197 Lotus blogs updated hourly. Who will post next? Home | Blogs | Search | About 
 
Latest 7 Posts
IBM Domino and Docker Support Announced
Wed, Aug 16th 2017 10
Attention IBM Customers and BPs, Be Heard! New IBM Notes/Domino Application Survey
Tue, Aug 15th 2017 8
IBM Think 2018 Session Abstract Submission Date Announced
Mon, Aug 14th 2017 11
MWLUG - Linuxfest DC Guest Speaker Announced
Wed, Aug 2nd 2017 4
"As We Age, Don’t Give Up. Keep Doing." And More Wisdom from George Jedenoff’s "The Powder Philosophy"
Sat, Jul 1st 2017 7
Do You Have An Opinion on the Domino Application Platform Direction? Read This.
Thu, May 18th 2017 5
The ICS on Linux Round Table Session Notes
Mon, May 15th 2017 2
Top 10
New SSL3 Exploit: The POODLE Is Here and Lifting Its Leg
Wed, Oct 15th 2014 12
IBM Think 2018 Session Abstract Submission Date Announced
Mon, Aug 14th 2017 11
IBM Verse On-premises Architecture and Insight
Wed, Aug 3rd 2016 10
IBM Verse On-premises Third Post: Updated Schema, New Features
Thu, Sep 22nd 2016 10
IBM Domino and Docker Support Announced
Wed, Aug 16th 2017 10
Some "Great Train Rides" of the World
Sun, Aug 10th 2014 9
IBM’s Lost Art of Installation is Costing Them Revenue
Mon, Aug 25th 2014 9
Linux Bash Bug - Shellshock - is Real: Get Patched (Mac Too)
Thu, Sep 25th 2014 9
A Conversation with Barry Rosen, at IBM: Part I
Tue, Sep 20th 2016 9
How To Receive Ubuntu 12.04 Kernel Updates After 7 August 2014
Wed, Jul 16th 2014 8


"Let’s Get Ready to Logjam!" -- The Need to Know About This New Exploit
Twitter Google+ Facebook LinkedIn Addthis Email Gmail Flipboard Reddit Tumblr WhatsApp StumbleUpon Yammer Evernote Delicious
Bill Malchisky    

Logjam (CVE-2015-4000) is the latest server exploit hitting the nation (world). In scope are 8.4x10**3 of the top 1x10**6 websites and 14.8% of mail servers in the IPv4 address space as per weakdh.org. The cause is a weakness identified in the Diffie-Hellman key exchange (explained here and here), with the exploit reported early by Ars Technica.

The root cause goes back to the 1990's. Recall when products like Lotus Notes had a North American encryption flavor and an International encryption flavor? That ended when encryption standards were lowered and the two offerings merged, for example. It helped the Feds crack encryption overseas, but now average users have incredible computing power available to them cheaply. Thus, algorithms can be broken with significant ease today, that were nearly impossible to do so 20 years ago. I expect more exploits of this nature in the months ahead.

"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography" -- J. Alex Halderman, a key scientist behind the exploit's research, posted at https://weakdh.org



Work-around and a Solution

Initially, server administrators should disable support for DHE_EXPORT ciphersuites, as they downgrade connections of the Diffie-Hellman variety.

The solution for Logjam is akin to POODLE in that TLS is the way to go. Companies like Red Hat and IBM offered TLS solutions for POODLE and the Logjam research team provided a document on how to deploy correctly Diffie-Hellman for TLS.

For your browsers, jscher2000 in Silicon Valley, CA, via a mozillaZine Logjam post offers a four step process to Disable insecure ciphers.
"(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)"
Then, test the success with the Qualys SSL Labs test in the next section.

Paul Farris, earlier this week, wrote a blog post on Domino SSL Ciphers, which is located here.


Establishing your Risk

Clients

Web browsers should be updated shortly (as of this writing). Internet Explorer on Windows 10 was the first to have a patch. Firefox and Chrome are in the works. Check here for clarity. As of this morning (21 May 2015), my browsers were still at risk.

