Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
SECURITY MATTERS
A BLOG BY SECURITY EXPERT MARK JOSEPH EDWARDS    

[9/9/2009]  
Microsoft Releases 5 Critical Patches

Microsoft unleashed a series of critical security patches during its September software update cycle. Affected products include the JScript Scripting Engine, the Wireless LAN AutoConfig Service, Windows Media Format (WMF) files, the Windows TCP/IP stack, and the DHTML Editing Component ActiveX Control. All of the vulnerabilities can lead to remote code execution. Details about these problems are available in the company's Security Bulletin Summary for September 2009.
- posted by Mark Joseph Edwards

[9/9/2009]  
WordPress 2.8.4 Fixes A Big Security Hole

Time to upgrade your WordPress sites. A vulnerability in versions prior to 2.8.4 could let the bad guys reset passwords. This particular problem might only be a nuisance, since it doesn't necessarily let someone commandeer your user account. But there's a nasty worm infiltrating sites based on an older vulnerability in the code. So if you're running an older version of WordPress - something prior to version 2.8.3 - then you might find your site has been taken over. The worm takes advantage of a problem with the "permalink structure" (URL rewriting technology) used by WordPress to infiltrate the system. It can then gain admin-level access to the blog and begin taking other actions, such as modifying post content, adding new comments, and so on. Cleaning up after the worm isn't exactly simple in all cases either. It's much easier to keep the software up to date to avoid these kinds of problems. You can get the latest WordPress code at the site's download page.
- posted by Mark Joseph Edwards

[8/13/2009]  
How To Help Secure HTTP Data Without SSL

If you don't have SSL available to protect data sent via HTTP, you can still help protect that data in transit using a little jQuery magic. Check out the jCryption library. It uses RSA public key technology along with jQuery to help obscure data. You can use key lengths up to 2048 bits, and the library also supports using Ajax to send the data. Pretty slick stuff, and very handy for sites that don't have SSL enabled!
- posted by Mark Joseph Edwards

[8/12/2009]  
SecureTweets for Twitter

As you probably know, Twitter is hugely popular, and countless tweets (micro blog posts) contain links to other sites. One problem with embedding URLs at Twitter is that at some point Twitter will convert URLs using URL shortening services, such as http://bit.ly. When URLs are altered by such services, a lot of commonly used URL scanners can't detect potentially malicious sites. So it makes sense that someone would create a tool to help protect users from malicious URLs embedded in tweets. Finjan now offers SecureTweets for Firefox and Internet Explorer. It's a browser add-on that offers a "look ahead" feature that can peek at the site behind a shortened URL to see if it might be dangerous before you decide to click on it.
- posted by Mark Joseph Edwards
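The "look ahead" idea described above, as an added example that is not Finjan's code: a shortener answers with an HTTP redirect, so resolving the redirect chain before the user clicks reveals the final host, which can then be checked against a blocklist. The redirect table, the blocklist and the `head_location` stand-in for a HEAD request are constructed for the demo so that it runs offline; a real checker would issue HEAD requests without following redirects and read the `Location` header itself.

```python
"""Added example: resolve a shortened URL's redirect chain before visiting it."""
from urllib.parse import urlsplit

MAX_HOPS = 5  # a long chain is itself a warning sign

# Constructed table: URL -> value of its Location header (None = final page).
REDIRECTS = {
    "http://bit.ly/abc123": "http://t.co/xyz",
    "http://t.co/xyz": "https://www.example.com/article",
    "http://bit.ly/bad": "http://login.bank-example.invalid/update",
    "http://bit.ly/loop1": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop1",
}

# Constructed blocklist of hosts (subdomains of a listed host are blocked too).
BLOCKLIST = {"bank-example.invalid"}


def head_location(url):
    """Stand-in for a HEAD request: return the Location header or None."""
    return REDIRECTS.get(url)


def resolve(url, max_hops=MAX_HOPS):
    """Follow redirects without fetching any page body.

    Returns (final_url, chain, status) with status 'ok', 'loop' or
    'too_many_hops'; loops and over-long chains are reported, not followed.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = head_location(chain[-1])
        if nxt is None:
            return chain[-1], chain, "ok"
        if nxt in seen:
            return nxt, chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, "too_many_hops"


def host_blocked(url, blocklist=BLOCKLIST):
    """True if the URL's host is a listed host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in blocklist)


def verdict(short_url):
    """Classify a short URL as 'clean', 'blocked' or 'suspicious'."""
    final, _chain, status = resolve(short_url)
    if status != "ok":
        return "suspicious"
    return "blocked" if host_blocked(final) else "clean"


if __name__ == "__main__":
    for u in REDIRECTS:
        print(u, "->", verdict(u))
```

The resolver never fetches a body, so looking ahead does not itself expose the user to the destination page; the hop limit and loop detection keep a hostile shortener from tying the checker up.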

[8/12/2009]  
Sometimes The Cookie Doesn't Crumble

Ever heard of Flash cookies? They're often used to track your activity. And sometimes even if you delete them they reappear, complete with session state data preserved. According to a new whitepaper by researchers at the University of California, "We find that more than 50% of the sites in our sample are using Flash cookies to store information about the user. Some are using it to “respawn” or re-instantiate HTTP cookies deleted by the user. Flash cookies often share the same values as HTTP cookies, and are even used on government websites to assign unique values to users. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking." To arrive at their results the researchers analyzed "HTTP and Flash cookies from the top 100 domains ranked by QuantCast results of July 1, 2009" and gathered their results on July 27. You can (and should!) read the full report by downloading the PDF file.
- posted by Mark Joseph Edwards

[7/23/2009]  
Making Data "Vanish" Automatically

University of Washington researchers have created a way to automate encryption key expiration, which means data can become inaccessible after a given period of time. The technology prototype, called Vanish, basically works like this for email content:

For each message that it sends, Vanish creates a secret key, which it never reveals to the user, and then encrypts the message with that key. It then divides the key into dozens of pieces and sprinkles those pieces on random computers that belong to worldwide [P2P] file-sharing networks, the same ones often used to share music or movie files. The file-sharing system constantly changes as computers join or leave the network, meaning that over time parts of the key become permanently inaccessible. Once enough key parts are lost, the original message can no longer be deciphered.
So while the prototype is designed to encrypt email text, it can (and probably will) be modified to support encryption of binary data as well, such as images, audio, documents, etc. More about Vanish is available at the UW Web site, and the developers intend to release a plugin for Firefox soon. The core code is already available for installation and requires Java 5.x and Firefox 3.x.
- posted by Mark Joseph Edwards
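The key-splitting step quoted above, as an added illustration rather than the UW project's own code: a fresh key encrypts the message, the key is split into N shares with a K-of-N threshold using Shamir secret sharing over a prime field (the scheme the Vanish paper uses), and the shares are handed to a store that forgets entries over time. Once fewer than K shares survive, the key cannot be rebuilt and the ciphertext is dead. The share counts, the prime and the SHA-256 XOR keystream are assumptions made for the demo; the keystream only stands in for a real cipher so that the message visibly depends on the key.

```python
"""Added example: Vanish-style self-destructing data via threshold key sharing."""
import hashlib
import secrets

PRIME = 2**521 - 1           # Mersenne prime; shares are integers mod PRIME
N_SHARES, THRESHOLD = 10, 7  # constructed: 10 shares pushed out, 7 needed back


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key_int, n=N_SHARES, k=THRESHOLD):
    """Return n (x, y) shares of key_int; any k of them reconstruct it."""
    coeffs = [key_int] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares, k=THRESHOLD):
    """Lagrange-interpolate f(0) from at least k shares; None if too few survive."""
    if len(shares) < k:
        return None
    shares = shares[:k]
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def _keystream_xor(key_int, data):
    """Illustrative XOR keystream from SHA-256(key || block counter).
    Not a real cipher; it only ties the message to the key for the demo."""
    key = key_int.to_bytes(66, "big")  # 521 bits fit in 66 bytes
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def vanish_encrypt(message):
    """Encrypt under a fresh key the sender never sees; return (ciphertext, shares)."""
    key = secrets.randbelow(PRIME)
    return _keystream_xor(key, message), split_key(key)


def vanish_decrypt(ciphertext, surviving_shares):
    """Rebuild the key from whatever shares the network still holds, or give up."""
    key = recover_key(surviving_shares)
    return None if key is None else _keystream_xor(key, ciphertext)


if __name__ == "__main__":
    ct, shares = vanish_encrypt(b"meet at noon")
    print("7 of 10 shares left:", vanish_decrypt(ct, shares[3:]))
    print("6 of 10 shares left:", vanish_decrypt(ct, shares[:6]))
```

The threshold is what makes the expiry automatic: nothing has to be deleted deliberately, the churn of the share store does the work, and below the threshold the surviving shares reveal nothing about the key.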

[7/23/2009]  
Chrome OS - Who Would've Guessed?

About 9 months ago Google released its Chrome browser. At that time I speculated that sooner or later Google would release an entire desktop operating system. Turns out the wait wasn't very long. Google has now announced Chrome OS, which will initially be targeted at netbooks, which of course is a way of saying the operating system will run on nearly any reasonably modern hardware - including all x86 and ARM architectures. As stated by Google, Chrome OS will build on top of a Linux kernel and will be aimed squarely at getting people connected to the Internet in a matter of seconds after powering up a system. It'll support modern Web apps, which means all the slick Ajax-enabled stuff you see out there now, including Google Apps. Somewhere along the line I fully expect Google to take a keen interest in Wine development too. In case you aren't aware of Wine, it's free software that lets you run Windows apps on a Linux desktop. Loosely translated, the phrase "Chrome OS" could possibly mean "Microsoft, you're toast" - or maybe not. That depends on whether you're looking into the future with rose-colored glasses or a magnifying glass. According to Google, over 30 million people already use the Chrome browser - which in my opinion is only useful if you want a browser that is stripped to the bone and has minimal functionality, and whose major claim to fame is that "it runs JavaScript really fast". OK, the Chrome browser will be important later; right now it's not. My point is that if 30 million people already use a no-frills browser then a lot more are going to use a no-frills OS, particularly if it requires almost no maintenance. Anyone who truly thinks Chrome OS won't be any competition for Windows probably ought to rethink their logic a bit more carefully. After all, when Google's search engine came out relatively few people thought it was any big deal. Now Google basically owns the search industry and no other competitor is anywhere close to threatening their dominance.
And maybe some of you remember how Microsoft basically (and subtly) freaked out when Sun released Java over a decade ago, because it could have easily become an entire desktop operating system environment and the folks at Redmond clearly saw that potential. So, regardless of how Microsoft executives might attempt to make jokes about Chrome OS, they are without a doubt nervous about it. In closing this blog article I will add that I don't see Chrome OS as a threat to any other Linux distributions, and frankly I don't see how anyone else could either. There is already a long list of Linux platforms that all play together in the market space just fine. In fact, the more the merrier. That's a big part of what open source is all about anyway - freedom of choice, freedom of innovation, and diversity. Microsoft, on the other hand, is definitely facing a threat - they could easily be pigeonholed by Google when Chrome OS takes off. Note: Chrome OS is slated to be opened up for development "later this year" according to Google.
- posted by Mark Joseph Edwards

[7/13/2009]  
Firefox's Future Content Security Policy

It appears that Firefox will gain a much-needed Content Security Policy (CSP) mechanism that will help defend against XSS attacks, clickjacking, and packet sniffing. I'm not sure when CSP will be implemented, but so far the specs look pretty good. Web site operators and administrators will want to become aware of how this technology works so as to make sure their Web pages take full advantage of it, particularly in instances where users can provide input via the Web (e.g., comments, contact forms, order forms, etc.). You can read up on Content Security Policy right now over at Mozilla's Web site.
- posted by Mark Joseph Edwards
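To show what a policy actually decides for a page, here is an added example (not Mozilla's code) of a minimal CSP evaluator: it parses a header into directives and answers whether a given directive permits a script or image from a given URL, or inline code. The sample policy and page origin are constructed. The directive names use the syntax that was later standardized (`default-src`, `script-src`); Mozilla's 2009 draft spelled the fallback directive `allow` and carried the policy in an `X-Content-Security-Policy` header. Ports, paths and `data:` URLs are ignored for brevity.

```python
"""Added example: a minimal evaluator for a Content Security Policy header."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed policy and page origin for the demo.
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"
PAGE_ORIGIN = "https://www.example.com"


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split "name src src; name src" into {name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _host_source_matches(src: str, url: str) -> bool:
    """Host source such as https://cdn.example.com or *.example.com."""
    want = urlsplit(src if "://" in src else "//" + src)
    have = urlsplit(url)
    if want.scheme and want.scheme != have.scheme:
        return False
    host, target = (want.hostname or "").lower(), (have.hostname or "").lower()
    if host.startswith("*."):
        return target.endswith(host[1:])  # "*.example.com" -> ".example.com"
    return host == target


def _source_matches(src: str, page_origin: str, url: Optional[str]) -> bool:
    """Does one source expression permit `url`?  url=None means inline code."""
    if url is None:
        return src == "'unsafe-inline'"  # inline script needs an explicit opt-in
    if src == "*":
        return True
    if src == "'self'":
        return _origin(url) == page_origin.lower()
    if src.startswith("'"):  # 'none', 'unsafe-eval', ...: never match a URL
        return False
    if src.endswith(":"):  # scheme source such as "https:"
        return urlsplit(url).scheme == src[:-1]
    return _host_source_matches(src, url)


def allows(policy: Dict[str, List[str]], directive: str,
           page_origin: str, url: Optional[str] = None) -> bool:
    """True if the policy lets `directive` load `url` (inline code when None).
    A directive that is absent from the policy falls back to default-src."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(_source_matches(s, page_origin, url) for s in sources)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("inline <script> allowed:", allows(policy, "script-src", PAGE_ORIGIN))
    print("CDN script allowed:", allows(policy, "script-src", PAGE_ORIGIN,
                                        "https://cdn.example.com/lib.js"))
```

The case that matters for user-supplied content is the inline one: with no `'unsafe-inline'` in `script-src`, a `<script>` tag injected into a comment is refused by the browser even though it made it into the HTML, which is why the policy has to be written with the site's own script loading in mind.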

[7/8/2009]  
SANS Reports Internet Explorer 0-Day Exploit

SANS reports (via CSIS) that a new 0-day exploit against Microsoft DirectShow is loose on the net. The attack affects Internet Explorer, and the fix for this issue is to set the killbit in the registry as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

Also note that Microsoft published a security advisory regarding this issue.
- posted by Mark Joseph Edwards
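After rolling the killbit out, an admin will want to confirm it landed on each machine. As an added example (not from SANS, CSIS or Microsoft), the following parses an exported .reg file and checks the "Compatibility Flags" value under the control's CLSID key. The killbit is bit 0x400 of that DWORD and other flags may be combined with it, so the check tests the bit rather than comparing the whole value to 0x400. The .reg text is constructed for the demo; only the DirectShow CLSID is the one from the post, the other two CLSIDs are placeholders.

```python
"""Added example: audit an exported .reg fragment for ActiveX killbits."""
import re

KILLBIT = 0x400  # COMPAT_EVIL_DONT_LOAD bit in "Compatibility Flags"
KEY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed export: the DirectShow control with the killbit, a placeholder
# control without it, and a placeholder where the killbit is OR'ed with 0x1.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{66666666-7777-8888-9999-AAAAAAAAAAAA}]
"Compatibility Flags"=dword:00000401
"""

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_FLAGS_LINE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')


def parse_compat_flags(reg_text):
    """Map CLSID -> Compatibility Flags for every ActiveX Compatibility subkey."""
    flags = {}
    current = None  # CLSID of the key whose values we are currently reading
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            path = key.group(1)
            current = None
            if path.lower().startswith(KEY_PREFIX.lower() + "\\"):
                current = path.rsplit("\\", 1)[1].upper()
            continue
        val = _FLAGS_LINE.match(line)
        if val and current:
            flags[current] = int(val.group(1), 16)
    return flags


def killbit_set(reg_text, clsid):
    """True if the control's Compatibility Flags value has the killbit bit on.
    A missing key or value counts as not set."""
    flags = parse_compat_flags(reg_text)
    return bool(flags.get(clsid.upper(), 0) & KILLBIT)


if __name__ == "__main__":
    for clsid, value in parse_compat_flags(SAMPLE_REG).items():
        print(f"{clsid}: 0x{value:08x} killbit={'yes' if value & KILLBIT else 'no'}")
```

On a live system the same bit test applies to the value read from the registry; the export-based form is handy when collecting evidence from many machines through a file share or a management tool.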

[7/8/2009]  
Kon-Boot Lets You Bypass Logon for Windows and Linux

Kon-Boot looks like a very interesting tool, since it can get you into a system without having to log on first. According to the description at the tool's site, Kon-Boot alters a Linux or Windows kernel on the fly during boot-up. The result is that you can log in to a system as 'root' or 'administrator' without having to know the associated account password. The tool reportedly works with Windows Vista, XP, Server 2008, Server 2003, Windows 7, Gentoo, Ubuntu, Debian, and Fedora. All of you admins out there might want to give this tool a whirl to see how it works against your systems - before one of your users does!
- posted by Mark Joseph Edwards

Windows IT Pro is a Division of Penton Media Inc. © 2010 Penton Media, Inc.