Posts Tagged ‘security’
Insecurity by Non-Obscurity
I was a bit shocked and disheartened tonight to discover that my WordPress version was being broadcast to the world without me knowing it. It’s something that I hadn’t ever really given much thought to, mostly because I always assumed that a piece of information like that wasn’t being given out. What was even more disheartening to me was what I discovered as the method for disabling this broadcasting of my version number. The easiest way, by far, was to just install the Secure WordPress extension (or I could dive into a bit of their PHP code and have to make the change with each upgrade, not so much fun). Not so long ago, there was a huge ordeal about a vulnerability in WordPress 2.8.3 that allowed an attacker to reset an admin password very easily. No wonder they urged us to upgrade so quickly – your vulnerability was being broadcast.
The sad part is, broadcasting this version number isn’t something that can be disabled using the built-in settings. I don’t know what the rationale is, but one either has to edit the functions.php file in WordPress directly, or install the plugin mentioned above.
Anyway, this got me thinking about plenty of other open source software that I’ve disguised over the years. For instance, perform a fresh install of Ubuntu 8.04 with the LAMP stack and you’ll see version details listed in the response headers that are as specific as this:
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch Server
Yup, there it is, script kiddies. Bust out Metasploit and eat your hearts out. In this case, if one leaves the defaults enabled, the server major version, minor version, PHP version, OS, and WordPress version all are exposed. That leaves a pretty nice little attack vector.
Of course, hiding these things doesn’t mean that anything is secure. On the contrary, one must go far deeper than that. I am just disappointed in so many open source projects that cut down the time needed for any script kiddies to start playing with my public services.
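As an added illustration (this code is not from the original post or from WordPress or Apache), the self-check below scans a response the way a defender would audit their own site: it pulls product/version tokens out of the Server and X-Powered-By headers, the OS hint in parentheses, the WordPress generator meta tag, and the ?ver= query strings WordPress appends to its enqueued assets. The sample responses are constructed; the header mirrors the Ubuntu 8.04 banner quoted above and the hardened variant shows what the same site looks like once the banners are trimmed.

```python
import re

# Constructed sample responses (not captured from a real host). The Server
# header mirrors the Ubuntu 8.04 LAMP banner quoted in the post above.
LEAKY_HEADERS = {
    "Server": "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch",
    "X-Powered-By": "PHP/5.2.4-2ubuntu5.9",
    "Content-Type": "text/html; charset=UTF-8",
}
LEAKY_BODY = """<html><head>
<meta name="generator" content="WordPress 2.8.3" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=2.8.3" />
</head><body>hello</body></html>"""

# The same site after ServerTokens Prod, expose_php = Off and removal of the
# generator tag: only the product family remains (constructed sample).
HARDENED_HEADERS = {"Server": "Apache", "Content-Type": "text/html; charset=UTF-8"}
HARDENED_BODY = ('<html><head><link rel="stylesheet" href="/style.css" />'
                 '</head><body>hello</body></html>')

# "Product/1.2.3-build" tokens as they appear in Server and X-Powered-By.
PRODUCT_VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d[\w.~+-]*)")
# Parenthesised OS hint, e.g. "(Ubuntu)" or "(Win32)".
OS_HINT_RE = re.compile(r"\(([^)]+)\)")
# <meta name="generator" content="WordPress 2.8.3">
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
# WordPress appends ?ver=<core version> to enqueued assets without their own version.
VER_PARAM_RE = re.compile(r"[?&]ver=(\d+(?:\.\d+)+)")

# Headers worth inspecting; the canonical spelling is what gets reported.
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")


def find_version_leaks(headers, body):
    """Return (location, product, version) triples for every disclosure found.

    `headers` is a dict of response headers (any case), `body` the HTML text.
    """
    findings = []
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in BANNER_HEADERS:
        value = lowered.get(name.lower())
        if not value:
            continue
        where = f"header:{name}"
        tokens = PRODUCT_VERSION_RE.findall(value)
        for product, version in tokens:
            findings.append((where, product, version.rstrip(".")))
        # Bare version values (e.g. X-AspNet-Version: 4.0.30319) carry no product token.
        if not tokens and re.match(r"\d", value.strip()):
            findings.append((where, name, value.strip()))
        for os_hint in OS_HINT_RE.findall(value):
            findings.append((where, "os", os_hint))
    match = GENERATOR_RE.search(body)
    if match:
        parts = match.group(1).strip().rsplit(None, 1)
        product = parts[0]
        version = parts[1] if len(parts) == 2 else ""
        findings.append(("body:generator", product, version))
    for version in sorted(set(VER_PARAM_RE.findall(body))):
        findings.append(("body:ver-param", "asset", version))
    return findings


def leak_report(headers, body):
    """Human-readable summary; an empty string means nothing was disclosed."""
    lines = [f"{where}: {product} {version}".rstrip()
             for where, product, version in find_version_leaks(headers, body)]
    return "\n".join(lines)


if __name__ == "__main__":
    print("Default Ubuntu 8.04 LAMP + WordPress:")
    print(leak_report(LEAKY_HEADERS, LEAKY_BODY) or "  (clean)")
    print("\nAfter hardening:")
    print(leak_report(HARDENED_HEADERS, HARDENED_BODY) or "  (clean)")
```

To feed it a live response, pass the header dict and body text from whatever HTTP client you already use. On the server side the matching knobs are `ServerTokens Prod` and `ServerSignature Off` in the Apache configuration, `expose_php = Off` in php.ini, and `remove_action('wp_head', 'wp_generator');` in a theme’s functions.php for the meta tag; note that the ?ver= query strings survive the last of those, which is why the scanner checks asset URLs as well as the generator tag.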
Tags: linux, security, ubuntu
Filed under Tech Trends :
Jan 18th, 2010
The Business of Full Disclosure
I’ve been enjoying reading an interesting conversation at krebsonsecurity.com surrounding news that a security firm in Russia is disclosing a number of vulnerabilities in a number of web and database server applications. They are releasing details over this week and the next two.
For as long as I’ve cared, I’ve always considered myself more of a “responsible disclosure” kind of a person. That is, until I heard an interesting argument that I’ve never seen very clearly articulated before. As a sysadmin, when a vulnerability in a web server (for instance) is disclosed, one can monitor for someone trying to exploit that vulnerability and stop it (or at least log what happens). Without that disclosure, one has no idea what software is vulnerable; the flaw is known only to some black market somewhere. It’s odd, but humans are comforted in that way. It’s kinda like knowing that a $500 repair is coming for one’s car. It’s a much easier pill to swallow when one knows about it, say, a month or so in advance rather than being surprised by it.
However, there’s still a piece of the rationale behind Intevydis’s stance on immediate full disclosure that I still don’t quite grasp. Quoting from their blog:
You – ABCD company, making N millions per year selling your buggy XYZ product all over the world, why are you asking to give the results of the hard work during many years for free? Instead of wasting your and our time would not it be better to allocate resources to enforce good coding practices for all your amateur software developers?
Okay, so the main argument here is that they don’t want to give away their research for nothing. That is absolutely a fair thing to ask for. Knowledge and research aren’t cheap, so they’re not something that many people want to give away for free. I get it. However, I have to ask: How is full disclosure better than “responsible disclosure” (I’m using the quotes because I’m not sure how responsible so-called “responsible disclosure” is anymore) in that respect? Seriously, you don’t get paid for posting a blog entry about the latest exploit in [insert your favorite CMS here] that allows others to break into those CMSs quite easily every time one is found on the web.
And another thing, exactly whose time are we wasting here? The developers of the software are obviously not wasting their time since they’re drawing in ‘N millions’ of dollars for the software they created. Yet the research group is the one disclosing that they’ve found a vulnerability in the software, but they won’t tell anyone what exactly the flaw or bug is. Wait. Whose time have we wasted now? My time for reading the report and yours for researching, finding, and sort of disclosing the vulnerability? Yes, that’s exactly whose time was wasted. Of course, if one gets to this point in the game and wants money, they’re likely going to be written off as a blackmailer, but let’s be real. Either do work for pay or don’t complain about someone wasting your time for wanting you to back up claims with proof.
I really can’t grasp why full, immediate disclosure of vulnerabilities helps the problem of a revenue stream for this security company over “responsible disclosure”. There are a few indirect ways that these kinds of things can help their revenue such as consulting jobs due to exposure for finding a vulnerability. Of the ways that I can think of, though, there’s still room for a bit more of a “responsible disclosure” strategy than they are acknowledging. Not only that, but they’ve essentially burned a bridge with any software company that might hire them to do a penetration test on their network when they piss off said company.
There are a ton more angles to this discussion that I simply don’t have time for, nor do I suspect anyone would read much of it. However, I would like to hear from anyone who disagrees or has more to add to the discussion in the comments below.
Tags: security
Filed under Tech Trends :
Jan 12th, 2010
Once Again, Social Engineering Proves Much Easier Than Real Engineering
Whatever Twittercut was or wasn’t, it does seem to have proved, once again, an already-known fact about computer security: sometimes it’s easier to just ask someone for their username and password than to try to steal them. Twittercut was a service that has been called a worm by several blogs and other outlets because of its use of viral social techniques for spreading its popularity. The service was supposed to help one receive a large number of Twitter followers after one entered one’s Twitter username and password into their service. This is no different from a lot of services out there for Twitter. However, when it started posting tweets in accounts, people got a little freaked out. Right or wrong, that’s what happened.
What’s important here, though, is the lessons learned. People, for some reason, seem to be all loosey goosey about their credentials to services such as Twitter. This is okay as long as one isn’t terribly concerned about those credentials being stolen. However, if one maintains a single password for all (or even a majority of) accounts online, this can be a devastating problem. Once inside your Twitter account, a “thief” can get your email information. Once again, not a huge deal unless you share your password with your email account. If that is the case, then things get interesting. Access to one’s email can potentially be the key to breaking into other accounts that you hold. Why? Most online services allow you to fill in your username and send a password reset link to your email address.
Okay, so I took that much further than it was taken in this case, but often some of the most devastating worms are just that simple. Hopefully people who found themselves caught up in handing out usernames and passwords like they’re candy can get a little reality check after this scare.
Tags: security, twitter
Filed under Tech Trends :
May 27th, 2009
Adobe Confirms 0-Day Vulnerability With No Patch
Yesterday SecurityFocus posted a piece of code that could exploit the current and a couple of older versions of Adobe Reader. Today, Adobe has acknowledged the 0-day vulnerability and advises users to disable JavaScript in the PDF viewer. The vulnerability exists in the Windows, Mac, and Linux versions of the reader and allows code execution with the privileges of the user running the application. Since the problem lies in Adobe’s implementation of JavaScript, Adobe has recommended disabling JavaScript in the application until a patch has been released.
According to ComputerWorld, some security researchers have gone so far as to tell users to switch PDF viewers. Personally, I don’t have a need for Adobe Reader since OS X has Preview and Ubuntu comes with Document Viewer “out of the box”. If you must continue to use Adobe Reader, the option can be found here once you are in the Preferences (you can reach it from several places in the menu in each OS, but the window looks the same once you are in):

Tags: adobe, security
Filed under News :
Apr 29th, 2009
Conficker is Alive
The makers of Conficker are no longer April-foolin’ around. The virus spread around for months using a Microsoft vulnerability in Windows that was patched in October, but was idle until April 1. On that April 1 date, the virus started retrieving instructions from the makers, turning any infected machine into a member of a giant botnet. It has been estimated that over 12 million PCs have been infected so far. At first, the virus did nothing. Now, it’s been reported that the virus is active and downloading payloads.
A lot of speculation went into what the makers’ intent for the virus was. It appears that we know their intent – for now. The virus is spreading fake pay-for software, tricking users into buying fake antivirus software and other assorted fakes to make money.
Tags: microsoft, security, virus, windows
Filed under News :
Apr 12th, 2009