<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Lab Notes</title>
    <link rel="alternate" type="text/html" href="http://blog.periodiklabs.com/" />
    
    <id>tag:blog.periodiklabs.com,2009-05-02://1</id>
    <updated>2009-05-02T19:19:12Z</updated>
    
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.25</generator>

<link rel="self" href="http://feeds.feedburner.com/periodiklabs/labnotes" type="application/atom+xml" /><entry>
    <title>Elektron 2.0.2118</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/8GIJikjJrlI/elektron-202118.html" />
    <id>tag:blog.periodiklabs.com,2009://1.337</id>

    <published>2009-02-03T05:39:08Z</published>
    <updated>2009-05-02T19:19:12Z</updated>

    <summary>Today we posted Elektron 2.0.2118 for both Windows and Mac OS X. This is a bug fix release, adding the following fixes: Fixed a small memory leak when using ODBC for authentication Fixed a bug formatting Elektron account usernames in...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        Today we posted &lt;a href="http://www.periodiklabs.com/support/start"&gt;Elektron 2.0.2118 for both Windows and Mac OS X&lt;/a&gt;. This is a bug fix release with the following fixes:

&lt;ul&gt;
&lt;li&gt;Fixed a small memory leak when using ODBC for authentication&lt;/li&gt;
&lt;li&gt;Fixed a bug formatting Elektron account usernames in Elektron Settings&lt;/li&gt;
&lt;li&gt;Fixed a bug that prevented PEAP users from successfully authenticating against an upstream RADIUS server&lt;/li&gt;
&lt;li&gt;Fixed a bug that prevented MAC address authentication with certain Netgear devices&lt;/li&gt;
&lt;li&gt;Changed the message logged when an invalid Message-Authenticator is received&lt;/li&gt;
&lt;li&gt;Fixed a bug that resulted in Directory Services authentication failing for users who are members of many groups&lt;/li&gt;
&lt;li&gt;Fixed a bug that resulted in a spurious EAP-FAST PAC logging message&lt;/li&gt;
&lt;li&gt;Fixed a bug that prevented EAP-FAST from successfully authenticating MS-CHAPv2 users over non-anonymous connections&lt;/li&gt;
&lt;li&gt;Fixed a bug that could cause a crash on Windows when running with Delay Access-Reject (an option that is disabled by default)&lt;/li&gt;
&lt;li&gt;Fixed a bug in the Elektron Settings application that would cause username triggers to appear incorrect after reordering policies&lt;/li&gt;
&lt;/ul&gt;

If you have enabled the "Delay Sending Access-Reject Messages" option (see Elektron Settings-&gt;Authentication Settings) on a Windows server, this is a necessary upgrade. If you are using EAP-FAST or using Elektron as a front end to another RADIUS server, this is a recommended upgrade. As always, please &lt;a href="http://www.periodiklabs.com/support/start"&gt;let us know&lt;/a&gt; if you have any trouble or questions.
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2009/02/elektron-202118.html</feedburner:origLink></entry>

<entry>
    <title>Creating a Rogue CA Certificate</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/FZwJsL5y4GI/creating-a-rogue-ca-certificat.html" />
    <id>tag:blog.periodiklabs.com,2008://1.336</id>

    <published>2008-12-31T05:56:30Z</published>
    <updated>2009-05-02T19:19:12Z</updated>

    <summary>At the Chaos Communication Congress today, researchers presented a paper describing their technique for forging certificates to appear as if they were signed by a trusted certificate authority. How they did it, in a nutshell: Obtain a legitimate certificate from...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;p&gt;At the Chaos Communication Congress today, researchers presented &lt;a href="http://www.win.tue.nl/hashclash/rogue-ca/"&gt;a paper describing their technique for forging certificates&lt;/a&gt; to appear as if they were signed by a trusted certificate authority. How they did it, in a nutshell:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Obtain a legitimate certificate from a certificate authority that uses MD5 in its signatures.&lt;/li&gt;

&lt;li&gt;Generate a fake certificate for the rogue web site, adding an extension that contains a precisely calculated string of bytes so that the MD5 digest of the fake certificate matches the MD5 digest of the legitimate certificate from step 1 (this step took the researchers about 18 hours using an array of 200 Playstation 3 systems, whose Cell processor is especially adept at performing the kinds of computations necessary).&lt;/li&gt;

&lt;li&gt;Copy the signature from the legitimate certificate to the fake certificate.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The upshot is that any certificate signed by an authority using MD5 is suspect. RapidSSL accounted for nearly all of the certificates that the researchers identified in their sampling, but Thawte and several others were also singled out. Beware of any web site that uses one of these certificates; even if your browser says that the certificate is valid, it may not be. (n.b., not all Thawte certificates are vulnerable; &lt;a href="https://www.periodiklabs.com/"&gt;our own web site&lt;/a&gt; uses a Thawte certificate that was issued with a SHA-1 signature).&lt;/p&gt;

