Edgewater Consulting blog

Technical How-to: Redirecting SSLv3 Users to a POODLE warning page using Apache2 mod_rewrite

The Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability has been making headlines since September 2014. There are a few options for mitigating the risk, but our infrastructure team has found that not all organizations are able and willing to implement them. Disabling SSLv3 entirely can cut users off from secure websites they rely on, and Google’s TLS_FALLBACK_SCSV mechanism requires support from the web browser, and has not been implemented server-side by all distributions, especially on older and unsupported versions. Further, TLS_FALLBACK_SCSV does not address the issue of SSLv3 support itself, rather it prevents devices which support TLS from downgrading connections to SSLv3. It does not help in cases where the browser is Internet Explorer Versions 1 through 6 (although Internet Explorer versions 4 through 6 can be configured to enable TLS.)

A more elegant solution is not to block SSLv3, but to instead warn users that their current browser is vulnerable to known attacks and instruct them on how to upgrade. With Apache2 and mod_rewrite, it is possible to redirect SSLv3 connections to such a warning page and advise users of the issue and how to resolve it. Here are the steps to do so:

  1. Prepare or find an explanation page you wish to redirect insecure SSL sessions to and note the URL.
  2. If you run a reverse proxy, load balancer, or other session layer device between your apache server(s) and the Internet, please be aware that those devices may be vulnerable to POODLE even though they support TLS: http://www.computerworld.com.au/article/561828/poodle-flaw-returns-time-hitting-tls-security-protocol/
    To be sure that your entire chain of TLS implementations is secure, temporarily disable SSLv3 in Apache2 and head over to SSL Labs to test your site. If your TLS chain is vulnerable you should receive a grade of “F” with the warning (emphasis ours) “This server is vulnerable to the POODLE attack against TLS servers.” If you receive this warning, you should contact your vendors and request patches.
  3. Make sure that Apache2’s mod_rewrite has been installed on your system. Apache2 runs on a variety of architectures and operating systems, so installing individual Apache2 modules is beyond the scope of this article.
  4. Make sure that Apache2’s mod_rewrite is enabled. To do this, run the following as root/administrator:
    a2enmod rewrite
  5. Add the following lines to your Apache2 HTTPS site configurations (the port 443 VirtualHost blocks), changing http://yourwebsite.com/yourexplanationpage.html to the explanation page you wish to redirect users to. The explanation page must not itself be served by a VirtualHost that carries this rule (for example, serve it over plain HTTP or from another host), otherwise SSLv3 clients end up in a redirect loop:
    # Expose the SSL_* variables to the request environment (also useful for logging)
    SSLOptions +StdEnvVars
    RewriteEngine On
    # Match SSLv2 and SSLv3 sessions only. %{SSL:...} is resolved by mod_ssl directly, so it is
    # available in VirtualHost context, where %{ENV:SSL_PROTOCOL} may not be populated yet.
    RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv[2-3]$ [NC]
    # Send every request on such a session to the explanation page as an explicit 302 and stop here
    RewriteRule ^.*$ http://yourwebsite.com/yourexplanationpage.html [R=302,L]
  6. If you have disabled SSLv3 already, undo the configuration disabling it.
  7. Restart Apache2
  8. Now test, test, and then test some more! You can use Firefox and enable/disable SSLv3. To force an SSLv3 connection, set both security.tls.version.min and security.tls.version.max to 0. To disable SSLv3 in Firefox, set security.tls.version.min to 1 or higher and set security.tls.version.max greater than or equal to security.tls.version.min.
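Before rolling the redirect out, and again afterwards, it helps to know how many sessions actually negotiate SSLv3 and whether every one of them is being sent to the warning page. The script below is an added example and not part of the original article; it assumes the HTTPS VirtualHost logs with the standard combined format plus the two mod_ssl items `%{SSL_PROTOCOL}x %{SSL_CIPHER}x` appended (real mod_ssl log format items, which need SSLOptions +StdEnvVars to be set), and the log lines it analyses are constructed samples, not real traffic. It counts requests per protocol, lists the user agents still on SSLv2/SSLv3, and flags any legacy-protocol request that got a 2xx instead of the redirect, which is the sign that the RewriteRule is not firing for that VirtualHost or path.

```python
import re
from collections import Counter

# Assumed LogFormat on the HTTPS VirtualHost (combined + two mod_ssl items):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" sslcombined
# Plain-HTTP requests log "-" for both SSL items.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<protocol>\S+) (?P<cipher>\S+)$'
)

# Same protocol pattern as the RewriteCond in the how-to: SSLv2 and SSLv3, case-insensitive.
LEGACY_PROTOCOL = re.compile(r'^SSLv[2-3]$', re.IGNORECASE)

# Constructed sample log lines (not real traffic): two SSLv3 sessions, one TLS 1.2 session,
# one plain-HTTP fetch of the warning page, and one malformed line.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Oct/2014:10:15:01 +0000] "GET /account HTTP/1.1" 302 0 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" SSLv3 RC4-SHA',
    '203.0.113.5 - - [21/Oct/2014:10:15:02 +0000] "GET /poodle-warning.html HTTP/1.1" 200 1820 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" - -',
    '203.0.113.7 - - [21/Oct/2014:10:15:03 +0000] "GET /account HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256',
    '203.0.113.9 - - [21/Oct/2014:10:15:05 +0000] "GET /login HTTP/1.1" 200 2048 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" SSLv3 RC4-SHA',
    'this is not an access log line',
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count requests per protocol and flag SSLv2/SSLv3 requests that were not redirected."""
    by_protocol = Counter()
    legacy_agents = Counter()
    unredirected = []
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        by_protocol[rec["protocol"]] += 1
        if LEGACY_PROTOCOL.match(rec["protocol"]):
            legacy_agents[rec["agent"]] += 1
            # Once the RewriteRule is active every legacy-protocol request should be a 3xx
            # to the warning page; a 2xx here means the rule is not firing for that request.
            if not rec["status"].startswith("3"):
                unredirected.append((rec["ip"], rec["request"], rec["status"]))
    parsed = sum(by_protocol.values())
    legacy = sum(n for p, n in by_protocol.items() if LEGACY_PROTOCOL.match(p))
    return {
        "by_protocol": dict(by_protocol),
        "legacy_share": legacy / parsed if parsed else 0.0,
        "legacy_agents": dict(legacy_agents),
        "unredirected_legacy": unredirected,
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for proto, n in sorted(report["by_protocol"].items()):
        print(f"{proto:10s} {n}")
    print(f"legacy share: {report['legacy_share']:.1%}")
    for ip, request, status in report["unredirected_legacy"]:
        print(f"NOT REDIRECTED: {ip} {request!r} -> {status}")
```

Run it against a real log with `summarize(open("/var/log/apache2/ssl_access.log"))` once the extended LogFormat is in place; the `legacy_share` number tells you how many users the warning page will reach, and `unredirected_legacy` should be empty after the rule is deployed.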

Assessing an Acquisition’s IT Capabilities: “What’s in Your Portfolio”

Why do I need to think about assessing the IT capabilities of an acquisition?

So you just acquired a company as part of your growth, diversification, or some other strategy. The new company, along with its LOB (line of business) expertise, comes with an entire IT infrastructure that was thus far responsible for supporting the acquired company’s information needs only. While a great deal of due diligence goes into understanding the viability of the business and its value, the same level of rigor is typically not applied to evaluating its IT infrastructure and support staff. In order for the two companies to work together well, it is important to understand the capabilities of the two IT infrastructures and how to best integrate or not integrate them. If a detailed and careful plan is not put together to understand the capabilities and assets of the new acquisition, you risk inheriting a vulnerability that can spread throughout the larger organization, or risk stifling a capability that really should be promoted to the larger organization.

Why do you need an independent perspective?

Sometimes companies use their own internal staff to assess the target or recent acquisition. The problem with this approach is that these assessments can be tainted by hidden agendas, lack of impartiality, and departmental politics. Entrenched interests can also slant information one way or the other as it passes up and down various departmental hierarchies. I was part of a software company which wanted to acquire another software company with similar technology. Our own internal research and development department was tasked with the assessment of the company’s technology. Quite understandably, the leaders in the R&D group thought it was inferior to what was developed in-house, even though that was far from the reality. The key decision makers involved in the deal, including the CEO and the board of directors, were getting conflicting accounts of the reality and did not know whose version of the truth to trust. This is where an independent perspective from external consultants can come in handy. They often face less resistance when digging around and are able to see beyond the personal bias and the “ugly baby” syndrome. A fresh perspective can also help see the forest for the trees, which can sometimes be missed by the people who are working on the trees on a daily basis. I came across another post-acquisition assessment where the management was told that the acquired company’s technology and custom-developed software was top-notch. Upon further investigation we discovered that most of the custom software was developed in a little-known RAD development environment and less than a handful of people in the company knew how to maintain it. While this creates tremendous job security for some, it creates a significant risk for the company. In another situation, credit card numbers and all other consumer-related information were stored in a database unencrypted! Stories like these are all too common and point to the need for an independent perspective.

Is it too late to do an assessment after the deal has been signed?

During my days as a consultant I have primarily come across two types of assessments: pre-acquisition and post-acquisition. Pre-acquisition assessments are important where IT infrastructure is a primary part of the value of the business being acquired (software companies, online businesses, etc.). The focus of a pre-acquisition IT due diligence assessment is primarily on ensuring that the IT assets are as good as they have been portrayed, that they are capable of supporting the business objectives associated with the acquisition, and that there are no hidden risks that will require significant expense to remedy after the buyer takes ownership. For example, can a wildly successful but local online service be introduced in a new geographic region with a new language, currency, tax and privacy laws, etc.? Post-acquisition assessments are important when the prime value of the acquisition is derived from the LOB (e.g. selling insurance policies, financial management, etc.). The focus of this type of assessment is typically ensuring that the IT infrastructure is solid enough to continue to support the business and that there are no vulnerabilities that can jeopardize the combined entity, finding areas of excellence to propagate, finding redundancies, and figuring out an integration plan. It is always good to get an outside assessment done before the deal is inked; however, if that doesn’t happen, it is still very important to at least get the post-acquisition assessment and planning done.

What kind of acquisitions can benefit from an assessment?

These days even small companies whose business does not directly intersect with information technology rely on some sort of back-office IT infrastructure to run their day-to-day operations. A back-office infrastructure may contain email servers, phone/fax servers, internet gateways, website servers, database servers, LOB applications, etc. A front-office infrastructure may contain client-facing applications, online portals, CRM applications, LOB applications, etc. As the number of servers and employees grows, the need for proper management and the use of sound practices to manage them becomes more important. If access to IT infrastructure such as LOB applications, databases, email, website, etc. is essential to the daily operations of your business, it is vital to ensure that a proper assessment of the potential risks is done and the IT assets are managed properly.

What are some of the key aspects that should be examined during an assessment?

Start with creating an overall blueprint of the IT assets and how they interact with each other. You would be surprised to learn how often such a fundamental document does not exist. Look at the hardware/software redundancy needed to provide the required uptime to the business. Determine what disaster recovery plans exist, when they were last tested, and what kinds of situations they can handle. Examine the security risks and ensure that the security practices match or exceed the level of protection warranted by the business. Does the infrastructure have the capacity to meet or exceed the demands placed on it by peak loads and growth in the business? Examine the hosting environment for security, redundant power, redundant internet, redundant cooling, proper fire suppression, etc. Ensure that hardware and software assets are not so old that they are no longer supported and can’t be upgraded. Is the technology stack compatible with the umbrella company’s technology stack? Are there any strange or esoteric practices or standards that could introduce risk? And never forget to identify practices, technology, and people (centers of excellence) that can benefit the entire organization and should be propagated to the entire company.

Reviewing security policies and procedures is another key aspect of the assessment. The risks associated with a weak security structure are obvious and too numerous to describe here. You need to think not only about electronic and online security (firewalls, virus and spam filters, internet intrusion attacks, etc.) but also about physical security. Most companies tend to neglect one or the other, and sometimes both. In today’s environment, physical as well as data security should be considered a top priority for any IT assessment. The risks are high no matter what the business is, including legal consequences and public embarrassment. A Fortune 500 company where I once had the privilege to work became a victim when half the office noticed that their computers were running slower than usual. Upon further examination it was discovered that each computer was missing half of its memory chips. Someone had simply walked in after hours before the lock-down, removed the memory, and walked away. At another client site we discovered that they had neatly documented their security policies and key passwords, but the passwords for all the accounts were exactly the same!

Depending on the industry you work in, you may also have to worry about compliance and regulatory issues. For the health care industry you have to worry about HIPAA compliance: all personal information and medical records have to be protected according to the guidelines of HIPAA. All publicly traded companies have to be in compliance with the Sarbanes-Oxley Act (SOX). Even though the SOX act never mentions the word software, the audit trails and record keeping required by the act ensure a sizeable investment in IT infrastructure and the processes to manage it. There are various other acts and standards, like the Patriot Act, DOD 5015.2, SEC regulations, ISO standards (9000, 15489), etc., that may apply based on the industry and business practices. The process may be even more confusing and harder when acquiring companies in different countries or different states where the local laws are not the same. All of this means that you must ensure that your new acquisition does not expose you to compliance issues that you didn’t have to worry about before.

How do we plan for the joint future?

Now that you have a good handle on what you just acquired, you need to plan how you are going to move forward. You need to think about cost saving opportunities by consolidating sites, hardware, and other resources. You need to think about standardization of software, hardware, and operational practices. You will have to decide how you want to handle common branding and identification issues such as email domain names, website, central call-in numbers, etc. You will need to examine what support contracts and license agreements exist and how they need to be modified as part of the larger organization. The integration with the umbrella organization needs to be phased in, and the timing needs to be planned carefully to minimize impact to the business. A combined successful and seamless existence doesn’t happen on its own; it needs to be planned and carefully executed. If your company is planning to grow through acquisitions, you may want to create a process for assessing and integrating new acquisitions based on your current experience.

If the business you are acquiring is being carved out of a larger parent company, you also need to plan a migration off of the services that the parent company is offering during the transition period. There are further complications if you intend for your new acquisition to be a platform company to which you will add other newly-acquired companies over time.