Verifying CA Certificates in Chromium

You might have seen the headlines about the recent successful attack against digital certificates signed using the MD5 hashing algorithm. This weakness affects everything from email to banking and it is important to be conscientious about what sites and certificates you trust. Fortunately there are a few things you can do to protect yourself.

The first thing you want to do is tell your web browser to check for server certificate revocation. This ensures that the issuing CA has not revoked the server certificate. If someone's certificate is forged and that certificate is revoked, you don't want your browser to continue to trust it. To enable this option, open the Options tab, view Under the Hood and scroll down to the Computer-wide SSL settings.

[screenshot: checkCert]

Another thing you might want to do is ensure your trusted website is not depending on the flawed algorithm. You can view the signature algorithm by first clicking on the secure connection icon in the omnibar.

[screenshot: Examine1]

This will display the security information for the website. Click Certificate Information to view details on the server certificate.

[screenshot: Examine2]

You want to examine the Signature algorithm field in the Details tab. As long as your trusted website is not using MD5 (shown as md5RSA) you should be OK.

[screenshot: Examine3]

This means that your bank or email provider is not depending on the flawed algorithm. The only catch is that a phisher could forge this part of a certificate to provide misleading information, so only use this technique to verify that a site you already trust is not depending on MD5.
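The same check can be scripted against a certificate exported from the viewer. This added example (not from the post) walks the outer Certificate SEQUENCE with a small stdlib-only DER reader, pulls the signatureAlgorithm OID and flags md5RSA; the sample certificate it builds is a constructed stand-in, not a real one.

```python
# Added example (not from the post): read the signatureAlgorithm OID out of a
# DER-encoded X.509 certificate with a stdlib-only DER walker and flag md5RSA.
SIG_ALGS = {  # dotted OID: (name, known weak?)
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),     # "md5RSA" in the viewer
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                                # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm, the field the viewer shows."""
    _, cert, _ = read_tlv(cert_der, 0)                  # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)                       # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)                  # AlgorithmIdentifier
    tag, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid_bytes)

def is_weak_signature(cert_der):
    """Return (weak, name); weak is None when the OID is not in the table."""
    oid = signature_algorithm(cert_der)
    name, weak = SIG_ALGS.get(oid, (oid, None))
    return weak, name

# Constructed sample input, not a real certificate: placeholder tbsCertificate,
# genuine AlgorithmIdentifier, dummy signature BIT STRING (short-form lengths).
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")      # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
def der(tag, content):
    return bytes([tag, len(content)]) + content
def sample_cert(oid_content):
    tbs = der(0x30, der(0x02, b"\x01") + der(0x04, b"placeholder-tbs"))
    alg = der(0x30, der(0x06, oid_content) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))
```

For a certificate saved from the viewer in DER form, call is_weak_signature(open("site.cer", "rb").read()); a PEM export needs its base64 body decoded first.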

If you find that a site you trust is using MD5 then my recommendation is not to use that online service, because even if the certificate hasn’t been compromised the security of the site is inadequate and those responsible for the security of the site haven’t taken the precautionary steps to ensure your online safety.


Commandline Switches in Chromium

Most people have probably explored the application shortcut available through the Chromium menu. It creates a shortcut on your desktop or in your quick launch area that passes a command-line switch to Chromium telling it to launch the web address in application mode. What most people don't realize is that Chromium accepts about one hundred different switches from the command line. Most of those switches aren't going to be useful unless you are a developer, but some are pretty cool. For instance, did you know that you can launch your browser directly in incognito mode?

PS C:\chrome-win32> .\chrome.exe --incognito

If you examine the source code, you'll find these switches defined in \chrome\common\chrome_switches.cc.


A security tool gone bad

I had never heard of ThreatFire until this weekend, and to be honest I wish that I could forget the experience. ThreatFire is a security monitoring system that hooks into your system and watches for malicious activity. It installs several filter drivers, including TfKbMon.sys, which is installed as a keyboard filter driver (a legitimate keylogger).

What had happened is this driver either malfunctioned or didn't uninstall properly, which rendered the keyboard useless. Actually, the keyboard was OK; it's just that the filter driver was intercepting calls to the default PS/2 Windows driver (i8042prt.sys).

To correct the problem I ran the ThreatFire removal utility, which uninstalled the driver but left quite a bit in the registry, including the entry that called it as the upper filter driver for the keyboard. Now just the fact that this program has a removal utility aside from the regular uninstall routine should be a crapware warning sign in itself… Norton also has a removal utility… coincidence?

Anyway, after a bit of searching (RegScanner is a great tool for this) I found this key:

HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}

which defines the UpperFilters for your keyboard. A normal configuration will only have kbdclass set for UpperFilters in this key. So I reset that and then imported a good registry entry for the i8042prt service and kbdclass (download).
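A leftover filter like this is easy to spot in a .reg export of the keyboard class key, where regedit writes the REG_MULTI_SZ value as hex(7) UTF-16LE bytes with wrapped lines. This added example (not from the post) parses such an export and reports every UpperFilters entry other than the stock kbdclass; the sample export is constructed, and "TfKbMon" as the service name is an assumption.

```python
# Added example (not from the post): parse a regedit .reg export of the keyboard
# class key and report any UpperFilters entry other than the stock kbdclass.
import re

KEYBOARD_CLASS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class"
                      r"\{4D36E96B-E325-11CE-BFC1-08002BE10318}")
EXPECTED_UPPER_FILTERS = {"kbdclass"}

def decode_hex7(hex_blob):
    """REG_MULTI_SZ as regedit writes it: comma-separated UTF-16LE bytes."""
    raw = bytes(int(b, 16) for b in hex_blob.split(",") if b.strip())
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]        # drop the empty terminators

def reg_values(reg_text, key_path):
    """Return {name: raw_value_text} for one [key] section of a .reg export."""
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)      # undo regedit line wrapping
    section = re.search(r"^\[" + re.escape(key_path) + r"\]\r?\n(.*?)(?=^\[|\Z)",
                        joined, re.M | re.S)
    if not section:
        return {}
    values = {}
    for line in section.group(1).splitlines():
        m = re.match(r'"([^"]+)"=(.*)', line.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values

def unexpected_keyboard_filters(reg_text, key_path=KEYBOARD_CLASS_KEY):
    """UpperFilters entries that are not the stock kbdclass (case-insensitive)."""
    raw = reg_values(reg_text, key_path).get("UpperFilters", "")
    if not raw.startswith("hex(7):"):
        return []                                      # value absent or not multi-string
    filters = decode_hex7(raw[len("hex(7):"):])
    return [f for f in filters if f.lower() not in EXPECTED_UPPER_FILTERS]

# Constructed sample export (assumed service name "TfKbMon" left in front of kbdclass).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
"UpperFilters"=hex(7):54,00,66,00,4b,00,62,00,4d,00,6f,00,6e,00,00,00,6b,00,62,\
  00,64,00,63,00,6c,00,61,00,73,00,73,00,00,00,00,00
"""
```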

Of course, to make things very difficult, all this was done with the on-screen keyboard, one click at a time… and when you type over seventy words a minute that is just aggravating!


RPC Vulnerabilities on a Default Windows XP Box

The vulnerability behind MS08-067 has been generating a lot of noise on the wire lately. This vulnerability could allow remote code execution through RPC and does not require authentication. One thing that many people are not mentioning is that a default XP SP2 install is not vulnerable because the service is protected by the firewall. The attack vector just isn't available, thanks to that one improvement Microsoft made many years ago. Here is the vulnerable function, the PoC and the security bulletin.


touch and StringToSysTime

I've written a touch implementation for Windows that follows the Single Unix Specification. It's uploaded here with the source code.

Along with the utility, I wrote a function called StringToSysTime that might be helpful when working with times in Windows. It converts a date string in [[CC]YY]MMDDhhmm[.SS] format to a SYSTEMTIME structure and, together with its helper functions, checks that the date and time are valid.
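The stamp format is the one touch -t takes, and the part that needs care is the optional year: when only YY is given, the Single Unix Specification maps 69-99 to 19YY and 00-68 to 20YY, and when no year is given the current year applies. This added example (not the author's StringToSysTime) implements those rules in Python, rejects impossible dates, and lays the result out as the SYSTEMTIME members (which count Sunday as day 0).

```python
# Added example (not the author's StringToSysTime): parse touch's
# [[CC]YY]MMDDhhmm[.SS] stamp, apply the SUS century rule, validate the date.
import re
from datetime import datetime

STAMP_RE = re.compile(r"^(\d{8}|\d{10}|\d{12})(?:\.(\d{2}))?$")

def parse_touch_stamp(stamp, default_year=None):
    """Return a datetime, or raise ValueError for a malformed stamp or an
    impossible date/time (month 13, Feb 30, hour 24, ...)."""
    m = STAMP_RE.match(stamp)
    if not m:
        raise ValueError("expected [[CC]YY]MMDDhhmm[.SS]")
    digits, second = m.group(1), int(m.group(2) or 0)
    if len(digits) == 12:                    # CCYY given explicitly
        year, rest = int(digits[:4]), digits[4:]
    elif len(digits) == 10:                  # YY only: 69-99 -> 19YY, 00-68 -> 20YY
        yy, rest = int(digits[:2]), digits[2:]
        year = 1900 + yy if yy >= 69 else 2000 + yy
    else:                                    # no year at all: use the current year
        year, rest = default_year or datetime.now().year, digits
    month, day, hour, minute = (int(rest[i:i + 2]) for i in range(0, 8, 2))
    return datetime(year, month, day, hour, minute, second)   # raises if invalid

def is_valid_touch_stamp(stamp):
    try:
        parse_touch_stamp(stamp)
        return True
    except ValueError:
        return False

def systemtime_fields(dt):
    """The same values laid out as Win32 SYSTEMTIME members (Sunday = 0)."""
    return {"wYear": dt.year, "wMonth": dt.month,
            "wDayOfWeek": (dt.weekday() + 1) % 7, "wDay": dt.day,
            "wHour": dt.hour, "wMinute": dt.minute, "wSecond": dt.second,
            "wMilliseconds": dt.microsecond // 1000}
```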


usbHistory – a forensic tool to extract usb history

I have finally published a tool that I've been sitting on since early January. It is called usbHistory and is a command-line tool to extract trace evidence of USB activity from the Windows registry. It gathers information such as the last time a thumb drive or MP3 player was connected to the machine as well as the last drive letter it was assigned.

You can check out the article on my site here.


Introduction to Programming the Win GUI with Pelles C

I have posted a tutorial and introduction to GUI programming with Pelles C on my site. I originally wrote it on the neworder forums over the span of a day or two. For the intro you will need to install Pelles C and should be familiar with programming in C (including the use of pointers).

Here's the link.