&lt;p&gt;This presentation comes on the heels of &lt;a href="http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/e2755401a7dec203#"&gt;last week's revelation that a certificate vendor has been issuing certificates with no verification&lt;/a&gt;. In that case, a user was able to get a certificate issued in the name of "www.mozilla.org" despite not having any affiliation with Mozilla.&lt;/p&gt;

&lt;p&gt;And to bring this all back around to &lt;a href="http://www.periodiklabs.com/elektron"&gt;Elektron&lt;/a&gt;, I'll note that Elektron has always signed its certificates using SHA-1.&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2008/12/creating-a-rogue-ca-certificat.html</feedburner:origLink></entry>

<entry>
    <title>Major Privilege Escalation Bug in Mac OS X 10.4 and 10.5</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/MdzZOwg-FVM/major-privilege-escalation-bug.html" />
    <id>tag:blog.periodiklabs.com,2008://1.335</id>

    <published>2008-06-19T18:04:14Z</published>
    <updated>2009-05-02T19:19:12Z</updated>

    <summary>In case you haven't seen it, any user with an account (admin or not) on Tiger or Leopard can run any command as root. Contrary to some published reports, physical access to the machine is not required; commands can be...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        In case you haven't seen it, &lt;a href="http://it.slashdot.org/article.pl?sid=08/06/18/1919224"&gt;any user with an account (admin or not) on Tiger or Leopard can run any command as root&lt;/a&gt;. Contrary to some published reports, physical access to the machine is not required; commands can be executed over an SSH or ARD/VNC connection as well.
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2008/06/major-privilege-escalation-bug.html</feedburner:origLink></entry>

<entry>
    <title>Overheard at the WWDC Keynote</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/OAebpRRPmiY/overheard-at-the-wwdc-keynote.html" />
    <id>tag:blog.periodiklabs.com,2008://1.334</id>

    <published>2008-06-10T02:30:14Z</published>
    <updated>2009-05-02T19:19:12Z</updated>

    <summary><![CDATA["That's not a feature, that's a bug!" &mdash; An attendee's reaction to Steve Jobs' announcement that Microsoft Exchange support is the one new feature in Snow Leopard...]]></summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;blockquote&gt;"That's not a feature, that's a bug!"&lt;/blockquote&gt;

&amp;mdash; An attendee's reaction to Steve Jobs' announcement that Microsoft Exchange support is the one new feature in Snow Leopard
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2008/06/overheard-at-the-wwdc-keynote.html</feedburner:origLink></entry>

<entry>
    <title>iPhone 2.0 to Include 802.1X</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/8Hj5E7TpkEQ/iphone-20-to-include-8021x.html" />
    <id>tag:blog.periodiklabs.com,2008://1.333</id>

    <published>2008-03-06T19:53:58Z</published>
    <updated>2009-05-02T19:19:12Z</updated>

    <summary>One of the nicer (for us, at least) announcements to come out of the iPhone presentation this morning is that the next generation of iPhone software will include an 802.1X supplicant, so it will work with Elektron. Apple is currently...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        One of the nicer (for us, at least) announcements to come out of the iPhone presentation this morning is that the next generation of iPhone software will include an 802.1X supplicant, so it will work with &lt;a href="http://www.periodiklabs.com/elektron"&gt;Elektron&lt;/a&gt;. Apple is currently &lt;a href="http://www.apple.com/iphone/enterprise/"&gt;taking applications for their beta program&lt;/a&gt;. Every single person here has an iPhone, so we had to create a second Wi-Fi network with WPA Personal security enabled to work around the lack of a supplicant.
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2008/03/iphone-20-to-include-8021x.html</feedburner:origLink></entry>

<entry>
    <title>Time Capsule</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/QQ0amFOXs6Q/time-capsule.html" />
    <id>tag:blog.periodiklabs.com,2008://1.332</id>

    <published>2008-01-15T18:39:22Z</published>
    <updated>2009-05-02T19:19:12Z</updated>

    <summary>It's an AirPort Extreme with a 500GB or 1TB drive specifically targeting Time Machine backups. At $499, it's very aggressively priced; comparable to low end NAS units that don't include access point functions. I wonder what "server grade hard drive"...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;a href="http://www.apple.com/timecapsule/"&gt;It's an AirPort Extreme with a 500GB or 1TB drive&lt;/a&gt; specifically targeting Time Machine backups. At $499, it's very aggressively priced; comparable to low end NAS units that don't include access point functions. I wonder what "server grade hard drive" means &amp;mdash; I suspect that just means it's not a 2.5" ATA drive (which has been the knock on using the Mac Mini as a server).

