Friday, 30 September 2011

Every Application and Device Needs a Retirement Plan

Here's a great headline that grabbed my attention this morning:
Air traffic control data found on eBayed network gear

Turns out this fellow in the UK bought a Cisco switch on eBay for £20.    When he saw the sticker on the back that said NATS (National Air Traffic Services), he started poking around.

He found internal VLAN estate data, information about the SNMP community strings (read and write, named after aircraft funnily enough), some ideas about password composition, VTP Trunk info and password, and details of upstream switching.   Enough that it would allow you to plug it into a port connected to the NATS network and 'become' part of the network, allowing you access to all the network traffic.

My first thought after reading this article?    How does the NATS in the UK not have a retirement/decommissioning plan that would have addressed this?    After all, the UK was the country that developed the ITIL framework, and system decommissioning is a core part of the service lifecycle.
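A decommissioning plan needs a verification step, not just a wipe step. The scanner below is an added example (not from the article, and nothing to do with NATS): it reads a saved IOS-style configuration and reports every credential-bearing line of the kinds the article lists (SNMP community strings, the VTP password, local and line passwords) so that a device is not released until the dump comes back clean. The sample configuration and the regular expressions are my own assumptions about IOS syntax, not an exhaustive list.

```python
"""Pre-disposal check for a network device configuration dump.

Added example: scans an IOS-style configuration for credential-bearing lines
that must not survive decommissioning. The sample configuration below is
constructed for illustration, not taken from any real device.
"""
import re

# Artefact classes and the (assumed, non-exhaustive) IOS syntax that reveals them.
SENSITIVE_PATTERNS = {
    "snmp_community": re.compile(r"^\s*snmp-server community\s+\S+", re.I),
    "vtp_password": re.compile(r"^\s*vtp password\s+\S+", re.I),
    "enable_secret": re.compile(r"^\s*enable (secret|password)\s+", re.I),
    "local_user": re.compile(r"^\s*username\s+\S+\s+(secret|password)\s+", re.I),
    "line_password": re.compile(r"^\s*password\s+\S+", re.I),
    "aaa_shared_key": re.compile(r"^\s*(tacacs-server|radius-server)\s+.*\bkey\b", re.I),
}

# Constructed sample: what a 'show running-config' dump of an unwiped switch might contain.
SAMPLE_CONFIG = """\
! constructed sample, not a real device configuration
hostname EXAMPLE-SW-01
snmp-server community example-ro RO
snmp-server community example-rw RW
vtp domain example-site
vtp password example-vtp
interface Vlan10
 description Management
 ip address 10.0.10.2 255.255.255.0
line vty 0 4
 password example-line
 login
"""


def scan_config(text):
    """Return (line_number, artefact_class, line) for every sensitive line.

    Line numbers are 1-based. A line gets one classification only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
                break
    return findings


def ready_for_disposal(text):
    """A dump passes only when no credential-bearing line remains in it."""
    return not scan_config(text)


if __name__ == "__main__":
    for lineno, name, line in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {name}: {line}")
    print("ready for disposal:", ready_for_disposal(SAMPLE_CONFIG))
```

Run it against the dump taken after the wipe (for IOS, after `erase startup-config` and a reload); VLAN and interface descriptions are not flagged here, so treat a clean result as necessary rather than sufficient.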


Canadian Government Proposes Mandatory Data Breach Reporting

The Canadian Government proposed changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) that would force organizations to report personal information breaches to both the privacy commissioner and the affected individuals.

The changes are part of a proposed bill that died on the floor of parliament when Canada went to the polls to elect a new government this past May.

"Ensuring trust and confidence through the protection of personal information is essential to the growth of the digital economy.  Our government will continue to help protect consumers and businesses from the misuse of their personal information, thereby increasing confidence in the online marketplace." - Industry Minister Christian Paradis

Organizations would be required to inform individuals if there had been a breach that might result in 'significant harm' to an individual.   Significant harm could be defined as identity theft, fraud or risk to a person's reputation.

Other changes that could be made to the Personal Information Protection and Electronic Documents Act (PIPEDA) could include:

  • Clarifications that organizations can disclose personal information requested by government institutions and law enforcement and security agencies without a warrant, subpoena or court order.  The change would prohibit such organizations from notifying those affected by the disclosure of their personal information if the law enforcement or government institution requesting the information objects to the disclosure.

  • Changes to the Act would allow for the release of personal information to help protect victims of financial abuse, locate missing persons or identify people who might be injured, ill or deceased.

  • Disclosure of personal information without consent would be allowed for private sector investigations and fraud prevention.

  • Consent would no longer be required for the collection, use and disclosure of information needed for managing employment relationships, information produced for work purposes, information used for due diligence in business transactions, or business contact information for day-to-day business.


Tuesday, 27 September 2011

How To: Mitigate the SSL/TLS Vulnerability for Lotus Domino

I've been doing quite a bit of research into the BEAST (Browser Exploit Against SSL/TLS) vulnerability that security researchers Juliano Rizzo and Thai Duong demonstrated at the ekoparty security conference in Buenos Aires on Friday.

The session at ekoparty revealed the technical details about how the exploit works and the vulnerability it exploits.   The vulnerability has been known for quite a while.

The vulnerability affects SSL/TLS cipher suites that run a block cipher in Cipher Block Chaining (CBC) mode. These include the popular AES and Triple-DES suites.  The easiest way to mitigate the vulnerability is to switch to a cipher suite that doesn't use CBC, like those based on the RC4 stream cipher.

Interestingly enough, Google websites don't use CBC based encryption.  They use the RC4 encryption cipher instead.


Domino Server BEAST Mitigation - With Internet Site Documents

  1. In the Domino Administrator Client, open the 'Configuration' tab and expand 'Web' and 'Internet Sites'.

  2. Open the Internet Site Document for the server.

  3. Click on the 'Security' tab.

  4. Under 'SSL Options' section, change the 'Protocol Version' to 'V3.0 only'.

  5. Under the 'SSL Security' section, modify the list of SSL ciphers so that only the following ciphers are selected:

    1. RC4 encryption with 128-bit key and MD5 MAC

    2. RC4 encryption with 128-bit key and SHA-1 MAC

    3. RC4 encryption with 40-bit key and MD5 MAC

  6. Save the Internet Site Document.

  7. Restart the HTTP task.

Domino Server BEAST Mitigation - Without Internet Site Documents

There does not seem to be a way to specify the SSL protocol version for Domino without using Internet Sites.   There is an SSL Protocol Version field on the server document, however it states that it does not apply to the HTTP task.

With that said, I look forward to the day that there is TLS support for Lotus Domino.   (And data-at-rest encryption that is stronger than RC4, but that's for another day.)
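Whichever way the server is configured, the result should be verified from the outside rather than trusted from the settings screen. The script below is an added example (not from this post, and not IBM's code): it parses the `SSL-Session` block that `openssl s_client -connect host:443` prints and reports whether the negotiated protocol and cipher are the combination BEAST needs (a CBC suite on SSL 3.0 or TLS 1.0). Because the 2011 mitigation above relies on SSL 3.0 and RC4, which were later deprecated by RFC 7568 and prohibited by RFC 7465 respectively, it also reports those two conditions separately. The three transcripts are constructed, not captured from a real server, and the cipher-name heuristic is my own.

```python
"""Classify the session negotiated by a server from `openssl s_client` output.

Added example. Feed assess() the captured output of
`openssl s_client -connect host:443 < /dev/null`; only the Protocol and
Cipher lines of the SSL-Session block are read. Transcripts below are
constructed for illustration.
"""
import re

PROTOCOL_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)

# On these protocol versions a CBC record's IV is the previous record's last
# ciphertext block, the property BEAST relies on; TLS 1.1+ sends an explicit
# per-record IV instead.
BEAST_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
BLOCK_CIPHERS = ("AES", "DES", "CAMELLIA", "SEED", "IDEA", "ARIA")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def is_cbc(cipher):
    """True for an OpenSSL cipher name that runs a block cipher in CBC mode.

    OpenSSL omits 'CBC' from most such names (e.g. AES128-SHA), so this is
    inferred heuristically: a block cipher that is not an AEAD construction."""
    name = cipher.upper()
    if any(marker in name for marker in AEAD_MARKERS):
        return False
    return any(block in name for block in BLOCK_CIPHERS)


def assess(s_client_output):
    """Return (protocol, cipher, findings).

    findings is a sorted list drawn from: 'beast' (CBC suite on SSLv3/TLS 1.0),
    'rc4' (RC4 suite, prohibited by RFC 7465), 'legacy_protocol' (SSLv2/SSLv3,
    deprecated by RFC 7568). An empty list means none of these applies."""
    proto_m = PROTOCOL_RE.search(s_client_output)
    cipher_m = CIPHER_RE.search(s_client_output)
    if not proto_m or not cipher_m:
        raise ValueError("no SSL-Session Protocol/Cipher lines found in output")
    protocol, cipher = proto_m.group(1), cipher_m.group(1)
    findings = set()
    if protocol in BEAST_PROTOCOLS and is_cbc(cipher):
        findings.add("beast")
    if "RC4" in cipher.upper():
        findings.add("rc4")
    if protocol in ("SSLv2", "SSLv3"):
        findings.add("legacy_protocol")
    return protocol, cipher, sorted(findings)


# Constructed transcripts, trimmed to the lines assess() reads.
DOMINO_AS_CONFIGURED = "SSL-Session:\n    Protocol  : SSLv3\n    Cipher    : RC4-SHA\n"
TLS10_CBC = "SSL-Session:\n    Protocol  : TLSv1\n    Cipher    : AES128-SHA\n"
MODERN = "SSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n"

if __name__ == "__main__":
    for label, transcript in (("domino as configured", DOMINO_AS_CONFIGURED),
                              ("tls 1.0 with cbc", TLS10_CBC),
                              ("tls 1.2 with aead", MODERN)):
        print(label, "->", assess(transcript))
```

The first transcript shows what the Internet Site configuration above should produce: no `beast` finding, but `legacy_protocol` and `rc4` remain, which is why the post's closing wish for TLS support on Domino is the real fix.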

NIST Releases Guide for Conducting Risk Assessments

National Institute of Standards and Technology (NIST) has released the Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1).

As threats to cyber systems grow more and more complex, risk assessments help companies determine appropriate responses to mitigate risks to their organizations, guide investment strategies and maintain ongoing situational awareness of the state of their systems.

Overall guidance for risk assessment for information security can be found in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39).


Microsoft Releases a TLS 1.1 Fix Tool for Windows

Microsoft has released a security advisory relating to the SSL/TLS vulnerability previously discussed.   Included in the advisory are a workaround and a tool that can implement a fix on Windows 7 and Windows Server 2008 R2 systems.

If you're using a version of Windows prior to version 7 or Server 2008 R2, your system doesn't even support TLS 1.1.   Your only hope is that server admins fix the SSL/TLS problem on their web servers.

Interestingly enough, the RC4 cipher suites are unaffected.   Only encryption based on CBC (cipher block chaining) is affected, and RC4 is a stream cipher, not a block cipher in CBC mode.

Friday, 23 September 2011

Pssst... Want to buy some patient records?

You know, probably not the best words in an article about lost patient records to link ads from if you want your website to look legit.

Just saying...

Swedish Computer System Crash; 50 000 lost medical records

A computer system crash in Region Skåne, Sweden has resulted in the loss of appointment and prescription records, and may have resulted in the loss of over 50 000 medical records.

The affected hard drives have been shipped to a Norwegian company to attempt to recover the information lost in the crash that occurred on August 22, 2011.  (Almost a month ago as of the publication of this post.)

The cause of the crash is still under investigation, and the extent of the data loss is still unknown.

"We have never before lost so much information," Mette Marklund, director of the National Board of Health and Welfare's Southern Region, told DN. "It can be a great risk to patient safety when we do not have access to adequate information. But, we do not know yet what to rebuild."

Interestingly enough, Region Skåne is scheduled to launch a central medical record system for the entire nation in 2012.

Ed. Note:  I'm not certain how a health organization in a first world country could have started a project so large and so far reaching and not have given any thought to data backup or disaster recovery, especially when you consider the risk to human life that the loss of medical records might entail.

Thursday, 22 September 2011

My ATM is running Windows 98?

Picture this: you walk up to an ATM belonging to your bank and find the error below on the screen.

Do you change banks?

(IN)SECURE Magazine number 31 is available

If you work in IT security, and you don't read (IN)SECURE Magazine, you should take a look at it.

Here is the article list for issue 31:

  • The changing face of hacking

  • Review: [hiddn] Crypto Adapter

  • A tech theory coming of age

  • SecurityByte 2011: Cyber conflicts, cloud computing and printer hacking

  • The need for foundational controls in cloud computing

  • A new approach to data centric security

  • The future of identity verification through keystroke dynamics

  • Visiting Bitdefender's headquarters

  • Rebuilding walls in the clouds

  • Testing Domino applications

  • Report: Black Hat 2011 USA

  • Safeguarding user access in the cloud with identity governance

Wednesday, 21 September 2011

IBM Lotus Domino and the SSL/TLS known vulnerability

Based on this article, I started thinking about how the fallout from the SSL/TLS vulnerability may affect me.

I wasn't ready for what I found.

As it turns out, as detailed in this IBM tech note, there is no support for TLS 1.0, TLS 1.1 or TLS 1.2 for Domino's HTTP server.   There is only support for SMTP (through STARTTLS) and SIP (for Sametime) within Domino.   All other Lotus Domino Internet based protocols (HTTP, LDAP, POP3, IMAP) support SSL up to 3.0.

So...    As for a plan, it looks like you can probably put your Domino servers behind a WebSphere Edge Server doing reverse proxy.   Much like you would have to do if you were looking to make Domino FIPS 140-2 compliant.

Looking for a Lotus job?

If you are looking for a job revolving around one of the IBM/Lotus technologies, make sure you take a look at Tom Duff's website.   He posts daily on the new jobs that surface in the Lotus world.

Duffbert's Lotus Jobs


Known Vulnerability in SSL/TLS is now a Problem

In case you didn't read it here, or here, there has been a successful exploit for a long known vulnerability in all versions of SSL and TLS 1.0.

Although the vulnerability has been known since the early iterations of SSL, up until now it was thought to be unexploitable.

Thanks to the work of Juliano Rizzo and Thai Duong (who previously brought an issue to light with ASP.NET that caused Microsoft to release an 'out-of-band' patch), the vulnerability has been exploited through a web browser.

What does this mean for us, the security practitioners?   It may be time to implement and enforce the use of TLS 1.1 or TLS 1.2 soon.  Attacks against SSL/TLS 1.0 have yet to show up in the wild, but it is only a matter of time.

Still unsure about what SSL/TLS is?   Here's a good reference.

(Note: I didn't like the spin used by the news article entitled "Online banking encryption broken" on the CBC's website about the exploit.  It harkens to fear mongering to me.)

Update: The presentation to be given at the ekoparty security conference will provide all of the details on the exploit.  It may be related to this paper.

Tuesday, 20 September 2011

Cybersecurity Awareness Month

The Department of Homeland Security (DHS) in the United States has set October as National Cybersecurity Awareness month.

Despite choosing one month to bring public awareness to cybersecurity, most security professionals recommend practicing cybersecurity year round, not just in October.

You'll probably want to think about things on the list below during October.

  • Anti-Virus

  • Firewalls

  • Backups

  • Software Updates

You should also review the list of what to do when things go wrong (as most things eventually will).   You can find that resource here:

Friday, 16 September 2011

Great Deal - Games on Sale

Mrs. Tiggy Winkle's in Ottawa has a Groupon deal today.

$15 for $30 Worth of Toys and Games

They have a fairly good selection of board games, and a fair number of Euro games.

Thursday, 15 September 2011

Great Cryptography Reference

Do you know some of the basics of cryptography, like what a Caesar cipher is?   How about a Vigenère table?  Are you looking for an easy reference on what data encryption is?

Check it out!

Securing The Human

Part of SANS security awareness program is a site called 'Securing The Human'.

Every month they publish a newsletter directed at the typical web user.  Not those of us with a heightened awareness of security, but people like your office manager, mail room clerk or parents.

This month's newsletter, appropriately called 'OUCH!', deals with privacy and security surrounding social networking.

I encourage you to take a look, and disseminate it to your staff.   In fact, they even encourage you to do that.

It is available in English, French, Arabic, Italian, Korean, Malaysian, Polish, Portuguese, Spanish, and both Simple and Traditional Chinese.