Oct 29, 2014

It's time to re-key your SSL certificates if they're signed with SHA-1

Google announced back in September that they will be the major catalyst for killing off SHA-1 around the world. In their blog post they talk about their plan to gradually "sunset" SHA-1 because of how weak it is.

From their blog:
The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper.

That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.

That's right, starting next month if your website is using an SSL certificate that was signed with SHA-1 and is good past January 2017, then users that browse to it with Google Chrome will start getting browser warnings! Thanks Google!

That means you need to have your certificates re-keyed through your SSL provider using a certificate signing request (CSR) with a SHA-256 signing hash if you don't want people to get browser warnings.

If you use IIS, even in Windows 2012 R2, it will still generate a CSR with SHA-1 only. So you need to use OpenSSL to generate your CSR. Linux has it built in, but if you are a Windows server user you can download a Windows version.

To generate your SHA-256 CSR run the following:

openssl req -nodes -sha256 -newkey rsa:4096 -keyout PrivateKey.key -out CertificateRequest.csr

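You will be prompted for the usual information, and this will create your private key and your CSR to send to your SSL provider. Because of the -nodes option the private key is written to disk unencrypted, so keep PrivateKey.key readable only by the account that needs it. Once your new cert is issued you should be good to go if you have an Apache server or Nginx.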

If you are a Windows IIS user you may want to create a p12 file with your certificate and private key all in one file so you can easily import it with the Certificates MMC snap-in. To create the p12 file run the following command:

openssl pkcs12 -export -in SignedKeyFromCA.cer -inkey PrivateKey.key -out SignedKeyPair.p12

You will be asked for a password to protect your key and you'll have to remember that password when importing it into Windows.

That's it, once that is done and installed you can check to make sure you did everything properly with SSL Labs.
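
A local check you can run before and after re-keying, as an added example that is not part of the original post: it applies the Chrome criteria quoted above (SHA-1 signature and an expiry in 2017 or later) to the output of `openssl x509`. The helper names are hypothetical, and "valid past 1 January 2017" is approximated as a notAfter year of 2017 or later.

```shell
#!/bin/sh
# Added example (helper names are hypothetical, not from the original post).
# Applies the Chrome criteria quoted above: SHA-1 signature AND notAfter in 2017+.

# classify_cert SIGALG NOTAFTER
#   SIGALG   as printed by openssl, e.g. "sha1WithRSAEncryption"
#   NOTAFTER as printed by -enddate, e.g. "Oct 29 12:00:00 2017 GMT"
classify_cert() {
    sigalg=$1
    set -- $2            # split the date on whitespace; field 4 is the year
    year=$4
    case "$sigalg" in
        *[Ss][Hh][Aa]1*)
            if [ "$year" -ge 2017 ]; then
                echo "REKEY"                      # SHA-1 and still valid in 2017 or later
            else
                echo "SHA1-EXPIRES-BEFORE-2017"   # SHA-1, but expires before the cutoff
            fi ;;
        *)  echo "OK" ;;
    esac
}

# First "Signature Algorithm:" line of a PEM certificate or of a CSR.
cert_sigalg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }
csr_sigalg()  { openssl req  -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }
cert_notafter() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# Check every PEM certificate named on the command line.
for pem in "$@"; do
    printf '%s: %s\n' "$pem" "$(classify_cert "$(cert_sigalg "$pem")" "$(cert_notafter "$pem")")"
done
```

Run it against the leaf certificate and each intermediate, since the Chrome rule applies to the whole chain; `csr_sigalg CertificateRequest.csr` should print sha256WithRSAEncryption before you send the request off.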

Oct 22, 2014

I'm switching back to OpenSSL on my Ubuntu Apache Servers

Many moons ago I posted about how I switched from OpenSSL to GnuTLS. That was because I wanted to mitigate against The BEAST attack, and at that time the version of OpenSSL that came with Ubuntu didn't support TLS 1.1 or TLS 1.2.

Well, in the latest Ubuntu releases OpenSSL does support it, but the funny thing is that something is wrong with GnuTLSPriorities in Ubuntu 14.04. For some reason, the string doesn't work anymore and I can't do simple things like disable SSL 3.0, which you need to do to mitigate against the new POODLE vulnerability.

I decided to switch back to OpenSSL, and in order to be PCI compliant and get an A+ rating on SSLLabs.com I also added the following to my /etc/apache2/sites-enabled/default-ssl.conf file:

SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Content-Type-Options nosniff

You need to be sure that the headers module (mod_headers) is enabled for the two Header lines above to work.

Once all of that is done you should be good to go!
[Code via Cipherli.st]
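
To confirm that a config file really leaves SSL 3.0 off, the following added example (not part of the original post or of Cipherli.st) evaluates SSLProtocol lines the way the directive is documented: a bare token replaces the set, `+` adds and `-` removes. The function names and sample files are constructed for illustration; it assumes a single scope and a default of "all" when no directive is present.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the original post).

# enabled_protocols FILE -> protocols left on by the last SSLProtocol line.
# Simplifications: one scope (no per-VirtualHost tracking); when no directive
# is present the default is assumed to be "all", as on 2014-era Apache 2.4.
enabled_protocols() {
    awk '
    BEGIN {
        n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2", P, " ")
        for (i = 1; i <= n; i++) on[P[i]] = 1
    }
    tolower($1) == "sslprotocol" {
        for (i = 1; i <= n; i++) on[P[i]] = 0      # each directive starts from none
        for (f = 2; f <= NF; f++) {
            tok = tolower($f)
            act = substr(tok, 1, 1)
            if (act == "+" || act == "-") { tok = substr(tok, 2) } else { act = "=" }
            for (i = 1; i <= n; i++) {
                hit = (tok == "all" || tok == tolower(P[i]))
                if (act == "=") on[P[i]] = hit     # bare token replaces the whole set
                else if (hit) on[P[i]] = (act == "+")
            }
        }
    }
    END {
        out = ""
        for (i = 1; i <= n; i++) if (on[P[i]]) out = out (out == "" ? "" : " ") P[i]
        print out
    }' "$1"
}

# sslv3_enabled FILE -> exit status 0 if SSLv3 is still on (POODLE exposure).
sslv3_enabled() {
    case " $(enabled_protocols "$1") " in *" SSLv3 "*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample configs (not taken from a real server).
demo_dir=$(mktemp -d)
printf '%s\n' 'SSLEngine on' 'SSLProtocol All -SSLv2' > "$demo_dir/weak.conf"
printf '%s\n' 'SSLEngine on' 'SSLProtocol All -SSLv2 -SSLv3 -TLSv1' > "$demo_dir/page.conf"
for f in "$demo_dir"/*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(enabled_protocols "$f")"
done
```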

Oct 1, 2014

Alternative To Truecrypt and Bitlocker For Full Disk Encryption

We all know that the original creators of Truecrypt jumped ship and, instead of passing on the source code, decided to release a final version that will only decrypt and cannot create new encrypted volumes. They also spouted some nonsense about how it is no longer safe.

Well, a new group has taken over the project but we don't know when they will have a new release out. Because of that some people don't want to use Truecrypt anymore and are looking for alternatives.

One I'm trying out now looks promising. It is called DiskCryptor. Here are the features from their page:


  • Support for encryption algorithm AES, Twofish, Serpent, including their combinations.
      ◦ Transparent encryption of disk partitions.
      ◦ Full support for dynamic disks.
      ◦ Support for disk devices with large sector size (important for hardware RAID operation).
  • High performance, comparable to efficiency of a non-encrypted system.
      ◦ Support for hardware AES acceleration:
          ▪ AES-NI instruction set on new Intel CPU;
          ▪ PadLock extensions on VIA processors.
  • Broad choice in configuration of booting an encrypted OS. Support for various multi-boot options.
      ◦ Full compatibility with third party boot loaders (LILO, GRUB, etc.).
      ◦ Encryption of system and bootable partitions with pre-boot authentication.
      ◦ Option to place boot loader on external media and to authenticate using the key media.
      ◦ Support for key files.
  • Full support for external storage devices.
      ◦ Option to create encrypted CD and DVD disks.
      ◦ Full support for encryption of external USB storage devices.
      ◦ Automatic mounting of disk partitions and external storage devices.
  • Support for hotkeys and optional command-line interface (CLI).
  • Open license GNU GPLv3.

The one thing it is missing that I used a lot with Truecrypt is the ability to make encrypted file containers which are great for keeping files encrypted over shared file storage like Google Drive. For full disk encryption though it works like a charm.

A thing that I liked about Truecrypt was you could easily install it on a Linux Live CD so you could perform offline maintenance if you needed to with an encrypted volume. Well you can't create a Linux Live CD for DiskCryptor, but you can create a WinPE live disk with it!

So far it looks good, and boot-up time doesn't appear any more impacted than it did with Truecrypt. For now, I think this one might be my choice for the best alternative.

What are you using for full disk encryption since Truecrypt went belly up for the time being? Let us know in the comments.

Sep 30, 2014

No Renewal? No Problem: 3 Ways to Keep Your iPhone Fresh

After a long wait amid considerable rumors, on Sept. 9 Apple announced the new iPhone 6 and its first-ever phablet, the iPhone 6 Plus. Mashable reports that the iPhone 6 will have a 4.7-inch screen and the Plus will have a 5.5-inch screen. They both will have the same internal specs, but the Plus will have a higher resolution of 1920 x 1080.

The iPhone 6 came out Sept. 19 for $199, $299 or $399, depending on the amount of GB, which is great for any of us hanging onto our carrier's upgrade renewal. But, for late purchasers of the iPhone 5S or 5C, there isn't much hope for a new iPhone 6 on launch day, unless you're willing to pay the hefty non-subsidized price.
For all those living in contractual limbo: Don't fret. Sure, maybe you can't have the iPhone 6 with the rest of the Apple fanatics on day one, but you can take a few tips and tricks to keep your current iPhone kicking until your next upgrade.

A Clean Start

If your phone is slow or unresponsive, there's a good chance nothing is wrong with the hardware. Think about all the pictures, emails, texts and apps that build up on your phone over the months. Even a device as new as the iPhone 5 can get bogged down by an overabundance of content (and let's face it, do you really need all those pictures of your cat in that weird Christmas sweater?).
Take a leap of faith and wipe that phone clean. It's time for your phone to look and act like it came right out of the box. Of course, save your important pictures and emails to your desktop first. And don't worry about your paid apps, because they are 100 percent re-downloadable for free. Follow these step-by-step instructions from Apple's support forum (but don't restore your iCloud backup—remember, this is all about new beginnings).

The iPhone's New Clothes

Now that your phone is fresh on the inside, it's time for a fresh look on the outside with a new case and screen protector. The best thing about iPhone cases is there are thousands of designs to choose from. Some are just plain protective shells, and others double as wallets or battery packs. Think about getting a matte screen protector, too, as they reduce glare and hide fingerprints.

Go the Distance

Clean on the inside, clean on the outside—your old iPhone isn't looking so old anymore. But remember, it still needs to last until your next upgrade. There are a couple final details to ensure your phone will go the distance.

First, get yourself a protection plan in case your iPhone decides to take a fall. Even the best cases can only do so much to protect against cracked screens and water damage, and just the right angle can destroy any phone. Protection plans are typically about six dollars a month and ensure you don't pay full price for a replacement.

The second method is to purchase a decent cleaning kit to keep all the dirt and grime off your phone. iKlear makes a decent kit and will give your phone that polished look you see in the Apple Store.
After that, just ride out the contract wave with your "new" phone, and the iPhone 6 will be in your hands in no time.

Sep 25, 2014

How To Stop Your Computer From Locking When it is Controlled By Group Policy

I work remotely for my day job and have been doing that for a little over a year now. It's pretty great and generally gives me some flexibility. My company benefits from it too because I am always at the office and ready to jump on an issue at a moment's notice.

One of the very few issues I have with working remotely is that my laptop is still controlled by Group Policy, and one of the policies I have in place is to lock workstations with ten minutes of inactivity for security purposes. This sort of thing is very important in an office environment where there are a number of people that could potentially access your computer if you step away and forget to lock it.

I'm at home though, and the only other creature with me during working hours is my dog. She's pretty smart, but lacks the opposable thumbs to hack anything off of my company laptop. Because of that fact, I feel that my laptop is pretty secure if I step away without locking it all the time. The problem is that I can't disable that on my laptop.

No problem, I found a cool little utility that works in this instance. It is called Don't Sleep. It is actually designed to prevent your computer from doing the following:
  • Standby / Hybrid Sleep / Hibernation
  • Shutdown
  • Log off
  • Screensaver / Turn off monitor
It is a light app, so you don't have to install it to use it. Just download it and double click it to start. You can set your options and just leave it in your system tray.


I have mine set on a timer during working hours so it automatically closes and my computer can lock and turn off the monitors at the end of the day on its own. During the day though, my computer keeps me logged in and unlocked so if I have to run to the kitchen or anything else longer than ten minutes I don't have to worry about logging back in when I return.

Do you have something like this running that essentially does the same thing? Is it free? Let us know in the comments.

Sep 18, 2014

New Tech for New Babies: Top Gadgets for New Parents

A new baby, new joy, new worries. After the little one comes, there is oh, so much happiness. With that happiness comes oh, so many worries. Is the baby sleeping okay? Has she had enough to eat? Does he need to be changed? Does she have a fever?

Thankfully technology has really come through for parents of new babies. Here are a few gadgets you can use that are really convenient and might help you not worry quite as much.

Pacifier Thermometer

The absolutely perfect reason for a baby to have a pacifier. Pacifier Thermometer is a gadget that takes a baby’s temperature without disturbing her. Its Fever Alert function glows and allows parents to read her temperature at night without waking the baby up. It comes with a protective cover for the diaper bag.

Smart Swaddling Blanket

Babies love to be swaddled, and now we have smart swaddling. Babies don't come with instructions, but SwaddleDesigns blankets do! SwaddleDesigns has come out with a smart swaddling blanket with swaddling instructions sewn to the blanket and a scannable QR code on a label that makes it super easy to use on your smartphone. Help is there when you need it.

By scanning that code with the QR reader in your smartphone, you have access to short instructional videos such as, how to swaddle a baby, newborn care tips, and free white noise to help calm baby.
When babies cry, swaddling can help to calm them. The smart swaddling blanket will help you learn to swaddle, and the full-length white noise is proven to help calm and relax baby. Babies sleep better and longer when swaddled, especially with the addition of white noise, which means parents get more sleep, too.

Lorex Live Connect Monitor

Baby monitors have come a long way. Standard baby monitors come with video now. There are smart monitors that will allow you to turn on the nightlight in your baby’s room or play music, all from your smartphone.

However, if you want a monitor that will monitor your baby in CIA-like fashion, check this out. The only thing this baby monitor can’t do is hold the baby, but he’s got you for that. Features include the following:
  • Automatic night vision: You can see the baby clearly at all times of the night.
  • Audio-triggered video recording: When the baby starts to cry, the monitor automatically starts recording the baby so you can see why she started to cry.
  • Multi-camera monitoring: Yes, one camera is enough, but imagine being able to monitor not just the baby, but your toddler’s room and the front door. It can accommodate up to four cameras. Each monitor starts you out with one.
  • Two-way audio: Instead of the standard one-way-you-can-hear-the-baby-crying monitor, this feature lets your baby hear you. If you want to sing to her or just tell her you’re on your way, the sound of your voice will be a comfort.
  • Video recording: This is not a baby monitor standard, but you can get Lorex to add motion-activated wireless video cam surveillance (told you it was CIA-like) for your baby monitor as part of the system.
The technological gadgets that have been designed for new babies and their parents are incredibly helpful to a parent with a new baby. By providing brilliant tech baby aids, manufacturers have made it possible for you to know that your baby is safe, warm, comfortable, well-fed, and healthy so that you can maybe worry just a teensy bit less.

Sep 16, 2014

How To Make Top Ramen in The Microwave

This post isn't technical, but I thought I would share it with you anyway and hopefully you might find it useful. I'm sure you college kids certainly will anyway...

So I'm a bachelor again, and one of the things I find myself eating at lunch time because it is quick, easy and cheap is Top Ramen. Most of the time I actually go for cup of noodles, but Top Ramen is usually cheaper. The problem with Top Ramen besides its utter lack of nutritional value is that it doesn't come with microwave instructions, so here is what I do:

  • In a regular sized bowl, break the noodle brick in half and place the two halves sideways in the bowl so they can fit, then fill the bowl about half way with water.
  • Place the bowl in the microwave and microwave it on high for two minutes.
  • Take out the bowl and stir in the remaining noodles, then place the bowl back in the microwave and nuke them for another two minutes.
  • Take the bowl out of the microwave and stir in your flavor packet. Bam! Microwaved Top Ramen!

There you have it, my super secret microwave Top Ramen recipe. Do you do it differently? I'm curious to know how you do it. Let us know in the comments.

Sep 15, 2014

How To Add Barcodes To Envelopes in Microsoft Word

For years I've used Microsoft Word to prepare envelopes for mailing. It is pretty easy to do, and generally gives your letters a little more of a professional polish than handwriting addresses, or even using rubber stamps.

Before Office 2007, you used to be able to type in an address and easily add a POSTNET barcode to your labels, but according to Microsoft's KB897290 that code is now obsolete, and so they stopped including it in the Microsoft Office Suite. This doesn't mean you can't still add it, it just means you need to do it slightly differently.

The following was tested in Microsoft Office 2010, and I'm sure the process is similar in Microsoft Office 2013 (if it isn't, let us know in the comments).

  • Download and install uspsEncoderMsOffice-1.3.1.zip
  • In Microsoft Word go to Mailings > Envelopes and enter your delivery and return addresses like usual, then click Add to Document.
  • Set your cursor under the delivery address, and go to Insert > Quick Parts > Field
  • Select BarCode and check the Bar code is US zip code check box, then enter in the delivery zip code then click OK.

  • A new barcode will now be shown beneath your delivery address, and you can print like usual.
  • Here is a picture of mine, of course it looks jacked up because my printer's envelope feed is poorly designed, but what can you do right?

Did this help you out in your mailing tasks? Let us know in the comments!


