Stuff I'm Up To

Technical Ramblings

Owncloud Upgrade and Maintenance Mode — May 22, 2017
HTTPS on the Synology NAS — April 25, 2017

HTTPS on the Synology NAS

I love this Synology NAS. It’s so versatile and immensely capable. I use it for streaming my TV, movies and music. It also acts as my Couchpotato, Sonarr and NZBGet system. I think I’ll definitely get another when the time comes.

But enough glorification.

Using the free certificate services from Let’s Encrypt you can obtain a FREE TLS/SSL certificate that you can use on any of your encryption services with the one caveat that it will expire every 3 months.

Continue reading

HTTPS and SNI — March 9, 2017
IIS HTTP to HTTPS — March 1, 2017

IIS HTTP to HTTPS

In the process of deploying an IIS web server we’d like to ensure that browsers visiting the unencrypted http page get redirected to the encrypted https page.

By default IIS comes with an “HTTP Redirect” module, but this doesn’t really do what we’re after. HTTP Redirect simply takes any request and forwards it to a specific URL. It doesn’t care about the original host name header, URI or query string supplied by the browser; it just takes you to the exact URL that you specify.

To get the behaviour we’re expecting, we need to install another module called “URL Rewrite”.

Continue reading

Strong Ciphers — February 16, 2017
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) – Tomcat — February 3, 2017
SSL 64-bit Block Size Cipher Suites Supported (SWEET32) – Tomcat —

SSL 64-bit Block Size Cipher Suites Supported (SWEET32) – Tomcat

Following on from the Windows vulnerability for SWEET32, here’s how to resolve the same issue with Tomcat 8. This uses the OpenSSL cipher list format, so it can also be applied to anything else that uses the same cipher list syntax.

ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!ECDHE-RSA-DES-CBC3-SHA"

Simply adding !ECDHE-RSA-DES-CBC3-SHA to your existing colon-delimited cipher list disables that cipher suite on the server. The ! prefix means NOT, which excludes the suite.

Alternatively you can disable every cipher suite that uses triple DES at once with !3DES.

When you encounter some other cipher vulnerability listed in your Nessus scan, just copy the cipher name into the list prefixed with !. Be aware that some of your connecting applications may not support the remaining ciphers, so keep a log of what you added so you can roll back.

To use the AES 256 bit ciphers, it is necessary to install the JCE Unlimited Strength Jurisdiction Policy Files.
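The cipher-string rules the post relies on, as an added example in Python (mine, not the post’s): a small evaluator over a constructed suite table that shows why !DES leaves the triple-DES suites in place while !ECDHE-RSA-DES-CBC3-SHA or !3DES removes them, and how ! differs from -. The suite names, their attributes and their strength classes are assumed for illustration, not taken from a real OpenSSL build.

```python
# Added example, not from the post: a miniature evaluator for the OpenSSL
# cipher-string syntax used by Tomcat's ciphers="..." attribute. The suite table
# is CONSTRUCTED for illustration (real OpenSSL has far more suites); only the syntax is real.

# (name, key exchange, authentication, encryption, MAC, strength class)
SUITES = [
    ("ECDHE-RSA-AES256-GCM-SHA384", "ECDH", "RSA", "AESGCM", "AEAD", "HIGH"),
    ("ECDHE-RSA-AES128-SHA", "ECDH", "RSA", "AES128", "SHA1", "HIGH"),
    ("DHE-RSA-AES256-SHA", "DH", "RSA", "AES256", "SHA1", "HIGH"),
    ("AES256-SHA", "RSA", "RSA", "AES256", "SHA1", "HIGH"),
    # 3DES classed HIGH here, as in OpenSSL 1.0.x (1.1.0 demoted it to MEDIUM)
    ("ECDHE-RSA-DES-CBC3-SHA", "ECDH", "RSA", "3DES", "SHA1", "HIGH"),
    ("DES-CBC3-SHA", "RSA", "RSA", "3DES", "SHA1", "HIGH"),
    ("DES-CBC-SHA", "RSA", "RSA", "DES", "SHA1", "LOW"),
    ("AECDH-AES256-SHA", "ECDH", "NONE", "AES256", "SHA1", "HIGH"),
]

def _matches(keyword, suite):
    """True if one cipher-string keyword (or an exact suite name) selects the suite."""
    name, kx, au, enc, mac, cls = suite
    rules = {
        "HIGH": cls == "HIGH", "MEDIUM": cls == "MEDIUM", "LOW": cls == "LOW",
        "aNULL": au == "NONE",   # anonymous key exchange: no server authentication
        "eNULL": enc == "NONE",  # no encryption at all
        "kRSA": kx == "RSA",     # static RSA key exchange: no forward secrecy
        "DES": enc == "DES",     # single DES ONLY; it does NOT cover triple DES
        "3DES": enc == "3DES",   # the keyword a SWEET32 fix actually needs
        "RC4": enc == "RC4", "MD5": mac == "MD5",
    }
    return keyword == name or rules.get(keyword, False)

def expand(spec):
    """Ordered suite names selected by a colon-delimited cipher string (! and - prefixes)."""
    selected, killed = [], set()
    for token in filter(None, spec.split(":")):
        op, kw = (token[0], token[1:]) if token[0] in "!-" else ("", token)
        hits = [s[0] for s in SUITES if _matches(kw, s)]
        if op == "!":    # delete now AND forbid any later token from re-adding
            killed.update(hits)
            selected = [n for n in selected if n not in hits]
        elif op == "-":  # delete now, but a later token may add it back
            selected = [n for n in selected if n not in hits]
        else:            # plain keyword: append new matches unless killed
            selected += [n for n in hits if n not in killed and n not in selected]
    return selected

def remaining_3des(spec):
    """Triple-DES suites a server configured with this string would still offer."""
    return [n for n in expand(spec) if "DES-CBC3" in n]
```

Running remaining_3des over the post’s list with and without its final token shows the difference: !DES alone leaves ECDHE-RSA-DES-CBC3-SHA offered, while appending !ECDHE-RSA-DES-CBC3-SHA or !3DES leaves none.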

Java Ciphers & Algorithms — February 2, 2017

Java Ciphers & Algorithms

I’ve tasked myself with getting one of our most used vendor apps up to compliance with our security audits. It’s not as easy as I’d hoped, especially since I seem to have run up against the encryption export limitations that Java ships with.

One of the products uses JDBC to connect to a Microsoft SQL Server that is hardened and only supports a limited set of high-grade encryption ciphers. This caused me to see connection failures with exception messages such as “failed to generate DH keypair” and “RSA premaster secret error”.

Then I discovered the Bouncy Castle.

Continue reading

Rant by a Complete Java Noob — February 1, 2017

Rant by a Complete Java Noob

I confess, I’m a complete Java noob. In fact slightly worse than that, I’m a Java hater. In principle it’s a great idea, cross platform and all that jazz, but in execution it leaves me frustrated. It seems most vendors I encounter may use Java, but they use libraries specific to Windows, making it as mobile as Jabba the Hutt. Also, vendor installations that require Java seem to only support last year’s version of Java, not the newest stable release, and therefore carry so many vulnerabilities that it becomes impossible to pass any kind of security audit.

This month I’ve been trying to buckle down, get stuck in and understand things better: to figure out how all of this is strung together and see if anything can be done to satisfy the needs of both the application and security.

Continue reading

Tomcat and HTTPS — January 31, 2017

Tomcat and HTTPS

By default Tomcat gets installed with HTTP only and a number of default applications. Previously I linked documents on how to secure Tomcat, but put simply: delete the folders under webapps that you don’t need for your application, so you are pretty much left with just host-manager and manager in there.

My next step was to try to figure out how to get the connection changed from HTTP to HTTPS and apply a valid certificate to the connection.

Continue reading

Securing Tomcat —

Securing Tomcat

Following a penetration test, a serious security weakness was exploited that allowed an attacker to gain local admin rights on a server running Tomcat. This in turn allowed the capture of session passwords from memory, which resulted in domain admin level access.

All because of a 3rd party application installed by a vendor who left the underlying Tomcat installation as a vanilla out-of-the-box product with all of the software’s default settings.

Lesson: NEVER trust a vendor installation to be secure. Carry out a vulnerability scan whilst they’re still onsite and don’t sign off any installation until all security concerns have been resolved.

References:

http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

https://www.owasp.org/index.php/Securing_tomcat

https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html

https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

https://www.upguard.com/articles/15-ways-to-secure-apache-tomcat-8

Node.js & Databases — December 26, 2016