Saturday, 15 November 2014

How to Disable SSL V3.0 for Google Chrome (POODLE Attack part 4)

If you use Google Chrome, here is how to disable SSL v3.0.

  1. Right-click your Chrome desktop shortcut
  2. Click Properties
  3. At the end of the Target field, add a space followed by:
    --ssl-version-min=tls1
    (the flag goes after the closing quotation mark of the existing target, not inside it)
  4. Click Apply
  5. Quit Chrome
  6. Double-click the shortcut again to open Chrome
Note The flag only takes effect for Chrome instances started from this shortcut.

To prevent connections that fall back to SSLv3 from being created, Google security engineer Adam Langley said that in Chrome 39 the ability to fall back to SSLv3 will be disabled by default.
"SSLv3-fallback is only needed to support buggy HTTPS servers," Langley said in a post to the Chromium security mailing list. "Servers that correctly support only SSLv3 will continue to work (for now), but some buggy servers may stop working."


How to Disable SSL V3.0 For Client (Win7) (POODLE attack part 3)

Don't forget to disable it on all your Windows clients throughout the network as well.
Home users, please follow these steps too to disable SSL v3.0, and if you use Internet Explorer, disable it there as well.

You can disable support for the SSL 3.0 protocol on Windows by following these steps:
  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.
    Note If this value is already present, double-click the value to edit its current value.
  6. In the Edit DWORD (32-bit) Value dialog box, type 0.
  7. Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all client software installed on a system.

Note After applying this workaround, client applications on this machine will not be able to communicate with other servers that only support SSL 3.0.

by Renato de Oliveira

How to Disable SSL V 3.0 for Windows Servers (Protect against POODLE attack) part 2

Disable SSL 3.0 in Windows For Server Software


We have to remember to turn SSL v3.0 off on all servers, especially those facing the Internet or hosting IIS and handling HTTPS.

You can disable support for the SSL 3.0 protocol on Windows by following these steps:
  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.
    Note If this value is already present, double-click the value to edit its current value.
  6. In the Edit DWORD (32-bit) Value dialog box, type 0.
  7. Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

You can disable support for the SSL 2.0 protocol on Windows by following these steps:
  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.
    Note If this value is already present, double-click the value to edit its current value.
  6. In the Edit DWORD (32-bit) Value dialog box, type 0.
  7. Click OK. Restart the computer.

Note This workaround will disable SSL 2.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.
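The registry change described above for servers (and the matching Client key from the Win7 post) can be applied and checked from an elevated PowerShell prompt instead of regedit. The script below is an added example, not part of the original post: it sets the post's Enabled = 0 for SSL 2.0 and SSL 3.0 under both Client and Server, additionally sets DisabledByDefault = 1 (a companion SCHANNEL value the post does not mention), and then lists the resulting state. A reboot is still required for SCHANNEL to pick up the change.

```powershell
# Added example, not from the original post. Run as Administrator.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$proto\$side"
        if (-not (Test-Path $key)) {
            # Same as creating the missing key path with New -> Key in regedit
            New-Item -Path $key -Force | Out-Null
        }
        # Enabled = 0 is the value the post sets with regedit.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 `
            -PropertyType DWord -Force | Out-Null
        # DisabledByDefault = 1 is the companion SCHANNEL value (not in the post)
        # that also stops the protocol from being offered by default.
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

# Verification: list every protocol key under Protocols with its Enabled value,
# so the state can be checked before and after the reboot.
Get-ChildItem -Path $base -Recurse | ForEach-Object {
    $enabled = (Get-ItemProperty -Path $_.PSPath -Name 'Enabled' `
        -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        Key     = $_.PSPath -replace '^.*Protocols\\', ''
        Enabled = $enabled
    }
} | Format-Table -AutoSize
```

Keys that show no Enabled value are simply absent from the registry and therefore use the SCHANNEL default for that Windows version.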

POODLE Attack (which stands for "Padding Oracle On Downgraded Legacy Encryption")

Recently a lot of security issues have been uncovered. POODLE was discovered back in September 2014 by the Google security team. It can lead to a man-in-the-middle exploit that takes advantage of Internet and security software clients' fallback to SSL 3.0.

POODLE is an example of a vulnerability that succeeds thanks to a mechanism designed for reducing security for the sake of interoperability.

I am not going to go into too much detail about this vulnerability. If you really want to understand it fully, the ins and outs, I suggest you read this article: https://www.us-cert.gov/ncas/alerts/TA14-290A

We must disable support for SSL v3.0, and this is what I will show you: how to disable it for various OSs, servers, devices and applications.
I would like to stress that this is a serious vulnerability and it is strongly recommended that you disable SSL v3.0.

Let's deal with the easy part: how to disable SSL v3.0 support for Internet Explorer.

  1. Click on the "Tools" menu
  2. Click on "Internet Options"
  3. Click on the [Advanced] tab
  4. Scroll the bar on the right all the way to the bottom
  5. Deselect "Use SSL 3.0"
  6. Deselect "Use SSL 2.0"
  7. Select "Use TLS 1.0"
  8. Select "Use TLS 1.1"
  9. Select "Use TLS 1.2"
  10. Click on [OK]
Note After applying this workaround, Internet Explorer will fail to connect to web servers that only support SSL up to 3.0 and don't support TLS 1.0, TLS 1.1 or TLS 1.2.

Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy

You can disable support for the SSL 3.0 protocol in Internet Explorer via Group Policy by modifying the Turn Off Encryption Support Group Policy Object.
  1. Open Group Policy Management.
  2. Select the group policy object to modify, right click and select Edit.
  3. In the Group Policy Management Editor, browse to the following setting:
    Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support
  4. Double-click the Turn off Encryption Support setting to edit the setting.
  5. Click Enabled.
  6. In the Options window, change the Secure Protocol combinations setting to "Use TLS 1.0, TLS 1.1, and TLS 1.2".
    Note It is important to check consecutive versions. Not selecting consecutive versions (e.g. checking TLS 1.0 and 1.2, but not checking 1.1) could result in connection errors.
  7. Click OK.
Let's make it a bit more difficult for the people who want to take advantage!

In the next post I'll show how to disable it for Windows clients and servers by editing the registry.

by Renato de Oliveira

What am I doing here

What am I doing here
I don't believe it
What am I doing here
It goes against my beliefs
What am I doing here
It goes against my principles
What am I doing here
Have I been corrupted by the system?
What wouldn't I do
To support my family?
What lengths wouldn't I go to
to make sure
They are well and sound
It is hard to think
I am not who I was
I've changed so much
I can hardly recognise me
Am I who I was
or just someone else?
Am I doing this for love
Or because society expects?
I don't feel love
I feel pressure, responsibilities
I feel overwhelmed
Insensibility
Life is no joy
Just the sense to provide

by Renato de Oliveira


Security, a long battle

I have been away from writing for quite some time. I have been so overwhelmed by work and stress that I neglected something I enjoy.
I like writing about my experiences and sharing them with everyone; you might benefit from some of the stuff I write here.
If you do benefit, I will be happy that at least I've helped someone.

I will be writing a series of posts about security. By no means am I an expert in security, and what I will share are just my experiences, opinions and some advice. Once again, I hope they will be useful to you in some way.

I understand there are many different reasons why people hack into systems and try to steal data or disrupt systems: companies trying to find out plans, projects or financial and market data to gain an edge; governments trying to keep an eye on enemy countries; wannabe hackers showing off; hackers trying to gain advantage and make money by stealing credit cards, stealing your identity, and many more.

As a whole we need to be alert: as individuals, as employees and as citizens. There is endless pressure to make services cheaper and available 24x7. This means many companies will set up online services without considering and assessing the risks involved for the company and for the users of these services.

I believe the responsibility for security is complex. Companies need to accept their responsibilities and secure their services, rather than taking the easy route of assuming and quoting probabilities. I can tell you this: if something has the potential to go wrong, it will go wrong. I have been in this industry long enough to know it is just a question of time, lack of attention and bad intention.

Just to give you an idea, a few years ago a 6-character password was considered strong, for various reasons: a) computing power was not that great; b) technology was not that developed; c) the Internet was pretty much limited to universities; d) information did not travel so fast.

With every good thing, people twist it and make it bad. Is the Internet bad or good? Is the dissemination of information bad or good? Are 24x7 services a good thing or a bad thing? I could go on and on, but for each thing there will be voices in favour and voices against...

But as we connect and interconnect and adapt to this new style of life, 24x7, online and available immediately, we must be aware of the danger that lives and resides in this new world.
The danger as we perceive it has changed: we cannot see or even know our enemies most of the time, and sometimes we won't even realise our information has been compromised until it is too late.

While it is hard to completely eliminate the danger of being hacked, or of having our sensitive data compromised or our identity stolen, we can certainly make it more difficult, right?!

In the next post I will talk about security awareness.

I hope you enjoy it, and see you next time.

by Renato de Oliveira


Sunday, 7 September 2014

When I found myself alone

when I saw
who had arrived
it was I, alone
in my solitude
When I saw
who had left
it was my solitude
it left me alone
living alone
is not the same as being alone
being alone
does not mean being lonely
when you have yourself
when you have a dream
when you have a desire
The dream makes you live
the desire, pursue
solitude, reflect
alone with yourself
When it arrived
I didn't even see it
It settled in
And I didn't even feel it
I turned myself inside out
looking to escape
I didn't seize the moment
to know myself and find myself
When I saw who had arrived
I was feeling lonely
I didn't even notice how it came in
whether it knocked on the door or broke in
I fought against my desire
Without knowing that I desired
to be alone with myself
the solitude I was looking for
to discover my feelings
to learn to deal with emotion
To stay calm and not tense
to unravel my heart
When I found myself alone
fear struck me
I wanted to run, I found no path
I did not find my self
When I am alone I am at peace
a chance to learn with myself
What it is to be me
Alone I find myself
I give myself a chance to be happy
everything is still a mess
I still haven't found myself within me

by Renato de Oliveira