Have you ever been trying to get commercial smart card solution available on the marked to work with more than just one operating system? Then you might be familiar with that it’s not a walk in the park to get it to work. During my evaluation of both hardware and software I quickly noticed that trying to mix hardware and software from different vendors wasn’t that great idea and didn’t work out that well – So much for standards.

Having used OpenPGP for quite some time and earlier PGP (OpenPGP derives from PGP, first created by Phil Zimmermann) on various operating systems I’ve quite often been looking into the possibility of using some kind of token to keep my encryption and ssh keys safe and a simple USB-memory isn’t an option. Problem is that it hasn’t been that easy earlier and as well it also depends on what kind of token you chose. From that start I’ve been looking at using smart card solution and while evaluating different smart card readers it clearly looks like that USB CCID (Chip/Smart Card Interface Devices) based dongle reader seems to be the best and actually the easiest solution when having several operating systems in mind (drivers are available for two of the operating system that I use; Windows and Linux).

When starting to look into this topic I gave it a try with GemPlus PC400 smart card reader which works fine under Windows and Linux, but unfortunately missing drivers for OS2 which is another operating system I still use. Linux drivers for the GemPlus PC400 smart card reader can be found at LinuxNet and there is an active software bounty available at OS2 World for those who wants to continue on that track.

There are various smart card implementations available and one of the widely available solution for at least Windows and Linux system is U.S. Department of Defense CIC, Common Access Card which is a Java Card OpenPlatform card with GSC-IS (Government Smart Card Interoperability Specification) applets which is primarily used to access email with varying levels of support for the mentioned operating systems. There are various manufacturers that sells this kind of smart card. For larger corporation or due to customer demand the DoD CIC smart card might be the track to continue on when selection standard to build ones solution around.

In my case since I wanted to use GnuPG I’ve choosen to use the OpenPGP Card based on the ISO 7816-4,-8 specification for smart cards.

Features of this card are:

• 3 independent 1024 bit RSA keys (signing,encryption,authentication).
• Key generation on card or import of existing keys.
• Signature counter.
• Data object to store an URL to access the full OpenPGP public key.
• Data objects for card holder name etc.
• Data object for login specific data.
• Length of PIN between 6 and 254 characters; not restricted to numbers.
• T=1 protocol; compatible with most readers.
• 40mm * 10mm sized writable field on the front matter.
• Specification freely available and usable without any constraints.

There shouldn’t be any problem to use DoD CIC smart cards; but I haven’t had the possibility to verify this myself and how well this card works together with GnuPG and OpenPGP. But, it’s my understanding that it works as supposed.

The GnuPG client and plug-in used for the mentioned systems supports PKCS#11 and by this it’s possible to get everything, with some tweaking, to work all together with a single smart card with a RSA-key for signing and ssh key handling. Getting it to work with Thunderbird and Enigmail is really easy and works more or less out of the box.

So by looking at open source utilities I’ve achieved my goal to get a working solution for secure handling of my encryption keys for at least two out of three operating system that I use.

Kim Haverblad

Bookmark to:

Couple of month ago and after getting totally sick of all the spam in my mailboxes, so I changed the configuration and installed greylisting support on the mail server. So how does greylisting work? What happen is that each time a given mailbox receives an email from an unknown contact (ip), that mail is rejected with a ”try again later”-message. This, in the short run, means that all mail gets delayed at least until the sender tries again – but this is where spam loses out! Most spam is not sent out using RFC compliant MTAs; the spamming software will not try again later. That did the trick for while… but now during the last couple of weeks I have noticed that MSN Hotmail accounts are being used as sender and by that avoiding getting blocked by the greylisting – highly annoying! Then again, it’s was just matter of time before this would happened.

Question remains if Microsoft is sleeping or what – since these activities can’t really pass by without any notice by MSN. They should now have quite a few high volume users that send quite a few e-mails. Sending abuse reports to Microsoft seems to work (slowly) even if I don’t get any feedback from them; then again I guess that I’m not the only one with this problem. Having an anti-spam policy isn’t enough and doesn’t do the trick of blocking spam. Microsoft has also admitted that up to 98 percent of messages sent to Hotmail addresses are spam. Question is if not 98 percent of messages sent from Hotmail addresses are spam as well.

According to Sarah Lefko, MSN product manager, MSN has been very aggressive and proactive in protecting MSN Hotmail users from spam and together with SenderID blocking 20 millions e-mails per day. Problem is that it just doesn’t work.

What would the solution be then? Well, I’m really tempted to block Hotmail and don’t accept any e-mails from hotmail.com domain. Then again, it’s just really a bad work around of the problem. Also, how can it be that Google’s Gmail account isn’t abused? So far I haven’t received a single spam from gmail account….. yet.

Kim Haverblad

Bookmark to:

As a frequent flyer within Europe one takes notice of the increased and changed security activities due to the unprecedented events of 11 September 2001. Although there has been an increase in the level of security at many airports, the question is still if all airports have made the proper changes.

