Announcement concerning recently discovered vulnerabilities in the SolarWinds Orion platform

Dec 15, 2020

There have been multiple news reports about the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) confirming that threat actors have compromised the SolarWinds Orion platform and are actively exploiting it. The compromise is a supply-chain attack rather than an ordinary software vulnerability: affected Orion updates carry a backdoor, named SUNBURST, that was inserted into the vendor's own signed build.

SolarWinds Orion is an IT monitoring solution.

Rosenthal & Rosenthal does not now use, nor has it ever used, any SolarWinds products. As a result, our clients' information is not vulnerable to these exploits.

We strongly advise our enterprise clients who may be using the Orion platform to follow CISA's guidance: identify any affected Orion installation, disconnect it from the network until it can be patched with SolarWinds' hotfix or rebuilt, and review firewall rules so that Orion servers can reach only the hosts they need to monitor. As always, we stand ready to assist in assessing the overall security of your network infrastructure.

More information (including CVE links) may be found on the CISA page.

OpenSSL Upgrade – October, 2014

Oct 17, 2014

Upon reading Qualys' entry on SSLv3 and POODLE (CVE-2014-3566, a padding-oracle attack against SSLv3's CBC cipher suites), we have once again upgraded our web server and hardened its security. We are currently running the latest available version of OpenSSL (1.0.1j), and have completely disabled the SSLv3 protocol. The net effect for visitors is that, on accessing either our client login page or our contact page, anyone still using Internet Explorer 6 will be unable to continue, since IE6 does not enable anything newer than SSLv3 by default. Frankly, if anyone is still using IE6 in 2014, it really is time to upgrade to something more secure (for that matter, anyone using any Internet Explorer version should switch ASAP).

We again invite you to test our security rating on the well-respected Qualys SSL Labs site.

Shellshock is a concern for older servers – we have some help

Oct 08, 2014

Linux vendors have been scrambling to patch the now-famous Shellshock bash vulnerability (Wikipedia: http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29) since it came to light late last month. However, most vendors have no real idea how many of their older, end-of-life distributions are still in production, and those systems are still in need of security fixes.

If you have any older CentOS systems (3.9 or 4.8/4.9, the final releases of each of those versions), it might be a good idea to check out Lewis’ binary rpm releases of patched bash 2.05b (for CentOS 3.9) and/or 3.0 (for CentOS 4.8), available from the Rosenthal & Rosenthal FTP server.
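
To verify a bash binary, before and after installing such a package, the widely published test for the original Shellshock bug (CVE-2014-6271) is to export a function definition with a trailing command in an environment variable and see whether a child bash executes that command while importing its environment. The helper below is an added example, not code from the firm or from Lewis' packages; it runs that test against a given bash (by default whatever `bash` is on the PATH) and classifies the result.

```shell
#!/bin/sh
# Added example: test a bash binary for the original Shellshock bug
# (CVE-2014-6271).  A vulnerable bash, when importing an environment
# variable whose value starts with "() {", keeps parsing past the function
# body and executes whatever follows it, here "echo SHELLSHOCK_CANARY".

# Classify the combined output of the probe command.
#   vulnerable    the canary command ran during environment import
#   patched       only the intended command's output appeared
#   inconclusive  the probe itself did not run properly
shellshock_classify() {
    case "$1" in
        *SHELLSHOCK_CANARY*) echo "vulnerable" ;;
        *probe*)             echo "patched" ;;
        *)                   echo "inconclusive" ;;
    esac
}

# Usage: shellshock_check [/path/to/bash]
# Prints the classification (or "no-bash"); exit status 1 means vulnerable,
# 2 means the test could not be run.
shellshock_check() {
    bash_bin="$1"
    if [ -z "$bash_bin" ]; then
        bash_bin=$(command -v bash 2>/dev/null) || bash_bin=""
    fi
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "no-bash"
        return 2
    fi
    # The variable name does not matter; only the "() {" prefix does.
    out=$(env x='() { :;}; echo SHELLSHOCK_CANARY' "$bash_bin" -c 'echo probe' 2>/dev/null) || out=""
    result=$(shellshock_classify "$out")
    echo "$result"
    case "$result" in
        vulnerable) return 1 ;;
        patched)    return 0 ;;
        *)          return 2 ;;
    esac
}
```

On a CentOS 3.9 or 4.x host with the rpms above installed, `shellshock_check /bin/bash` should print `patched`. That result covers only the original parser bug; the follow-up CVE-2014-7169 (the incomplete first fix) and the later bash parser CVEs need their own tests, so treat this as a quick triage check rather than proof that a host is fully fixed.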

More news may be found on Lewis’ blog, here.

OpenSSL Upgrade

Jun 12, 2014

Following OpenSSL's security advisory of 5 June 2014 (http://www.openssl.org/news/secadv_20140605.txt) concerning several flaws, including the SSL/TLS MITM vulnerability CVE-2014-0224, in versions of the popular encryption toolkit prior to 1.0.1h, we have upgraded our web server again. We are currently running the latest available version of OpenSSL to ensure your privacy and security while logged onto our site.

We again invite you to test our security rating on the well-respected Qualys SSL Labs site.

Heartbleed Issues

Apr 23, 2014

By now, many of you have likely heard of the so-called "Heartbleed" bug (CVE-2014-0160) in the popular OpenSSL encryption library. Essentially, a missing length check in the TLS heartbeat extension allows an attacker (either a malicious client, such as a web browser or other application, connecting to a server, or a malicious server communicating with a client) to read up to 64 KB of the affected process's memory per request, and the request can be repeated at will. This memory may contain sensitive information, such as session cookies, passwords or even the server's private key, or it may contain nothing of much use to anyone.

While the vulnerability had been present since OpenSSL 1.0.1 was released in March 2012, it did not become common knowledge until its public disclosure earlier this month. You should know that we immediately took steps to correct our affected systems, and have continued our analysis of the situation to ensure that all of our publicly-accessible (and publicly-accessing) systems are secure.
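
The three OpenSSL posts above (Heartbleed, the June 2014 CVE-2014-0224 upgrade and the October 2014 SSLv3 shutdown) all come down to the same two questions: is the installed 1.0.1 build at or past the release that fixed each advisory, and does the server still accept SSLv3? The helper below is an added example, not the firm's own tooling. The fix levels (1.0.1g for CVE-2014-0160, 1.0.1h for CVE-2014-0224, 1.0.1j for TLS_FALLBACK_SCSV support) come from the OpenSSL advisories; the strings matched in `s_client` output are assumptions about its output format.

```shell
#!/bin/sh
# Added example: relate an "openssl version" string to the advisories on
# this page and probe a server for SSLv3.  Fix levels on the 1.0.1 branch,
# from the OpenSSL advisories:
#   1.0.1g  Heartbleed (CVE-2014-0160)
#   1.0.1h  CCS injection / SSL/TLS MITM (CVE-2014-0224)
#   1.0.1j  TLS_FALLBACK_SCSV support, added after POODLE
# Other branches (0.9.8, 1.0.0) are reported as out of scope.

# Print the patch letter of a 1.0.1 version string, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "e".  Prints an empty line for the
# unlettered 1.0.1 release and nothing at all for other branches.
openssl_101_letter() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL 1\.0\.1\([a-z]*\).*/\1/p'
}

# Usage: openssl_fixed "<version string>" <minimum letter>
# Succeeds when the version is 1.0.1<letter> with letter >= minimum.
openssl_fixed() {
    letter=$(openssl_101_letter "$1")
    [ -n "$letter" ] || return 1
    # Single-letter patch levels sort alphabetically, so if ours sorts last
    # it is at least the minimum.
    last=$(printf '%s\n%s\n' "$letter" "$2" | LC_ALL=C sort | tail -n 1)
    [ "$last" = "$letter" ]
}

# Usage: openssl_report "<version string>"
# Prints "<advisory>: patched" or "<advisory>: unpatched" for each
# advisory, or "not-1.0.1-branch" for other branches.
openssl_report() {
    case "$1" in
        "OpenSSL 1.0.1"*) ;;
        *) echo "not-1.0.1-branch"; return 2 ;;
    esac
    for pair in g:heartbleed h:ccs-injection j:fallback-scsv; do
        min=${pair%%:*}
        name=${pair#*:}
        if openssl_fixed "$1" "$min"; then
            echo "$name: patched"
        else
            echo "$name: unpatched"
        fi
    done
}

# Usage: sslv3_probe host [port]
# Asks the server for an SSLv3-only handshake with openssl s_client.
# Prints "enabled" if the server completes it, "disabled" if it refuses,
# "inconclusive" if the local openssl cannot attempt SSLv3 at all or the
# TCP connection failed.  (The matched strings are assumptions about
# s_client's output; a 1.0.x openssl is needed to send SSLv3 at all.)
sslv3_probe() {
    out=$(printf '' | openssl s_client -connect "$1:${2:-443}" -ssl3 2>&1) || true
    case "$out" in
        *"unknown option"*|*"Option unknown"*|*"connect:errno"*|*"Connection refused"*)
            echo "inconclusive"; return 2 ;;
        *"Protocol  : SSLv3"*)
            echo "enabled"; return 1 ;;
        *)
            echo "disabled"; return 0 ;;
    esac
}

# Stand-alone use: "sh this.sh --local" reports on the local library.
case "${1:-}" in
    --local) openssl_report "$(openssl version 2>/dev/null)" ;;
esac
```

Typical use is `openssl_report "$(openssl version)"` on the server and `sslv3_probe www.example.com` from elsewhere. One caveat: distributions that backport fixes without bumping the version, as CentOS did for its openssl-1.0.1e packages after April 2014, will show as unpatched here even when they are not; on such systems check the package changelog instead, e.g. `rpm -q --changelog openssl | grep CVE-2014-0160`.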

We invite you to test our security rating on the well-respected Qualys SSL Labs site.

We want you to know that we take the privacy and security of your information very seriously, and will continue to monitor and make every effort to maintain the integrity of our systems.

Site security

Feb 15, 2014

Part of the site redesign plan is to incorporate client portal services, providing a facility for clients to securely upload and download files, and to get other information uniquely tailored for them. Of course, without some form of encryption, this would not be possible. While we are still in the testing phase of our portal services, all portal pages are encrypted via SSL (Secure Sockets Layer) and our security testing has been most successful.