Here at the Labs, Mac users get an external Firewire drive and a copy of &lt;a href="http://www.shirt-pocket.com/SuperDuper/SuperDuperDescription.html"&gt;SuperDuper!&lt;/a&gt; for backups. I don't think we'll be replacing that low-tech-but-bulletproof setup anytime soon, but Time Capsule looks really nice for a home setup, particularly in a household with multiple Mac users.
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2008/01/time-capsule.html</feedburner:origLink></entry>

<entry>
    <title>New Xserves</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/BfvZZee94dc/new-xserves.html" />
    <id>tag:blog.periodiklabs.com,2008://1.331</id>

    <published>2008-01-08T19:26:05Z</published>
    <updated>2009-05-02T19:19:11Z</updated>

    <summary>Looking good. Available with four or eight cores, and memory is now expandable to 32 GB. The base models are price competitive with similarly equipped Sun and Dell machines. Plus, they're available with zippy SAS drives. For us IT geeks,...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;a href="http://www.apple.com/xserve/"&gt;Looking good&lt;/a&gt;. Available with four or eight cores, and memory is now expandable to 32 GB. The base models are price competitive with similarly equipped Sun and Dell machines. Plus, they're available with zippy SAS drives. For us IT geeks, this was a bigger announcement than the speculative ultraportable at MacWorld next week.
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2008/01/new-xserves.html</feedburner:origLink></entry>

<entry>
    <title>Mac OS X 10.5.1</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/fY0fHP6hnOw/mac-os-x-1051.html" />
    <id>tag:blog.periodiklabs.com,2007://1.330</id>

    <published>2007-11-15T20:24:01Z</published>
    <updated>2009-05-02T19:19:11Z</updated>

    <summary>Among the fixes is "Resolves an issue with saved passwords for wireless networks." That one has been bugging me since installing Leopard. Available now via Software Update. The release notes also include this chestnut: In Security preferences' Firewall tab, the...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;p&gt;Among the fixes is "Resolves an issue with saved passwords for wireless networks." That one has been bugging me since installing Leopard. Available now via Software Update.&lt;/p&gt;

&lt;p&gt;The release notes also include this chestnut:&lt;/p&gt;

&lt;blockquote&gt;In Security preferences' Firewall tab, the "Block All" option is now called "Allow Only essential services"&lt;/blockquote&gt;

&lt;p&gt;So "block all" apparently didn't mean "block all."&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2007/11/mac-os-x-1051.html</feedburner:origLink></entry>

<entry>
    <title>Elektron and Leopard</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/hxDb8y9GR5c/elektron-and-leopard.html" />
    <id>tag:blog.periodiklabs.com,2007://1.329</id>

    <published>2007-10-27T21:43:21Z</published>
    <updated>2009-05-02T19:19:11Z</updated>

    <summary>The lab rats have been busy this weekend making sure that Elektron is fully compatible with the final release of Leopard. It only took a couple of minor tweaks, and a new release is now available! You'll only need this...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;p&gt;The lab rats have been busy this weekend making sure that Elektron is fully compatible with the final release of Leopard. It only took a couple of minor tweaks, and &lt;a href="http://www.periodiklabs.com/support/download/mac"&gt;a new release is now available&lt;/a&gt;! You'll only need this release if you're planning on running Elektron on Leopard; if you are keeping your server on Panther or Tiger (or Windows, for that matter) your existing Elektron installation will continue to authenticate Leopard users just fine.&lt;/p&gt;

&lt;p&gt;The biggest Leopard Wi-Fi news is the disappearance of Internet Connect. All Wi-Fi configuration now occurs in the Network preference pane inside System Preferences:&lt;/p&gt;

&lt;center&gt;&lt;img src="http://www.periodiklabs.com/images/leopardnetwork.png" height="322" width="401" alt="Leopard Network Preferences" /&gt;&lt;/center&gt;

&lt;p&gt;One handy new feature is the ability to store 802.1X configurations on a per-user, per-system, or Login Window basis. The per-user configuration is basically how Tiger works; per-system allows you to create a single configuration for all users on the system (that is, the 802.1X login identifies the machine rather than an individual user), and the Login Window configuration allows the user to specify a username and password at login time to connect to the network &lt;i&gt;before&lt;/i&gt; logging in. This final configuration is important for users without local accounts.&lt;/p&gt;

