Locations of visitors to this page

only search Wiseman.La

The World NEXT ends 





This seems promising. OK, "promising" is way overselling it.
Really, I guess it's not "promising" when the vendor acknowledges something that customers have been asking about for over 8 years.

But that's not the point:

Re: Poodle SSL vulnerability
Greetings,

We are currently working on statements regarding solutions for our clients with concerns around TLS and SHA-2.

Thanks,

   dave

David Kern | Resident Paranoid
STSM, Global ICS Security Architect

Source




Resident Paranoid

Comments (2)
Craig Wiseman October 16th, 2014 09:51:56 PM

For over 8 years, there's been post after post, PMR after PMR, IdeaJam idea after idea on upgrade Domino's SSL security in order to keep it current.
(Here's a google search for:
Please upgrade Domino SSL )

While they've been very busy apparently doing nothing about this, IBM's also been very quiet about it, although they have acknowledged that IBM's PAYING CUSTOMERS think it's important (
see here).

Now, we expect to hear something about how to fix this. SOON. It's not like IBM hasn't had time to prepare.

Give me details!

Bill Malchisky covers the actual vulnerability very well, so I'll send you his way for the techy detail:
New SSL3 Exploit: The POODLE Is Here and Lifting Its Leg ( http://planetlotus.org/c4db50 )

Update
See the comments for some mitigation options for Domino. UNTIL IBM FIXES THIS.

Comments (2)
Craig Wiseman October 15th, 2014 07:50:22 AM


What do you say when you have bad news or no news... when you really should be saying something?

One corporate take is to say as little as possible. (and hope the issue goes away, I guess).


I've blurred the name of the source for this comment, because I don't want her (or is it him?) blamed  for my extrapolation.






Related to this issue we have an answer from our colleagues from Level 2 that even the future version 10 does not have the support for it yet - and there is an enhancement request even for that version. The enhancement request for SHA-2 is the most needed one in Domino history. The more customers are requesting it, the more chance there is that IBM will put time and money into fixing it. We added your PMR to this very long list. The software problem report number is SPR # ABAI7SASE6 and APAR #LO46492.


If you haven't yet, please call IBM and open a PMR in support of this SPR/APAR.


C'mon, IBM I want to believe you're going to do the right thing here. and soon.
really. I do.

Comments (8)
Craig Wiseman October 6th, 2014 12:04:11 PM

.
One of the great things about Notes and Domino has been the iterative growth of features. Well, that was true until about 4 years ago. Lately, a lot has been said about IBM's poor performance in keeping Domino's security stack up to date:


http://planetlotus.org/c27d79
http://planetlotus.org/c28ea9
http://planetlotus.org/c2841d
http://planetlotus.org/c2af15
http://planetlotus.org/c39b14
http://planetlotus.org/c2af24
http://www.ideajam.net/IdeaJam/P/ij.nsf/0/342557C4307F678D86257833004C527F?OpenDocument
http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=0BBA1D75D92075FC85257D3B006FABB8
http://planetlotus.org/c41a5d
http://planetlotus.org/c3db15
http://planetlotus.org/c40739


Not that we've heard ANYTHING from IBM on this topic, but that's not the point of this post...


The HTTP/2 protocol is rapidly being developed and accepted.


The standardization effort comes as an answer to the rise of SPDY, an HTTP compatible protocol launched by Google[3] and supported in Chrome, Opera, Firefox, Internet Explorer 11 and Amazon Silk browsers.

Full detail:
http://en.wikipedia.org/wiki/HTTP/2


As paying customers of a pretty expensive product, I think we have a fair expectation that we see HTTP/2 support in Domino on the roadmap across all platforms, just as we expect TLS 1.3 and SHA-2+ across all protocols on all platforms.


Update:
...
I have completed the creation of Software Problem Report #ITDL9PMP32 (APAR #LO82258) reporting the issue to the Domino Development team.
....
I have created Software Problem Report asking that the product be enhanced to do this in a future release.


If you wish, please open PMR in support of this SPR/APAR

Comments (1)
Craig Wiseman October 6th, 2014 07:21:39 AM

There's been a justifiable bit of a hullabaloo about security and IBM Domino (nee Lotus Domino).

The biggest point lately concerning Domino's shameful lack of general support for modern Web security has hinged around Domino's support for only the
SHA1 hash. What's sad about this is that "The first signs of weaknesses in SHA1 appeared (almost) ten years ago. - Qualys Blog". Ten years ago... back when IBM gave the appearance of caring about Domino's future.

Now Google has announced (bolding is mine):

The use of SHA-1 within TLS certificates is no longer sufficiently secure. This is an intent to phase them out (in 2-3 years). In order to make such a phase-out execute smoothly, rather than be an Internet flag day, we will be degrading the experience when these certificates are used in the wild.

Google's full proposal, "Intent to Deprecate: SHA-1 certificates"

ZDnet discussion, "Google accelerates end of SHA-1 support; certificate authorities nervous"

This apparently means that in Google Chrome, your "secure" Domino websites will get a user interface indicator that there's something wrong, or not up to snuff with your site.


