Thursday 24 November 2011

Happy Thanksgiving!

Just a quick note to wish all of my American friends a happy thanksgiving.

(Even though they didn't wish me one on my thanksgiving.)

Friday 18 November 2011

Domino Disk Performance

So, today marks the first day that I've had a chance to play with our new Domino server.   Most of the hardware is pretty standard.   IBM 3650M2 hardware, 12GB of RAM and 2 quad core CPUs.

Usually, the performance bottleneck I run into is disk access.   Today, I'm trying some new hardware to see if we can eliminate that bottleneck.

Here are my first results:

This spike was the result of starting a compact -C on a database with a size of 1.6GB and 150,000 documents.  It took 2 minutes to complete.

I'll let you know how performance continues.

Thursday 17 November 2011

RCMP Camera Gaffe and Security Policies

I read about the RCMP's gaffe with leaving images from past investigations on a camera used for surveillance of a suspected graffiti artist, and immediately thought of this article entitled "IT Security policies Widely Ignored, Survey Suggests".

Is that what happened?   Was it a process issue, or a policy issue?

I wonder if we'll ever know?

Wednesday 16 November 2011

Anonymous and the City of Toronto

Toronto Mayor Rob Ford is confident that City of Toronto systems are secure after a threat from hacking group Anonymous.

I read that in an article from SC Magazine.  He really couldn't say anything else, but I wonder if he really believes it.   I also wonder what City of Toronto CIO David Wallace is thinking...   After large takedowns of Sony and the like by Anonymous, he's probably not as confident.

Tuesday 15 November 2011

Help: Domino ACLs and Email Address as User Login

It's not often I resort to the LazyWeb method of looking for information, but I haven't had any luck finding what I was looking for otherwise.

I have a client who wants to use their email address to log in to a Domino web application.

My memory tells me that there is/was an issue with this and using Groups in the ACL of the Domino database.

Can anyone point me to any resources on how to do this, or that it can't be done, or anything along those lines?


Friday 4 November 2011

Security Notice: THC-SSL-DOS, Lotus Domino and SSL Regegotiation

A group called released a tool called THC-SSL-DOS.  Here's a clip from their site:

THC-SSL-DOS is a tool to verify the performance of SSL.

Establishing a secure SSL connection requires 15x more processing
power on the server than on the client.

THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.

This problem affects all SSL implementations today. The vendors are aware
of this problem since 2003 and the topic has been widely discussed.

This attack further exploits the SSL secure Renegotiation feature
to trigger thousands of renegotiations via single TCP connection.

Its also been covered in various places on the web, like here or here.

While it doesn't look like there is much that can be done to mitigate it, you may get some relief for your Lotus Domino servers (and other software that uses Domino as a platform) by disabling SSL Renegotiation.

It's an option available in the following releases of Lotus Domino:

  • Lotus Domino 8.0.2 Fix Pack 6 +

  • Lotus Domino 8.5.1 Fix Pack 4 +

  • Lotus Domino 8.5.2 +

  • Lotus Domino 8.5.3 +

The fix is the Notes.ini parameter below.


This Notes.ini parameter was originally released in response to CVE-2009-3555 which detailed a Man-In-The-Middle attack that would allow the attacker to insert data in HTTPS sessions, and possibly other sessions secured by SSL.   (I'm looking at you LDAP, SMTP, and POP3)

Wednesday 2 November 2011

National IT Day in Canada

Today is National IT Day in Canada.

I guess this is the day I get some respect...

Hmm. Nothing yet. Guess I'll keep waiting.

Tuesday 1 November 2011

Greece, a Referendum and Security

About now, some people will be pontificating that if Greek citizens vote down austerity measures, Greece will run out of money in a matter of days, and that the world/European economy will go into a tailspin shortly thereafter.

I suspect that if that occurs, there will be a rather public hack of Greece's infrastructure, taking advantage while they are down.   Quite possibly, it will be an inside job, by someone disgruntled that they are broke.


Spoofing a Cell Tower

It's interesting that a little more than a year after a security researcher proved at DefCon that he could spoof a cell tower, the UK police have purchased a system to do the same thing.

Keyloggers 101

Great video post from the Ethical Hacker Network on Keyloggers.

Shows the basics about keyloggers, how hidden they are, and how to detect them.