Parallèlement, le BSI et le CERTA ont demandé à Microsoft de corriger ces faillent de sécurité qui pourraient avoir de grands impacts sur le grand plublique; les risques d’impacts sur les achats en ligne riques d’être gros, et d’apporter plus à la “crise” qu’aux comptes des commerçants.

Microsoft ont fourni une première réponse et contournement qui limiterait les risques mais ne les annule pas : mettre le niveau de sécurité sur le niveau “élevé” pourrait réduire les risques dûs à l’utilisation des contrôles ActiveX et Javascript. Il va sans dire qu’en désactivant ces deux fonctionnalités il devient difficile voire même impossible de parcourir quelques sites Internet.

Firebug

We start with the most useful one : Firebug.

Firebug integrates with Firefox to put riches of development tools at your fingertips as you are browsing. You are able to edit, debug, and monitor CSS, HTML, and JavaScript alive in any web page…

It lets you trace and fine-tune every line of HTML, JavaScript, and the Document Object Model (DOM). It’ll report on under-the-table AJAX queries, tell you the time it takes a page to load up, and allow you to edit a web page on the fly. The only thing it can’t do is allow you save your modifications back to the server.

Changes made in Firebug are not permanent. They just apply to the individual instance of the page you are changing. If you refresh the page, all alterations will be lost. If you navigate out from the page, all modifications will be lost.

If you’re accomplishing a test that implies locally altering HTML, JavaScript, or the DOM, make sure to copy and paste your changes into a separate file, or all evidence of your test will be lost. In a pinch, a screenshot works for recording test results, but can’t be copied and pasted to re-execute a test.

View Source Chart

View Source Chart allows you to graphically view HTML Tag edges, delimit Tag Nesting Order, Structure and Hierarchy. And finaly, adds a Simple but Powerful interface to Source Code.

The difference between source charting and identation only formating is that it allows user to :

* Rapidly scan and recognize a document’s tags without reading a single tag
* see how deeply nested an element is just by looking to its left (no scrolling/finding/reading tags)
* identify an element’s containing tags without being forced to scroll, find and read each tag

install it from here

Tamper Data

TamperData is an extension to track and modify http/https requests and is used for security testing more than for design matters.

you can get it here

Edit Cookies

Edit Cookies is the only Firefox extension that allows one to change any aspect of a cookie from within the browser itself.

get it here!

User Agent Switcher

The User Agent Switcher extension adds a menu and a toolbar button to change the user agent of the web browser. It’s designed for Firefox, Flock  and Seamonkey, and will run on any operating system  that these browsers support including Windows, Mac OS  X and Linux.

The extension is available here

SwitchProxy

SwitchProxy allows you manage and alternate between multiple proxy configurations rapidly and easily. You can also use it as an anonymizer to protect your computer from prying eyes.

have it here

I can not list all extensions, but I believe these are the most important in my point of view.

Thank you for your time and happy reading.

DNSSEC provides:

1. Origin authentication of DNS data,
2. Data integrity
3. Authenticated denial of existence.

These functions are based on asymmetric cryptography system

In other words, if an attacker attempts to create a DNS response that has been altered from the original authentic response in some fashion, and the attacker then attempts to pass the response off as an authentic response, then a DNSSEC-aware DNS client should be able to detect the fact that the response has been altered and that the response does not correspond to the authoritative DNS information for that zone. In other words, DNSSEC is intended to protect DNS clients from forged DNS data. This protection does not eliminate the potential to inject false data into a DNS resolution transaction, but it adds additional information to DNS responses to allow a client to check that the response is authentic and complete.

As I said before, dnssec is based on cryptography, especially Public key cryptography which relies on a public and private key pair

Two types of keys are identified for use in zone signing operations. The first type is called

A Zone Signing Key (ZSK) and the second type are called a Key Signing Key (KSK). The ZSK Is used to sign the RRsets within the zone, and this includes signing the ZSK itself, the KSK is used to sign root of the Zone, which includes the ZSK and the KSK and may also be used outside the zone either as the trusted anchor in a security-aware server or as part of the chain of trust by a parent Name Server.

DNSsec mechanisms require also changes to the DNS protocol. DNSSEC adds four new resource record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure (NSEC). These new RRs are described in detail in RFC 4034

What are the uses of each resource record?

DNSSEC uses public key cryptography to sign and authenticate DNS Resource record sets (RRsets).