Just to remind you, as of 09/11/2014, here's IBM's official stance on SHA2 support:
click to see on IBM's site
Problem

When trying to import the root CA, with a key length of 4096 and SHA-256, the following error appears:

"Certificate signature does not match contents."

Is it possible to use a CA with a key length of 4096 and SHA-256 with Domino 8.x or 9.0.x?

Resolving the problem

No, Domino does not support SHA-2; only MD5, SHA-1, and DSA are currently supported. SPR # ABAI7SASE6 (APAR LO48388) has been submitted to Quality Engineering to request support for SHA-2 in future releases.


IMPORTANT: This SHA1 discussion is only a small piece of this issue.
Traditionally, Lotus, then IBM has been a good steward and added new features and security to Domino as things evolved. Before v4.6, Domino didn't even have a web server (actually, it was called the Notes server before v4.6), and SMTP was originally a separate piece that hooked into the Notes server. LDAP, POP3, XML, RSS, etc... all were added and melded into the product over time. We need TLS 1.2+, DKIM, DMARC, etc.

Very simply and clearly, it's time for IBM to continue this process and add full TLS 1.3 support for all Domino services (HTTPS, SMTP, POP3, LDAP, IMAP, etc) on all platforms.

Otherwise, better hope Rose has some room on the plank for you.


.
Titantic hitting the iceberg



Comments (4)
Craig Wiseman September 11th, 2014 11:25:15 AM

I posted about this here in 2011. Other good folks have been posting about this as well, here, here, here, here, etc.

Simply put, Domino needs proper, modern TLS 1.3 support across all protocols, including SMTP, LDAP, HTTP, POP, IMAP, etc.
What kind of shocks me is that there's any discussion about making this happen. If I had a product in this situation, the only meetings I'd be having is about WHEN the enhancements will be finished.

IBM is all about security, except... when it isn't?

and, please... let's not hear anyone at IBM say, "We've not head that our customers want this."

What can be done?
+ Call in to IBM support and get them to create a PMR and add it to
"
APAR LO48388: ENHANCEMENT REQUEST: SUPPORT SHA-2 ALGORITHM FOR SSL ON DOMINO"
Apparently "APAR LO67453 SPR #YDEN8RNH22 for Enhancement " has disappeared.

+ Comment here at what used to be Notes.net:
http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=0BBA1D75D92075FC85257D3B006FABB8

Comments (0)
Craig Wiseman August 25th, 2014 11:51:58 AM

Here's a subtle thing for IT folks. This check box was added in the very latest Java release.
See anything useful about it?

Java Control Panel

Comments (0)
Craig Wiseman August 21st, 2014 05:13:14 PM

I've been sending versions of this email out for years and years (I had to update it when the term "phishing" came along), so I thought I'd put it up here as well.


Don't let the bad guys get you: How to Prevent Email Worms, Viruses, and Trojans


We have the best anti-spam and Anti-virus software. We have great firewalls, encrypted VPNs, secure servers... but it's not enough to save us from every "Day 0 Attack"*. An email worm*/virus*/trojan* can go worldwide in just minutes or even seconds, but it can take hours for antivirus vendors to analyze, create, and upload signature updates. It takes a bit longer for us to download and deploy them to our servers and PCs. Happily, there are some easy things we can all do to help limit that window of vulnerability and help keep the bad guys out of our systems.


#1: Understand
- Knowing what an attachment really is and what it can do is the first step. Any executable* file attached to an email has the potential to be infected, and to infect your PC in turn. This covers a wide range of file types - basically it means any file that can be attached to an email.


#1b: Understand
- Know what kind of emails to expect from what senders. For example - UPS, LinkedIn, Amazon.com, and the Better Business Bureau do not send unsolicited emails with ZIP files attached (or any attachments for that matter). If you receive an email from an entity with an attachment you were not expecting - be very suspicious of it.


#2: Purpose
- We shouldn't open ANY attachment unless they were specifically requested or expected. Email viruses/worms are sent to email addresses found on infected users' PCs, so just knowing the sender does not protect you - they may be infected. Actually, the most likely person to send you an infected email is someone you know, and they most likely won't even know they are infected and that emails are going out in their name. To make things more complicated, viri & worms today falsify (spoof) the FROM email address, so the message may not even be from it appears to be from. If if you have any question or doubt, see #3.


#3: Is it REQUIRED?
- Probably the simplest, but most ignored idea: You don't need to click that greeting card link or open that "kardashian_pics.zip" at work. So, DON'T.


#4: Get Secure
- Most viri/worms are written to take advantage of problems with in Microsoft Outlook and Outlook Express. Since we use Lotus Notes, we are somewhat protected in that area. However, take the time daily to make sure your antivirus client is up-to-date. Symantec issues new signatures pretty much daily, so check your antivirus and make sure it shows a date from the last few days.


#5: Patch your PC
- Microsoft releases updates frequently and we push them out to our PCs. However, in order to not interfere with your work, we allow you to choose when to install them. When you are notified of new updates, please take the time to install them on the day you're notified of new one



______________

* Wikipeida says:


Day 0 Attack
: A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.

