Mailing Lists: Apple Mailing Lists


Re: [Fed-Talk] Paranoid or what



/usr/sbin/ocspd

This is the "Online Certificate Status Protocol" daemon that processes ALL Certificate Validation. This handles both CRL - Certificate Revocation Lists & OCSP - Online Certificate Status Protocol validation of certificates.

You configure which CRL or OCSP or even both CRL & OCSP validation you want your client to perform -- along with if it is required, off, or best attempt. This is configured under Keychain Access -> Preference -> Certificates.


http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci784421,00.html



Mac OS X 10.4.x provides client-side OCSP, while server side is provided by one of the following vendor products of your choice:


CoreStreet		http://www.corestreet.com/
Tumbleweed		http://www.tumbleweed.com/

It is good to be paranoid, but this is not an item you need to be paranoid about...

-Shawn

On Jan 18, 2006, at 6:22 PM, Michael Pike wrote:

Ok... this whole screen not locking after 10.4.4 and nobody else having the problem really concerns me.

I did a (at the shell) process monitor (ps aux), and didn't notice anything weird other than:

/usr/sbin/ocspd

There is no manual entry for it, and when run directly it just says "Abort Trap".... after a reboot, my machine now locks properly upon screen saver abort.

I'm not in a high security agency, but it strikes me as very peculiar that my computer sat all night on a screen saver and when I came in in the morning didn't require a password, even though I rebooted after the 10.4.4 update.

I use FileVault as well for file protection, but I am worried that perhaps a key logger or something may have been installed.

To my knowledge, to install an application they would still need my admin password, but they could install a binary application at the shell level and effectively install a key logger or some other type of malware without an admin password considering they potentially had access to my account and shell.

Does anyone know what this OCSPD application does? We had some Linux machines at one time that got the "froggy" bug (showed up as frgy in process monitor) that would capture passwords and email them out.

Would it be overkill to rebuild my machine from scratch, or is there an easy way to determine if something has been placed on here to capture keystrokes, keychains, etc.

Singing - "I always feel that.... somebody's watching meeeeeeeeee",

Mike

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/fed-talk/email@hidden

This email sent to email@hidden

- Shawn
___________________________________________
Shawn Geddis                      T (703) 264-5103
Security Consulting Engineer      C (703) 623-9329
Apple Enterprise Sales            email@hidden

Apple Computer, Inc.
1892 Preston White Drive          T (703) 264-5100
Reston, VA 20191
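
The three settings named in the message above (off, best attempt, required), applied to OCSP and CRL together, as an added example that is not part of the original message and not Apple's implementation. It is a simplified Python model: the names `Mode`, `Status`, `check_method` and `validate`, and the treatment of "no answer", are assumptions made for illustration.

```python
from enum import Enum

class Mode(Enum):            # per-method setting, named after the message's wording
    OFF = "off"
    BEST_ATTEMPT = "best attempt"
    REQUIRED = "required"

class Status(Enum):          # what the revocation source reported (assumed model)
    GOOD = "good"
    REVOKED = "revoked"
    NO_ANSWER = "no answer"  # responder or CRL unreachable, timeout, bad response

def check_method(mode, status):
    """Decide one method (OCSP or CRL). Returns (accept, reason)."""
    if mode is Mode.OFF:
        return True, "not checked"
    if status is Status.REVOKED:
        return False, "revoked"
    if status is Status.GOOD:
        return True, "good"
    if mode is Mode.REQUIRED:            # hard fail: no answer means reject
        return False, "required, but no answer"
    return True, "best attempt, accepted without an answer"  # soft fail

def validate(ocsp_mode, ocsp_status, crl_mode, crl_status):
    """Accept only if every enabled method accepts. Returns (accept, details)."""
    details = {
        "OCSP": check_method(ocsp_mode, ocsp_status),
        "CRL": check_method(crl_mode, crl_status),
    }
    return all(ok for ok, _ in details.values()), details

# Constructed scenarios: (OCSP mode, OCSP status, CRL mode, CRL status)
SCENARIOS = [
    (Mode.BEST_ATTEMPT, Status.GOOD, Mode.OFF, Status.NO_ANSWER),
    (Mode.BEST_ATTEMPT, Status.NO_ANSWER, Mode.OFF, Status.NO_ANSWER),
    (Mode.REQUIRED, Status.NO_ANSWER, Mode.OFF, Status.NO_ANSWER),
    (Mode.BEST_ATTEMPT, Status.NO_ANSWER, Mode.REQUIRED, Status.REVOKED),
]

if __name__ == "__main__":
    for om, os_, cm, cs in SCENARIOS:
        ok, details = validate(om, os_, cm, cs)
        print(f"OCSP={om.value}/{os_.value} CRL={cm.value}/{cs.value} "
              f"-> {'ACCEPT' if ok else 'REJECT'} {details}")
```

In this model, best attempt accepts a certificate whenever no answer arrives, so only the required setting guarantees that a revocation is seen before the certificate is trusted.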


