Tag Archives: security

Automatically Renew SSL Cert with LetsEncrypt and getssl

Let's Encrypt Logo

With the recent federal government shutdown, it’s quite apparent their IT administrators still renew SSL certificates manually since many government websites went offline after the certs expired. Politics aside, since having secured connection and valid certificates are important these days, it should be a point for administrators to start automating the process. At the very least, have a project or plan in place to anticipate the shutdown and go through all of the important websites for possible cert renewals, 1-2 months in advance. As an Enterprise administrator, it’s also essential to have alerts or calendar reminders to renew an expiring cert. However, the best solution is to setup an automated job.

This is where tools out there like getssl and certbot can help. For this website, getssl is used to automate the SSL renewal process. The key processes are as follows:

Ensure Apache web server is setup. Since getssl relies on obtaining the proper “ACME” code from the target website to confirm the correct URL host, a regular port 80 HTTP connection must be made available first.

Per getssl documentation, run the inital setup to create the proper folders and files in $HOME/.getssl

getssl -c yourdomain.com

Edit the getssl.cfg in $HOME/.getssl/yourdomain.com folder with the correct directory for Apache web server’s doc-root and configuration files. Note, package installed Apache HTTPD uses /etc/apache2 as the default config directory.

When getssl is all setup, create a crontab to run getssl twice every month, for timely renewal (within 30 days). Be sure to restart Apache HTTPD to make sure the web server reloads the latest cert files.

0 9 1,15 * * $HOME/getssl/getssl -u -a > $HOME/getssl/getssl.out.txt 2>&1

Heartbleed: A Scrambled Egg with Lots of Ham

CVE-2014-0160The sensational headline news this week was “Heartbleed” security flaw, which was covered by most mainstream and tech sites.  It was an old bug that was accidentally introduced, and just discovered recently ((Introduced in 2011 and found out in February 2014)). The report got IT professionals scrambling to fix their systems.

At first glance, the bug is benign enough, with chances of hacking the passwords or SSL keys rather slim. However, like any other hacking issues, if someone is determined (and clever) enough to exploit this bug, they may just get a bunch of useful data. Whether or not they can use the hacked data to steal client information, or use it for a phishing site, it’s unclear. Just the thought of the potential leak scares the daylights out of everyone! It’s also proof that the marketing behind this bug was very effective.

Regardless, the actions need to be taken are as follows:

  1. Check with Qualys SSL Analyzer to determine if your site is vulnerable.
  2. If vulnerable, upgrade OpenSSL to version 1.0.1g, or alternatively recompile OpenSSL without the “heartbeat” option (-DOPENSSL_NO_HEARTBEATS).
  3. Recompile or restart the web server to reload the latest OpenSSL libraries.
  4. Test the site(s) with the Qualys SSL Analyzer again.  Also check if site is functional.
  5. With the new OpenSSL, generate a new SSL key, and re-key a new certificate.  Install the new key/certificate in the web server(s).
  6. Urge the users to change their passwords – which they occasionally have to do, anyway.  This step is tricky considering the PR scare that it’s going to generate when admitting the site is vulnerable.  However, the notification is the responsible thing to do.

When the dust settles, we can look back and use this as an important reminder how fragile the Internet is.  Customers are expected to be cautious of their data being transmitted over the Internet, no matter how secure a company claim they’re being kept.

BYOD: Why It Should Be The New Normal

Smartphone UseThere’s been a lot of talk lately about Bringing Your Own Device (BYOD) to work. It’s not a new concept. People love their smartphones, tablets, or laptops. They prefer using a particular brand for personal and work. They bring it to work because it’s convenient to carry just one device, and they can be productive with their own.

Traditionally, companies provide their own “certified” devices to retrieve secured Enterprise data. However, it’s difficult to stop employees from transmitting those data somewhere else, either via E-mail, USB drives, or Cloud Storage, potentially enabling others to see them. A strong privacy policy may be enough deterrent – at least in the beginning. As time goes by, employees will get complacent and too comfortable in taking their data everywhere, not realizing the confidential data may be leaked.

As an IT leader, one can imagine the complexity of supporting multiple devices and worries about zero control over securing protected data. Case in point, the biggest early adopter of BYOD was IBM. They learned valuable (and painful) lessons from it. Employees were not aware of insecure apps, not using secure channels to transmit data, and losing their unprotected/unencrypted devices. These security breaches could potentially cost them, or anyone else for that matter, millions of dollars to repair.

So, why is there growing trend to adopt BYOD? In this tough economic condition, company expenses have to be cut aggressively. The most obvious is to stop allocating budget for productivity machines. Having the cost shifted to the employees, it eliminates the need for company’s machines to be stocked, upgraded, and re-stocked.

Employees have also voiced their concern about the lack of productivity using company issued devices, such as a Blackberry, instead of their favorite iPhone or Android phones. It doesn’t make any sense to have a dedicated, company issued, device just to receive e-mails or phone calls for work, and another for personal use. It certainly becomes challenging to carry two devices, especially when an iPhone, for example, is more than enough to handle all of those tasks and be just as productive.

IT leaders are starting to embrace this BYOD trend because solutions are starting to appear, as the concept become widely accepted. Android and iPhone devices are now equipped with additional security to deter data theft or loss. Both Google and Apple are serious about Enterprise adoption and have updated their OS to be more secure. Now, it’s up to the IT leaders to trickle down the information to users on how to secure their devices, according to the companies’ need.  Instead of preventing employees to bring their own devices, educate them on how to secure the content of their own devices. As Ronald Reagan would say: “Trust, but verify.” There is a level of trust on both sides, but both must remain vigilant.

It is time to stop believing the myths of bringing-your-own-device to work. BYOD is happening, whether or not IT is ready. It is the “new normal”.