The public keys are stored in DNSKEY Resource records, Digital signatures are stored in RRSIG resource records while, The NSEC resource record lists two separate things: the next owner name (in the canonical ordering of the zone) that contains Authoritative data or a delegation point NS RRset, and the set of RRTypes present at the NSEC RR’s owner name but for A DS RR it refers to a DNSKEY RR by Storing the key tag, algorithm number, and a digest of the DNSKEY RR, The DS RR appears only On the upper (parental) side of a delegation

Deploying Dnssec

1. Enable dnssec in authorative and recursive servers : Means that your dns will support dnssec functionality, so you have to add the following line in named.conf file (named configuration file):

Options {Dnssec-enable yes; };

2. Generate zsk and ksk for each zone :
   i/ Create zsk key:

   Dnssec-keygen -a rsasha1 -b 1024 -n zone ecole.com

   This command will generate 2 files with the following extensions:

   .key is public portion of the key

   .private is private portion of the key

   ii/ Create the ksk key:

   dnssec-keygen -a rsasha1 -b 1400 -f KSK -n zone ecole.com

3. Include keys in the zone file : we have to add the public portions to the zone file either but just including using this syntax :

$INCLUDE keys/Kecole.com.+005+12513.key; KSK

$INCLUDE keys/Kecole.com.+005+03977.key; ZSK

Or using command line mode :

Cat keys/Kecole.com.+005+12513.key >> ecole.db

cat keys/Kecole.com.+005+03977.key >> ecole.db

4. Sign the zone using the following command:

Dnssec-signzone -o ecole.com -t -k Kecole.com. +005+12513 ecole.db Kecole.com.+005+03977

5. Update named.conf file :

Replace :

zone “ecole.com ” {

file “ecole .db “;

};

With:

zone “ecole.com ” {

file “ecole.db.signed “;

};

6. Creating a secure delegation :

The process for signing a sub domain is essentially similar to that defined for signing a zone with one single difference; A Delegated Signer RR can be added to the ecole.com zone file to create secure delegation.

In fact we have to follow the same steps described before but while singing the zone we have to use the command:

dnssec-signzone -o etudiant.ecole.com -t -g -k Ketudiant.ecole.com.+005+64536

etudiant.db Ketudiant.ecole.com.+005+48560

The -g argument is used to generate two special files called dsset-etudiant.ecole.com. (Containing the DS RR for the parent) and keyset-etudiant.ecole.com. (Containing a copy of the public Key DNSKEY RR of the KSK).

When the parent administrator receives the dsset-etudiant.ecole.com. and, optionally, the keyset-etudiant.ecole.com. files, they are placed in the same directory where the ecole.com zone is signed. The dsset-etudiant.ecole.com. File is included in the original ecole.com zone. Re-sign the zone by executing the dnssec-signzone command exactly as before

The only thing that has changed is the additional Ds reecords in the new zone file, so that the sub domain zone gets its authentification through the delegation point in ecole.com in the parent zone

You may understand more the use of the Ds record in my next article which will be about DLV System and how to create a trusted anchor within a chain of trust

I hope it was useful and I want to thankyou for your time.

While some may be looking to phish your personal information and identity for resale, others simply just want to use your computer as a platform from which to attack other unknowing targets.  Below are a few easy, cost-effective steps you will be able to take to make your computer more protected.

1. Always make backups of important information and store in a safe place separate from your computer.
2. Update and patch your OS, browser and software frequently.  If you have a Windows OS, start by going to windowsupdate.microsoft.com and running the update wizard.  This program will help you find the latest patches for your Windows computer.  Also go to officeupdate.microsoft.com to locate possible patches for your Office programs.
3. Install a firewall.  Without a good firewall, viruses, worms, Trojans, malware and adware can all easily access your computer from the Internet.  Consideration should be given to the benefits and differences between hardware and software based firewall programs.
4. Review your browser and email settings for optimum security.  Why should you do this?  Active-X and JavaScript are often used by hackers to plant malicious programs into your computers.  While cookies are relatively harmless in terms of security concerns, they do still track your movements on the Internet to build a profile of you.  At a minimum set your security setting for the “internet zone” to High, and your “trusted sites zone” to Medium Low.
5. Install antivirus software and set for automatic updates so that you receive the most current versions.
6. Do not open unknown email attachments.  It is simply not enough that you may recognize the address from which it originates because many viruses can spread from a familiar address.
7. Do not run programs from unknown origins.  Also, do not send these types of programs to friends and coworkers because they contain funny or amusing stories or jokes.  They may contain a Trojans horse waiting to infect a computer.
8. Disable hidden filename extensions.  By default, the Windows operating system is set to “hide file extensions for known file types”.  Disable this option so that file extensions display in Windows.  Some file extensions will, by default, continue to remain hidden, but you are more likely to see any unusual file extensions that do not belong.
9. Turn off your computer and disconnect from the network when not using the computer.  A hacker cannot attack your computer when you are disconnected from the network or the computer is off.
10. Consider making a boot disk on a floppy disk in case your computer is damaged or compromised by a malicious program.  Obviously, you need to take this step before you experience a hostile breach of your system.

