News items for tag work - Koos van den Hout

2016-03-14 VirtualBox 5 host-only network looks too much like a bridging adapter
Ever since I upgraded VirtualBox to a version 5 on my work laptop I can't start virtual machines which want to use the VirtualBox host-only network. For some communication I'd like to use that host-only network. Diving deep into the possible reasons found me VirtualBox can't find host-only adapters on Windows 10 which tells:
Oh and please double check that when you go to "Network Connections" and open the Properties dialog of the "VirtualBox Host-Only Network" connection, you see "VirtualBox NDIS6 Bridged Networking Driver" in the "This connection uses the following items" list.
This is indeed the case on my work laptop, and the use of the NDIS6 driver is an upgrade compared to VirtualBox 4. But I know the windows policy at work includes "you cannot use bridged networking" so I think I found the reason.

So now the solution is to use the main NAT network device. I was using the host-only network for some communication between the virtual machine and the host system or other virtual machines which should not be influenced by the 'outside world'. Now I seem to be using NAT as a firewall for that, which is wrong.

Tags: , ,
2015-08-18 I'm a CISSPĀ© now
After taking the course in April and doing the exam in June I am now a Certified Information Systems Security Professional. As part of my job in computer security it is good to have this knowledge, it really helps me understand things.

Tags: , ,
2015-06-20 A fast-changing security world
At work I reviewed something about TLS security I wrote in May 2014 and noticed I had to make some serious adjustments for the May 2015 state. SSLv3 is no longer accepted, SHA1 is no longer an accepted hashing algorithm and other changes.

This week on the home server greenblatt I had two different impacts from the latest OpenSSL update: SSL communications with the Fritz!Box was failing and SSL in sendmail was failing, both due to the latest insights into the security of the Diffie-Hellman key exchange.

These insights are very very new: in April I did a course in the Certified Information Systems Security Professional (CISSP) common body of knowledge and I learned the default Diffie-Hellman parameters were safe. Now we learn to generate them for each individual system at the same strength as the private key. Knowledge of cryptographic quality ages fast at the moment.

Tags: , , , ,
2014-09-22 (#)
So work made a laptop with the standard Windows 7 software image available to me and I noticed when I took it home it doesn't do any IPv6. Which is not what I want. Some searching found How to disable IPv6 or its components in Windows - Microsoft Support which has the right answers which were used by the people creating this software image. I changed the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents registry key to 0x01 so I don't get the Isatap/Teredo tunnels.

Interesting remark in that support article:
We do not recommend that you disable IPv6 or its components, or some Windows components may not function. Additionally, system startup will be delayed for 5 seconds if IPv6 is disabled.
I guess I'll have to find another way to disable the Isatap/Teredo tunnels to make the system boot faster. I want IPv6 to work when it's available native or not at all. Some aspects of the work network make things slow when tunneling protocols are tried. Which is probably the reason of disabling it in the first place.

Update 2014-10-01: It seems this setting gets reset somehow: I am at the Surfnet Relatiedagen 2014 and just noticed the laptop has no IPv6 on the network here, which surprised me. But a check of the settings showed no IPv6 addresses at all, not even link-local. A check on my Android phone shows globally routable IPv6 addresses.

Tags: , ,
2014-09-03 (#)
I had an appointment today at a to me new address. I have an Android phone so I use the car navigation available from google. The 'Car' application has the (extra?) option to navigate to my next appointment, which made the fact the invitation had the right address information very useful. I used that and found the location fine. After I arrived people asked me if I had any trouble finding it since it is in a somewhat unusual location. I would have had more problems with a map!

HTC One Tip: How to use Car mode video explaining HTC Car mode and navigating to appointments.

Tags: ,
2014-07-25 (#)
A clear sign this week I am not a system administrator anymore: I had no easy answer to "where can we find some Torx screwdrivers to open the dishwasher".

Using contacts that were from when I was a system administrator helped find the right screwdrivers and the dishwasher was opened and repaired.

Tags: ,
2013-12-18 (#)
Using SSL should secure your services, but it needs to be configured correctly to avoid several attacks and keep the chances low that third parties can decrypt the traffic. With the SSL Server test from Qualys SSL Labs you can check the intimate details of your https SSL configuration.

And when you wonder what to use to improve your score when using Apache mod_ssl, here is a configuration snippet shared by the right people at Tilburg University:
SSLEngine on
SSLProtocol all -SSLv2
# advies Wessel Dankers kub
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA

Tags: , , ,
2013-11-05 (#)
I heard today about Windows 2012 R2 "desired state configuration" which made me think a bit of puppet. The general idea is to get systems configured to a desired state with whichever changes are needed to get to that state. Desired State Configuration in Windows Server 2012 R2 PowerShell - YouTube for a presentation.

But when I see a bit of configuration sample in the above video it makes me think a lot of puppet:
Configuration FourthCoffeeWebsite
{
	Node ("WebServer1","WebServer2")
	{
		# Install the IIS role
		WindowsFeature IIS
		{
			Ensure  = "Present"
			Name    = "Web-Server"
		}
		
		# Install the ASP .NET 4.5 role
		WindowsFeature AspNet45
		{
			Ensure  = "Present"
			Name	= "Web-Server"
		}
	}
}
Funny how system administration in the Windows and Linux/Unix world is converging. Just like Windows PowerShell makes me think of scripting languages and the unix commandline.

Tags: , , ,
2013-08-28 (#)
Found out a neat option in a modern-ish libc6 getent: you can use services different from those configured in /etc/nsswitch.conf simply by using the -s switch. It took a bit of searching to find the actual way to use ldap and be able to resolve the ldap server:
$ getent -s 'dns ldap' passwd
There are no users in dns in our config, but this enables finding the ldap servers via dns.

Tags: , ,
2013-08-21 (#)
The person(s) whose malvertising network got taken down due to the exposure on malekal.com blog is getting desperate. I'm not only getting the malekal joe-job spam myself but it's now also showing up at the computer security contact address at work.

Tags: , , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newstag.cgi,v 1.35 2021/11/09 13:09:49 koos Exp $ in 0.022806 seconds.