Archive

Archive for February, 2015

Current Security Nightmares

February 10, 2015 Leave a comment

What’s going on out there in the networks in the last couple of days? We had a strange hack into a US health insurance provider exposing tens of millions of SSNs and addresses, a temporary shutdown of a online tax service due to identity theft fraud, a database security issue that came up just by accident using a search engine and finally today there was high level politician dumping emails containing personal information of residents of a US state.

Diving just in two of those security issues with some more detail:

The database issue I mentioned does affect MongoDB, a popular NoSQL database system. Three students just ran over round about 40.000 open MongoDB databases, containing sensitive information up to credit card information, names and email addresses. Anyone might wonder how that could have happen: by just using default configuration values without checking them.

noauth
    Default: true
    Disable authentication. Currently the default. Exists for future compatibility and clarity.
    For consistency use the auth option.

So it’s default to disable authentication? For future compatibility? Seriously? Wait… let’s check the auth option for consistency reasons…

auth
    Default: false
    Set to true to enable database authentication for users connecting from remote hosts. Configure users via the mongo shell. If no users exist, the localhost interface will continue to have access to the database until you create the first user.

Yeah… great… Authentication is disabled by default… Pretty consistent…

Source for both: Configuration File Option – MongoDB Manual 2.2.7

Whoever did that decision, I won’t be in his position right now. We’ll see how long it might take until both options are flipped with their default configuration. The conclusion should be: the more you trust a product, the more you should focus on the default configuration before going into production. Spending too much trust in a vendor / community just because you’re a “fan” of the tool will put you at risk if you loose the insight on the configuration options.

The second issue I’d like to dive into is a US politician and potential presidential candidate just dumping emails containing sensitive data of Florida state residents. He just approached to shed some transparency into his work by posting emails he exchanged with residents of the state of Florida. Unfortunately he and his team did not redact the emails before. So he just dumped emails containing SSNs, clear text names and even emails with the following text add-on:

Confidential communications intended for indicated recipient only

Just keeping in mind that this guy might be a future president of the United States of America, trying to rule the world I’m getting worried and afraid. Guys like him are deciding on rules affecting hundreds of million of people without having the touch of a sense in how to deal with their residents data. Is that the future we’re moving into? I don’t hope so. It should be mandatory for politicians to have a brief understanding of privacy, data security, encryption and the way how to deal with sensitive information. I’m really upset right now…

Categories: Privacy, Security

Microsoft going to deprecate IDMU-features in Windows Server

February 5, 2015 Leave a comment

With this blog post, Microsoft is announcing to deprecate the Identity Management for Unix features in Windows Server, starting with Windows Server 2012 R2. Affected features are:

  • the UNIX attributes tab in the User and Computers (dsa.msc)
  • NIS (Network Information Service)
  • RSAT (Remote Server Administration Tools)
  • In the comments of the blog post, a member of the Active Directory Documentation Team made clarification that the Active Directory schema will not be touched. So extensions in place will stay as well as the data stored in these attributes.

    Microsoft made the decision to deprecate their features and to recommend using alternative tools for managing Unix attributes and features using Windows Server.
Categories: IDM, Tools

Installing and Configuring ForgeRock OpenDJ on Windows

February 4, 2015 3 comments

Unfortunately I’m currently out of business while being home sick. But this gives me the chance to get hands-on on some tools I have on my list to discover them during this year. The first of them is the OpenDJ LDAP Server of ForgeRock.

I’ve used the nightly build of OpenDJ 2.7 and ran through the MSI installation wizard first.

01

02

For the initial shot I’ve used the default installation directory.

03

04

The installation is done pretty quick. What I’m missing here is to start the configuration wizard directly out of the installation wizard. @ForgeRock: Maybe this might be a good add-on to future releases of OpenDJ.

To start the graphic installation you’ve to execute the setup.bat file located in the installation directory without any additional command line parameter.

05

This I the upcoming configuration wizard.

06

The first configuration screen comes up with the FQDN of the server we’re currently running on, asking for the LDAP Listener Port (default 389, my configuration will be 1028 as there are other LDAP servers already running on my current machine). I’ve left the administration port at 4444 as I’ve no service bound on this port yet.

For testing purposes I’ve not configured LDAP secure access yet, I’ll add that in a later blog post.

Last step on this configuration screen is to define the root user DN and password for the administration account.

07

The next screen is to configure replication if needed. I’m planning to set up a Linux server in parallel hosting a OpenDJ LDAP Server as well and to have it replicating with my current server. So I’ve left the default replication port, configured it as secure but left the replication information empty as this is my first OpenDJ LDAP Server so far.

08

Next configuration step is the definition of the Directory Base DN. I’ve chosen

dc=corpdir,dc=local

for this initial shot (you might see different DNs in later blog posts).

There are some options to load data initially using a LDIF file or to import sample data for testing purposes as well. I’ve decided to just create the base entry so far and to set up the remaining LDAP structure later on.

09

The next screen is to define specific Java runtime options. I’ve used default here.

10

The next screen allows to review all settings before finishing the installation.

11

The configuration wizard is now taking care of creating my LDAP instance as I’ve configured it in the screens before.

In the end we do have a running instance of the ForgeRock OpenDJ LDAP Server. Pretty simple, isn’t it?

Categories: ForgeRock, IDM, LDAP, Open Source, Tools

Troubleshooting SAP .Net Connector issues

February 2, 2015 Leave a comment

While working with the SAP .Net Connector in a demo environment I was struggeling with the following error message being posted by my SAP connectivity component:

The type initializer for 'SAP.Middleware.Connector.RfcConfigParameters' threw 
an exception.

Checking the application eventlog I found the following error message:

Activation context generation failed for "C:\Program Files (x86)\Quest Software\Quest One Identity Manager\sapnco_utils.dll". Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",

publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053" could not be found. Please use sxstrace.exe for detailed diagnosis.

This came with the Event-ID 33 of source SideBySide.

This error message indicates that the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update is missing. The update is available here:Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update

More details on the Security Update is available here: Description of the security update for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package: July 28, 2009

Categories: Programming