Security

SHA-1 based SSL Certificates are being Phased Out

Hello friends,

The following post is to advise those of you who run public-facing websites that use SSL. Google Chrome will start giving users warning messages when accessing sites that use SHA-1 based SSL certificates.

By the way – this is scheduled to start happening in under a month from now. And if you are like me and test SSL on the sites you manage and visit, you will have noticed that many scanners now flag SHA-1 as insecure and lower your site's security rating.

What is SHA-1

The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago.

Why change it now?

Well, it's not that this is news. SHA-1's use on the Internet has been deprecated since 2011. However, change across the world takes a bit more time. And with the advancement of computing technology, the ability to mount collision attacks against it grows. So companies such as Google and projects such as Firefox, oh, and Microsoft, are all sunsetting SHA-1.

What does this mean for me?

This means you need to have your certificates re-keyed through your SSL provider using a certificate signing request (CSR) with a SHA-256 signing hash if you don’t want people to get browser warnings.

But IIS doesn’t offer this?

You are correct, it doesn't. If you are using IIS, regardless of which version of Windows (2003-2012) you are on, you can only generate SHA-1 certificates. So it's time to embrace the power of Linux, or simply OpenSSL, to get the job done.

So my advice is that you start making the change, so that you don't have to deal with the embarrassment of your customers and site visitors asking you why your SSL-enabled site is reporting warnings.

- Jermal

Ref Links:

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

https://blog.digicert.com/what-is-sha-2-and-how-it-affects-you/

Online Tool(s)

Check your SSL Sites – https://www.digicert.com/sha1-sunset/
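The online checker above tells you the verdict; the script below, an added example that is not part of the original post, shows what is actually being checked: the signature algorithm of each certificate in the chain a site serves, plus the same check for certificates already installed on one of your own IIS servers. It assumes Windows PowerShell 5.1, and 'www.example.com' is a placeholder for a site you manage.

```powershell
# Added example, not from the original post. Shows what "SHA-1 based" means in
# practice: the signature algorithm on each certificate in the chain a site serves.
# Assumes Windows PowerShell 5.1; 'www.example.com' is a placeholder host name.
function Get-SiteSignatureAlgorithm {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate the server sends: we are inspecting it, not trusting it.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)

        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($leaf)

        foreach ($element in $chain.ChainElements) {
            $cert   = $element.Certificate
            $isRoot = ($cert.Subject -eq $cert.Issuer)
            $alg    = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            [pscustomobject]@{
                Subject            = $cert.Subject
                SignatureAlgorithm = $alg
                NotAfter           = $cert.NotAfter
                # Browsers do not check the self-signature on a trusted root, so only
                # the leaf and any intermediates count as a SHA-1 problem.
                Sha1Problem        = ((-not $isRoot) -and ($alg -like 'sha1*'))
            }
        }
    }
    finally {
        $tcp.Close()
    }
}

# The same check for certificates already installed on an IIS server.
function Get-Sha1CertificateInStore {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -like 'sha1*' } |
        Select-Object Subject, NotAfter, Thumbprint
}

Get-SiteSignatureAlgorithm -HostName 'www.example.com' | Format-Table -AutoSize
Get-Sha1CertificateInStore | Format-Table -AutoSize
```

Run it against each site you manage: a row with Sha1Problem set to True on the leaf or an intermediate is what Chrome will warn about, so re-key the certificate with a SHA-256 CSR as described above, and ask your provider for a SHA-256 signed intermediate if that is where the problem sits.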

Using the built-in Windows tool to securely wipe free disk space

So you're at work and had to make a backup copy of the CEO's Outlook data file onto your local computer. After your work on his or her mailbox you delete the backup. So you think!

Now we know this isn't true.

This is where CIPHER comes in.

Cipher is a command-line tool (included with Windows) that you can use to manage encrypted data. It can also be used to wipe the free (unused) space on your hard drive.

Let's get to using this, shall we?

First, open a command prompt as Administrator.

Type cipher /? to list the available syntax for the command. As you can see there is a lot this little tool can do. More on that at another time.

So in my case I wanted to wipe all the free space on volume D:\ of my Windows system. By typing cipher.exe /w:d <press enter> I was able to wipe the free space and any trace of my CEO's backed-up mailbox.

Now just sit back and wait until it completes, and you're done. Simple and effective.

Let’s recap

I wanted to wipe the free disk space on my computer to remove the possibility of the data being recovered.

To do this I opened a command prompt (as Administrator).
While in the command prompt I typed in cipher /w:d (d being my drive).

Ref: http://support.microsoft.com/kb/298009

Man-in-the-Middle (MITM)

You are on vacation or spending the weekend at the beach. As usual you're using your laptop or smartphone. You may be computer savvy, so you don't let onlookers watch you typing your secure passwords.

But it's not those you can see that you need to worry about.

It's the person watching your network activity: logging every site you visit, logging your bank credentials, email, home address, contacts (friend lists), and anything else s/he can obtain. The ultimate eavesdropper.

This person's mission: to steal data from you, about you. This is the man (or woman) in the middle (MITM).

The man-in-the-middle uses many tools and exploits security vulnerabilities that allow them to see your data as clearly as you see it on your screen. More so, they can see your passwords even when they are dotted out from the naked eye.

The MITM can inject code into your session to redirect you to fake sites; they can even see what you are viewing in real time.

Attackers use non-secured logins to apps on your phone and websites you visit to obtain data about you.

So how do I protect myself from this?

There are many solutions; the best is to always use applications (apps) on your phone that use secure connections to the services they connect to. This may be a shock to you: many do not, and this is part of the problem.

Always use sites that are secured with HTTPS from start to finish. Again, many do not, and this leaves you exposed.

If and when possible, use a VPN (virtual private network) solution.

This is another form of protection, as your communication is sent encrypted through a network you trust to be more secure than the one you are presently on.

So the best advice I can offer you is:

  • Be aware of the sites you visit
  • Ensure the sites you use are using SSL
  • Be sure the apps you choose to use are using SSL
  • Get a VPN solution
  • Change your passwords often
  • And don't use the same password for everything
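"HTTPS from start to finish" is something you can test rather than assume. The script below is an added example, not part of the original post: for a site you use, it checks whether the plain http:// address sends you straight to https://, and whether the https:// response carries a Strict-Transport-Security (HSTS) header telling browsers never to use plain HTTP for that site again. It assumes Windows PowerShell 5.1, and 'www.example.com' is a placeholder host name.

```powershell
# Added example, not from the original post. Checks whether a site is served over
# HTTPS from start to finish: http:// must redirect to https://, and the https://
# answer should carry an HSTS header. Assumes Windows PowerShell 5.1.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Invoke-HeadRequest {
    param([Parameter(Mandatory = $true)][string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false     # we want to see the redirect, not follow it
    $req.Method  = 'HEAD'
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    }
    catch [System.Net.WebException] {
        # 4xx/5xx answers arrive as exceptions but still carry a response;
        # a connection failure or an untrusted certificate carries none.
        $resp = $_.Exception.Response
        if (-not $resp) { return $null }
    }
    $result = [pscustomobject]@{
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers['Location']
        Hsts     = $resp.Headers['Strict-Transport-Security']
    }
    $resp.Close()
    $result
}

function Test-HttpsEverywhere {
    param([Parameter(Mandatory = $true)][string]$HostName)
    $http  = Invoke-HeadRequest -Url "http://$HostName/"
    $https = Invoke-HeadRequest -Url "https://$HostName/"

    $redirectsToHttps = ($null -ne $http) -and
                        ($http.Status -ge 300) -and ($http.Status -lt 400) -and
                        ($http.Location -like 'https://*')
    $hasHsts = ($null -ne $https) -and (-not [string]::IsNullOrEmpty($https.Hsts))

    $verdict = if ($null -eq $https) { 'no working HTTPS' }
               elseif ($redirectsToHttps -and $hasHsts) { 'HTTPS from start to finish, with HSTS' }
               elseif ($redirectsToHttps) { 'redirects to HTTPS, but no HSTS header' }
               else { 'plain HTTP is still served: type https:// yourself' }

    [pscustomobject]@{
        Host             = $HostName
        HttpStatus       = $(if ($http) { $http.Status } else { $null })
        RedirectsToHttps = $redirectsToHttps
        Hsts             = $(if ($https) { $https.Hsts } else { $null })
        Verdict          = $verdict
    }
}

Test-HttpsEverywhere -HostName 'www.example.com' | Format-List
```

A site that still answers plain HTTP with a normal page is exactly the case where an eavesdropper on the beach Wi-Fi sees your session in the clear, which is why the check looks at the http:// address first.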


How to submit malware / virus to antivirus and malware companies

So you got yourself infected with a virus and hopefully you got rid of it before it did any serious damage. If it did, you may wish you had something like "CrashPlan" to get your files back.

And while a backup solution is always the best tool for recovery, today we are going to talk about what to do once you have identified a suspected virus or malware component that you want to share so others are spared from such an issue.

This fight isn't just on you; there is a large community made up of experts and everyday people who want to help one another get rid of malware and computer viruses.

Here are a few sites I often submit the little bugs to for review:

For additional tools in scanning and verifying an infected file I often use VirSCAN.org

VirSCAN.org is a FREE online scan service which checks uploaded files for malware using the antivirus engines listed on the VirSCAN site. On uploading the files you want checked, you can see the result of the scan and how dangerous or harmless those files are for your computer.

Another online scan tool: https://www.virustotal.com/
By the way, VirusTotal is owned by Google.

Best of luck to you all, and stay safe


Set SharePoint Content Database in Read-Only Mode

This weekend I am working on a SharePoint 2010 to 2013 upgrade.

One of the first steps I will do is set the databases I am upgrading into read-only mode, to prevent users or automated processes from updating the database during the upgrade window.

Now I could have taken the system offline for this, but that would be simple and inconvenient for anyone looking for information. And in IT it's all about the information now, isn't it? You can find my steps below.

SharePoint Application Server

  • I first logged into Central Administration of my SharePoint Server (SharePoint 2010).
  • Under Application Management, select Manage content databases
  • Choose your web application and select the database
  • You will notice that there isn't an option to set this database into read-only mode; however, you do see that its status indicates it's not in read-only mode.
  • Keep this page open, as we will reload it later.

SharePoint SQL Database Server

  • Log into your Microsoft SQL Database Server (or a machine with SSMS installed).
  • Launch SQL Server Management Studio (SSMS)
  • Connect to the SQL Database Server instance
  • Select the database in question
  • Right-click and select Properties
  • Under Properties select Options
  • Scroll down to the area that reads "State"
  • You will see Database Read-Only
  • Change the value from False to True, then click OK
  • You will see a notification that it will momentarily disconnect active users.
  • Click OK to continue.

Now you can revisit the SharePoint Application Server and reload the page; you will notice that the status has changed and the database is in read-only mode.

Congrats, if you followed these steps you did it right.
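The SSMS click-through above is fine for one database, but an upgrade usually has several content databases, so here is the same step scripted. This is an added example, not part of the original post: it runs the ALTER DATABASE statement that the Options page generates, then reads the state back from sys.databases instead of assuming it took effect. It assumes Windows PowerShell 5.1 with Windows authentication to the SQL instance; the instance and database names are placeholders.

```powershell
# Added example, not from the original post. Scripts the "Database Read-Only: True"
# step from SSMS so it can be repeated for every content database in an upgrade.
# Assumes Windows PowerShell 5.1 and Windows authentication to the SQL instance.
function Set-DatabaseReadOnly {
    param(
        [Parameter(Mandatory = $true)][string]$Instance,
        [Parameter(Mandatory = $true)][string]$Database,
        [bool]$ReadOnly = $true
    )
    # Bracket-quote the database name so an unusual name cannot break the statement.
    $quoted = '[' + ($Database -replace '\]', ']]') + ']'
    $state  = if ($ReadOnly) { 'READ_ONLY' } else { 'READ_WRITE' }
    # WITH ROLLBACK IMMEDIATE is what the SSMS dialog warns about: open transactions
    # are rolled back and active users are briefly disconnected.
    $sql = "ALTER DATABASE $quoted SET $state WITH ROLLBACK IMMEDIATE;"

    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=True;")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.ExecuteNonQuery()

        # Read the state back rather than trusting that the ALTER succeeded.
        $cmd.CommandText = 'SELECT is_read_only FROM sys.databases WHERE name = @name;'
        [void]$cmd.Parameters.AddWithValue('@name', $Database)
        [bool]$cmd.ExecuteScalar()
    }
    finally {
        $conn.Close()
    }
}

# Placeholder names; take the real content database names from Central Administration.
# Before the upgrade window: lock the database (returns True when it is read-only).
Set-DatabaseReadOnly -Instance 'SQL01\SHAREPOINT' -Database 'WSS_Content'
# After the upgrade: open it again.
Set-DatabaseReadOnly -Instance 'SQL01\SHAREPOINT' -Database 'WSS_Content' -ReadOnly $false
```

Reloading the Manage content databases page in Central Administration after the first call should show the same read-only status the post describes.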

Tech Short: CryptoLocker

CryptoLocker is a type of “ransomware” that encrypts the data on an infected computer so that it can’t be read and then demands payment to decrypt it.

A CryptoLocker attack may come from various sources; one such is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers.

After the initial infection, a message is normally displayed to the computer user informing them to pay to gain access to their files.

The targeted files are normally Office documents and photos, as these are deemed very important to individuals.

It targets files with the following extensions:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

When it finds a file matching one of these extensions, it encrypts the file using the public key and then records the file in the Windows registry under HKEY_CURRENT_USER\Software\CryptoLocker\Files.

CryptoLocker typically propagates as an email attachment, or it is uploaded to a computer already recruited to a botnet by a previous trojan infection.

To protect yourself you should always keep your systems up to date, and be vigilant when opening email attachments and when dealing with sites that attempt to download these infections to your computer.

Most CryptoLocker infections do not require the user to have elevated rights on the machine, as it targets anything the local user has access to.

The only way to recover from being infected is to restore the machine and its files from a clean backup.

I suggest using a real-time backup solution such as CrashPlan for something like this, as it supports versioning and point-in-time restoration.

I also suggest using Malwarebytes Free Anti-Malware to aid in cleanup of the infection; however, this does not give you back access to files that have already been compromised.

Additional Notes:

CryptoLocker does not need Administrator privileges to run, so don't think you're safe just because none of your users are domain/local admins. The CryptoLocker.exe is placed in the user's %appdata% and/or %localappdata% folder, where it runs under the user's context and doesn't require privilege escalation.

What could be done here is to add restrictive policies on the %appdata% and/or %localappdata% folders.

To do this:

  • Open the Group Policy Editor
  • Computer Configuration
  • Windows Settings
  • Security Settings
  • Software Restriction Policies
  • Right-click and create new policies
  • Go to Additional Rules

Create new path rules for the following:

%appdata%\*.exe – Security level: Disallowed
%localappdata%\*.exe – Security level: Disallowed
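Before those two rules go out, it helps to know what already runs from those folders on your machines: legitimate software the rules would break, and unsigned executables nobody can explain. The script below is an added example, not part of the original post. It walks %appdata% and %localappdata% in every user profile on the machine and reports each executable with its Authenticode signer. It recurses into subfolders, because a dropper placed one level down is just as dangerous as one in the folder itself. It assumes Windows PowerShell 5.1 run as an administrator so that every profile is readable.

```powershell
# Added example, not from the original post. Inventories executables under
# %appdata% (AppData\Roaming) and %localappdata% (AppData\Local) for every user
# profile, with their Authenticode signature status. Assumes Windows PowerShell 5.1
# run as an administrator.
function Get-ProfileExecutable {
    param([string]$ProfileRoot = (Split-Path -Parent $env:USERPROFILE))

    # The folders the SRP rules cover, relative to each user profile.
    $relativeDirs = @('AppData\Roaming', 'AppData\Local')

    foreach ($userProfile in Get-ChildItem -Path $ProfileRoot -Directory) {
        foreach ($rel in $relativeDirs) {
            $dir = Join-Path $userProfile.FullName $rel
            if (-not (Test-Path -Path $dir)) { continue }
            Get-ChildItem -Path $dir -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                    [pscustomobject]@{
                        User     = $userProfile.Name
                        Path     = $_.FullName
                        Signed   = ($sig.Status -eq 'Valid')
                        Signer   = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
                        Modified = $_.LastWriteTime
                    }
                }
        }
    }
}

# Unsigned executables in a profile folder are the ones to look at first.
Get-ProfileExecutable | Sort-Object Signed, User | Format-Table -AutoSize
```

Run it on a handful of representative workstations: anything signed by a vendor you rely on is a candidate for an explicit allow rule, and the unsigned leftovers are what the Disallowed rules are there to stop.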

Also, a message to my fellow systems admins:

If you are smart you will also block all executable attachments, along with zips, in emails. This will effectively reduce the footprint of possible infections via email.

Communicate this with your management.

If they choose not to entertain alternative ways to transfer files, then you can rest knowing you've taken the proactive security measures you know, and are confident, are best.

Links:

Ransomware Information Guide

CryptorBit Ransomware Guide


Tech Short: Data Encryption

Data Encryption is the intentional scrambling of information into unreadable form – until it is later converted back into its original form by the intended recipient.

Looking for data encryption tools or info have a look below:

GNU Privacy Guard – GNU Privacy Guard (GnuPG) is an open-source implementation of the famed Pretty Good Privacy (PGP) encryption

TrueCrypt – TrueCrypt is a free, powerful, on-the-fly disk encryption tool. This happens to be my very favorite tool.

Pidgin-Encryption – Pidgin-Encryption transparently encrypts your instant messages with RSA encryption. It's simple and very secure.

SharePoint 2013: Upgrade to Claims Based Authentication

Claims-based authentication is an essential component to enable the advanced functionality of SharePoint 2013.

To move classic-mode web applications from SharePoint 2010 Products to SharePoint 2013, you can convert them to claims-based web applications within SharePoint 2010 Products, and then migrate them to SharePoint 2013.

The procedures in this post will address the issue I had faced after upgrading to SharePoint 2013 from 2010.

Due to classic-mode authentication being officially deprecated by Microsoft, the database needed to be updated to claims-based authentication.

During my testing I noticed that many (if not all) user accounts had issues logging into sites which worked prior to the upgrade. I was removing and re-adding them to work around this issue, which was very tedious.

Using the Convert-SPWebApplication PowerShell command simplified this task.

Here are the steps I took

Launched SharePoint 2013 Management Shell as Administrator

Enter the following command:

Convert-SPWebApplication -Identity <URL> -To Claims -RetainPermissions

Please note the <URL> is the http://address to your SharePoint 2013 site application. Example: http://corp.jermsmit.com

For more info check out: http://technet.microsoft.com/en-us/library/gg251985.aspx
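When a farm has more than one web application it is easy to miss one, so here is the same conversion driven from the farm's own list of web applications. This is an added example, not part of the original post: it reports which web applications are still in classic mode, converts only those, and reads the UseClaimsAuthentication flag back afterwards so the conversion is confirmed rather than assumed. It assumes the SharePoint 2013 Management Shell on a farm server (or the snap-in loaded as in the first line).

```powershell
# Added example, not from the original post. Lists the authentication mode of every
# web application, converts the classic ones with Convert-SPWebApplication, and
# checks the result. Assumes the SharePoint 2013 PowerShell snap-in on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebApplicationAuthMode {
    Get-SPWebApplication |
        Select-Object DisplayName, Url,
            @{ Name = 'Mode'; Expression = { if ($_.UseClaimsAuthentication) { 'Claims' } else { 'Classic' } } }
}

# Before: see which web applications still need converting.
Get-WebApplicationAuthMode | Format-Table -AutoSize

# Convert only the classic-mode applications. -RetainPermissions keeps the existing
# user permissions, as in the post; the URL comes from the object rather than being typed.
Get-SPWebApplication | Where-Object { -not $_.UseClaimsAuthentication } | ForEach-Object {
    Convert-SPWebApplication -Identity $_.Url -To Claims -RetainPermissions
}

# After: every web application should now report Claims.
Get-WebApplicationAuthMode | Format-Table -AutoSize
```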

Firefox: Add a Trusted Certificate Authority

By default Firefox has its own certificate store of well-known and trusted commercial Certificate Authorities. So today, when I pushed out an internal self-signed certificate, Firefox did not recognize it as valid.

To correct this issue I did the following:

  • Launched Firefox
  • Opened the Options panel and selected Advanced
  • Selected View Certificates to access the Certificate Manager
  • Then, by clicking Import and browsing to your exported CA certificate, you can import the internal certificate.

I hope this helps.


Chat with no central authority using BitTorrent Chat

With the many communication platforms out today, it's hard for me, or anyone else for that matter, to recommend one that is best for you. One thing that is similar about many of them today: they all rely on some centralized server to route and store all of your communication. They also store what you have talked about on their servers.

Whoa! Seriously, I kid you not. They do!

This means that at any time they could pull up your chat logs and the photos you have sent via chat, and one day use them. Now if you are not doing anything via chat that you wouldn't do in public, that isn't a concern to you now, is it?

Well!!! Is it?

The point I am making is, all it takes is the wrong person(s) gaining access to your communication platform's servers and databases, and your perceived privacy is no more.

So how do we solve such an issue?

Well, we have private chat programs that work peer-to-peer, but those are complex for the simple day-to-day user to set up and maintain.

Then we have BitTorrent Chat.

BitTorrent Chat uses public key encryption to protect your privacy. There aren't "usernames". You are not required to log in to a central server. Instead, your identity is a cryptographic key pair. What does this mean? Well, to other users you are simply a public key, meaning you do not need to tell anyone who you are. All you need to do is exchange your public keys with another user so you can communicate.

Benefits:

Using public key encryption provides us with a number of benefits. The most obvious is the ability to encrypt messages to your contact using your private key and their public key. Every time you begin a conversation with one of your contacts, a temporary encryption key will be generated. Using each of your key pairs, this key will be generated for this one conversation and that conversation only, and then deleted forever. So even if someone was able to gain access to your computer and take your private key, the history is gone, gone forever.

All of this uses what is known as the BitTorrent encrypted DHT, which is a method used to translate a public key to an IP address, similar to how BitTorrent clients find peers.

So if you are interested, sign up for the Private Alpha and let's start communicating online the way it should be.

Here are some links you might be interested in:

Wikipedia article on BitTorrent’s version of the DHT

Wikipedia article on DHT technology in general

Wikipedia article on public key encryption

Wikipedia article on forward secrecy
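To make the "temporary key per conversation" idea concrete, here is a small worked example of the same mechanics in Windows PowerShell 5.1 using the .NET crypto classes. It is an added example; it is not BitTorrent Chat's code and makes no claim about its actual protocol. Each party has a long-lived identity key pair (the public key others know you by), every conversation gets a fresh ephemeral key pair whose shared secret becomes the session key, the identity key signs the ephemeral public key so a man-in-the-middle cannot swap it, and the ephemeral keys are destroyed when the conversation ends. Function names such as New-Identity and New-Conversation are this example's own.

```powershell
# Added example, not from the original post and not BitTorrent Chat's code. Shows an
# authenticated ephemeral key exchange: long-lived identity keys sign per-conversation
# ECDH keys, and destroying the ECDH keys afterwards gives forward secrecy.
# Assumes Windows PowerShell 5.1 (.NET Framework CNG classes).

function New-Identity {
    # Long-lived ECDSA P-256 key: used only to sign, never to encrypt.
    New-Object System.Security.Cryptography.ECDsaCng -ArgumentList 256
}

function Export-IdentityPublic {
    param([System.Security.Cryptography.ECDsaCng]$Identity)
    # The public half is what you hand to a contact once, out of band.
    $Identity.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
}

function New-Conversation {
    param([System.Security.Cryptography.ECDsaCng]$Identity)
    # Fresh ECDH key for this conversation only; the shared secret is hashed with SHA-256.
    $ecdh = New-Object System.Security.Cryptography.ECDiffieHellmanCng -ArgumentList 256
    $ecdh.KeyDerivationFunction = [System.Security.Cryptography.ECDiffieHellmanKeyDerivationFunction]::Hash
    $ecdh.HashAlgorithm = [System.Security.Cryptography.CngAlgorithm]::Sha256
    $ephemeralPublic = $ecdh.PublicKey.ToByteArray()
    [pscustomobject]@{
        Ecdh      = $ecdh
        Public    = $ephemeralPublic
        # Signing the ephemeral key with the identity key is what stops a
        # man-in-the-middle from substituting an ephemeral key of his own.
        Signature = $Identity.SignData($ephemeralPublic)
    }
}

function Get-SessionKey {
    param($Conversation, [byte[]]$PeerPublic, [byte[]]$PeerSignature, [byte[]]$PeerIdentityBlob)
    $peerKey      = [System.Security.Cryptography.CngKey]::Import($PeerIdentityBlob, [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $peerIdentity = New-Object System.Security.Cryptography.ECDsaCng -ArgumentList $peerKey
    if (-not $peerIdentity.VerifyData($PeerPublic, $PeerSignature)) {
        throw 'Ephemeral key is not signed by the expected identity: possible man-in-the-middle.'
    }
    $peerEphemeral = [System.Security.Cryptography.ECDiffieHellmanCngPublicKey]::FromByteArray($PeerPublic, [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $Conversation.Ecdh.DeriveKeyMaterial($peerEphemeral)   # 32 bytes, identical on both sides
}

function Protect-Message {
    param([byte[]]$Key, [string]$Text)
    # AES-CBC without a MAC is used only to keep the example short; a real protocol
    # also authenticates every ciphertext.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $iv = $aes.IV
    $aes.Dispose()
    [pscustomobject]@{ IV = $iv; Cipher = $cipher }
}

function Unprotect-Message {
    param([byte[]]$Key, $Envelope)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = $Envelope.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Cipher, 0, $Envelope.Cipher.Length)
    $aes.Dispose()
    [System.Text.Encoding]::UTF8.GetString($plain)
}

# --- Demo: Alice and Bob exchanged identity public keys once, out of band.
$aliceId = New-Identity; $bobId = New-Identity
$aliceIdPub = Export-IdentityPublic -Identity $aliceId
$bobIdPub   = Export-IdentityPublic -Identity $bobId

# A new conversation: fresh ephemeral keys, each signed by its owner's identity.
$aliceConv = New-Conversation -Identity $aliceId
$bobConv   = New-Conversation -Identity $bobId
$aliceKey = Get-SessionKey -Conversation $aliceConv -PeerPublic $bobConv.Public   -PeerSignature $bobConv.Signature   -PeerIdentityBlob $bobIdPub
$bobKey   = Get-SessionKey -Conversation $bobConv   -PeerPublic $aliceConv.Public -PeerSignature $aliceConv.Signature -PeerIdentityBlob $aliceIdPub
"Same session key on both sides: " + ([Convert]::ToBase64String($aliceKey) -eq [Convert]::ToBase64String($bobKey))

$envelope = Protect-Message -Key $aliceKey -Text 'See you at the beach at nine.'
"Bob reads: " + (Unprotect-Message -Key $bobKey -Envelope $envelope)

# Conversation over: destroy the ephemeral keys. Someone who steals $aliceId later has
# nothing that can recompute $aliceKey, which is the forward secrecy the post describes.
$aliceConv.Ecdh.Dispose(); $bobConv.Ecdh.Dispose()
```

The part worth noticing is the last line: the session key was derived from keys that no longer exist, so recorded traffic stays unreadable even if an identity key is later stolen. Replace the signature check with nothing and the exchange still "works", but an attacker on the path could then hand each side an ephemeral key of his own, which is the man-in-the-middle case from the earlier post.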


I hope you enjoyed this post, please visit me on Facebook @ http://www.facebook.com/jermsmitcom & via twitter: #jermsmit