Let’s take Sweden’s largest airport, Arlanda, Stockholm, as an example and compare it with for example Heathrow Airport, London, UK. The fist thing that one notice at Heathrow is that you are informed that it can take up to 30 minutes to pass through the security controls. At Arlanda the LFV Group Swedish Airports and Air Navigation Services has in their contract with G4S (former Falck Security) stated that the maximum time to pass through the security area should be 5 minutes.

I have often passed through Heathrow airport with my notebook during the last 10 years and I have been numerous times been asked to turn on the notebook so that the security personnel could verify that it’s working system I’m carrying around and not a dummy. At Arlanda the only ask you to open up the notebook so that they can check that there is a keyboard (or what ever they’re looking for), but nothing about turning on the system to see if it actually works. Actually I’ve never been asked to turn on the notebook at a Swedish airport at all.

Shoes and belts that usually have some kind of metal and of course usually trigger the metal detectors have to be removed and x-rayed at Heathrow. At Arlanda you might be asked to unbuckle the belt to check that you’re not hiding anything, but that is more an exception than a rule.

During 2005 there were a number of incidents at Arlanda where both knifes and bomb bags, IED (Improvised Explosive Device), where missed out in the security controls; controls made by LFV Group. Both LFV Group and G4S got loads of unwanted media cover due to that both organisations was proven not to take the security activities seriously enough. An anonymous employee with G4S Security also went out in the Swedish press and informed that they during one day made 20 random securities check of hand luggage but in their internal reports wrote that performed 130 security checks just to fulfil the contract with LFV Group. Other anonymous G4S employees has reported that they have been informed an hour before when security checks would be performed by LFV Group.

Either has LFV Group and G4S not learned anything from earlier negative media coverage or it’s just that they have tighten up the information that could leak out to the media really hard. Since when travelling via any of the Swedish airports the security checks sometimes feels a bit random. So far Sweden haven’t had any major incidents. But, there is clearly a need for improvements at the Swedish airports.

Kim Haverblad

Bookmark to:

Well, it’s time to update your WordPress installation to the latest release (2.3.1) if you haven’t done so yet. Janek Vind has posted a less critical cross-site scripting vulnerability that applies to version <2.3.0.

Input passed to the ”posts_columns” parameter in wp-admin/edit-post-rows.php is not properly sanitised before being returned to the user. So this can be exploited to execute arbitrary HTML and script code in a user’s browser session in context.

Janek Vind’s original advisory can be found here and the latest version of WordPress can be found here.

If you want to speed up the upgrade of WordPress I also suggest that you take a look at WordPress Automatic Upgrade that takes care of the upgrade for you. WordPress Automatic Upgrade allows a user to automatically upgrade the wordpress installation to the latest one provided by wordpress.org using the 5 steps provided in the wordpress upgrade instructions.

Kim Haverblad

Bookmark to:

The Swedish tax authorities (IRS), Skatteverket, has lately started to look into home pages that they think generate revenue via banner income and now wants to force Swedish ISP:s to release their customers records.

Swedish ISP Bahnhof is one of several companies that received a request from Swedish IRS to release customer records between 2004-2006 and have specific been asked to release following:

• Name
• Address
• Personal code (identity) number
• Date for check-in
• Date for check-out
• Total billing amount
• Server type and IPs
• List of domains hosted
• Host configuration files

To be mentioned is that Swedish IRS is not asking for specific customers records that they believe have participated in any kind of criminal act – they are asking to get what ever they can get and then poke around until they stumble over something of interest.

Bahnhof:s CEO Jon Karlung says in an interview that they have no reason of releasing such information due to that it would be against the Swedish law (the law about electronic communication). Even if they will be fined 80 000 USD for not comply with the request made by the IRS. Jon Karlung also says that they don’t oppose to release specific information about customers if the IRS (or any other authorities for that matter) can show suspicion about ongoing criminal activities. This is not the case here since the IRS want to harvest ISP customer records for what they define as suspicious economical activities.

Swedish IRS spokesperson, Dag Hardyson, is confident that Bahnhof will release the requested information even if this case has to go to county administrative court and says that he has full confidence in the injunction made towards Bahnhof and that the injunction itself is according to the Swedish laws and don’t want to make any comments to Bahnhof:s legal interpretation and says that he has full confidence with their legal department interpretation and recommendations.

All in all it seems that our privacy is more and more compromised on a national and EC level and in the name of fighting terrorist and criminal activities. Don’t get me wrong here; I fully agree that we should fight activities that threaten our community. But it seems that all laws that wouldn’t be passed 10 years ago due to privacy intrusion gets fast tracked and passed.

To wrap it all up, the problem is also that we have two different laws that collide with each other and by that there is a deadlock regarding this entire story until it has been seattled in court. So I’m looking forward to see what happens next.

Kim Haverblad

Bookmark to: