Information Security, SHA1, TLS, Windows

Challenges for 2015

I think that for the rest of this year and early next year we are going to see quite a few challenges that will cause shifts in our platforms and user computing base. Some of these, such as the end of support for Windows XP and Server 2003, we have seen coming for quite a while and knew we had a deadline. Others were more along the lines of 'yeah, that's bad and we will fix it some day'. Over the last two years these slow-burning 'some day' issues have been fully ignited by the Snowden releases and several SSL/TLS vulnerabilities, turning theoretical risk into practical and operational problems.

I don't plan on going into too much detail here; what I want to do is provide a list of some challenges that I think many of us will be facing over the next 12 months or so.


Information Security, TLS, Windows

Challenges for 2015: End of support for Windows XP

If you provide support for an organization or an external customer user base then you are likely still having to support machines running Windows XP. Microsoft mainstream support for Windows XP ended on April 14, 2009 and extended support ended on April 8, 2014 [1]. The immediate impact is that you can no longer contact Microsoft for support, paid or otherwise. The long-term impacts will compound over time as security and operational needs require us to implement technologies that Windows XP does not support.

Unfortunately, so long as the OS is still working today it can be difficult to convince management and customers to upgrade. The intent of this post is to help make a business case for upgrading to a newer operating system by highlighting some of the challenges that XP users, and those who support them, will experience in 2015 and early 2016.


Information Security

Cisco UCSM Information Disclosure / Privilege Elevation

When I find or read about software vulnerabilities I often chalk the root cause of the flaw up to human error or ignorance. Occasionally I see something that makes me scratch my head and really wish I knew what stream of logic and events caused it to occur. The topic of this post is one of those.

The TL;DR version of the story can be found on the Full Disclosure list.
