Interesting Stuff Security Sys Admin Web Apps

Chrome 70 vs Symantec Certificates

Chrome 70 is about to dis-trust a whole lot of certificates

So you paid lots of money for a “proper” certificate for your HTTPS website after Google gave non-HTTPS sites a hard time? Well, hopefully you aren’t still using an older Symantec issued certificate as Google (and others) is about to stop trusting those certificates.

Chrome version 70 is due for release in September for beta users and will NOT trust certificates issued before December 1 2017 from Symantec, Thawte, GeoTrust and RapidSSL.

This is obviously a big deal and as the Chrome browser release happens before your 12 month (or longer) cert will expire, means there’s work to do. While you’re revisiting the process of procuring another certificate, perhaps also have a think about why you might not be using the free service from Let’s Encrypt. That’s good enough for most websites unless you’re after one of the more fancy looking icons to show up in the browser for things like shopping carts.

Why is this happening?

The Certificate Authorities (aka CAs like Symantec) that are used to issue certificates that secure our web browser traffic MUST be absolutely trusted. Without that trust, the process fails and we might as well just create our own certificates. The reason why we don’t do that is that the browser vendors effectively have a list of those highly trusted CAs and each site’s cert must have a mathematical relationship to one of those.

In 2017 a number of issues were raised about how Symantec had been running one of their CAs (they have a few). Inconsistencies and bad-practice were highlighted such that both Mozilla (who have a list of the issues) and Google decided to implement a change in trust of certs issued by that CA.

Code Security Sys Admin

Permissions Problems with git pull

I’ve started working on Doc5 from a laptop in the last few months and have begun the pull/push process to get my Bitbucket repo and desktop machine all in sync. But when trying to get these sorted I found permissions problems on one of the local repos. When I tried to do a pull I had about eight files that either couldn’t be unlinked or couldn’t be created.

If I looked at the permissions on the files I was the owner, www-data (Apache in Ubuntu) was the group and the permissions where 644 on the files and 755 on the directories in my project folder. So that all seemed fine.

But what you need to watch for is the extra permissions that a process needs in order to unlink. What git is doing is taking these files away and then replacing them in the folder. i.e. it’s not just a modification through a write action to the file.

Interesting Stuff Security

Personal Data at Work

Computer SecurityThere’s plenty of information and talk around about the issues of allowing company data onto a personal device, but what about personal data on a work device? More and more of our personal data is stored in “cloud” services like Gmail and Evernote that we access from work computers and company controlled accounts.

In the time of buzzwords like “BYOD” business is rightly concerned about their data being on that tablet of yours that you managed to connect to the company wireless. They want to make sure that the correct level of security protects their data – especially things like email that almost everyone accesses from their smart phone, tablet or even web kiosk. Personal devices have proliferated the work place since they became cheaper, smarter and cooler to have than the company provided devices. Right now business is just starting to catch on and recognise that things are changing and that not everything can be restricted or dictated like they used to be.

But for much longer than the iPad has been around, we’ve all been accessing web sites and apps at work with personal login information. Some of the time we also click the “Remember Me” option when logging in without a second thought. All this information about our own email, blogs, password managers, Amazon account and other browsing habits are all sitting on that company device, protected by that one password for your company login.

So think about all the people in your company who have the ability to reset your work account’s password. In an enterprise environment that might be fifty or more people. In an environment that’s been poorly managed that might be in the hundreds. So all any of them has to do is reset your password and login to your machine and start up a browser. Whatever sites you jump onto on a Monday morning without logging into, are theirs for the viewing. You may not even know after a long holiday – “Woops, I must have forgotten my password”. None of your personal sites are being “hacked” or even having their passwords changed, you’re already logged into them on your work PC.

What can you do about this? Don’t save your passwords at work and don’t stay logged in to any service you value. If you’re thinking that you don’t care about access to your email, just think what information is in there – personally identifiable information, and it probably receives password resets for most other sites you’ve signed up to. What about bank account info, insurance updates?

Just to take this one step further combine the person with access to reset your password at work with the person who manages your work cell phones, and the fact your bank uses SMS as a two-factor authentication option. They’re a password reset and SIM transfer away from your bank account.