Work in Education? Share your opinion for the chance to win an iPad!



At Bloxx we love a challenge. That’s why our products are innovative, developed on the back of the needs and requirements of our existing customers and, of course, industry trends and advances in tech.

In order to keep up-to-date with the madness that is the Web security market, sometimes we’ve gotta get a helping hand. This time we need it from one of the most intensely scrutinized sectors – where e-safety is concerned – Education.

Last year we surveyed over 200 educational professionals to identify how Anonymous Proxies had changed, the impact they have upon educational organisations and how much staff really knew about these pesky filter-avoiding-Facebook-accessing-sites.

Get a quick run-down on last year’s survey with our Anonymous Proxies – 5-key facts doc OR if you want the full whack you can download the survey results report.

So what do we want from you now?

Web and email filtering requirements change from one company to the next (even within the same industry); all organisations come with their own challenges, and the teaching bodies of the world are CERTAINLY no different!

News headlines have been cropping up left, right and centre spotlighting Social Media and the risks it can bring, although a lot of it is good press. Social media can enable us to communicate more effectively, connect with old/new friends and let’s not forget, to share the odd ‘no filter’ picture.

However, bearing in mind all the amazing-couldn’t-live-without features that come with social networks, in certain environments all of these are merely distractions. Distractions that can become incredibly detrimental to both the user and the organisation, especially if that organisation is of an educational nature, where the duty of care to protect students and staff may come under inspection by Ofsted, the US Department of Education, or the like.

To give us another security hurdle to fling ourselves over, students and staff can now use their own devices on campus networks. This concept is referred to as Bring Your Own Device (BYOD), or BYOT (T = Tech) as it is now known – ‘device’ was just too specific to categorise watches, glasses, clothes and whatever else. This mobility opens up new areas of concern for SysAdmins everywhere, especially those responsible for younger, more impressionable users in a controlled learning environment.

If you are a teaching professional or in a techy position in an education environment we need to hear from you, and your opinions could land you a new iPad! Click here for the survey, and please share to your relevant contacts.


Bloxx Introduces New Version of its Web Filter and Secure Web Gateway


Dateline September 10th, 2014 – Bloxx, a leader in Web content filtering and security, today announced the release of the latest version of its Web Filter and Secure Web Gateway products. The new release enables organizations to proactively manage social media, adds real-time Flash file categorization to manage access to Flash games, and adds search alert reports that provide real-time email notification of search terms.

“Social media has fundamentally shaped how we now communicate. Companies have opened up these platforms more broadly to users to enable them to engage customers, prospects and increase brand awareness. But they need to be sure that by doing so they are not increasing business risk,” said Charles Sweeney, CEO, Bloxx. “The latest version of the Bloxx Web Filter and Secure Web Gateway seeks to understand how users are interacting with social media and the wider web so that companies can realize all of the benefits of social media and proactively mitigate the risks.”

Additional new features of the Bloxx Web Filter and Secure Web Gateway include:

  • Google Authentication, which allows education organizations to deliver single sign-on for Chromebooks
  • Flexible Reports, which expand the extensive reporting capability already available by providing direct access to the traffic, user, group and policy databases

The new versions of the Bloxx Web Filter and Secure Web Gateway will be available in late September as hardware appliances or as software appliances for VMware ESXi and Microsoft Hyper-V.

More information available here.

Bloxx & the SSL 3.0 “Poodle” vulnerability – CVE-2014-3566


SSL 3.0 “Poodle” vulnerability – CVE-2014-3566

What is poodle?

On Tuesday 14 October 2014, Google published details of a vulnerability in the design of SSL version 3.0 which allows a network attacker to recover the plaintext of secure connections. It has been dubbed “Poodle” (Padding Oracle On Downgraded Legacy Encryption).

You can read the full advisory here.

What steps should I take to secure against the vulnerability?

The most critical action is to upgrade client browsers to their latest versions.

Microsoft recommends you disable SSL 3.0 and enable TLS 1.0, TLS 1.1 and TLS 1.2 in Internet Explorer. (Read more)

Firefox and Chrome have announced plans to drop SSL 3.0 over the coming months (read more here and here).

Firefox have also released an SSL version control add-on available here.

How does this affect The Bloxx product range?

This vulnerability primarily affects clients, so, as described above, using up-to-date client software is the most efficient immediate protection. Server admins should also consider phasing out long-term support for SSL 3.0.

Bloxx web filter products

Traditionally, for HTTPS requests the web filter allows the client to negotiate the SSL/TLS handshake directly with the secure web server; the appliance is not directly involved in this negotiation.

The exception to this is if you use SSL Intercept to perform SSL decryption. In this scenario, the client negotiates the SSL handshake with SSL Intercept, and SSL Intercept then negotiates a separate SSL handshake with the upstream secure web server. The more secure protocols (TLSv1.2/TLSv1.1/TLSv1.0) are preferred by SSL Intercept by default.
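Both points above, phasing out SSL 3.0 on the server side and an intercepting proxy that negotiates the handshake with the client itself, come down to a version policy applied to the client’s ClientHello. The Go program below is an added example written for this page, not Bloxx code: it parses a ClientHello as the proxy would see it, flags an SSL 3.0 offer, and applies the TLS_FALLBACK_SCSV check from RFC 7507 (published with the Google advisory) so that a client’s downgraded retry, the step that pushes a session down to SSL 3.0, is refused with an `inappropriate_fallback` alert. The sample hellos are constructed in the code; a real proxy would read them off the socket.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Protocol versions as they appear on the wire, plus the RFC 7507 signalling suite.
const (
	SSL3         uint16 = 0x0300
	TLS10        uint16 = 0x0301
	TLS12        uint16 = 0x0303
	FallbackSCSV uint16 = 0x5600 // TLS_FALLBACK_SCSV: sent by a client retrying at a lower version
)

type ClientHello struct {
	ClientVersion uint16
	CipherSuites  []uint16
	FallbackSCSV  bool
}

// ParseClientHello parses one handshake record carrying a ClientHello (RFC 5246, section 7.4.1.2).
func ParseClientHello(rec []byte) (*ClientHello, error) {
	if len(rec) < 5 || rec[0] != 0x16 {
		return nil, errors.New("not a TLS handshake record")
	}
	body := rec[5:]
	if len(body) != int(binary.BigEndian.Uint16(rec[3:5])) || len(body) < 4 || body[0] != 0x01 {
		return nil, errors.New("record does not carry a single ClientHello")
	}
	hsLen := int(body[1])<<16 | int(body[2])<<8 | int(body[3])
	hello := body[4:]
	if len(hello) != hsLen || hsLen < 35 {
		return nil, errors.New("truncated ClientHello")
	}
	h := &ClientHello{ClientVersion: binary.BigEndian.Uint16(hello[0:2])}
	pos := 2 + 32 + 1 + int(hello[34]) // skip client_random and session_id
	if pos+2 > len(hello) {
		return nil, errors.New("bad session_id length")
	}
	csLen := int(binary.BigEndian.Uint16(hello[pos : pos+2]))
	pos += 2
	if csLen%2 != 0 || pos+csLen > len(hello) {
		return nil, errors.New("bad cipher_suites length")
	}
	for i := pos; i < pos+csLen; i += 2 {
		s := binary.BigEndian.Uint16(hello[i : i+2])
		h.CipherSuites = append(h.CipherSuites, s)
		h.FallbackSCSV = h.FallbackSCSV || s == FallbackSCSV
	}
	pos += csLen
	if pos >= len(hello) || pos+1+int(hello[pos]) > len(hello) {
		return nil, errors.New("bad compression_methods length")
	}
	return h, nil
}

// SelectVersion returns the version to negotiate, or the alert to send instead: "protocol_version" when
// the client offers below the server minimum (SSL 3.0 is refused once that minimum is TLS 1.0), and
// "inappropriate_fallback" when a client signalling a fallback offers below the server maximum (RFC 7507).
func SelectVersion(h *ClientHello, minV, maxV uint16) (uint16, string) {
	switch {
	case h.ClientVersion < minV:
		return 0, "protocol_version"
	case h.FallbackSCSV && h.ClientVersion < maxV:
		return 0, "inappropriate_fallback"
	case h.ClientVersion > maxV:
		return maxV, ""
	}
	return h.ClientVersion, ""
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// BuildClientHello constructs a minimal ClientHello record (no extensions) for the samples.
func BuildClientHello(version uint16, suites []uint16) []byte {
	body := put16(nil, version)
	body = append(body, make([]byte, 32)...) // client_random (all zero in the sample)
	body = append(body, 0)                    // empty session_id
	body = put16(body, uint16(2*len(suites)))
	for _, s := range suites {
		body = put16(body, s)
	}
	body = append(body, 1, 0) // one compression method: null
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(put16(put16([]byte{0x16}, version), uint16(len(hs))), hs...)
}

func main() {
	// Constructed samples: an SSL 3.0-only client, a TLS 1.2 client retrying at TLS 1.0 after a failed
	// handshake (the downgrade POODLE relies on), and a modern client. Server policy here: TLS 1.0 to 1.2.
	for _, raw := range [][]byte{
		BuildClientHello(SSL3, []uint16{0x002F, 0x0035}),
		BuildClientHello(TLS10, []uint16{0x002F, 0x0035, FallbackSCSV}),
		BuildClientHello(TLS12, []uint16{0xC02F, 0x009C}),
	} {
		h, _ := ParseClientHello(raw) // the constructed samples are well-formed
		v, alert := SelectVersion(h, TLS10, TLS12)
		fmt.Printf("offered %#04x fallback=%-5v -> version %#04x alert %q\n", h.ClientVersion, h.FallbackSCSV, v, alert)
	}
}
```

Setting the server minimum to TLS 1.0 is what “disabling SSL 3.0” means at the protocol level; the fallback check is what stops an active attacker from forcing a TLS-capable client and server to meet at SSL 3.0 in the first place.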

Our research and development team is working on an option to prevent clients or servers from negotiating SSL 3.0, for a future firmware release.

Bloxx email filter

The Bloxx Email Filter supports STARTTLS for secure transmission of email messages. SSL 3.0 negotiation is currently allowed, but restricted to a very strict cipher set which does not include any cipher block chaining (CBC) ciphers. Our R&D team is looking into dropping support for SSL 3.0 by default, while keeping the option to re-enable it on request if it is still required for compatibility with older systems.

Additional note

The Bloxx Web filter and Email filter ranges currently support SSL 3.0 connections to access the admin web user interface of the products. We recommend the use of secure client browsers when accessing the interface and our R&D teams will be looking into the impact of dropping support for this protocol in future versions.

Bash Bug/Shellshock Vulnerability


Bash Bug/Shellshock Vulnerability and Bloxx Products

In light of the vulnerability in the Bash shell (CVE-2014-6271 and CVE-2014-7169), we have reviewed our products to understand whether they are at risk from the exploits.

We can confirm that we have no known vulnerability within any of our products (Bloxx Web Filter, Bloxx Secure Web Gateway and Bloxx Email Filter) resulting from this Bash vulnerability.

However, in line with best security practice, we will update Bloxx products once a stable and effective patch is available.

The Internet of Things – or Everything’s on the Internet?


Another – now not so – new term circulating over the past year or so is the phenomenon known as the ‘Internet of Things’ or IoT: an expression many of us have become accustomed to, which refers to objects, household items, appliances and – as they say – THINGS which are connected to the internet.

Many cyber security experts have been pointing out concerns over the IoT and how we can keep ourselves protected as our fridges, TVs, light bulbs (and the surprising list goes on) gain the ability to fire out data and information with no command from the user required.

A vulnerability in LIFX smart LED light bulbs was reported via the BBC; the concern lay in the messages being transmitted between bulbs and the network. Within the light-bulb-to-light-bulb conversation, WiFi passwords and credentials were being passed, potentially putting control of the lights into a hacker’s hands. Luckily this flaw was identified by Context Security, and the manufacturer, Kickstarter-based brand LIFX, has now patched the issue.

If you didn’t think it could get much stranger than online lightbulbs, a recent article I read just had to squeeze in this last item, which really shows the diversity of IoT – chopsticks! Yes, chopsticks, the kind which flash a blue light if the food they touch is fresh and safe to eat, or red if the meal is a no-go! With this idea I can see the practicality: developed by the ‘Chinese Google’, Baidu, the sensor-attached chopsticks can identify contamination levels, temperature and calories in your meal. The ‘smart chopsticks’ come with an app to display these findings; Business Insider reported that the product is not yet ready for public release but has had great results so far. Check out the YouTube video to see them in action. Although I have to say, if I was ready to tuck into my favourite meal and the little blighters flashed up red… I may find myself just reaching for a fork?!

These connected devices have been created to make our lives that little bit easier, tell us we’re out of milk, allow us to stick the heating on while in Starbucks, pop the sprinkler on, and even monitor your home surveillance from your smartphone, including the baby monitor! So, at what point in this joyful my-life-is-so-much-easier mood do we stop and think about how secure all of this data being catapulted into the network or cloud actually is?

The tale to make you STOP and think!

Well, one story I read a couple of months ago on Forbes.com which should shock the blissful ignorance out of some IoT users is the story of Foscam, a global IP camera producer based in China. Foscam was at the centre of a security story involving two concerned (and pretty damn techie) fathers testing the operating system of the Foscam baby monitor camera, with some pretty worrying results.

Sergey Shekyan and Artem Harutyunyan studied software engineering at university together before becoming neighbors (for a second time); then Shekyan became a father and purchased a cheap baby monitor for $40. It was this low price tag that made him suspicious: a camera which could send texts and emails could not possibly be doing so correctly/safely for such a low price. So the investigation began.

As I said, these guys were software engineers, not security researchers or the like. They sent requests to the operating system to find out how easy the devices were to hack remotely. “If someone has physical access to your devices, you’re pwned,” says Harutyunyan. They made connection requests to see if they could force the camera to perform software updates, which should be refused when the device identifies an incorrect or non-existent cryptographic signature on the update. “You can’t force an update on an iPhone, for example. We figured out the Foscam will accept just about anything. But it’ll brick” Sergey told Kashmir Hill of Forbes.com. And they did ‘brick’, all ten of them.
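The update check described above, refusing an image whose cryptographic signature is missing or wrong, looks like the following in practice. This Go program is an added example for this page, not Foscam or Bloxx code: the vendor signs a small manifest (version number and SHA-256 of the image) with an Ed25519 release key, and the device, which holds only the public key, refuses any update whose signature, hash or version does not check out, leaving the running firmware in place rather than installing it and bricking. The key pair and the firmware image are constructed inline for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: the version the image claims and the SHA-256 of its bytes.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// Bytes serialises the manifest so signer and verifier operate on exactly the same encoding.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.ImageHash[:]...)
}

// SignImage is the vendor side: hash the image and sign the manifest with the release key.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate is the device side. It holds only the vendor's public key and refuses the
// update, leaving the running firmware untouched, unless the manifest signature verifies,
// the image hashes to the signed value, and the version is newer than what is installed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if h := sha256.Sum256(image); !bytes.Equal(h[:], m.ImageHash[:]) {
		return errors.New("image does not match signed manifest: refusing update")
	}
	if m.Version <= installed {
		return errors.New("version not newer than installed firmware: refusing rollback")
	}
	return nil
}

func main() {
	// Constructed vendor key pair and stand-in firmware image; a real device would have the
	// public key burned in at manufacture and the private key would never leave the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2")
	m, sig := SignImage(priv, 2, image)
	fmt.Println("genuine update:  ", VerifyUpdate(pub, 1, m, sig, image))

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff // one byte altered in transit
	fmt.Println("tampered image:  ", VerifyUpdate(pub, 1, m, sig, tampered))

	_, other, _ := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	fm, fsig := SignImage(other, 3, image)
	fmt.Println("untrusted signer:", VerifyUpdate(pub, 1, fm, fsig, image))
	fmt.Println("rollback:        ", VerifyUpdate(pub, 2, m, sig, image))
}
```

The three refusals are the whole point: a device that checks nothing accepts “just about anything”, while one that checks signature, hash and version only ever installs what its vendor actually released.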

All of the above being said, they also found a French security researcher, on a Foscam forum, who had identified that any Foscam could be logged into, simply using the password, admin. Yes, really, it still happens!

With the IoT it appears that functionality, usefulness (for lack of a better word) and promotional tactics came before the consideration of security, which is surprising in today’s world with 400 serious data breaches this year, as at July 2014. However, the key concern with these devices is the simplicity of configuration, including (VERY) poor passwords applied, with no real request to users to change these to more complex options.

This is just a selection of some more recent (or indeed, more shocking) examples of the security and privacy risks surrounding the connectivity being integrated into day-to-day things. Analyst group IDC predicts the growth of this market will continue resulting in an estimated 212 billion devices making up the Internet of Things by 2020.

Over hyped?

Yes, according to the Guardian article reporting that Gartner has identified IoT, alongside wearable tech, consumer 3D printing and autonomous vehicles, as being at the “peak of the Hype-Cycle”. So as the IoT hype peaks, so will the interest of cybercriminals, ready to adapt attacks for the latest devices. If the target just happens to be a fridge, for example, as opposed to the latest iPhone, they will find a way, as it seems they already have.

HP conducted a study on 10 of the most popular devices; here’s a quick run-down of the figures:

  • 60% did not use encryption when downloading software updates
  • 70% of devices used unencrypted network services
  • 70% of cloud/mobile devices allow attackers to view user accounts
  • 80% of cloud/mobile devices failed the requirement of a sufficiently complex password
  • 90% of devices gathered at least one piece of personal info (…if you ask me one is enough!)

Is there anything we can do?

Taking all of the above into account, this concept is one we are going to have to get our heads around, and start planning the security landscape around the collective of online devices rapidly taking over society. Hence the aim of the Open Interconnect Consortium (OIC) to boost the development of IoT while creating a communications framework, reflecting industry standards, to control the information exchanged between IoT devices.

The OIC encompasses Dell, Intel, Samsung, Atmel and others, collaborating on security for devices which transmit information through an internet connection. As stated on the OIC website, the benefits of an ‘interoperable’ approach which is scalable will become apparent for companies and developers, right down to the end users (well, the end users concerned with consistent security and privacy levels).

So there is optimism, with IoT growth booming to 26bn by 2020, and with this optimism comes concern; however, keep an eye on the OIC’s progress in placing industry standards. Finally, if at minimum I can give you this as a basic rule: don’t cheap out on anything that is connecting to the Internet – even down to a lightbulb – so long as you care about your personal privacy and online security.

Which I hope y’all do… or you’re reading the wrong blog.