One week before HAR
In just a week the long-awaited HAR conference is taking place. Time for a little overview:
- Tickets are unfortunately not available anymore; don't even bother coming to the event without a ticket, as there will be no door sales. Next time, try to plan your holiday a little earlier.
- If you arrive early and want to help with the build-up, simply create your wiki profile page based on the volunteer template. Your arrival date will automagically appear on the volunteers page. Lending a hand is a great way to have fun and meet very interesting people.
- As always, we Belgians group together. This year Belhack (belsec people and the former Iguana colony) and Hacker Space Brussels join forces. If you don't like a calm place, you can join the Belgian Embassy, which has a noisier reputation.
- Print out your ticket, don't forget your tent, prep and harden your computer and phone, stop worrying, and prepare yourself to enjoy your stay.
Oh, and last but not least: you will probably see many BruCON people. Did you already book that ticket?
Security Policy for Small Businesses
A common thing I experienced in my job is that small businesses don't have the money or time to organize security incident handling. Fortunately SANS published a whitepaper that proposes an approach specifically for the small business:
A challenge exists when attempting to provide the Small Business (SB) owner with a workable procedure and resources for security incident handling. Considerable research has been accomplished, with a focus on the steps necessary to create and organize an Incident Handling Team in large organizations, but the resources required for such a project do not scale down to anything usable by the Small Business community. This paper reviews current best practices in the security community, and proposes a compromise that scales these steps into something workable and acceptable to the SB community. The paper also references SANS checklists to assist the SB owner step through the processes before, during, and after a security incident, along with literature, vendor, and tool resources.
Belsec Bday
Happy Bday Belsec!
Today Belsec has existed for 1 year.
Some exclusive articles, free stuff and other goodies will be posted there this week, so make sure you don't miss it.
Belgian SMEs score fairly well on IT security
e-land reports that Symantec has conducted a European survey on the IT security of SMEs.
The surprising conclusion: Belgian companies score fairly well here. I find the quality of the arguments for why our SMEs are doing well rather sad:
For instance, more than four out of ten SMEs in Belgium have their own IT manager, whose task and responsibility it is to look after the computers and the associated security. In addition, Belgian SMEs call on an external expert to help keep IT security on track more often than their neighbouring countries do. As far as the equipment itself is concerned, Belgian SMEs also seem to be in good shape. About three out of four have "the four forms of protection that experts consider the most important: antivirus, antispam, firewall and backups".
Is the presence of an anti-X product and a firewall an indicator of the quality of IT security? Aren't these standard elements that are simply a necessity these days?
Some questions that immediately come to mind: a) what is the quality/effectiveness of these products, b) are they up to date?, c) how are they configured?, d) have the backups been tested?, e) where are the backups kept? (fire, theft, ...), f) is there a disaster recovery plan?
And that is before I even think of the other matters such as g) end-user training, h) password and account policy, i) confidentiality, j) availability, ...
Unfortunately I couldn't find the original report...
Belgian eID Cards
As a reaction on the eID comments of Philip and Guy.
So, if they pushed on data retention laws and interceptable cell phones, what would be the odds of them giving up control of your keys?
This is not completely correct for the Belgian eID. Let me explain. The government indeed generates the private keys on separate machines before uploading them to the card. This is (they say) for performance reasons, and they (they say) delete the original private keys completely from those systems. This is indeed a practice that goes against all PKI principles. I won't discuss this part.
But if you analyze the eID card a little closer (check my post) you will see that the card contains two types of certificates: one for Authentication and one for Signature. These certificates are not usable for data encryption.
Knowing that the government can create their own certificates (you do trust them as a CA), they can easily generate new certificates that contain 'valid' data. There is no need to keep the private keys of the population to perform identity hijacking.
Why you should distrust your Belgian eID card?
When speaking about the eID it's important to specify what part you are talking about: is it the SmartCard, or is it the government-issued certificates?
The SmartCard contains some empty slots (check my post), so you can upload or generate your own private keys on the card. These keys can be considered secure as long as the SmartCard itself hasn't been cracked.
Edit: When I speak about trust it is about 'relative trust' depending on the environment and situation. Security is not binary; it's never either a 1 or a 0.
Readers eID Belgium site n/a?
While researching the eID a little more, I wanted to download the sources of the application again. My good old link http://readers.eid.belgium.be isn't working anymore.
Google-cache tells me it did exist in the past. And that there were some other pages on this site.
But now I get a very pretty (NOT) error:
SRVE0017W: A WebGroup/Virtual Host to handle / has not been defined.
IBM WebSphere Application Server
Some quick research shows that the server runs WebSphere, and an old Apache/2.0.52 version that can have some security issues.
No contact information to report this... the search for the sources continues.
Database authorization for openVPN with eID
In my previous post I explained how to use your Belgian eID to login on your openVPN server.
I used a simple hello-world script to check the authorization. The username (rijksregisternummer / numéro du registre national) was hardcoded in a file.
This evening I finally, quickly, enhanced the script to perform database authorization:
Download the full script. Or see the relevant database part:
use DBI;

# $x509 (the X509 subject passed by OpenVPN to the tls-verify script) and
# $result (the script's exit status) are set in the surrounding script.
my ($id, $name, $firstname);
if ($x509 =~ /\/serialNumber=([^\/]+)/) {
    # The serialNumber field of the eID authentication certificate holds
    # the rijksregisternummer; look it up in the users table.
    my $rrn = $1;
    my $dbh = DBI->connect('DBI:mysql:sslvpn', 'sslvpn', 'sslvpn')
        or die "Couldn't connect to database: " . DBI->errstr;
    # Bind the value through a placeholder instead of interpolating it into
    # the SQL string, so a crafted certificate subject cannot alter the query.
    my $sth = $dbh->prepare("SELECT `id`, `name`, `firstname` FROM `users` WHERE `id` = ?")
        or die "Couldn't prepare statement: " . $dbh->errstr;
    $sth->execute($rrn)
        or die "Couldn't execute statement: " . $sth->errstr;
    # Read the matching record (id is the primary key, so at most one row)
    my @data;
    while (@data = $sth->fetchrow_array()) {
        ($id, $name, $firstname) = @data;
        #print "Database result: \t$id: $firstname $name\n";
    }
    # Authorization failed: no user with this rijksregisternummer in the database
    if ($sth->rows == 0) {
        print "TLS-VERIFY: EE - Unknown user: $x509\n";
        $result = 1;
    }
    # Authorization is OK
    else {
        print "TLS-VERIFY: OK - $id - '$firstname $name' logged in\n";
        $result = 0;
    }
    $sth->finish;
    $dbh->disconnect;
}
The database:
CREATE TABLE `users` (
`id` varchar(11) NOT NULL,
`name` varchar(255) NOT NULL,
`firstname` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `id` (`id`),
KEY `id_2` (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
INSERT INTO `users` (`id`, `name`, `firstname`) VALUES
('83021811535', 'Vandeplas', 'Christophe');
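The same check, written as an added example in Python rather than the post's own Perl script: an OpenVPN tls-verify style script that takes the certificate depth and X509 subject as arguments, pulls the rijksregisternummer out of the serialNumber field, and looks it up with a parameterized query. It is not code from the post; it assumes an in-memory SQLite table mirroring the `users` schema above (seeded with the one row from the post) instead of the MySQL database, and the subject strings used are constructed samples.

```python
import re
import sqlite3
import sys

# Constructed in-memory stand-in for the post's MySQL `users` table.
SCHEMA = "CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT NOT NULL, firstname TEXT NOT NULL)"
SAMPLE_USERS = [("83021811535", "Vandeplas", "Christophe")]  # the row from the post

# Same pattern as the Perl script: the value after /serialNumber= up to the next slash.
SERIAL_RE = re.compile(r"/serialNumber=([^/]+)")


def open_db():
    """Create and seed the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def extract_rrn(subject):
    """Return the rijksregisternummer from the subject's serialNumber field, or None."""
    m = SERIAL_RE.search(subject)
    return m.group(1) if m else None


def lookup_user(conn, rrn):
    """Parameterized lookup: the rrn is bound as a value, never spliced into the SQL."""
    return conn.execute(
        "SELECT id, name, firstname FROM users WHERE id = ?", (rrn,)
    ).fetchone()


def authorize(depth, subject, conn):
    """Return (exit_code, message); 0 accepts, 1 rejects, as OpenVPN expects from tls-verify."""
    if depth != 0:
        # Only the end-entity certificate (depth 0) carries the citizen's serialNumber;
        # CA certificates higher in the chain are accepted as far as this check goes.
        return 0, "TLS-VERIFY: depth %d - CA certificate, nothing to check" % depth
    rrn = extract_rrn(subject)
    if rrn is None:
        return 1, "TLS-VERIFY: EE - no serialNumber in subject: %s" % subject
    row = lookup_user(conn, rrn)
    if row is None:
        return 1, "TLS-VERIFY: EE - Unknown user: %s" % rrn
    return 0, "TLS-VERIFY: OK - %s - '%s %s' logged in" % (row[0], row[2], row[1])


if __name__ == "__main__":
    # OpenVPN invokes the script as: <script> <depth> <X509 subject>
    depth, subject = int(sys.argv[1]), sys.argv[2]
    code, msg = authorize(depth, subject, open_db())
    print(msg)
    sys.exit(code)
```

Because the lookup binds the serialNumber as a parameter, a subject whose serialNumber field contains SQL fragments is simply treated as an unknown user rather than changing the query; a subject without a serialNumber field is rejected as well, instead of being waved through.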