A weak VPN isn’t necessarily better than no VPN

A Slashdot story last week discussed how 90% of all SSL VPNs use weak, obsolete encryption. And one comment said, “So? A weak VPN is better than no VPN.”

Not necessarily.

Read more

Why hiding your SSID makes your security worse

I got a couple of questions about my recommended DD-WRT settings, but I’m going to start with the question about why not to hide the SSID. It actually turns out that hiding your SSID is bad for you, and makes your security worse. I’ll explain.

Read more

What the NSA can crack, and how to protect against it

Ever since the Snowden leaks, there’s been considerable speculation about what cryptography the NSA could break, and why. Finally, there’s a study that goes into deep detail about what it is the NSA probably can break, and why, plus how to protect against it.

Read more

Worried about the wrong things? It’s always the wrong thing.

Guy Wright’s piece titled Internet Security: We were worried about the wrong things is a bit old but it’s an important point. Security is a moving target. It’s always a moving target.

I disagree, however, with the assertion that SSL (and its successor, TLS) were a waste of time.

Read more

How to use the lock in your web browser’s location bar

How to use the lock in your web browser’s location bar

A commenter asked me last week if I really believe the lock in a web browser means something.

I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.

So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.

Read more

Port 2381: What it is and how to manage it

I was doing some scanning with a new vulnerability scanner at work. It found something listening on a lot of servers, described only as Apache and OpenSSL listening on TCP port 2381. The versions varied.

Luckily I also had Qualys at my disposal, and scanning with Qualys solved the mystery for me quickly. It turned out to be the HP System Management Homepage, a remote administration/diagnostic tool that, as the title says, lets you manage HP server hardware. It runs on Windows, Linux, and HP-UX. Read more

What is Winshock?

So the other day I got blindsided with a question at work: What are we doing about Winshock. Winshock, I asked? I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.

Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”

Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.

Read more

More encryption = more safety

Mozilla, Akamai, Cisco, the EFF, and Identrust are teaming up for Let’s Encrypt, an effort to make SSL encryption free and easy.

This is important, because it means mundane stuff will get encrypted. When SSL/TLS traffic are no longer flagged as special, security will increase. Read more

Takeaways from Patrick Gray’s AusCERT coverage

I’ve been listening to Patrick Gray’s coverage of the AusCERT security conference, and I walked away with two major takeaways, one for security professionals and one for everyone.

Everyone first: Use SSL (https) everywhere you possibly can. Generate superfluous https traffic if you can.

Network professionals: Block as much UDP at the firewall as you can.

Read on for more. Read more

It’s 6:21 PM. Do you know what the current version of Firefox is?

Veteran blogger John Dominik reported yesterday that upgrading to Firefox 13 fixed some problems for him. So of course he’ll be thrilled to know that Firefox released a new version the very next day. The. Very. Next. Day.

From a security standpoint, there are two things to like about the new version.

Read more