Made to Order Software Corporation Logo

secure

PHP eFax requires "ssl://" on RedHat EL7 and Ubuntu

We found out today that RedHat LE7 requires the use of the "ssl://" protocol instead of the default "tls://". The error we are getting from PHP looks like this:

PHP Warning:  stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version in .../lib/http_request.php on line 294
PHP Warning:  stream_socket_client(): Failed to enable crypto in .../lib/http_request.php on line 294
PHP Warning:  stream_socket_client(): unable to connect to tls://secure.efaxdeveloper.com:443 ...

No more excuses! Protect your passwords on your computer with strong encryption.

More and more, we hear talks about hackers entering personal accounts on systems such as Facebook, Twitter, Instagram and many others. There are many reasons why someone's account will be hacked. One of them is the lack of imagination for their password. Plus, some people use the same password for all of their accounts.

So, if you do it right, you will end up with many passwords. On my end, I have one password per account and that means about 400 passwords... That's totally unmanageable in a fairly standard human brain. For this reason, you end up writing down all your passwords on ...

Massive Bug in Intel, AMD, ARM and other Processors in Handling VM Memory

In the last few days, we started hearing about a massive bug in the implementation of the VM memory handling.

Intel has been frantically working on fixing host machines kernels in order to prevent one VM from accessing the memory of other VMs that run on the same machine.

Of course, most users are not going to attempt to read someone else memory so in that sense, most of us are relatively safe. But all of those who are not so lucky and have uninvited guests on their systems are running at very high risk. The information available from Intel says the memory is accessible only in Read mode. ...

PHP e-Fax requires valid SSL certificates (failed with code 1)

As e-Fax is updating their systems further to be compliant with various security systems, some new problems may arise on your servers.

The main one is an SSL error that is quite unclear.

Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /path-to-php-efax/http_request.php on line 294

As we can see, the error mentions a server certificate function and says it could not verify a certificate.

If your server is not 100% up to date with newest SSL versions or your web ...

Make sure your Thunderbird does not use SSL to avoid POODLE attack

A few days ago the news that SSLv3 was no good came out. The protocol allows for patterns that can be used by a hacker to decipher an encrypted message without the need for the private key. In other words, encryption using SSLv3 is no good (anymore--it never was, but we know this only now.)

We fixed our Apache2 settings, for those interested, you just have to turn off SSLv3 with the following setting:

SSLProtocol all -SSLv2 -SSLv3

Although to really remove all the encryption methods that are not that secure (can easily be cracked) you also want to change the list of ciphers with:

 ...

Bad Google Indexing "Secure" Pages...

About a week ago I got a customer who started having their website appear in Google with HTTPS (the secure version of the site.) The pages are served securily, but it uses our website certificate so you get a big bad error saying that everything is broken and if you proceed you'll know what hell is like.

"This Connection is Untrusted" by FireFoxThe fact is that this customer never had a secure certificate. In other words, there is no reason for the site to have been referenced with HTTPS unless someone typed a link to their site and inadvertendly entered https://... instead of http://...

I checked a few of the pages where there ...

Security Issue in many mail systems

It always amazes me when one finds a security issue that looks like something that should never have happened in the first place.

This one was found earlier this year by Wietse Venema who first discovered the issue in Postfix.

He fixed the Postfix server quickly, however, he went further. He actually tested many other servers sending commands that bypass that very security measure and to his surprised he found out that Postfix wasn't the only system affected by the problem.

For those interested, all the details of the problem can be found on the Postfix website as CVE-2011-411.

A ...

Protected Node Global Settings

The protected node module has global settings found under:

Administer » Site configuration » Protected node

Protected node Statistics

The page starts with statistics to let you know how pages are protected on your website. All the counts include published and unpublished content.

  • Total nodes — the total number of nodes on your website
  • Unprotected nodes — number of nodes that do not have a password
  • Protected nodes — number of nodes that are current protected by a password
    • Showing title — number of nodes showing their title
    • ...

How to bypass Drupal strong security?

Interestingly enough, today I received a Security Advisory from Drupal saying that users received an email from a hacker asking them to install a Trojan module on their Drupal system.

I find it quite interesting since, if Drupal wasn't secure, the hackers would not have to ask you to make it unsecure, would they?

However, this shows how many CMS systems introduce a security issue problem to your web server installation since it is required to let your web server execute any one PHP file...

All the files installed on your web server and that are directly accessible from the outside (i.e. ...

jsMath Security Issue

Security Issue

A security issue was found in all versions of jsMath before 2.x-dev for Drupal 6.x of Jul 29, 2010.

You may still securely use older versions of jsMath on private websites and websites were you are the only user (as in, the only one who can log in.)

The Drupal Security Advisory issue is here: https://www.drupal.org/node/854402

Other Problem

There is another problem: jsMath offers a JavaScript function that parses entire web pages (although there are ways to circumvent that problem, the module does not currently make use of those.) The jsMath Drupal module uses the ...