Dec 22, 2010
I was able today to complete an integration of Oracle DBMS plus Oracle Application Express (also known as ApEx) with my Open Source One Time Password (OTP) daemon. Moreover, I was able to protect given ApEx applications by combining a Web Application Firewall (WAF) inside ApEx. This integration will enable customers to deliver secure mission-critical enterprise web applications. A paper will come soon… stay tuned!
Dec 15, 2010
A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3 modular storage array shipped to date.
Apparently a hidden user exists that is built into the system and does not show up in the user manager, and the password may not be able to be changed (unconfirmed), creating a perfect “backdoor” opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as to the systems it is connected to. The hard-coded user and password in the HP MSA2000 are set to an embarrassingly simple:
username: admin
password: !admin
Because the password can’t be changed or deleted, it creates another serious enterprise vulnerability. Similar vulnerabilities were recently discovered in Cisco Unified Video Conferencing products, where a Linux shadow password file contained three hard-coded usernames and passwords.
More on the SecurityWeek website.
Nov 27, 2010
A beta preview of the TOTP algorithm has been implemented in OTPD, the Open Source OTP daemon I maintain. Besides TOTP, the Feitian c200 hardware token is also supported. It should be compliant with the TOTP standard, and it mostly is, except for the fact that the token’s time seems to be rounded to the next minute.
The TOTP daemon has also been tested with the OATH Token for iPhone, and it’s fully compliant. You’re more than welcome to report hardware and/or software tokens that work with it.
If you wish, you can check out the sources from Google’s SVN; full instructions are available in the project’s “source” section.
Nov 25, 2010
I started integrating TOTP into my Open Source software OTPD, a multi-protocol OTP server for Linux and Solaris that is capable of integrating with FreeRADIUS. The initial tests with softtokens are fine, but it fails with a hardware token. If you have a TOTP-compliant device, know its secret seed, and wish to contribute, please send me the device for testing.
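Both TOTP entries above (the Nov 25 hardware-token failure and the Nov 27 observation that the Feitian token’s clock seems rounded to the next minute) come down to how the RFC 6238 time step is derived and how wide a window the server accepts. The following Python is an added example and is not OTPD’s code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) over the RFCs’ published test seed, models the minute-rounding behaviour as a hypothesis (an assumption, not a confirmed description of the Feitian c200), and shows how a server-side validation window of ±1 step rejects such a token while ±2 accepts it. All names and the sample seed are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed sample seed: the 20-byte ASCII test secret from RFC 4226 / RFC 6238,
# used only so the outputs can be checked against the published test vectors.
TEST_SEED = b"12345678901234567890"
STEP_SECONDS = 30  # RFC 6238 default time step X


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def time_step(unix_time: int, step: int = STEP_SECONDS, t0: int = 0) -> int:
    """RFC 6238 counter T = floor((time - T0) / X)."""
    return (unix_time - t0) // step


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """Standard TOTP: HOTP over the current time step."""
    return hotp(secret, time_step(unix_time, step), digits)


def totp_minute_rounded(secret: bytes, unix_time: int, digits: int = 6,
                        step: int = STEP_SECONDS) -> str:
    """Hypothetical model (an assumption) of a token that rounds its clock up to the
    next full minute before deriving the step; used to reproduce the observed drift."""
    rounded = -(-unix_time // 60) * 60  # ceiling to a multiple of 60 seconds
    return hotp(secret, time_step(rounded, step), digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, digits: int = 6,
                step: int = STEP_SECONDS, window: int = 1):
    """Server-side check: accept codes within +/- window steps of the server clock.
    Returns the matching step offset, or None. The comparison is constant-time."""
    base = time_step(unix_time, step)
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + offset, digits), candidate):
            return offset
    return None


if __name__ == "__main__":
    now = 1111111109  # one of the RFC 6238 test times
    print("standard TOTP:  ", totp(TEST_SEED, now, digits=8))
    drifted = totp_minute_rounded(TEST_SEED, now, digits=8)
    print("minute-rounded: ", drifted)
    for w in (1, 2):
        print(f"window={w}:", verify_totp(TEST_SEED, drifted, now, digits=8, window=w))
```

With the time rounded up to the next minute, the token can sit up to two 30-second steps ahead of the server; a server that only tolerates ±1 step will reject every code from that device while an accurately clocked softtoken keeps passing. The defensive fix is on the validation side: widen the window slightly or record a per-token clock offset after the first successful login, rather than loosening the algorithm itself.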
Nov 09, 2010
The GnuTLS project is going to add OpenPGP support as a Transport Layer Security (TLS) authentication mechanism, as described by the same author in RFC 5081.
Currently GnuTLS has experimental support for OpenPGP keys. OpenPGP keys are similar to X.509 certificates, in the sense that they hold public key parameters. However, they also allow for non-hierarchical trust models. This is not like any other new feature; it is more like a policy change. Here follows a description of both models.
I’ve researched this for many years, and in my opinion it is far better than other proposals such as gpgauth or mod_auth_pgp. At the moment there’s a web server implementation through mod_gnutls under apache2, but no real client implementation is available. An example server and client are provided in the sources as gnutls-serv and gnutls-cli.
It sets the foundation for OpenPGP authentication, but it still has to be adopted in real programs. Will we witness a real peer-to-peer authentication mechanism succeed where PKI failed? I believe that the technology is there; we need to understand if there’s a will for it.
More on the GnuTLS web site.
Aug 30, 2010
Starting from today, both Filatelia and Pontiradio for iPhone are available for iOS 4.0 from the App Store.
Just run a standard update from iTunes.
Jul 04, 2010
We have reported that Filatelia and PontiRadio are crashing with iPhone OS 4.0. Debugging both, I found the same problem: an SDK API whose behavior has changed. I am working on the issue and I will release a new version as soon as possible.
May 08, 2010
I think that BetterSoftware 2010 was a great conference. It was maybe more oriented to developers than what I’m used to, but I do appreciate the organization very much, and the folks as well.
As far as my talk is concerned, thanks to everyone who listened. The slides are available here, while the official link for the talk is here. I do expect that the guys from Develer are going to publish the video of the talk sooner or later.
Apr 17, 2010
My slides have been released for the OSS BarCamp in Dublin; here they are:
Hope you enjoyed!
Apr 13, 2010
Slides are now available for the AIPSI Meeting of today on Cloud Computing and Security. Here’s the link:
http://www.gpaterno.com/publications/2010/AIPSI_Virt_April_2010.pdf