Category Archives: Lessons Learnt

Security vulnerability in MySQL / MariaDB sql/password.c

An interesting vulnerability has been discovered in MySQL and MariaDB.

Essentially it means that under certain conditions it is possible to provide any password and MySQL will accept it.

This flaw is a programming error caused by an incorrect cast. As a result, the server can wrongly conclude that the password supplied in the login attempt is the same as the one it is authenticating against.

This only happens about 1 time in 256, because of the random string that MySQL uses in the authentication procedure. All encryption is vulnerable to a poor-quality random number generator; whilst that is not the cause of this problem, it is related to why it can occur so frequently. Whilst 1 in 256 might sound like a large number of authentication attempts, in computer terms completing that many attempts takes approximately a couple of seconds.

For exact details, click here.
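As an added illustration (not MySQL's source and not from the original post), the C below shows the class of bug described: a memcmp result handed back through a char-sized boolean type, beside the corrected comparison. The type and function names, the simulated wide-result memcmp and the sample hashes are this example's own assumptions.

```c
#include <stddef.h>
#define HASH_SIZE 20         /* SHA1-sized buffer, as used for login scrambles */
typedef char narrow_bool;    /* char-sized boolean return type: the bug pattern */

/* Constructed stand-in for an optimised memcmp: compares two bytes at a time and
 * returns the arithmetic difference of the first differing word. The C standard only
 * requires a sign-correct result, so a real memcmp may return values outside -128..127. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb)
            return wa - wb;  /* anywhere in -65535..65535 */
    }
    return 0;                /* HASH_SIZE is even, so there is no tail byte */
}

/* Vulnerable pattern: the int from memcmp is returned through a char-sized type, so any
 * difference that is a multiple of 256 is truncated to 0, which the caller reads as
 * "hashes match". Returns 0 for a match, non-zero otherwise. */
static narrow_bool check_scramble_buggy(const unsigned char *got, const unsigned char *expected)
{
    return wide_memcmp(got, expected, HASH_SIZE);
}

/* Fixed pattern: reduce to a boolean BEFORE narrowing, so only a real zero
 * (every byte equal) yields 0. The return type is unchanged on purpose. */
static narrow_bool check_scramble_fixed(const unsigned char *got, const unsigned char *expected)
{
    return wide_memcmp(got, expected, HASH_SIZE) != 0;
}

/* How many non-zero comparison results in [lo, hi] collapse to 0 when narrowed to
 * char: for 1..65536 that is 256, i.e. the "1 in 256" the post describes. */
static int count_truncated_to_zero(int lo, int hi)
{
    int n = 0;
    for (int v = lo; v <= hi; v++)
        if (v != 0 && (narrow_bool)v == 0)
            n++;
    return n;
}

/* Constructed sample hashes: WRONG_HASH differs from EXPECTED_HASH in the first word
 * by exactly 256 (0x0000 vs 0x0100), so the buggy check accepts it; WRONG_HASH2 differs by 1. */
static const unsigned char EXPECTED_HASH[HASH_SIZE] = { 0x01, 0x00 };
static const unsigned char WRONG_HASH[HASH_SIZE]    = { 0x00, 0x00 };
static const unsigned char WRONG_HASH2[HASH_SIZE]   = { 0x01, 0x01 };
```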

Learn how YGHT can help you increase your cybersecurity

LinkedIn Password Breach

If you don’t already know, LinkedIn had around 6.5 million usernames and passwords released into the wild.  According to this official LinkedIn blog page:

“[Accounts will now] benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”

Eight years after the LinkedIn password breach, a U.S. court has sentenced the hacker. He has finally been sentenced to 88 months in a United States prison, more than seven years, by a federal court in San Francisco this week.

You mean to say – you weren’t hashing and salting the passwords before?! 

That is ridiculous! 

That’s one of the most obvious ways to protect your passwords and should be employed by every authentication system no matter how large or small.


Mozilla Firefox Single Sign On

One of the projects I am working on is to get a multi-tenanted URL filtering proxy to work. That in itself has not been particularly difficult. It’s just a case of knowing where to find the various Linux config files in the product we have chosen: NetSweeper.  This project is now fully load-balanced with high availability (HA) failover and works with Internet Explorer and a few other mainstream browsers perfectly.  It even does Man-In-The-Middle style SSL intercepting to make sure it filters as much as possible.

Mozilla Firefox has been my downfall on this project.  Usually I hold Firefox in high regard, but for all its greatness, it is poor at listening to the operating system for proxy settings and at using Windows' built-in authentication methods.

There will be another article in a couple of weeks or so, when I next look at this project, about how I bully Firefox into doing SSL interception and forcing it to use the proxy settings; at the moment I haven't had time to work on that.  What I have done, though, is get Firefox to work with Windows Single Sign On (SSO).

Basically, you can manually set the sites for which you want to use SSO, simply by visiting a special URL in the browser:

about:config

First of all you get a warning telling you to be careful, and then a very long list of configurable variables.  For SSO you need the variable called:

network.automatic-ntlm-auth.trusted-uris

(use the filter bar at the top and search for ntlm)

If you double-click this setting you can enter the URLs for which you want to enable SSO, like so:

http://internalserver     or     http://www.google.co.uk

If you need more than one URL, just separate them with a comma.

Now that's all well and good, but in a domain situation you probably need to do this on hundreds of computers.  I found a VBS script online that claimed to fix this problem, and it works very well with only one snag: because some of our users have non-standard profile locations, we needed to modify it a little.  You can find our version here:

Firefox NTLM Authentication / Single Sign On

Please note: to put that into production you will need to rename the extension to .vbs, put it on a network share and play with group policies.  That bit is down to you!

I wish I could take credit for this script but I found the original online and then one of my colleagues had a bored 10 minutes so he modified the script for me.

Edit (20151017): The VBS script I referenced is no longer available; here is a Google Cache copy of the article.