During Defcon a new tool was mentioned that would automate the hacking of GMail accounts. This only applies to those of you using GMail, not the Google Hosted Apps.

The problem is in how GMail encrypts traffic. It only does SSL encryption during the login session. As described here and here, this leaves your actual email unencrypted and leaves a door open for someone to get into your account later.

The simple fix is to go into your account Settings, scroll to the bottom, select “Always Use HTTPS” and click save changes. This will cause your entire session with GMail to be encrypted and mitigate the risk of your account being hijacked. Combine this with Perspectives and you have a pretty solid security setup.


There is a nice article over at Ars Technica about a project some Carnegie Mellon students have been working on called Perspectives.

It is an SSL and SSH security enhancement which helps prevent Man In The Middle attacks by giving you a 3rd party “perspective” of the site you are visiting. I know you are asking, what does that mean and how is that my problem?

As this article over at TechDirt describes, the little padlock has been one of the best things for Internet security. Users, for the most part, recognize and trust it to indicate that the site and the data about the transaction is secure. A MITM attack is where a cracker intercepts your requests to initiate a secure connection and places themselves in the chain. If done correctly, you, your browser, and the 3rd party have no idea that someone is listening in. If this attack succeeds, the cracker now has access to all of the information that is encrypted, which could be credit card numbers and passwords. For you Linux/Unix users out there, SSH is susceptible to this attack as well.

The Perspectives project, as they describe it, “designed Perspectives to supplement [Trust-on-first-use] applications with spatial and temporal redundancy”. It works like this…

You visit a site which has a self-signed certificate. (Nobody wants to spend the ridiculous amount of money required to get a 3rd party signed cert.)

Without Perspectives, Firefox will give you a big warning that most users promptly ignore and select to add the exception.

Perspectives places itself in that step instead. When you receive the public certificate of the site, Perspectives goes out and queries their notary servers. Those servers will then connect to the site and send back what they received. The plugin then compares the two. If they match, then the certificate is accepted as being valid and Fx doesn’t prompt you with the warning.

There are some additional configuration choices that can be turned on to further enhance this by requiring the signature to have been valid for X number of days.  This acts as a further validation in case the attacker is able to intercept all requests to the site.
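The comparison and the "valid for X days" option described above, written out as an added Python sketch; it is not code from the Perspectives project. The `Span` record, the `quorum` and staleness thresholds, and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

DAY = 86400  # seconds per day

@dataclass
class Span:
    """A notary's record: it saw `fp` from `start` to `end` (epoch seconds)."""
    fp: str
    start: int
    end: int

def notary_vouches(history, observed_fp, now, min_days, max_stale_days=1):
    """True if this notary currently sees observed_fp and has seen it
    without interruption for at least min_days."""
    if not history:
        return False
    latest = max(history, key=lambda s: s.end)
    if latest.fp != observed_fp:
        return False                      # notary sees a different key
    if now - latest.end > max_stale_days * DAY:
        return False                      # record too old to be "current"
    return latest.end - latest.start >= min_days * DAY

def accept_certificate(observed_fp, histories, now, min_days=0, quorum=0.75):
    """histories: notary name -> list of Span. Returns True to skip the
    warning, False to fall back to the browser's normal prompt."""
    if not histories:
        return False                      # no notary answered
    votes = sum(notary_vouches(h, observed_fp, now, min_days)
                for h in histories.values())
    return votes / len(histories) >= quorum

# Constructed sample data (not real fingerprints or notary names).
NOW = 1_220_000_000
GOOD, EVIL = "aa:11:22", "ee:66:66"
LONG_LIVED = {n: [Span(GOOD, NOW - 30 * DAY, NOW)] for n in ("n1", "n2", "n3")}
# Attacker sits in front of the server: every notary sees the swapped key,
# but only since yesterday.
SWAPPED = {n: [Span(GOOD, NOW - 30 * DAY, NOW - DAY), Span(EVIL, NOW - DAY, NOW)]
           for n in ("n1", "n2", "n3")}

if __name__ == "__main__":
    print(accept_certificate(GOOD, LONG_LIVED, NOW, min_days=7))   # match
    print(accept_certificate(EVIL, LONG_LIVED, NOW, min_days=7))   # local MITM
    print(accept_certificate(EVIL, SWAPPED, NOW, min_days=0))      # fooled
    print(accept_certificate(EVIL, SWAPPED, NOW, min_days=7))      # caught
```

The last two calls show why the duration setting matters: when every notary sees the same swapped key, only the history requirement rejects it.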

All in all, this is yet another tool in the arsenal to keep our computing safe. I hope that Mozilla, OpenSSL, and OpenSSH take this project to heart and integrate it into their suites, and that some large companies step up and offer their services as a notary.

You can obtain the Firefox extension here and an OpenSSH client here.


Getting the Citrix ICAClient to work in Linux, or Ubuntu specifically, is a fairly simple task. There is one catch that will cause the most hangups.

The hangup comes from the design of the ICAClient and a common issue with Linux distros.

The ICAClient requires that it trust the certificate chain back to your Citrix server, or XenApp server as it is now called. Unfortunately, the client only ships with a handful of Root CA certs. This means you must manually import your own.

If you are running Ubuntu (I am sure there are others that can benefit from this), you can take advantage of the very complete store you likely already have on your install.

First step. Check to see if you have the ca-certificates package installed and if not, install it.
sudo apt-get install ca-certificates
This places all of your root CA certificates in the /usr/share/ca-certificates directory. The ones we are interested in are those for mozilla.

Next step is to link the citrix directory to the mozilla collection of certs.
cd /usr/lib/ICAClient/keystore
sudo mv cacerts cacerts.orig
sudo ln -s /usr/share/ca-certificates/mozilla cacerts

And that is it. Fire up Firefox or your browser of choice and connect to your Citrix apps.


Because I hate making SSL exceptions in Firefox, I decided to change the keys. It was surprisingly simple.

They are located in /etc/vmware/ssl. I replaced mine by using the existing names, renaming the originals to .old or something descriptive like that.

Alternatively, you could edit the hostd/config.xml file and update the values in the <privatekey> and <certificate> attributes and then update /etc/vmware/locations file.  Do a search for “rui”.  There are two places to update as well.

The number following some of the files is the create date in Epoch. Mine currently does not match and I am able to access the WebUI without any SSL errors. I suspect it has to do with the uninstall process. If the times do not match, the uninstall script will not remove it.

I found a Unix Epoch converter.


Useful commands for generating keys, CSRs, and certs:

http://shib.kuleuven.be/docs/ssl_commands.shtml

I will have to come back later to put in some others.
