DHS ALERT OpenSSL ‘Heartbleed’ vulnerability (CVE-2014-0160)

 

Original release date: April 08, 2014

 

Systems Affected
  • OpenSSL 1.0.1 through 1.0.1f
  • OpenSSL 1.0.2-beta

Overview

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability includes:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#720951.
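The "incorrect memory handling" in the description comes down to a missing bounds check: the heartbeat handler trusted the 16-bit payload_length field in the request and copied that many bytes into the response, whether or not the record actually contained them. The following is an added example, not part of the DHS alert and not OpenSSL's code. It parses an RFC 6520 heartbeat message with the two length checks the 1.0.1g fix added (record must hold type, length and 16 bytes of padding, and the declared payload must fit inside the record), builds a response only from validated data, and exposes an is_suspicious() helper that flags a request whose declared length cannot fit the record, which is the same condition IDS signatures for this bug key on. The sample messages are constructed inline, not captured traffic.

```python
from __future__ import annotations
import struct

# RFC 6520 heartbeat message layout: type (1 byte), payload_length (2 bytes,
# big-endian), payload, then at least 16 bytes of padding.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
MAX_PAYLOAD = 2 ** 14  # RFC 6520: payload_length must not exceed 2^14


class MalformedHeartbeat(ValueError):
    """Raised for a heartbeat whose declared length does not fit the record."""


def parse_heartbeat(record: bytes) -> tuple[int, bytes]:
    """Return (type, payload) or raise MalformedHeartbeat.

    The two length checks below are the bounds checks the vulnerable code
    lacked: it trusted payload_length and copied that many bytes from the
    record buffer into the response, reading past the end of the message.
    """
    header = 1 + 2
    if header + MIN_PADDING > len(record):
        raise MalformedHeartbeat("record too short to hold type, length and padding")
    msg_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    if payload_length > MAX_PAYLOAD:
        raise MalformedHeartbeat("payload_length exceeds the RFC 6520 maximum")
    if header + payload_length + MIN_PADDING > len(record):
        raise MalformedHeartbeat(
            f"declared payload_length {payload_length} exceeds record of {len(record)} bytes"
        )
    payload = record[header:header + payload_length]
    return msg_type, payload


def build_response(request: bytes) -> bytes:
    """Echo a validated request's payload as a heartbeat_response."""
    msg_type, payload = parse_heartbeat(request)
    if msg_type != HEARTBEAT_REQUEST:
        raise MalformedHeartbeat("not a heartbeat_request")
    padding = b"\x00" * MIN_PADDING  # a real peer uses random padding bytes
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", len(payload)) + payload + padding


def is_suspicious(record: bytes) -> bool:
    """Triage helper: True when the declared length cannot fit the record."""
    try:
        parse_heartbeat(record)
    except MalformedHeartbeat:
        return True
    return False


# Constructed samples (not captured traffic): a well-formed 4-byte "ping"
# request, and a request that declares far more payload than it carries.
BENIGN_REQUEST = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING
OVERSIZED_REQUEST = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", MAX_PAYLOAD) + b"x" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print("benign:", parse_heartbeat(BENIGN_REQUEST))
    print("benign response:", build_response(BENIGN_REQUEST).hex())
    for name, rec in (("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        print(f"{name}: suspicious={is_suspicious(rec)}")
```

The response is built from the slice the parser validated, never from the declared length, so a request that lies about its size gets an error rather than 64k of whatever followed it in memory. The same check, applied to captured TLS records, is a cheap way to spot probing in your own traffic.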

Impact

This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.

Solution

OpenSSL 1.0.1g has been released to address this vulnerability. Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.
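Before keys can be rotated, the vulnerable builds have to be found. The following is an added example, not part of the alert, that classifies "openssl version" strings against the affected ranges listed under Systems Affected (1.0.1 through 1.0.1f, and 1.0.2-beta) and runs that check over a constructed inventory with hypothetical host names. One caveat the alert does not mention: distributions backport fixes without changing the version number (a patched Debian or Ubuntu package can still report 1.0.1e), and a build compiled with OPENSSL_NO_HEARTBEATS has the extension removed, so a version match is a lead to confirm against the package changelog, not a final verdict.

```python
from __future__ import annotations
import re
from typing import Optional

# "openssl version" output looks like "OpenSSL 1.0.1e 11 Feb 2013" or
# "OpenSSL 1.0.2-beta1 24 Feb 2014"; capture major.minor.patch, the optional
# patch letter and an optional "-suffix" such as beta1 or fips.
_VERSION_RE = re.compile(
    r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([0-9A-Za-z]+))?", re.IGNORECASE
)


def is_affected(version_string: str) -> Optional[bool]:
    """True if the version string falls in the advisory's affected ranges.

    Returns None when the string is not an OpenSSL version at all, so that
    unparsable entries can be reported separately rather than silently
    treated as safe.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    suffix = (m.group(5) or "").lower()
    if (major, minor, patch) == (1, 0, 1):
        # "" (plain 1.0.1) and a..f are affected; g and later carry the fix.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2 beta builds shipped the flaw.
        return suffix.startswith("beta")
    return False


def affected_hosts(inventory: dict[str, str]) -> list[str]:
    """Names of hosts whose reported OpenSSL version is in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


def unparsable_hosts(inventory: dict[str, str]) -> list[str]:
    """Hosts whose version string could not be classified and need a manual look."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver) is None)


# Constructed inventory (hypothetical host names; the version strings follow
# the real "openssl version" format).
INVENTORY = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
    "fips01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "bsd01": "LibreSSL 2.0.0",
}

if __name__ == "__main__":
    print("affected:", affected_hosts(INVENTORY))
    print("needs manual review:", unparsable_hosts(INVENTORY))
```

Every host the check flags is a candidate for the full remediation the alert describes: upgrade, then regenerate and redeploy keys and certificates, since a patch alone does nothing about material that may already have been read out of memory.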

US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.

References

Revisions
  • Initial Publication

This is copied from the DHS Site as a public service

Free eBook from Microsoft on Microsoft SQL Server 2014


Introducing Microsoft SQL Server 2014

In this book, the authors explain how SQL Server 2014 incorporates in-memory technology to boost performance in online transactional processing (OLTP) and data-warehouse solutions. They also describe how it eases the transition from on-premises solutions to the cloud with added support for hybrid environments.

 Download the PDF

Free E-books from Microsoft

Microsoft System Center: Network Virtualization and Cloud Computing

This brief book identifies some key usage and deployment scenarios for cloud computing to provide some deep technical background on the Microsoft SDN solution, enabling IT professionals to quickly learn the internals of HNV, how it works from end to end, and where and how it should be used.

 Download the PDF (4.52 MB)

 Download the EPUB file (4.2 MB)

 Download the Mobi for Kindle file (6.56 MB)

————————————————————————————————

Introducing Windows Server 2012 R2

Get a head start evaluating Windows Server 2012 R2—with technical insights from a Microsoft MVP and members of the Windows Server product team. Based on final Windows Server 2012 R2 release-to-manufacturing (RTM) software, this guide introduces new features and capabilities, with scenario-based advice on how the platform can meet the needs of your business. Get the high-level overview you need to begin preparing your deployment now.

 Download the PDF (8.0 MB)

 Download the EPUB file (22.5 MB)

 Download the Mobi for Kindle file (40.3 MB)

————————————————————————————————

Introducing Windows 8.1 for IT Professionals


Get a head start evaluating Windows 8.1—with early technical insights from award-winning journalist and Windows expert Ed Bott. This guide introduces new features and capabilities, providing a practical, high-level overview for IT professionals ready to begin deployment planning now.

 Download the PDF (8.0 MB)

 Download the EPUB file (22.5 MB)

 Download the Mobi for Kindle file (40.3 MB)

Security or lack of in the cloud

This is how Google handles cloud security!

1.2 From Customer to Google. By submitting, posting, generating, or displaying any Application and/or Customer Data on or through the Services, Customer gives Google a worldwide, non-sublicensable, non-transferable, non-exclusive, terminable, limited license to use any Application and/or Customer Data for the sole purpose of enabling Google to provide, maintain, protect, and improve the Services in accordance with the Agreement.

This is from Google Cloud Platform TOS: https://developers.google.com/cloud/terms/.

 

Who wants to host with GOOGLE now…

 

ROUTER WORM… CHECK YOUR ROUTERS!

If you have a Linksys brand router model E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000 or E900, you may be at risk!

There is a worm out there exploiting an authentication bug in the Cisco firmware. If you have enabled remote administration on port 8080, even with a good password, you could be at risk. The worm rewrites the firmware to infect the router, and then sets the router to scan zillions of other IP addresses looking for other systems to infect.

Patch your router with the latest firmware, and disable remote management.

You can go here on the SANS site to learn more about this.

 

SCU 2014 (Simulcast)

JOIN US IN THE CENTER….OF THE UNIVERSE

Join us for the third annual System Center Universe, a one-day globally available technical event featuring Microsoft product gurus and community experts. This year’s event will include breakout sessions to allow for more topics and content!

Couldn’t find a user group or simulcast event in your area? No worries! 

View the live simulcast and participate in the conversation from your own personal computer! Register for the virtual simulcast and you will be provided with details on how to access the live simulcast event online as the event nears! Also, be sure to follow all of our updates on twitter (@scu2014)

The list of MVPs presenting includes:

  • Johan Arwidmark
  • Kent Agerlund
  • Cameron Fuller
  • Maarten Goet
  • Jason Sandys
  • Pete Zerger
  • Mike Resseler

And from Microsoft: Wally Mead, Anders Bengtsson

Join us for this globally-available interactive experience spanning 6 continents. Hear from an all-star cast of presenters including Microsoft technical visionaries and MVPs while interacting with worldwide user group communities such as myITforum during the live event. At SCU2014, gain insider knowledge around System Center, Windows Azure IaaS, Windows Intune, Windows Server and more! Post event, continue your worldwide engagement with SCU-sponsored communities and user groups as well as SCU Network broadcasts. Don’t miss your chance to get in on the action!

See you online on Thursday, 1/30!

You can also attend in person: Register for live event

Register now for the online simulcast here

See more here

 

Get 20% off your initial exam + a free Second Shot

Do you want to prove what you know? Get ahead of the pack and be ready for the technology hiring boom by earning a certification. Get started today by requesting a voucher and get 20% off your initial exam plus a free second chance to retake the exam should you need it.

This offer is valid on any one of the following exams:

  • Windows Server 2012 exams: 410, 411, 412
  • SQL Server 2012 exams: 461, 462, 463
  • Windows 8 exams: 687, 688

With Second Shot, if you fail your exam the first time you take it, you can use the same voucher for your retake exam.

The 20% off + Second Shot offer is available until May 31, 2014. Both initial and free retake exams must be scheduled and completed by May 31, 2014.

Review the offer Terms and Conditions.

Get your voucher here

 

Free ebook: .NET Technology Guide for Business Applications


1. Key takeaways

Select your architecture approaches and development technology based on your specific application’s priorities and requirements.

A single architecture and approach won’t work for every type of application. The Microsoft development stack and .NET are extremely flexible and offer many possibilities, but it’s essential that you choose specific approaches and technologies based on the kind of application—or even subsystem—you build. Each application will have very different priorities and tradeoffs that must be taken on different paths.

Business application modernization goes further than simply building mobile apps. Mobile applications must rely on and extend your foundational business applications.

To be successful, mobile apps must be built with deep integration into your current foundational business applications. Mobile business apps should be part of the larger enterprise ecosystem and substantially extend foundational business applications, whether the foundational systems are established legacy applications or new, large, mission-critical applications built with innovative, scalable, and elastic services.

Positioning your application or subsystem within a global patterns segmentation will help you to choose the right approaches and technologies.

It is fundamental to position your application/subsystem in the right segmentation area. The right approaches and technologies for each of the following application types could potentially be very different:

  • Emerging application patterns
    – Devices and services
  • Established application patterns
    – Small and medium-sized business applications
    – Large, mission-critical business applications

2. Purpose of this guide

This guide will help you effectively select the right Microsoft development technologies and approaches for your .NET custom application development, depending on the priorities you have for your application and for your business domain.


Download here

Free ebook: Microsoft System Center: Optimizing Service Manager


Microsoft System Center 2012 Service Manager is the only product that can integrate across most of the System Center suite and Active Directory. Service Manager is a fast and reliable product that can create and maintain a dynamic service management database to enable interaction across the organization, both inside and outside the IT department, making it a very compelling product to many organizations.

This book is written with three different roles in mind: business and technical decision makers; IT architects; and Service Manager administrators. You can either read this book in its entirety from A to Z, or you can follow one of the learning paths below depending on your role:

Business and technical decision makers:
  • Chapter 1 Business reasons to choose Service Manager
  • Chapter 2 Deployment costs and non-IT usage

IT architects:
  • Chapter 3 How to plan for Service Manager
  • Chapter 4 How to prepare for a Service Manager installation

Service Manager administrators:
  • Chapter 5 Management packs
  • Chapter 6 Optimizing the Service Manager environment
  • Chapter 7 Service Manager configuration and customization

Download here