Image:"Let’s Get Ready to Logjam!" -- The Need to Know About This New Exploit
For checking browsers beyond Logjam, Qualys SSL Labs has a browser check here which checks three key vulnerabilities, the protocol support and features plus cipher suites utilized

Servers

The TLS deployment document has a Server Test, which is easy and free to use. Here is the link. Just scroll down to the Server Test section. I tested many known sites and found that many were safe from Logjam style attacks, (which is on-par with the sub-ten percent of sites in scope), they could be further secured with Elliptic-Curve Diffie-Hellman (ECDHE).

Image:"Let’s Get Ready to Logjam!" -- The Need to Know About This New Exploit

They also offer two suggestions for many common application server programs (e.g. Apache, OpenSSH). The researchers also suggest that all your TLS libraries are patched and set to reject D-H Groups < 1024-bit in size.

Checking Servers

More detailed results are available from these two free resources
1. An open source site entitled SSL Decoder is available to decode well as you surmised a site's SSL connection. The output is robust and the licensing allows for use internally, so start testing;
2. Qualys SSL Labs' SSL Server Test - which provides links to additional information on each exploit tested, with several linked resources on each information page.

A side point to know is that DSA-1024 bit signing keys are quite insecure and should be at 2048 or higher, with 4096 recommended where possible. If your keyrings are light on the encryption bits, make a plan to get them upgraded this year.

Notation: Know that the client fix may block some websites lacking current updates. Thus, it is a good idea to ensure that your company site is current on web security patches.



Red Hat to the Rescue

Upon learning of the threat, Red Hat did their own research with threat assessment and published their security bulletin on this exploit. The good news is that RHEL 6.6+ and 7 are NOT vulnerable to Logjam, but if you are running early RHEL6 versions (get them patched -- see advisory RHBA-2014:1525) or RHEL 5, then you are vulnerable. Specifically, RHEL 7 omitted by design export-grade cipher suites in their initial release--offering piece of mind to those that upgraded early.

To their credit, Red Hat made it clear early that they will not update the default cipher list in RHEL 5, so you need to upgrade to at least RHEL 6.6 to be safe. I do like a vendor that gets to the point quickly in an unambiguous manner. Everybody wins with this type of communication, from my perspective.

SUSE has a security bulletin with some information on resolutions, located here.


Additional Reading

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice -- outlining specific attacks and how the researchers broke the 512-bit DH group
Logjam Attack Proof of Concept Demonstrations -- which lists the susceptibility to each of the three attack styles
Guide to Deploying Diffie-Hellman for TLS
Logjam: TLS vulnerabilities (CVE-2015-4000) by Red Hat
MITRE CVE's Logjam dictionary definition
NIST NVD's entry (National Vulnerability Database)
"Logjam TLS Attack (Weak Diffie-Hellman) and Novell Products"

---------------------
http://www.BillMal.com/billmal/billmal.nsf/dx/logjam.htm
May 22, 2015
7 hits



