
Schannel Again in 2024

Getting loads of Schannel errors in my log server every day, I decided to hunt them down.

Turns out that under Internet Options a GPO was misconfigured to allow SSLv3 traffic.

Disabling SSLv3, either with a GPO or individually as shown below, stops this log entry spam.

HTTPS Security Settings for Apache

Well, I got into some interesting spaces when I found these sites:

https://securityheaders.com

and https://hstspreload.org

In order to get an A+ rating for my blog, I went through all the suggested routines and while I won’t detail them, below is what I have landed on for what works on my WordPress site.

Inject this into your .htaccess file on your Apache webserver:

Header set Content-Security-Policy "upgrade-insecure-requests"

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header set X-Xss-Protection "1; mode=block"

Header set Referrer-Policy "strict-origin"

Header set Permissions-Policy "geolocation=self"

# yoursite.com is a placeholder: replace it with your own domain

Header set Access-Control-Allow-Origin "https://yoursite.com"

Header set Cross-Origin-Embedder-Policy "unsafe-none"

Header set Cross-Origin-Opener-Policy "unsafe-none"

Header set Cross-Origin-Resource-Policy "same-site"
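
To confirm the directives above actually reach the client, the following added example (not part of the original post) parses a saved response header block, such as the output of `curl -sI`, and reports which of the nine headers are missing and whether the HSTS value meets the hstspreload.org requirements. The function names and the sample response are constructed for illustration.

```python
# Added example: audit a response header block against the .htaccess headers above.
EXPECTED = [
    "Content-Security-Policy", "Strict-Transport-Security", "X-Xss-Protection",
    "Referrer-Policy", "Permissions-Policy", "Access-Control-Allow-Origin",
    "Cross-Origin-Embedder-Policy", "Cross-Origin-Opener-Policy",
    "Cross-Origin-Resource-Policy",
]

def parse_headers(raw):
    """Return {lower-case name: value}; the status line (no colon) is skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and " " not in name.strip():
            # Keep the first occurrence: browsers only honour the first HSTS header.
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def hsts_preload_problems(value):
    """List reasons an HSTS value falls short of the hstspreload.org requirements."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip('"')
    problems = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < 31536000:
        problems.append("max-age below 31536000 (one year)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems

def audit(raw):
    headers = parse_headers(raw)
    missing = [h for h in EXPECTED if h.lower() not in headers]
    hsts = headers.get("strict-transport-security")
    issues = hsts_preload_problems(hsts) if hsts is not None else ["header absent"]
    return {"missing": missing, "hsts": issues}

# Constructed sample: a site where only part of the .htaccess block took effect.
SAMPLE = """HTTP/1.1 200 OK
Content-Security-Policy: upgrade-insecure-requests
Strict-Transport-Security: max-age=86400; includeSubDomains
X-Xss-Protection: 1; mode=block
Referrer-Policy: strict-origin
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty "missing" list together with an empty "hsts" list means every header from the snippet is being served and the HSTS value is eligible for preload submission.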

Phishing Events and CyberSecurity

I can’t tell you guys how important it is to be vigilant over the next few months; you will be distracted with holiday events and other social engagements.

If not already, you will be bombarded with scam phone calls and emails. Please! DO. NOT. RESPOND. to those emails and phone calls. Mark them as SPAM and/or phishing and delete them.

The most recent examples relating to phone calls are for people looking to get your social security number, Medicaid, and credit card information. It will be a foreign sounding individual with a “normal” sounding name, like “Robin” or “John” – Hang up on that person immediately!

The most recent examples relating to scam emails are of someone “responding” to an email and BCC’ing you with a “what’s this” or “what is this”, and below will be an invoice looking for payment. Mark as SPAM and DELETE THIS EMAIL!!!

There will be variations of this theme, but it is all the same: they want your money and your personal information so that they can trick other individuals into giving them their money!

If you use a password manager like LastPass, I strongly urge you to change all your passwords and keep them in either a different password manager or in a notebook in a safe place in your home.

Hacking is serious business, with serious consequences for those not careful to avoid being hacked.

It is up to everyone here to keep your organization safe.

Vulnerability in SSL 3.0 Could Allow Information Disclosure

  • Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Group Policy
    You can disable the SSL 3.0 protocol that is affected by this vulnerability. You can do this by modifying the Turn Off Encryption Support Group Policy Object.
    1. Open Group Policy Management.
    2. Select the group policy object to modify, right click and select Edit.
    3. In the Group Policy Management Editor, browse to the following setting: Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Explorer Control Panel -> Advanced Page -> Turn Off Encryption Support
    4. Double-click the Turn off Encryption Support setting to edit the setting.
    5. Click Enabled.
    6. In the Options window, change the Secure Protocol combinations setting to “Use TLS 1.0, TLS 1.1, and TLS 1.2”.
    7. Click OK.
  • Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Internet Explorer
    You can disable the SSL 3.0 protocol that is affected by this vulnerability. You can do this by modifying the Advanced Security settings in Internet Explorer. To change the default protocol version to be used for HTTPS requests, perform the following steps:
    1. On the Internet Explorer Tools menu, click Internet Options.
    2. In the Internet Options dialog box, click the Advanced tab.
    3. In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available).
    4. Click OK.
    5. Exit and restart Internet Explorer.

Disable OTP Sophos UTM 9.2 via Shell

Dang it! I also locked myself out of the webadmin on Sophos UTM 9.2 while trying out their OTP function with Google Authenticator.

Here’s how I fixed this problem:

Log in to the Firewall Console Interface as root.
At the / prompt, type
cc
then auth and press Enter.
It will list out:
ad_sso
auto_add_to_facility@
auto_add_users$
block
cache_lifetime$
edir_sso
otp
servers@

Type otp and press Enter.
It will list out:
auto_create_token$
default_timestep$
facilities@
require_all_users$
required_users@
status$

Type facilities@ and press Enter,
finally listing:
0 webadmin
1 portal
2 ipsec
3 openvpn

Type -0 and press Enter, where it will redisplay (in this case):
0 portal
1 ipsec
3 openvpn

Log in as admin to your firewall via the webadmin!!!