No Security Bulletins from Microsoft this March

March 14th, 2007

Title: Microsoft Security Bulletin Summary for March 2007
Issued: March 13, 2007
Version Number: 1.0
Bulletin Summary: http://go.microsoft.com/fwlink/?LinkId=85543

Summary:

========

Microsoft has not released any security bulletins on March 13, 2007.

Imagine A World Without Hackers — The 5 Key Gaps in Cyber Security

March 13th, 2007

Imagine a world without hackers.

For the past decade, corporations around the world have been hemorrhaging data to online criminal syndicates. These organized hackers no longer attack for fun, but now exploit vulnerabilities for financial gain. This Web seminar discusses 5 key gaps in cyber security that hackers are able to consistently and repeatedly exploit and shows you how to prepare your company to defend against evolving cyber threats.

Attend this Web seminar and join Tom Kellermann, former head of cyber intelligence and policy management within the World Bank Treasury Security team, as he discusses five key gaps in cyber security, how you can better manage cyber security risks and how the world has changed in the face of emerging threats.

Download the Web seminar now!

Daylight Savings Time Change Continues to Bring Problems

March 13th, 2007

The SANS Internet Storm Center has monitored continued problems caused by the Daylight Savings Time change.

Visit the SANS Internet Storm Center for more updates and information.

Secure PHP Configuration

March 8th, 2007

A Month of PHP Bugs was launched March 1. If you missed last week’s editorial about this initiative, you can read it on the WindowsIT Pro web site at the URL below. Be sure to also read the related news item “5 Vulnerabilities Kick Off Month of PHP Bugs,” which you can link to from the Security News and Features section below.
http://www.windowsitpro.com/Article/ArticleID/95328

So far, Stefan Esser has posted several interesting vulnerabilities on his Month of PHP Bugs site, some of which you can avoid by specific practices. If you use PHP on your server, then you need to examine its configuration to make sure you’re not overly exposing aspects of the engine, which could in turn expose your entire system and possibly other parts of your network.

If your Web system is closed (i.e., you don’t allow others to upload or create any files), your potential security risks are more limited than if it’s open. Either way, you need to take precautions to ensure that certain functions aren’t usable unless you intend for them to be used.

One example is that PHP can allow the use of the exec and shell_exec functions, which essentially let you run OS commands and retrieve the output. I’ve used the shell_exec function to good advantage. I had an account with a Web hosting company, which had a server that would frequently slow to a crawl, making nearly all access impossible. I grew tired of the support staff’s vague explanations and decided to investigate the problem myself.

With the help of the shell_exec function (and a few others), I could use PHP to look at a lot of the server’s operational characteristics. I discovered the bottleneck, contacted support, and alluded to the problem. I figure the support team members scratched their heads for a couple months wondering how I knew what was happening before they finally wised up and disabled the shell_exec function.

In another example, I signed up for a blog at a popular site, which will remain unnamed here. I wanted specific blog functionality that wasn’t available, so I went to work on a way around the limitations. I discovered that this site too allowed dangerous functions to operate. With a little work, I could navigate nearly the entire server disk subsystem at will, read configuration files, discover path information, and then manipulate my blog to gain the functionality I wanted by using the information I had gathered to enable my custom scripts to run. Eventually, the site staff figured out what was happening and disabled many dangerous functions.

In addition to exec and shell_exec, some dangerous PHP functions are suexec, passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, system, popen, pclose, dl, ini_set, virtual, set_time_limit, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, and escapeshellarg. Go to this URL for other potentially dangerous functions:
http://www.phpbuilder.com/manual/features.safe-mode.functions.php

You can disable functions by adding (or editing) a line in your php.ini file like this (the value is a comma-separated list of function names):
disable_functions = "shell_exec, suexec, passthru"
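A small audit script, added here as an example and not part of the original editorial, that checks which of the functions listed above are still callable under the running PHP configuration and prints a disable_functions line that would cover the rest:

```php
<?php
// Added example (not from the original editorial): audit the running PHP
// configuration for the command-execution and process-control functions
// named in the editorial and report which ones are still callable.
// Run with: php audit_disabled_functions.php
// Caveat: the CLI SAPI may load a different php.ini than Apache or FPM does,
// so run the check under the same SAPI you are auditing.

$dangerous = [
    'exec', 'shell_exec', 'suexec', 'passthru', 'proc_open', 'proc_close',
    'proc_get_status', 'proc_nice', 'proc_terminate', 'system', 'popen',
    'pclose', 'dl', 'ini_set', 'virtual', 'set_time_limit',
    'apache_child_terminate', 'posix_kill', 'posix_mkfifo', 'posix_setpgid',
    'posix_setsid', 'posix_setuid', 'escapeshellcmd', 'escapeshellarg',
];

// disable_functions is a comma-separated list in php.ini; normalise it.
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
$disabled = array_map('strtolower', array_filter($disabled));

$stillCallable = [];
$notAvailable  = [];
foreach ($dangerous as $fn) {
    if (in_array($fn, $disabled, true)) {
        continue;                   // disabled as intended
    }
    // function_exists() also reports false for disabled functions, so a
    // function that exists here is genuinely callable by any script.
    if (function_exists($fn)) {
        $stillCallable[] = $fn;
    } else {
        $notAvailable[] = $fn;      // e.g. posix_* without the posix extension,
    }                               // or virtual() outside the Apache module
}

printf("php.ini in use: %s\n", php_ini_loaded_file() ?: '(none)');
printf("disabled: %s\n", implode(', ', $disabled) ?: '(none)');
printf("still callable: %s\n", implode(', ', $stillCallable) ?: '(none)');
printf("not available in this build: %s\n", implode(', ', $notAvailable) ?: '(none)');

// Suggested php.ini line: the current list plus everything still callable.
if ($stillCallable) {
    printf("\nsuggested php.ini line:\ndisable_functions = %s\n",
        implode(',', array_merge($disabled, $stillCallable)));
}
```

Functions the build does not provide at all are listed separately so you can tell a genuinely disabled function from one that simply is not compiled in.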

More help for configuring PHP can be found at these URLs:

Ayman Hourieh’s Blog
http://aymanh.com/checklist-for-securing-php-configuration

WEB-DOT-DEV–PHP Configuration
http://www.webdotdev.com/nvd/server-side/php/php-configuration.html

PHP Manual
http://us2.php.net/manual/en/security.php

PHP Security Consortium’s PhpSecInfo
http://phpsec.org/projects/phpsecinfo/

Finally, a good resource with lots of other links (including books) is available at the PHP Security Consortium’s Web site:
http://phpsec.org/library/

Secure PHP Configuration by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Kisgearth — Maps Kismet Results to Google Earth

March 7th, 2007

Kisgearth is a small Perl script that lets you convert your Kismet XML log files to Google Earth KML files. You can apply a number of filters and use sorting/ordering functions to get the best results.

Grab a copy of Kisgearth at: http://e-axe.mytty.org/kisgearth/

Five Myths About Black Hats

February 26th, 2007

Original article at:
http://www.darkreading.com/document.asp?doc_id=118169&print=true

From Matthew Broderick’s teenage phone phreak in the 1983 movie “WarGames” to today’s Russian mafia don, the image of the computer hacker has undergone some radical changes over the years.
Really, though — just who are these people, and why do they do what they do?

Over the last several weeks, we here at Dark Reading have been asking that very question. But instead of asking security “experts,” we went straight to the horse’s mouths — the black hats themselves. In a survey of 116 individuals who spend at least part of every day trying to break into systems they’re not authorized to access, we received a lot of feedback from people who don’t fit either the image of the pimply-faced script kiddie or the hardened criminal. And, for the most part, they’re anxious to break both stereotypes. “Black hats are not as scary as they get portrayed in movies and at the Defcon convention,” says Caseo, an IT security officer for a regional investment firm. “And most of them aren’t teens or twenty-year-olds living in their parents’ basement.”

At the same time, however, many self-described “black hats” also offer a very different perspective than today’s security experts and IT staffers. In our survey, we had several respondents who said that information should be available to anyone with the skills to access it. Several others suggested that corporations and governments are much greater threats to security than individual black hats. And we even heard from a few individuals who admit to stealing and selling data from their victims. With such a diversity of views and opinions expressed in the survey and in subsequent interviews with respondents, it was difficult to find a simple, comprehensive way to relay all of the data we collected.

Check For Optimum Security Settings In Vista & XP with MBSA 2.1

February 15th, 2007

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.

Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

MBSA is currently in v2.1 Beta. Version 2.0 is the stable version; Version 2.1 includes support for Windows Vista.

Download Microsoft Baseline Security Analyzer 2.1 Beta 

NIST Releases Security Guide for Managers

November 15th, 2006

This guide is written specifically for top-level security and information management (CSOs, CIOs, etc.). It addresses the requirements of various security policies and laws, such as the Clinger-Cohen Act (CCA) and FISMA.

Grab a copy from: http://csrc.nist.gov/publications/nistpubs/800-100/sp800-100.pdf

Some Good Security and Audit Resources

November 15th, 2006

I’ve been scouring my old notes for audit- and security-related resources and bumped into these:

Auditnet Security Management
http://www.auditnet.org/SecurityMgmt.htm

Ask the Auditor: Who is Responsible for Information Security?
http://www.itcinstitute.com/display.aspx?ID=1823

Security Benchmark
http://www.securitybenchmark.com/

IT Audit Checklist for Risk Management Now Available!

November 15th, 2006

Dan Swanson’s latest white paper is now available at ITCI.
The IT Audit Checklist for Risk Management offers:

  • 80 specific checklist items to help assess your audit-readiness
  • Clarification on what auditors want to see
  • Tips on how to effectively communicate with an auditor
  • Pointers on audit preparation, testing, and reporting

You can grab a copy at
http://www.itcinstitute.com/display.aspx?id=2499

Note: A brief registration is required to download the “free” paper.