Recent Blog Posts
10
IBM Domino and Docker Support Announced
Wed, Aug 16th 2017 2:00a   Bill Malchisky Jr.
During Barry Rosen's Future directions on Notes/Domino session and again during our Linuxfest DC session last week at MWLUG, IBM announced that they will support Domino on Docker with Domino 9.0.1 FP10. Originally, this support would be announced in 2018, but due to the success of the IBM Application Insights Survey announced at Engage, IBM changed their task priorities and accelerated Docker support based upon your input. FP10 is scheduled to be released by EOY 2017. The next question is,
8
Attention IBM Customers and BPs, Be Heard! New IBM Notes/Domino Application Survey
Tue, Aug 15th 2017 2:00a   Bill Malchisky Jr.
After the success of the first IBM survey announced at our IBM Engage session in May (see link to post)---which helped to re-prioritize new capabilities like Docker---Barry Rosen announced a new survey at MWLUG. I completed it and am pleased with this survey's focus on APIs, app modernization, along with creating a new feeling that IBM is serious about Domino as an application development platform. The first survey results really had an impact and moved up significantly Docker support (more
11
IBM Think 2018 Session Abstract Submission Date Announced
Mon, Aug 14th 2017 2:00a   Bill Malchisky Jr.
IBM announced that commencing on 21 Aug 2017, you can submit abstracts for IBM Think 2018. As of this writing, there does not appear to be information on session tracks, other than a pop-up informing prospective presenters to be creative. As I've watched the conference site frequently over the past few weeks, no additional information being available on tracks, implies to me we will learn this on Monday, 21 Aug. Thus, if you are considering submitting a session, you can start thinking about wha
4
MWLUG - Linuxfest DC Guest Speaker Announced
Wed, Aug 2nd 2017 9:31a   Bill Malchisky Jr.
On Thursday, 10 Aug 2017, I will be presenting Linuxfest DC at this year's MWLUG located in DC. In order to provide an informative experience for attendees, I sought a special guest speaker to join me. Today, I am pleased to announce Barry Rosen will be co-presenting with me for an extended special breakfast session. We will be covering IBM's current Linux strategy, plus provide technical information to ensure that all session attendees gain knowledge they can use immediately upon returning fr
7
"As We Age, Don’t Give Up. Keep Doing." And More Wisdom from George Jedenoff’s "The Powder Philosophy"
Sat, Jul 1st 2017 3:40a   Bill Malchisky Jr.
Well, I inadvertently held this post, so let's publish it now. In early 2016---in his then 56th consecutive year of skiing at Alta and Snowbird in Utah---Mr. George Jedenoff at the age of 98 took a few minutes to discuss his Powder Philosophy. A positive uplifting message that will leave you with a smile. Worth a few minutes to view and learn a bit from his years of wisdom. He still rips groomers and fresh powder, while also enjoying tree skiing--again at 98 years old. Stay healthy, believe
5
Do You Have An Opinion on the Domino Application Platform Direction? Read This.
Thu, May 18th 2017 6:15a   Bill Malchisky Jr.
As Barry Rosen mentioned during our Engage session last week, ICS Offering Management is seeking feedback around the Domino application platform. This opportunity is significant enough that I felt it appropriate to author a separate post. Currently, IBM is looking for feedback in the areas of APIs, XPages, Domino on Bluemix, Docker, and well, anything else you want to add in the development space. I took the survey and found it to be straight forward with plenty of opportunity to provide you
2
The ICS on Linux Round Table Session Notes
Mon, May 15th 2017 6:00a   Bill Malchisky Jr.
Great session last Monday. We filled the table with overflow and discussed many good topics raised by the attendees. Below are the notes and some of the URLs cited during the event. Please feel free to comment and keep the discussion going. IBM Notes FP7 is the last update for the Linux client;, no further feature packs will be offered for the Linux client Support will be best effort from here and will continued to be support up to 9.0.1 FP7 on thee then current set of operating systems.
1
"Why the Largest Companies in the World Count on Linux Servers"
Tue, May 9th 2017 3:00a   Bill Malchisky Jr.
I read this morning a great piece in Linux Journal by Petros Koutoupis. The author's name being new to me, I read the article with an open mind. What I found is this introductory level article offered a decent dissection of this important topic. As I've covered over the years in my Lotus on Linux Report presentation series, more companies outside of Microsoft use Linux for their edge servers than any other operating system. That data point continues to this day. Additionally, despite recent de
2
Join Barry Rose, Daniel Nash, and Myself for the ICS on Linux Round Table on Monday at Engage!
Sun, May 7th 2017 4:30p   Bill Malchisky Jr.
This year at Engage in Antwerp, Belgium, I am speaking with Barry Rosen of IBM and Daniel Nash. We are covering all things ICS related on Linux. Happy to have the opportunity to present with both Barry and Daniel on such a topic. A lot has changed in the past six months with IBM's support for Linux. This is the session to learn about those changes and provide input directly to IBM. Looking forward to a great discussion and learning experience. See you on Monday! Date: Monday, May 8 Time: 11
2
Join Serdar Basegmez and Myself on Tuesday’s TLCC XPages Webinar Series
Mon, May 1st 2017 4:43p   Bill Malchisky Jr.
On Tuesday, May 2, Back from the Dead goes live via the TLCC's XPages Webinar Series, sponsored by Teamstudio! Time: 10:30 AM EDT / 9:30 AM CDT / 7:30 AM PDT / 3:30 PM BST / 4:30 PM CEDT Register Here! It's free! Back from the Dead: When Bad Code Kills a Good Server It's Friday and a new customer calls. Their mission critical app is taking :05 to open documents and the users are quite concerned. Where do you start when handed a 20 year old application you have never seen, on a serv




Created and Maintained by Yancy Lent - About - Planet Lotus Blog - Advertising - Mobile Edition