Nexevi

18/01/2017

You've probably heard the term "Big Data" before, but do you know what it means? We used some Legos to help explain what it is and how companies are using it...

05/12/2016

There’s a famous saying: Culture will eat strategy for breakfast. That’s probably true in many ways, especially in the context of businesses. Culture is intrinsic to a company. So, people know how to

25/02/2016

Glibc bug

Google experts reported few days ago that they have discovered a security flaw, which potentially puts at risk thousands of devices and apps – including Linux servers. Known as the “Glibc bug” it could allow hackers to insert code into a device’s memory, enabling hacking attacks – including remote access attacks on devices such as a computer.

Google engineers, in collaboration with security experts at Red Hat were quick to release a “patch” in order to fix the problem – which affects servers running on the Linux operating system. Windows or OS X are unaffected.

06/05/2014

Nexevi has joined the Rackspace® Partner Network to provide you with a portfolio of Hybrid Cloud solutions. Rackspace is a leading provider of hybrid clouds, which enable businesses to run their workloads where they run most effectively — whether on the public cloud, a private cloud, dedicated servers, or a combination of these platforms. Since Nexevi is a Rackspace Reseller Partner, you can take advantage on your next hybrid cloud solution from Rackspace. Contact us to start saving now.

06/05/2014

WHAT IS HOSTED EXCHANGE?

Microsoft Exchange Server is the leading business-grade messaging system employed in North America and is currently used by 170+ million people worldwide. Exchange offers a number of capabilities, including email, calendaring, task management, address lists, and access to shared document repositories, and other functions. Exchange was originally introduced in June 1996 and has been upgraded several times since to include additional and enhanced features. The current version is Exchange 2013, released in late 2012.

10/04/2014

Am I affected by the bug?

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.

10/04/2014

How to stop the leak?

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

10/04/2014

Google and Heartbleed.
Has been announced that main services like Apps, App Engine, Gmail, Play, Search, Wallet and YouTube are already patched.
Changing your passwords is essential.

10/04/2014

What is Heartbleed?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows an unprivileged attacker to steal vital information without a trace. Use our tester to check if your site is vulnerable.

10/04/2014

In short, Heartbleed is a bug that allows anyone on the internet to read the memory from any site protected by popular OpenSSL cryptographic software library. That means that information across a number of sites and services, including email and instant messaging.
In theory, an attacker could use the vulnerability — which lay undetected for two years — to gain access to all the details usually kept safe by, for instance, banking and ecommerce sites including passwords, password hints and email addresses.

10/04/2014

OpenSSL and Heartbleed

Recently the OpenSSL group released an advisory about a critical bug in the OpenSSL software that could "reveal up to 64k of memory to a connected client or server". This was puzzling at first but it quickly came in to light of how serious an issue this is.

OpenSSL is a framework used for securing a large part of the internet by providing SSL services to a server. This helps secure a connection from peeping eyes online. So obviously a problem with this software can be disastrous from a security standpoint, and this particular problem has proven that. Memory on a server is essentially where everything happens. Keys are stored there, certificates, even user data is stored there while the server is using it. So a bug in security software that can allow up to 64k of that to be revealed undermines the whole point of securing the connection. Further testing from individuals online has shown that the 64k of memory they can get isn't just a one-time deal. They were able to get 64k per request sent to a server. And this isn't a man in the middle attack or anything, this is an attack that can be sent directly to a server.

A quick summary is that a heartbeat request consists of sending data to a server and having that server reply back with the same data. It's used to keep an ssl connection open even though data may not be getting transmitted. The inital heartbeat data sent to the server has a specified size in it for how large the data is. This is where the main problem lies. An attacker could send a 1k piece of data to a server and say it's 64k. The vulnerable implementation of OpenSSL does not verify this size specified. So when the server goes to reply to the heartbeat using the data in memory, it will reply back with 64k of memory from the starting point of the initial saved data. So if only 1k was sent and the server replies back with 64k, that means that 63k of that data was pulled from the memory and could contain almost anything.

While they may only get bits and pieces of server memory, a large amount of requests could be used to start gathering a large amount of data. Furthermore this collection of data is not recorded in logs. This is a major concern with the bug since the listed version that is vulnerable (1.0.1) shows it has been released since March 2012.

There's no way to tell for sure but it's very possible this vulnerability has already been exploited on servers prior to its heads up release to the public. This essentially means that there could be many servers that have had their certificates stolen or user data mined from memory, and there isn't a way to tell who has been effected. A scary part for an end user is that they may not be aware of what servers they communicated with that were vulnerable and there's not really anything a user could have done to prevent an issue like this.

Heartbleed is a big blow to internet security in general given how widely used OpenSSL is. One of the larger providers that was noted as being vulnerable was yahoo.com. With the millions of users they have, that could be a very large leak in user data if anyone attacked with the Heartbleed method. Fortunately most companies, including Yahoo, seem to have reacted very quickly to this incident by changing the software version used or disabling the heartbeat functions altogether until they can permanently fix it. Many providers are also taking steps in getting new certificates issued since it's possible the old ones may have been compromised.

If you want to play it safe, it can't hurt to change any passwords at secure sites you frequent as well. This can help you stay safe just in case there are servers out there that have been compromised.
By: JF

29/03/2014

New Website Launch!

We are very excited to have finally launched our new website design! You’ll see things are looking pretty spiffy around here and it’s all been completely re-coded from the ground up.

Nexevi Intl. Inc.was established in 2004 and we offer flexible, scalable solutions designed to help you and your business to succeed.
We integrate the industry's best technologies and solutions for each customer's specific need.
We offer solutions, support, services and training to help ensure you...