BruCON is an annual two-day conference by and for the security and hacker community. The conference offers lectures and workshops on a multitude of topics like computer security, privacy, information technology and its implications on society. It takes place at the Surfhouse in Brussels, Belgium on September 18 and 19.

Tickets should be purchased asap as from the 1^st of July the price raises from €180 to €250. The staff didn't forget students ! Their price is €50 till the 1^st of July.

The presentations on IPv6 security, MPLS hacking, Cyberwarfare, Social engineer techniques, Cloud Computing Security, Open source Information gathering, Dangers of Social networks, and much more, there will be interesting workshops and other events.

Unfortunately I won't be able to go as I'll be in Canada because of a wedding. But count me in for the second edition!

Are you also one of those complaining about having to go abroad for a decent security conference?

Stop worrying, BruCON is finally here. It's the first Belgian security conference taking place on the 18th and 19th September.

Security researchers: Check out the Call for Papers:
Visitors: Keep the date free in your agenda and subscribe to the blog and RSS feed.

e-land meldt dat Symantec een Europees ondezoek gedaan heeft betreffende de IT-beveiliging van de KMOs.

De verbazende conclusie luidt:

Belgische bedrijven scoren hier vrij goed op.

De kwaliteit van de argumenten waarom onze KMOs goed bezig zijn vind ik wel droevig:

Zo beschikken ruim vier op de tien kmo’s in België over een eigen IT-manager, wiens taak en verantwoordelijkheid het is om zich om computers en bijhorende beveiliging te bekommeren. Daarnaast doen Belgische kmo’s meer dan in de buurlanden een beroep op een externe expert die mee de IT-beveiliging in goede banen moet leiden. Ook inzake de uitrusting zelf, lijken de Belgische kmo’s goed te zitten. Zowat drie op de vier beschikken over "de vier beveiligingsvormen die door experts als de belangrijkste worden beschouwd: antivirus, antispam, firewall en back-ups".

Is de aanwezigheid van een anti-X product en een firewall indicator van de kwaliteit van IT security? Zijn dat geen standaard elementen die deze tijden ook maar een noodzaak zijn?

Enkele vragen die bij mij direct opkomen zijn: a) wat is de kwaliteit/efficiëntie van deze producten, b) zijn deze wel up-to-date?, c) hoe zijn deze geconfigureerd? d) zijn de backups getest?, e) waar worden de backups bijgehouden? (brand, diefstal,...), f) is er een disaster recovery plan?

En dan denk ik nog niet aan de andere zaken zoals de g) opleiding van de eindgebruiker, h) paswoord en account policy, i) confidentialiteit, j) beschikbaarheid, ...

Ik kon spijtig genoeg het origineel rapport niet terugvinden...

Instead of showing off to the press and pushing the fault on others backs they should simply stay silent and be ashamed of the situation they created.

And yes, I consider the media also as partially responsible by giving those minority extremists such a big voice.

This short howto explains how to use the Belgian eID to login on your Mac OS X machine. In this document I assume your cardreader is detected/installed and you are administrator of your machine. I am using Mac OS X 10.4.11.

Enable SmartCard authentication (only Mac OS X 10.4)

The happy owners of Leopard, Mac OS X 10.5, shouldn't change anything in their configuration file. Just jump to the part about access permissions.

Probably for performance reasons Apple didn't activate SmartCard login by default. So we will need to change a few configuration files to enable it. This procedure is explained on this page. Here's my own documentation with the examples for the Belgian eID.

The instructions in this part should be exactly the same on your system.

$ sudo -s
Password:
$ cd /etc/
$ cp authorization authorization.20080707.orig
$ cp authorization /tmp/authorization.mod

Now edit the temporary file using your favorite editor or by using the graphical editor if you prefer.

