[aklug] Re: [NUGA] Re: If you are still running SSLv2, you should disable it ASAP

From: Royce Williams <royce@tycho.org>
Date: Wed Mar 02 2016 - 10:56:15 AKST

Yep, been meaning to harvest from here, when I get enough Round Tuits:

https://dev.maxmind.com/geoip/geoip2/geolite2/

Royce

On Wed, Mar 2, 2016 at 10:54 AM, macdonald.org <jim@macdonald.org> wrote:

> Royce,
>
> you need a geoloc DB…
>
> :)
>
>
> On Mar 2, 2016, at 10:32 AM, Royce Williams <royce@tycho.org> wrote:
>
> Obscurity is fine -- as a layer. As long as it's not the only layer. :)
>
> And your domains may just be ones that I don't know about yet -- feel free
> to submit updates. :)
>
> http://www.techsolvency.com/alaskan-domains-list/
>
> Royce
>
> On Wed, Mar 2, 2016 at 10:15 AM, kris laubenstein <
> krislaubenstein@gmail.com> wrote:
>
>> For what it's worth, I agree with Royce. We all know security through
>> obscurity is no security at all. Also, it feels good to not see any of my
>> domains on a truly "external" scan!
>>
>> If you're running IIS, a super easy tool for quick cryptography configs
>> is a tool called IIScrypto. Sure, you can do it all easier through CLI, but
>> there's something to be said about being able to hand off some security and
>> crypto config to the help desk.
>>
>> https://www.nartac.com/Products/IISCrypto
>>
>> Kris
>> On Mar 2, 2016 10:05 AM, "Royce Williams" <royce@tycho.org> wrote:
>>
>>> Of the five off-list responses I've gotten so far, four have been "yikes
>>> -- thanks, on it!", and one has expressed concern about posting these scan
>>> results publicly. This last is a fair question, and deserves a public
>>> answer.
>>>
>>> I try to walk the disclosure line responsibly. For example, for the
>>> Alaskan HTTPS Qualys results that I cache [1], I limit access to Alaskan IP
>>> space, which mitigates this concern for overall Alaskan SSL/TLS health.
>>>
>>> But, in my opinion, SSLv2 is an entirely different animal.
>>>
>>> Relying solely on obscurity -- and not upgrading/patching/mitigating --
>>> to address issues with SSLv2 (a protocol that has been deprecated *by RFC*
>>> for five years! [2] ) was never a good idea, and now officially borders on
>>> negligence. Any downstream clients who have heartburn from a public list
>>> of SSLv2-exposed hosts need to start asking hard questions from their
>>> providers -- about why the boxes in question are so insecure, and have been
>>> exposed to the public Internet for so long.
>>>
>>> In this modern era of masscan, Shodan, Qualys SSL Labs, and even good
>>> old nmap ... anyone can search in a second, or scan in five minutes. And
>>> Google's Project Zero [3] now automatically discloses major vulnerabilities
>>> after a hard 90-day timer [4].
>>>
>>> We must take steps to see the world from the attackers' eyes.
>>>
>>> Royce
>>>
>>> 1. http://www.techsolvency.com/tls/
>>> 2. https://tools.ietf.org/html/rfc6176
>>> 3. https://en.wikipedia.org/wiki/Project_Zero_(Google)
>>> 4. https://code.google.com/p/google-security-research/issues/list?can=1
>>>
>>>
>>> On Tue, Mar 1, 2016 at 9:00 PM, Royce Williams <royce@tycho.org> wrote:
>>>
>>>> Did a fresh scan against known Alaskan hosts - attached are those that
>>>> still offer SSLv2 and should be adjusted ASAP. Sorted by TLD, then domain,
>>>> then host (so that hosts in the same domain are grouped together).
>>>>
>>>> Royce
>>>>
>>>
>>>
>
>

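A defender's way to verify the exposure this thread is about on one's own hosts, added here as an example and not code from the original posts or from any of the tools named: modern OpenSSL and Python's `ssl` module no longer speak SSLv2, so the check builds a raw SSLv2 CLIENT-HELLO and inspects whether the server answers with an SSLv2 SERVER-HELLO that lists cipher kinds (a hardened server closes the connection, sends a TLS alert, or sends an SSLv2 error instead). The host and port passed to `sslv2_offered` are assumptions, and the SERVER-HELLO bytes in the test are constructed.

```python
import os
import socket
import struct

# SSLv2 cipher-kind codes (3 bytes each) from the SSL 2.0 specification
SSLV2_CIPHERS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]


def build_sslv2_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record that offers every SSLv2 cipher kind."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (b"\x01" + b"\x00\x02"              # MSG-CLIENT-HELLO, version 2
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)             # no session id, 16-byte challenge
    # 2-byte record header: high bit set means "no padding", then 15-bit length
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Return the cipher kinds an SSLv2 SERVER-HELLO offers, or None if it is not one."""
    if len(data) < 13 or not data[0] & 0x80:
        return None                            # not an unpadded SSLv2 record (e.g. a TLS alert)
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != 0x04:      # MSG-SERVER-HELLO
        return None                            # e.g. MSG-ERROR (type 0x00)
    # body[1] = session-id-hit, body[2] = certificate type, then four u16 fields
    version, cert_len, ciph_len, _conn_len = struct.unpack(">HHHH", body[3:11])
    if version != 0x0002:
        return None
    ciphers = body[11 + cert_len:11 + cert_len + ciph_len]
    return [ciphers[i:i + 3] for i in range(0, len(ciphers), 3)]


def sslv2_offered(host, port=443, timeout=5.0):
    """Connect to host:port (assumed values) and list any SSLv2 cipher kinds it offers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            return []                          # no SSLv2 answer: the server is clean
    return parse_sslv2_server_hello(data) or []
```

An empty list means the host no longer negotiates SSLv2; a non-empty list is the finding the thread asks providers to fix.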
Received on Wed Mar 2 09:14:26 2016

This archive was generated by hypermail 2.1.8 : Wed Mar 02 2016 - 09:14:26 AKST