The term derives from the age of the exploit. When a developer becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A "zero day" attack occurs on or before the first or "zeroth" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software. (
http://en.wikipedia.org/wiki/Zero-day_attack)

Worm
: A computer worm is a self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. (
http://en.wikipedia.org/wiki/Computer_worm)

Phishing
: The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. (
http://en.wikipedia.org/wiki/Phishing)

Computer Virus
: A computer virus is a computer program that can copy itself[1] and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. (http://en.wikipedia.org/wiki/Computer_virus)


Trojan Horse
: A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user's computer system. "It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems", as Cisco describes. The term is derived from the Trojan Horse story in Greek mythology. (
http://en.wikipedia.org/wiki/Trojan_horse_virus)

Executable
: In computing, an executable file causes a computer "to perform indicated tasks according to encoded instructions,"as opposed to a data file that must be parsed by a program to be meaningful. These instructions are traditionally machine code instructions for a physical CPU. However, in a more general sense, a file containing instructions (such as bytecode) for a software interpreter may also be considered executable; even a scripting language source file may therefore be considered executable in this sense. (
http://en.wikipedia.org/wiki/Executable)

Comments (6)
Craig Wiseman November 28th, 2012 09:28:43 AM


This just needs to be here.


Comments (1)
Craig Wiseman December 16th, 2011 08:09:17 AM


A simple, uncomplicated campaign we can rally behind. And it's not the first time we've had a puppet as President.


Comments (3)
Craig Wiseman December 14th, 2011 08:26:40 AM


If you're mad at Carrier IQ, then you are doing exactly what the carriers want you to.


The surprising thing is that the ire has been directed at Carrier IQ themselves. Why? If someone runs you over in their car, you don't write a stern letter to Ford. Carrier IQ made and sold an invasive piece of software, certainly. But they didn't install it on your phone. Sprint [and AT&T] did. Full Story

Comments (1)
Craig Wiseman December 4th, 2011 09:17:05 AM

So, we've waited for years for IBM to update Domino's SSL/TLS implementation. There have been other ideas on this expressed.

Now, it seems that the
implementation is vulnerable... and since we don't have current TLS options, we have no native Domino solution. It realllly looks like neglect, but perhaps there's a better expression.

Update:
John James has something useful to say about the SSL/TLS vulnerability
here.





Comments (2)
Craig Wiseman September 21st, 2011 11:46:25 AM

For you folks in Irene's path, I certainly "feel your pain". Yep, that lil red dot was me in 2008 when Gustav hit. In the northeastern quadrant of the storm (always the worst part of the storm).
I was a bit further away from Ike (2008), Katrina, and Rita( 2005), so all we got then was heavy rain & moderate winds.

The best thing to do in a hurricane is NOT be in its path. You can always rebuild a building, but people ... not so much. That's one reason I like hurricanes better than earthquakes, tornados, etc. You can see them and get the $*$)# away. I urge you to do so. Follow Monty Python's advice and
run away.

Hurricane Gustav, 2008

Image:Be careful, folks in Irene’s path. Better than careful - run away.

Comments (2)
Craig Wiseman August 26th, 2011 11:33:46 AM

From AndroidCentral.com:

A video walkthrough of the unholy marriage of BlackBerry and Android
BlackBerry fans everywhere were astonished Thursday when an early version of the Android Player for the PlayBook leaked out and their little tablets suddenly became usable. Usable as in once you've got Android running on the PlayBook, you suddenly have an e-mail app. Craziness!

Pretty cool stuff, especially since it's running Android 2.3.3, and there's a good chance your phone doesn't even that yet. Glad we could help you out there, RIM.





Comments (1)
Craig Wiseman July 22nd, 2011 04:56:07 PM


Image:Create your own caption

Comments (5)
Craig Wiseman July 22nd, 2011 08:24:49 AM

Will Work For Ride To Space

Comments (2)
Craig Wiseman July 15th, 2011 08:12:53 AM

This is a simple little tip, but since it's a new(erish) thing, I thought I'd post on it.

Problem:
I have two emails I want to have open at the same time so I can compare or work with them.



Solution:
Find the first email in whatever folder it might be, and right click on it.

Choose "Open in New Window"

Image:Lotus Notes 8.5: How to open two emails at the same time






Find the second email in whatever folder it might be, and right click on it.

Choose "Open in New Window"
Image:Lotus Notes 8.5: How to open two emails at the same time








You now have each email opened in it's own window. Feel free to arrange them any way you choose:



Image:Lotus Notes 8.5: How to open two emails at the same time

Comments (1)
Craig Wiseman May 6th, 2011 01:49:15 PM

Google translate (http://translate.google.com ) is pretty spiffy, and they have added the ability to translate from English to/from Latin.

Do you see something fishy in their translation?


Image:Maybe Google’s a little evil?

Comments (3)
Craig Wiseman April 5th, 2011 08:59:47 AM

Seems like a topical thing to vote on.


Comments (3)
Craig Wiseman February 11th, 2011 11:07:24 AM
Previous Ramblings