$ vi /tmp/authorization.mod
$ open -a "Property List Editor" /tmp/authorization.mod

Make the following changes to the mechanisms Array inside the system.login.console rights (Line 452):
After the string <string>builtin:auto-login,privileged</string> add the string <string>builtin:smartcard-sniffer,privileged</string>.
After the string <string>builtin:reset-password,privileged</string> remove the string <string>authinternal</string> then add string <string>builtin:authenticate,privileged</string>

Make the following changes to the "mechanisms" Array inside the "authenticate" rules (Line 649):
Add the following string to the beginning of the array <string>builtin:smartcard-sniffer,privileged</string>
After the string <string>builtin:authenticate</string> remove the string <string>authinternal</string> then add the string <string>builtin:authenticate,privileged</string>

Now copy the file to the right place on your system:

$ cp /tmp/authorization.mod /etc/authorization

You can check the differences here or download the original and modified file (Mac OS X 10.4.11)

$ diff -uN /etc/authorization /tmp/authorization.mod 
--- /etc/authorization  2008-03-23 17:53:36.000000000 +0100
+++ /tmp/authorization.mod      2008-07-07 11:19:05.000000000 +0200
@@ -449,9 +449,10 @@
                        <key>mechanisms</key>
                        <array>
                                <string>builtin:auto-login,privileged</string>
+                               <string>builtin:smartcard-sniffer,privileged</string>
                                <string>loginwindow_builtin:login</string>
                                <string>builtin:reset-password,privileged</string>
-                               <string>authinternal</string>
+                               <string>builtin:authenticate,privileged</string>
                                <string>builtin:getuserinfo,privileged</string>
                                <string>builtin:sso,privileged</string>
                                <string>HomeDirMechanism:login,privileged</string>
@@ -645,8 +646,9 @@
                        <string>evaluate-mechanisms</string>
                        <key>mechanisms</key>
                        <array>
+                               <string>builtin:smartcard-sniffer,privileged</string>
                                <string>builtin:authenticate</string>
-                               <string>authinternal</string>
+                               <string>builtin:authenticate,privileged</string>
                        </array>
                </dict>
                <key>authenticate-admin</key>

Access permissions (everyone)

We now enabled SmartCard authentication. The question that remains open is: Who owns what SmartCard?

On the eID card there are two private keys present. One for signing purposes and one for authentication. We will use the authentication key of course.
Go back to your Terminal that was logged in as root and type the following command. This will list the hashes of the keys.

$ sc_auth hash
3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C PrK#2 (authentication)
35BDB8600FA219204D28FAD856380F6E06123B62 PrK#3 (signature)

$ sc_auth accept -u chri -h 3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C

If desired, more than one smart card can be associated with a single user account by running the script again with the hash from the additional card(s).
We can check if it's OK:

$ dscl . -read /Users/chri
...
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT,SMB-LAN-MANAGER>
  ;pubkeyhash;3F5C816C10AB60926E2E8A3CD9096C1F8AF34C9C
...

Test your configuration

That's it. Save all your open files, log out of the system and connect your SmartCard. You should see the Enter PIN when your card is connected:

Debug info

When entering the cardreader in /var/log/secure.log (open using Console). If you don't see these messages check that your cardreader is configured correctly on the system.

com.apple.SecurityServer: Token reader CCID Smart Card Reader 0 0 inserted into system
com.apple.SecurityServer: token inserted into reader CCID Smart Card Reader 0 0
com.apple.SecurityServer: reader CCID Smart Card Reader 0 0 inserted token
  "BELPIC-534C494E336600296CFF2491AB111E14" (BELPIC-534C494E336600296CFF2491AB111E14) 
  subservice 2 using driver com.apple.tokend.belpic

After a successfull login see these messages:

SecurityAgent[1994]: Showing Login Window
SecurityAgent[1994]: User Authenticated: continue login process
com.apple.SecurityServer: Succeeded authorizing right system.login.console 
  by process /System/Library/CoreServices/loginwindow.app for authorization 
  created by /System/Library/CoreServices/loginwindow.app.
com.apple.SecurityServer: Succeeded authorizing right system.login.done 
  by process /System/Library/CoreServices/loginwindow.app for authorization 
  created by /System/Library/CoreServices/loginwindow.app.

Links

Apple Smart Card Setup Guide
Mac OS X 10.4: Enabling smart card login