Read about it in more detail here on Red Hat’s site. This vulnerability affects all applications using certain versions of OpenSSL, so this is a cross-platform issue.

This isn’t nearly as atrocious as Heartbleed was, as there isn’t a chance of leaking your private keys. However, if you use Qualys Labs’ excellent SSL web scanner to check your site’s security, this will immediately degrade your web application to an “F”.

Scrutiny of SSL has been ramped up significantly in the wake of Heartbleed, so if your application deals with any kind of regulated data I suggest you patch your servers immediately.

For Ubuntu users, this means it is time to do an OS upgrade to 14.04 LTS unless you are running a previous LTS version that is still receiving security updates…

do-release-upgrade your way to a safer tomorrow…

I have tagged this post with “heartbleed” as folks researching that issue need to pay attention to this one as well. The fix is the same; patch OpenSSL!

Regards!

References:
https://access.redhat.com/site/articles/904433
https://www.ssllabs.com/ssltest/analyze.html

I have been a Chrome user since shortly after the browser launched. I contend that no other browser can quite match Chrome for speed and clean UI design.

However, in light of the recent NSA scandals and growing privacy concerns, Firefox has caught my eye again as a browser that is wholly open-source in nature.

So I have given it a go… a really strong go. I pretty much switched off of Chrome entirely. This was no simple task. As a person who does a lot of research, I often find myself handling 30 or 40 tabs at a time and have a fairly extensive bookmark library. However, I am soon going to be switching off of Firefox and back to Chrome or something else… Here is why… (more…)

I was reading a quick post today from one of the few bloggers that I currently follow and, as usual, he had some good insight into some current technological trends… namely the growing inclusion of touch-screens on everything. His article is worth the read and it will pique your interest if this is something you at all care about (I realize the vast swathe of humanity out there really doesn’t :)…).

Read it here:
http://senk9.wordpress.com/2014/05/25/my-thoughts-on-user-inputs-and-keyboards/

He also made a statement about how multi-monitor setups are crutches for those of us who don’t do good window management (I disagreed :)…). I went to write a “quick” response and realized I had a post on my hands. Happens every now and then…

You see, I have been in and around the tablet scene for several years now and have watched Android grow from version 1.6 all the way up to 4.4. I have probably owned/used 40+ tablets in my time, mostly Android, though a fair bit of Apple has been mixed in. I have also been doing hardcore IT work for a while now (going on 4 years I think?) and use a traditional desktop (ancient though they may be…) and laptop for most of that. So I have my feet firmly planted in both worlds. I agree that the idea of a converged device is probably where we are heading, and I don’t necessarily have an issue with it. Anyhow, here was my response:
(more…)

One of my glorious privileges in IT is managing and enforcing security policy for the company I work for. Being a Windows shop, one of the primary tools I use to that end is Group Policy.

For those of you not familiar with Group Policy, it is Microsoft’s gift (and sometimes curse) to admins such as myself. Group Policy, especially in a domain, is an incredibly powerful tool. It can be used to do all kinds of things, from the simple to the bizarre… across your entire enterprise. The basic premise is that you have a “policy” for how you want your machines to work. For example, you might want to enforce strong passwords, or you might want to do something as granular as granting one particular group of people specific security rights to a local folder on all workstations; perhaps you need to make sure that inbound RDP sessions are disabled by default on a specific set of machines… whatever you want, particularly if it is a Microsoft feature, most likely it can be centrally controlled and administered via Group Policy. Suffice it to say, it is an absolutely essential tool for any Windows administrator in any large enterprise (you know, more than 2 servers and 10 endpoints…), particularly when it comes to security. That is as much as I will say about it in this post.

I was presented with a particular problem recently. We needed to disable a Windows feature that was introduced in Server 2012 / Windows 8. Group Policy should do the trick… however, when I started digging around in the console I wasn’t finding the setting I needed. It quickly dawned on me that the majority of our domain controllers are running Windows Server 2008 R2… and the server I am trying to edit policy on is referencing policy definitions (ADMX files) for Server 2008 R2 / Windows 7, and therefore wouldn’t be aware of settings for Windows 8 / Server 2012 machines. What’s an admin to do?
(more…)
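The gap described above is in the policy definitions the editor loads, not in Group Policy itself. The following PowerShell script is an added example (not code from the original post) that shows which ADMX set the Group Policy editor will actually use on the machine you run it from, and which files a newer OS ships that your store lacks. It assumes a domain-joined admin workstation where `$env:USERDNSDOMAIN` is set, that any central store lives at the standard SYSVOL path, and that `C:\temp\Win2012-PolicyDefinitions` is a hypothetical folder you have copied from a Windows 8 / Server 2012 machine’s `%SystemRoot%\PolicyDefinitions`.

```powershell
# Added example (not from the original post): show which ADMX definitions the
# Group Policy editor loads and which files a newer OS ships that are missing.
# Assumptions: domain-joined workstation, $env:USERDNSDOMAIN set, standard
# SYSVOL central store path. Read-only; nothing is changed.

$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"

# The editor prefers the central store when one exists; otherwise it falls back
# to the local folder of whichever machine GPMC is running on, which is why an
# older DC or admin box only shows older settings.
if (Test-Path $central) {
    $source = $central
    Write-Host "Editor loads definitions from the central store: $central"
} else {
    $source = $local
    Write-Host "No central store found; editor loads local definitions from: $local"
}

$inUse = @(Get-ChildItem -Path $source -Filter '*.admx')
Write-Host ("{0} ADMX files in use" -f $inUse.Count)

# Every .admx declares a revision attribute on its <policyDefinitions> root;
# newer OS releases ship higher revisions and extra files, so a missing file
# or a low revision explains why a Windows 8 / Server 2012 setting is absent.
function Get-AdmxRevision([string]$Path) {
    [xml]$doc = Get-Content -Path $Path
    return $doc.policyDefinitions.revision
}

# Hypothetical reference folder copied from a Windows 8 / Server 2012 machine.
$reference = 'C:\temp\Win2012-PolicyDefinitions'
if (Test-Path $reference) {
    $ref = @(Get-ChildItem -Path $reference -Filter '*.admx')
    $missing = @(Compare-Object -ReferenceObject $ref.Name -DifferenceObject $inUse.Name |
        Where-Object { $_.SideIndicator -eq '<=' } |
        ForEach-Object { $_.InputObject })
    Write-Host ("{0} ADMX files exist on the newer OS but not in the store in use:" -f $missing.Count)
    $missing | ForEach-Object { Write-Host "  $_" }

    # For files present in both places, flag those where the newer OS has a
    # higher revision than the copy the editor is loading.
    foreach ($f in $ref) {
        $old = Join-Path $source $f.Name
        if (Test-Path $old) {
            $oldRev = Get-AdmxRevision $old
            $newRev = Get-AdmxRevision $f.FullName
            if ([double]$newRev -gt [double]$oldRev) {
                Write-Host ("  {0}: in use rev {1}, newer OS rev {2}" -f $f.Name, $oldRev, $newRev)
            }
        }
    }
} else {
    Write-Host "Reference folder $reference not found; skipping comparison."
}
```

The script only reports; it does not copy anything into SYSVOL. Its value is in confirming the diagnosis in the post: if no central store exists, every admin sees only the definitions on their own machine, and if one exists but was populated from a 2008 R2 / Windows 7 box, it will lack the newer files and revisions the comparison prints.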

In a post-Heartbleed world, implementation of SSL is being scrutinized like never before (at least in my short years of experience in information security). Even though Microsoft/IIS implementations were hardly, if at all, affected by Heartbleed, they do often suffer from other common SSL vulnerabilities. This is particularly true of Microsoft Server 2003 R2 / IIS 6.5 and older setups.

Back in the olden days (you know, like 5 – 10 years ago…) before massive Chinese supercomputers, NSA spying programs, and 30-core processors, a 48-bit SSL cipher may have been considered sufficient, as the length of time it would take to brute-force decrypt collected data was significant on the hardware of the day. Not so much anymore.

Fast forward to today: many environments still have aging servers sitting around from a bygone era whose weak implementation of SSL poses a security risk. It is time to turn off archaic SSL ciphers on these old boxes and strengthen your connection security.

So… before you read any further, you need to check a few things to find out if this article is relevant to you.

First, do you host any websites in IIS that use SSL? (i.e. do they have “HTTPS” preceding the URL?) (more…)
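Before turning anything off, it helps to know what the server currently allows. On Windows, IIS does not choose ciphers itself; the SCHANNEL provider does, driven by registry keys under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`. The script below is an added example (not from the original post) that reads those keys and reports every legacy protocol and cipher that has not been explicitly disabled. It assumes that on the older Windows versions discussed here a missing key or missing `Enabled` value means the OS default applies, which for these legacy algorithms is “enabled”; the list of names is the set of registry key names Windows uses for them.

```powershell
# Added example (not from the original post): audit SCHANNEL for legacy SSL
# protocols and ciphers that are not explicitly disabled on this IIS host.
# Assumption: a missing key/value means the OS default, which on the older
# systems in question is "enabled" for these algorithms. Read-only.

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# These are the literal registry key names Windows uses. Several contain "/",
# which the PowerShell registry provider treats as a path separator, so the
# keys are opened through the .NET registry API instead of Get-ItemProperty.
$legacyProtocols = @('SSL 2.0', 'SSL 3.0')
$legacyCiphers   = @('NULL', 'DES 56/56',
                     'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                     'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128')

function Get-SchannelEnabled([string]$SubKey) {
    # Returns $true (explicitly enabled), $false (explicitly disabled),
    # or $null (not configured at all, so the OS default applies).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($key -eq $null) { return $null }
    $value = $key.GetValue('Enabled')
    $key.Close()
    if ($value -eq $null) { return $null }
    return ($value -ne 0)
}

function Get-SchannelFindings {
    # Collects one line per legacy protocol/cipher that is still usable.
    $findings = @()
    foreach ($p in $legacyProtocols) {
        $state = Get-SchannelEnabled "Protocols\$p\Server"
        if ($state -ne $false) {
            $label = if ($state -eq $null) { 'not configured (OS default)' } else { 'explicitly enabled' }
            $findings += "Protocol $p (server side): $label"
        }
    }
    foreach ($c in $legacyCiphers) {
        $state = Get-SchannelEnabled "Ciphers\$c"
        if ($state -ne $false) {
            $label = if ($state -eq $null) { 'not configured (OS default)' } else { 'explicitly enabled' }
            $findings += "Cipher $c: $label"
        }
    }
    return $findings
}

$results = @(Get-SchannelFindings)
if ($results.Count -eq 0) {
    Write-Host 'All legacy SSL protocols and ciphers are explicitly disabled.'
} else {
    Write-Host ("{0} legacy protocol/cipher settings still allow weak SSL:" -f $results.Count)
    $results | ForEach-Object { Write-Host "  $_" }
}
```

Run it in an elevated PowerShell session on the IIS host. Each reported item is one you would disable by creating the corresponding key (if absent) and setting its `Enabled` DWORD to 0; SCHANNEL reads these values at boot, so a restart follows. Because the provider-level settings apply to every HTTPS site on the box, re-checking with the SSL Labs scanner referenced in the earlier post is the quickest way to confirm the change took effect externally.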