Critical Microsoft Patch for December 2011

Microsoft has released an emergency out-of-band patch (out-of-band meaning released on a day other than Patch Tuesday, because of how important it is) on Thursday, December 29th.


http://technet.microsoft.com/en-us/security/bulletin/ms11-100


Please deploy.


Tax Savings with Selected Year End Purchases

Small businesses have only a limited number of days left in 2011 to realize significant tax savings on purchases of “eligible property” under Section 179 of the US Tax Code. Section 179 allows you to accelerate depreciation, yielding substantial tax savings for 2011. Of importance for the technology sector: special provisions for 2011 include certain software purchases!

What should I do? Buy and deploy your AccessEnforcer before January 1, 2012 and you may be eligible for huge tax savings this year. Ask us how to purchase a multi-year subscription plan and save even more.

Does this apply to me? To be certain, consult with your tax advisor and review the controlling guidance from the IRS. In general, you may be eligible for tax savings if your business meets the following criteria:

  • Profitable operations in 2011
  • Purchase of “eligible property for business use” in 2011
  • Acquired the eligible equipment by purchase
  • Placed the equipment in service in 2011

The Basics of Section 179. For 2011 the IRS increased the amount allowed for the Section 179 accelerated depreciation deduction to $500,000 and also included purchases of software. This means that your business could deduct the total cost of certain equipment purchases at one time rather than having to depreciate it over time. This can have huge tax advantages that could significantly reduce your tax obligation for 2011. Please note, this tax planning strategy may not be available to you in 2012, as the amount and composition of eligible purchases changes every year. In the past, Section 179 was referred to as the "SUV Tax Loophole" or the "Hummer Deduction" because many businesses used this tax code to write off the purchase of qualifying vehicles at the time (like SUVs and Hummers), but that particular benefit of Section 179 has been severely reduced in recent years.

What is “eligible property”? To qualify for the section 179 deduction, your property must be one of the specified types of depreciable property approved by the IRS which includes tangible personal property and off-the-shelf computer software.

How Much Can You Deduct?
Your section 179 deduction is generally the cost of the qualifying property. However, the total amount you can elect to deduct under section 179 is subject to a dollar limit and a business income limit. These limits apply to each taxpayer, not to each business. If you deduct only part of the cost of qualifying property as a section 179 deduction, you can generally depreciate the cost you do not deduct.

Where can I get more information? The IRS will publish guidance in early 2012. Until then, consult with your tax advisor and you can also review IRS guidance from 2010 and information from www.Section179.org.

What's wrong with SSL and TLS

Recently, we were asked what our response would be to the BEAST Exploit, a new attack that takes advantage of a vulnerability found by security researchers in the way CBC block ciphers are handled in TLS 1.0 and earlier. Our AccessEnforcer is administered via web interface, and our desktop VPN client, CalyptixVPN, is TLS-based, so it's a legitimate question. The basic answer is this: CalyptixVPN is not vulnerable, and the AccessEnforcer's web interface can be vulnerable in some instances (for example, when a browser doesn't support the RC4 stream cipher), but not when accessed over a VPN connection (either IPSEC or the CalyptixVPN client). Even without a VPN connection, however, the exploit is almost a moot point. Here's why.



First, some background. Most people refer to a secure HTTP session (https) as SSL. As security-focused individuals know, SSL has been insecure for years due to various exploits. In order to maintain compatibility with older browsers, the AccessEnforcer supports this protocol, as well as TLS 1.0, the most recent version of TLS that is widely supported by browsers. Although TLS is generally more secure than SSL, we now know that in some instances it can be vulnerable to a CBC block cipher attack (incorporated into BEAST). So if TLS can be broken, why is the exploit a moot point?

First of all, a man-in-the-middle attacker could still proxy the session, break the certificate chain and snoop on the data. If the user doesn't notice the certificate warning, or they are used to accessing sites that use self-signed certificates, they could be the victim of a MITM attack without realizing it.

Secondly, if a country or business deploys their own root CA to every PC, and monitors the internet connection with an edge device that can proxy every secure connection (such as this one from Packet Forensics), they can dynamically generate a certificate for any domain of their choosing, and log (and possibly inject data into) the entire session, all without the user even noticing. In fact, the only clue to the user that she's not communicating directly with the site would be visible by examining the certificate. But since it still appears to be a secure session and the browser doesn't present a certificate warning, most users wouldn't even think to inspect the cert.


Thirdly, there have been three high-profile hacks this year of certificate authorities: Comodo, DigiNotar, and CA Security, with the hacker claiming that he has now breached even more CAs. At this point, one can only assume that there is at least one hacker out there who can generate a certificate for any domain he chooses, and if he gets between you and your destination, he can snoop on your session. The most promising solution to this problem is called certificate pinning, available via Firefox add-on as well as for Chromium/Chrome, but the majority of internet users are not using these. Even if a security-conscious user attempts to enable certificate pinning, the process is still prone to user error. A browser can't verify that a certificate isn't forged without an authority for it to check against, and there currently is none, so the process is left to the user. Google has hard-coded Chrome to only accept certs from its trusted CAs (incidentally, this is how the fake *.google.com certificate from DigiNotar was discovered), but every other domain is left to the user.


Fourthly, most browsers still support SSL, since some older web servers haven't been updated to support TLS. It turns out that a man-in-the-middle attacker can trigger a fallback to SSL, where TLS would have otherwise been negotiated between the browser and server. This is called a version rollback attack, and an attacker is much more likely to do this, and then utilize an SSL exploit, than attempt to accomplish the more difficult TLS BEAST exploit.

Although browser manufacturers are currently rolling out patches to protect against BEAST, from our perspective, as long as any browser supports fallback to SSL 3.0 or even 2.0, it is vulnerable, regardless of the status of the block cipher bug.
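As an added example (not code from the original post or from Calyptix), here is a small Python classifier for the two conditions discussed above: a ServerHello that negotiates SSL 3.0 although the client offered TLS (version rollback), and TLS 1.0 or earlier negotiated with a CBC cipher suite (the BEAST exposure) rather than an RC4 stream suite. The cipher-suite ids are the IANA values; the records themselves are constructed inline by a helper so the script runs offline.

```python
# Added example (not from the original post): classify a ServerHello record for
# the exposures discussed above (SSL fallback, TLS 1.0 with CBC, RC4 alternative).
import struct

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# A small subset of IANA cipher-suite ids, enough to tell CBC suites from RC4.
CBC_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
              0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
RC4_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5",
              0x0005: "TLS_RSA_WITH_RC4_128_SHA"}

def build_server_hello(version, suite, session_id=b""):
    """Constructed sample: a handshake record carrying a minimal ServerHello."""
    body = bytes(version) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!HB", suite, 0)            # cipher suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", 0x16, *version, len(handshake)) + handshake

def parse_server_hello(record):
    """Return (negotiated version, cipher suite id) from a ServerHello record."""
    ctype, major, minor, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    sid_len = body[34]                          # after 2 version + 32 random bytes
    off = 35 + sid_len
    return version, int.from_bytes(body[off:off + 2], "big")

def assess(record, client_offered_tls=True):
    """List the findings a defender would care about for this negotiation."""
    version, suite = parse_server_hello(record)
    name = VERSIONS.get(version, "unknown %d.%d" % version)
    findings = []
    if version < (3, 1) and client_offered_tls:
        findings.append("version rollback: %s negotiated although TLS was offered" % name)
    if version <= (3, 1) and suite in CBC_SUITES:
        findings.append("BEAST exposure: %s with %s" % (name, CBC_SUITES[suite]))
    if suite in RC4_SUITES:
        findings.append("stream cipher %s: not subject to the CBC attack" % RC4_SUITES[suite])
    return name, findings

if __name__ == "__main__":
    for rec in (build_server_hello((3, 1), 0x002F), build_server_hello((3, 0), 0x0005)):
        print(assess(rec))
```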

It should be noted that complete details of the BEAST exploit have not been made public, and as far as anyone knows, it is not yet in the wild. It's also worth noting that as most browsers do not yet support TLS 1.1, we cannot yet force it, and therefore must rely on TLS 1.0 until newer versions are widely supported.

As mentioned earlier, a security-conscious administrator could connect his CalyptixVPN client to the remote AccessEnforcer first (or keep up a persistent IPSEC connection), then connect to the AE via one of its LAN IPs, to ensure that the traffic is routed over the VPN connection. Our VPN uses TLS 1.0, but a workaround prevents it from being vulnerable to this exploit.


Regardless of any vulnerabilities in the protocols themselves, most security researchers believe the "web of trust" certificate system is broken. For now, all we can recommend is to use a browser that is up to date, avoid insecure wifi connections, use a VPN wherever possible, familiarize yourself with certificate pinning, and start getting used to inspecting those certificate chains.

Calyptix participates in World IPv6 Day


WORLD IPV6 DAY is 8 June 2011 – The Future is Forever

We're excited to announce that on June 8, Calyptix Security will participate in World IPv6 Day by providing our website at www.calyptix.com in dual stack IPv6 and IPv4. If you visit our website via IPv6 on that day, you will see a gold banner at the top of the front page showing your IPv6 address.

The website will be hosted behind an AccessEnforcer with upcoming IPv6 code.

With the exhaustion of IPv4 addresses, IPv6 provides numerous opportunities for the future. We are committed to building the best IPv6-enabled firewall for small businesses, as demonstrated by our participation in World IPv6 Day. Stay connected with us as we proceed on this exciting journey ahead!

How do you know your code is secure?

The short answer is that you don't, and you can't.

Software engineering is really hard, and security software engineering even more so.

Part of what makes accusations like the kind made against BSD so insidious is that they are just about impossible to disprove. For anything but the most basic program, it's impossible to prove that it isn't doing anything you think it shouldn't be doing. And even if you trust the code completely, do you trust your compiler? Or the people who wrote the compiler for your compiler? It's compilers all the way down.

Open source is neither necessary nor sufficient for secure code. In some ways it may make you more vulnerable, and in some ways it may make you less vulnerable.

But where tightly controlled open source does make you safer, it is precisely here: it is hard for an outsider to put a backdoor into it without other people noticing. In fact, the OpenBSD crypto codebase is probably the most difficult place in the world to do it. If you suspect backdoor code here, you have to suspect backdoor code everywhere.

(Some projects are very loosely controlled, and rightly so, because they aren't that popular or aren't used in environments where security matters.)

Calyptix pledges $1000 bounty for OpenBSD IPsec backdoor bug

There have been unsubstantiated claims that the FBI implemented backdoors and key-leaking bugs into the OpenBSD cryptographic framework.

Calyptix is pledging $1000 to the first person who newly finds such a bug in the IPsec implementation of the 4.7 or 4.8 release of OpenBSD before March 31, 2011. If it is not claimed by then, the $1000 will be contributed directly to the OpenBSD team.

Members of the OpenBSD team are eligible. :)

Other parties have made similar pledges, although obviously we cannot speak for them.

We are working on a formal definition of what would count as a bug.

Cyber Monday Special: Control your network for only $1.22 per day

Small business owners: How will Cyber Monday impact your organization today? Over 106.9 million Americans plan to shop online on Cyber Monday, up from 96.5 million last year, according to the National Retail Foundation. Most will be doing so from work. The NRF said about 70 million Americans will shop from their jobs this year. How will you respond?

At only $1.22 per day (for a limited time), maybe it's time for you to make your team more productive, stop unwanted web surfing and get control of your network. AccessEnforcer provides easier and more effective security for smaller organizations. At $1.22 per day, it’s a no brainer. With AccessEnforcer you can –

  • Monitor or stop unproductive web surfing
  • Get easy to read reports showing who is surfing where
  • Prevent spam from clogging your inbox or smartphone
  • Securely connect to your network from anywhere
  • Stop hackers at the door
  • …more!

Contact us today at 704-971-8982 to see if AccessEnforcer can help your organization and save 30% for a limited time!

Big Time Security for an Apple a Day


For as little as an apple a day, you can take a huge slice out of your internet security exposure. We have launched a very short promotional sale (ends August 31) for you to capture huge savings (beginning at 30%) when you migrate to Easier, More Effective Security (as noted by Microsoft Pinpoint).

If your small business, nonprofit or other organization has ever questioned the value proposition of upgrading your security - now is the time to talk it through. The package includes everything - Instant Cash Savings, Integration Support, Ongoing Live Service, robust hardware and automatically updated and maintained software.

Incredible security has never been so easy, effective or affordable. Check it out for a limited time only.