206.  Or, you could purchase the two original documents together in the “ISO/IEC 27001 and 27002 IT Security Techniques Package” at a discounted price of $295. 
you: um, so what is the $30 version?
Tim: The $30 version is the INCITS adoption of the ISO/IEC 27001 and ISO/IEC 27002 standards. 
you: and will be completely different?
you: or the words are the same and the header is different
Tim: We can’t say that there haven’t been changes made to the original document.  You will need to contact INCITS for clarification.  
you: but how can it be ISO27001 if they have changed anything?
Tim: That is an agreement between ISO and INCITS.  ANSI does not review the adoptions for changes.  If you’re unsure of the adopted standards, we recommend purchasing the originals by ISO.  
you: but on the INCITS Website it says that the INCITS version is ANSI approved. That’s you?
Tim: It has been ANSI approved as an adoption of the ISO/IEC 27001 and ISO/IEC 27002.  
you: so that must mean that its an acceptable document
you: i.e. ANSI considered it to be not different to the ISO version?
you: I’m just trying to work out if I’m paying $99 more for the same thing.
Tim: You will need to contact INCITS to determine if any changes have been made.  ANSI does not review the body of the standard when it is adopted.   
you: that does not make any sense. you are saying that ANSI adopts a version of a document that might be completely different to the thing it purports to be?
Tim: ANSI does not adopt standards.  INCITS adopted the ISO/IEC original document.  ANSI approved the adoption but did not review if any changes were made to the document.  ANSI is not the copyright holder of the document.  You will need to contact INCITS if you want to find out if changes were made to the document by INCITS.  
you: okay. It sounds really odd to me that from you I can buy about 5 different versions of 27001 and you don’t know what’s in any of them except the ISO version.
you: I will indeed contact INCITS
Tim: Thank you.  I’m sure INCITS will be able to answer your questions regarding their adoption of the ISO/IEC 27001 and ISO/IEC 27002.  
you: thanks Tim. This has been my weirdest conversation for many weeks!

Rock Band 3 #FAIL

Rock Band 3: A great game idea let down by not being properly finished and by awful support.  I bought this game because the blurb said that all the previous Rock Band titles supported song export. Not only is this not correct but the export features of Rock Band 2 and Lego Rock Band are broken and you cannot get these songs into Rock Band 3.  Rock Band Beatles will not export at all. Couple this with the incomplete on-line experience – game linking is advertised but broken – and you have yourself a classic game to avoid for now. 

As if game problems were not bad enough:  the hardware is now made by Madcatz.  Those are the same people that brought you Drum Kit Dampers that made drums louder and plastic drum sticks which break when you play the drums.  Yuck!  Do yourself a favour, ignore this game until the problems are fixed.  Play some Guitar Hero!  If you don’t have any of the RB series and simply have to buy one, buy RB the original first, it’s really cheap now and all the bugs are ironed out.


US Copyright Office: Finally Something Smart

The US Copyright office just published their 3 yearly update to the US copyright law and they have finally seen some sense and provided some exclusions for the DMCA.  This is really big news as finally there is some consumer protection provided.

As citizens in the UK, we can only hope for similar sanity at some point. Read on for the details of the exclusions.

The six “classes” now exempt from prosecution under the DMCA are:

1. Defeating a lawfully obtained DVD’s encryption for the sole purpose of short, fair use in an educational setting or for criticism

2. Computer programs that allow you to run lawfully obtained software on your phone that you otherwise would not be able to run aka Jailbreaking to use Google Voice on your iPhone

3. Computer programs that allow you to use your phone on a different network aka Jailbreaking to use your iPhone on T-Mobile

4. Circumventing video game encryption (DRM) for the purposes of legitimate security testing or investigation

5. Cracking computer programs protected by dongles when the dongles become obsolete or are no longer being manufactured

6. Having an ebook be read aloud (ie for the blind) even if that book has controls built into it to prevent that sort of thing.

Expect to see editorial content popping up all over the net discussing this.

See here for the Library of Congress link.


HOORAY! SCO Are Finally Sunk!

After 7 years of FUD, FUD, FUD, SCO lost the most important case today: They do NOT own the copyrights to Unix.  This means that all the other lawsuits will collapse almost instantly.  Poof.  Luckily SCO will go down the tubes too and that will be that.  Excellent.  Finally.  Phew. http://www.novell.com/prblogs/?p=2153

When Danger is an apt name!

Microsoft\Danger and T-Mobile don’t seem to have quite got the cloud concept yet.  Yes it’s true that cloud users don’t have to worry about their data – it’s all safely tucked away somewhere and your cloud provider sorts it all out.

Alas it seems that Microsoft\Danger got a bit confused during Cloud Computing 101 and went away thinking that no-one had to worry about the data.  So they didn’t.

They have come clean on the T-Mobile website and told SideKick users not to turn off the devices as the data now lives nowhere else.  In a cruel extra twist, the SideKick devices are useless now as just about everything they do requires the cloud – they retain nothing at all during reboot for example.

The T-Mobile article is here. In the meantime you would be right if you were really nervous about trusting these guys with your data!

It seems that the only person to show incredible foresight was the person that came up with Danger as the name of the company.

Microsoft have had a couple of years now since they acquired Danger to make the services offered resilient.  Seems that they failed.  Epic Fail.

Oh and BTW, Azure, Microsoft’s flagship cloud OS, launches in a month or so.  What-Could-Possibly-Go-Wrong.

Certificate Fingerprints

There have been some very nasty certificate-based vulnerabilities announced recently and these amount to an attacker being able to act as a MITM (Man In The Middle) on pretty much any SSL conversation.  All the attacker has to do is insert themselves somewhere in your traffic chain between you and your target web site.

As these vulnerabilities turn into real exploits, you should be really really really (got the picture?) careful what sites you log into and give your personal info to.

The nature of these attacks will mean that your browser is completely fooled into thinking it is talking to the real PayPal.com or Ebay.com. When spoofed, you will most likely experience normal logon and purchasing, but your details are phished for future use.  Even certificate verification checks such as CRL, OCSP Validation and path validation will work as you would expect.  Nasty.

I suggest therefore that for the next few weeks, while we see how bad this really is, you check independently the certs of all sites that you need to log in to.

I have printed out the SSL certs for the sites that I use often so I can check them for myself, but you may want to use this article which has the cert hashes for 4 common sites, PayPal.com, Amazon.com, eBay.com and of course, TurboTas.co.uk.

It would be very hard for an attacker to make the fake cert match these hashes, so that’s what you need to check. Bear in mind though this web page could be MITM attacked too, so unless you know your connection to turbotas.co.uk is unspoofable, don’t trust this source either as the pictures could be replaced.

The best bet all around is for you to print out every cert you encounter for the next few weeks and every time you revisit a website, check the cert against your hard copy.  Read on for the certs.
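
The check described here and in the "Certificate CA pinning" post above (remember each site's cert in a local DB, warn when the cert or its signing CA changes) can be sketched as follows. This is an added example, not code from the original posts or from Certificate Patrol; the table layout, function names, host names and issuer strings are assumptions, and the byte strings are constructed stand-ins for DER certificates.

```python
import hashlib
import sqlite3

def open_store(path=":memory:"):
    """Local pin DB: one row per host holding the last accepted cert."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS pins (host TEXT PRIMARY KEY, "
               "sha256 TEXT NOT NULL, issuer TEXT NOT NULL)")
    return db

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _norm(host: str) -> str:
    # Host names are case-insensitive and may carry a trailing dot.
    return host.lower().rstrip(".")

def check(db, host: str, der: bytes, issuer: str) -> str:
    """Compare a presented cert with the stored pin.

    Returns 'first-seen', 'match', 'cert-changed' (same CA, e.g. a renewal)
    or 'ca-changed' (different signing CA). A pin is written only on first
    sight; a changed cert is never stored until accept() is called.
    """
    fp = fingerprint(der)
    row = db.execute("SELECT sha256, issuer FROM pins WHERE host = ?",
                     (_norm(host),)).fetchone()
    if row is None:
        db.execute("INSERT INTO pins VALUES (?, ?, ?)", (_norm(host), fp, issuer))
        db.commit()
        return "first-seen"
    if row[0] == fp:
        return "match"
    return "cert-changed" if row[1] == issuer else "ca-changed"

def accept(db, host: str, der: bytes, issuer: str) -> None:
    """The user reviewed the warning and chose to trust the new cert."""
    db.execute("REPLACE INTO pins VALUES (?, ?, ?)",
               (_norm(host), fingerprint(der), issuer))
    db.commit()

def demo():
    db = open_store()
    old, renewed, other = b"cert-A", b"cert-A-renewed", b"cert-B"  # constructed
    return [check(db, "shop.example", old, "CN=Example CA 1"),
            check(db, "shop.example", old, "CN=Example CA 1"),
            check(db, "SHOP.example.", renewed, "CN=Example CA 1"),
            check(db, "shop.example", other, "CN=Other CA")]

if __name__ == "__main__":
    print(demo())
```

For a live connection, the DER bytes can be taken from `ssl.SSLSocket.getpeercert(binary_form=True)`. A `first-seen` result is only as trustworthy as the connection it was recorded on, which is the same caveat the post makes about trusting hashes published on a page that could itself be spoofed.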