&lt;p&gt;All in all, a very nice release.&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2007/10/elektron-and-leopard.html</feedburner:origLink></entry>

<entry>
    <title>Elektron 2.0.1755</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/aH33KqgG-0A/elektron-201755.html" />
    <id>tag:blog.periodiklabs.com,2007://1.328</id>

    <published>2007-09-04T19:12:33Z</published>
    <updated>2009-05-02T19:19:11Z</updated>

    <summary>A new bug-fix release of Elektron is available for both Windows and Mac OS X. This fixes intermittent issues with Windows XP client logins failing. If you've had trouble with Windows XP users connecting, you'll want this version. Get it...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;p&gt;A new bug-fix release of Elektron is available for both Windows and Mac OS X. This fixes intermittent issues with Windows XP client logins failing. If you've had trouble with Windows XP users connecting, you'll want this version.&lt;/p&gt;

&lt;p&gt;Get it from our &lt;a href="http://www.periodiklabs.com/support/start"&gt;support page&lt;/a&gt;.&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2007/09/elektron-201755.html</feedburner:origLink></entry>

<entry>
    <title>AirPort Base Station Update 2007-002</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/e4C7Q0X3VAE/airport-base-station-update-20.html" />
    <id>tag:blog.periodiklabs.com,2007://1.327</id>

    <published>2007-08-14T23:00:07Z</published>
    <updated>2009-05-02T19:19:11Z</updated>

    <summary>The new release includes updated firmware for AirPort Extreme 802.11n base stations. It's not documented, but the new firmware apparently allows you to establish an L2TP VPN tunnel through the base station (previously, a bug limited access to PPTP VPNs...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;p&gt;The &lt;a href="http://www.apple.com/support/downloads/airportbasestationupdate2007002formac.html"&gt;new release&lt;/a&gt; includes updated firmware for AirPort Extreme 802.11n base stations. It's not documented, but the new firmware apparently allows you to establish an L2TP VPN tunnel through the base station (previously, a bug limited access to PPTP VPNs only).&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2007/08/airport-base-station-update-20.html</feedburner:origLink></entry>

<entry>
    <title>AirPort Extreme Update 2007-004</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/-6T3jW9ykHc/airport-extreme-update-2007004.html" />
    <id>tag:blog.periodiklabs.com,2007://1.326</id>

    <published>2007-07-31T20:13:21Z</published>
    <updated>2009-05-02T19:19:11Z</updated>

    <summary><![CDATA[Available now from Apple. Use Software Update to get it, or you can download it yourself from Apple's support page. &quot;This update is recommended for all Intel-based MacBook, MacBook Pro, and Mac mini computers and improves the reliability of AirPort...]]></summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;p&gt;Available now from Apple. Use Software Update to get it, or you can &lt;a href="http://www.apple.com/support/downloads/airportextremeupdate2007004.html"&gt;download it yourself&lt;/a&gt; from Apple's support page. &amp;quot;This update is recommended for all Intel-based MacBook, MacBook Pro, and Mac mini computers and improves the reliability of AirPort connections.&amp;quot; No specifics mentioned, so it's unclear if this update addresses the &lt;a href="http://blog.periodiklabs.com/2007/06/got-a-crashing-.html"&gt;kernel panic&lt;/a&gt; problem.&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2007/07/airport-extreme-update-2007004.html</feedburner:origLink></entry>

<entry>
    <title>New Elektron Release: 2.0.1744</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/RSqI4x2L0_o/new-elektron-release-201744.html" />
    <id>tag:blog.periodiklabs.com,2007://1.325</id>

    <published>2007-07-29T02:50:46Z</published>
    <updated>2009-05-02T19:19:11Z</updated>

    <summary>This is a bug fix release. It fixes a memory leak in Windows authentication, a bug in how Elektron determines which Active Directory groups a user belongs to, and removes the reliance of the Elektron double-clickable Windows certificate installers on...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;p&gt;This is a bug fix release. It fixes a memory leak in Windows authentication, a bug in how Elektron determines which Active Directory groups a user belongs to, and removes the reliance of the Elektron double-clickable Windows certificate installers on msvcrt8.dll. This release is recommended for Windows-hosted Elektron servers, and optional for Mac OS X-hosted Elektron servers. Get it from our &lt;a href="http://www.periodiklabs.com/support/start"&gt;support page&lt;/a&gt;.&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2007/07/new-elektron-release-201744.html</feedburner:origLink></entry>

<entry>
    <title>PARC: Wi-Fi PKI Usability Stinks</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/ZGBYUOaJtJ8/parc-wifi-pki-usability-stinks.html" />
    <id>tag:blog.periodiklabs.com,2007://1.324</id>

