Wednesday 21 December 2011

Security Theatre in the Hospital

I was listening to the radio this morning and heard this story about how the local children's hospital is reducing waste.

One of the things they are removing from the emergency rooms is the paper that lays across the examination tables.

An emergency room doctor explained that the paper doesn't really contribute to the infection control program at the hospital, it's only really there for patient peace of mind.   You know, so it looks clean and fresh, and through its use, convinces us that the room is clean.

Sounds a lot like security theatre.

Thursday 24 November 2011

Happy Thanksgiving!

Just a quick note to wish all of my American friends a happy thanksgiving.

(Even though they didn't wish me one on my thanksgiving.)

Friday 18 November 2011

Domino Disk Performance

So, today marks the first day that I've had a chance to play with our new Domino server.   Most of the hardware is pretty standard.   IBM 3650M2 hardware, 12GB of RAM and 2 quad core CPUs.

Usually, the performance bottleneck I run into is disk access.   Today, I'm trying some new hardware to see if we can eliminate that bottleneck.

Here are my first results:

This spike was the result of starting a compact -C on a database with a size of 1.6GB and 150,000 documents.  It took 2 minutes to complete.

I'll let you know how performance continues.

Thursday 17 November 2011

RCMP Camera Gaffe and Security Policies

I read about the RCMP's gaffe with leaving images from past investigations on a camera used for surveillance of a suspected graffiti artist, and immediately thought of this article entitled "IT Security policies Widely Ignored, Survey Suggests".

Is that what happened?   Was it a process issue, or a policy issue?

I wonder if we'll ever know?

Wednesday 16 November 2011

Anonymous and the City of Toronto

Toronto Mayor Rob Ford is confident that City of Toronto systems are secure after a threat from hacking group Anonymous.

I read that in an article from SC Magazine.  He really couldn't say anything else, but I wonder if he really believes it.   I also wonder what City of Toronto CIO David Wallace is thinking...   After large takedowns of Sony and the like by Anonymous, he's probably not as confident.

Tuesday 15 November 2011

Help: Domino ACLs and Email Address as User Login

It's not often I resort to the LazyWeb method of looking for information, but I haven't had any luck finding what I was looking for otherwise.

I have a client who wants to use their email address to log in to a Domino web application.

My memory tells me that there is/was an issue with this and using Groups in the ACL of the Domino database.

Can anyone point me to any resources on how to do this, or that it can't be done, or anything along those lines?


Friday 4 November 2011

Security Notice: THC-SSL-DOS, Lotus Domino and SSL Renegotiation

A group released a tool called THC-SSL-DOS.  Here's a clip from their site:

THC-SSL-DOS is a tool to verify the performance of SSL.

Establishing a secure SSL connection requires 15x more processing power on the server than on the client.

THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.

This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed.

This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection.

It's also been covered in various places on the web, like here or here.

While it doesn't look like there is much that can be done to mitigate it, you may get some relief for your Lotus Domino servers (and other software that uses Domino as a platform) by disabling SSL Renegotiation.

It's an option available in the following releases of Lotus Domino:

  • Lotus Domino 8.0.2 Fix Pack 6 +

  • Lotus Domino 8.5.1 Fix Pack 4 +

  • Lotus Domino 8.5.2 +

  • Lotus Domino 8.5.3 +

The fix is the Notes.ini parameter below.


This Notes.ini parameter was originally released in response to CVE-2009-3555, which detailed a Man-In-The-Middle attack that would allow the attacker to insert data in HTTPS sessions, and possibly other sessions secured by SSL.   (I'm looking at you, LDAP, SMTP, and POP3.)

Wednesday 2 November 2011

National IT Day in Canada

Today is National IT Day in Canada.

I guess this is the day I get some respect...

Hmm. Nothing yet. Guess I'll keep waiting.

Tuesday 1 November 2011

Greece, a Referendum and Security

About now, some people will be pontificating that if Greek citizens vote down austerity measures, Greece will run out of money in a matter of days, and that the world/European economy will go into a tailspin shortly thereafter.

I suspect that if that occurs, there will be a rather public hack of Greece's infrastructure, taking advantage while they are down.   Quite possibly, it will be an inside job, by someone disgruntled that they are broke.


Spoofing a Cell Tower

It's interesting that a little more than a year after a security researcher proved at DefCon that he could spoof a cell tower, the UK police have purchased a system to do the same thing.

Keyloggers 101

Great video post from the Ethical Hacker Network on Keyloggers.

Shows the basics about keyloggers, how hidden they are, and how to detect them.

Thursday 27 October 2011

VirusTotal - Free Online Virus, Malware, and URL Scanning

I found out about VirusTotal today.

It's run by a Spanish company, and offers free, online virus checking.

The best part in my mind?  It's crowd-sourcing your anti-virus.

You submit a suspect file, it's scanned by 42 different anti-virus applications, and the results get displayed to you.  If the file is picked up by at least one of the 42 anti-virus programs, then they each get a copy of the file to test to improve their products.

By you testing a file, you're potentially helping keep everyone safe.

Tuesday 25 October 2011

Reading List for 24 Oct 2011

A few good articles I read today:

Tool lets low-end PC crash much more powerful webserver
Hackers have released software that they say allows a single computer to knock servers offline by targeting a well-documented flaw in secure sockets layer implementations.


Down the Rabbithole Podcast Episode 4 - Effective Small Business Security


Pocket Guide To Securing Mobile Devices
With workers bringing their own smartphones and tablets into the company, IT security needs to focus on creating a more secure environment, not on securing each device


Stay Cool, Nobody is Calling Your Baby Ugly
Conversations for developers and information security specialists.


Six Security Assessments You’ve Never Had But Should

Friday 21 October 2011

Electronic Communications Privacy Act targeted by Internet Rivals

Both Facebook and Google have also come out against the ECPA to protect information entrusted to them by their users.

CNet: Google, Facebook go retro in push to update 1986 privacy law

Ars Technica: The Shocking Strangeness of our 25-year-old Digital Privacy Law

Electronic Communications Privacy Act and the Cloud

Great article from Threat Level.   Worth the read, and giving some thought to how you or your company may be affected, especially if you are a foreign company with cloud services in the United States.
ECPA allows the government to obtain, without a warrant, any content stored in the cloud — such as files in a Dropbox account, if it’s older than six months. It goes without saying that there was no such thing as cloud-storage services available for the average Joe Sixpack when Reagan was president. Now those services have become mainstream, yet the Reagan-era law applies.

Thursday 20 October 2011

Running a Security Program without a Budget

I've been thinking more and more about small businesses and security recently.   Most small businesses don't have the budget to run their own security program.   These organizations, which employ many, many people, are often left vulnerable.   Larger organizations have the budget to fund a security program, while most small businesses don't.

I've pointed out before that most small businesses don't have an information security program.

I spotted a great article earlier today that dealt with the concept of security below the poverty line, and it contained both a podcast and a link to a research paper published by the 451 Group.   I'm not going to link directly to the research, as the 451 Group decided to make it available for free through The Ashimmy Blog, and not through my site.  Credit where credit is due.

As a small business owner, what 4 steps can you take to drastically improve your security?

  1. Introduce an acceptable use policy.  Let your employees know what is, and what isn't acceptable.  Teach them what to watch for, and why, and who to advise when something looks wrong.

  2. Implement forensic accountability.  Do away with shared passwords and shared accounts.  You want to make sure that should something go wrong, you can determine who did what.

  3. Purchase legitimate software.  Downloading pirated software can often introduce backdoors and other malware into your system that your anti-virus won't detect.

  4. Maintain physical security.  Make sure that no one can just walk into your office, pick something up (or drop something off) and walk out.

Wednesday 19 October 2011

SANS Ouch! - October 2011

The latest edition of SANS Ouch! is out.

Every month they publish a newsletter directed at the typical web user.  Not those of us with a heightened awareness of security, but people like your office manager, mail room clerk or your parents.

This month's newsletter deals with a critical step in protecting your data.  Backups.

I encourage you to take a look, and disseminate it to your staff.   In fact, they even encourage you to do that.

It is available in English, French, Arabic, Italian, Korean, Malaysian, Polish, Portuguese, Spanish, and both Simplified and Traditional Chinese.

You can now follow Securing the Human on Facebook and Twitter too.

Friday 14 October 2011

Conference Call Systems and Security

I found a very interesting article talking about the security surrounding conference call systems, and the ease there is with some systems to allow you to eavesdrop in on calls.
Your competitors are simply dialing into insecure conference call lines and silently listening in. This happens at all levels … from the executive team making bajillion dollar decisions all the way down to those of us in the trenches talking shop on the technologies we use to build solutions. And the problem is only going to get worse as the workforce continues to migrate to more distributed environments.

It's a great article, and a really good read.   I even mentioned it to an acquaintance, who told me of a time it happened to him.

The Vulnerability We All Love to Ignore - NovaInfosecPortal

Scary.  (And not in a good Halloween-type scary...)


Thursday 13 October 2011

Trade Magazines: eWeek

I've been reading eWeek on and off for quite a few years now.

They bill themselves as:

Enterprise IT’s trusted source for product information in an actionable context, including expert labs analysis and practical tools for evaluating, acquiring, installing, configuring and maintaining technology products and services.

It's a trade magazine for Enterprise IT professionals.  If you qualify, you can get a free print or digital subscription if you live in the US or Canada.

They have fairly timely news and opinion pieces, both of which are rather high-level overviews.   Not a lot of depth to the articles.   I find it rather advertiser heavy, and content lacking, but it is free, which means that the advertisers pay for it.

RSS Feeds:

Domino not starting on Windows 2008 R2

If you are like me and set up your Domino server on one IP address and move it to another, under Windows 2008 R2 you may end up in a situation where the server refuses to start after you change the IP address.

To fix it, add the following line to your notes.ini file, replacing with the IP of your server:


Thursday 6 October 2011

Facial Recognition on Spark

There are many privacy concerns about facial recognition.

Imagine being able to identify someone by taking their photo with your phone.   What about combining that with cloud computing to determine someone's address, and date of birth?   Or perhaps their Social Security Number?

Worse yet, who is already using facial recognition?   What if the police were using it in conjunction with CCTV feeds to track you, or someone you know?   What if criminals were instead?

There was a great piece on Spark, a radio show on the CBC that shows how technology affects our lives.  I encourage you to have a listen.

Wednesday 5 October 2011

Published: Securing Lotus Domino For the Web - Email Relay

Due to issues I had with Scribd, I'm posting my paper entitled "Securing Lotus Domino For The Web - Email Relay" here on my site.


Securing Lotus Domino for the Web - Email Relay

Friday 30 September 2011

Every Application and Device Needs a Retirement Plan

Here's a great headline that grabbed my attention this morning:
Air traffic control data found on eBayed network gear

Turns out this fellow in the UK bought a Cisco switch on Ebay for £20.    When he saw the sticker on the back that said NATS (National Air Traffic Services), he started poking around.

He found internal VLAN estate data, information about the SNMP community strings (read and write, named after aircraft funnily enough), some ideas about password composition, VTP Trunk info and password, and details of upstream switching.   Enough that it would allow you to plug it into a port connected to the NATS network and 'become' part of the network, allowing you access to all the network traffic.

My first thought after reading this article?    How does the NATS in the UK not have a retirement/decommissioning plan that would have addressed this?    After all, the UK was the country that developed the ITIL framework, and system decommissioning is a core part of the service lifecycle.


Canadian Government Proposes Mandatory Data Breach Reporting

The Canadian Government proposed changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) that would force organizations to report personal information breaches to both the privacy commissioner and the affected individuals.

The changes are part of a proposed bill that died on the floor of parliament when Canada went to the polls to elect a new government this past May.
"Ensuring trust and confidence through the protection of personal information is essential to the growth of the digital economy.  Our government will continue to help protect consumers and businesses from the misuse of their personal information, thereby increasing confidence in the online marketplace." - Industry Minister Christian Paradis

Organizations would be required to inform individuals if there had been a breach that might result in 'significant harm' to an individual.   Significant harm could be defined as identity theft, fraud or risk to a person's reputation.

Other changes that could be made to the Personal Information Protection and Electronic Documents Act (PIPEDA) could include:

  • Clarifications that organizations can disclose personal information requested by government institutions and law enforcement and security agencies without a warrant, subpoena or court order.  The change would prohibit such organizations from notifying those affected by the disclosure of their personal information if the law enforcement or government institution requesting the information objects to the disclosure.

  • Changes to the Act would allow for the release of personal information to help protect victims of financial abuse, locate missing persons or identify people who might be injured, ill or deceased.

  • Disclosure of personal information without consent would be allowed for private sector investigations and fraud prevention.

  • Consent would no longer be required for the collection, use and disclosure of information needed for managing employment relationships, information produced for work purposes, information used for due diligence in business transactions, or business contact information for day-to-day business.


Tuesday 27 September 2011

How To: Mitigate the SSL/TLS Vulnerability for Lotus Domino

I've been doing quite a bit of research into the BEAST (Browser Exploit Against SSL/TLS) vulnerability that security researchers Juliano Rizzo and Thai Duong demonstrated at the ekoparty security conference in Buenos Aires on Friday.

The session at ekoparty revealed the technical details about how the exploit works and the vulnerability it exploits.   The vulnerability has been known for quite a while.

The vulnerability affects SSL/TLS ciphers that use the Cipher Block Chaining (CBC) mode. These include the popular AES and Triple-DES encryption methods.  The easiest way to mitigate the vulnerability is to switch to an encryption algorithm that doesn't use CBC, like those based on the RC4 stream cipher.

Interestingly enough, Google websites don't use CBC based encryption.  They use the RC4 encryption cipher instead.


Domino Server BEAST Mitigation - With Internet Site Documents

  1. In the Domino Administrator Client, open the 'Configuration' tab and expand 'Web' and 'Internet Sites'.

  2. Open the Internet Site Document for the server.

  3. Click on the 'Security' tab.

  4. Under 'SSL Options' section, change the 'Protocol Version' to 'V3.0 only'.

  5. Under the 'SSL Security' section, modify the list of SSL ciphers so that only the following ciphers are selected:

    1. RC4 encryption with 128-bit key and MD5 MAC

    2. RC4 encryption with 128-bit key and SHA-1 MAC

    3. RC4 encryption with 40-bit key and MD5 MAC

  6. Save the Internet Site Document.

  7. Restart the HTTP task.
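As an added example (not code from the original post), here is a Python check of an Internet Site document's SSL settings against steps 4 and 5 above. The cipher names are the ones Domino offers in its SSLv3 cipher list; the classification of AES, Triple DES and DES as CBC suites reflects how SSL 3.0 uses block ciphers, and the 128-bit "strong key" threshold is my assumption.

```python
"""Check a Domino Internet Site document's SSL settings for the BEAST mitigation."""
import re
from dataclasses import dataclass
from typing import List

# Cipher choices as Domino lists them in the 'SSL Security' section.
DOMINO_SSLV3_CIPHERS = [
    "AES encryption with 128-bit key and SHA-1 MAC",
    "AES encryption with 256-bit key and SHA-1 MAC",
    "RC4 encryption with 128-bit key and MD5 MAC",
    "RC4 encryption with 128-bit key and SHA-1 MAC",
    "Triple DES encryption with 168-bit key and SHA-1 MAC",
    "DES encryption with 56-bit key and SHA-1 MAC",
    "RC4 encryption with 40-bit key and MD5 MAC",
]

# In SSL 3.0 / TLS 1.0 every block cipher runs in CBC mode with the previous
# record's last block as IV; that chained IV is what BEAST exploits.
CBC_BLOCK_CIPHERS = {"AES", "Triple DES", "DES"}
STREAM_CIPHERS = {"RC4"}           # stream ciphers have no IV chaining
MIN_STRONG_KEY_BITS = 128          # assumption: 40/56-bit export keys are weak
REQUIRED_PROTOCOL = "V3.0 only"    # step 4 in the post

# Accepts both "128-bit" (Internet Site document) and "128bit" (admin notes).
_SUITE_RE = re.compile(
    r"^(?P<alg>.+?) encryption with (?P<bits>\d+)-?bit key and (?P<mac>\S+) MAC$")


@dataclass(frozen=True)
class Suite:
    algorithm: str
    key_bits: int
    mac: str

    @property
    def mode(self) -> str:
        if self.algorithm in STREAM_CIPHERS:
            return "stream"
        if self.algorithm in CBC_BLOCK_CIPHERS:
            return "CBC"
        return "unknown"

    @property
    def beast_exposed(self) -> bool:
        # Anything that is not a known stream cipher is treated as exposed.
        return self.mode != "stream"


def parse_suite(text: str) -> Suite:
    """Parse one Domino cipher description into its algorithm, key size and MAC."""
    m = _SUITE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised cipher description: {text!r}")
    return Suite(m.group("alg"), int(m.group("bits")), m.group("mac"))


def audit(selected: List[str], protocol_version: str) -> List[str]:
    """Return findings for the selected ciphers and protocol; empty means steps 4 and 5 are met."""
    findings: List[str] = []
    if protocol_version != REQUIRED_PROTOCOL:
        findings.append(
            f"Protocol Version is {protocol_version!r}; step 4 requires {REQUIRED_PROTOCOL!r}")
    if not selected:
        findings.append("no ciphers selected; HTTPS would not work at all")
    for text in selected:
        try:
            s = parse_suite(text)
        except ValueError:
            findings.append(f"cannot classify {text!r}; treat it as exposed and deselect it")
            continue
        if s.beast_exposed:
            findings.append(
                f"{s.algorithm} {s.key_bits}-bit uses {s.mode} mode: exposed to BEAST, deselect it")
        elif s.key_bits < MIN_STRONG_KEY_BITS:
            findings.append(
                f"{s.algorithm} {s.key_bits}-bit key is export-grade: not a BEAST issue, but weak")
    return findings


def beast_safe_subset(ciphers: List[str] = DOMINO_SSLV3_CIPHERS) -> List[str]:
    """The ciphers step 5 leaves selected: only the RC4 (stream) suites."""
    return [c for c in ciphers if not parse_suite(c).beast_exposed]


if __name__ == "__main__":
    for finding in audit(DOMINO_SSLV3_CIPHERS, "V2.0 and V3.0"):
        print("-", finding)
    print("keep selected:", beast_safe_subset())
```

Note that the 40-bit RC4 suite in step 5 is not a BEAST problem, but the audit still flags it as export-grade so you can decide whether to keep it.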

Domino Server BEAST Mitigation - Without Internet Site Documents

There does not seem to be a way to specify the SSL protocol version for Domino without using Internet Sites.   There is an SSL Protocol Version field on the server document, however it states that it does not apply to the HTTP task.

With that said, I look forward to the day that there is TLS support for Lotus Domino.   (And data-at-rest encryption that is stronger than RC4, but that's for another day.)

NIST Releases Guide for Conducting Risk Assessments

National Institute of Standards and Technology (NIST) has released the Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1).

As threats to cyber systems grow more and more complex, risk assessments help companies determine appropriate responses to mitigate risks to their organizations, guide investment strategies and maintain ongoing situational awareness of the state of their systems.

Overall guidance for risk assessment for information security can be found in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39).


Microsoft Releases a TLS 1.1 Fix Tool for Windows

Microsoft has released a security advisory relating to the SSL/TLS vulnerability previously discussed.   Included in the advisory are a workaround and a tool that can implement a fix on Windows 7 and Windows Server 2008 R2 systems.

If you're using a version of Windows prior to version 7 or Server 2008 R2, your system doesn't even support TLS 1.1.   Your only hope is that server admins fix the SSL/TLS problem on their web servers.

Interestingly enough, the RC4 cipher suite is unaffected.   Only encryption based on CBC (cipher block chaining) is affected.   RC4 is a stream cipher, which is not affected.

Friday 23 September 2011

Pssst... Want to buy some patient records?

You know, probably not the best words in an article about lost patient records to link ads from if you want your website to look legit.

Just saying...

Swedish Computer System Crash; 50 000 lost medical records

A computer system crash in Region Skåne, Sweden has resulted in the loss of appointment and prescription records, and may have resulted in the loss of over 50 000 medical records.

The affected hard drives have been shipped to a Norwegian company to attempt to recover the information lost in the crash that occurred on August 22, 2011.  (Almost a month ago as of the publication of this post.)

The cause of the crash is still under investigation, and the extent of the data loss is still unknown.
”We have never before lost so much information,” Mette Marklund, director of the National Board of Health and Welfare’s Southern Region, told DN. ”It can be a great risk to patient safety when we do not have access to adequate information. But, we do not know yet what to rebuild.”

Interestingly enough, Region Skåne is scheduled to launch a central medical record system for the entire nation in 2012.

Ed. Note:  I'm not certain how a health organization in a first world country could have started a project so large and so far reaching and not have given any thought to data backup or disaster recovery, especially when you consider the risk to human life that the loss of medical records might entail.



Thursday 22 September 2011

My ATM is running Windows 98?

Picture this: you walk up to an ATM belonging to your bank and find the error below on the screen.

Do you change banks?



(IN)SECURE Magazine number 31 is available

If you work in IT security, and you don't read (IN)SECURE Magazine, you should take a look at it.

Here is the article list for issue 31:

  • The changing face of hacking

  • Review: [hiddn] Crypto Adapter

  • A tech theory coming of age

  • SecurityByte 2011: Cyber conflicts, cloud computing and printer hacking

  • The need for foundational controls in cloud computing

  • A new approach to data centric security

  • The future of identity verification through keystroke dynamics

  • Visiting Bitdefender's headquarters

  • Rebuilding walls in the clouds

  • Testing Domino applications

  • Report: Black Hat 2011 USA

  • Safeguarding user access in the cloud with identity governance

Wednesday 21 September 2011

IBM Lotus Domino and the SSL/TLS known vulnerability

Based on this article, I started thinking about how the fallout from the SSL/TLS vulnerability may affect me.

I wasn't ready for what I found.

As it turns out, as detailed in this IBM tech note, there is no support for TLS 1.0, TLS 1.1 or TLS 1.2 for Domino's HTTP server.   There is only support for SMTP (through STARTTLS) and SIP (for Sametime) within Domino.   All other Lotus Domino Internet-based protocols (HTTP, LDAP, POP3, IMAP) support SSL up to 3.0.

So...    As for a plan, it looks like you can probably put your Domino servers behind a WebSphere Edge Server doing reverse proxy.   Much like you would have to do if you were looking to make Domino FIPS 140-2 compliant.






Looking for a Lotus job?

If you are looking for a job revolving around one of the IBM/Lotus technologies, make sure you take a look at Tom Duff's website.   He posts daily on the new jobs that surface in the Lotus world.

Duffbert's Lotus Jobs


Known Vulnerability in SSL/TLS is now a Problem

In case you didn't read it here, or here, there has been a successful exploit for a long known vulnerability in all versions of SSL and TLS 1.0.

Although the vulnerability has been known since the early iterations of SSL, up until now, it was thought to be un-exploitable.

Thanks to the work of Juliano Rizzo and Thai Duong (who previously brought an issue to light with ASP.NET that caused Microsoft to release an 'out-of-band' patch), the vulnerability has been exploited through a web browser.

What does this mean for us, the security practitioners?   It may be time to implement and enforce the use of TLS 1.1 or TLS 1.2 soon.  Attacks against SSL/TLS 1.0 have yet to show up in the wild, but it is only a matter of time.

Still unsure about what SSL/TLS is?   Here's a good reference.

(Note: I didn't like the spin used by the news article entitled "Online banking encryption broken" on the CBC's website about the exploit.  It harkens to fear mongering to me.)

Update: The presentation to be given at the EKOParty security conference will provide all of the details on the exploit.  It may be related to this paper.

Tuesday 20 September 2011

Cybersecurity Awareness Month

The Department of Homeland Security (DHS) in the United States has set October as National Cybersecurity Awareness month.

Despite choosing one month to bring public awareness to cybersecurity,  most security professionals recommend practicing cybersecurity year round, not just in October.

You'll probably want to think about things on the list below during October.

  • Anti-Virus

  • Firewalls

  • Backups

  • Software Updates

You should also review the list of what to do when things go wrong (as most things eventually will).   You can find that resource here:

Friday 16 September 2011

Great Deal - Games on Sale

Mrs. Tiggy Winkle's in Ottawa has a Groupon deal today.

$15 for $30 Worth of Toys and Games

They have a fairly good selection of board games, and a fair number of Euro games.

Thursday 15 September 2011

Great Cryptography Reference

Do you know some of the basics of cryptography, like what a Caesar cipher is?   How about a Vigenère table?  Are you looking for an easy reference on what data encryption is?

Check it out!

Securing The Human

Part of SANS' security awareness program is a site called 'Securing The Human'.

Every month they publish a newsletter directed at the typical web user.  Not those of us with a heightened awareness of security, but people like your office manager, mail room clerk or parents.

This month's newsletter, appropriately called 'OUCH!', deals with privacy and security surrounding social networking.

I encourage you to take a look, and disseminate it to your staff.   In fact, they even encourage you to do that.

It is available in English, French, Arabic, Italian, Korean, Malaysian, Polish, Portuguese, Spanish, and both Simplified and Traditional Chinese.

Thursday 11 August 2011

Using Comics to Teach a Lesson

I'm a closet comic fan, I always have been.   I've found it can be a great way to get a lesson across, especially to children and teens.

As a result, I always enjoy when I find a comic that I can use as part of a training I am giving, or a presentation I make.   I found one of those yesterday, and I wanted to share it.

Post it in your lunchroom, post it on a bulletin board.  Post it where people will read it, and hopefully learn from it.

Wednesday 10 August 2011

Wikimania Prize Package

I got my Wikimania prize package in the mail the other day.

There were numerous items including a Spam Sentinel t-shirt, some IBM bottle openers, IBM bottle sleeves, and the best part, a copy of the Mastering XPages book.

Gotta love it!

Update: I just got a note from one of the organizers asking if I got the mugs.   Yup, I did.  Two shiny IBM mugs as well.   I'll snag a photo of it all tonight.

Admin Notes: The Hidden Field

I was implementing a third party plugin to Domino this morning, and was asked to put a certain value in a certain field.

However, search as I did, I couldn't find the field in the server document.

As you know, the server document uses the server form (server) in the address book (names.nsf).   I opened Domino Designer, opened the form, found the field I was looking for, checked the 'hide when' value, and discovered what I had to do to make it visible.

Could only happen in Domino, and for that I love it.

Wednesday 27 July 2011

Insider Threat: Your Data Is For Sale

Security firm SailPoint released the results of a recent survey that shows that your corporate information may be for sale.  The SailPoint Market Pulse Survey examined the current state of employee compliance with corporate policy related to private and sensitive data.

Here's what they found:
22% of US, 29% of Australian and almost half of British (48%) employees who have access to their employer's or client's private data, and who answered the question, indicated they would feel comfortable doing something with that data, regardless if that access was intentional or accidental

10% of American, 12% of Australian and 27% of British employees with access admitted they would forward electronic files to a non-employee

9% of Americans, 8% of Australians and 24% of Britons of these same groups admitted they would copy electronic data and files to take with them when they leave a company

While only 5% of American and 4% of Australian employees with access who answered the question selected this response, an alarming 24% of British employees with access said they would feel comfortable selling data.

15% of American, 29% of British and 18% of Australian employees use their mobile devices to access their company's private Intranet or portals

Ed. Note: At those levels in Britain, I would think twice about storing more data than absolutely required in Britain if I didn't have to.


Tuesday 26 July 2011

Ontario Cancer Screening Records Go Missing

Ontario's Privacy Commissioner is looking into reports that the whereabouts of up to 15 screening activity reports are unknown.   These reports contain the Personal Health Information (PHI) of up to 6,490 Ontarians.

The Privacy Commissioner's office is still investigating the status of 11 other reports that could jeopardise the PHI of another 5,440 individuals.

The records contain information such as names, birth dates, gender, health card numbers and cancer screening test information.   The whereabouts of the documents have been unknown since they were sent to doctors during the February - March 2011 time frame.
"Medical test results rank among the most sensitive personal information about an individual," said Commissioner Cavoukian. "I am astounded that such a loss could take place. The first step is to minimize any harm by locating as many of these reports as possible. As part of our investigation, we will be looking at steps that can be taken to ensure that this type of breach doesn't happen again."

Notification to potential victims will be sent in the coming weeks.

Ed. note: It's rather scary that at the moment, we don't know if the data has actually been lost in transit or simply misplaced upon being received.  What we do know is that the information lost pertains to individuals ranging in age from 50 to 75 years old.  That is a prime target age range for scammers and fraud artists.




Admin Notes: Domino and Encryption

I often find myself running for this information, and I'm going to keep it here.   That way, it may benefit someone else as well.
Lotus Domino Server/User ID

- RSA dual-key Cryptosystem and RC2, RC4 and AES algorithms for encryption

- RSA keys can be at any of the following strengths:

    - 630 bit (Domino R6+)

    - 1024 bit (Domino R7+)

    - 2048 bit (Domino R8+)

- RC4 algorithm key

    - 128bit (Domino R6+)

- RC2 algorithm key

    - 128bit (Domino R6+)

- AES algorithm key

    - 128bit (Domino R8.0.1+) (Required for FIPS)

    - 256bit (Domino R8.0.1+) (Required for FIPS) 

Lotus Network Encryption

- RC4 key

    - 128bit (Domino R6+)

Local Database Encryption

- RC2

    - 128bit (Domino 6+)

- AES

    - 128bit (Domino 8.0.1+ based on UserID/ServerID encryption level)  (Required for FIPS)

    - 256bit (Domino 8.0.1+ based on UserID/ServerID encryption level)  (Required for FIPS)

Internet User

- X.509 certificate

SSL Encryption

SSLv3 Cipher Settings

    - AES encryption with 128bit key and SHA-1 MAC

    - AES encryption with 256bit key and SHA-1 MAC

    - RC4 encryption with 128bit key and MD5 MAC

    - RC4 encryption with 128bit key and SHA-1 MAC

    - Triple DES encryption with 168bit key and SHA-1 MAC

    - DES encryption with 56bit key and SHA-1 MAC

    - RC4 encryption with 40bit key and MD5 MAC

(MAC is Message Authentication Code, which ensures that a message has not been tampered with.)
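A small audit of the SSLv3 cipher settings listed above, written as an added example for this post (it is not Domino's own code or configuration). The cipher descriptions are the page's wording; the policy thresholds (128-bit minimum, no DES or RC4, no MD5 MAC, 3DES counted at 112 effective bits) are this example's assumptions.

```python
"""Audit the SSLv3 cipher settings listed in the Domino admin notes above.

Added example, not part of the original notes or of Domino itself. The
cipher descriptions are the page's own wording; the policy thresholds
(128-bit minimum, no DES/RC4, no MD5 MAC) are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Cipher settings exactly as listed in the admin notes.
DOMINO_SSLV3_CIPHERS = [
    "AES encryption with 128bit key and SHA-1 MAC",
    "AES encryption with 256bit key and SHA-1 MAC",
    "RC4 encryption with 128bit key and MD5 MAC",
    "RC4 encryption with 128bit key and SHA-1 MAC",
    "Triple DES encryption with 168bit key and SHA-1 MAC",
    "DES encryption with 56bit key and SHA-1 MAC",
    "RC4 encryption with 40bit key and MD5 MAC",
]

_SETTING = re.compile(
    r"^(?P<cipher>.+?) encryption with (?P<bits>\d+)bit key and (?P<mac>\S+) MAC$"
)


@dataclass(frozen=True)
class CipherSetting:
    cipher: str
    key_bits: int
    mac: str


def parse_setting(text: str) -> CipherSetting:
    """Parse one 'X encryption with Nbit key and M MAC' line into its parts."""
    m = _SETTING.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised cipher setting: {text!r}")
    return CipherSetting(m.group("cipher"), int(m.group("bits")), m.group("mac"))


def effective_key_bits(setting: CipherSetting) -> int:
    """Nominal key length, except for 3DES: 168 key bits give only 112 bits
    of security because of the meet-in-the-middle attack."""
    if setting.cipher == "Triple DES" and setting.key_bits == 168:
        return 112
    return setting.key_bits


def assess(setting: CipherSetting, min_bits: int = 128) -> list[str]:
    """Return the reasons a setting fails policy (empty list = acceptable)."""
    reasons = []
    strength = effective_key_bits(setting)
    if strength < min_bits:
        reasons.append(f"effective key strength {strength} bits is below {min_bits}")
    if setting.cipher in ("DES", "RC4"):
        reasons.append(f"{setting.cipher} is a deprecated cipher")
    if setting.mac == "MD5":
        reasons.append("MD5-based MAC is deprecated")
    return reasons


def audit(descriptions: list[str], min_bits: int = 128) -> dict[str, list[str]]:
    """Map each description to its list of policy failures."""
    return {d: assess(parse_setting(d), min_bits) for d in descriptions}


def acceptable(descriptions: list[str], min_bits: int = 128) -> list[str]:
    """The settings that pass policy, in their original order."""
    return [d for d, reasons in audit(descriptions, min_bits).items() if not reasons]


if __name__ == "__main__":
    for desc, reasons in audit(DOMINO_SSLV3_CIPHERS).items():
        status = "OK  " if not reasons else "WEAK"
        print(f"{status} {desc}" + (": " + "; ".join(reasons) if reasons else ""))
```

With the default 128-bit threshold only the two AES settings pass; lowering `min_bits` to 112 also admits Triple DES.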


Domino 8.0.1 and up support the Federal Information Processing Standard (FIPS) by using a FIPS 140-2 certified cryptographic library.  This certification applies only to Domino encryption, not to SSL encryption.  For FIPS-certified SSL, a proxy server that meets the FIPS standard must be placed in front of the Domino server.


Wednesday 20 July 2011

Lotus Domino Denial of Service Attack

Credits to Tom Duff.
Packet Storm is reporting a Lotus Domino Denial of Service issue...

# Exploit Title: Lotus Domino SMTP router, EMAIL server and client DoS - all 3 may crash
# Date: July 16, 2011
# Author: None - looks like a malformed Kerio generated calendar invitation was the reason this was discovered -
# Software Link: none - cut/paste the malformed meeting invitation shown below, send into some Domino shop as a mime type text/calendar with a filename.ics
# Version: 8.5.3 and very likely all 7.x and 8.x
# Tested on: W2K3, W2K8, XP running 8.5.3
# CVE : none - but IBM has patches for this and other

Particularly ugly in that the rest of the page has the cut and paste code for making the attachment that will crash the server...

Admin Notes: Is your SMTP server running TLS?

I found a great website today that allows you to check if the mail server for your domain supports TLS.

This is a great tool to see if an email you send a client, colleague or even your buddy will be transmitted as open text.   It's also a great tool for troubleshooting your Domino mail server.

Check it out here:
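The check the site performs can also be done locally. The following is an added example for this post (not the website's code and not part of Domino): it parses a server's EHLO reply for the STARTTLS extension, using constructed sample replies for offline use, and includes a live check against a host you name (pass the domain's MX host).

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply.

Added example, not the website the post links to and not Domino's own code.
The offline functions work on constructed sample replies; check_server_starttls()
performs the live check (needs network access) using the standard library.
"""
import smtplib
from typing import Optional

# Constructed sample EHLO replies (RFC 5321 multi-line 250 responses); not
# captured from any real server.
SAMPLE_EHLO_WITH_TLS = """250-mail.example.com Hello client.example.net
250-SIZE 52428800
250-STARTTLS
250-8BITMIME
250 HELP"""

SAMPLE_EHLO_WITHOUT_TLS = """250-mail.example.com Hello client.example.net
250-SIZE 52428800
250 8BITMIME"""


def parse_ehlo_extensions(reply: str) -> set[str]:
    """Return the ESMTP keywords advertised in an EHLO reply.

    The first 250 line carries the server's greeting, not an extension, so it
    is skipped; keywords are upper-cased because RFC 5321 makes them
    case-insensitive. Parameters after the keyword (e.g. the SIZE limit) are dropped.
    """
    keywords: set[str] = set()
    for line in reply.splitlines()[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue
        body = line[4:].strip()  # skip "250-" or "250 "
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def starttls_offered(reply: str) -> bool:
    """True if the reply advertises the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_server_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Optional[bool]:
    """Live check: connect, send EHLO and report whether STARTTLS is offered.

    Returns None if the server could not be reached. smtplib stores the
    advertised extensions after ehlo(); has_extn() looks them up. No mail is sent.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return None


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        result = check_server_starttls(sys.argv[1])
        verdict = {True: "offered", False: "not offered", None: "unknown (unreachable)"}[result]
        print(f"{sys.argv[1]}: STARTTLS {verdict}")
    else:
        print("sample with TLS:", starttls_offered(SAMPLE_EHLO_WITH_TLS))
        print("sample without TLS:", starttls_offered(SAMPLE_EHLO_WITHOUT_TLS))
```

A server that advertises STARTTLS only opportunistically encrypts; whether a given sending server actually uses it is a separate question this check cannot answer.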

Wednesday 29 June 2011

Policies and Controls are King in the IT Security world

I came across an article by Roger Grimes over at Infoworld on how security policies and controls are the real power when it comes to IT security.

Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence, which are a great read for anyone looking at updating or auditing their policies for completeness.

The SANS top 20 controls are a must for any organization:

  1. Inventory of Authorized and Unauthorized Devices

  2. Inventory of Authorized and Unauthorized Software

  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

  4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

  5. Boundary Defense

  6. Maintenance, Monitoring, and Analysis of Security Audit Logs

  7. Application Software Security

  8. Controlled Use of Administrative Privileges

  9. Controlled Access Based on the Need to Know

  10. Continuous Vulnerability Assessment and Remediation

  11. Account Monitoring and Control

  12. Malware Defenses

  13. Limitation and Control of Network Ports, Protocols, and Services

  14. Wireless Device Control

  15. Data Loss Prevention

  16. Secure Network Engineering

  17. Penetration Tests and Red Team Exercises

  18. Incident Response Capability

  19. Data Recovery Capability

  20. Security Skills Assessment and Appropriate Training to Fill Gaps

If you are missing policies dealing with any of these, this would be a great time to look at implementing them, especially with such a great resource now available.


Tuesday 28 June 2011

Me Personally? I love DAOS...

I think DAOS is great, and why?   Because of the screenshot below.   A database a quarter of that size would make most admins cry, but with DAOS, it hums along beautifully.

Makes me wonder if this type of scenario is what IBM had in mind when they designed DAOS.

Oh, and the size is not an error.   Logically, it actually is 140GB in size, with about 53,000 attachments.

Indian users of Groupon subsidiary face password breach

An Australian security consultant, Daniel Grzelak, discovered an SQL file with over 300,000 usernames and plain text passwords from by conducting a Google search.
The entire user database of Groupon’s Indian subsidiary was accidentally published to the Internet and indexed by Google.

The database includes the e-mail addresses and clear-text passwords of the site’s 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like “password” and “gmail”.

On a side note, this is the same Daniel Grzelak who created, as a side project, a website that allows you to search a database of known-compromised e-mail address and password pairs to see if your password has been compromised.

Monday 27 June 2011

Bioware Account Breach

I got an email the other day, one I wasn't expecting to receive, because I wasn't even aware that the organization had a data breach.  (But then, how could I?  They've been coming fast and furious for a while now.)

The email looked like this:
We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers' data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers. Our investigation shows that information such as user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates from accounts on the system may have been compromised, as well as other information (if any) that you may have associated with this forum account. In an abundance of caution, we have disabled your legacy Account. To create a new account please visit

We take the security of your information very seriously and regret any inconvenience this may have caused you. If your username, email address and/or password on your Neverwinter Nights account are similar to those you use on other sites, we recommend changing the password at those sites as well. We advise all of our fans to always be aware of any suspicious emails or account activity and report any suspicious emails and account activity to Customer Support at 1-877-357-6007.

If you have questions, please visit our FAQ at or contact Customer Support at the phone number above.

Aaryn Flynn
Studio GM, BioWare Edmonton
VP, Electronic Arts

Now, to be honest, I didn't even realize that I had an account at the Bioware forums.  I haven't actually played Neverwinter Nights in almost 7 or 8 years.  As a result, I'm not even sure what my username or password would have been.

I suppose that's the first lesson for me, I should be more diligent about logging where I have accounts.   I've started that recently by beginning to use LastPass, but prior to that, the odd email that arrived often reminded me that I had an account with a given service provider.

The breach was discovered on June 14th, 2011.  The first place they notified customers was on the forum itself.  Which is great for people who still use the resource, but doesn't do much for the rest of us.

My email came on June 23rd, 2011.  It contained a link to the EA customer support site.   (I wasn't even aware that EA had purchased Bioware.)

I'm not concerned about it taking a week to let me know about the breach.  First of all, the accounts compromised got locked down according to EA.  And they notified current users via their forum.   As a past user, there isn't much that I could have done to protect myself, and I make sure that I have unique passwords on each site I use so my other accounts shouldn't be at risk. (You do that too, right?)   I'd much rather a bit of a delay in warning me, than a constant back and forth about what data was actually taken.

So, in the end, the attackers have my:

  • user name

  • encrypted passwords

  • email addresses

  • mailing addresses

  • names

  • phone numbers

  • CD keys

  • birth date

The username, email address, encrypted password and CD key I'm not as worried about, I've moved a few times since I registered the account, so my address or phone numbers don't bother me.  I am concerned about my birth date and real name, but I can't easily change them...

Friday 24 June 2011

Is speed a good thing in disclosing security breaches?

How quickly do you feel a company should notify you that your personal data has been exposed as the result of a security breach?

There have been a number of high profile data breaches recently, such as Sony, Epsilon and Honda Canada.  Each company took a different amount of time to notify customers, but that is because they are allowed to.  There are no laws that specify how quickly they must advise you that your private information may have become public.

Sony, who has lost more than 100 million records this year, took 3 days after the detection of the Sony Playstation Network breach to advise customers.

Epsilon, who lost millions of customer account data belonging to more than 50 major companies, contacted people only a day after the breach was discovered.

Honda Canada, who suffered a breach in March, didn't notify people until May.

Reuters is reporting that a new US data breach bill would set a mandatory maximum on the amount of time a company can delay advising the public.  The current version of the bill states that companies don't have to tell the public until 48 hours AFTER the investigation of the breach is complete.  Hopefully that gets strengthened, as an investigation can drag on for a very long time.

Thursday 23 June 2011

Basic Information Security Practices missing at most Small Businesses

As I read this article earlier today, I have to say that I am not really all that surprised.

Most small businesses are more concerned with their day-to-day operations and where the next client is coming from than they are with spending the time to create policies and processes to manage security.
Although 78.6% of respondents were aware of the legal requirements of storing, keeping, and disposing confidential data, 31.1% never trained staff on the company’s information security procedures and protocols, and 35.5% of companies have no protocol in place for storing and disposing confidential data.

With any small business there is only so much time and so much to get done.  Most processes exist, but are usually undocumented, and quite often verbal.
“Most things are passed around in an oral tradition, rather than a written tradition. Information is imparted verbally, and companies don’t tend to have formal policies and procedures in place until they start to grow more”

Without a training program, and documented procedures, what are the chances that something like this may happen more and more often?

Tuesday 21 June 2011

Canadian Privacy Commissioner criticizes Staples

The Canadian Privacy Commissioner, Jennifer Stoddart, has found that Staples Canada Inc. failed to fully wipe customer data from returned devices such as laptops, hard drives or USB keys prior to reselling them.
The Staples audit included tests on data storage devices (i.e. computers, laptops, USB hard drives and memory cards) that had undergone a "wipe and restore" process and were destined for resale.  Of the 149 data storage devices tested, over one-third (54 devices) still contained customer data - in some cases, highly sensitive personal information such as Social Insurance Numbers, and health card and passport numbers; academic transcripts; banking information and tax records.

This brings a few questions to mind.

Who are these individuals who would return a device to a store, and blindly trust that the store will do what is in their best interest, rather than in the store's best interest?

The privacy commissioner stated that:
...although Staples generally has good privacy practices, it had not met its obligations under Canada's private-sector privacy law with regard to returned data storage devices.

How many organizations have a policy regarding data storage devices, and the safeguards around their disposal?  I would imagine that most do, but that won't protect the individual consumer.

Personally, I'd like to know the policies of a store before returning data storage hardware, such as cell phones (did you wipe the address book before you returned it?), smartphones (same goes for emails), USB drives, laptops, external hard drives, internal hard drives, computers, or memory cards to them.

I'd want to know if they wipe them, a little bit about how they wipe them, and as a purchaser of previously purchased goods, I'd want to know if the device had been checked for viruses and other malware.

And the next time I return hardware to a store, or purchase a previously purchased device, I will ask.

Friday 17 June 2011

IamLUG - North American Lotus User Group

Once again, I believe for the third year, St. Louis is opening its doors to Loti from across North America.

Founded on the 'free' conference ideal, IamLUG has offered more than 25 sessions each year with the optional 'TackItOn' full day of training on specific subjects.

This year's session list looks great, and the speakers rock.   It's happening on August 1st and 2nd, with the 'TackItOn' day being Aug 3rd.

You can find more detail here.

Thursday 16 June 2011

Taking Security Too Far: Breaking the Business Process

Read the following statement:
apparently the advent of 3D projectors is severely cutting the amount of light that reaches the screen because projectionists are not changing out the 3D lenses for 2D screenings as they should

Would you believe that a poorly planned security process is to blame for spoiling our enjoyment of 3D movies?  With more and more thought being given to security, and to protecting the intellectual property of the organization, it is possible for those controls to go too far.
Hollywood is making a trade-off here: believing that 3D and digital are the new technologies that will get people back into theaters BUT believing that anything not locked down will be copied and redistributed without payment, the studios et al have opted to secure the projectors. Understandable. But in doing so, they've made it difficult for the people running the projectors to do their jobs properly.

While it is a great idea to make sure that the business is protected, making security too much of a challenge for people to do their jobs results in poor returns for everyone.
Opening the projector alone involves security clearances and Internet passwords, 'and if you don't do it right, the machine will shut down on you.'

when the designers developed the projector's security, they failed to consider who would be using it, their level of technical capabilities, and their own internal risk model ("If I do this complicated and difficult thing and make a mistake the projector will lock up and the screening will have to be canceled and I'll probably get fired.") The upshot is poor design that defeats the purpose.

When you are designing your next security model, give lots of thought to the business and its ultimate goals.  Make sure you are not a hindrance to the bottom line.

Reference: When Threat Models Collide

Wednesday 8 June 2011

Conservative Party of Canada Contributor Information Leaked

According to @LulzRaft, it looks like there was a data breach of campaign contributor information that went along with the fake news release when the Conservative Party of Canada website was breached.

Update:  @LulzRaft is not connected to @LulzSec.


Technology, Law and the Canadian Workplace

Tod Maffin from the CBC interviews two lawyers about Canadian law and technology in the workplace.

Wikimania - Please don't post (I want to win...)

Yeah, the title is a bit tongue in cheek, but seriously...

I entered an article in the Wikimania contest last year, and I even won a book, and a number of other small items.

I've entered again this year, on the very day the contest opened.   I suspect that I was even pointed out for it.

Sharing with the community is a great way to develop friendships and share information.  (And win prizes.  After all, who doesn't want to be recognized for their work.)

Security Review - 6/7/2011

Similar to a number of other breaches (Sony, Epsilon, Lockheed-Martin), hackers seem to mostly be targeting the 'larger' targets, that will bring a lot of public exposure.

The Conservative Party of Canada site was the target of such an attack this week, as were many branches of the Sony empire.  The Kingston Police department just got their website back online on Tuesday following a breach.

It's no surprise then that Vermont Democrat Senator Patrick Leahy has introduced a bill that would set a national standard for notifying consumers of breaches, and would make it a crime to conceal a data breach.

Is there any doubt why Canadian companies are wary of the cloud?
As a result, Canadian firms tend to experience fewer security lapses. On average, 43% of global companies reported a breach within the last year versus 38% in this country.

Tuesday 7 June 2011

Hackers target Conservative Party website

Despite news on the Conservative Party of Canada website, Prime Minister Stephen Harper was not airlifted to a hospital in Toronto following a choking incident at breakfast with his children.

In fact, it was an attack by hackers targeting the Conservative Party website.

The CBC has more details.

Hackers make off with Government of Canada data

Back in April 2010, two groups (The Citizen Lab and The SecDev Group) discovered that government computers in 103 countries were compromised by hackers from China.  They wrote about it in a published report called Shadows in the Cloud.

Fast forward to the fall of 2010 when Communications Security Establishment Canada (Canada's electronic eavesdropping agency) started looking for signs that Canada's governmental networks had been compromised.

Fast forward to January 2011, when a hack was discovered in three Canadian government departments including the Department of Finance and an agency of the Department of National Defence.

A memo written at the end of January 2011 states:
"Indications are that data has been exfiltrated and that privileged accounts have been compromised,"

Moving on to February 2011, when Prime Minister Stephen Harper says that the government has a strategy to protect computer systems, but admits that cybersecurity is a "a growing issue of importance."

And now in June 2011, through a memo that the CBC received through an access to information request, that hackers stole classified information.

So, what's happened in the interim?

Departments have set up workstations on each floor where employees can go to access the Internet for work purposes.   And what happens when those are busy?   They take their laptops down to the local coffee shop and access needed resources there.

So, now that the secure corporate environment has been breached, the next target will be the coffee shop wireless connection.   My guess is that the wireless connections at coffee shops probably don't undergo the same rigorous security that goes into a typical corporate network.   But in this case, whoever the hackers are that infiltrated the government networks, they have definitely flushed the game out of the woods.

Wednesday 1 June 2011

Tomorrow is IPv6 day!

Tomorrow is the Internet Society's World IPv6 day.

On June 8th, many major world organizations (including Google, Akamai and Yahoo!) will be turning on IPv6 services for a 24 hour test.

More information can be found here.

Tuesday 31 May 2011

Computer Security Policy: Part 1 - Hierarchy of Management Direction

When writing computer security policy, or any policy for that matter, it is important to remember that there is a hierarchy when it comes to the types of documents that make up policy.

  • Laws & Regulations

  • Policy

  • Standards/Directives

  • Procedure

  • Guideline

Laws & Regulations

These are the compulsory rules, with sanctions, declared by the government for all citizens.

Here in Canada, the laws are passed by elected members of parliament.  In the United States, laws are passed by elected members of Congress, and then ratified by the Senate.  The president signs the law into being.

Policy

A policy is "a high level statement of enterprise beliefs, goals, and objectives and the general means of attainment" (Peltier).   Another way to look at it is that "policy is the articulation of the intentions of management".  (Fites/Kratz)

It's a course of action or a principle taken by a group of individuals used to govern themselves.

Standards/Directives

Standards could be defined as required activities that provide a support structure and direction on how to carry out policies.

"A document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context."  (Standards Council of Canada)

Procedure

A procedure is a set way to perform a task.  It is a series of instructions to be completed in a particular order or manner.

Guideline

Guidelines are "general statement designed to achieve policy".  (Peltier)

They could also be classified as a forceful recommendation to achieve a certain goal.

Friday 27 May 2011

Domino databases can disappear when a UNIX/LINUX server is shut down


In certain cases on a Domino 8.5.2 FP1 server, the contents of the Domino data directory can be deleted during shutdown on UNIX and Linux platforms. This does not happen frequently or on all Domino servers. However, if this does happen, a backup restore of the data will be necessary.
This IBM Alert addresses an issue with the ~notetmp.reg file on UNIX or LINUX servers running Domino 8.5.2 FP1.

This is what happens:
The problem occurs if ~notetmp.reg points to the Domino data directory as the temp directory and also contains an empty string filename. In that case, Domino sees everything in the data directory as temporary and all files will be deleted at server shutdown.
More information can be found on the IBM support site.  Reference is SPR# DWON8FVMYS.

Thanks to Gunawan T. Wicaksono for pointing this Alert out.

Tuesday 24 May 2011

Admin Notes: Fixes for File Viewer Vulnerabilities in Lotus Notes

Just a quick note to make sure this gets out there.

I'm taking on more 'security' type duties at work.   This is something that falls under both my hats.

IBM Support has released a Flash Alert regarding some vulnerabilities discovered in Lotus Notes.

More information can be found on the IBM Support site.

I do like the fact that they have provided workaround information all the way back to Lotus Notes 5.x.

Thursday 19 May 2011

Admin Notes: Lookup of IP address for host failed

If you come across an error like this in your Lotus Domino console, or log file:

"Lookup of IP address for host failed"

Take a look at your Internet Site Documents, chances are one of them (a non-website one) has an invalid domain name.

Wednesday 11 May 2011

Cross Country Lotus User Group - May 12th, 2011

Date:  Thursday,  May 12th, 2011

Time:    1:00pm to 5:00pm –  Eastern Daylight Time  -  Montreal, Ottawa, Toronto
            11:00am to 3:00pm –  Mountain Daylight Time - Calgary
            10:00am  to 2:00pm – Pacific Daylight Time  - Vancouver

1360 René Levesque Blvd West, 13th floor, Conference Room
Local Host: Angela Caruso,
340 Albert St, Room 100
Local Host: Connie Triassi,
120 Bloor Street East   Suite 104
Local Host: Rosie Seth,
227 - 11th Avenue SW,  2nd floor, Room 2-045
Local Host:  Don Gillis,
4611 Canada Way, Burnaby, BC, Queen Charlotte Room
Local Host: Jayne Johnson,

Welcome to the Cross Country Lotus User Group Meeting!


Montreal/ Ottawa/ Markham

Agenda (Topic & Speaker):

- Meet & Greet

- Welcome and Agenda

- Lotus Notes 8.5.3 – How to set up Notes 8.5.3 for former Outlook users
  Mary Beth Raven – IBM, Senior Technical Staff Member, Responsible for UI Design

- DragonRAD – DragonRAD is a mobile enterprise application platform that empowers developers without specialized mobile development skills to create data-driven enterprise applications that run across multiple smartphones and tablets including BlackBerry®, BlackBerry PlayBook™, Android™, iPhone®, iPad®, and Windows Mobile™.
  Gord Graham – Seregon Solutions

- How I got started in XPages development! – My first steps into XPages were daunting because of how much I felt I didn't know, how far behind I thought I would be and how steep I was afraid the learning curve was.  I am happy to report that I am glad I took those first steps and am quite excited about using XPages.  I will explain my background in Notes, the resources I have used to become familiar with XPages and then demonstrate some XPages features and discuss the things that I find really powerful in XPages compared to traditional Lotus Notes development.
  Graham Acres – Brytek Systems Inc

- TLCC – The Leader in XPages Training
  Paul Della-Nebbia will take a few minutes to tell us about TLCC’s Introduction to XPages Development 8.5 Workshop coming soon to a city near you!

- 8.5.x Domino Server Availability and Tuning – Do you want to keep your Domino servers available 99.999% of the time? Is part of that goal to minimize cost and take economic advantage of what's new in Domino for Release 8.5 on? There are capacity planning and administrative actions, design decisions as well as a lack of ongoing and proactive tuning practices that threaten those goals. Gleaning from the struggles, successes and failures of several enterprise deployments using the latest Domino features and configuration options, this session will yield a vital list of items that may need correction as well as procedural changes going forward.
  John Curtis – IBM, Senior Technical Staff Member – Domino Development

- End of Meeting

IBM is pleased to provide lunch and refreshments in each of the host cities.

Register for the Event:
Upon registration you will receive the information for the web and phone conference. If clicking the link above does not work, please copy the entire link and paste it into your Web browser.