SANS Internet Storm Center

Update for RSA Authentication Manager

Published: 2011-06-30,
Last Updated: 2011-06-30 15:01:00 UTC
by Rob VandenBrink (Version: 1)

RSA posted SP4 Patch 4 of their Authentication Manager product today. There are a few pages of fixes in the README, but the most significant is that Authentication Manager can now be installed on Windows Server 2008 (both 32- and 64-bit).

This is significant: until now, Windows Server 2003 was the most recent Windows version supported, which has been a growing source of frustration for RSA shops.

Long story short, I've installed it in a production environment on Server 2008, and it works exactly as you'd expect. Good on them for catching up!

PS: The native AD integration (via LDAP) also works quite nicely; this is recent, but not new in this release.

===============
Rob VandenBrink
Metafore

Keywords: rsa Windows Server 2008

WordPress 3.1.4 Security Update - wordpress.org/news/2011/06/wordpress-3-1-4/

Symantec Report - Spam Surge against Social Networks

Published: 2011-06-30,
Last Updated: 2011-06-30 00:57:17 UTC
by Guy Bruneau (Version: 1)

Symantec published a report today showing that attacks via social networks (Facebook, Twitter and YouTube) grew in popularity between April and June 2011 as a channel for distributing spam, malware and phishing.

Other statistics of interest: most of the spam was launched from botnets, 57% of it originated from the United States, and another 19% originated from various European countries.

Of course, Symantec reminds its readership that "Needless to say, none of these social network sites are behind these spam attacks. Social networks are employing a variety of techniques to protect users from such attacks and fraudulent activities involving user accounts." [1]


[1] www.symantec.com/connect/blogs/social-network-attacks-surge

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Community SANS SEC 503 coming to Ottawa Sep 2011

Keywords: Facebook Spam Twitter YouTube

Random SSL Tips and Tricks

Published: 2011-06-29,
Last Updated: 2011-06-29 18:24:05 UTC
by Johannes Ullrich (Version: 1)

SSL or TLS is *the* security protocol for encrypting HTTP traffic in particular. We all know it, love it, and then ignore the various pop-ups telling us in ever so cryptic ways that someone is playing a man-in-the-middle attack on us.

I don't want to go over the basics here, but just talk about various tricks and issues that I see sometimes left out.

What about different certificate "Classes"?

SSL plays two important roles: it encrypts traffic AND it verifies that you are connected to the correct server. Your browser knows that it is connected to the correct server because the server presents a certificate that includes its host name, among other information, and is signed by a trusted certificate authority.

Certificate authorities vary in how they validate the information in the certificate, and what information is actually validated:

Domain: This is the simplest (and cheapest) type of certificate. All it verifies is the host name. Usually, you can get these certificates in a few minutes as long as your e-mail address is listed in the domain's whois record. For example, if you own the domain name "bigbank.com", you can get a certificate for it, no matter if you are affiliated with a company called "bigbank" or not.

Organization: This is the next class of certificates, sometimes called "Class 2" certificates. In this case, the certificate authority verifies that you are associated with the organization that owns the domain name. You typically need to fax in a copy of a photo ID, a business license or other paperwork. Now, the name of the business is validated by the certificate as well.

EV (Extended Validation) Certificates: This type of certificate is the most expensive to get, and requires additional paperwork and validation. The goal is to better validate the business name the certificate is used for. As a "reward", many browsers will display the business name, not just the host name, as part of the URL bar. Banks frequently use this type of certificate.

I need a certificate that covers multiple host names

No problem. You have two options:

Wildcard certificates are issued for a domain, and they work for all host names in that particular domain (e.g. *.example.com).

Multiple Domain Name Certificates can list various host names from different domains. For example, we use one for isc.sans.edu that covers some of the old host names we used, like incidents.org and isc.sans.org.
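The following is an added example (not code from the diary) showing how a browser decides whether a wildcard or multi-name certificate covers the host it is connecting to; the caveat it makes visible is that *.example.com matches exactly one label, so neither example.com itself nor a.b.example.com is covered. The host-name list is passed in directly, standing in for the certificate's subjectAltName entries.

```python
def cert_name_matches(presented: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a host name.

    Rules browsers apply (RFC 6125 style): case-insensitive comparison, and a
    wildcard is only honoured as the whole leftmost label, matching exactly one
    label, so *.example.com covers www.example.com but not example.com itself
    nor a.b.example.com. Wildcards one label from the top (*.com) are refused."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels, h_labels = presented.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in hostname or "" in h_labels:
        return False                          # partial, too broad, or bogus input
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any SAN/CN entry in a certificate covers the host name.

    cert_names would normally be read out of the certificate's subjectAltName
    extension; here it is passed in as a plain list (assumption of this example)."""
    return any(cert_name_matches(name, hostname) for name in cert_names)
```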

I am using NameVirtualHosting (1 IP = Multiple Hostnames)

Now this is a tricky issue. If you use SSL, the entire HTTP stream, including headers, is encrypted. In order to figure out which key to use to decrypt it, the server needs to know the host name, which is encrypted... a classic catch-22. As a result, you cannot use multiple SSL certificates on the same IP address unless each server listens on a different port. However, modern browsers have a solution referred to as "SNI" (Server Name Indication, see RFC 4366). With Server Name Indication, the host name is sent in the clear as part of the client establishing the SSL connection (the SSL Client Hello message). Now the server knows what host name you are trying to connect to, and can use the right key.

Sadly, Windows XP DOES NOT support this extension to SSL, which limits its usefulness at this point. But it is a great option for small sites with limited user groups that don't use Windows XP. Internet Explorer 6 doesn't support it either, but I hope you aren't using that ;-)

In order to support SNI, you also need a recent version of OpenSSL and Apache on the server. In cases where I can't update OpenSSL and Apache, I have had good luck using nginx as a proxy (it supports SNI). Microsoft IIS did not support SNI, last time I checked.

HTTP Strict Transport Security

This is a new feature, introduced in Firefox 4. Other browsers are starting to pick it up as well. The feature is intended to tell a browser to only use HTTPS, not HTTP, to connect to a particular host. It protects against attacks that try to redirect the user to an HTTP version of the site. All you have to do is add an HSTS header to your server response:

Strict-Transport-Security: max-age=100 ; includeSubDomains

The "max-age" will tell the browser for how many seconds it should remember this setting. The optional "includeSubDomains" parameter will extend this preference to any subdomains.

A couple of links related to SSL:

https://www.ssllabs.com/ - great site to check if SSL is configured correctly (make sure to check the "Do not show the results on the boards" checkbox)
hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-force-https/ - details about HSTS
www.ietf.org/rfc/rfc4366.txt - RFC for SNI

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: http http strict transport security sni ssl