Certificate Authority archives - IT Trenches


Aug 22 2008   8:02PM GMT

Poor Spelling = Identity Lost



Posted by: Troy Tate
administration, Networking, forensics, Security, Browsers, web, reporting, WWW, intellectual property, CA, certificate authority, malware, SSL, design, website, howto, network analysis, online identity, risk, awareness, blog, vulnerability, MITM, man-in-the-middle

Well, I am not the best speller, and I know that is true for most people. I have recently discovered how this human weakness can get you into trouble and cause identity loss as well as potential financial loss.

This issue has recently come to light with some of the Black Hat presentations. The actual presentation can be found here. That example actually refers to SSL VPN attacks, but consider what would happen if an attacker were able to set up a man-in-the-middle SSL proxy on a typosquatting domain name. For example, what if you typed https://www.mybnak.com/myaccount into your browser? The actual address should be https://www.mybank.com/myaccount. This is just a simple typographical error, right? Hmmmmm… maybe not!

Consider an attacker who has purchased the domain name mybnak.com. Suppose they then obtained an SSL certificate for it, or created a self-signed one that looks fine to an uneducated user. Have you ever seen a message like the following?

[Image: Internet Explorer invalid-certificate warning dialog]

How many of you (come on, admit it now) have clicked through this, or know someone who would click through it without a second thought? Say you did click Yes and proceeded. The website you land on looks exactly like the one you intended to visit! That is because the address you mistyped into your browser actually leads to the attacker's SSL proxy, and by clicking Yes you told the browser to trust its certificate. You have now fallen into the man-in-the-middle attack.

This looks like the following picture:

[Image: MITM (man-in-the-middle SSL proxy) diagram]

The attacker's proxy now takes all the traffic you send it, reads it, saves what it wants, repackages it and forwards it to your intended destination, then returns the responses to you (keeping copies of whatever comes back), all without you knowing that someone is sitting between you and your bank. Phishers use a similar mechanism, although a savvy consumer might notice that the address in the address bar does not match their intended destination at all. In my example, YOU mistyped the address!

Well, if this does not scare you into making sure you can type addresses correctly or keep accurate bookmarks, then read some of the following and make up your own mind:
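As an added defender-side example (not from the post), the snippet below scans web-proxy log lines for hosts that are one typo away from a protected domain, which is exactly how mybnak.com relates to mybank.com. The log lines are constructed, and the protected-domain list and one-edit threshold are assumptions.

```python
# Added example (not the post author's code); log lines constructed, thresholds assumed.
import re
PROTECTED_DOMAINS = {"mybank.com"}

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <target>"
SAMPLE_LOG = """\
2008-08-22T20:02:11Z 10.1.2.3 CONNECT www.mybank.com:443
2008-08-22T20:03:40Z 10.1.2.7 CONNECT www.mybnak.com:443
2008-08-22T20:04:02Z 10.1.2.9 CONNECT www.mybank.co:443
2008-08-22T20:05:15Z 10.1.2.3 GET http://www.example.org/index.html
2008-08-22T20:06:48Z 10.1.2.7 CONNECT mybank.com.evil-proxy.test:443
"""

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting an adjacent swap as one edit, so 'mybnak' is one
    edit from 'mybank' (plain Levenshtein would say two substitutions)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def registrable(host: str) -> str:
    # Last two labels; assumption: no multi-label public suffixes (e.g. .co.uk) in scope.
    return ".".join(host.split(".")[-2:])

def lookalikes(log_text: str, protected=PROTECTED_DOMAINS, max_distance: int = 1):
    """Return (host, protected domain) pairs for near misses and brand-prefixed hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        m = re.match(r"(?:https?://)?([A-Za-z0-9.-]+)", parts[3]) if len(parts) >= 4 else None
        if not m:
            continue
        host = m.group(1).lower()
        base = registrable(host)
        for good in protected:
            # Exact registrable domain is the real site; one edit away, or the brand
            # used as a leading label of another domain, deserves a look.
            if base != good and (osa_distance(base, good) <= max_distance
                                 or host.startswith(good + ".")):
                hits.append((host, good))
    return hits
```

Running `lookalikes(SAMPLE_LOG)` flags the transposed, truncated and brand-prefixed hosts while leaving the genuine www.mybank.com alone.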

Mozilla SSL Policy Considered Bad for the Web

SSL VPN might not be as secure as you think

Black Hat 2008 Aftermath

But, on the other side of this argument, consider this story about how a MITM attack saved Colombian hostages.

The internet is not a place to be ignorant about your surroundings. Users must be vigilant and savvy about its use. Maybe there should be internet driver testing and licenses?

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Aug 20 2008   6:19PM GMT

Did you see this? - Need some Exchange advice/support



Posted by: Troy Tate
administration, tools, Microsoft Windows, web, CIO, DataCenter, DataManagement, WWW, CA, spam, certificate authority, digital signatures, email, RSS, wiki, Exchange 2007, Outlook Web Access, Policy, Exchange, design, OWA, website, anti-virus, Performance, Powershell, howto, policy enforcement, awareness, blog, toolkit

Maybe you have already read my post about implementing new Exchange 2007 mailboxes for over 2000 users. If not… look here. As you can see from that event, ongoing support for these global users on a new messaging system is going to be a real challenge.

I found a great blog posting with links to some excellent Exchange resources. Keep it in your toolkit for those times when you just can't find the answer to a nagging Exchange problem anywhere else. I see lots of other IT people struggling with this system and looking for support here at IT KnowledgeExchange.

Some other Exchange resources I recommend are:

Microsoft Exchange Server Resource Site

E-mail archiving

Seven ways to organize your e-mail

MessagingTalk.org - Portal for Microsoft Exchange Messaging & Collaboration

Thanks for your time. Let’s be good network citizens together & practice safe networking!


Jul 25 2008   12:41PM GMT

2000 users - new mailboxes - one weekend - DONE!



Posted by: Troy Tate
administration, Networking, tools, Microsoft Windows, internet, CIO, DataCenter, DataManagement, CA, antivirus, certificate authority, digital signatures, email, Exchange 2007, Outlook Web Access, Exchange, design, OWA, Microsoft, troubleshooting, Powershell

Well, we did it! We implemented new mailboxes on Microsoft Exchange 2007 for over 2000 users in one weekend. Of course it took lots of planning, testing, and blood, sweat and tears during the process, but we are now on one e-mail platform where there were at least 5 before. We had more domains than we needed, and now the company is on one domain. We also had to plan and provide for inbound messages still addressed to the old domains.

The implementation was not without a couple of minor glitches, and some lessons in how users actually use the application. One glitch was a mistyped IP address. This stopped e-mail flow for a short period of time; however, that is not a huge issue, since sending SMTP servers continue to retry delivery. Another issue was administrative rights to "shared" mailboxes such as customer service or supply buyers. This has now been resolved, and users are getting full use of the system.

We still have some work to be done on things like:

  • proactive system monitoring to detect issues before the users do;
  • alternatives to sending large attachments (our attachment limit is 15MB);
  • running Outlook Anywhere so a mobile user can attach to their mailbox without having to use VPN;
  • supporting mobile devices like smartphones (our focus is on Windows Mobile v6 and up);
  • user certificates using private PKI to allow for digital signatures and encryption.

So, as you see, work in IT never finishes… it just continues to grow as more services and systems are implemented and change happens. Please feel free to leave a comment if you would like more information about our implementation process and decisions we made along the way.

Thanks for your time. Let’s be good network citizens together & practice safe networking!


Jun 17 2008   2:28PM GMT

Certificates - who do YOU trust?



Posted by: Troy Tate
Security, Verisign, certificate authority, digital signatures, Exchange 2007, Outlook Web Access, OWA, Network Admission Control, Thawte

We are currently going through the design and implementation of an Exchange 2007 environment in my organization. Our current e-mail architecture is varied, and none of its mail services is newer than 6 years old. So, we are learning a lot about Exchange and how it can fit our environment of over 2,200 users globally.

Part of our requirements include providing access to downlevel clients (Windows 2000 and below) as well as access to remote users. This will be easily accomplished through Outlook Web Access (OWA). As you know, OWA login is usually done on a page with an https, or secure sockets layer (SSL), address. The SSL encryption is provided by a certificate hosted on that server. The certificate can be self-signed by the server, signed by an authorized certificate authority (CA) in the organization, or signed by a trusted third-party provider like Verisign or Thawte.

If the certificate is self-signed by the server or issued by an organizational CA, then somehow the clients need to know about the trusted root, or they need to accept the warning the browser gives when they log in to the website. Either you want the users to understand what trust means, or you take the question away altogether. I vote for the latter: remove any doubt that the certificate is from a trusted source.

For the external OWA connections, we are purchasing certificates from a recognized third party. I have gone through several iterations of getting certificates, though, since this is my first time obtaining them for an Exchange environment. There is a particular "flavor" of certificate known as a subject alternative name (SAN) or unified communications certificate. A great article on this can be found here. (Take note of the root website here. It is one of the best and most readable Exchange resources you will find, since it comes from the Microsoft Exchange product team.)

So, I am now in the process of getting these SAN certificates and will be implementing them this week. Once they are in place, the errors will go away when users log in to these portals, since their browsers already know and trust the root certificate authority.

The next challenge is to address this same issue on the internal private OWA servers. We will be implementing a two-tier enterprise CA architecture using an offline root and a single enterprise CA. We will publish the root through Active Directory so the clients recognize it as an internal trusted root. We are then positioned to use this CA for other purposes: digital signatures, S/MIME, 802.1X, device authentication and more.
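The two conditions the posts above keep coming back to are that the name the user typed must be covered by the certificate (the SAN list) and that the issuing root must be in the client's trust store. The following is an added example, not the author's or Microsoft's code, that predicts which warning each planned OWA URL would raise under those two rules; the hostnames, CA names and trust stores are constructed to mirror the scenario described here.

```python
# Added example (not the post author's or Microsoft's code): predict which browser
# warning each planned OWA URL would raise. Hostnames, CA names and trust stores are
# constructed to mirror the post's scenario.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cert:
    subject_cn: str
    sans: list   # dNSName entries of a SAN / unified communications certificate
    root: str    # root CA the chain ends in; the cert's own name if self-signed

def name_matches(pattern: str, host: str) -> bool:
    """dNSName matching: case-insensitive; '*' only as the whole leftmost label,
    covering exactly one label ('*.example.com' matches owa.example.com only)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def predict_warning(url: str, cert: Cert, trusted_roots: set) -> str:
    """Return 'ok' or a comma-joined list of 'untrusted-root' / 'name-mismatch'."""
    host = urlsplit(url).hostname or ""
    problems = []
    if cert.root not in trusted_roots:          # the "who do you trust" question
        problems.append("untrusted-root")
    names = cert.sans or [cert.subject_cn]      # CN is a fallback only when no SANs
    if not any(name_matches(n, host) for n in names):
        problems.append("name-mismatch")
    return ",".join(problems) or "ok"

# Constructed scenario: external OWA on a third-party SAN cert; internal OWA first on a
# self-signed cert, then on the enterprise CA before and after its root is published via AD.
PUBLIC_ROOTS = {"ThirdParty Root CA"}
AD_PUBLISHED_ROOTS = PUBLIC_ROOTS | {"Example Offline Root CA"}
EXTERNAL = Cert("mail.example.com", ["mail.example.com", "autodiscover.example.com"],
                "ThirdParty Root CA")
SELF_SIGNED = Cert("owa01", [], "owa01")
ENTERPRISE = Cert("owa.corp.example.net", ["*.corp.example.net"], "Example Offline Root CA")

def run_checks() -> dict:
    return {
        "external": predict_warning("https://mail.example.com/owa", EXTERNAL, PUBLIC_ROOTS),
        "autodiscover": predict_warning("https://autodiscover.example.com/", EXTERNAL, PUBLIC_ROOTS),
        "self-signed": predict_warning("https://owa01.corp.example.net/owa", SELF_SIGNED, PUBLIC_ROOTS),
        "before-publish": predict_warning("https://owa01.corp.example.net/owa", ENTERPRISE, PUBLIC_ROOTS),
        "after-publish": predict_warning("https://owa01.corp.example.net/owa", ENTERPRISE, AD_PUBLISHED_ROOTS),
    }
```

The self-signed internal server fails both checks, the enterprise-CA certificate fails only until its root is published to clients, and the external SAN certificate passes for every name it lists.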

As you can tell, this has been a lot of education and work for my company. We have had some help in these efforts since this is entirely new to us and we have to implement it successfully the first time. I will let you know how things go.

Thanks for your time. Let’s be good network citizens together & practice safe networking!