    <published>2007-07-27T18:07:48Z</published>
    <updated>2009-05-02T19:19:11Z</updated>

    <summary><![CDATA[The title actually paraphrases Drs. Balfanz, Durfee, Smetters, and Grinter, but the gist is correct: managing your Wi-Fi PKI is nigh impossible. We've been seeing this here at the Labs from the beginning &mdash; from day one, the vast majority...]]></summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;p&gt;The title actually paraphrases Drs. Balfanz, Durfee, Smetters, and Grinter, but the gist is correct: managing your Wi-Fi &lt;a href="http://en.wikipedia.org/wiki/Public_key_infrastructure"&gt;PKI&lt;/a&gt; is nigh impossible. We've been seeing this here at the Labs from the beginning &amp;mdash; from day one, the vast majority of our technical support questions have been certificate-related.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://www.parc.com/"&gt;PARC&lt;/a&gt; conducted the study on Wi-Fi PKI usability, &lt;a href="http://www2.parc.com/csl/members/gdurfee/5lessons.pdf"&gt;"In Search of Usable Security: Five Lessons from the Field."&lt;/a&gt; [PDF] two years ago. They asked expert computer users to try to configure their Windows XP machines to connect to the PARC Wi-Fi network:&lt;/p&gt;

&lt;blockquote&gt;
Once the wireless network and the PKI were in place, our HCI researcher studied eight subjects’ enrollment experiences. All the subjects had advanced degrees, typically PhDs in computer science and related disciplines, but the average time it took for them to request and retrieve their certificates and then configure their systems was 140 minutes. More significantly, despite using a fairly automated Web-based enrollment system (similar to those used by commercial certificate vendors such as Verisign) and the GUI-based 802.1x wireless configuration software provided by Microsoft Windows XP, the process involved a total of 38 steps to complete enrollment.
&lt;/blockquote&gt;

&lt;p&gt;Executive summary: "We took a bunch of computer science PhDs, gave them explicit step-by-step instructions, and it still took them over two hours to complete the configuration task, and in the end they didn't know what they had just done to their computers."&lt;/p&gt;

&lt;p&gt;Microsoft is clearly aware of the problem, as they modified the Wi-Fi network enrollment process in Vista to suck slightly less. They've still got a long way to go, though. Personally, I'm a fan of the Mac OS X process: just connect to the network, the Mac asks "hey, I've never seen this certificate before, should I trust it?" and you're off. Clearly, Apple is on to something. Of those technical support questions I mentioned above, a lot of them start with "Help: my Macs connect to my &lt;a href="http://www.periodiklabs.com/elektron"&gt;Elektron&lt;/a&gt;-secured network just fine, but my Windows XP machines refuse to connect!" We've never once received the opposite.&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2007/07/parc-wifi-pki-usability-stinks.html</feedburner:origLink></entry>

<entry>
    <title>A Real iPhone Exploit?</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/periodiklabs/labnotes/~3/taqy8q3OdqU/a-real-iphone-exploit.html" />
    <id>tag:blog.periodiklabs.com,2007://1.323</id>

    <published>2007-07-23T18:15:30Z</published>
    <updated>2009-05-02T19:19:11Z</updated>

    <summary>A brace of industry pundits has been claiming for months that the iPhone suffers from poor security. Today, the first actual exploit appeared. I haven't verified this myself, but from the (incomplete) description, it seems plausible. "This looks like a...</summary>
    <author>
        <name>Chris</name>
        
    </author>
    
    
    <content type="html" xml:lang="en-US" xml:base="http://blog.periodiklabs.com/">
        &lt;p&gt;A brace of industry pundits has been claiming for months that the iPhone suffers from poor security. Today, &lt;a href='http://www.securityevaluators.com/iphone/'&gt;the first actual exploit appeared&lt;/a&gt;. I haven't verified this myself, but from the (incomplete) description, it seems plausible. &lt;a href="http://www.nytimes.com/2007/07/23/technology/23iphone.html?n=Top%2fReference%2fTimes%20Topics%2fSubjects%2fI%2fiPhone"&gt;"This looks like a very genuine hack,"&lt;/a&gt; says Steven M. Bellovin, a respected computer security researcher.&lt;/p&gt;

&lt;p&gt;The attack requires a user to visit a malicious website. My favorite question from the FAQ: "Could the vulnerability be used to 'unlock' the iPhone from AT&amp;T?" The authors demur, but if it could, the attack might be a blessing in disguise!&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blog.periodiklabs.com/2007/07/a-real-iphone-exploit.html</feedburner:origLink></entry>

</feed>
