IT Nota


How to Install Cryptomator on macOS

Cryptomator is a free and open-source client-side encryption tool: it encrypts files locally before they are synced to a cloud storage service, so the provider only ever holds ciphertext and the keys stay with you.

Here are the steps to install Cryptomator:

  1. Go to the Cryptomator website and download the macOS installer (a .dmg image).

  2. Install macFUSE before installing Cryptomator. Cryptomator mounts each unlocked vault as a virtual drive, and on macOS it needs a FUSE layer to do that.

    Please note that Cryptomator recommends macFUSE for Intel Macs and FUSE-T for Apple Silicon, but I found that FUSE-T is still buggy. It is still tagged as experimental, so use it at your own risk. It gave me a panic attack when I saw that fewer than half of my folders showed up after upgrading to a newer version of FUSE-T. Only after I switched back to macFUSE could I see all the folders again.

  3. Open the downloaded file and follow the installation wizard.

    Cryptomator Mac installation

  4. Once the installation is complete, launch Cryptomator.

  5. Create a new vault by clicking on Create New Vault and selecting the location where you want to create it.

  6. Set a password for the vault and click Create Vault. Cryptomator also shows a recovery key when the vault is created; write it down and store it offline, because a vault password cannot be reset without it and the encrypted files are otherwise unrecoverable.

  7. Your new vault will now be visible in the Cryptomator interface. You can drag and drop files into it to encrypt them.

That’s it! You have successfully installed and set up Cryptomator.
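Before opening the downloaded image, it is worth checking that it really is the file the project published. The shell function below is an added example for this page, not code from the original post or from the Cryptomator project. It assumes you copy the expected SHA-256 from the release notes or checksum file on the project's download page for the exact version you downloaded; the path ~/Downloads/Cryptomator.dmg in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the post or from the Cryptomator project):
# verify an installer's SHA-256 against the published value before opening it.

# Print the SHA-256 of a file as lowercase hex. Linux ships sha256sum,
# macOS ships shasum (Perl), so use whichever exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the digest matches, 1 on mismatch or missing file.
# Hex case is normalised because checksum pages differ in how they print it.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ ! -f "$file" ]; then
    echo "no such file: $file" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK       $file"
    return 0
  fi
  echo "MISMATCH $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage with a placeholder path and hash (substitute your download and the
# value published for that exact version); the image is only opened on success:
#   verify_sha256 ~/Downloads/Cryptomator.dmg <published-sha256> \
#     && open ~/Downloads/Cryptomator.dmg
```

A mismatch means the download is corrupt or not what the project published; delete it and fetch it again from the official site rather than opening it.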

If you find the software useful, you can support it by purchasing a Supporter Certificate or making a donation.

Cryptomator - Support Fund

Download

Cryptomator: Download
macFUSE

Further Reading

FUSE-T

March 3, 2023 Filed Under: How To Tagged With: Information Security, macOS

Connect New SSRS Server to Old SQL Server with TLS

This post shares an experience from connecting an SSRS 2016 server to an older SQL Server database running on Windows Server 2008 R2, and the steps we took to troubleshoot the problem.

After all the reports were migrated to the new SSRS server, creating a new Data Source failed with an error message along the lines of "make sure you have entered the user ID and password correctly".

A quick way to test connectivity to the SQL Server database independently of SSRS is to set up an ODBC data source on the SSRS host and use its Test button.

Sure enough, even the ODBC Data Source Test failed with this message:

ODBC Data Source Administrator Test Failed

Microsoft SQL Server Login

Connection failed:
SQL State: '01000'
SQL Server Error: 1
[Microsoft][ODBC SQL Server Driver][DBNETLIB]ConnectionOpen
(SECCreateCredentials()).
Connection failed:
SQLState: '08001'
SQL Server Error: 18
[Microsoft][ODBC SQL Server Driver][DBNETLIB]SSL Security error

The cause was a mismatch in the TLS versions enabled on each side. TLS 1.2 is enabled by default on Windows Server 2016 and later. On the Windows Server 2008 R2 host, however, the SCHANNEL protocol settings under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols had not been set up correctly:

Windows Server 2008 registry with no TLS enabled

No TLS enabled at all!

After following the steps to enable TLS 1.2 on Windows Server 2008 R2 (Enabled=1 and DisabledByDefault=0 under both the TLS 1.2\Server and TLS 1.2\Client subkeys, followed by a reboot), we retried the ODBC connection from the new SSRS server (Windows Server 2016) and it succeeded.

ODBC Data Source Administrator Test Successful

With the ODBC connection working, we went back to check the connection from the SSRS itself (the same Windows 2016 Server). But when we clicked on Test connection, we still encountered the following error:

SSRS Data Source Connection SSL/Algorithm/TLS Error

Couldn't connect

The report server couldn't connect to the data source using the information you entered. Make sure you've entered the connection string and any credentials correctly.

Hide error details ^

  A connection was successfully established with the server, but then an error occured during the login process. (provider: SSL Provider, error: 0 - The client and server cannot communicate, because they do not possess a common algorithm.)

Logically, both servers should have been able to talk TLS 1.2 once it was enabled on both, and the error text, "do not possess a common algorithm", means exactly that the client and server could not agree on a protocol version or cipher suite. Note that the SSRS data source goes through the .NET SqlClient provider ("provider: SSL Provider"), a different stack from the legacy DBNETLIB ODBC driver, so a passing ODBC test does not prove that SqlClient and the database engine share a protocol. One cause we suspected was weak cipher suites on the old Windows 2008 R2 host; another worth checking is whether the SQL Server 2008 R2 instance itself supports TLS 1.2, which requires the service pack level and update listed in Microsoft KB3135244 ("TLS 1.2 support for Microsoft SQL Server"), since without it the engine cannot negotiate TLS 1.2 regardless of the SCHANNEL registry settings. We were pressed for time and the client accepted the temporary risk, so the solution we opted for was to enable TLS 1.0 and TLS 1.1 on both servers in addition to TLS 1.2.

Windows registry enable TLS 1.0, TLS 1.1 and TLS 1.2

Had these servers resided in a DMZ, we would not recommend this at all. Even for internal servers such as our client's we do not recommend it as a long-term fix: TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and re-enabling them widens the attack surface for every other client of that database server. In this case it was good enough as a stopgap.

This was remediated soon after when the client upgraded the database server to a Windows Server 2019, where TLS 1.2 is also enabled by default with strong ciphers being available.

Hopefully this will help others who are in the intermediate state of upgrading and troubleshooting a similar issue.

With that, I welcome any input on a better solution (for instance, if you have had time to test that only TLS 1.1 and not TLS 1.0 is required, or know of something more secure).

Further Reading

How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers

January 17, 2022 Filed Under: Use Case Tagged With: Information Security, Microsoft, Microsoft SQL Server, SQL Server, SSRS

Basic Security Practice with Password

One client received a warning on her iPhone that her passwords had appeared in a data leak and that the associated accounts might be compromised:

iPhone warning for compromised passwords

Compromised...

Some of your passwords have appeared in a data leak, putting those accounts at high risk of compromise. iPhone can help...

It turned out that, besides the password being too easy to guess, it had also been reused across accounts. The immediate action is to follow the recommendations and change every affected password.

iPhone security recommendations for compromised passwords

But the question worth exploring is why people still use the same password for multiple accounts, even though it is well established that this multiplies the damage when any one of them is breached: attackers take leaked credentials and replay them against other sites (credential stuffing). The root of the problem is that most non-technical users still rely on memory to store passwords, which leaves them with either one short, easy-to-guess password, or one slightly more complex password reused on every account, or, worst of all, a short, easy one reused everywhere. It bears repeating that this is a dangerous practice: never use the same password for two or more accounts.

If every account needs a unique password, creating those passwords is impractical and memorizing them is impossible. That is where a password manager comes in.

Although password managers have been around for a long time, there is still a big gap between technical and non-technical users. The latter, even when they have a password manager installed, often hesitate to use it, whether because old habits die hard or because trying something new feels intimidating.

Nobody should feel intimidated using a password manager. If anything, using a password manager can actually make your life easier.

Here’s a simple way to get started. In this post, we’ll use 1Password as our password manager of choice. However, this is not the only one available. You can always choose your own password manager that suits your need. The principle is going to be the same.

With a password manager you no longer memorize many weak passwords. You create one long passphrase as your "master key", guard it closely, and let the manager generate and store a unique random password for every account.

To make the master password strong yet memorable, use a passphrase that means something to you, for example an unusual sentence such as "What book do I like? The answer is Romeo and Juliet." Whether you add punctuation or capitalization is up to you. Length is what matters most: several words strung together beat a short string of symbol substitutions. Make sure the passphrase is not a famous quotation, song lyric or line from a book, since password-cracking wordlists include those, and never use it anywhere else.

Once you have decided on the master password, install the 1Password app on both your phone and PC. To make it even easier, install the browser extensions as well.

One useful shortcut is Ctrl + \ on Windows (Command + \ on Mac), which fills in your user ID and password on a login page. This only works while 1Password is unlocked; otherwise it will first ask you to type in your master password.
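The iPhone warning above comes from Apple comparing saved passwords against known leaked credential sets. You can run the same kind of check yourself on any password you are unsure about. The script below is an added example for this page, not code from the original post, from Apple or from 1Password; it uses the Have I Been Pwned "Pwned Passwords" range API, which the post does not mention, and follows that API's k-anonymity scheme so the password never leaves your machine: only the first five hex characters of its SHA-1 are sent, and the returned list of hash suffixes is matched locally. The sample response embedded at the end is constructed for the offline demonstration and its counts are made up, not real API output.

```sh
#!/bin/sh
# Added example (not from the post): k-anonymity check of a password against
# the HIBP Pwned Passwords range API. Assumed API shape (as documented by HIBP):
#   GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
# returns lines of the form "<remaining 35 hex chars>:<breach count>".

# Uppercase hex SHA-1 of the argument (no trailing newline is hashed).
# Linux has sha1sum, macOS has shasum; use whichever exists.
sha1_upper() {
  if command -v sha1sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha1sum
  else
    printf '%s' "$1" | shasum -a 1
  fi | cut -c1-40 | tr 'a-f' 'A-F'
}

# The 5-char prefix is the only thing that is sent to the API ...
hibp_prefix() { printf '%s' "$1" | cut -c1-5; }
# ... and the 35-char suffix is matched locally against the response.
hibp_suffix() { printf '%s' "$1" | cut -c6-40; }

# Print the breach count for SUFFIX found in BODY (the API response text),
# or 0 when it is absent. Strips CR so a curl-saved body with CRLF works.
hibp_count_in_response() {
  suffix=$1
  body=$2
  printf '%s\n' "$body" | tr -d '\r' | awk -F: -v s="$suffix" '
    $1 == s { print $2; found = 1 }
    END { if (!found) print 0 }'
}

# Offline-testable core: hash the password, split it, and look the suffix up
# in a response body you already have. Prints the count (0 = not found).
pwned_count() {
  hash=$(sha1_upper "$1")
  hibp_count_in_response "$(hibp_suffix "$hash")" "$2"
}

# Online variant (not exercised here): fetch the range for the prefix, then
# match locally. In real use read the password from a silent prompt rather
# than passing it as an argument, which would land in shell history and ps.
check_password_online() {
  hash=$(sha1_upper "$1")
  body=$(curl -fsS "https://api.pwnedpasswords.com/range/$(hibp_prefix "$hash")") || return 2
  hibp_count_in_response "$(hibp_suffix "$hash")" "$body"
}

# Constructed sample response for the prefix 5BAA6 (the SHA-1 of "password"
# starts 5BAA61E4...). The counts are made up for this demonstration.
SAMPLE_RESPONSE='003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
01330C689E5D64F660D6947A93AD634EF8F:1'
```

A non-zero count means the password is in a public breach corpus and should be treated as known to attackers, whatever its apparent complexity; a zero only means it is not in that corpus, not that it is strong.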

Further Reading

“This password has appeared in a data leak” notice on iPhone
Get started with 1Password
Copy and fill passwords into apps that don’t work with 1Password

December 1, 2021 Filed Under: How To Tagged With: Information Security

How to Enable Secure HttpOnly Cookies in IIS

Session cookies are one of the perennial weak points of HTTP security and privacy, yet modern web applications need them to maintain state. By default a cookie carries no restrictions at all: it can be read by script on the page and is sent over unencrypted connections, which exposes it to interception by an unauthorized party.

Cookies typically hold a session identifier that grants full access to an account, so an attacker who obtains the cookie can hijack the session and act as the real user without ever knowing the password.

For this reason it is important to constrain how cookies travel between the web server and the browser, in particular to make sure they are only ever sent over HTTPS. Note that no cookie attribute encrypts the cookie itself; TLS on the connection does that. The attributes below make sure the cookie never leaves the browser any other way.

Two attributes (flags) on the Set-Cookie header do this: HttpOnly and Secure.

HttpOnly Flag

The first flag to set is HttpOnly. Without it, any JavaScript running on the page can read the cookie through document.cookie, including script injected through a cross-site scripting (XSS) flaw. HttpOnly does not fix the XSS bug, but it stops the injected script from exfiltrating the session cookie, which is usually the attacker's primary goal.

With HttpOnly set, the browser still attaches the cookie to HTTP requests as usual but refuses to expose it to script.

Secure Flag

The second flag is Secure. Without it, the browser sends the cookie on both HTTP and HTTPS requests to the same host. An attacker on the network path who cannot read the HTTPS traffic only needs to provoke a single plain-HTTP request to that host (for example by injecting an http:// image link into any page the victim visits), and the browser will send the session cookie in cleartext. The Secure flag tells the browser to send the cookie over HTTPS only. Pair it with HSTS (see How to Setup HTTP Strict Transport Security (HSTS) on IIS) so the browser never issues the plain-HTTP request in the first place.

Enable HttpOnly Flag in IIS

For an ASP.NET application, edit the web.config file and add the httpCookies element:

<system.web>
  ...
  <!-- httpOnlyCookies: every cookie ASP.NET issues gets the HttpOnly flag.
       requireSSL: every cookie ASP.NET issues also gets the Secure flag. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  ...
</system.web>

httpOnlyCookies="true" marks every cookie ASP.NET issues (the session cookie, the forms-authentication cookie and any HttpCookie your code creates) as HttpOnly, and requireSSL="true" additionally marks them Secure, so this single element covers both flags for cookies that ASP.NET itself emits. The site must then be served over HTTPS only: a browser never returns a Secure cookie over plain HTTP, so a page reached via http:// would lose its session.

Enable Secure Flag in IIS

The httpCookies element only affects cookies created by ASP.NET. Cookies emitted by other components on the same IIS site (classic ASP pages, third-party modules, a proxied backend) are not covered, so a more general approach is to use the URL Rewrite module with an outbound rule that appends the secure attribute to any Set-Cookie header that does not already carry it. Add the following to your web.config file:

<system.webServer>
  <rewrite>
    <outboundRules>
      <!-- Rewrite every Set-Cookie response header that passes the precondition -->
      <rule name="Use only secure cookies" preCondition="Unsecured cookie">
        <match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; secure" />
      </rule>
      <preConditions>
        <!-- Only act when a Set-Cookie header is present and lacks "; secure" -->
        <preCondition name="Unsecured cookie">
          <add input="{RESPONSE_SET_COOKIE}" pattern="." />
          <add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
...
</system.webServer>

URL Rewrite pattern matching is case-insensitive by default, so a cookie that already carries "; Secure" is left alone rather than getting the attribute twice.

Check Flags Settings

This example demonstrates an ASP.NET website that has HttpOnly flag set, but not the Secure flag using a professional web scan tool.

Scan result for cookie with missing secure flag

The scanner did not detect secure flag in the HTTP header with the following explanations:

Cookie Missing ‘Secure’ Flag

Description

The session ID does not have the ‘Secure’ attribute set. This attribute prevents cookies from being seen in plaintext. It may be possible for a malicious actor to steal cookie data and perform session theft through man-in-the-middle (MITM) or traffic sniffing attacks. The exploitable condition exists for unencrypted cookies to be passed over the network if a user accesses the site through HTTP instead of HTTPS, or if a link to a resource such as an image file or CSS file within the specified domain uses the HTTP protocol.

Risk

Data may be exposed to unauthorized parties during cookie transmission and increases the risk of session theft via man-in-the-middle (MITM) or traffic sniffing attacks.

Recommendation

Change the default ‘Secure’ attribute from FALSE to TRUE to ensure cookies are sent only via HTTPS. The ‘Secure’ attribute should be set on each cookie to prevent cookies from being observed by malicious actors. Implement the ‘Secure’ attribute when using the Set-Cookie parameter during authenticated sessions.

After applying the recommended configuration mentioned above, the scan result is good as shown below.

Scan result after secure flag is activated for cookie

As you may have noticed, in this particular example, the Session Cookie Missing ‘HttpOnly’ Flag was already fixed.

Checking the header using cURL:

$ curl -I https://www.itnota.com

Before

HTTP/1.1 200 OK
Cache-Control: private, no-store, max-age=0, s-maxage=0
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Set-Cookie: ASP.NET_SessionId=o42zbtr1rzzje3wlvwwcnjmv; path=/; HttpOnly
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
Date: Tue, 10 Jul 2018 20:42:03 GMT
Content-Length: 6722

After

HTTP/1.1 200 OK
Cache-Control: private, no-store, max-age=0, s-maxage=0
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Set-Cookie: ASP.NET_SessionId=bhn5qcmggcxdy34g5d4kp3hk; path=/; HttpOnly; secure
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
Date: Tue, 10 Jul 2018 20:46:38 GMT
Content-Length: 6722

Notice the word secure after the HttpOnly at the end of the line of Set-Cookie HTTP header.

Emphasis

Set-Cookie: ASP.NET_SessionId=bhn5qcmggcxdy34g5d4kp3hk; path=/; HttpOnly; secure

Buy me a coffee?

If you find this post helpful and would like to buy me a coffee to support the work here, you’ll have our big thanks!
Support IT Nota: Buy me a Coffee

Download

URL Rewrite

Further Reading

HTTP/2 in Action
The Secure Attribute
The HttpOnly Attribute
httpCookies Element (ASP.NET Settings Schema)
Ensuring secure cookies with URL Rewrite
How to Setup HTTP Strict Transport Security (HSTS) on IIS

May 2, 2019 Filed Under: How To Tagged With: IIS, Information Security, Internet, Internet Information Services

How to Setup HTTP Strict Transport Security (HSTS) on IIS

The HTTP Strict-Transport-Security (HSTS) response header tells browsers that a site must be accessed only over HTTPS for the stated period: the browser upgrades any http:// link or typed address to https:// by itself and refuses to proceed past certificate errors. It is easy to deploy and closes the window in which a first plain-HTTP request could be intercepted or downgraded by an attacker on the network, keeping your visitors safe.

Enabling HTTP Strict Transport Security on IIS

See the steps below to enable HSTS on IIS:

  1. Launch IIS Manager.

  2. In the left pane, select the website you want to add the header to and double-click HTTP Response Headers.

    IIS HTTP Response Headers Setting

  3. In the HTTP Response Headers window, click Add… in the right pane, enter Strict-Transport-Security as the Name and max-age=63072000; includeSubDomains; preload as the Value, then click OK.

    IIS HTTP Response Headers Strict Transport Security Setting

    The max-age value 63072000 is two years in seconds; the HSTS preload list requires at least one year (31536000). Two caveats before you copy this value: includeSubDomains commits every subdomain to HTTPS, so make sure none of them is served over plain HTTP only, and preload only makes sense if you submit the domain at hstspreload.org, after which removal takes months. If in doubt, start with a short max-age and without preload, then raise it once everything works. Browsers only honour the header on HTTPS responses, so keep the usual HTTP to HTTPS redirect in place as well. On IIS 10 (Windows Server version 1709 and later) HSTS can alternatively be configured in the site's own settings, which also handles that redirect.

Now you can verify if the header is delivered correctly by running a curl command.

curl -I https://www.itnota.com

You should see that very header listed among other entries:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

That’s all there is to utilize HSTS on IIS.
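Eyeballing one header in curl output works for a single check, but after any change to cookie or HSTS settings it pays to audit the whole response. The script below is an added example written for this page and is not code from either post or from IIS. It parses the header dump that curl -I prints, lists every Set-Cookie that lacks Secure or HttpOnly (the two flags covered in How to Enable Secure HttpOnly Cookies in IIS), and normalises the Strict-Transport-Security policy from this post, checking that max-age is at least the one year hstspreload.org requires. It goes slightly beyond the posts by also flagging a missing SameSite attribute, which they do not cover. The two header dumps at the end are constructed samples modelled on the before and after captures in the cookie post; the .ASPXAUTH cookie in the second one is an assumed extra cookie, not something either post shows.

```sh
#!/bin/sh
# Added example (not from the posts): audit Set-Cookie attributes and the
# HSTS policy in a raw response-header dump, e.g. saved with:
#   curl -sI https://www.example.com > headers.txt

# One line per Set-Cookie header: "<name> ok" or "<name> missing: <attrs>".
# Attribute names are matched case-insensitively (RFC 6265 allows any case).
audit_cookies() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    tolower($0) ~ /^set-cookie:/ {
      line = $0
      sub(/^[^:]*:[ \t]*/, "", line)          # strip "Set-Cookie:"
      name = line
      sub(/[=;].*/, "", name)                 # cookie name before "="
      lower = tolower(line)
      missing = ""
      if (lower !~ /;[ \t]*secure[ \t]*(;|$)/)   missing = missing " Secure"
      if (lower !~ /;[ \t]*httponly[ \t]*(;|$)/) missing = missing " HttpOnly"
      if (lower !~ /;[ \t]*samesite=/)           missing = missing " SameSite"
      if (missing == "") { print name " ok" } else { print name " missing:" missing }
    }'
}

# Exit 0 when every cookie carries both Secure and HttpOnly, 1 otherwise.
# A missing SameSite is reported by audit_cookies but does not fail this check.
cookies_hardened() {
  ! audit_cookies "$1" | grep -Eq 'missing:.*(Secure|HttpOnly)'
}

# Normalise the HSTS header to
#   "max-age=<s> includeSubDomains=<yes|no> preload=<yes|no> <ok|short>"
# or print "absent". "short" means max-age is under one year (31536000 s).
audit_hsts() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    tolower($0) ~ /^strict-transport-security:/ {
      found = 1
      v = tolower($0)
      sub(/^[^:]*:[ \t]*/, "", v)
      maxage = -1; incsub = "no"; pre = "no"
      n = split(v, d, ";")
      for (i = 1; i <= n; i++) {
        t = d[i]
        gsub(/^[ \t]+|[ \t]+$/, "", t)
        if (t ~ /^max-age=[0-9]+$/) { sub(/^max-age=/, "", t); maxage = t + 0 }
        else if (t == "includesubdomains") incsub = "yes"
        else if (t == "preload") pre = "yes"
      }
      verdict = (maxage >= 31536000) ? "ok" : "short"
      printf "max-age=%d includeSubDomains=%s preload=%s %s\n", maxage, incsub, pre, verdict
    }
    END { if (!found) print "absent" }'
}

# Constructed samples modelled on the captures in the cookie post.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: Microsoft-IIS/8.5
Set-Cookie: ASP.NET_SessionId=o42zbtr1rzzje3wlvwwcnjmv; path=/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN'

SAMPLE_AFTER='HTTP/1.1 200 OK
Server: Microsoft-IIS/8.5
Set-Cookie: ASP.NET_SessionId=bhn5qcmggcxdy34g5d4kp3hk; path=/; HttpOnly; secure; SameSite=Lax
Set-Cookie: .ASPXAUTH=0123abcd; path=/; HttpOnly; Secure; SameSite=Lax
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload'

# Run directly to see both reports for the "before" capture.
echo "cookies:"; audit_cookies "$SAMPLE_BEFORE"
echo "hsts:    $(audit_hsts "$SAMPLE_BEFORE")"
```

To audit your own server, save the headers with curl -sI and pass the file contents in, for example audit_cookies "$(cat headers.txt)"; cookies_hardened is written to return a plain exit status so the same check can gate a deployment pipeline.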


Further Reading

Strict-Transport-Security
How to Use cURL HTTP/2 on macOS
How to Enable Secure HttpOnly Cookies in IIS

January 9, 2019 Filed Under: How To Tagged With: IIS, Information Security, Internet Information Services, Windows Server

Copyright © 2011-2025 IT Nota. All rights reserved. Terms of Use | Privacy Policy | Disclosure