
Friday, August 29, 2014

Root certificate problem in the pipeline


Not particularly fresh news to some people, but definitely important for anyone relying on SSL connections to websites: you now need to plan for replacing the certificates in your chains that are signed with SHA-1 by ones signed with SHA-2. One caveat worth knowing before you audit: path validation never checks a root certificate's own self-signature, so a SHA-1 root is not by itself the problem. What has to change is the signature on the server certificate and on any intermediate CA certificates beneath the root.

Microsoft Security Advisory 2880823

Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Published: November 12, 2013

Executive Summary

Microsoft is announcing a policy change to the Microsoft Root Certificate Program.
The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016.
Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Recommendation: Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2.
Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity.

For example, here are the details from a current VeriSign certificate:

[screenshot: certificate details dialog, not reproduced]
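The certificate dialog shows one certificate at a time. The check you actually want is over the whole chain a server presents, and it should ignore the root's self-signature for the reason given above. The following is an added example written for this page, not code from the original post or from Microsoft; it assumes PowerShell 3.0 or later on Windows and takes the host name from the caller.

```powershell
# Added example, not code from the original post: pulls the certificate chain a
# TLS server presents and flags every certificate signed with SHA-1 except the
# root. A trust anchor is trusted by identity, not by its own self-signature,
# so a SHA-1 self-signed root is not what the advisory is about; SHA-1 on the
# server certificate or an intermediate is. Assumes PowerShell 3.0+ on Windows.
function Get-TlsChainReport {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever the server sends: we are inspecting the chain, not
    # enforcing it, and a strict callback would throw before we could look.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Rebuild the path locally; intermediates the server sent are picked
        # up, missing ones are fetched via AIA if the machine is online.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # algorithm/trust question only, not a revocation test
        [void]$chain.Build($leaf)

        foreach ($element in $chain.ChainElements) {
            $cert = $element.Certificate
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            $alg = $cert.SignatureAlgorithm.FriendlyName       # e.g. sha1RSA, sha256RSA
            [pscustomobject]@{
                Subject      = $cert.Subject
                SignatureAlg = $alg
                NotAfter     = $cert.NotAfter
                SelfSigned   = $selfSigned
                NeedsAction  = (-not $selfSigned) -and ($alg -match '^sha1')
            }
        }
        if ($chain.ChainStatus.Count -gt 0) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            Write-Warning ("Chain status for {0}: {1}" -f $HostName, $status)
        }
    }
    finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# Usage (substitute a host you are responsible for):
# Get-TlsChainReport -HostName www.example.com | Format-Table -AutoSize
```

Element 0 is the server certificate and the last element is the root. Any row with NeedsAction set to true is a certificate you need to have reissued; a warning about UntrustedRoot or PartialChain means the machine running the check has its own trust-store problem, which is a separate issue from the hash algorithm.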

 

Will this impact any versions of Windows?

According to the Windows PKI Blog:

SHA2 and Windows

Published: September 30th, 2010

support for SHA-2 varies by version:

  • No support for SHA-2: Windows XP SP2, Windows Server 2003 SP2
  • Limited support for SHA-2: Windows XP SP3 and Windows Server 2003 SP2 with KB 938397 / KB 968730 applied
  • Full support: Windows Vista and above

Note: the "limited support" added by those hotfixes covers the following SHA-2 hashes: SHA-256, SHA-384 and SHA-512 (but not SHA-224).


What’s up with SHA-224?

According to Alejandro Campos Magencio’s cryptography blog

Decrypt my World

SHA-2 support on Windows XP

Published January 23rd, 2009

Regarding SHA-224 support, SHA-224 offers less security than SHA-256 but takes the same amount of resources. Also SHA-224 is not generally used by protocols and applications.


Further reading

Security Research and Defence Blog

Security Advisory 2880823: Recommendation to discontinue use of SHA-1

Published November 12th, 2013

Tuesday, April 1, 2014

Handy Windows end-of-support page


Reference articles

Product                                                Start date    Mainstream ends   Extended ends
Windows Server 2003 / 2003 R2                          Varies        13/Jul/2010       14/Jul/2015
Windows Server 2008 / 2008 R2                          Varies        13/Jan/2015       14/Jan/2020
Windows Server 2012 / 2012 R2                          Varies        09/Jan/2018       10/Jan/2023
Windows XP (Home, Professional, Media Centre, Tablet)  Varies        14/Apr/2009       08/Apr/2014
Windows Vista                                          25/Jan/2007   10/Apr/2012       11/Apr/2017
Windows 7                                              22/Oct/2009   13/Jan/2015       14/Jan/2020
Windows 8.0 / 8.1                                      Varies        09/Jan/2018       10/Jan/2023
Windows XP Professional for Embedded Systems           31/Dec/2001   14/Apr/2009       08/Apr/2014
Windows XP Embedded                                    30/Jan/2002   11/Jan/2011       12/Jan/2016
Windows Embedded for Point of Service                  06/Jun/2005   12/Apr/2011       12/Apr/2016
Windows Embedded CE 6.0                                30/Nov/2006   09/Apr/2013       10/Apr/2018
Windows Embedded Standard 2009                         14/Dec/2008   14/Jan/2014       08/Jan/2019
Windows Embedded POSReady 2009 (XP-based)              10/Mar/2009   08/Apr/2014       09/Apr/2019
Windows Embedded Handheld 6.5                          17/Dec/2010   13/Jan/2015       14/Jan/2020
Windows Embedded Standard 7                            29/Jul/2010   13/Oct/2015       13/Oct/2020
Windows Embedded Compact 7                             15/Mar/2011   12/Apr/2016       13/Apr/2021
Windows Embedded POSReady 7 (Windows 7-based)          10/Sep/2011   11/Oct/2016       12/Oct/2021
Windows Embedded 8.0 / 8.1                             Varies        10/Jul/2018       11/Jul/2023
Windows Embedded Compact 2013                          11/Aug/2013   09/Oct/2018       10/Oct/2023

Demystifying Point of Sale Malware and Attacks


Orla Cox has blogged about the various threats to Point-Of-Sale (POS) terminals on Symantec’s website:

Demystifying Point of Sale Malware and Attacks

There’s an associated whitepaper which is also worth a read:

Attacks on Point of Sales Systems (PDF)

The coming months should be interesting, as cybercriminals start using whatever Windows XP exploits they have been holding back for the end-of-support date: anything found from now on will never be patched.

Thursday, February 20, 2014

MCPs–we’re not all evil.


This quote (from the "License to Summon" rulebook for The Laundry role playing game system) may amuse.

Laundry employees can get a license to summon. It’s not that hard. Just complete a few basic Health and Safety and Demonology Courses, do the test, complete the very simple practical exam, and you’re certified. Peter-Francis Young has one, for Yog’s sake! It’s less demanding than getting a Microsoft Certified Professional qualification, and just like an MCP, a license to summon allows you to loose mind-eating horrors on an unsuspecting world.

The game's designers are obviously continuing the anti-Microsoft digs found in the source material, the "Laundry Files" series of novels written by Charles Stross. In his writings, Charles does not come across as a big fan of Microsoft's products. In fact, last October he ranted at length on "Why Microsoft Word must Die". Not a happy man as far as IT goes.

Tuesday, February 11, 2014

End of PCI Compliance for Windows XP


Microsoft has announced that Windows XP will reach end-of-life on April 8th, 2014.
Windows 2000 already reached end-of-life on 13th July, 2010.

PCI DSS compliance requires every component of a Point-Of-Sale (POS) payment environment to be supported by its vendor with security updates, and that includes the operating system the payment application runs on. Microsoft stops shipping security updates for an operating system once it leaves extended support, so from that date a merchant still running it can no longer satisfy the patching requirement and will be assessed as non-compliant with PCI DSS (the PCI SSC writes the standard; the compliance finding itself is made by the merchant's assessor or acquirer). This is covered in the PCI DSS documentation under "Requirement 6: Develop and maintain secure systems and applications", requirement 6.1 in PCI DSS v2.0 (renumbered 6.2 in v3.0):

6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Deploy critical patches within a month of release.

It is therefore a good idea to upgrade any operating system used for a POS payment system that is no longer supported or will soon reach the end of support. Documented compensating controls can cover a short gap, but only if the assessor accepts them, and they do not turn an unpatched operating system into a supported one. Not upgrading may expose merchants to fines and penalties should their environments be compromised while not compliant with PCI DSS.
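Two things are worth checking on every tills-and-back-office host before an assessment: whether the operating system is past its extended-support date (the table in the April 2014 post above), and how long it has been since an update was installed, against the one-month window in requirement 6.1. The following is an added example for this page, not code from the original post or from the PCI SSC. The end-of-support dates are copied from the table above; the caption patterns, the 30-day default and the hypothetical host name in the usage comment are this example's own assumptions, and the age of the newest update is only a proxy, since it cannot prove that every critical patch is present.

```powershell
# Added example, not code from the original post: reports whether a Windows
# host has passed Microsoft extended support and how stale its newest installed
# update is, measured against the one-month window in PCI DSS requirement 6.1.
# Dates come from the end-of-support table in the post; the caption patterns
# and the 30-day default are assumptions. Uses Get-WmiObject and Get-HotFix so
# it runs on PowerShell 2.0, i.e. on XP and Server 2003 themselves.

$Lifecycle = @(
    @{ Pattern = 'POSReady 2009';       ExtendedEnds = [datetime]'2019-04-09' },
    @{ Pattern = 'POSReady 7';          ExtendedEnds = [datetime]'2021-10-12' },
    @{ Pattern = 'Embedded Standard 7'; ExtendedEnds = [datetime]'2020-10-13' },
    @{ Pattern = 'Windows XP';          ExtendedEnds = [datetime]'2014-04-08' },
    @{ Pattern = 'Server 2003';         ExtendedEnds = [datetime]'2015-07-14' },
    @{ Pattern = 'Windows Vista';       ExtendedEnds = [datetime]'2017-04-11' },
    @{ Pattern = 'Server 2008';         ExtendedEnds = [datetime]'2020-01-14' },
    @{ Pattern = 'Windows 7';           ExtendedEnds = [datetime]'2020-01-14' },
    @{ Pattern = 'Server 2012';         ExtendedEnds = [datetime]'2023-01-10' },
    @{ Pattern = 'Windows 8';           ExtendedEnds = [datetime]'2023-01-10' }
)

function Get-PatchComplianceStatus {
    param(
        [string]$ComputerName = '.',
        [datetime]$AsOf = (Get-Date),
        [int]$MaxPatchAgeDays = 30      # PCI DSS 6.1: critical patches within one month
    )
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    # First pattern wins, so the more specific embedded editions are listed first
    $entry = $Lifecycle | Where-Object { $os.Caption -match $_.Pattern } | Select-Object -First 1

    # Get-HotFix reads the same data as Add/Remove Programs; entries without a
    # recorded install date are ignored rather than treated as recent
    $newest = Get-HotFix -ComputerName $ComputerName |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $age = $(if ($newest) { ($AsOf - $newest.InstalledOn).Days } else { $null })

    New-Object PSObject -Property @{
        Computer            = $os.CSName
        OS                  = $os.Caption
        ExtendedSupportEnds = $(if ($entry) { $entry.ExtendedEnds } else { $null })
        OutOfSupport        = $(if ($entry) { $AsOf -gt $entry.ExtendedEnds } else { 'unknown' })
        LastUpdate          = $(if ($newest) { $newest.HotFixID } else { 'none recorded' })
        DaysSinceLastUpdate = $age
        PatchWindowExceeded = ($null -eq $age) -or ($age -gt $MaxPatchAgeDays)
    }
}

# Usage: Get-PatchComplianceStatus | Format-List
#        Get-PatchComplianceStatus -ComputerName POS-TILL-01   # hypothetical host name
```

OutOfSupport reads 'unknown' rather than false when the caption matches no pattern, so an unexpected build (an embedded image that reports a desktop caption, for instance) shows up for manual review instead of silently passing.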

References

  1. Windows XP SP3 and Office 2003 - Support Ends April 8th, 2014
  2. Extended Support for Windows 2000 Server Ends on July 13, 2010
  3. Microsoft Support Lifecycle
  4. PCI DSS Quick Reference Guide

Monday, January 20, 2014

I thought “Print Screen” did just that


Just had an Adobe update install unwanted applications - Google Chrome and a browser toolbar. Irritating, I know, especially as it means I missed the sneakily hidden opt-out tick box. This just reinforces the knowledge that I could never work in marketing as it would mean discarding my moral code.

But I digress.

I took some screenshots to compose a vitriolic Tweet around and noticed that something weird was going on with the clipboard.

Here’s what the screen looked like to my eyes (or to my SmartPhone):

[screenshot: the window as displayed, not reproduced]

Here’s what went into the clipboard after I pressed the Print Scrn button on the keyboard:

[screenshot: clipboard contents after Print Screen, not reproduced]

Where have the tail and the black outline to the box gone?

Wednesday, October 23, 2013

I’m going to have to stop using MS Virtual PC 2007


For many years now I’ve been happily chucking around Windows XP virtual hard disks and loading them with Virtual PC. Sadly I’m going to have to turn to something modern as the virtual processor is no longer up to scratch, as I found when trying to install Windows 8.1 evaluation.

[screenshot: Windows 8.1 setup stop screen, not reproduced]

In the past this would have been the classic Blue Screen. Windows 8 still halts with a bug check, but the screen now shows a frowning emoticon and the stop code name instead of the old wall of hex.

0x0000005D is UNSUPPORTED_PROCESSOR: Windows 8 requires a CPU with NX (No-Execute), PAE and SSE2, and on physical hardware the usual fix is to enable No-Execute Memory Protection in the BIOS.

Virtual PC 2007 is ancient, so the AMI BIOS it emulates has no such setting on any of its menus, and the guest never sees NX even when the host CPU has it.

[screenshot: Virtual PC 2007 BIOS setup menu, not reproduced]

Off now to find a virtualisation product I like.

Friday, June 28, 2013

DataCash @ Hackathon


Back in May, DataCash sponsored one of the biggest networking events for payments developers, Trans-hacktion. The three-day hackathon, organised by Birdback, focused on the latest innovations in payments and financial technology and was held at Google Campus in London.


The event included demos from DataCash and other payments companies, followed by hacking sessions. Teams had to build a product using the partner APIs and present it in three minutes on the final day. The prizes up for grabs were:

  • King Hacker: 3D printer and champagne
  • 1st: Pebble watch and 1 year of GitHub Silver plan
  • 2nd: AIAIAI headphones and 1 year of GitHub Bronze plan
  • 3rd: Raspberry Pi and 6 months of GitHub Bronze plan
  • API: Up bracelet, Nintendo NES with Super Mario game
  • AND: Berg Cloud Little Printer, $100 AWS credit and more...

Thursday, June 20, 2013

Keep your Root Authorities up to date


By default, Windows automatically updates its internal list of trusted root authorities as long as the Update Root Certificates component is installed. It is installed by default and takes manual intervention to remove.

[screenshot: Update Root Certificates component in Windows Components, not reproduced]

With this component enabled, the following happens:

If you are presented with a certificate issued by an untrusted root authority, your computer will contact the Windows Update Web site to see if Microsoft has added the CA to its list of trusted authorities. If it has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to your trusted certificate store.

If the component is not installed and a certificate from an untrusted CA is encountered, the browser shows the following:

[screenshot: browser certificate warning page, not reproduced]

This is an inconvenience for a person browsing the site, who only has to click to continue. Applications, though, cannot proceed and will throw an exception. Example from WinHTTP:

    ERROR_WINHTTP_SECURE_FAILURE
    12175 (0x00002F8F)
    One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.

If you look at the certificate’s properties, you can see the “Issued by:” value:

[screenshot: certificate General tab showing "Issued by", not reproduced]

This is the CA that signed the certificate directly, usually an intermediate CA. It is not the Trusted Root Certification Authority. To find the root, use the "Certification Path" tab instead.

[screenshot: Certification Path tab, not reproduced]

Highlight the topmost entry in the path and click the "View Certificate" button to see the root CA, in this case "VeriSign Class 3 Public Primary Certification Authority – G5".

[screenshot: root CA certificate details, not reproduced]

That root must be present under Trusted Root Certification Authorities in either the current user's store or the local computer's store (the computer store is visible to every user on the machine). If it is not, the chain ends in an untrusted root and validation fails, however valid the rest of the chain is.

[screenshot: Trusted Root Certification Authorities store in the Certificates console, not reproduced]

So turn on automatic updating of trusted root authority certificates.

For Windows Vista and above, this option is controlled through Group Policy. See the “To Turn Off the Update Root Certificates Feature by Using Group Policy” section of the following TechNet article:

Certificate Support and Resulting Internet Communication in Windows Vista

If Windows Update is blocked from the machine, download and deploy the latest root certificate update package from Microsoft:

Failing that, find a machine that has the latest root certificates installed, export the missing one from there and import it on the machine that lacks it:

  1. Open up the Certificates console
  2. Right-click the required Trusted Root Certification Authority certificate (a self-signed root; an intermediate CA certificate belongs in "Intermediate Certification Authorities" instead)
  3. Choose Export from "All Tasks" to open up the Certificate Export Wizard
  4. Choose an export file format; DER should be fine
  5. Provide a file name and complete the export
  6. Move the file to the machine that is missing the certificate
  7. Right-click the file and choose "Install Certificate" to open up the Certificate Import Wizard
  8. Do not allow the wizard to automatically select the certificate store. Instead choose "Place all certificates in the following store" and click Browse
  9. On the "Select Certificate Store" window, enable "Show physical stores" and highlight "Trusted Root Certification Authorities \ Local Computer"
  10. Complete the import
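The wizard steps above do not scale past a handful of machines, and they give you no way to confirm the fix other than re-running the failing application. The following is an added example written for this page, not code from the original post or from Microsoft: it performs the same export and import with the .NET X509Store classes, and adds a chain check that reports which status (UntrustedRoot, PartialChain and so on) a certificate gets before and after the root is installed. It assumes PowerShell 3.0 or later; importing into LocalMachine\Root needs an elevated prompt.

```powershell
# Added example, not code from the original post. Export a root from one
# machine's store, import it into LocalMachine\Root on another, and build the
# chain for a leaf certificate to see exactly why it is (or is not) trusted.
# Assumes PowerShell 3.0+; Import-TrustedRoot must run elevated.

function Export-TrustedRoot {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,    # from the Details tab, without spaces
        [Parameter(Mandatory = $true)][string]$Path,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Location = 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadOnly')
    try {
        $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        if ($found.Count -ne 1) { throw "Expected one root with thumbprint $Thumbprint, found $($found.Count)" }
        # DER ("binary X.509"), the same format step 4 of the wizard produces
        [System.IO.File]::WriteAllBytes($Path, $found[0].Export('Cert'))
    }
    finally { $store.Close() }
}

function Import-TrustedRoot {
    param([Parameter(Mandatory = $true)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # Only a self-signed root belongs in Root; an intermediate in here masks
    # real chain problems instead of fixing them
    if ($cert.Subject -ne $cert.Issuer) {
        throw "$($cert.Subject) is not self-signed; put intermediates in the CA store, not Root"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')      # step 9 of the wizard: Trusted Root CAs \ Local Computer
    try { $store.Add($cert) } finally { $store.Close() }   # Add is a no-op if already present
    $cert.Thumbprint
}

function Test-ChainTrust {
    param([Parameter(Mandatory = $true)][string]$Path)    # leaf certificate, DER or PEM
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # separate the trust question from CRL/OCSP reachability
    $ok = $chain.Build($leaf)
    $count = $chain.ChainElements.Count
    [pscustomobject]@{
        Subject = $leaf.Subject
        Trusted = $ok
        Root    = $(if ($count -gt 0) { $chain.ChainElements[$count - 1].Certificate.Subject } else { $null })
        Status  = $(if ($chain.ChainStatus.Count -eq 0) { 'OK' }
                    else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' })
    }
}

# Usage (paths and thumbprint are placeholders for your own values):
# On the good machine:   Export-TrustedRoot -Thumbprint <hex> -Path C:\temp\root.cer
# On the broken machine: Test-ChainTrust -Path C:\temp\server.cer      # expect UntrustedRoot
#                        Import-TrustedRoot -Path C:\temp\root.cer
#                        Test-ChainTrust -Path C:\temp\server.cer      # expect OK
```

Read the Status column before importing anything. UntrustedRoot means the root really is missing and the import above is the fix; PartialChain means an intermediate could not be found, which is usually the server not sending its intermediates, and adding certificates to Root on every client is the wrong answer to that.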

[screenshot: Certificate Import Wizard store selection, not reproduced]

Thanks to Gurpal Basra for his valuable input.

Friday, October 5, 2012

An MSMQ Viewer for NServiceBus


Daniel Halan has developed an MSMQ Viewer for NServiceBus:

I've lately been working with a scalable cloud solution, and then it's good to use a Service Bus for sending commands, events and messages around the network. Now I tried a few MSMQ message viewers that are available, but they all lacked the real-time feedback that would be nice when debugging or when you just want to know what is happening behind the scenes. So from that a new small application grew, called "ServiceBus MQ Manager". It's a small application that will monitor queues at a set interval and present the Events, Commands and Messages that are there, while also keeping messages that have been retrieved (deleted) from the Queue.

which you can download through a link on his blog.


Copyright © John Breakwell