
Using Certificates with cURL

-

The problem: using digital certificates issued by a Certification Authority (CA) with curl.

The situation: I have a .cer file (the digital certificate) and a .pfx file (Personal Information Exchange, i.e. the certificate together with its private key). Curl accepts neither format as-is, so I cannot use them to authenticate to the web service.

The solution:
1) Convert the .pfx into PEM format (X.509 certificate plus key) using openssl:
openssl pkcs12 -in abcd.pfx -out abcd.pem
Enter the .pfx import password, then a new pass phrase for the PEM output.
2) You still cannot use this file with curl: the single PEM bundles the CA certificate, the client certificate and the private key together, curl cannot reliably pick the client certificate and key out of that bundle, and you would get a few errors.
3) Split the .pfx into three PEM files instead: the CA certificate, the client certificate and the private key.
openssl pkcs12 -in abcd.pfx -out ca.pem -cacerts -nokeys
openssl pkcs12 -in abcd.pfx -out client.pem -clcerts -nokeys
openssl pkcs12 -in abcd.pfx -out key.pem -nocerts
4) Use the following command:
curl -k https://www.thesitetoauthenticate.com/test -v --key key.pem --cacert ca.pem --cert client.pem:
(The trailing colon is curl's certificate:password separator with an empty password.) Note that -k turns off verification of the server's certificate, so --cacert ca.pem does nothing while -k is present, and ca.pem only validates the server if the server's certificate was issued by that same CA; once the chain verifies, drop -k.
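The procedure above, run end to end as an added example that is not part of the original post: a Python script that drives the same openssl commands non-interactively and checks that key.pem really belongs to client.pem and that ca.pem issued it, before anything is handed to curl. It assumes the openssl CLI is on PATH; the CA, client certificate and .pfx it builds are constructed test data, and the file names and password are assumptions.

```python
import subprocess
import tempfile
from pathlib import Path


def openssl(*args: str) -> str:
    """Run one openssl CLI command (assumed on PATH), return stdout, raise on failure."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout

def make_test_pfx(work: Path, password: str) -> Path:
    """Constructed test data: a throwaway CA and a client cert it issued, packed into abcd.pfx."""
    ca_key, ca_crt = work / "ca.key", work / "ca.crt"
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=Example CA", "-keyout", str(ca_key), "-out", str(ca_crt))
    openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=client1",
            "-keyout", str(work / "client.key"), "-out", str(work / "client.csr"))
    openssl("x509", "-req", "-days", "1", "-in", str(work / "client.csr"), "-CA", str(ca_crt),
            "-CAkey", str(ca_key), "-CAcreateserial", "-out", str(work / "client.crt"))
    openssl("pkcs12", "-export", "-in", str(work / "client.crt"), "-inkey", str(work / "client.key"),
            "-certfile", str(ca_crt), "-passout", f"pass:{password}", "-out", str(work / "abcd.pfx"))
    return work / "abcd.pfx"

def split_pfx(pfx: Path, password: str, out: Path) -> dict:
    """Step 3 of the post, made non-interactive: ca.pem, client.pem and key.pem from one .pfx."""
    common = ("pkcs12", "-in", str(pfx), "-passin", f"pass:{password}")
    openssl(*common, "-out", str(out / "ca.pem"), "-cacerts", "-nokeys")
    openssl(*common, "-out", str(out / "client.pem"), "-clcerts", "-nokeys")
    openssl(*common, "-out", str(out / "key.pem"), "-nocerts", "-nodes")  # unencrypted: curl won't prompt
    (out / "key.pem").chmod(0o600)  # an unencrypted private key must not be readable by others
    return {name: out / f"{name}.pem" for name in ("ca", "client", "key")}

def key_matches_cert(cert: Path, key: Path) -> bool:
    """True when the public key inside cert is the one derived from key; otherwise the TLS handshake fails."""
    return (openssl("x509", "-in", str(cert), "-noout", "-pubkey").strip()
            == openssl("pkey", "-in", str(key), "-pubout").strip())

def ca_issued_cert(ca: Path, cert: Path) -> bool:
    """True when ca.pem is the issuer of client.pem, i.e. the split put the right certificate in each file."""
    return subprocess.run(["openssl", "verify", "-CAfile", str(ca), str(cert)],
                          capture_output=True).returncode == 0

def self_test(password: str = "secret") -> tuple:
    """Build the constructed bundle, split it and return (all checks passed, extracted file paths)."""
    work = Path(tempfile.mkdtemp())
    parts = split_pfx(make_test_pfx(work, password), password, work)
    ok = key_matches_cert(parts["client"], parts["key"]) and ca_issued_cert(parts["ca"], parts["client"])
    return ok, parts
```

The three paths returned by split_pfx() are exactly what --key, --cert and --cacert take in the curl command above.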

This is also discussed on the curl mailing list at http://curl.haxx.se/mail/archive-2005-09/0138.html


Error: Installshield Engine could not be launched

-

I kept running into this error:
The InstallShield Engine (iKernel.exe) could not be launched.
The RPC Server is unavailable.

Starting the “DCOM Server Process Launcher” service (which the RPC service depends on) gets rid of this error.


Cygwin: Ambiguous redirect

-

An interesting thing happened today. I was trying to send stderr to /dev/null in Cygwin, using something like:
some_exec -p params 2>&/dev/null | grep blah
and I kept getting the error: bash: Ambiguous redirect.
I then realized that `2>&` duplicates a file descriptor and expects a descriptor number after it (as in `2>&1`), not a path. Sending stderr to a file such as /dev/null only needs a plain redirect, which solved my problem:
some_exec -p params 2>/dev/null | grep blah


The historical evolution of Cross-Site Request Forgery

-

Having been in application security for more than two decades, and now officially completing my 18th year of being meaningfully employed in that space, I have gathered a lot of crud in my brain. Most of it is the history of how things came to be. That stuff is likely not interesting to most people, but I find it intriguing how some seemingly minor decisions by one software vendor can have a massive impact on the web application security industry.

Oh the dreaded IE…
Internet Explorer 4, 5 and 6, going back to the Windows XP days (or even earlier, I can't recall), had a setting whereby the cookie jar was not shared: if you opened a new window to a site you had to log in again, unless you used Ctrl+N to open the new window from an existing session. Each new process had its own cookie jar. For the uninitiated, the “cookie jar” is the browser's internal storage for cookies. A session cookie is a random-looking string that acts as a “trust token” the web server places in the browser. Since HTTP is stateless, this cookie is what preserves the “state”, and it is exactly what authorization decisions in an HTTP context are typically based on. Each cookie is stored in the jar with its name, value, domain and path (today there are a few other attributes, but that was not the case back in 2004-2005), all of which the browser takes from the Set-Cookie HTTP response header. Microsoft, the vendor of Internet Explorer, decided that each new IE window should have its own set of stored cookies that were not shared. Mozilla Firefox and Google Chrome always had a shared cookie jar, if I recall correctly.

Along came a Cross-Site Request Forgery (CSRF)…

Jesse Burns from iSecPartners (an NYC-based security consultancy that was later acquired by NCC Group) wrote a paper back then which I think was the seminal paper on Cross-Site Request Forgery. They called it “XSRF” because “XSS” was already in parlance. Thereafter, there were presentations in 2006 about the same topic by Microsoft. The whole attack was simple. The victim has a browser tab open in which they are logged into a site that has issued that session a cookie value. Due to the browser same-origin policy (a concept that Netscape designed in 1995) that cookie would be resent by the browser as a Cookie HTTP request header whenever an HTTP request was sent to the same domain, protocol (“scheme”) and port. There were a few idiosyncrasies of IE (which made it infamous back then), such as that if the port number did not match, IE did not complain and would consider access allowed under the Same-Origin Policy (SOP). What does that mean? http://example.com and http://example.com:81 would be treated as the same origin! Weird, right? It wasn't the case with other browsers. This was also documented in Michal Zalewski's book The Tangled Web in 2011. Where am I going with this? While IE did some weird things, it did one good thing: isolate cookie jars. So if you opened a new window in which the attacker ran a payload that sent a request to the site that had handed you a cookie, the new IE window would have no interesting cookies to share with that site, inadvertently protecting the user from being a victim of a CSRF issue. Yes, the hated IE protected users from CSRF! Who would have thought? That's how weird 2005 was 🙂

Fast forward…

All browser vendors today share the cookie jar across windows and tabs, because who doesn't like opening new tabs of their favorite cloud console without having to log in again? So what did we do? We added another attribute to the Set-Cookie HTTP response header, SameSite, which stops the cookie from being sent unless the request originates from a page on the same site as the cookie's issuer (SameSite=Strict; SameSite=Lax still allows it on top-level navigations that use safe methods such as GET).
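The cookie rule the post describes, modelled as an added example (not code from the original post): when a browser with a shared cookie jar attaches a cookie to a request, with no SameSite attribute and with Strict or Lax. Site matching is simplified to scheme plus registrable domain using a constructed stand-in for the public suffix list, cookie scoping is reduced to the issuing site, and the domain names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list a real browser consults.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "example"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a host, e.g. 'app.bank.example' -> 'bank.example'."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def same_site(url_a: str, url_b: str) -> bool:
    """Schemeful same-site: same scheme and registrable domain; the port is not part of the site."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return a.scheme == b.scheme and registrable_domain(a.hostname) == registrable_domain(b.hostname)


@dataclass
class Cookie:
    name: str
    issuer: str                      # URL of the response whose Set-Cookie created the cookie
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or absent (pre-SameSite cookie)


def cookie_is_sent(cookie: Cookie, initiator: str, target: str,
                   method: str = "GET", top_level_navigation: bool = False) -> bool:
    """Does a shared-jar browser attach `cookie` to a request for `target` that a document
    at `initiator` caused? A cross-site initiator plus a state-changing request is the CSRF case."""
    if not same_site(cookie.issuer, target):
        return False                 # cookie belongs to another site: never sent
    if same_site(initiator, target):
        return True                  # ordinary same-site request: always sent
    # No attribute: the original shared-jar behaviour, sent cross-site too (what made CSRF
    # work once IE's per-window jars were gone; Chrome has defaulted this to Lax since 2020).
    mode = cookie.same_site or "None"
    if mode == "Strict":
        return False
    if mode == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True                      # SameSite=None: sent cross-site, must also be Secure
```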

So there you have it… the history of SameSite and how one of the most hated browsers of the day (IE) did one good thing for users – protect them from CSRF! 🙂


West Coast to East Coast: antithetical US

-

A three-month moratorium on the blog. Things have changed dramatically when it comes to life. A lot has happened in my life since the time I left Los Angeles, CA to come to New York, NY, two of the biggest cities not only in the USA but in the world.
First things first: I got a job at Ernst & Young's Advanced Security Center, and so, like many people who work in New York, I live in Jersey City, NJ and commute. The travel is not too bad, about 45 minutes door to door. Also, by living in New Jersey instead of the five boroughs (New Yorkers call the collection of Manhattan, Queens, Brooklyn, the Bronx and Staten Island the five boroughs) one saves the 4% annual New York City tax.
Now for the topic of this post, which is moving, probably the most troublesome experience people have. It wasn't too good for me either, but it could have been worse if not for the help of some good friends. People say you realize the truthfulness of your friends in times of adversity, and that is exactly what I found. Whereas some people came to the fore to help me in every way they could, some stayed at bay (and in some cases made sure the buoy of my life was in the doldrums). Well, having said that, life is but a bunch of grapes, some sweet and some sour (something I heard in the Hindi movie “Khatta Meetha”)!
Finding an apartment in the New York area can be a harrowing experience, especially if you are hard pressed on budget, and that was exactly what I found. The best places to look are New Jersey Craigslist and New York Craigslist. Other places are Rent.com and Apartments.com, but I did not find them very useful. I found that New York had some really good places to rent even on a tight budget, all of them in Queens (Rego Park, Forest Hills). The good part was that one could get a 2BR for $1450+ there. These places were not too far from the subway stations, with a commute of 40-45 minutes to Manhattan and 1 hour to Long Island (using the Long Island Rail Road, aka LIRR).
Jersey City in NJ is also a very good bet, though some places there are posh as hell and you pay the price for the class. Exchange Place and Pavonia/Newport are examples (with prices around $1700 for a 1BR). Grove Street is somewhere in between the posh and the not-at-all posh. Even though the prices in Exchange Place and Newport are really high, the class is well worth the money, especially when you consider that a similar apartment in Manhattan will cost at least twice or maybe thrice as much. Another avenue to explore is Hoboken, NJ. Hoboken was personally my favorite place to look for an apartment because of the vibrancy associated with it; it almost looks like a European city bustling with restaurants and youth on the streets! It is also not too far from New York. However, just like Pavonia/Newport and Exchange Place, this fun doesn't come cheap; the apartment costs are similar. The difference between Newport/Exchange Place and Hoboken is that the construction in Hoboken is older and you need a realtor to get an apartment more than you do in the former. Realtors charge a standard fee of one month's rent for their services.
In case you are wondering what a realtor is: a realtor is a person who searches for an apartment that fits your budget and taste. But one must be wary of realtors, because they can sometimes be a dangerous bet to pick!
The West Coast was much easier to find apartments in, in my experience, but that could be because I was looking in a university area, which is probably easier.

-Rajat
http://rajatswarup.blogspot.com/


VPNC Connection Status

-

I was using vpnc the other day on my BackTrack 4 R2 system to connect to a VPN. I noticed that nothing would give me the status of whether or not the tunnel was up, so I wrote a small one-liner to help me (it uses pgrep: the ps | grep | grep -v grep form breaks as soon as more than one vpnc process exists, and the sleep keeps the loop from spinning the CPU):

while pgrep -x vpnc >/dev/null; do printf "Connected\r"; sleep 1; done; printf "Disconnected\n"

A live vpnc process does not by itself prove the tunnel is up; checking the tun interface vpnc created (for example with ip link show tun0) is a more reliable signal.


Kerberos/Samba/AD account lockouts

-

I kept getting the following errors in the Event Viewer on my AD domain, and accounts kept locking out:
Pre-authentication failed:
User Name:      user1
User ID:                DOMAIN\user1
Service Name:   krbtgt/DOMAIN.COM
Pre-Authentication Type:        0x0
Failure Code:   0x12
Client Address: 192.168.246.134

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

In the Directory Service logs I see the following entry:
[snip]
Active Directory could not update the following object with changes
received from the domain controller at the following network address
because Active Directory was busy processing information.

Object:
CN=User 1,OU=Testing Services Team,OU=TESTER V,DC=domain,DC=com
Network address:
e5523049-53f1-4274-858b-c68971599acf._msdcs.domain.com

This operation will be tried again later.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Turns out this happens if you have a samba/winbind/AD type of infrastructure. If someone has processes running on a Unix host that authenticates with Kerberos (even under sudo) and changes their password while those processes are still running, the processes keep presenting the old credentials: the Kerberos ticket-granting ticket (krbtgt) they hold is no longer current, and every object access they attempt is counted by the domain controller as a failed logon attempt. This locks the accounts out if you have account lockout enforced in your AD domain security policy. The Client Address in the pre-authentication failure event is the host running the stale process.
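As an added example, not part of the original post: a small parser over events in the layout shown above that separates bad-password failures (Failure Code 0x18, KDC_ERR_PREAUTH_FAILED) from the lockout itself (0x12, KDC_ERR_CLIENT_REVOKED) and groups the former by user and Client Address, which points at the host still running the process with the old password. The events it parses are constructed samples, and the lockout threshold is an assumption.

```python
import re
from collections import Counter

PREAUTH_FAILED = "0x18"   # KDC_ERR_PREAUTH_FAILED: a wrong password was presented
CLIENT_REVOKED = "0x12"   # KDC_ERR_CLIENT_REVOKED: account locked out, disabled or expired


def event(user: str, code: str, addr: str) -> str:
    """Constructed sample event in the same layout as the post's log excerpt."""
    return (f"Pre-authentication failed:\nUser Name:      {user}\n"
            f"User ID:                DOMAIN\\{user}\nService Name:   krbtgt/DOMAIN.COM\n"
            f"Pre-Authentication Type:        0x0\nFailure Code:   {code}\n"
            f"Client Address: {addr}\n")


# Constructed log: three bad-password attempts from one host, one from another, then the lockout.
SAMPLE_LOG = "\n".join([event("user1", PREAUTH_FAILED, "192.168.246.134")] * 3
                       + [event("user1", PREAUTH_FAILED, "192.168.246.20"),
                          event("user1", CLIENT_REVOKED, "192.168.246.134")])


def parse_events(text: str) -> list:
    """Split the log into events and each event into its 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines()[1:]:        # the first line is the event title
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def bad_password_sources(events: list) -> Counter:
    """Count 0x18 failures per (user, client address): where the stale credential lives."""
    return Counter((e["User Name"], e["Client Address"])
                   for e in events if e.get("Failure Code") == PREAUTH_FAILED)


def locked_accounts(events: list) -> set:
    """Users for whom the KDC has already started answering with 0x12."""
    return {e["User Name"] for e in events if e.get("Failure Code") == CLIENT_REVOKED}


def suspect_hosts(events: list, lockout_threshold: int) -> list:
    """(user, address) pairs that alone produced enough bad passwords to trip the lockout policy."""
    return [src for src, n in bad_password_sources(events).items() if n >= lockout_threshold]
```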