Compass Security Blog

Offensive Defense

Page 2 of 3

Exchange 2013 – Spot the Security Features

Microsoft Exchange 2013, the newest product in the Exchange series, is more and more enrolled in enterprise environments. With the new and enhanced features, for example the integration of SharePoint or Lync, the new Exchange is a well-designed piece of software which in parallel addresses different security concerns. Like Lync 2013 and the whole Microsoft […]

Continue reading

Lync – Missing Security Features

Microsoft has published a list of key security features [1] and also their security framework [2] for the Lync Server 2013. Those documents show how deeply MS integrated their SDL in the Lync products. It also indicates that Lync provides a solid security base out of the box: Encryption enforced for all communication between Lync […]

Continue reading

Lync – Privacy Configuration

We have shortly described the Lync federations in a previous post. With the usage of federations the question comes about the privacy and the security of the user’s information (e.g. presence information). There are scenarios where an employee doesn’t answer the phone but is mentioned as “available” in Lync. This could lead to a misunderstanding […]

Continue reading

Lync – Top 5 Security Issues

Microsoft Lync Server (a combination of “link” and “sync”, see [6]) communications software offers instant messaging (IM), presence, conferencing, and telephony solutions. Lync can be integrated with SharePoint or Exchange to extend its functionalities. Users can e.g. search for specific skills within the Lync client when SharePoint integration is enabled. Exchange is used as a […]

Continue reading

Compass SSL/TLS recommendations

Mozilla created an extensive page [7] concerning the best current choice of SSL/TLS cipher suites, primarily for web servers. Compass Security agrees broadly with the article, but recommends some additional restrictions in order to provide the most resistance against active and passive attacks versus TLS secured connections: Use 3DES cipher instead of RC4 Disable SSLv3 support […]

Continue reading

OpenSSH authentication with SuisseID

SuisseID is the first legally accepted, standardized, electronic identification hardware in Switzerland. Available since 2010 for any person living in Switzerland, it contains two X.509 certificates, one for authentication and one for qualified signatures. ‘Qualified’ in this regard means that is legally treated equally to a manual signature. This is especially interesting for signing contracts, […]

Continue reading

OpenSSH enables true Multi Factor Authentication

Over the past years system administrators had to learn that password authentication has its shortcomings. The protection level of password based authentication methods depends heavily on the password quality as well as the password handling of the users, where the latter is difficult to manage strictly. Public Key based authentication methods came to the rescue, […]

Continue reading

Why does Compass Security recommend HSTS?

Secure web communications using HTTPS isn’t anything fancy anymore these days. It ensures traffic from a user to your web application cannot be eavesdropped or tampered with, given it has been set up securely using SSL/TLS. But, do you trust your web application’s code to entirely disregard unencrypted requests? Are you sure your Apache/IIS is […]

Continue reading

Dangerous Sudoers Entries – PART 5: Recapitulation

The following article describes common security issues regarding misconfigured sudoers’ files. The article focuses on a single entry which contains several security issues: hacker10 ALL= (root) /bin/less /var/log/* The article is split into the following five chapters: PART 1: Command Execution PART 2: Insecure Functionality PART 3: Permissions PART 4: Wildcards PART 5: Recapitulation Define […]

Continue reading

« Older posts Newer posts »