Archive

Articles tagged ‘Windows’

How to Protect Yourself from NSA Attacks on 1024-bit DH

27/08/2023

When NSA gets you worrying

In a post on Wednesday, researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange algorithm with 1024-bit primes. Earlier in the year, they were part of a research group that published a study of the Logjam attack, which leveraged overlooked and outdated code to enforce “export-grade” (downgraded, 512-bit) parameters for Diffie-Hellman. By performing a cost analysis of the algorithm with stronger 1024-bit parameters and comparing that with what we know of the NSA “black budget” (and reading between the lines of several leaked documents about NSA interception capabilities) they concluded that it’s likely NSA has been breaking 1024-bit Diffie-Hellman for some time now.

The good news is, in the time since this research was originally published, the major browser vendors (IE, Chrome, and Firefox) have removed support for 512-bit Diffie-Hellman, addressing the biggest vulnerability. However, 1024-bit Diffie-Hellman remains supported for the foreseeable future despite its vulnerability to NSA surveillance. In this post, we present some practical tips to protect yourself from the surveillance machine, whether you’re using a web browser, an SSH client, or VPN software.

Disclaimer: This is not a complete guide, and not all software is covered.

Web Browser

To make sure you’re using the strongest crypto, you have to look at the encryption algorithms (or cipher suites) that your browser supports. There’s an excellent tool, How’s My SSL?, that will test your browser’s cipher suite support. The relevant area of the page is the bottom, Given Cipher Suites. You want to make sure that you don’t see the text “_DHE_” in the list of cipher suites – although the Elliptic Curve variant of Diffie-Hellman, represented by suites with “_ECDHE_”, is okay. It is important to note that there is a trade-off here: removing your client’s support for “_DHE_” ciphers will eliminate the risk of this attack, but it may also remove Forward Secrecy support altogether for some sites. Here’s how to remove those “_DHE_” cipher suites if you still have them:

Firefox

(tested with 40.0.3)

Open a new tab, enter “about:config” into the location bar and hit the “Enter” key. If you get a warning page, click “I’ll be careful, I promise!” This will bring you to the Firefox configuration settings. In the search bar up top, type “.dhe_” and hit the “Enter” key. This should result in two settings being displayed: “security.ssl3.dhe_rsa_aes_128_sha” and “security.ssl3.dhe_rsa_aes_256_sha”. Double-click both of them to change the value from “true” to “false”.


Now, if you refresh the How’s My SSL page, the “_DHE_” ciphersuites should be gone!
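The “_DHE_” versus “_ECDHE_” check described above can be scripted against a cipher-suite list pasted from the test page. This is an added example, not code from the original post; the function names and the sample list are constructed for illustration, and it goes slightly beyond the text by also accepting OpenSSL-style names and TLS 1.3 suite names.

```python
# Added example: sort a pasted "Given Cipher Suites" list by key exchange.

def classify(suite):
    """Return 'dhe', 'ecdhe', 'tls13', 'signal' or 'other' for one suite name."""
    name = suite.strip().upper().replace("-", "_")   # accept OpenSSL spelling too
    if name.endswith("_SCSV"):
        return "signal"        # renegotiation/fallback markers, not real ciphers
    kx = name.split("_WITH_")[0].split("_")          # key-exchange part of the name
    if "ECDHE" in kx:
        return "ecdhe"         # elliptic-curve variant: fine per the article
    if "DHE" in kx or "EDH" in kx:                   # EDH: older OpenSSL name for DHE
        return "dhe"           # finite-field DHE: the suites to switch off
    if name.startswith("TLS_") and "_WITH_" not in name:
        return "tls13"         # TLS 1.3 names do not encode the key exchange
    return "other"             # static RSA/DH/ECDH or anonymous suites

def audit(suites):
    """Group suites into what to disable and what forward secrecy remains."""
    groups = {"dhe": [], "ecdhe": [], "tls13": [], "signal": [], "other": []}
    for s in suites:
        if s.strip():
            groups[classify(s)].append(s.strip())
    return {
        "disable": groups["dhe"],
        "forward_secret_after": groups["ecdhe"] + groups["tls13"],
        "other": groups["other"],
    }

# Constructed sample list, in the style the test page reports.
SAMPLE = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    for key, names in audit(SAMPLE).items():
        print(key, names)
```

An empty "forward_secret_after" list means that switching off the DHE suites would leave the client with no forward-secret suites at all, which is the trade-off noted earlier.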


Set a Custom New Tab Page in Firefox

21/07/2023

Source: lifehacker.com


Firefox: If you’re not a big fan of the new speed dial tab in the newest version of Firefox, Mozilla blog Mozilla Links shows how you can customize the page to load any site of your choosing with a simple edit to the about:config file.

Aria2 – The ultra-fast download tool

14/05/2023

Source: korben.info

Linux greybeards have known it for a long time, but for everyone else, here is a quick explanation. First of all, Aria2 is released under the GPL and runs without any trouble on Mac, Linux, Windows and even Android. The tool is lightweight (it uses little CPU and memory), but above all very powerful, since in addition to ordinary links it handles Metalinks, which lets it download files over several simultaneous connections using several different sources and/or protocols.

Yes, it’s crazy! This lets you make full use of the bandwidth you have available.

Aria2 therefore supports HTTP and FTP, but also BitTorrent with all its features (DHT, encryption, PEX, magnet URI, Web-Seeding, selective download, UDP tracker and the Local Peer Discovery protocol). Aria2 can also be controlled remotely (RPC support) and handles access rights, cookies, proxies, etc. without any trouble.

Don’t think that Aria2 is a complicated tool to get started with. On the contrary, it is very easy to grasp, as you will see in the examples below:

To simply download a file:

aria2c http://example.org/mylinux.iso

To download a file from 2 different sources (HTTP, FTP):

aria2c http://a/f.iso ftp://b/f.iso

To download a file over 3 connections from different sources (Torrent, FTP, HTTP):

aria2c -Ttest.torrent "http://host1/file" "ftp://host2/file"

If you feel like exploring its possibilities a little further, the documentation is here. Otherwise, note that graphical interfaces for Aria2 also exist, such as:

  • webui-aria2: browser interface
  • uGet: Linux download manager

Aria2 can be downloaded here.

Categories: Network, System

Five reliable Windows Server backup solutions

03/04/2023

When disaster strikes (and it will), you can put the pieces back together if you’ve got a solid backup solution in place.

If you have a Windows server and you’re not backing it up, you are tempting fate. It’s only a matter of time before something tragic will happen: a hardware failure, a hacker, or a corrupted Windows update. Something will bring that server down and do everything it can to take your data with it.

Luckily, several reliable backup solutions are available for the Windows Server environment. They aren’t perfect. But the five solutions discussed here have their strengths and can be depended upon to keep your data safe. Now, before I reveal the big five, I want to make sure you understand how critical it is to be backing up that data to an external drive and to rotate that drive offsite. If you’re backing up drives and leaving everything onsite, should a fire (or some other catastrophe) occur, that data will be lost.

Note: This list is also available as a photo gallery.

1: Acronis Backup and Restore (with Universal Restore)

Acronis Backup and Restore (Figure A) is the backup tool I use the most. It’s costly but well worth it. The newer version of Acronis does a great job of ensuring that there is room on your external drive for your latest backup. You can overwrite the old backup or go by the traditional cleanup rules established in Acronis Echo. But if you go the Acronis route, you should also purchase the Universal Restore feature. With this tool, you can take a full image of a backup and restore it to any hardware — so long as it meets the requirements of your platform. That way, you don’t need an exact duplicate of your server hardware sitting around waiting to have an image restored onto it. Acronis also has add-ons for Exchange and SQL Servers.

Figure A: Acronis Backup and Restore

2: Symantec Backup Exec

Symantec Backup Exec (Figure B) is a powerful backup solution that does a great job of “just working.” And with its at-a-glance calendar, it’s easy to know when your backup has succeeded and when it has worked. If you’re using Symantec Backup Exec across a network (to back up clients/hosts), you can feel safe because it uses SSL for all network backup connections. Like Acronis, Symantec offers solutions for Exchange and SQL. Also, the ability to manage Vaults (backup destinations) is superb with Symantec. Just make sure that if a Vault is physically (and permanently) removed, you remove it from within the backup software. Otherwise, it will cause problems.

Figure B: Symantec Backup Exec

3: Carbonite

Carbonite (Figure C) is primarily an online backup (although the Business and BusinessPremier plans allow you to back up to an external drive). It’s meant to back up data only. Carbonite is probably one of the most reliable online backup tools and can back up email, documents, POS files, financial data, pictures and other multimedia, and more. But to use Carbonite for Windows Server, you must use the BusinessPremier Plan ($229.00 per year), which will allow you to include as many servers running Windows Server 2003/2008/2011 as you like. Unlike Acronis, you won’t be backing up an image of your server with Carbonite — it’s a data-only backup tool. But it’s an excellent addition to any onsite backup solution.

Figure C: Carbonite

4: Windows NT Backup

Windows NT Backup (Figure D) is the free backup solution that comes with any Windows Server. Why do I include it here? Although it just does data backup and doesn’t offer many of the bells and whistles of the other tools, it is one of the only truly reliable backup solutions that will clear the Exchange logs for you. I always set up an NT Backup to run once a week (or month, depending upon the needs), just to have it clear the Exchange logs. Otherwise, you’ll be including a lot of unnecessary data in your backups, causing their size to get out of hand.

Figure D: Windows NT Backup

5: ShadowProtect 4 (Server)

ShadowProtect 4 (Figure E) is probably the least-known product in this list. But it falls into place next to Acronis as a feature-rich tool that can do everything — including recover to dissimilar hardware. ShadowProtect 4 also includes an easy-to-use tool that allows you to consolidate backup image files and convert the backups to either .VHD or .VMDK virtual machines. Another outstanding feature is its granular recovery, which allows for the quick recovery of individual files from within a backup. Unique to ShadowProtect is the Virtual Boot technology, which provides for automatic failover to a virtual server.

Figure E: ShadowProtect 4

Which backup?

Every company needs a backup plan. How far you go with your backup depends upon the size of the company, your needs, and your budget. But any of the above solutions will serve as a great place to start — or stop — for your Windows Server backup needs. Do you have a different backup solution to add to the list? Share your recommendations with fellow TechRepublic members.

 
Source: Jack Wallen – TechRepublic
Categories: Software

Disable NetBIOS and SMB to protect public Web servers

01/04/2023

As the connection between your internal network and the rest of the world, public Web servers always deserve an extra measure of protection. Find out one way to lock down these servers.

Serving data to users outside of an internal network, public Web servers are typically the first point of contact for an external attack. In addition, internal networking ports are the most revealing and most often attacked ports on a server. That’s why you need to make sure you’ve disabled the services that are specifically for intranets.

The two biggest culprits that you need to worry about are the Server Message Block (SMB) protocol and NetBIOS over TCP/IP. Both services can reveal a wealth of security information and are recurring vectors for hacks and attacks. They’re unnecessary for the operation of a public Web server, and you should take steps to shut down both services on these servers.

Disable NetBIOS

NetBIOS was once a useful protocol developed for nonroutable LANs. In this case, it acts as a session-layer protocol transported over TCP/IP to provide name resolution to a computer and shared folders. NetBIOS uses these ports:

  • UDP 137: NetBIOS name service
  • UDP 138: NetBIOS datagram service
  • TCP 139: NetBIOS session service

Since external users — or hackers — don’t need access to shared internal folders, you should turn off this protocol. To disable NetBIOS over TCP/IP, follow these steps:

  1. Go to Start | Control Panel, and double-click the System applet.
  2. On the Hardware tab, click the Device Manager button.
  3. Select Show Hidden Devices from the View menu.
  4. Expand Non-Plug And Play Drivers.
  5. Right-click NetBios Over Tcpip, and select Disable.
  6. Close all dialog boxes and applets.

This disables the Nbt.sys driver, which stops NetBIOS from listening to or initiating sessions over TCP 139. While SMB normally uses this port for communication, it will now switch to TCP 445 — also known as the Common Internet File System (CIFS) port. That’s why you need to disable SMB next.

Uninstall SMB

SMB uses TCP 139 or TCP 445 — depending on which port is available. There’s one way to disable SMB on a non-domain controller. However, I recommend completely uninstalling this service to prevent some well-meaning individual (or program) from re-enabling the service.

To uninstall SMB, follow these steps:

  1. Go to Start | Control Panel, and double-click the Network Connections applet.
  2. Right-click Local Area Connection (i.e., the Internet-facing connection), and select Properties.
  3. Select Client For Microsoft Networks, and click the Uninstall button.
  4. After the uninstall finishes, select File And Printer Sharing For Microsoft Networks, and click the Uninstall button.
  5. Close all dialog boxes and applets. 
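To confirm that both procedures took effect, the server’s listening sockets can be checked for the four ports named above (UDP 137, UDP 138, TCP 139, TCP 445). This is an added example, not part of the original article: it parses the text output of `netstat -ano`, assumes English-language output, and the function name and both sample captures are constructed.

```python
# Added example: flag NetBIOS/SMB listeners in `netstat -ano` output.
INTRANET_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}

def exposed_listeners(netstat_output):
    """Return sorted (proto, port, local_address) tuples still listening."""
    findings = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                        # header or blank line
        proto, local = parts[0], parts[1]
        # TCP rows carry a state column; only LISTENING sockets count.
        # UDP rows have no state, so every bound UDP socket is a listener.
        if proto == "TCP" and parts[3] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")   # rpartition copes with [::]:445
        if port.isdigit() and (proto, int(port)) in INTRANET_PORTS:
            findings.add((proto, int(port), addr))
    return sorted(findings)

# Constructed capture from a server before the steps above were applied.
BEFORE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:49712       198.51.100.7:445       ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    192.0.2.10:137         *:*                                    4
  UDP    192.0.2.10:138         *:*                                    4
"""

# Constructed capture after NetBIOS was disabled and SMB uninstalled.
AFTER = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
"""

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, exposed_listeners(capture))
```

Only the local address column is examined, so an outbound connection to a remote port 445 is not reported as a listener.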

Understand the ramifications

You’ve now disabled both SMB and NetBIOS. If an attacker manages to compromise your Web server, he or she won’t be able to use NetBIOS or SMB to further explore and exploit your network.

Of course, security measures are often a balancing act of functionality and security. In this case, disabling these services takes away your ability to remotely manage Web servers through Active Directory’s Computer Management console. However, you can still connect to and manage these servers through the Remote Desktop Client.

Final thoughts

While it’s a common practice to block these ports at security boundaries, nothing beats disabling them on the machines themselves. Remember, as the connection between your internal network and the rest of the world, Web servers always deserve an extra measure of protection.

Categories: Network