Archive for the ‘security’ Category

Three Oh Five – WordPress Upgrade is out


2011.02.08

The upgrade to 3.0.5 was released yesterday. From the release notes:

Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.

One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.

Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in previous release.

Download and upgrade now!

Expire private images to protect privacy on the Internet?


2011.01.11

A new product over at x-pire.net (which redirects to x-pire.de) was unveiled in Germany today, with the aim of embedding expiry times and information into images so that they cannot be viewed after a certain time. In that way there should be a maximum lifespan for digital images on the web, to prevent future embarrassment, misuse etc. At this stage, the prototype is available as a plug-in for Firefox (with other browsers to follow), and expounds the idea of a ‘forgetful internet’ so that information is not immortal on the web. (more…)

Upgrade to WordPress 3.0.4 – HTML Sanitation bug


2010.12.30

From the WordPress Development Blog:

Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download here, is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.” (more…)

Stuxnet lessons – and resources


2010.11.27

Just a quick grouping of resources relating to Stuxnet analysis, after the targeted infections of the frequency converters made by the Vaasa, Finland based Vacon (though Vacon publicly denies this) and by the Iranian company Fararo Paya.

The bottom-line takeaway: never use default passwords (the particular attack vector against the PLCs and SCADA systems), and keep systems patched (4 zero-day Windows-based attacks). And don’t allow USB devices on a production network (the entry point of the 0.5Mb virus written in C and C++)… (more…)

Proxying all Linux Traffic – set web access for Ubuntu behind a proxy


2010.10.22

So that it’s documented… I’m using port 8080 as the default port, since the likelihood of your upstream proxy being on 8080 is high; otherwise, typical proxy ports are, of course, 80, 800 (transparent), 8000 and 3128 (squid).

To force your server to send web traffic via a proxy, there are just two quick things to set: in /etc/environment, export one (or two) variables: (more…)

MTN Business Data lines crash – down again


2010.08.30

Last time, generator maintenance in Johannesburg took everything offline.

There was just a notification with the subject line “unknown” (referring to the categorisation of the issue) at 14h22:

SYMPTOMS EXPERIENCED: Intermittent Degradation in Service
SEVERITY: Critical (more...)

WordPress 3.0.1 – I’m sure you’ve upgraded already


2010.08.09

I’m sure you’ve done it already, but WordPress 3.0.1 (a maintenance release) has been out since Friday, and you should have upgraded (and updated the database) already by downloading the 3.0.1 version.

List of revised files:

(more…)

Kindle Firmware upgrades


2010.07.25

Remember to upgrade your Kindle from Amazon: there’s a new firmware upgrade available, taking the system to version 2.5.2 (24.3MB, so you may want to transfer it via USB…) (more…)

Secure SSH Tunneling – at no extra cost


2010.06.19

Assuming you have a Windows machine and you interact with Linux boxen at any stage, chances are high that you have used PuTTY at one point or another. That beautiful 444K download (less than 2 seconds) of a tool, currently at version 0.60 beta, lets you use SSH, direct COM-port connections, RSH, Telnet etc. from the desktop. Both examples below relate to MySQL port tunneling.

SSH Tunnels using the Bash command line

Running on a proper machine (or even a Windows with Cygwin or a Mac Terminal) allows you to quickly tunnel a session to a remote server: (more…)

Adobe Flash and Adobe PDF zero-day critical vulnerability in the wild.


2010.06.05

From Adobe‘s advisory:

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. This advisory will be updated once a schedule has been determined for releasing a fix.

Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions on Windows, Macintosh, Linux and Solaris are affected, as well as Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX. So it’s kinda big. What to do? (more…)

Symlinks (symbolic links) in Samba Ubuntu for Windows


2010.06.04

To enable symlinks in Samba for file sharing across platforms in Windows, modify

/etc/smb/samba.conf

and add in the [global] section:

follow symlinks = yes
unix extensions = no

There has been some discussion about

wide symlinks = yes

However, because of the directory traversal attack against Samba servers from Windows clients that this enabled, back in February 2010, you may want to explicitly set wide symlinks to no. It works without that declaration, and the option is no by default.

Security Summit 2010 Wrap-Up


2010.05.14

So the Security Summit 2010 has come to an end. Featuring speakers such as Moxie Marlinspike, Joe Grand and Jeremiah Grossman (again), it’s a pity to say that not much new was presented. With repeated concerns about input and output validation (which the OWASP Top 10 for 2010 highlights, and which were used as a repeated example) and a call for a holistic approach to a company’s security posture, the idea of making the thought (and practice) of security part of the organisation’s culture came through over and over again. (more…)

Security Summit 2010


2010.05.09

So, it’s that time of the year again – Security Summit 2010 in Sandton, Johannesburg. Items on the agenda include:

  • The business of security – Threat horizon 2010 and beyond, legislation (PPI), risk, compliance, standards (PCI), security metrics, social networking, web application security, web services, web 2.0 and more.
  • Technical/operational security – Top 10 hacks, botnets, trojans, smartphone security, cloud computing, virtualisation, SaaS, practical return-oriented programming techniques, web application server attacks, defeating SSL, exploiting Microsoft DEP and more. (more…)

clamav 0.94 finally reaches end of life


2010.04.16

clamav finally sent the end-of-life payload yesterday evening. 0.96 is the current version, so it’s been a good run :)

Possible symptoms you experienced:

  • Repeated notifications: WARNING: getpatch: Can't download daily-
  • All freshclam mirrors are ignored
  • Your mailq fills up with detailed MAILER-DAEMON messages referring to the End-of-Life nature of clamav 0.94
  • (… add your own here…)

But they warned they’d do this in October 2009:

Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 – that is to say older than 1 year.

This move is needed to push more people to upgrade to 0.95.
We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV.
The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors. (more…)

Clamav errors on upgrade to 0.96 clamd and clamav-milter


2010.04.03

Some updates to the yum-sent clamav-milter.conf and (to a lesser extent) clamd.conf may be necessary.

After an automatic yum-update of the clamd family on RHEL, there’s a disparity between where clamav-milter expects to reach clamd and the socket or port clamd actually serves: clamav-milter doesn’t know which to use (a local socket on unix:/tmp/clamav.socket or tcp:127.0.0.1), so you need to tell it. Otherwise, you get messages such as the below in your clamav-milter.log:

clamav-milter[5149]: No clamd server appears to be available
ERROR: Failed to initiate streaming/fdpassing

So make sure the ClamdSocket in clamav-milter.conf points to the LocalSocket that clamd.conf says clamd is listening on. So if clamd.conf has

LocalSocket /tmp/clamd.socket

clamav-milter.conf should have

ClamdSocket unix:/tmp/clamd.socket

Otherwise, if clamd listens on TCP at 127.0.0.1 on the default port, just set ClamdSocket as below:

ClamdSocket tcp:127.0.0.1

Also, be sure to do an sa-update.

Simple, eh? But you knew that already! :)
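To catch this mismatch before clamav-milter logs “No clamd server appears to be available”, here is an added POSIX sh check (not from the post or from the ClamAV project) that reads both files and reports whether any ClamdSocket entry matches the LocalSocket or TCPSocket/TCPAddr listener in clamd.conf. It assumes clamd’s defaults: a tcp:HOST entry without a port means 3310, and a clamd.conf with no TCPAddr binds all addresses.

```shell
# Added example, not from the post: does clamav-milter's ClamdSocket point at
# the socket/port that clamd.conf actually configures? Prints a diagnostic per
# mismatched entry and returns 1 when nothing matches, 0 otherwise.
# Assumed defaults: ClamdSocket tcp:HOST without a port means 3310, and a
# clamd.conf without TCPAddr binds all addresses (so any host is accepted).
check_clamd_milter_sockets() {
  clamd_conf=$1
  milter_conf=$2

  # Active (uncommented) listener directives in clamd.conf; the last one wins.
  local_socket=$(awk '$1 == "LocalSocket" { v = $2 } END { print v }' "$clamd_conf")
  tcp_port=$(awk '$1 == "TCPSocket" { v = $2 } END { print v }' "$clamd_conf")
  tcp_addr=$(awk '$1 == "TCPAddr" { v = $2 } END { print v }' "$clamd_conf")

  matched=0
  for sock in $(awk '$1 == "ClamdSocket" { print $2 }' "$milter_conf"); do
    case $sock in
      unix:*)
        path=${sock#unix:}
        if [ -n "$local_socket" ] && [ "$path" = "$local_socket" ]; then
          matched=1
        else
          echo "$sock: clamd LocalSocket is '${local_socket:-unset}'" >&2
        fi
        ;;
      tcp:*)
        hostport=${sock#tcp:}
        host=${hostport%%:*}
        port=${hostport#*:}
        [ "$port" != "$hostport" ] || port=3310   # no explicit port given
        if [ -n "$tcp_port" ] && [ "$port" = "$tcp_port" ] \
           && { [ -z "$tcp_addr" ] || [ "$host" = "$tcp_addr" ]; }; then
          matched=1
        else
          echo "$sock: clamd TCP listener is '${tcp_addr:-*}:${tcp_port:-none}'" >&2
        fi
        ;;
      *)
        echo "$sock: unknown scheme, expected unix:PATH or tcp:HOST[:PORT]" >&2
        ;;
    esac
  done

  [ "$matched" -eq 1 ] && return 0
  echo "no ClamdSocket entry in $milter_conf matches clamd's listener" >&2
  return 1
}
```

Run it as `check_clamd_milter_sockets /etc/clamd.conf /etc/clamav-milter.conf` after a yum update and before restarting the milter.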

Step-by-step virus disassembly


2010.03.30

Over at SkullSecurity they’ve done a great job of a step-by-step disassembly of the Energizer Trojan using IDA. Working in a sterile environment, they go through the code to give you an insight into the workings of its “obfuscation” (or lack thereof), backdoor management (on port 7777) and more.

Good beginner’s intro with pretty pictures :)