

Showing posts from September, 2011

Every Application and Device Needs a Retirement Plan

Here's a great headline that grabbed my attention this morning: "Air traffic control data found on eBayed network gear". Turns out this fellow in the UK bought a Cisco switch on eBay for £20. When he saw the sticker on the back that said NATS (National Air Traffic Services), he started poking around. He found internal VLAN estate data, information about the SNMP community strings (read and write, named after aircraft, funnily enough), some ideas about password composition, VTP trunk info and password, and details of upstream switching. Enough that it would allow you to plug it into a port connected to the NATS network and 'become' part of the network, giving you access to all the network traffic. My first thought after reading this article? How does NATS in the UK not have a retirement/decommissioning plan that would have addressed this? After all, the UK was the country that developed the ITIL framework, and system decommissioning is a core part of the service

Canadian Government Proposes Mandatory Data Breach Reporting

The Canadian Government proposed changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) that would force organizations to report personal information breaches to both the privacy commissioner and the affected individuals. The changes are part of a proposed bill that died on the floor of parliament when Canada went to the polls to elect a new government this past May. "Ensuring trust and confidence through the protection of personal information is essential to the growth of the digital economy. Our government will continue to help protect consumers and businesses from the misuse of their personal information, thereby increasing confidence in the online marketplace." - Industry Minister Christian Paradis Organizations would be required to inform individuals if there had been a breach that might result in 'significant harm' to an individual. Significant harm could be defined as identity theft, fraud or risk to a person's reputation. Ot

How To: Mitigate the SSL/TLS Vulnerability for Lotus Domino

I've been doing quite a bit of research into the BEAST (Browser Exploit Against SSL/TLS) vulnerability that security researchers Juliano Rizzo and Thai Duong demonstrated at the ekoparty security conference in Buenos Aires on Friday. The session at ekoparty revealed the technical details about how the exploit works and the vulnerability it exploits. The vulnerability has been known for quite a while. It affects SSL/TLS cipher suites that use Cipher Block Chaining (CBC) mode, which include the popular AES and Triple-DES encryption methods. The easiest way to mitigate the vulnerability is to switch to an encryption algorithm that doesn't use CBC, like those based on the RC4 stream cipher. Interestingly enough, Google websites don't use CBC-based encryption. They use the RC4 cipher instead. Domino Server BEAST Mitigation - With Internet Site Documents In the Domino Administrator Client, open the 'Configuration' tab and expand &

NIST Releases Guide for Conducting Risk Assessments

The National Institute of Standards and Technology (NIST) has released the Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1). As threats to cyber systems grow more complex, risk assessments help companies determine appropriate responses to mitigate risks to their organizations, guide investment strategies and maintain ongoing situational awareness of the state of their systems. Overall guidance on risk assessment for information security can be found in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39).

Microsoft Releases a TLS 1.1 Fix Tool for Windows

Microsoft has released a security advisory relating to the SSL/TLS vulnerability previously discussed. Included in the advisory are a workaround and a tool that can implement a fix on Windows 7 and Windows Server 2008 R2 systems. If you're using a version of Windows prior to Windows 7 or Server 2008 R2, your system doesn't even support TLS 1.1. Your only hope is that server admins fix the SSL/TLS problem on their web servers. Interestingly enough, the RC4 cipher suite is unaffected. Only encryption based on CBC (cipher block chaining) is affected. RC4 is a stream cipher, which is not affected.

Ideas

Pssst... Want to buy some patient records?

You know, probably not the best words in an article about lost patient records to link ads from if you want your website to look legit. Just saying...

Swedish Computer System Crash; 50 000 lost medical records

A computer system crash in Region Skåne, Sweden has resulted in the loss of appointment and prescription records, and may have resulted in the loss of over 50 000 medical records. The affected hard drives have been shipped to a Norwegian company to attempt to recover the information lost in the crash that occurred on August 22, 2011 (almost a month ago as of the publication of this post). The cause of the crash is still under investigation, and the extent of the data loss is still unknown. ”We have never before lost so much information,” Mette Marklund, director of the National Board of Health and Welfare’s Southern Region, told DN. ”It can be a great risk to patient safety when we do not have access to adequate information. But, we do not know yet what to rebuild.” Interestingly enough, Region Skåne is scheduled to launch a central medical record system for the entire nation in 2012. Ed. Note: I'm not certain how a health organization in a first world country could have st

My ATM is running Windows 98?

