Tag Archives: Security

GDPR privacy and security for everybody

Whether or not you have heard of GDPR (General Data Protection Regulation), it is a European Union law that will be in effect on the 25th of May 2018. This regulation will affect all companies working with citizens of the EU, so many companies will be affected, not only companies with offices within the EU.

So if your company is within the EU or works with EU citizens, this affects your company.

Why should you bother? Well, the board of directors of your company will, because the company can get a fine of 4% of your total revenue and can be stopped from handling personal information about European citizens. That includes information about customers, partners and suppliers.

Why is this implemented?

We send out more and more of our personal information, and companies have forgotten that they have only borrowed this information and can’t do what they want with it.
And with all the data breaches in mind, better knowledge and understanding of security would probably have prevented many of them.

I will continue to monitor this area and write about it.

Feel free to comment about GDPR or contact me if you have any other questions.

The new keylogger function in iOS 8

Yes, if you install a third-party keyboard, one of the new features in iOS 8, and give it full access, you also agree to send everything you write to a third party. Not only do you agree that the developers of the keyboard can read anything you write, they are also allowed to send the information to their own servers for processing. Once what you have written is there, you have no chance of knowing what they will do with your passwords, credit card numbers and all other personal information. And even if they don’t do anything bad with your information, you always have the risk of them being hacked.


So if you care about not getting your passwords and credit card numbers spread across the globe I suggest not allowing any third party keyboards to have full access.

Apple says that they will switch to the native keyboard when you are about to write sensitive information, but can they guarantee that?

Setting up your Domino server to prevent password attacks

There has been some writing about attacks against WordPress-based sites; a lot of them have been taken over and had malicious code injected. How were most of these attacks done? Well, I think they were probably done through so-called brute force attacks. The hacker has software that posts login attempts to the login page, and they know that the default admin account on WordPress is “admin”; a lot of sites haven’t removed this account. This type of brute force attack can be done against your Domino environment as well. But there are several ways to prevent it, and one way is “Password Lockout”. It’s very easy to implement on your server, so if you haven’t, I suggest you do.

This is how you add this to your Domino Site.

In the name and address book for your server, go to Configurations.

Open the corresponding document for your server. Sometimes there is only an entry like this.

Then I take a copy of this document and open it. To make it apply to your server, you need to uncheck the “Use these settings as the default . . . .” checkbox.

When this is done, the new field where you specify your server name is revealed. Write the name of your server there.

Go to the second tab, “Security”.

Change “Enforce Internet Password Lockout” to Yes, tick the checkbox to log “Failures”, save the configuration and restart the HTTP service on the server. The “Password Lockout” database (inetlockout.nsf) is created the first time a password failure occurs, so I suggest you try with your own login so that the database is created and you can adjust the ACL as you like.

UPDATE: Prevent your SMTP server from leaking passwords

Check out this guide on disabling authentication on SMTP: turn off smtp authentication

Now your Domino server is a bit more secure.

How to prevent databaseName from changing the data source

Sven Hasselbach blogged (Link) that you can change the data source of any XPage using a URL parameter called databaseName. Doesn’t the ACL apply, you might ask? Yes, it does, so that isn’t a problem.
OK, isn’t there a setting to ignore URL parameters? Yes, there is, but if you use it you will get problems with the built-in controls, because they use URL parameters.

Is this a problem, then? The ACL applies, so shouldn’t that be enough?
No, because there might be some databases where the user should be able to create documents,
and this could create documents of a certain type in a database where they shouldn’t be.

To prevent the use of the databaseName parameter I have created this code, which you can place in the onClientLoad event in a custom control or directly in an XPage:

// If the request carries databaseName, strip it and redirect to the cleaned URL
if (context.getUrl().hasParameter("databaseName")) {
    var url = context.getUrl();
    url.removeParameter("databaseName");
    context.redirectToPage(url.toString(), true);
}
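
The same strip-and-redirect logic as an added example in plain JavaScript (Node.js or a browser), not XPages code and not part of the original post, so the filter can be checked against URL variants before it is deployed. The names sanitizeUrl and BLOCKED_PARAMS and the example.com URLs are made up for the illustration; stripping differently cased and percent-encoded spellings is a conservative assumption, since the post does not say how the XPages runtime treats them.

```javascript
// Added example: plain JavaScript, not XPages SSJS.
// BLOCKED_PARAMS and sanitizeUrl are hypothetical names for this illustration.
const BLOCKED_PARAMS = ["databasename"]; // compared case-insensitively (assumption)

// Returns { changed, url }: `changed` is true when a blocked parameter was
// found, and `url` is the address to redirect to with every copy removed.
function sanitizeUrl(rawUrl) {
  const url = new URL(rawUrl);
  let changed = false;
  // Copy the keys first: deleting while iterating searchParams skips entries.
  const keys = Array.from(url.searchParams.keys());
  for (const key of keys) {
    // searchParams yields percent-decoded keys, so "database%4Eame" is caught.
    if (BLOCKED_PARAMS.includes(key.toLowerCase())) {
      url.searchParams.delete(key); // removes every occurrence of this key
      changed = true;
    }
  }
  return { changed, url: url.toString() };
}

// Constructed sample requests (example.com is a placeholder host).
const samples = [
  "https://example.com/app.nsf/page.xsp?documentId=ABC&action=openDocument",
  "https://example.com/app.nsf/page.xsp?databaseName=other.nsf&action=newDocument",
  "https://example.com/app.nsf/page.xsp?database%4Eame=other.nsf",
  "https://example.com/app.nsf/page.xsp?databaseName=a.nsf&x=1&databaseName=b.nsf",
];
for (const s of samples) {
  const r = sanitizeUrl(s);
  console.log(r.changed ? "redirect ->" : "allow    ->", r.url);
}
```

Redirecting only when `changed` is true mirrors the check in the XPages snippet and avoids a redirect loop on clean requests.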