Friday, January 05, 2018

Meltdown and Spectre - what to do

This week we have seen two major processor flaws: one dubbed "Meltdown" (which is Intel only), the other called "Spectre".

The Details.

Meltdown (CVE-2017-5754)

This is an Intel-only security flaw and it affects Intel's branch prediction technology. This means that someone figured out how to get the processor to hand over what they want from your active memory, in what was supposed to be a clear and secure separation between user memory and kernel memory. The fix could cause a performance hit, in some cases up to 30%.

Spectre (CVE-2017-5753, CVE-2017-5715)

This flaw affects most modern processors from a variety of manufacturers, including Intel, AMD and those designed by ARM. The flaw potentially allows hackers to trick otherwise error-free applications into giving up secret information. Spectre is harder for hackers to take advantage of, but it is also harder to fix and would be a bigger problem in the long term. It could be the source of multiple problems in the years to come.


What you can do to protect yourself.

Update to the latest version of Chrome (version 64, due January 23rd, or later). You can also enable Strict Site Isolation, which will use 10 - 20% more memory, and cross-site iframes will not work properly when printing. Firefox is patched in version 57.0.4 and later. Firefox also has a feature called First-Party Isolation which you can enable for additional privacy protection. Strict Site Isolation in Chrome and First-Party Isolation in Firefox may break functions that some sites on the internet use. Enabling these features is a good idea but not necessary.

Windows:

Check Windows Update and ensure KB4056892 is installed for Windows 10; Windows 7 and 8 patches are expected by Patch Tuesday. If you're having difficulty installing the patch you may have to disable your anti-virus software before you install. The patch may have issues with third-party anti-virus products, although some AV vendors have already issued fixes. Kaspersky issued its fix Dec. 29 in anticipation of a Microsoft fix to be issued Jan. 9 on the regular Patch Tuesday. McAfee has a page listing the products tested so far that are compatible. ESET said it has released Antivirus and antispyware scanner module 1533.3 for all consumer and business users, which is compatible with the Microsoft patches.

Be sure to check your PC OEM's website for support information and firmware updates, and apply them immediately.
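As an added check (not part of the original post), the following Windows PowerShell script verifies the three things this section asks for on a Windows 10 machine: that KB4056892 is installed, that your anti-virus has set the compatibility flag Windows Update requires before it will offer the patch, and what Microsoft's SpeculationControl module reports about the Meltdown and Spectre mitigations. It assumes an elevated Windows PowerShell 5.1 session with PowerShell Gallery access; the QualityCompat registry value and the SpeculationControl property names are Microsoft's, not taken from the post.

```powershell
# Added example, not from the original post. Run as Administrator in Windows PowerShell 5.1.

# 1. Is the January 2018 Windows 10 cumulative update (KB4056892) installed?
$kb = Get-HotFix -Id 'KB4056892' -ErrorAction SilentlyContinue
if ($kb) { "KB4056892 installed on $($kb.InstalledOn)" } else { "KB4056892 NOT installed" }

# 2. Windows Update withholds the January patch until the AV vendor sets this
#    compatibility value (the mechanism behind the AV clashes the post mentions).
$compatKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatVal = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$flag = Get-ItemProperty -Path $compatKey -Name $compatVal -ErrorAction SilentlyContinue
if ($flag) {
    "AV compatibility flag present (value = $($flag.$compatVal))"
} else {
    "AV compatibility flag missing: update your AV or confirm with the vendor before forcing the patch"
}

# 3. Microsoft's SpeculationControl module reports whether the OS and firmware
#    mitigations for Spectre v2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) are active.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl
$sc = Get-SpeculationControlSettings
# BTI* = branch target injection (Spectre v2); KVAShadow* = kernel VA shadowing (Meltdown).
# Hardware support for BTI comes from the OEM firmware/microcode update the post tells you to apply.
[pscustomobject]@{
    'CVE-2017-5715 firmware support present' = $sc.BTIHardwarePresent
    'CVE-2017-5715 OS mitigation enabled'    = $sc.BTIWindowsSupportEnabled
    'CVE-2017-5754 mitigation required'      = $sc.KVAShadowRequired
    'CVE-2017-5754 OS mitigation enabled'    = $sc.KVAShadowWindowsSupportEnabled
} | Format-List
```

If the firmware support line is false after the OS patch is installed, the remaining step is the OEM firmware update from the paragraph above.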

Apple:

Apple is working on a patch and is expected to release one soon. macOS 10.13.2/10.13.3 and iOS 11.2 will have patches for these flaws. There are no known exploits at this time.

Apple Watch OS is unaffected.  

Android: 

Users running the most recent version, released on January 5 as part of the Android January security patch update, are protected according to Google. So, if you own a Google-branded phone like a Nexus or Pixel, your phone will either automatically download the update or you'll simply need to install it. Other users will have to wait for their device manufacturers to release a compatible security update.

Please note that at this time there is no known successful exploitation of either Meltdown or Spectre on ARM-based Android devices.

Linux:

Kernel fixes are out for each supported Linux version, so patch! Ubuntu will be patched by January 9th.

Cloud:

Google, Amazon, Microsoft, and others are working on and implementing patches for these issues.

The only real fix for these flaws is new computers (new silicon), but there won't be any fix in this or the next generation of processors. The actual fix requires an architectural redesign of the processor hardware, which is now at 10nm. Most likely you're looking at least 3 computer generations from now before these issues might be fixed properly.

Sources:

https://www.itworldcanada.com/article/microsoft-warns-patches-for-meltdown-spectre-may-clash-with-av/400394
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/
https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw
https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892?ranMID=24542&ranEAID=nOD%2FrLJHOac&ranSiteID=nOD_rLJHOac-rHBsEiLKiJeizUaBQunMbw&tduid=(a75271ab760fabc657cfb32450f17075)(256380)(2459594)(nOD_rLJHOac-rHBsEiLKiJeizUaBQunMbw)()
http://www.zdnet.com/article/windows-meltdown-spectre-fix-how-to-check-if-your-av-is-blocking-microsoft-patch/
https://www.theguardian.com/technology/2018/jan/05/apple-mac-spectre-meltdown-iphone-ipad-hackers
http://www.zdnet.com/article/how-linux-is-dealing-with-meltdown-and-spectre/
https://www.cyberciti.biz/faq/patch-spectre-vulnerability-cve-2017-5753-cve-2017-5715-linux/
http://www.creativebloq.com/news/should-you-be-worried-about-meltdown-and-spectre

Tuesday, January 02, 2018

How to set up Horizon Web Services

This post will go over the setup and installation of the Horizon Web Services software by SirsiDynix, connecting to a Microsoft SQL Server based database. There are a few things you will need before we begin.
  1. A SQL database user with the proper permissions
  2. A Windows-based OS (2012 or better recommended) for the software installation
  3. The Java Development Kit (I'm using Java SE Development Kit 8u151)
  4. I recommend a third-party browser (I'm using Firefox)
  5. The SirsiDynix Horizon Web Services software (you need an account to download it)
Horizon Web Services requires a connection to the ILS database for Tomcat access. So before I began with the software install on Windows 2012 Essentials, I created a new SQL database user with the proper permissions, based on one that we were using for a different web service that SirsiDynix created.

Create a database user to access the database for Horizon Web Services

Log in to the database -> Security -> Logins | right-click and select New Login

Here is where you fill out all the information for connecting to the SQL database. Proper permissions are required, otherwise Horizon Web Services will give you 404 errors.

Be sure to make the default database your ILS or training database, otherwise you will have issues connecting.

Here is where you specify any server roles for the SQL user. All that is required is the public server role.

For the User Mapping, select which database you want the user to log in to. Typically this would be your primary ILS database, but it could also be your training database.

Note the security group that is required. It is not visible until you edit the user and default schema, and it will have been set up by SirsiDynix. Make sure it is enabled or you won't have sufficient permissions. Make sure you grant permission to the database and login access to the user.

PLEASE NOTE - If you create a user, or use an existing one, with insufficient permissions on the database you will get a 404 error.
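As an added example (not from the post or from SirsiDynix), the same login can be created from PowerShell with T-SQL instead of clicking through SSMS, which makes the least-privilege settings the steps above call for explicit and repeatable: default database set to the ILS database, the public server role only, a user mapping to the ILS database, and membership in the SirsiDynix-created group. It assumes the SqlServer module's Invoke-Sqlcmd and sysadmin rights on the instance, and that the vendor group is a database role; the instance, database, login and role names are placeholders, and the dbo default schema is an assumption.

```powershell
# Added example, not from the original post or SirsiDynix. Requires the SqlServer module.
$SqlInstance = 'ILS-SQL01'               # placeholder: your SQL Server instance
$IlsDatabase = 'horizon'                 # placeholder: your ILS (or training) database
$HwsLogin    = 'hws_user'                # placeholder: the new login name
$HwsRole     = 'SIRSI_ROLE_PLACEHOLDER'  # placeholder: the SirsiDynix-created role from the post

# Read the password interactively so it never sits in the script or shell history.
$cred = Get-Credential -UserName $HwsLogin -Message 'Password for the new HWS SQL login'
$pwd  = $cred.GetNetworkCredential().Password.Replace("'", "''")   # escape quotes for T-SQL

$tsql = @"
-- 1. Server-level login. Default database must be the ILS database or HWS cannot connect.
--    No server role is added, so the login holds only the default 'public' role.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$HwsLogin')
    CREATE LOGIN [$HwsLogin] WITH PASSWORD = N'$pwd',
        DEFAULT_DATABASE = [$IlsDatabase], CHECK_POLICY = ON;
USE [$IlsDatabase];
-- 2. The 'User Mapping' step: a database user for the login, with its default schema
--    (dbo is an assumption; use whatever the existing SirsiDynix user shows).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$HwsLogin')
    CREATE USER [$HwsLogin] FOR LOGIN [$HwsLogin] WITH DEFAULT_SCHEMA = [dbo];
-- 3. The vendor-created role; without it HWS answers every request with a 404.
ALTER ROLE [$HwsRole] ADD MEMBER [$HwsLogin];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database 'master' -Query $tsql

# Verify: the login exists, defaults to the ILS database, and is not a sysadmin.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT name, default_database_name, IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.server_principals WHERE name = N'$HwsLogin';
"@
```

The verification query should show the ILS database as default_database_name and 0 for is_sysadmin; anything else means the login has more privilege than Horizon Web Services needs.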

When you have your SQL user configured you can go ahead and get all the software required for Horizon Web Services (HWS).

You can view my video of the install on my YouTube Channel

The Horizon Web Services software (SirsiDynix account required)
Java SDK (I'm using version 8u151)
A third-party browser, Firefox or Chrome (not required but recommended)

I recommend that all files be downloaded first; based on this we will go through the install process.

Step 1 - Install the Java SDK

When installing Java I just used the default settings. The Java installation itself is not as important, but it must come first because we have to specify the path to the Java Virtual Machine during the Horizon Web Services install.

Step 2 - Install Horizon Web Services

Select the path to JAVA.EXE

Specify the Horizon Web Services instance name

The location for Apache Tomcat
Here is where we can specify settings for the Tomcat software.

The defaults are

  • Service Name - tomcat7
  • HTTP port - 8080
  • HTTPS port - 8443
  • Tomcat shutdown port - 8009

Tomcat Configuration Settings
Now comes the configuration for connecting to the ILS. This is typically an IP address such as 192.168.x.x with a predefined port like 4400. This would have been set up by SirsiDynix when the ILS was installed.



Everything you see below is pretty much default. Allow Patron Search, and DO NOT allow access to the administrator settings unless you want that; in my case I don't.





Log File Prefixes and Location

Timezone

This is optional. You DO NOT need to add the HIP server if you don't want to. If you choose not to use the HIP server with your Horizon Web Services, just leave the fields blank.





Now if you already have Horizon Web Services you can move your settings and license file by simply copying them from your old Web Services directory. If you want to set it up fresh you will need to move your .lic file into the Horizon Web Services install directory and save it in

webapps\"YourHorizonWebServicesInstanceName"\WEB-INF\classes

You can also edit all your ILS connection settings by editing the hz-spring.properties file.

Horizon Web Services Classes Directory


I also recommend changing the default startup type for your Tomcat server from manual to automatic or automatic (delayed).

Change the startup type from manual to automatic or automatic (delayed)

You can change the startup type from the properties of the service.
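As an added post-install check (not part of the original post), this Windows PowerShell script sets the Tomcat service to automatic (delayed) start as recommended above, confirms that the .lic file and hz-spring.properties are in the instance's WEB-INF\classes directory, and checks that Tomcat is listening on the HTTP and HTTPS ports from the defaults list. The install directory and instance name are placeholders; run it in an elevated session.

```powershell
# Added example, not from the original post. Run in an elevated Windows PowerShell session.
$TomcatService = 'tomcat7'                               # default service name from the install
$InstallDir    = 'C:\HorizonWebServices'                 # placeholder: your HWS install directory
$InstanceName  = 'YourHorizonWebServicesInstanceName'    # placeholder: the instance name you chose
$Ports         = 8080, 8443                              # default HTTP and HTTPS ports

# 1. Startup type. Windows PowerShell 5.1's Set-Service has no 'delayed' option,
#    so use sc.exe (the space after 'start=' is required by sc.exe's syntax).
sc.exe config $TomcatService start= delayed-auto | Out-Null
sc.exe qc $TomcatService | Select-String 'START_TYPE'     # shows the resulting START_TYPE

# 2. License and connection settings must live in WEB-INF\classes of the instance.
$classes = Join-Path $InstallDir "webapps\$InstanceName\WEB-INF\classes"
$lic = Get-ChildItem -Path $classes -Filter '*.lic' -ErrorAction SilentlyContinue
if ($lic) { "License file: $($lic.Name)" } else { "No .lic file found in $classes" }
if (Test-Path (Join-Path $classes 'hz-spring.properties')) {
    "hz-spring.properties present"
} else {
    "hz-spring.properties missing in $classes"
}

# 3. Is Tomcat listening? TcpClient works on Windows Server 2012 without extra modules.
foreach ($port in $Ports) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect('localhost', $port); $state = 'listening' }
    catch   { $state = 'closed' }
    finally { $client.Dispose() }
    "port {0}: {1}" -f $port, $state
}
```

A closed port after the service shows as running usually means a port conflict or a failed startup, so check the Tomcat log files at the prefix and location you configured earlier.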
Now that everything is configured and your database user has the proper permissions, you will see this page when you go to log in to Horizon Web Services.


Horizon Web Services Admin Login Page

Here you can see what a successful login looks like.  


Horizon Web Services Status after a successful login

How to fix a CURL call importing an RSS feed on a site blocking CURL calls

There is a 3rd party service provider that my organization uses called bibliocommons.  They have these nice book carousels.  However the car...