Nortel NetDirect VPN Problems on Vista - TapAdapter IP not Assigned

Posted At : April 22, 2008 8:22 AM | Posted By : Cameron
Related Categories: VPN,Security

Posting this for consumption by Google, so that when this happens to me again I can search Google and find the answer on my own blog. Then I feel silly. Then I am happy I solved my problem.

NetDirect is a Java-based VPN client that requires the installation of a little ActiveX control and then runs in the systray.

The Problem

I have two computers running this on virtually identical Vista configurations. One works, one doesn't.

I'm on Vista Ultimate, and had tried getting NetDirect to work in both Firefox. Essentially, I got to the point where a little popup window opens up, I can see the NetDirect icon in the systray, and the client appears to be starting up. Then I get a long pause in feedback and an error. The output I see in the popup is as follows:

Downloading zip file...
Extracting zip file...
Loading library...
NetDirect: Initializing...
[[[ long pause here ]]]
NetDirect: TapAdapter IP not Assigned
NetDirect: Stopping...
NetDirect: Stopped!

At this point the window closes and the systray icon goes away. I tried a number of things including starting the browser "as Administrator" and also had searched Google for answers without any luck.

The Solution

The problem may have been due to the fact that I already had installed (months earlier) OpenVPN to use a different client's VPN. As I was hunting around the system for the "TapAdapter" mentioned in the error message, I found a start menu option under OpenVPN that said "Delete ALL TAP-Win32 virtual ethernet adapters". Whoa - that looked promising!

So I ran the bat file, it deleted some stuff, then I tried starting up the NetDirect connection again. Wham! It worked! Problem solved!

Note: I also started Firefox "As Administrator" when first installing the NetDirect client (it downloads and installs a couple of things). This may or may not have mattered.

MD5 Collision Algorithm Released

Posted At : November 15, 2005 3:51 PM | Posted By : Cameron
Related Categories: ColdFusion,Security

As posted to Slashdot today, the source code for an algorithm has been posted that promises to find MD5 collisions, making it even more important to add some salt to any use of hash().

Information Leakage in CFMX Admin is a Security Risk

Posted At : May 25, 2005 1:04 PM | Posted By : Cameron
Related Categories: ColdFusion,Security

I just noted today that the login screen for CFMX 6 and 7 includes a version number and patch level. Using this information an attacker can readily identify unpatched machines which are ripe for attack.

This is yet another reason to protect your entire CFIDE directory from prying eyes, and perhaps it would be a good idea for Macromedia to remove this information from the administrator login screen in future versions.

User Passwords Are Global, Shared, Encryption Keys

Posted At : April 15, 2005 4:09 PM | Posted By : Cameron
Related Categories: Security

So I just returned from the First Annual Software Security Summit and have security on the brain. I thought I'd post about a little something that's always bothered me - weak protection of passwords in web applications.

Many web applications don't handle much sensitive data. If someone breaks into the (fictional) web application for my mother's quilting guild, quilt-o-rama.com, no-one's going to care that all their quilting patterns have been stolen. They might even care if someone gets a list of all the guild members. However, there is one bit of data stored in this web application that's of value - their passwords.

Let's face it, people don't use different passwords. They should, but they don't. That means passwords become:

A globally shared key that opens all doors.

Now you may be saying to yourself, "But Cameron, that's the user's fault that they use the same password for everything." Sure, some responsibility does fall on the user. But we all know perfectly well that most people aren't going to choose a unique password if they can get away with it. Therefore we have to be willing to accept some responsibility when protecting our users' passwords.

Since we know people are going to do everything in their power to choose an easy to remember (weak) password, we should protect it. This responsibility falls on us - the application developers. We have become custodians of a huge library of personal keys. Keys that might unlock data at banks, home computers, offices, government records, and quilt-o-rama.com - for most users the key is the same (or very similar) for all of these.

Attackers are always looking for the weakest point to attack. Do you have a site that stores passwords in plaintext? Do you keep up with security bulletins? Do you think no-one cares about breaking into your little boring site? Congratulations, you are the weakest link (goodbye)!

In security circles, this is commonly referred to as "key management". Your bank may encrypt your account data six ways from Sunday, but if the encryption key is easy for an attacker to discover, the encryption becomes meaningless. The data might as well have been in plain text all along. People go to all sorts of lengths when it comes to key management to make sure that the same encryption key isn't used in too many places, that it's not easy to discover, and that it's routinely rotated in case an old key is discovered at some point.

The concept of password management is no different. It's a key, not an encryption key - but a key still. It unlocks information, but unlike encryption keys the same password is often used everywhere, very rarely rotated, and often not very well protected. And your web application's users have shared their keys with you. They have trusted you to keep it safe for them.

You are holding valuable keys. Are you doing your part to protect your users' bank accounts, businesses, and other personal information?
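
An added example, not code from the original posts: one way to store the passwords this post asks developers to protect, using a per-user salt as the MD5 post suggests. The PBKDF2 key stretching, iteration count, field names and sample password are assumptions of this sketch and go beyond the salt that post mentions.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch; tune the iteration count to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_md5(password):
    """The weak scheme, for contrast: equal passwords give equal stored values."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password):
    """Build a storable record: fresh random salt plus a PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def demo():
    """Two constructed users who chose the same password."""
    shared = "quilting123"  # constructed sample value
    alice, bob = hash_password(shared), hash_password(shared)
    return {
        "md5_values_match": unsalted_md5(shared) == unsalted_md5(shared),
        "salted_records_match": alice["digest"] == bob["digest"],
        "correct_password_accepted": verify_password(shared, alice),
        "wrong_password_rejected": not verify_password("quilting124", alice),
    }


if __name__ == "__main__":
    print(demo())
```

Because each record carries its own random salt, a stolen table does not reveal which users share a password, and a lookup table built for one salt is useless against the next.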

First Annual Software Security Summit In La Jolla CA

Posted At : April 11, 2005 1:05 PM | Posted By : Cameron
Related Categories: Security

This week I will be attending the First Annual Software Security Summit, a conference focused on writing secure software and understanding secure software architectures. If anyone else in the Macromedia/ColdFusion community is attending, shoot me an email and I'll keep an eye out for you.

New Firefox (and other browsers) Spoofing flaw

Posted At : February 7, 2005 11:19 AM | Posted By : Cameron
Related Categories: Security

A post from Netcraft entitled "Non-Microsoft Browsers Have Spoofing Flaw" shows that Firefox isn't immune to security flaws either. This flaw can be used by phishers to spoof a URL by inserting Unicode characters into it. Read the article for more.

Does Your Wireless Access Point Have an Evil Twin?

Posted At : January 25, 2005 12:15 PM | Posted By : Cameron
Related Categories: Wireless,Security

Last Thursday, CNN.com ran a story on a security threat to wireless users called an Evil Twin. Essentially, all an attacker does is give her AP the same SSID as the legitimate AP, drop it within proximity of wireless users, and wait for people to connect.

The end user has no idea that they are connecting to the wrong AP, and the attacker is able to conduct any number of attacks on the user, including a man-in-the-middle attack or simple packet capture.

Being seduced by an Evil Twin can be deterred by using WEP or WPA security, though there is still no guarantee that you are secure. WEP's been pretty well compromised and it's well accepted that WPA's days are also numbered.

Ultimately, the solution doesn't lie on the network layer, but on the data layer. If you really want to secure yourself, use something like ReefEdge's Dolphin. This software's an all-in-one wireless router/firewall with VPN capabilities. Place Dolphin on a machine between your wireless router and the rest of your network and it will regulate and secure access. From their site:

The Dolphin software transforms dedicated x86 hardware into a secure wireless gateway. Dolphin is ideal for a home environment or for IT professionals interested in exploring wireless network security. Dolphin supports secure authentication, IPSec security, and session roaming across subnets. Users authenticate with the wireless LAN using SSL and Dolphin enforces security policies based on type of user. Dolphin even supports encrypted access for trusted users via IPSec.

Cool stuff huh? With Dolphin, you can forget about WEP or WPA. The pipe to your network is regulated by a free enterprise strength security appliance that you can assemble yourself! Very cool stuff!

Note: As of this posting, the techzone.reefedge.com domain doesn't seem to be responding. Oh well, try try again.
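
An added example, not part of the original post: because an Evil Twin advertises the same SSID as the legitimate AP, a defender can compare wireless scan results against an inventory of the access points they actually operate. The SSIDs, BSSIDs, security labels and scan records below are constructed for illustration.

```python
# Constructed inventory of the access points we actually operate (assumed values).
KNOWN_APS = {
    "CorpWiFi": {
        "bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
        "security": "WPA",
    },
}

# Constructed scan results, shaped like what a laptop or sensor scan might report.
SCAN = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:55", "security": "WPA", "signal": -48},
    {"ssid": "CorpWiFi", "bssid": "DE:AD:BE:EF:00:01", "security": "OPEN", "signal": -35},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:01", "security": "OPEN", "signal": -70},
]


def find_suspect_aps(scan, known):
    """Return (ssid, bssid, reasons) for APs that use one of our SSIDs
    but do not match the inventory entry for that SSID."""
    findings = []
    for ap in scan:
        expected = known.get(ap["ssid"])
        if expected is None:
            continue  # not one of our SSIDs, so out of scope for this check
        bssid = ap["bssid"].lower()  # normalise case before comparing
        reasons = []
        if bssid not in expected["bssids"]:
            reasons.append("unknown BSSID")
        if ap["security"] != expected["security"]:
            reasons.append(
                "security mismatch: %s != %s" % (ap["security"], expected["security"])
            )
        if reasons:
            findings.append((ap["ssid"], bssid, reasons))
    return findings


if __name__ == "__main__":
    # A matching BSSID is not proof of legitimacy, so treat this as a tripwire
    # for investigation, not as authentication of the AP.
    for ssid, bssid, reasons in find_suspect_aps(SCAN, KNOWN_APS):
        print("ALERT %s %s: %s" % (ssid, bssid, "; ".join(reasons)))
```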

Are You The Weakest Link?

Posted At : January 21, 2005 5:39 PM | Posted By : Cameron
Related Categories: Security

Boxes of Unsecured Data

So you think you do a good job with security. You spend precious time every week/month making sure that you download all the latest updates and patches for desktops, databases, and web servers. You encrypt customer information before you back it up and store it offsite in a guarded facility. You are the most paranoid programmer around, validating all form input, and detecting scripting attacks on the fly. Then you walk down the hall and see four boxes chock full of customer data sitting outside the backdoor of your office. None of it is encrypted, none of it is guarded. It's just sitting there out in the open.

This photo was taken in the office building I work in every day. Those boxes have been sitting in a hallway outside of the back door of a mortgage banking company for the past THREE DAYS!!!!

You might also notice that the door is propped slightly open by a deadbolt that's extended. This door has been propped open in this way every day since I've worked in this building.

You are only as secure as your weakest point, and that point isn't always on the network.

Although many of these security issues are created by a Space Cadet in an Administrative Assistant's shoes, it's also common for software developers to focus on application security while neglecting physical security. While a developer may remember to lock her workstation every time she walks away from it, what about that debugging output sitting on her desk? Is there customer information on it? Did she leave it out on top of her desk at the end of the day when she went home? Should it be thrown away? Should it be shredded? Maybe it should be locked inside the desk. It's always a good idea to think about the physical security of data and not just the electronic security of it. Not enough of us do.
