Apr 10, 2014

How To Enable HTTP Strict Transport Security in Apache on Ubuntu

So you have all heard of the new Heartbleed vulnerability in OpenSSL (CVE-2014-0160), right? It's all the buzz at work since my company works with a lot of banks, and all of the banking security people are contacting their vendors to make sure we are not vulnerable. If you haven't heard, Heartbleed is:
...is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
So I checked all of our web servers using the SSL Labs server test, and luckily none of our sites are vulnerable. While I was at it, I noticed that although my Apache web servers had A or A- ratings, I could improve their TLS configuration by enabling HTTP Strict Transport Security (HSTS), which according to Wikipedia is:
...a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of time during which the user agent shall access the server in only secure fashion.
To implement it in Ubuntu, do the following:
  • Run sudo a2enmod headers to enable mod_headers
  • Edit your SSL site config in /etc/apache2/sites-enabled and add the following line inside the <VirtualHost *:443> block. It only belongs in the HTTPS vhost: browsers ignore the header when it arrives over plain HTTP, and your port 80 vhost should simply redirect to HTTPS so first-time visitors pick the policy up.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  • Restart Apache by running sudo service apache2 restart
After doing that you can run a test against SSL Labs again and you will see that your rating has gone up! Here is a screen shot from my personal email server with an A+ rating!


Incidentally, 31536000 seconds is 365 days, which should be good enough, but you can adjust that number however you want. Two things to keep in mind: a browser that has cached the policy will refuse plain HTTP to your site for that long (you can shorten or clear it by sending a smaller max-age, or max-age=0, but only browsers that come back over HTTPS will see it), and includeSubDomains extends the policy to every subdomain, so make sure all of them serve HTTPS before you turn it on. If you are unsure, start with a short max-age such as one day and raise it once nothing breaks.
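To confirm what a server actually sends after the change, here is an added example (my own, not code from the original post) that checks an HSTS header for presence, a minimum max-age and includeSubDomains, and warns if the header is also being sent over plain HTTP, which usually means it landed in the wrong vhost. The sample responses embedded at the bottom are constructed for the offline demo, and any host name given on the command line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: check the HSTS policy a server
# actually sends. Host names passed on the command line are placeholders.
set -u

# Print the Strict-Transport-Security value from a raw HTTP response
# (as printed by `curl -sI`); prints nothing when the header is absent.
hsts_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }'
}

# Print max-age in seconds from a header value (RFC 6797 allows quotes and
# spaces around directives); prints 0 when the directive is missing.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d ' \t"' | tr ';' '\n' \
        | awk -F= 'tolower($1) == "max-age" { print $2; exit }' \
        | grep -E '^[0-9]+$' || echo 0
}

# Check one HTTPS response: header present, max-age at least $2 seconds
# (default one year), and report whether includeSubDomains is set.
hsts_check() {
    response=$1
    min_age=${2:-31536000}
    value=$(hsts_value "$response")
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header"
        return 1
    fi
    age=$(hsts_max_age "$value")
    if [ "$age" -lt "$min_age" ]; then
        echo "FAIL: max-age=$age is below $min_age"
        return 1
    fi
    case ",$(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr -d ' \t' | tr ';' ',')," in
        *,includesubdomains,*) echo "OK: max-age=$age, includeSubDomains set" ;;
        *) echo "OK: max-age=$age (no includeSubDomains)" ;;
    esac
}

# Live check (needs network): the HTTPS response must carry the policy; the
# plain-HTTP response should just redirect to HTTPS and should not carry it,
# since browsers ignore HSTS on http:// and its presence there usually means
# the header was added to the wrong vhost.
hsts_probe() {
    host=$1
    hsts_check "$(curl -sI --max-time 10 "https://$host/")" || return 1
    if [ -n "$(hsts_value "$(curl -sI --max-time 10 "http://$host/")")" ]; then
        echo "WARN: header is also sent over plain HTTP"
    fi
}

# Constructed sample responses (not captured from any real server).
SAMPLE_GOOD=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nContent-Type: text/html\r\n\r\n')
SAMPLE_SHORT=$(printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=300\r\n\r\n')
SAMPLE_NONE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n')

case ${1:-} in
    --demo)
        hsts_check "$SAMPLE_GOOD"
        hsts_check "$SAMPLE_SHORT" || true
        hsts_check "$SAMPLE_NONE" || true
        ;;
    '') ;;
    *) hsts_probe "$1" ;;
esac
```

Run it with --demo to see the three outcomes on the constructed samples, or with a host name to probe a real server over both schemes.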


Apr 7, 2014

How Secure is The IRS's SSL Implementation? Not very

I write posts like this periodically. Mainly because implementing SSL is one of my duties at my day job. Not only that, I have to implement it and make sure it follows best practices for PCI Compliance.

Every time I use a site that uses SSL, I always look at their certificate information then I also go a step further and run a server test against the site using the SSL Labs tool. It spits out a report of which ciphers and protocols are implemented, and what kind of attacks can be used against that server to compromise security.

Well I happened to be on the IRS site to request old tax transcripts and I decided to run a test. The IRS received an F rating!


As you can see, the IRS site is vulnerable to man-in-the-middle attacks, and if you scroll down further on the report page you see they are also vulnerable to BEAST. Kind of pathetic for a government website if you ask me. However, they aren't the only government agency with a poor SSL implementation.

Apr 4, 2014

Securing Ubuntu: Use UFW Firewall

A lot of you probably already know this, then again some of you might not have thought about it too much. I mean, you're using Linux, right? Nobody is going to be able to hack it, right? Not necessarily.

I got to thinking about this because I use Ubuntu exclusively for work and for home, and the other day I was working remotely from a coffee shop in Grand Junction Colorado. I had just recently re-built my laptop with Ubuntu and hadn't installed a firewall yet. Mainly because I usually work from home and I'm behind an appliance firewall there.

So anyway, not wanting to be hacked by some guy in a coffee shop I installed my favorite firewall for Ubuntu, gufw. It is the gui front end to the ufw firewall.

To install it is easy, just run:
sudo apt-get update && sudo apt-get install gufw
Once installed, setup is super easy. Just turning it on sets the default policy to block all incoming connections and allow all outgoing connections.
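For anyone who would rather do the same thing without the GUI (on a server, say), here is an added example of my own, not from the original post, that applies that same deny-in / allow-out baseline with ufw and then verifies the active policy by parsing ufw status verbose, so you can check a box before trusting it on shared wifi. The optional SSH allow rule and its 192.168.1.0/24 network are placeholders for a trusted home network, and the sample status text is constructed for the offline check.

```shell
#!/bin/sh
# Added example, not from the original post: apply the same baseline policy
# the gufw switch gives you from the command line, and verify it by parsing
# `ufw status verbose`. Set DRY_RUN=1 to print commands instead of running them.
# The 192.168.1.0/24 network used in the demo is a placeholder.
set -u

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        sudo "$@"
    fi
}

# Deny inbound, allow outbound, optionally allow SSH from one trusted network
# ($1, CIDR), then enable without the interactive confirmation prompt.
ufw_baseline() {
    run ufw default deny incoming
    run ufw default allow outgoing
    if [ -n "${1:-}" ]; then
        run ufw allow from "$1" to any port 22 proto tcp
    fi
    run ufw --force enable
}

# Return 0 only if `ufw status verbose` output ($1) shows an active firewall
# with deny-incoming / allow-outgoing defaults. Takes the text as an argument
# so it can be checked offline against saved output.
ufw_policy_ok() {
    status=$1
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "firewall is not active"; return 1; }
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming), allow (outgoing)' \
        || { echo "default policy is not deny-in / allow-out"; return 1; }
    echo "policy ok"
}

# Constructed sample output in the format ufw prints; not captured from a real host.
SAMPLE_OK=$(printf 'Status: active\nLogging: on (low)\nDefault: deny (incoming), allow (outgoing), disabled (routed)\nNew profiles: skip\n')
SAMPLE_BAD=$(printf 'Status: active\nLogging: on (low)\nDefault: allow (incoming), allow (outgoing), disabled (routed)\nNew profiles: skip\n')

if [ "${1:-}" = "--apply" ]; then
    ufw_baseline "${2:-}"
    ufw_policy_ok "$(sudo ufw status verbose)"
fi
```

Run with --apply (optionally followed by a CIDR for SSH) to change the live firewall; set DRY_RUN=1 first to see the exact ufw commands it would issue. The verify step matters because ufw allow rules added later do not change the defaults, and a "Default: allow (incoming)" line is the thing you want to catch.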


Having that installed and running, especially in a place with shared wifi, makes me feel a little bit better.

Do you use a different firewall in Ubuntu? Which one do you use? Let us know in the comments!

Mar 27, 2014

Automate Your Small Business Accounting and Save

Accountants, financial managers and chief financial officers don't come cheap. In 2012, the American Institute of CPAs reported an average CFO salary of $150,000, a heavy burden for young companies. While any company aiming to expand will eventually need to hire a financial staff to balance the books, a variety of software solutions now make it easier than ever for businesses to handle these tasks on their own. Here are some reasons your business should think about cutting costs and increasing efficiency using accounting software:

Save On Personnel Expenses

The obvious benefit of small business accounting software is the personnel resources it saves. But these benefits work in two ways: first, companies save by not having to hire personnel, reducing overhead. But even when you choose to manage financial and accounting matters on your own, the tasks still take time. Time and manpower are crucial for young, lean businesses. When you choose to handle financial matters on your own, it can have negative consequences in other areas of the operation.

The solution lies in using software specific to managing small business finances. Accounting software solutions are designed to provide the full spectrum of accounting services small businesses need. More importantly, these tools allow for accounting processes to be taken care of quickly, and in some cases automatically, without any personnel required.

Tracking Payables, Receivables, and Delinquencies

Managing invoices and receivables is critical for any business. If you aren't keeping track of the bills you are owed, you're losing money. Once again, this is where automated accounting software can pay off. If you choose a solution that offers online payment management, you can set up the software to receive payments on invoices from your clientele, Business2Community notes.
One of the most helpful features of accounting programs is the automatic updates to the status of outstanding invoices. When you pull up the software to check on your outstanding invoices, everything you need is readily available.

The Big Decision: When to Hire a CFO

While software solutions are a great way to save money on financial personnel, particularly in the early stages of a small business, any significant growth will inevitably mean you need to hire a chief financial officer.

There are a few internal indications that it might be time to hire a CFO, notes Forbes. If big financial decisions need to be made, and the company lacks a professional to offer information, insight and guidance on these matters, it might be time to hire. Depending on your industry, a CFO may also be instrumental in a variety of key growth areas, such as acquiring additional capital, managing government regulations and tax implications, and taking care of control cost measures, particularly as costs and financial matters change and grow more complex.

The good news is, when the time comes to make such a hire, you'll have the financial resources to facilitate such a move. And you can thank your accounting software for helping you reach this point.

Mar 26, 2014

My New Favorite Twitter Client For Ubuntu: Birdie

Those of you who have been following the blog for a while know I used to be heavily into social media. I was addicted! In fact, for a while when making Bauer-Puntu I built it around social media. I would pre-install Twhirl when it was still around, then I switched over to Gwibber when it was still being updated.

Last year I got rid of all my personal social media accounts, but recently I decided to revive my personal Twitter account since I'm going through a divorce and feeling more social; and decided to install a Twitter client on my Ubuntu laptop again. Since my two favorite clients are no longer around I went hunting, and found one I like. It's called Birdie!

To install it in Ubuntu you first must be running at least Ubuntu 13.10. If you are on 13.10 or later, run the following from the terminal to install:
$ sudo add-apt-repository ppa:birdie-team/stable
$ sudo apt-get update
$ sudo apt-get install birdie -y
After you install, Birdie is pretty straight forward. The only drawback I see is that it won't minimize to the system tray. I'd like to see that feature implemented if possible. Despite that, it is a pretty cool little Twitter client!

What do you use on Ubuntu for a Twitter client? Why do you like it? Let us know in the comments.

Mar 25, 2014

osTicket Core 1.8.1.2 Review

I have written about osTicket in the past. It is a very simple, and easy to use help desk ticketing system that runs on a LAMP server. The first time I wrote about it was because I developed a way to integrate it with Active Directory and the second time I wrote about it, was because I found an easier way to integrate it with Active Directory. Both of those were hacks.

In this latest version, the developers of osTicket have given the system the ability to add plugins! Guess which plugin is available right out of the gates? That's right, an Active Directory authentication plugin! No more hacking PHP!

The next feature that I thought was awesome is the built in stats! They never had stats before which was a problem for management at my last two companies. They had no way of checking how well help desk and customer support personnel were performing. Well, now they can. Here is a screen shot from a server I recently setup:

 

Here is a list of features in the latest version:
  • Custom Fields
  • Rich Text HTML
  • Ticket Filters
  • Help Topics
  • Agent Collision Avoidance
  • Assign and Transfer
  • Auto-Responder
  • Internal Notes
  • Service Level Agreements
  • Customer Portal
  • Dashboard Reports
If you are familiar with osTicket, you will find the latest version just as easy and intuitive to use, but the built in stats and the Active Directory plugin really make this the best version yet!

Do you use osTicket? Are you thinking about upgrading? Do you use some other open source ticketing system? If so, which one? Let us know in the comments!

Mar 24, 2014

Unlock Domain Users and More From Your Android Device Remotely

I may have mentioned sometime last year that my current company (that shall remain nameless) allowed me to move to Colorado from California and work remotely. It was probably the coolest move any employer has ever done for me.

Now that I work remotely from home it gives me a lot of flexibility that I didn't have before, but that flexibility also causes some grief. For instance, if I decide to run out and visit Walmart real quick, it almost never fails that I get a call from someone who has locked their account out in Active Directory because of fat fingers. Before, I would sigh and tell them they would have to wait until I got back to my computer. Well, not anymore!

I've been using a tool in my company for a long time called ADManager Plus Free Edition. I've pretty much only used it for Active Directory cleanup and running reports, but I figured out another use for it. You can enable SSL on it, expose it to the Internet and use the free AD Manager Android app to connect to it and unlock users, reset passwords, disable accounts etc. Keep in mind that this puts a web console that can reset any domain password on the public Internet, so at a minimum keep it patched, give it a strong unique admin password, and restrict who can reach it by source IP or put it behind a VPN rather than leaving it open to the whole world.

And you can do it all remotely!

The free edition comes with all the same features as standard edition with the limitation of managing 100 domain objects at a time. If your company is small like mine, that is not an issue. If you are a larger company, you might want to fork over the cash for their standard or pro versions.

So now if I have to run down to Walmart, and one of my frequent customers calls to have me unlock their account, I can do it using just a few swipes on my Android device!

Do you use something to help manage AD users remotely? What do you use? Let us know in the comments.

Mar 21, 2014

Powershell Script To Email Alerts When A Domain Account Gets Locked Out

At my previous company we had a script that would get triggered on a domain controller if an Active Directory account got locked out because of too many login attempts. It was really helpful in being proactive when someone got locked out.

I decided my current company needed something like that too, and I found a really easy Powershell script that did the trick. You can download that script here (AD Lockout Alert Script) then do the following on your domain controller to send out the alerts:

  • Open PowerShell on your domain controller and run the following to allow the execution of local scripts: Set-ExecutionPolicy RemoteSigned
  • Save the Alert Script to c:\lockouts
  • Modify the To, From and SMTP server information in the script for your environment and save it.
  • In Task Scheduler, create a new basic task and use "When a specific event is logged" as the trigger.
  • Use the following settings for the trigger:

    Log: Security
    Source: Microsoft Windows security auditing
    Event ID: 4740
  • Select "Start a program" for the action and use the following settings:

    Program/Script: powershell.exe
    Add arguments: -nologo -File "C:\lockouts\Lockoutalert.ps1"
  • When finished setting this up, set the task to run as SYSTEM, whether a user is logged on or not.
That's it! Now whatever email address you used in the To field in the script will get an alert whenever any user account in your domain gets locked out. I recommend testing it with a test account. Note that event 4740 is written on the domain controller that processed the lockout, and the PDC emulator records every lockout in the domain, so set the task up on the PDC emulator (or on every DC) rather than on an arbitrary one.

Do you use a similar method for lockout alerts in your company? Do you do it differently? If so, let us know in the comments!

[Via SW]

Mar 17, 2014

How To Get LDAP Working in TeamPass With Windows 2008 R2

I mentioned last week that I set up a new password vault server at my day job called TeamPass. I also mentioned that it allows authentication with Active Directory using LDAP. I then proceeded to mention that there is a trick to getting it to work.

Well, here is my post about how to do it.

Once you login to your TeamPass server with an administrator account you will want to do the following:
  • Go to Settings > LDAP Options
  • Set Enable users authentification through LDAP server to Yes
  • Select Windows / Active Directory from the drop Down
  • Click Save
  • Go back to Settings > LDAP Options
  • Under LDAP account suffix for your domain, they give you an example using the @ symbol with a DN for your domain, like @dc=bauer-power,dc=net. Well, that doesn't work against Active Directory. You need to just put in @bauer-power.net (or whatever your domain is), so that the name TeamPass binds with becomes a user principal name like jdoe@bauer-power.net, which AD accepts for a simple bind.
  • The rest you fill out using their examples.
  • When finished click Save.
Here is a screen shot of how mine looks:


You're probably wondering how I figured that out. Well I didn't actually. I found an obscure page on Google Code where someone had the same issue and that's what they did to get it to work.

Anyway, it works like a charm now and I can use my AD credentials to access passwords in our TeamPass password manager server!
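Before you change the TeamPass settings it is worth proving the bind from the TeamPass box itself, since the UI gives you little to go on when it fails. The added example below is my own, not code from the original post or from TeamPass: it turns a base DN such as dc=bauer-power,dc=net into the @bauer-power.net suffix the post describes, and then tries a simple bind as user@domain with ldapwhoami (from the ldap-utils package). The domain controller name you pass is a placeholder; the bind goes over LDAPS on 636 because plain LDAP on 389 sends the password in clear text, and if your TeamPass LDAP settings offer an LDAPS or TLS option it is worth using there as well.

```shell
#!/bin/sh
# Added example, not from the original post: derive the "@domain" suffix
# TeamPass needs from the directory's base DN, then test an AD bind with
# that suffix using ldapwhoami. Usage: script.sh DC_HOST USERNAME BASE_DN
# (DC_HOST is a placeholder; requires ldap-utils and network access to the DC).
set -u

# dc=bauer-power,dc=net  ->  @bauer-power.net
# A bare domain, with or without a leading "@", is normalized the same way.
# Non-dc RDNs (ou=, cn=) are ignored, so a users container DN works too.
ldap_suffix_from_dn() {
    dn=$(printf '%s' "$1" | tr -d ' ' | sed 's/^@//')
    case $dn in
        *[dD][cC]=*)
            domain=$(printf '%s\n' "$dn" | tr ',' '\n' \
                | sed -n 's/^[dD][cC]=//p' | paste -sd. -)
            ;;
        *)
            domain=$dn
            ;;
    esac
    [ -n "$domain" ] || return 1
    printf '@%s\n' "$domain"
}

# Simple bind as user@domain over LDAPS. ldapwhoami prints the identity the
# directory resolved, which is the same bind TeamPass will perform.
ad_bind_test() {
    dc_host=$1
    user=$2
    suffix=$3
    ldapwhoami -x -H "ldaps://$dc_host" -D "$user$suffix" -W
}

if [ $# -ge 3 ]; then
    suffix=$(ldap_suffix_from_dn "$3") || { echo "cannot derive a suffix from: $3" >&2; exit 1; }
    echo "binding as $2$suffix"
    ad_bind_test "$1" "$2" "$suffix"
fi
```

If ldapwhoami fails with a certificate error, fix trust for the DC's certificate (or the CA that issued it) on the TeamPass host rather than disabling verification; that same trust is what protects the credentials TeamPass forwards.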

Mar 14, 2014

Awesome Web Based Password Manager For Your Team

A long time ago at my previous company we wanted a central place where we could store passwords that were shared within the IT department. I set up Web Keepass at that time, but I'll admit it was kind of hokey because it was Java based.

At my current company (That shall remain nameless) we are currently using regular Keepass with a database file stored on a file share. This method works, but I much prefer having it on a central server like we did with Web Keepass, but this time I didn't want to use Web Keepass.

I also didn't want to fork over any cash for something like Secret Server when I knew that there would be just as good, or even better open source alternatives available.

Well I found an even better solution with TeamPass! It is not Java based, and runs on an Ubuntu LAMP server! From their page:
TeamPass is a Passwords Manager dedicated for managing passwords in a collaborative way on any server Apache, MySQL and PHP. It is especially designed to provide passwords access security for allowed people. This makes TeamPass really useful in a Business/Enterprise environment and will provide to IT or Team Manager a powerful and easy tool for customizing passwords access depending on the user's role.
TeamPass also has the ability to authenticate with Active Directory using LDAP. I'll be writing about how to set that up in Monday's post. It's pretty simple, but you have to know a trick to make it work.

What do you use for password management at your company? Why do you use it? Let us know in the comments!

Mar 11, 2014

Stay Sane on the Road with These Car Apps

The average commuter sits in traffic 38 hours a year, according to Texas A&M's annual mobility study. Those hours add up to $120 billion, or $820 for every commuter in the U.S. A study by AAA shows we spend $8,946 annually on owning and operating our vehicles. With so much time and money spent on our cars and driving each year, it's easy to feel overwhelmed just getting on the road. Eliminate some of your auto stress with apps that tackle commute times and figure out car repair costs.

Daily Commute

Daily Commute records your route to figure out when you'll arrive at your destination. Although you can use it the first time you launch the app, it can take a few commutes for it to hone in on the intricate details of your driving patterns and average traffic. Daily Commute can also tell you when you should leave the house and tell you how to avoid traffic at specific times and places.

DriveTime

The newly mobile optimized DriveTime site gives car shoppers a chance to browse through used inventory from any smartphone. Instead of taking copious notes at the dealers and heading back to your laptop at home, get info on the go to search for comparable vehicles. Search through Drive Time's inventory, get locations to find nearby cars and secure financing online all in one place.

Repair Pal

Recommended by the guys from "Car Talk," Repair Pal helps you find the best mechanics in your area. It can also figure out an estimated price for your repair so you know approximately what you should pay. The app cross references data from articles, reports and repair experts to pool together their info and resources in one easy to access app.

TomTom

TomTom has been making vehicle navigation systems for years, and now has a smartphone and tablet app to take on the go. Daily map changes update dynamically to show speed limit changes or blocked roads. Hook into Facebook or Foursquare through your app to see where your friends have checked in and navigate the route to meet up. There's also a free speed camera alert to tell you when to slow down and watch for speed traps.

Twist

Twist doesn't tell you how to combat your traffic woes, but it does make sure everyone else knows when you're arriving if you're late. The app tracks your location, gets directions and helps you find your friends' physical location if they're also on Twist.

While you can track the location of your friends or colleagues on the app, it can also tell them where you are. Instead of trying to text and drive to tell your coworkers you're running late for a meeting, it updates your party and gives your estimated arrival time. And because it does the work for you, there's no awkward exchange with your boss on why you're running late.

Mar 5, 2014

Xubuntu Stuck in A Login Loop

The other day my son was playing some games on my Xubuntu desktop PC when everything froze up. I'm not sure exactly what he did, but it was unresponsive.

Because of that I decided to reboot the computer and when it came back up I was presented with the Lightdm login screen. The only issue was that when I tried to login, the computer would think for a bit then just refresh the login screen. WTF?

The issue was that somehow the permissions got changed on the .Xauthority file in my profile. So this is how I fixed it:
  • Pressed Ctrl + Alt + F3 to drop into a terminal and log in.
  • Ran ls -alh to show all files and folders under my profile. The permissions for .Xauthority were something like:
    -rw-------  1 root root   53 Mar 02 10:19 .Xauthority
  • Next I ran sudo chown username:username .Xauthority then rebooted
  • When the computer came back up I was able to login again.
Again, I'm not sure what caused this. If you know what would cause it please let me know in the comments.
[Via Ask Ubuntu]

Mar 3, 2014

OMG! I Can't Login To TimeTrex!

The other day my company hired a new office manager. This position handles payroll. The previous office manager was on maternity leave, and in her absence she had a temp running the show. Well now the original office manager and the temp are leaving, so there is a mad scramble to get the new office manager setup with accounts so she can do stuff like process payroll.

One of the tools we use for hourly employees is TimeTrex, which is an open source time card management program that runs on Linux. Well for some reason the previous office manager couldn't login to setup the new office manager with payroll administrator access.

No problem I thought, I'll just login and do it. Well shit! I couldn't login either! WTF!?!

Well, I tried the password reset link, and it said it couldn't locate my email in the database. I decided to check the database and sure enough my account was there, and so was my email.

I found this FAQ on the TimeTrex site that tells you to create an override password. That didn't work either (which I'll explain in a minute). Again, WTF?!?

At first I thought that maybe the database was corrupt. So I asked some of the hourly employees if they could login. They all could, so that gave me an idea!

I found this thread on the TimeTrex forums that talks about elevating a user's permissions to administrator. All you have to do is run the following command from the terminal from within your TimeTrex directory on the server:
sudo php5 tools/set_admin_permissions.php username
After that, the username you used above is made an administrator. You can then log in as that user to fix stuff. If you can, pick an account whose password you already legitimately hold rather than asking a real employee for theirs, and be sure to take the administrator permissions away again as soon as you are done.

The issue was the temp office manager marked me and the old office manager as terminated in TimeTrex for some unknown reason. Because of that our logins were suspended, which is also why the password reset didn't work, and the password override didn't work.

After I made my account active again, I logged out, and was able to login again with my account. I then removed the administrator permissions from the user account I borrowed.

Feb 26, 2014

How To Remove Encryption on Your Android Device

I wrote a while back how I had been using encryption on my Samsung Galaxy S3 (Sprint) Android device, but after a while it proved to be more trouble than it was worth. I am currently running CyanogenMOD 10.2.1 and I finally decided it was time to remove the encryption.

Before I go any further, it is important to note that I don't know of any way of doing this that won't wipe your device and remove any customizations. Therefore I STRONGLY recommend that you backup anything important before proceeding.

So first off, if you boot into recovery by holding the up volume + home + power when you start the device, you will notice that if you select the option to format data and cache it will error out with the encryption. That is fine for now, because we need it to error out so we can find the mount point in the log.

Second, you are going to need to have adb installed. You can find out how to do that here for Windows, or if you are using Ubuntu like me just run the following to install it:
$ sudo add-apt-repository ppa:nilarimogard/webupd8
$ sudo apt-get update
$ sudo apt-get install android-tools-adb android-tools-fastboot
After that, do the following:
  • Boot into recovery
  • Select Wipe Data/Factory Reset
  • Let it error out, then select Advanced > Show Log
  • You should see something like failed to mount /dev/block/mmcblk0p12. Note: Your mount point may be different, use whatever the log says
  • Plug your phone into your computer with the USB data cable
  • From a terminal (or command prompt) run adb shell and you should get a prompt with a # symbol
  • Next run mke2fs -t ext4 /dev/block/mmcblk0p12. Note: Be sure to replace the path with the one you got from the log!
  • After that is complete you can now reboot your phone.
Encryption will now be gone, and your phone will be factory reset.
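Because mke2fs on the wrong path will happily destroy whatever partition you name, here is an added example of my own (not from the original post) that does the fiddly part of the procedure above with a safety net: it pulls the device path out of the "failed to mount" line you copy from the recovery log, refuses anything that is not under /dev/block/, checks that adb actually sees a device in recovery, and asks for confirmation before formatting. The log excerpt embedded in it is constructed in the style of the recovery log, not a real capture, and the partition it names is just the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post: pull the partition that failed to
# mount out of the recovery log, refuse anything that is not a block device,
# and only then format it over adb. Usage: script.sh --from-log < pasted_log.txt
set -u

# Print the first /dev/block/... path named in a "failed to mount" line.
failed_mount_device() {
    printf '%s\n' "$1" \
        | sed -n 's|.*failed to mount \(/dev/block/[A-Za-z0-9_/.-]*\).*|\1|p' \
        | head -n 1
}

# mke2fs on the wrong path destroys data; only accept recovery block devices.
is_block_path() {
    case $1 in
        /dev/block/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Format the encrypted userdata partition with ext4 through adb shell.
# Needs a phone in recovery with adb access; everything on /data is lost.
reformat_userdata() {
    dev=$1
    is_block_path "$dev" || { echo "refusing to format '$dev'" >&2; return 1; }
    adb devices | grep -q 'recovery$' \
        || { echo "no device in recovery mode visible to adb" >&2; return 1; }
    adb shell "mke2fs -t ext4 $dev"
}

# Constructed log excerpt in the style of the recovery log; not a real capture.
SAMPLE_LOG=$(printf 'Formatting /data...\nE:failed to mount /dev/block/mmcblk0p12 (Invalid argument)\nError formatting /data!\n')

if [ "${1:-}" = "--from-log" ]; then
    dev=$(failed_mount_device "$(cat)")
    [ -n "$dev" ] || { echo "no failed-to-mount line found on stdin" >&2; exit 1; }
    printf 'About to run mke2fs on %s, type yes to continue: ' "$dev"
    read -r answer < /dev/tty
    if [ "$answer" = yes ]; then
        reformat_userdata "$dev"
    else
        echo "aborted"
    fi
fi
```

Paste the log line from Advanced > Show Log into a file and feed it on stdin; the confirmation is read from the terminal so the pasted text cannot answer it for you.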

Do you know of a way to remove encryption without wiping your device? If so, let us know in the comments!