Picture this: you walk up to an ATM belonging to your bank and find the error below on the screen. Do you change banks?

(IN)SECURE Magazine number 31 is available

If you work in IT security and you don't read (IN)SECURE Magazine, you should take a look at it. Here is the article list for issue 31:

The changing face of hacking
Review: [hiddn] Crypto Adapter
A tech theory coming of age
SecurityByte 2011: Cyber conflicts, cloud computing and printer hacking
The need for foundational controls in cloud computing
A new approach to data centric security
The future of identity verification through keystroke dynamics
Visiting Bitdefender's headquarters
Rebuilding walls in the clouds
Testing Domino applications
Report: Black Hat 2011 USA
Safeguarding user access in the cloud with identity governance

You can download it here:

IBM Lotus Domino and the SSL/TLS known vulnerability

Based on this article, I started thinking about how the fallout from the SSL/TLS vulnerability may affect me. I wasn't ready for what I found. As it turns out, as detailed in this IBM tech note, there is no support for TLS 1.0, TLS 1.1 or TLS 1.2 for Domino's HTTP server. There is only support for SMTP (through STARTTLS) and SIP (for Sametime) within Domino. All other Lotus Domino Internet-based protocols (HTTP, LDAP, POP3, IMAP) support SSL only up to 3.0. So... As for a plan, it looks like you can probably put your Domino servers behind a WebSphere Edge Server doing reverse proxy. Much like you would have to do if you were looking to make Domino FIPS 140-2 compliant.

Looking for a Lotus job?

If you are looking for a job revolving around one of the IBM/Lotus technologies, make sure you take a look at Tom Duff's website. He posts daily on the new jobs that surface in the Lotus world. Duffbert's Lotus Jobs

Known Vulnerability in SSL/TLS is now a Problem

In case you didn't read it here, or here, there has been a successful exploit of a long-known vulnerability in all versions of SSL and TLS 1.0. Although the vulnerability has been known since the early iterations of SSL, up until now it was thought to be unexploitable. Thanks to the work of Juliano Rizzo and Thai Duong (who previously brought to light an issue with ASP.NET that caused Microsoft to release an 'out-of-band' patch), the vulnerability has been exploited through a web browser. What does this mean for us, the security practitioners? It may be time to implement and enforce the use of TLS 1.1 or TLS 1.2 soon. Attacks against SSL / TLS 1.0 have yet to show up in the wild, but it is only a matter of time. Still unsure about what SSL/TLS is? Here's a good reference. (Note: I didn't like the spin used by the news article entitled "Online banking encryption broken" on the CBC's website about the exploit. It harkens to fear mongeri

Cybersecurity Awareness Month

The Department of Homeland Security (DHS) in the United States has set October as National Cybersecurity Awareness Month. Despite choosing one month to bring public awareness to cybersecurity, most security professionals recommend practicing cybersecurity year round, not just in October. You'll probably want to think about the things on the list below during October.

Anti-Virus
Firewalls
Backups
Software Updates

You should also review the list of what to do when things go wrong (as most things eventually will). You can find that resource here:

Great Cryptography Reference

Do you know some of the basics of cryptography, like what a Caesar cipher is? How about a Vigenère table? Are you looking for an easy reference on what data encryption is? Check it out!

Securing The Human

Part of the SANS security awareness program is a site called 'Securing The Human'. Every month they publish a newsletter directed at the typical web user. Not those of us with a heightened awareness of security, but people like your office manager, mail room clerk or parents. This month's newsletter, appropriately called 'OUCH!', deals with privacy and security surrounding social networking. I encourage you to take a look, and disseminate it to your staff. In fact, they even encourage you to do that. It is available in English, French, Arabic, Italian, Korean, Malaysian, Polish, Portuguese, Spanish, and both Simplified and Traditional Chinese.