Splunk – SSL Settings for Web Interface

I was pointed at a great blog post on Hardening SSL Settings by Hynek Schlawack that covers mitigating a number of attacks against SSL and then evaluating the result with Qualys SSL Labs.

So I set out to figure out how much of the advice I could incorporate into Splunk's SSL settings. The catch is that Splunk uses CherryPy for its web server, which makes disabling server-side SSL compression problematic; I still have not solved that part. We need that to help mitigate the recently covered BREACH attack and the older CRIME attack. Still, I was able to adjust things to mitigate BEAST and greatly improve the score given by the Qualys tool. Granted, there are blog posts out there on setting up Apache as the web front end and relaying traffic through to Splunk's CherryPy, which would give us the controls we need. For now, however, I like to write things up for vanilla Splunk, using only what is available in their install.

We will need to edit Splunk's web.conf file. We can just take the recommended cipher list from Hynek's post. It addresses the BEAST attack by eliminating CBC-based ciphers from the list available to SplunkWeb. We force SSLv3 only. And of course we have SSL enabled on the web interface.

One thing to note is that although we include the better, newer ciphers in the list, they will do nothing for us until the OpenSSL shipped with Splunk is upgraded in a patch to support TLS 1.2. Right now it still only supports TLS 1.0. We put the list in now, and when the update arrives the newer ciphers should just start working.

Add the following stanza then bounce your Splunk service:

[settings]
enableSplunkWebSSL = 1
supportSSLV3Only = true
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA
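Before pasting a cipherSuite value into web.conf it is worth checking what each entry actually is. The script below is an added example, not code from the original post or from Splunk: it parses an OpenSSL-style cipher list from its names alone (a naming-convention heuristic, which is an assumption: a leading ECDHE/DHE means an ephemeral key exchange, GCM/CCM/CHACHA20 means AEAD, RC4 is a stream cipher, and the remaining AES-SHA* suites are CBC with an HMAC) and reports which suites in the post's list are still CBC-based, which are RC4, and which lack forward secrecy. The `harden_cipher_suite` helper rebuilds the list under a stricter policy.

```python
"""Audit an OpenSSL-style cipher list such as Splunk's web.conf cipherSuite.

Added example, not code from the original post or from Splunk: classifies each
suite from its OpenSSL name so CBC suites (BEAST-relevant on TLS 1.0), RC4
suites and suites without forward secrecy are visible before deployment.
"""

# The cipherSuite value from the post's [settings] stanza (constructed copy;
# a trailing ';' is kept deliberately to show the parser discarding it).
SPLUNK_CIPHER_SUITE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;"
)

# Assumption: OpenSSL name prefixes that denote an ephemeral key exchange.
FORWARD_SECRET_KX = {"ECDHE", "DHE", "EECDH", "EDH"}
# Assumption: name components that denote an AEAD bulk cipher.
AEAD_MARKERS = {"GCM", "CCM", "CCM8", "CHACHA20"}


def parse_cipher_list(value):
    """Split on ':' (OpenSSL's list separator); drop empty tokens and stray ';'."""
    return [tok.strip() for tok in value.replace(";", "").split(":") if tok.strip()]


def classify_cipher(name):
    """Derive key exchange and bulk-cipher mode from the OpenSSL suite name.

    Heuristic on the naming convention only; it does not consult an OpenSSL
    build, so it covers the AES/RC4/ChaCha20 families seen in typical lists.
    """
    parts = name.upper().split("-")
    if "RC4" in parts:
        mode = "RC4"
    elif AEAD_MARKERS & set(parts):
        mode = "AEAD"
    else:
        mode = "CBC"  # e.g. ECDHE-RSA-AES256-SHA384: AES-CBC with HMAC-SHA384
    return {
        "name": name,
        "forward_secrecy": parts[0] in FORWARD_SECRET_KX,
        "mode": mode,
    }


def audit_cipher_suite(value):
    """Return a summary dict: each suite classified plus per-finding name lists."""
    suites = [classify_cipher(n) for n in parse_cipher_list(value)]
    return {
        "suites": suites,
        "cbc": [s["name"] for s in suites if s["mode"] == "CBC"],
        "rc4": [s["name"] for s in suites if s["mode"] == "RC4"],
        "aead": [s["name"] for s in suites if s["mode"] == "AEAD"],
        "no_forward_secrecy": [s["name"] for s in suites if not s["forward_secrecy"]],
    }


def harden_cipher_suite(value, allow_cbc=False, allow_rc4=False, require_fs=True):
    """Rebuild the colon-separated list keeping only suites that pass the policy."""
    kept = []
    for suite in (classify_cipher(n) for n in parse_cipher_list(value)):
        if suite["mode"] == "CBC" and not allow_cbc:
            continue
        if suite["mode"] == "RC4" and not allow_rc4:
            continue
        if require_fs and not suite["forward_secrecy"]:
            continue
        kept.append(suite["name"])
    return ":".join(kept)


if __name__ == "__main__":
    report = audit_cipher_suite(SPLUNK_CIPHER_SUITE)
    for s in report["suites"]:
        print(f"{s['name']:30} mode={s['mode']:4} forward_secrecy={s['forward_secrecy']}")
    print("CBC suites (BEAST-relevant on TLS 1.0):", report["cbc"])
    print("RC4 suites:", report["rc4"])
    print("No forward secrecy:", report["no_forward_secrecy"])
    print("Hardened list (AEAD + forward secrecy only):",
          harden_cipher_suite(SPLUNK_CIPHER_SUITE))
```

Run against the post's list, the audit reports four CBC suites, two RC4 suites and one suite without forward secrecy; the default hardened output keeps only the two ECDHE GCM suites. On the TLS 1.0-only OpenSSL build the post describes, those GCM suites cannot be negotiated, so dropping every CBC suite would leave the web interface with nothing usable; run the strict policy once the TLS 1.2 update the post mentions is in place.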


Mac Shell Script – Crack PGP WDE

While I am working on a Crowbar version for PGP Whole Disk Encryption, I took a few minutes to modify the previous script for PGP virtual disk files to hit WDE drives, in case you need something right away.  Keep in mind you need to determine the drive number with something like df, diskutil, etc.

When running the script you will see output like

Operation failed! (errno = -12000)
cannot recognize user record at index 1536:
reached end of user record list
ERROR, wrong passphrase.
Operation failed! (errno = -12000)
Password found!

Here is the script.  Obviously you will need to change the path to your dictionary and the number after --disk to match the drive you are testing.  If you are clever, the pgpwde command is the same under Windows with PGP installed, so you could build a similar script there.

#!/bin/bash
# Dictionary loop against a PGP WDE drive. Adjust the wordlist path and the
# --disk number to match your setup; lines starting with "#" in the wordlist are skipped.
for word in $(grep -v "#" /Volumes/ExternalDrive/Dictionaries/test.txt)
do
    # Piping the word in makes pgpwde fail fast instead of re-prompting
    echo -n "$word" | pgpwde --auth-disk --passphrase "$word" --disk 0
    if [[ $? = 0 ]]
    then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done

echo "password not found :("
exit 1


Mac Shell Script – Crack PGP Virtual Disk (PGD)

Today I was not up for doing any full program code.  On top of that I recorded an upcoming Typical Mac User show with Victor, answering some listener questions about file encryption.  One of the things we talked about was PGP for Mac.  I got to wondering: what are the odds that they provide a command line option for mounting PGP encrypted disks?  Can I do yet another dictionary attack script?

Here is what I have initially found.  Note we are talking about a PGP virtual disk file set up for passphrase authentication, NOT key authentication.  You must have the commercial Mac PGP Whole Disk Encryption application installed.

There is a pgpdisk --mount command.  So can we toss it in a loop like we did for DMG files?  Why of course we can!  Note that you need to change the dictionary path and file to the one you want, and the same goes for the target .PGD file.  In the example below the PGD file is PGPTest, given with its full path minus the extension.

You will notice when you run this that you see some text about "Error -11998 - buffer too small".  Normally, if the passphrase you enter is wrong, pgpdisk prompts you three more times.  Because we pipe the word in with echo at the front of the line, it errors out instead and skips those extra entry attempts, so the loop keeps going through the dictionary file.

#!/bin/bash
# Dictionary loop against a PGP virtual disk (.pgd) file. Adjust the wordlist
# path and the PGD path (given without the .pgd extension) to match your setup.
for word in $(grep -v "#" /Volumes/ExternalDrive/Dictionaries/test.txt)
do
    # Piping the word in makes pgpdisk error out instead of re-prompting three times
    echo -n "$word" | pgpdisk --mount /Volumes/MyBook/PGPDisks/PGPTest --passphrase "$word"
    if [[ $? = 0 ]]
    then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done

echo "password not found :("
exit 1


Hard Crashing my Macbook Pro

I recently moved over completely to a MacBook Pro at work.  I had a Windows XP desktop with dual monitor support and two external drives hooked up via FireWire.  On top of that I use PGP and had full-disk encrypted both external drives.

Shortly after completely shifting over to my MBP I found it hard crashing.  I mean the hard crash where the laptop screen tells you to use the power button to reboot and recover.  It took some basic troubleshooting, but here is what I found.  I am running OS X Leopard with VMware Fusion, with Windows XP and PGP installed inside the VM.  I had to change the connection of the external drives from FireWire to USB, because VMware cannot pass FireWire devices through to the XP VM; it has to be USB.  I plug in the drives while XP has focus and get the normal prompt for the drive passphrase.  I enter it and everything mounts fine.  It is not until a good 5 minutes or more later, with no specific timing, that the crash occurs.  Every time.  I rebooted, let the drives connect but hit cancel so they never mounted using PGP, and left the MBP running while I went to lunch.  Magic, no crashes.  Lastly I went to decrypt the drives and found that PGP on the Mac side can mount them but says it cannot decrypt them because they were encrypted using PGP for Windows.  So I had to hook them back up to my old desktop and decrypt them there.  Fortunately I had saved uninstalling PGP from the desktop as my last step and had not done it yet.

I have to make some decisions about the type of data on the external drives; maybe I will just encrypt some of it as a PGP disk file instead of using full disk encryption.  Mixing PGP FDE inside VMware is definitely a quick way to crash your Mac repeatedly.  I even posted this on Twitter and got a response back from VMware.  They agree it's an issue, something about hardware, drivers etc.  Of course no solution.  Likely that is something for PGP to work out.


SSH Screencast Series

Well, a nice long but fun screencast series is all in the can.  You can find the first episode of eight over at typicalmacuser.com.  I spent a good bit of time doing the recording, and thanks to Victor for the editing and post-production.  By the time the series is over you will know pretty much everything I know about SSH, at least all the juicy functional parts.  It is done for a target audience of Mac users, so it is all about setting SSH up and tunneling all sorts of traffic through it to protect yourself on public wifi hotspots or other risky public networks.


Loss of Laptops – Negligence on whose part?

I am completely disgusted by a local event here in Tennessee. Two laptops were stolen from the Davidson County Election Commission over the Christmas holiday. They likely held 337,000 identities including the SSN, name and address of registered voters. You can read about it in the Tennessean article.

1. Why on earth was there no alarm on a building associated with election records? A rock through a window and two laptops vanish?!?

2. Why on earth were two laptops with such data left outside a safe? Surely such backup units are regularly stored in a secure location.

3. Why on earth were they not equipped with encryption?

So who is to blame? The user/custodian of the laptops? The physical security contractor? The IT department?

It comes down to what policies are in place. After all, IT in government and business alike can only do so much if management is not forced to provide the funds and resources to meet the policy. If no policy existed, I recommend the council members consider resigning themselves. If the policy was in place, fire the IT head and the physical security head, and terminate the contract of the physical security vendor. That should send a message of accountability. It should not be a surprise to these people that information which is required to achieve the electoral mission would be at risk without proper measures.


Disk Utility – Sparse Image

For those who prefer the GUI Disk Utility on a Mac, do the following to create the same 5GB sparse image file.

  1. Start up Disk Utility from the Applications->Utilities folder
  2. Click the drive to highlight where you want to create the image file.
  3. On the menu, click File – New – Blank Disc Image
  4. Change the dialog options to match the below image.  Give it a file name like backup and click create.

[Image: New Blank Image dialog]


Disc Image – Why not to use a plain Dictionary Word

In the process of playing with backing up to disk images, I wanted to play around with how to automate the password entry. I may get into why in a future post. Whatever you do, do not use a plain dictionary word to secure your images. Here is why. I based it on the scripts I found at: http://ask.metafilter.com/47171/How-to-crack-a-disk-image

Modified and tested. It worked like a champ when I added my chosen password to a dictionary text file of words. In the example below I used a path to where I keep a large collection of dictionary files used for password cracking in forensics etc. This is not the fastest thing in the world, but it works if the chosen password shows up in the word lists you throw at the image.

#!/bin/bash
# Dictionary loop against an encrypted sparse image. Adjust the wordlist path
# and the image path to match your setup; lines starting with "#" are skipped.
for word in $(grep -v "#" /Volumes/ExternalDrive/Dictionaries/test.txt)
do
    # -stdinpass makes hdiutil read the passphrase from stdin rather than prompting
    echo -n "$word" | hdiutil attach /Volumes/iPod/Backup/Backup.sparseimage -stdinpass
    if [[ $? = 0 ]]
    then
        echo "Password found!"
        echo "$word"
        exit 0
    fi
done

echo "password not found :("
exit 1
