Nov 12, 2014

More FREE stickers when you ask for your FREE Ubuntu stickers!

As many of you all know I've been giving out FREE Powered By Ubuntu stickers for a few years now. A lot of that has to do with my love of that operating system and Linux in general. I receive requests from all over the world for them. It's nice to know I'm doing my part to spread Ubuntu!

Well, I want to add to that! Now when you get your Ubuntu Stickers you will also be getting both of these stickers as well!



These stickers are 4.25" x 1.38" so they are small enough to fit on the back of your smart phone if you wish. Or if you are like me and you like to put stickers on the back of your laptop, they are perfect for that as well!

Not only am I a big fan of Linux, I am a big fan of privacy and encryption. I'm hoping to spread that love along with my Ubuntu stickers.

What do you think? Let me know in the comments!

Nov 5, 2014

4 High-Tech Solutions to Keep Tabs on Your Kids

Back when you were a kid, all your parents had to worry about was you sneaking out or speeding when driving. With all of the advancements in technology have also come more worries like cyber-bullying and identity theft. Here are some apps that can act as mother's helpers to make sure the kids aren't getting into trouble.

MamaBear

The MamaBear app is an all-in-one monitoring app that monitors your child's location, social media accounts, check-ins and can even let you know if your kids are speeding when driving or riding. The options available with this app are robust and you can set various parameters and receive alerts when those parameters are broken (like when a curse word is posted on his Facebook page) or met (when your son arrives home from school). The app is free for iOS and Android users and there are paid levels of membership that offer more in-depth monitoring features (pricing ranges from $4-$5 per month). Setup is simple; you just install the MamaBear app on your phone, then install it on your child's phone and then customize the settings to create your monitoring parameters.

This app is ideal for younger kids who are getting their first taste of independence, rather than teens, since it requires the app to be on your child's phone and a rebellious teen could uninstall it to quickly disable monitoring. It's also designed for two-way communication as much as it is monitoring, allowing kids the option to "check in" with you using emoticons or emergency alerts, which is especially helpful for kids who are beginning to walk to or from school on their own.

Lifelock Junior

With clean credit scores and no credit history, children are ripe targets for identity thieves looking to score big. Your innocent child could be unknowingly sharing sensitive personal information online, making him a target for online predators. Instead of taking the alarmist approach and banning social media and Internet usage, get proactive and use an identity theft protection service. Identity theft protection giant Lifelock offers a service designed specifically for kids. Lifelock Junior monitors usage of your child's social security number, credit history and regularly searches file-sharing networks for leaks of sensitive personal information. You'll be alerted immediately if the system detects any issues. Lifelock Junior costs around $5 per month per child and is available as an add-on with their adult protection plans.

TeenSafe

If you're looking for a way to monitor your angsty teen in a way that's a bit more covert than a service like MamaBear, TeenSafe is for you. With TeenSafe you can read your teen's texts (even the deleted ones), view Internet browsing and search history, and monitor location, phone calls and contacts. Best of all, your child doesn't even have to know that you're monitoring his or her phone. TeenSafe uses your child's Apple ID to access all of the information on the phone, so without a visible app, they'll be none the wiser. You can view all activity from your computer by logging into the monitoring portal, which you can access from any computer at any time. This service is a bit more expensive than its competitors at $14.95 per month, but it's impossible to put a price tag on the peace of mind that comes with it.

iKeyMonitor

Want to know what your son's doing on his iPad? iKeyMonitor acts as your eyes and ears when your kids think you're not looking. This spy app enables invisible iPad monitoring to give you access to your kids' iMessages, WhatsApp messages, browser history and it even takes periodic screenshots to show you what they are doing. All of this information is sent to you regularly via email in the form of usage logs. Pricing starts as low as $8 per month when you purchase a 12-month license of the iKeyMonitor software.

Nov 4, 2014

I resurrected my Facebook page


After over a year of being without Facebook I've finally broken down and resurrected my personal Facebook account. I know I promised that I wouldn't do it way back in July last year, but things have changed.

Namely the fact that my wife of 14 years decided she didn't want to be married anymore right after we all moved to a small one-horse town in Cedaredge Colorado where there is NO CHANCE of meeting anyone my age.

I don't want this post to sound bitter, because I'm not really. I've had over ten months to come to terms with my situation. So the reason I reactivated my account comes down to two things really:
  • Nobody uses websites out here for their businesses, they all use Facebook
  • I thought it would be nice to connect with old friends again since I have very few in this small country town
Now, my initial concerns with privacy are still valid, so I've decided I'll go ahead and just change how I use Facebook. I won't post a minute-by-minute play-by-play of my life. I'll merely use it to keep in touch with people. I've also decided to lock it down a bit. Simple right?

Anyway, if you follow Bauer-Power and used to be friends with me on Facebook look me up and let's be friends again!

Nov 3, 2014

Protect your employees from POODLE with this simple Group Policy

By now you have probably heard about POODLE, which looks like it will kill SSL 3.0. If you haven't, here is a description from US-CERT:
The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.
Microsoft has announced that they will be making a hotfix available that disables SSL 3.0 for Internet Explorer in the registry. You can do that yourself though via Group Policy by making the following setting:
  • In Group Policy Manager create a new Group Policy Object called TLS Settings
  • Browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Explorer Control Panel > Advanced Page > Turn Off Encryption Support
  • In the Secure Protocols Combinations drop down box select: Use TLS 1.0, TLS 1.1 and TLS 1.2 and click Apply
After making that change, your clients will only be able to use TLS 1.0 and above and will be secured from any type of downgrade attacks that take advantage of protocols less than TLS 1.0.
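
One way to confirm the policy actually reached a client is to read back the SecureProtocols value that this setting writes. The following is an added example, not part of the original post: the registry path and bit values are Microsoft's documented ones rather than anything stated above, and the host names and `reg query` output are constructed.

```python
import re

# Bit flags of the Internet Explorer SecureProtocols DWORD.
FLAGS = {0x0008: "SSL 2.0", 0x0020: "SSL 3.0", 0x0080: "TLS 1.0",
         0x0200: "TLS 1.1", 0x0800: "TLS 1.2"}
LEGACY = {"SSL 2.0", "SSL 3.0"}

# Constructed `reg query` output from two hypothetical clients.
SAMPLE = {
    "PC-OLD": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    SecureProtocols    REG_DWORD    0xa0
""",
    "PC-GPO": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    SecureProtocols    REG_DWORD    0xa80
""",
}

def decode(value):
    """Return the protocol names enabled by a SecureProtocols bitmask."""
    return [name for bit, name in sorted(FLAGS.items()) if value & bit]

def audit(reg_output):
    """Parse `reg query` text; return (enabled protocols, legacy ones still on)."""
    m = re.search(r"SecureProtocols\s+REG_DWORD\s+(0x[0-9a-fA-F]+)", reg_output)
    if m is None:
        # No policy value present: the GPO has not applied to this machine.
        return None, None
    enabled = decode(int(m.group(1), 16))
    return enabled, [p for p in enabled if p in LEGACY]

if __name__ == "__main__":
    for host, text in SAMPLE.items():
        enabled, legacy = audit(text)
        if enabled is None:
            print(f"{host}: policy value missing")
        else:
            status = "SSL 3.0 downgrade still possible" if legacy else "ok"
            print(f"{host}: {', '.join(enabled)} -> {status}")
```

A value of 0xa80 (2688) corresponds to the "Use TLS 1.0, TLS 1.1 and TLS 1.2" choice in the drop-down.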

Oct 29, 2014

It's time to re-key your SSL certificates if they're signed with SHA-1

Google announced back in September that they will be the major catalyst for killing off SHA-1 around the world. In their blog post they talk about their plan to gradually "sunset" SHA-1 because of how weak it is.

From their blog:
The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper.

That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.
That's right, starting next month if your website is using an SSL certificate that was signed with SHA-1 and is good past January 2017, then users that browse to it with Google Chrome will start getting browser warnings! Thanks Google!

That means you need to have your certificates re-keyed through your SSL provider using a certificate signing request (CSR) with a SHA-256 signing hash if you don't want people to get browser warnings.

If you use IIS, even in Windows 2012 R2, it will still generate a CSR with SHA-1 only. So you need to use OpenSSL to generate your CSR. Linux has it built in, but if you are a Windows server user you can download a Windows version.

To generate your SHA-256 CSR run the following:

openssl req -nodes -sha256 -newkey rsa:4096 -keyout PrivateKey.key -out CertificateRequest.csr

You will be prompted for the usual information, and this will create your private key and your CSR to send to your SSL provider. Once your new cert is issued you should be good to go if you have an Apache server or Nginx.

If you are a Windows IIS user you may want to create a p12 file with your certificate and private key all in one file so you can easily import it with the Certificates MMC snap-in. To create the p12 file run the following command:

openssl pkcs12 -export -in SignedKeyFromCA.cer -inkey PrivateKey.key -out SignedKeyPair.p12

You will be asked for a password to protect your key and you'll have to remember that password when importing it into Windows.

That's it, once that is done and installed you can check to make sure you did everything properly with SSL Labs.
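
Because Chrome's rule quoted above applies to the whole certificate chain, a re-keyed SHA-256 leaf can still trigger the warning if an intermediate is SHA-1 signed. The following added example (not from the original post) applies the "SHA-1 and valid past 1 January 2017" test to each chain member; the certificate names and the `openssl x509 -noout -text` excerpts are constructed.

```python
import re
from datetime import datetime

CUTOFF = datetime(2017, 1, 1)  # Chrome's date quoted in the post

# Constructed excerpts of `openssl x509 -noout -text` output, one per chain member.
CHAIN = {
    "www.example.test (leaf)": """
    Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Nov  1 00:00:00 2014 GMT
            Not After : Nov  1 23:59:59 2017 GMT
""",
    "Example Test CA (intermediate)": """
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Feb  8 00:00:00 2010 GMT
            Not After : Feb  7 23:59:59 2020 GMT
""",
}

def inspect(text):
    """Return (signature algorithm, notAfter) from x509 text output."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    raw = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text).group(1)
    # openssl pads single-digit days with an extra space; collapse it.
    not_after = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y")
    return alg, not_after

def flagged(text):
    """True if the certificate is SHA-1 signed and valid past the cutoff."""
    alg, not_after = inspect(text)
    return "sha1" in alg.lower() and not_after > CUTOFF

def audit_chain(chain):
    """Names of chain members that meet the quoted Chrome criteria."""
    return [name for name, text in chain.items() if flagged(text)]

if __name__ == "__main__":
    for name in audit_chain(CHAIN):
        print("SHA-1 and valid past 1 Jan 2017:", name)
```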

Oct 22, 2014

I'm switching back to OpenSSL on my Ubuntu Apache Servers

Many moons ago I posted about how I switched from OpenSSL to GnuTLS. That was because I wanted to mitigate against The BEAST attack, and at that time the version of OpenSSL that came with Ubuntu didn't support TLS 1.1 or TLS 1.2.

Well, in the latest Ubuntu releases OpenSSL does support it, but the funny thing is that something is wrong with GnuTLSPriorities in Ubuntu 14.04. For some reason, the string doesn't work anymore and I can't do simple things like disable SSL 3.0, which you need to do to mitigate against the new POODLE vulnerability.

I decided to switch back to OpenSSL, and in order to be PCI compliant and get an A+ rating on SSLLabs.com I also added the following to my /etc/apache2/sites-enabled/default-ssl.conf file:
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Content-Type-Options nosniff
You need to be sure that you have the Apache headers module (mod_headers) enabled for the Header lines above to work.

Once all of that is done you should be good to go!
[Code via Cipherli.st]
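
The SSLProtocol line above is evaluated token by token, so a single missing "-SSLv3" leaves the server exposed to POODLE. The following added example (not from the original post or from Cipherli.st) works out the effective protocol set and checks the other hardening lines; it assumes "All" means SSLv3 through TLSv1.2, as on an OpenSSL 1.0.1-era Apache 2.4, and the WEAK fragment is constructed.

```python
import re

# Protocols covered by "all" on an OpenSSL 1.0.1-era Apache 2.4 (assumption).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed vhost fragments: the post's settings and a weaker variant.
HARDENED = """
SSLCipherSuite AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
"""
WEAK = """
SSLProtocol All -SSLv2
SSLHonorCipherOrder Off
"""

def effective_protocols(conf):
    """Apply the last SSLProtocol line's +/- tokens left to right."""
    lines = re.findall(r"^\s*SSLProtocol\s+(.+)$", conf, re.M | re.I)
    enabled = set(ALL)  # assumed default when no directive is present
    for token in (lines[-1].split() if lines else []):
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = ALL if name.lower() == "all" else {p for p in ALL if p.lower() == name.lower()}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)  # a bare name replaces the whole set
    return enabled

def audit(conf):
    """Return a list of findings for one configuration fragment."""
    findings = []
    if "SSLv3" in effective_protocols(conf):
        findings.append("SSLv3 enabled (POODLE)")
    if not re.search(r"^\s*SSLHonorCipherOrder\s+On\b", conf, re.M | re.I):
        findings.append("server cipher order not enforced")
    hsts = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', conf)
    if not hsts or int(hsts.group(1)) == 0:
        findings.append("no HSTS header")
    return findings

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, sorted(effective_protocols(conf)), audit(conf))
```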

Oct 1, 2014

Alternative To Truecrypt and Bitlocker For Full Disk Encryption

We all know that the original creators of Truecrypt jumped ship and, instead of passing on the source code, decided to release a final version that will only decrypt, but not create new encrypted volumes. They also spouted some nonsense about how it is no longer safe.

Well, a new group has taken over the project but we don't know when they will have a new release out. Because of that some people don't want to use Truecrypt anymore and are looking for alternatives.

One I'm trying out now looks promising. It is called DiskCryptor. Here are the features from their page:


  • Support for encryption algorithm AES, Twofish, Serpent, including their combinations.
      ◦ Transparent encryption of disk partitions.
      ◦ Full support for dynamic disks.
      ◦ Support for disk devices with large sector size (important for hardware RAID operation).
  • High performance, comparable to efficiency of a non-encrypted systems.
      ◦ Support for hardware AES acceleration:
      ◦ AES-NI instruction set on new Intel CPU;
      ◦ PadLock extensions on VIA processors.
  • Broad choice in configuration of booting an encrypted OS. Support for various multi-boot options.
      ◦ Full compatibility with third party boot loaders (LILO, GRUB, etc.).
      ◦ Encryption of system and bootable partitions with pre-boot authentication.
      ◦ Option to place boot loader on external media and to authenticate using the key media.
      ◦ Support for key files.
  • Full support for external storage devices.
      ◦ Option to create encrypted CD and DVD disks.
      ◦ Full support for encryption of external USB storage devices.
      ◦ Automatic mounting of disk partitions and external storage devices.
  • Support for hotkeys and optional command-line interface (CLI).
  • Open license GNU GPLv3.

The one thing it is missing that I used a lot with Truecrypt is the ability to make encrypted file containers which are great for keeping files encrypted over shared file storage like Google Drive. For full disk encryption though it works like a charm.

A thing that I liked about Truecrypt was you could easily install it on a Linux Live CD so you could perform offline maintenance if you needed to with an encrypted volume. Well you can't create a Linux Live CD for DiskCryptor, but you can create a WinPE live disk with it!

So far it looks good, and boot up time doesn't appear any more impacted than it did with Truecrypt. For now, I think this one might be my choice for the best alternative.

What are you using for full disk encryption since Truecrypt went belly up for the time being? Let us know in the comments.


