Share the Knowledge
  • Opportunistic TLS

    Posted on March 21st, 2009 webmaster 3 comments

    We had to upgrade our mail gateway/anti-spam software on Sunday because one of our vendors requires us to use encryption when exchanging emails with them.  The easiest solution is to use opportunistic TLS, where our server always tries to negotiate TLS with the other mail server.  If the other server supports TLS, the traffic is encrypted.  If not, the email is sent over plain SMTP without encryption.

    This is actually the first time I’ve even heard of opportunistic TLS; I’m used to seeing S/MIME and PGP when reading about email encryption.  What I like about this is that encryption/decryption is done on the server side, so users don’t have to do anything different when sending emails and we don’t have to issue a certificate to each user and manage the keys.

    If you’re using Exchange Server 2007, opportunistic TLS is already enabled by default.  You can check this by entering Get-SendConnector "Send Connector Name" | Format-List in the Exchange Management Shell.  Look for the IgnoreStartTLS parameter; if it’s set to False, opportunistic TLS is enabled.

    To check whether a server supports TLS, telnet to the server on port 25 and check whether it advertises the STARTTLS command in its EHLO response, for example:

    telnet mail.global.frontbridge.com 25

    This server supports TLS
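    The same check the telnet session above performs, as an added example that is not code from the original post: the parser reads a captured EHLO reply (a constructed sample is included so it runs offline), and check_server() does the live exchange with Python's smtplib against a hostname you pass on the command line (mail.example.net below is a placeholder).

```python
"""Check whether an SMTP server advertises STARTTLS.

Added example, not code from the original post. parse_ehlo_extensions()
works on a captured EHLO reply (so it can be tested offline); check_server()
does the live exchange the post describes with telnet, using smtplib.
"""
import smtplib
import sys
from typing import Optional, Set

# Constructed EHLO reply, modelled on what a telnet session to port 25 shows
# after "EHLO client.example". Per RFC 5321, "250-" marks continuation lines
# and "250 " (with a space) marks the final line.
SAMPLE_EHLO_RESPONSE = (
    "250-mail.example.net Hello client.example\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_extensions(response: str) -> Set[str]:
    """Return the extension keywords advertised in an EHLO reply.

    The first 250 line is the greeting (server name plus free text) and is
    skipped; each later line carries one keyword, optionally with parameters.
    """
    lines = [ln for ln in response.replace("\r\n", "\n").split("\n") if ln]
    extensions: Set[str] = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue  # error or unrelated line; not an extension
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def advertises_starttls(response: str) -> bool:
    """True if the captured EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_extensions(response)


def check_server(host: str, port: int = 25, timeout: float = 10.0) -> Optional[bool]:
    """Connect to host:port, send EHLO and report whether STARTTLS is offered.

    Returns True/False, or None when the server cannot be reached. smtplib
    performs the EHLO exchange; has_extn() consults the extensions it parsed.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return None


if __name__ == "__main__":
    # Usage: python starttls_check.py mail.example.net   (hostname is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.net"
    result = check_server(target)
    if result is None:
        print(f"{target}: could not connect on port 25")
    elif result:
        print(f"{target}: STARTTLS offered, mail can be sent encrypted")
    else:
        print(f"{target}: no STARTTLS, mail would go out in clear text")
```

    Note that advertising STARTTLS only means the upgrade is offered; with opportunistic TLS the sending side still falls back to clear text if the negotiation fails, so a vendor that requires encryption should be checked end to end (the Received headers below are one way).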

    Here’s an example of the header of an email that was delivered with TLS enabled (I modified the IP addresses and names for privacy reasons):

    Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
    with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
    -0400
    Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
    ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
    TLSv1/SSLv3,128bits,AES128-SHA
    ) id 06456c96000057da for <jdoe@microsoft.com>;
    Mon, 16 Mar 2009 18:05:16 -0500
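    A small checker for headers like the ones above, added here as an example (not code from the original post): it walks the Received: lines, notes the "(TLS)" marker Exchange writes and the "TLS: protocol,bits,cipher" form the Trend IMSS gateway writes, and lists any hop that recorded neither. The sample header block is constructed from the post's example with placeholder names and a third, unencrypted hop added.

```python
"""Report which hops in an e-mail's Received headers recorded TLS.

Added example, not code from the original post. The free-text part of a
Received line is written by the receiving server, so only hops recorded by
servers you control are trustworthy; this is a heuristic, not proof.
"""
import re
from typing import List, Tuple

# Constructed header block modelled on the post's example (names and
# addresses are placeholders); the third hop has no TLS marker so that a
# gap in the chain is reported. Received headers are listed newest-first.
SAMPLE_HEADERS = """\
Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
 with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
 -0400
Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
 ([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
 TLSv1/SSLv3,128bits,AES128-SHA
 ) id 06456c96000057da for <jdoe@example.com>;
 Mon, 16 Mar 2009 18:05:16 -0500
Received: from relay.example.org (10.0.0.9) by mail.global.frontbridge.com
 with ESMTP id abc123; Mon, 16 Mar 2009 18:05:10 -0500
"""

# "from <sender> ... by <receiver>"; non-greedy so the first "by" wins.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)
# "(TLS)" alone, or "TLS: <protocol>,<bits>,<cipher>" with the detail captured.
TLS_RE = re.compile(r"\bTLS\b(?::\s*([^\s;)]+))?")


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received_hops(raw: str) -> List[dict]:
    """One record per Received: header: from, by, tls flag, cipher detail if present."""
    hops = []
    for header in unfold_headers(raw):
        if not header.lower().startswith("received:"):
            continue
        value = header.split(":", 1)[1].strip()
        m = HOP_RE.search(value)
        if not m:
            continue  # unusual Received line; skip rather than guess
        tls = TLS_RE.search(value)
        hops.append({
            "from": m.group(1),
            "by": m.group(2),
            "tls": tls is not None,
            "cipher": tls.group(1) if tls and tls.group(1) else None,
        })
    return hops


def unencrypted_hops(raw: str) -> List[Tuple[str, str]]:
    """(from, by) pairs whose Received line carries no TLS marker."""
    return [(h["from"], h["by"]) for h in parse_received_hops(raw) if not h["tls"]]


if __name__ == "__main__":
    for hop in parse_received_hops(SAMPLE_HEADERS):
        if hop["cipher"]:
            status = f"TLS ({hop['cipher']})"
        elif hop["tls"]:
            status = "TLS"
        else:
            status = "no TLS"
        print(f"{hop['from']} -> {hop['by']}: {status}")
```

    Run against a message you received, the check should show every hop from the vendor's gateway to your mailbox server marked TLS; the recorded cipher string (here TLSv1 with 128-bit AES) also tells you what was actually negotiated rather than merely offered.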

  • RSA SecurID 3.0.2 for BlackBerry

    Posted on March 16th, 2009 webmaster 1 comment

    My colleague informed me earlier that RSA just released this new version of their SecurID software for BlackBerry sometime last month.  I installed it right away on my BlackBerry 8330 with OS v4.5.0.131 and it finally worked!!!  I’ve been trying to get their software to work on my BlackBerry since last year but my OS wasn’t supported.

    This new version also now supports RIM OS version 4.7, so if you have a BlackBerry Storm this should work.

    You can download the software from here: http://www.rsa.com/node.aspx?id=1165

  • Untangle 6.1 Beta Now Available

    Posted on February 15th, 2009 webmaster No comments

    The biggest change in 6.1 is that it’s now based on Debian Lenny (kernel 2.6.26).  Here’s the full changelog.  You can download the beta here.

  • IIS Security Scan: The remote service supports the use of weak SSL ciphers

    Posted on January 27th, 2009 webmaster 1 comment

    Synopsis: The remote service supports the use of weak SSL ciphers.

    Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

    See also: http://www.openssl.org/docs/apps/ciphers.html

    Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.

    Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

    Plugin output: Here is the list of weak SSL ciphers supported by the remote server:

    Low Strength Ciphers ( 56-bit key)
    SSLv3
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

    The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

    Our ISA 2006 server failed the SecurityMetrics PCI scan yesterday with this reason.  We fixed the security issue by doing the following:

    1. Open Registry Editor.
    2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers (I recommend that you create a backup of this section of the registry before continuing).
    3. Select a cipher that has a number less than 128/128 (examples: DES 56/56, RC2 40/128, RC4 40/128, RC4 56/128) and add a DWORD value with the name “Enabled” and Value Data: 0.
    4. Repeat Step 3 for all ciphers less than 128/128.

    After doing the above, we ran the SecurityMetrics scan again and it didn’t find any vulnerabilities this time.

    You might also want to disable SSL 2.0 support while you’re here as this is another security issue (we had to do this last year to pass).  To do so, simply add the same DWORD value to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server.

    Credit goes to this website for this solution: http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/
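    Added example, not code from the original post or from SecurityMetrics: it parses cipher lines in the scan's "Plugin output" format (the field key the scanner prints is used as the grammar), applies the post's rule that anything below 128/128 is weak, and writes the .reg text for the SCHANNEL subkeys the post names plus the SSL 2.0 Server key. The sample output is constructed from the two lines in the scan plus a 56-bit DES suite and a 128-bit AES suite that should pass.

```python
"""Classify scanner cipher lines and emit the SCHANNEL registry changes the post describes.

Added example, not code from the original post or the scanner vendor. Line
format follows the scanner's own key: {OpenSSL ciphername} Kx={key exchange}
Au={authentication} Enc={symmetric encryption method} Mac={MAC} {export flag}.
"""
import re
from typing import Dict, List, Optional

# Constructed excerpt in the scanner's output format.
SAMPLE_PLUGIN_OUTPUT = """\
Low Strength Ciphers ( 56-bit key)
SSLv3
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)

MIN_STRONG_BITS = 128  # the post's rule: anything below 128/128 gets disabled

# SCHANNEL cipher subkeys named in the post, keyed by (algorithm, key bits).
# Other weak suites are reported by name but get no key from this table.
SCHANNEL_KEY_FOR = {
    ("RC2", 40): "RC2 40/128",
    ("RC4", 40): "RC4 40/128",
    ("RC4", 56): "RC4 56/128",
    ("DES", 56): "DES 56/56",
}

SCHANNEL_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"


def parse_cipher_lines(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse every cipher line; headings such as 'SSLv3' do not match and are skipped."""
    parsed = []
    for line in text.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def is_weak(cipher: Dict[str, Optional[str]]) -> bool:
    """Weak = export-grade, no encryption (Enc=None), or key shorter than 128 bits."""
    if cipher["export"] or cipher["enc"].upper() == "NONE":
        return True
    return cipher["bits"] is not None and int(cipher["bits"]) < MIN_STRONG_BITS


def weak_cipher_names(text: str) -> List[str]:
    return [c["name"] for c in parse_cipher_lines(text) if is_weak(c)]


def schannel_keys_to_disable(text: str) -> List[str]:
    """Ordered, de-duplicated SCHANNEL subkeys for the weak suites found."""
    keys: List[str] = []
    for c in parse_cipher_lines(text):
        if not is_weak(c) or c["bits"] is None:
            continue
        key = SCHANNEL_KEY_FOR.get((c["enc"].upper(), int(c["bits"])))
        if key and key not in keys:
            keys.append(key)
    return keys


def build_reg_file(cipher_keys: List[str], disable_ssl2: bool = True) -> str:
    """Text of a .reg file setting Enabled=0 under each cipher subkey (and SSL 2.0 Server)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in cipher_keys:
        lines += [f"[{SCHANNEL_BASE}\\Ciphers\\{key}]", '"Enabled"=dword:00000000', ""]
    if disable_ssl2:
        lines += [f"[{SCHANNEL_BASE}\\Protocols\\SSL 2.0\\Server]", '"Enabled"=dword:00000000', ""]
    return "\r\n".join(lines)  # regedit expects CRLF line endings


if __name__ == "__main__":
    print("weak suites:", weak_cipher_names(SAMPLE_PLUGIN_OUTPUT))
    print(build_reg_file(schannel_keys_to_disable(SAMPLE_PLUGIN_OUTPUT)))
```

    Export the SCHANNEL key before importing the generated file, as the post recommends; SCHANNEL reads these settings at startup, so the server needs a restart before a re-scan will show the change.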

  • More on Downadup/Conficker worm…

    Posted on January 25th, 2009 webmaster No comments

    “It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs,” says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks. The worm, first identified in November and suspected to have originated in the Ukraine, is quickly ramping up, and while Downadup today is not malicious in the sense of destroying files — its main trick is to block users from accessing antivirus sites to obtain updates to protect against it — the worm is capable of downloading second-stage code for darker purposes. Many experts anticipate that could occur soon.

    Read the full article.

  • Worm Infects 9 Million Windows PCs

    Posted on January 16th, 2009 webmaster No comments

    Make sure you have KB958644 installed.

    Early Friday, the Finnish firm revised its estimate of the number of computers that had fallen victim to the worm, and explained how it came to the figure. “The number of Downadup infections [is] skyrocketing,” Toni Koivunen, an F-Secure researcher, said in an entry to the company’s Security Lab blog. “From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That’s just amazing.”

    On Tuesday, Koivunen put the number of infected systems at 2.4 million, then updated the estimate Wednesday to 3.5 million, an increase of 1.1 million in just 24 hours.

    Read the full article here.

  • Untangle Network Gateway

    Posted on January 3rd, 2009 webmaster 2 comments

    Another great piece of open source software.

    Untangle is basically a Unified Threat Management (UTM) solution designed for SMBs (up to about 300 users, although there are people who have successfully deployed it in much bigger environments, like this one, for example, with 1600+ users).  Untangle packaged all these great open source security software together and then provided a really nice and very intuitive user interface for them simplifying installation and management.  They also have commercial add-ons and provide live support for a fee.

    Here’s the product overview.

    Open Source and Free

    • Firewall - Just like most firewalls, nothing really special.  You can add a description to each rule (yes, I had to mention this because our current SonicWALL firewall at work doesn’t have this option!!!).
    • Web Filter - 14 categories.  Uses a local database with data downloaded from URLBlacklist.com.  I asked in the forums how often it gets updated and someone mentioned he thinks it’s every 6 hours but I haven’t confirmed it.
    • Spam Blocker - Uses SpamAssassin.  Gets updated every hour.
    • Phish Blocker - Based on ClamAV engine and phish signature database which gets updated every hour.
    • Spyware Blocker - I really like this one.  Seems to be blocking a lot of stuff.  Sometimes you’ll see websites with just a big white section somewhere where an ad used to be :).
    • Virus Blocker - Based on ClamAV.  Signature gets updated every hour.
    • Protocol Control - Uses “L7-Filter Netfilters to classify protocols based on OSI layer 7 data, regardless of port or port-hopping.”  Let’s say you want to block AIM, but AIM has the option to use a different port, port 80 for example, so blocking just the default AIM port on the firewall won’t work.  With Protocol Control, it doesn’t matter which port AIM is using; it can detect it based on its signature.
    • Intrusion Prevention System - Uses Snort signatures.
    • Attack Blocker - Blocks attacks :).  This prevents DoS attacks.
    • OpenVPN - Well, just like what the name says, it uses OpenVPN.  They made it really easy to set up.  You can also control which network to give a user access to and override DNS settings.
    • Untangle Reports - I love this one.  Gives you a nice summarized and detailed report (Daily, Weekly, and Monthly).

    Commercial Add-ons

    • Active Directory Connector - Uses a logon script that tells the server what IP a user is using.
    • Policy Manager - Lets you create multiple custom racks and assign them to certain users or IP addresses.
    • Branding Manager - Lets you change the look of the block pages.
    • eSoft Web Filter - A better web filter with 53 categories.  It also allows you to block https.  It’s a bit pricey though.
    • Kaspersky Virus Blocker - Adds another layer of protection.
    • PC Remote
    • Remote Access Portal

    You can deploy Untangle as a router, a transparent bridge, or a re-router.  I’ve been using it at home in router mode (virtual machine) for over a month now (I started with v5.4 and I just upgraded today to v6.0.2) and it’s great so far.  Very stable and seems to be doing its job.  You can manage everything using the web interface (Java is no longer required starting with v6.0).

    We’re actually planning on using this at work to replace our old SonicWALL firewall (which we’ve been planning on replacing since last year but kept getting pushed back due to budget cuts) and this would save us thousands of dollars from buying a commercial UTM appliance.

  • Internet Explorer Emergency Patch

    Posted on December 17th, 2008 webmaster No comments

    Microsoft just released this patch early today.  It’s supposed to patch a very serious vulnerability in IE and some security analysts are even suggesting to use a different browser until the vulnerability is completely patched.

    If you’re using WSUS it should already be available; we synchronized our WSUS server early this afternoon and set a deadline for it to be installed on all our computers as soon as possible.

    Read more about it here.