I hope these recommendations will help you.

Happy staying in Ntsysv Blog!

In a previous article I talked about disabling Autorun facility in Windows using a registry value suggested by US-CERT. To remind the reader, the key and value are :

Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
Value : @=”@SYS:DoesNotExist”

To deploy this configuration using GPO, we need to create a new, or may be update an existing one, administration file. Administration files are normally located in folder :

%systemroot%\inf

and have .adm extension.

I will not go into details of ADM files syntax, version control and Operating System filtering, as it will need more than one article, but anyway : here is a prototype you can always use with Windows XP (and above?) and you can change the key and values but keep the same syntax. For interested readers, I recommend this document : “Using Administrative Template Files with Registry-Based Group Policy” from Microsoft site.

So, the ADM file I propose for this configuration:

CLASS MACHINE
CATEGORY !!category
KEYNAME “SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf”
POLICY !!policynameautorun
ACTIONLISTON
VALUENAME “@”        VALUE “@SYS:DoesNotExist”
END ACTIONLISTON
ACTIONLISTOFF
VALUENAME “@”        VALUE “”
END ACTIONLISTOFF
END POLICY
END CATEGORY
[strings]
category=”Custom Policy Settings”
policynameautorun=”Disable autorun”

save this lines as “customPolicies.adm” for example, and import it as an administrative template. To do so, develop “computer configuration“, then right click on “administrative templates” group,  and choose “Add/Remove templates”, click on “Add” and browse for your file. Once selected, validate and close; You’ll see your new group of policies (that is named “category” in the adm file) in the groups tree. You can see this steps in this video.

One done, you man not see the new policy as there’s a default filtering. To disable filtering, right click on “administrative templates”, select “Display” menu and then “Filtering”; uncheck all checkboxes. Have a look here :

Some explanations about parameters used in the above example :

• KEYNAME : Registry key to change/create.
• ACTIONLISTON : actions to perform when the policy is enabled
• ACTIONLISTOFF : actions to perform when policy is disabled
• strings section : values for substitution variables, noted with double exclamation mark (!!category for example). These varibales are used for portability between different language versions of Windows.

Having the adm file imported does not mean it is in use and applied. You need to create a new strategy (or update an existing one) to use the policy. Then you have to link this strategy to the Organisational Unit (OU) you want.

In the client side, you need to run gpupdate in the command prompt if you want the modifications to be applied right at the moment without waiting any longer. Gpupdate command replaces secedit command available in Windows 2000 and older versions. Please refer to the help of these commands for more details.

I hope you enjoyed reading and it was useful.

In a previous article we saw how to disable low dik space warnings in Windows systems, in this article we will talk about Autorun.

Microsoft Windows come with the AutoRun feature which make applications start automaticaly when inserting a CD/DVD, mapping a network drive or plugging a USB key. This is the worst case because everyone can plug a usb key to move data, to get pictures from a friend, to copy music …etc.

When a Removable Device is connected to computer, either the autorun launches the exe/.com file to witch a Autorun.inf file point to, or the user double click on the icon to browse the device content. In both cases, a hidden execution happens and make the computer infected. As an example, the Malicious software W32.Downadup uses this technique to spread.

In Microsoft, we can read many articles, such :

• How to correct “disable Autorun registry key” enforcement in Windows : which details also how to disable autorun useing Group Policy Objects (GPO)
• How to Enable or Disable Automatically Running CD-ROMs
• How to disable the use of USB storage devices (more radical solution!)

Today I received an US-CERT notification to say that those solutions are not effective when a media is first time connected to computer. In the Technical Cyber Security Alert TA09-020A we can read :

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft   Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

The proposed solution is to set the following value to registry :

Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf

Value : @=”@SYS:DoesNotExist”

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=”@SYS:DoesNotExist”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Hope you found this post useful, and I’d like to invite you to subscribe to my feed to keep in touch with future posts.