Blog

Vulnerability Management for Dummies - free ebook offer

My readers have the opportunity to get Vulnerability Management for Dummies for free.  With all the current talks of POODLE, this came along at the right time.  Over 60 pages of entry level information.
Vulnerability Management for Dummies

Vulnerability Management for Dummies  covers a lot of ground quickly
As someone responsible for network security within your organization, you need to understand how to prevent attacks and eliminate network weaknesses that leave your business exposed and at risk.

Vulnerability Management for Dummies
 arms you with the facts and shows you how to implement a successful Vulnerability Management program. Whether your network consists of just a handful of computers or thousands of servers distributed around the world, this 5-part book will help:
  • Explain the critical need for Vulnerability Management (VM)
  • Detail the essential best-practice steps of a successful VM Program
  • Outline the various VM Solutions - including the pros & cons of each
  • Highlight the award-winning QualysGuard VM solution
  • Provide a 10-point checklist for removing vulnerabilities from your key resources
Get you hands on Vulnerability Management for Dummies right now. It is yours free for a limited time.
    for this posting

    On Thursday, October 23rd, 2014   by Chris Miller        

What is the POODLE vulnerability - back to basics

As we fight to fix the POODLE vulnerability in all systems, we should know what it is. POODLE stands for Padding Oracle on Downgraded Legacy Encryption . In simpler terms it exploits an older form of encryption your browser may use to communicate with servers.
As long as both the server and the client (web browser) support SSL 3.0, the attacker can force a downgrade in the protocol, so even if your browser tries to use TLS, it ends up being forced to use SSL instead. The only answer is for either side or both sides to remove support for SSL, removing the possibility of being downgraded.

So if an attacker can force your browser down to the older SSL 3.0 then they could cause some problems.  While vendors are hurriedly trying to patch their software, pretty much everyone was still supporting SSL 3.0 on their servers and of course your browsers do too. The only true solution is for both the web servers and the browsers to remove support for SSL 3.0 and force everything to TLS (transport layer security).

You can temporarily disable SSL 3.0 (and prior) in your own browsers for the time being.  Just be warned that if a site you frequentdoe not for some reason support TLS then you cannot get a secure connection once you do this.  Firefox will be making an update in late November under version 34 that removes SSL 3.0.  For now you can manually add a SSL Version Control extension to assist.

Google Chrome can be adjusted by simply changing your shortcut to force TLS as the minimal SSL connectivity.  They will have a Chrome update soon that will address it for the end users.

Lastly Internet Explorer (IE) has a manual way fix you can do today. I could not find a date yet on when they will update to fix the problem but in your Advanced tab and the Security section you can simply click to disable older SSL and make sure TLS is enabled for connections.
    for this posting

    On Thursday, October 23rd, 2014   by Chris Miller        

IBM addresses Poodle and SHA-2 issues in new technotes

IBM has addressed SHA-2 support and the Poodle vulnerability for IBM Domino in new technotes that were released. Here are the links and info.
Technote #1418982 titled Planned SHA-2 deliveries for IBM Domino 9.1
SHA-2 support for Domino 9.x is planned to be delivered over the next several weeks via an Interim Fix.

Technote #1687167 titled How is IBM Domino impacted by the Poodle attack?
IBM intends to release Domino server Interim Fixes over the next several weeks that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to mitigate against POODLE. Implementing TLS 1.0 will allow browsers to still connect to Domino after they have been changed to address the POODLE attack, and Domino will protect against browsers that have been compromised by POODLE. 
IBM will provide Interim Fixes

As you can see IBM will be making interim fixes that will need to be applied to your infrastructure. This includes HTTP traffic for XPages, Traveler, IBM Connections and everything else.  Many bloggers have info on what the impacts are unpatched.
    for this posting

    On Tuesday, October 21st, 2014   by Chris Miller        

CliMate Environment Tracker by Rooti review


CliMate, by Rooti, is your personal environment tracking device. It syncs via bluetooth and provides information on temperature, humidity, UV indexes and more. It can be worn and attached to bags and clothes via a flexible lanyard or mounted on the included stand.
Rooti CliMate Environment Tracker
In the free application, a plant symbolizes you in relation to your surrounding climate. When you're protected, the plant flourishes. When you're exposed, it withers away.
  • The app parses all your data into daily, weekly and monthly charts with simple averages. This way you can gain visual insights into the long-term ramifications of your actual environment.
  • Red Alert +Pro-active Weather Tips and Warnings. Based on your pre-entered information and the readings it receives, It will send you alerts that tell you when to put on sunscreen if you are outdoors.

Packaging of CliMate was very sleek and cool. It was easy to assemble even if the instructions were written in incredibly small font for no reason. We downloaded the application and paired the CliMate very easily. Registration worked on the first try and it instantly began collecting data. The graphs and trends were interesting but not really valuable. The UV index was valuable. You get to enter an approximate skin tone which then helps the app let you know when the device sense strong UV rays and you are getting too much sun. You can even enter the SPF of any sunblock you have on.

It functioned well but had the tendency to be easily turned off by the button. The indicator light on it is very hard to see in bright light. But the app worked great and the data seemed valid that it collected.

The CliMate also acts a a remote shutter control for your camera and a locator for your mobile device.  Overall I can see this being helpful, mainly for those with skin conditions. I am guessing the next version may adjust the button placement or sensitivity. Until then just make sure it is on and collecting data.

You can get in many colors at http://idonot.es/climaterooti  As a favor, even if you are not buying, click Yes while there on Amazon to at least let them know the review is helpful.

Please see all the product reviews here on IdoNotes and subscribe to the SpikedStudio channel or product review playlist  on YouTube
    for this posting

    On Monday, October 20th, 2014   by Chris Miller        

Skype 6.21.104 is consuming way too much memory

I am an avid user of Skype and have let it update itself pretty regularly. Even automatically.  However the Skype 6.21.104 update this week is consuming tons of machine memory. And it continued to grow
Skype 6.2 memory usage



So I uninstalled Skype 6.21.104 to go back to an older version.  My choice was the last Skype 5 version I could find of 5.10.0.116 and ran into a new issue
Since yesterday, all versions of Skype below Skype 6.13 for Windows and Skype 6.14 for OS X are blocked and do not allow you to sign in.

There are all sorts of hacks and workarounds to get old versions to go but that was not what I needed.  I wanted to go back at least a few point releases to lower the memory usage again. So this got troublesome.  Skype has the newest version plus the very slick looking beta.  By the way the beta used even more memory as shown here
Skype beta memory usage


So I dug around for sites with the older version listed. I was lucky to find the whole list on Soft32.  I went back to 6.14.132.104 and got the following memory results
Skype 6.1 memory usage

So for now I will stay on an older version of Skype, even though the new beta was much nicer looking.
    for this posting

    On Thursday, October 16th, 2014   by Chris Miller