Current Stories
[RHSA-2015:2636-01] Important: kernel security and bug fix update
01/23/2016 07:59 PM

RHSA-2015:2636-1 - Red Hat Customer Portal
Advisory:   RHSA-2015:2636-1
Type:       Security Advisory
Severity:   Important
Issued on:  2015-12-15
Issue date: 2015-12-15
CVE Names:  CVE-2015-2925 CVE-2015-5307 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104


The Badkey Team

WebRTC IP address revealed
11/14/2015 11:24 PM
WebRTC Network Limiter

If you click this link and see a local IP, please continue reading and take action!

What is WebRTC? IP address revealed
There is a special interface (program) in most Internet browsers (Chrome, Firefox, etc.) called Web Real Time Communication, or WebRTC, and that's where the so-called flaw is.

However, WebRTC isn't a flaw at all. It's actually a special facet of your Web browser. WebRTC allows computers on different networks to perform special browser-to-browser applications, such as voice calling, video chats, file sharing and more. But as it turns out, in the hands of a technically savvy person, WebRTC can be tricked into revealing your actual IP address, even if you're actively using a VPN! That's certainly not what you would expect or want. To check if your browser is affected by this issue, please perform the following test:

Use WebRTC Network Limiter for Chrome.
Configures how WebRTC's network traffic is routed by changing Chrome's privacy settings.

The test is passed if you see only your local IPs or no IP at all.
More from the source

At the moment, there is no way to completely block WebRTC in Google Chrome.
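The pass criterion above ("only your local IPs or no IP at all"), as an added example that is not part of the original post: it parses ICE candidate lines, the form in which WebRTC reports addresses, and flags any public address. The sample lines are constructed, and treating private, loopback, link-local and mDNS `.local` addresses as "local" is an assumption.

```javascript
// Added example (not from the original post). SAMPLE_CANDIDATES is constructed;
// 203.0.113.7 is a documentation address standing in for a real public IP.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "a=candidate:2 1 udp 2122194687 3f2a9c1e-aaaa-4bbb-8ccc-123456789abc.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
];

// Assumption: "local" = mDNS name, loopback, link-local or private-range address.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "local";              // mDNS-obfuscated host candidate
  if (a.includes(":")) {                                  // IPv6 literal
    if (a === "::1") return "local";                      // loopback
    if (/^fe[89ab][0-9a-f]:/.test(a)) return "local";     // fe80::/10 link-local
    if (/^f[cd][0-9a-f]{2}:/.test(a)) return "local";     // fc00::/7 unique local
    return "public";
  }
  const parts = a.split(".");
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) return "invalid";
  const [o1, o2] = parts.map(Number);
  if (o1 === 10 || o1 === 127) return "local";            // 10/8 and loopback
  if (o1 === 172 && o2 >= 16 && o2 <= 31) return "local"; // 172.16/12
  if (o1 === 192 && o2 === 168) return "local";           // 192.168/16
  if (o1 === 169 && o2 === 254) return "local";           // 169.254/16 link-local
  return "public";
}

// Extract the connection address and candidate type from one candidate line.
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { address: f[4], type: f[7] };
}

// Pass criterion from the post: only local addresses, or none at all.
function evaluateLeakTest(lines) {
  const exposed = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c && classifyAddress(c.address) === "public" && !exposed.includes(c.address)) {
      exposed.push(c.address);
    }
  }
  return { passed: exposed.length === 0, exposed };
}

console.log(evaluateLeakTest(SAMPLE_CANDIDATES));
```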

WebRTC (Web Real-Time Communication)
What is WebRTC?
Is your local IP visible ?

IP Leak:
To our beloved customers and all VPN users everywhere,
In order to test our application's strength, we have long used internal tools run under different circumstances/environments.  
We would like to make all of these tools available to all netizens, everywhere:

DNS Leak
Test to ensure that your DNS requests are not leaking out of the VPN tunnel.

IPv6 Leak
Test to ensure that your machine is not able to submit requests to IPv6 Networks.

E-Mail IP Leak
Test to ensure that your e-mail client is not including your local IP address on send.

The Badkey Team

Sophos UTM Up2Date 9.351003 package and Sophos UTM Home Edition
11/10/2015
Firmware version: 9.351003

We just did the upgrade in the OTAP.


Sophos (and Astaro before them) did a nice thing in allowing Home Users to run the product for up to 50 internal IP addresses for free.  
You can download the home version of the product here, including a VMware Appliance, which is what I use.

Sophos Blog on up2date:

Up2Date 9.351003 package description:

 System will be rebooted
 Configuration will be upgraded
 Connected Wifi APs will perform firmware upgrade

 Maintenance Update

 Fix [35866]: Customized web templates, problems with Block All mode
 Fix [35867]: Typo on QoS status tab in German webadmin
 Fix [35868]: HTTP Proxy freezes after config change
 Fix [35869]: SSL VPN text for Windows in User Portal is always English
 Fix [35870]: Mail Manager POP3 Quarantine global actions do not work
 Fix [35871]: POP3 Proxy passes read receipt header for blocked messages
 Fix [35872]: "AV Scanner unreachable" mails should be moved to error queue instead of quarantine.
 Fix [35873]: HTTP Proxy core dump during ATP Reload
 Fix [35874]: ctasd permanently segfaults on slave node
 Fix [35875]: Sessions for SSL VPN are not listed in reporting if the username consists of numbers only
 Fix [35876]: Access control in site path routing didn't work as written in the online help
 Fix [35877]: Number of concurrent connections is rising constantly.
 Fix [35878]: Allow to set cipher list and protocols for WebAdmin
 Fix [35879]: Firmware-Updates triggered via SUM are not installed on the UTM
 Fix [35880]: Encoding errors for japanese words on Terms of Use
 Fix [35881]: awed and confd consume a lot of CPU time
 Fix [35882]: Improve process scaling for SMTP Proxy
 Fix [35883]: Remote Log File Archive: Notification was not sent "File too large"
 Fix [35884]: Update from 9.2 to 9.3 with deactived REDs as part of a bridge will prevent opening of interfaces-tab in webadmin
 Fix [35885]: DLP slows down mail delivery drasticly
 Fix [35886]: undefined error message on DHCP-Relay activation when interface is used by DHCP server
 Fix [35887]: Dashboard is not displayed if you use "Asia/Beijing" as timezone
 Fix [35888]: Bridge to LAN network on both Internal WiFi & External AP not accessible via External AP
 Fix [35889]: disabled shortcuts in webadmin will be displayed as "OFF +X"
 Fix [35890]: QR Code is missing on voucher in customer template
 Fix [35891]: Scoreboard is full message in reverse proxy log
 Fix [35892]: Sorting websites by tag doesn't work
 Fix [35893]: Temp files not removed from /var/log/tmp on slave node after remote logfile archive
 Fix [35894]: Pop-up disappears if you want to save CSV/PDF report with right click
 Fix [35895]: Typo in default Subject line for SMTP Data Protection end-user messages
 Fix [35896]: SPX: 404 if recipients are only in bcc
 Fix [35897]: Reporting show blocks from AFC from networks which are in the exception list
 Fix [35898]: adbs-maintenance running indefinitely
 Fix [35899]: 125w r2 Internal Wifi adapter Spurious quick kickout
 Fix [35900]: Endpoint antivirus policy won't be displayed correctly in German webadmin
 Fix [35901]: Avscan notice while trying to transfer data with a AS2 connection via WAF
 Fix [35902]: "cannot create socket" AV error messages for sites behind the WAF
 Fix [35903]: Authentication pop-up when warned extensions are proceeded on HTTPS sites
 Fix [35904]: SMTP scanner timeout/deadlock if DLP enabled
 Fix [35905]: Network monitor daemon segfault / coredump (again)
 Fix [35906]: Kernel: enable x2apic
 Fix [35907]: Facebook does not work properly in IPv6 mode when transparent proxy is used
 Fix [35908]: Swap space change via confd to AWS UTM instance doesn't survive reboot
 Fix [35909]: Coredumps from httpd after update to v9.314
 Fix [35910]: Email encryption: causes mdw to die
 Fix [35911]: Winbindd: Exceeding 16.000 client connections
 Fix [35912]: Uploading a modified template in hotspot results in Webadmin warning
 Fix [35913]: ad-sync script failing due to invalid credentials
 Fix [35914]: DHCP option 234 for APs to connect to another UTM than the main UTM
 Fix [35915]: SSO password parsing error with & character
 Fix [35916]: VoIP Telephone can't connect to new AP model
 Fix [35917]: packetfilter rule will not apply automatically if services are in groups
 Fix [35918]: Webadmin: searching in the logfiles with "-c" will print a count of matching lines instead of "searchresult"
 Fix [35919]: Webadmin alternating displays "cff_profile_name" and "name" attribute on Web Filter Profiles tab
 Fix [35920]: Connection to is not working properly through HTTP Proxy
 Fix [35921]: HTTP Proxy locking up intermittently
 Fix [35922]: HA/Cluster Up2Date doesn't complete if BIOS time is not UTC and TZ is < GMT

RPM packages contained:

The Badkey Team

Sophos UTM Up2Date 9.350012 package
09/28/2015 11:11 PM
Firmware version: 9.350012

We just did the upgrade in the OTAP.


Up2Date 9.350012 package description:

Add support for new RED15 devices
Mesh support for AP15, AP55, AP100 in 2.4GHz
Update AppCtrl engine

Fix [34890]: REDs disconnected when connecting more than 270 concurrent RED tunnels
Fix [35338]: Bridge with RED: No warning that RED-interface will be removed from bridge when RED will be deactivated

RPM packages contained:

The Badkey Team

Badkey deactivate robots.txt on Domino / Lotus Notes
09/28/2015 11:36 PM
Today I have disabled the 'robots.txt' on,
just to get the information on the web.
Also have a look at my personal Google+ page.

Google Status:

About /robots.txt

IBM Redbooks:
Best Practices for Domino Web Application Development.


The Badkey Team
my personal Google+ Page

CentOS Linux Kernel Update 2.6.32-504.30.3 Released
07/30/2015 01:55 PM
We just upgraded OTAP to CentOS kernel 2.6.32-504.30.3.

Resolved CVEs:

Full details can be found

The Badkey Team

Sophos UTM Up2Date 9.314013 package.
07/30/2015 01:09 PM

Sophos UTM Home Edition
Home Free Use Firewall is a fully equipped software version of the Sophos UTM firewall, available at no cost for home users – no strings attached.
It features full Network, Web, Mail and Web Application Security with VPN functionality and protects up to 50 IP addresses.

Firmware version: 9.314013


We just did the upgrade in the OTAP

UTM Up2Date 9.314 Released

The Badkey Team

Badkey migration to Google Apps
02/20/2015

During Q1 2015 Badkey started Domino 9; now Badkey is running IBM Notes and Domino 9 64-bit.


We have to move to the next stage "Go to Google Apps".

I still have 2 mailboxes that I have to move to Google.

Yep, 2 NSF files.

What migration can I use? Please e-mail me for a solution at:

The Badkey Team

Sophos UTM 9.3 firewall and Sophos AP30 access point
11/29/2014 01:04 PM
Free firewall for home usage.
Sophos UTM Home Edition

We just did the upgrade to Version: 9.301002

We also installed an AP30 on the network:

Technical Specifications AP 30

Simplify your wireless networking by using Sophos UTM as a wireless controller to centralize your Wi-Fi management and security. Our access points are automatically set up and configured by the UTM. That means all your wireless clients get complete threat protection too.

  • Centrally controlled wireless from your UTM
  • No local configuration of access points required
  • Complete UTM protection for wireless clients
  • Quick voucher-based guest access
  • Choose from a range of access-point models
  • Uses high capacity 802.11n for reliable access
  • Installs fast with automatic setup and configuration
    You can set up multiple wireless Access Points (APs) within minutes. They require no local configuration and will simply find the controller, retrieve their IP address via DHCP, and import the configuration. Devices automatically appear in the UTM interface where you can manually activate them.
  • Creates reliable mesh networks
    Our range of access points support different deployment scenarios. They include the ceiling-mount design AP 30 and the dual-band/dual-radio AP 50 which acts as a repeater and/or bridge to extend coverage to hard to wire areas.
  • Provides guest Wi-Fi and BYOD access
    We give you secure, easy-to-manage guest access out-of-the-box – without extra appliances, licenses or complex configuration. Customizable splash pages, bandwidth limits, on-the-fly guest logins and content filtering allow you to customize your guest experience.
  • Secure wireless and integrated UTM protection
    To prevent unauthorized access we use the most advanced encryption and authentication standards available, including WPA2-Enterprise in combination with IEEE 802.1X (RADIUS authentication). And, our APs forward wireless traffic to the UTM, giving wireless clients the same level of security as if they were physically connected to the LAN.

Sophos UTM Advantage (9.3) is coming soon – find out what’s new!

Major New Things:

Live AV Lookups in E-Mail Protection
Introduced in UTM 9.2 for Web Protection, Live AV lookups now come to the E-Mail Protection to further increase the protection surface of UTM. This option will improve the malware detection rates by consulting the cloud infrastructure from SophosLabs for possible threat matches.

SPX Self-Registration
With the self-registration feature, recipients of an SPX encrypted email now are offered the option to register themselves through an online-portal where they will be able to create, reset and recover passwords to access their encrypted emails. This will eliminate the need to manually communicate passwords to recipients of encrypted email.

SPX – Support Attachments on Reply Portal
When replying to an SPX-encrypted email, now recipients can add attachments to their message so that the full communication now can be encrypted in both ways.

Policy Tagging
With UTM 9.2 we introduced the ‘Website List’ feature where customers can add URLs and override the category. URL tagging extends this feature by allowing customers to apply zero or more custom tags, or labels to URLs. They can then use these tags in Web Policy to fine tune actions for specific sites. For example, if a customer has a restrictive policy but needs to access customer websites that would otherwise be blocked, they can add their customer sites to the Website List, tag them as ‘Customer Sites’ and then modify the policy to enable access to the ‘Customer Sites’ tag.

Time Quotas
For many web gateway use cases it makes sense to offer ways to allow users access to personal websites for a limited time period. With the new feature in Web Protection, administrators can now set up time quotas allocations that can be assigned to specific sites, categories or groups of categories for specific users or groups. Users will be warned that they're using their quota. When a quota expires, they'll be informed accordingly.

Selective HTTPS filtering
To allow more flexibility and provide better performance we have implemented an option to allow selective HTTPS filtering. This will help security-conscious organizations to perform the important scans in HTTPS, such as (a) detecting malicious content, (b) identifying search terms and enforcing safe search for Google and other search engines, and (c) scanning webmail traffic for DLP, only for specific sites.

Support for new hardware SG1xx, SG5xx and SG6xx
This release will add support for new hardware we are going to introduce later this year and will further extend our hardware product line. The support added includes SG1xx, SG5xx, SG6xx appliances as well as the new access points AP15 and AP100.

Hotspot improvements
We built an interface to communicate with Micros Fidelio hotel management software via the FIAS protocol. In addition, we have implemented support for HTTPS and the possibility to set up hotspots in a more multi-tenant fashion.

Multiple bridge support
Many advanced firewall configurations – especially when the UTM is not the main gateway – can be solved more easily by simply allowing multiple bridges. With the introduction of this feature we at the same time cleared up the configuration options in the UTM Webadmin by moving the bridge configuration directly into the interfaces pane.

Minor Things:

VLAN DHCP & Tagging
We removed some restrictions around VLANs to make the life of an admin easier. First, we now allow DHCP on VLAN interfaces. Secondly, we now allow tagged and untagged interfaces on the same hardware.

True File Type Detection
In our web and mail proxy we now allow detection of file types inside a downloaded archive file (zip, rar, …). This allows blocking based on file types included in those archives – rather than blocking archive files in general.

Sophos Customer Support secure access to UTM
With increasing number of global support sites with different IP ranges, it is also increasingly complex for customers to allow Sophos Support teams access to their UTM via Webadmin and SSH. Therefore we implemented a function inside Webadmin that allows simple and secure access by Sophos Support on request and under control of the customer.

WAF allow/block lists
For the Web Application Firewall we now added lists to allow and block IPs, which now is possible in the sitepaths.

WAF wildcard extension
Exceptions for internal servers now allow wildcards also in the middle of the server path. This allows admins to easily add exceptions for multiple servers effectively eliminating the need to maintain long lists in Webadmin.

WAF prefix/suffix option
Some environments, most notably Microsoft servers like Exchange and Sharepoint, require UPN/domain-style user names for log in. By adding an option to append a prefix or suffix to usernames customers now are able to add e.g. a default domain to facilitate the use in such environments.

HyperV 3.5 Support
The UTM 9.3 now fully supports Microsoft Hyper-V Server 2012 R2. We are incorporating MS Integration Tools v3.5 for Hyper-V which include the latest drivers and additional capabilities like high availability and load balancing.

Other New Things:
[Web] We have enhanced the https performance by several proxy improvements.
[Mail] Added fonts for Greek, Japanese, Chinese, Cyrillic PDF documents generated by SPX-encrypted emails.
[Mail] Added header manipulation possibilities in emails, in order to give customers the option to add/delete multiple headers to the message envelope.
[WiFi] Added Automatic Channel Selection (ACS), utilizing background scanning.
[AppCtrl] Updated Application Control Engine adds better support for ATP and broader application coverage as well as IPv6 support.
[WAF] Added a setting to change WAF performance parameters
[WAF] Ability to upload custom rules (backend enablement required)
[WAF] Added scan size limit configuration

The Badkey Team
