Archive for the ‘InfoSec Developments’ Category

Daylight Savings Time Change Continues to Bring Problems

Tuesday, March 13th, 2007

The SANS Internet Storm Center has monitored continued problems caused by the Daylight Savings Time change.

Visit the SANS Internet Storm Center for more updates and information.

Secure PHP Configuration

Thursday, March 8th, 2007

The Month of PHP Bugs was launched on March 1. If you missed last week’s editorial about this initiative, you can read it on the WindowsIT Pro web site at the URL below. Be sure to also read the related news item “5 Vulnerabilities Kick Off Month of PHP Bugs.”
http://www.windowsitpro.com/Article/ArticleID/95328

So far, Stefan Esser has posted several interesting vulnerabilities on his Month of PHP Bugs site, some of which you can avoid by specific practices. If you use PHP on your server, then you need to examine its configuration to make sure you’re not overly exposing aspects of the engine, which could in turn expose your entire system and possibly other parts of your network.

If your Web system is closed (i.e., you don’t allow others to upload or create any files), your potential security risks are more limited than if it’s open. Either way, you need to take precautions to ensure that certain functions aren’t usable unless you intend for them to be used.

One example is that PHP can allow the use of the exec and shell_exec functions, which essentially let you run OS commands and retrieve the output. I’ve used the shell_exec function to good advantage. I had an account with a Web hosting company, which had a server that would frequently slow to a crawl, making nearly all access impossible. I grew tired of the support staff’s vague explanations and decided to investigate the problem myself.

With the help of the shell_exec function (and a few others), I could use PHP to look at a lot of the server’s operational characteristics. I discovered the bottleneck, contacted support, and alluded to the problem. I figure the support team members scratched their heads for a couple months wondering how I knew what was happening before they finally wised up and disabled the shell_exec function.

In another example, I signed up for a blog at a popular site, which will remain unnamed here. I wanted specific blog functionality that wasn’t available, so I went to work on a way around the limitations. I discovered that this site too allowed dangerous functions to operate. With a little work, I could navigate nearly the entire server disk subsystem at will, read configuration files, discover path information, and then manipulate my blog to gain the functionality I wanted by using the information I had gathered to enable my custom scripts to run. Eventually, the site staff figured out what was happening and disabled many dangerous functions.

In addition to exec and shell_exec, other PHP functions that hand control to the OS or to the PHP process itself, and that most sites should disable, are passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, system, popen, pclose, dl, ini_set, virtual, set_time_limit, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, and posix_setuid. Two cautions about lists like this one that circulate online: suexec is an Apache component, not a PHP function, so naming it in disable_functions does nothing; and escapeshellcmd and escapeshellarg are the helpers that make shell arguments safe, so disabling them removes a safety net rather than an attack surface. Add them only once every command-execution function is already disabled. Note also that disabling shell_exec disables the backtick operator as well, since the two are the same thing. The functions that PHP restricts under safe mode, listed at the URL below, are another useful starting point when deciding what to turn off:
http://www.phpbuilder.com/manual/features.safe-mode.functions.php

You can disable functions by adding (or editing) a line in your php.ini file like this, with the function names as a comma-separated list:
disable_functions = "exec, shell_exec, passthru, system, popen, proc_open"
The directive is system-level (PHP_INI_SYSTEM): it can only be set in php.ini, not in a .htaccess file or with ini_set(), which is why a hosting customer cannot re-enable the functions from a script. After editing, restart the Web server (or the PHP FastCGI processes) and confirm the running value with phpinfo() or php -i, because a second disable_functions line further down the file silently overrides the first.
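As an added example (not part of the editorial and not PHP-project code), the following Python script audits the effective disable_functions value in a php.ini and reports which command-execution functions a server still exposes. The php.ini fragments are constructed for illustration; the function list is the editorial’s, minus suexec (an Apache component, not a PHP function) and the two escapeshell helpers (which sanitize rather than execute). It reproduces two behaviours of PHP’s own ini parser that trip people up: a semicolon starts a comment, and when the directive appears twice the last assignment wins.

```python
"""Audit the disable_functions directive of a php.ini (added example)."""
import re

# PHP functions discussed in the editorial that execute OS commands or
# alter the PHP process. Names are compared case-insensitively because
# PHP function names are case-insensitive.
EXEC_FUNCTIONS = {
    "exec", "shell_exec", "passthru", "system", "popen", "pclose",
    "proc_open", "proc_close", "proc_get_status", "proc_nice",
    "proc_terminate", "dl", "ini_set", "virtual", "set_time_limit",
    "apache_child_terminate", "posix_kill", "posix_mkfifo",
    "posix_setpgid", "posix_setsid", "posix_setuid",
}

_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the functions disabled by the *last* disable_functions line,
    ignoring ';' comments and surrounding quotes, as PHP's parser does."""
    disabled: set[str] = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]  # ';' starts a php.ini comment
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        value = match.group(1).strip().strip('"').strip("'")
        # A later assignment replaces an earlier one rather than adding to it.
        disabled = {name.strip().lower() for name in value.split(",") if name.strip()}
    return disabled


def still_enabled(ini_text: str, wanted: set[str] = EXEC_FUNCTIONS) -> list[str]:
    """Functions from `wanted` that the ini text leaves callable, sorted."""
    return sorted(wanted - parse_disable_functions(ini_text))


def render_directive(functions: set[str]) -> str:
    """Build a php.ini line disabling every function in the set. shell_exec is
    always included because it also switches off the backtick operator."""
    return "disable_functions = " + ",".join(sorted(functions | {"shell_exec"}))


# Constructed sample php.ini fragments (not taken from any real server).
WEAK_INI = """
; typical shared-hosting default: nothing disabled
disable_functions =
expose_php = On
"""

PARTIAL_INI = """
disable_functions = "shell_exec, passthru"
; a later edit further down the file overrides the line above
disable_functions = "shell_exec, passthru, exec, system"
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("partial", PARTIAL_INI)):
        print(f"{label}: still callable -> {', '.join(still_enabled(ini)) or 'none'}")
    print(render_directive(EXEC_FUNCTIONS))
```

Run it against a copy of the server’s php.ini (or the output of php -i piped to a file) to see what remains callable; the rendered directive is what you would paste back into php.ini before restarting the Web server.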

More help for configuring PHP can be found at these URLs:

Ayman Hourieh’s Blog
http://aymanh.com/checklist-for-securing-php-configuration

WEB-DOT-DEV–PHP Configuration
http://www.webdotdev.com/nvd/server-side/php/php-configuration.html

PHP Manual
http://us2.php.net/manual/en/security.php

PHP Security Consortium’s PhpSecInfo
http://phpsec.org/projects/phpsecinfo/

Finally, a good resource with lots of other links (including books) is available at the PHP Security Consortium’s Web site:
http://phpsec.org/library/

Secure PHP Configuration by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Five Myths About Black Hats

Monday, February 26th, 2007

Original article at:
http://www.darkreading.com/document.asp?doc_id=118169&print=true

From Matthew Broderick’s teenage phone phreak in the 1983 movie “WarGames” to today’s Russian mafia don, the image of the computer hacker has undergone some radical changes over the years.
Really, though — just who are these people, and why do they do what they do?

Over the last several weeks, we here at Dark Reading have been asking that very question. But instead of asking security “experts,” we went straight to the horse’s mouths — the black hats themselves. In a survey of 116 individuals who spend at least part of every day trying to break into systems they’re not authorized to access, we received a lot of feedback from people who don’t fit either the image of the pimply-faced script kiddie or the hardened criminal. And, for the most part, they’re anxious to break both stereotypes. “Black hats are not as scary as they get portrayed in movies and at the Defcon convention,” says Caseo, an IT security officer for a regional investment firm. “And most of them aren’t teens or twenty-year-olds living in their parents’ basement.”

At the same time, however, many self-described “black hats” also offer a very different perspective than today’s security experts and IT staffers. In our survey, we had several respondents who said that information should be available to anyone with the skills to access it. Several others suggested that corporations and governments are much greater threats to security than individual black hats. And we even heard from a few individuals who admit to stealing and selling data from their victims. With such a diversity of views and opinions expressed in the survey and in subsequent interviews with respondents, it was difficult to find a simple, comprehensive way to relay all of the data we collected.


Check For Optimum Security Settings In Vista & XP with MBSA 2.1

Thursday, February 15th, 2007

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.

Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

MBSA is currently in v2.1 Beta. Version 2.0 is the stable version; Version 2.1 includes support for Windows Vista.

Download Microsoft Baseline Security Analyzer 2.1 Beta 

NIST Releases Security Guide for Managers

Wednesday, November 15th, 2006

This guide, NIST Special Publication 800-100, “Information Security Handbook: A Guide for Managers,” is written specifically for top-level security and information management (CSOs, CIOs, etc.). It addresses the requirements of various security policies and laws, such as the Clinger-Cohen Act (CCA) and FISMA.

Grab a copy from: http://csrc.nist.gov/publications/nistpubs/800-100/sp800-100.pdf

EO 563 to Curb Credit Card Fraud

Sunday, October 29th, 2006

Executive Order No. 573 was issued by President Arroyo on October 26, 2006. EO 573 forms an Anti-Fraud Task Force composed of the National Bureau of Investigation and the Philippine National Police, to be headed by Justice Secretary Raul Gonzalez.

The task force’s main objective is to strengthen Republic Act 8484, or the Access Device Regulation Act of 1998.

“The occurrence of credit card fraud is increasing and acquiring banks incur huge losses and suffer stunted credit card sales, ultimately threatening the survival of the credit card industry, including the negative repercussions in the domestic economy,” the President said.

This comes after the Credit Card Association of the Philippines (CCAP) appealed to Malacañang to give more teeth to its laws against fraudsters using illegally obtained information from credit cards.

The CCAP complained that most credit card fraudsters were able to walk away and disappear after being caught because of the absence of guidelines to govern the implementation of the country’s anti-fraud laws.

Although credit card fraud is not as widespread in the Philippines as in other countries — constituting less than one percent of credit card transactions here — the CCAP said there was a need for safeguards because of the inadequate security features of most credit cards in the country.

NIST Issues Three Security-Related Draft Publications

Wednesday, September 6th, 2006

The National Institute of Standards and Technology released three new drafts of security-related special publications today. They cover e-mail security, intrusion detection and prevention, and securing Web services and applications.

The first is called “Guidelines on Electronic Mail Security,” an update to SP 800-45 released in 2002. The guide includes policy suggestions for deploying and configuring e-mail servers, training employees on security, and applying encryption. NIST will accept public comments on this publication at sp800-45a@nist.gov until Oct. 6.

The second publication is titled “Guide to Intrusion Detection and Prevention Systems.” It provides assistance to agencies for designing, implementing, configuring, securing, monitoring and maintaining IDP systems for an entire enterprise and smaller divisions. It also provides guidance for different network-based IDP systems. NIST will take comments at 800-94comments@nist.gov until Oct. 20.

The third publication, “Guide to Secure Web Services,” deals with Web services security, specifically in applications. It also details security features in Extensible Markup Language; Simple Object Access Protocol; and the Universal Description, Discovery and Integration protocol and related open standards. NIST will accept comments at 800-95comments@nist.gov until Oct. 30.

The DLDOS (Data Loss Database - Open Source)

Sunday, September 3rd, 2006

Since July of 2005, attrition.org has been tracking data loss and data theft incidents not just from the United States, but across the world.

Attrition.org’s archives go back to the year 2000, and with over 142 million records compromised in over 300 incidents across six years, we would finally like to introduce a very basic and rudimentary database that will assist others in tracking these incidents.

DLDOS (Data Loss Database - Open Source) is a simple flat comma-separated value (CSV) file that can be imported into your database of choice, whether it be MySQL, Microsoft Access, or Oracle (good luck). We provide the date, the company that reported the breach, the type of data impacted, the number of records impacted, third-party companies involved, and a few other sortable items that may be of interest. At this point, attrition.org is not hosting an actual database itself, but the raw data is free and available for use as long as attrition.org is credited for the use of said data. Really, we’re not trying to be jerks, but if you’re going to use our data in your research, be it a web site or a paper written for a commercial entity, just give us a shout-out, please.


Phishers Turn to SMiShing

Sunday, September 3rd, 2006

Phishers have begun using SMS messages as an attack vector. Users have reported receiving SMS messages purporting to confirm that they have signed up for a dating service and notifying them they will be charged US$2 a day until they cancel the order at a certain web site. That site downloads a Trojan horse program onto their phones, allowing it to be controlled by the attackers. The practice has been dubbed SMiShing.

Mobile Devices Hold On to Old Data

Sunday, September 3rd, 2006

Following the directions that come with mobile devices, such as phones and PDAs, to remove data before selling or recycling them is not enough to ensure the next person who holds the device will not be able to see your private information.

Data can still be retrieved from phones that have been reset. A security software company that purchased 10 used smartphones and PDAs on eBay found sensitive, personally identifiable information on nearly all of them.

The company plans to return all the phones to their original owners and has kept all the data it retrieved from the phones on a computer not connected to its corporate network.

Some companies have provided stronger data wiping functions in their newer devices.
http://www.theage.com.au/news/Technology/Software-Can-Resurrect-Cell-Phone-Info/2006/08/31/1156816976190.html
http://software.silicon.com/security/0,39024888,39161863,00.htm
http://www.vnunet.com/vnunet/news/2163176/pdas-sold-ebay-loaded-sensitive