Identity Theft

May 26, 2008.

People fear identity theft. And those concerned and responsible are negligent as never before. Just today we see:

  • a new massive wave of SQL injections
  • remotely installed trojans because of yet another hole in Adobe's Flash player
  • the "resignation" of the German Minister for the Interior - although it only takes place in the browser, because those responsible for his site are clueless or disinterested - or both.

Some entities seem to have real problems grasping the concept of security. And anyone who highlights the issue gets fired.

How secure is your Server?

May 5, 2008.

Peter Gabriel's server has been nicked from the provider's premises. The Register mentions Rednet Ltd, owned by Opal Telecom, owned by Carphone Warehouse. Rednet had very poor connectivity some years back. Carphone Warehouse staff were accused last year of confusing customers in order to get them to pay extra cash for insurance.

Insecurity Rules

April 22, 2008.

If you're selling online you will be familiar with the increasing complexity of the Payment Card Industry Data Security Standard, a set of rules and regulations aiming to increase the security of online systems. Many of these are specifically designed with Windows PCs in mind and don't apply to other systems, but others, such as those governing the construction and length of validity of passwords for payment interfaces, apply to most merchants.

It's obvious they have been created by people who do not have to implement these rules, nor remember the passwords created according to them. Because there are almost a dozen restrictions on which letter combinations are prohibited, they genuinely limit the number of possible passwords. And because these need to be changed regularly, and can't be "similar" to the last ten passwords used, in the end people will jot them down somewhere, defeating the object of the exercise.

But as can be seen here, some people in the so-called security industry are totally clueless.

Feeling Secure is Expensive

April 21, 2008.

So-called Extended Validation certificates are supposed to suggest that a site sporting such a certificate is more reliable and secure than ordinary SSL sites. That's why, starting with Microsoft's Internet Explorer, more and more browsers render the address bar with a green background when encountering an EV cert.

Unfortunately these certificates only certify that the identity of the site owner has been checked somewhat more thoroughly. That does nothing for the real security, or lack thereof, of the actual web site.

Site's been hacked - What Now?

April 9, 2008.

Claiming it happens to a lot of people, despite the hard work you devote to preventing this type of thing from happening, Google's Webmaster Central Blog presents some first aid on how to salvage a bad situation.

The main aspect elaborated is that of the site itself and how to keep Google and users from reaching pages as long as the server is not known to be clean. What's missing are recommendations on how to prevent this thing from happening in the first place. Considering that those confronted with the problem are normally interested only in damage limitation instead of proactive prevention, it's just as well Google doesn't repeat advice that's always been out there.

Browser Trick

March 12, 2008.

Remote controlled FTP commands through a bug in Internet Explorer is what I call really creative.

Google Positioning

March 11, 2008.

You do know that Google bought Postini, don't you? They're now positioning it as another band-aid to patch up enterprise buck passing: "Companies can lower the cost of deploying anti-spam and anti-malware software to offload the burden and cost of keeping the defenses updated, Swidler said. He also wrote that all applications launched from a Web browser must be updated to current patch levels."

In this day and age I believe it would be a lot safer not to launch any applications from within the browser. What happens on your desktop should be controlled by people in the wild.

Malicious Intent

February 18, 2008.

Google just published an interim report on the security of the web, emphasising that a lot of malicious code is installed on users' PCs via drive-by downloads. While experienced users find it strange that the rest don't even know that browser settings can be adjusted to avoid all of these infections, Slashdotters have highlighted two issues discussing Google's findings:

The WWW and HTML were never meant to be something that runs active code on the client. Period. Most of us realise there is no way this problem can ever be solved without revising exactly what a browser is supposed to be; as long as browsers run code instead of interpreting data, there will always be malicious sites set up to exploit this.

And then someone pointed at a very interesting tidbit in Google's publication:

The underlying problem is that advertising space is often syndicated to other parties who are not known to the web site owner.

Time Bomb CMS

February 15, 2008.

Because CMS are often targeted at "Management", a lot of advice on problems with files and folders suggests chmod 777 on the lot to make life easy. That makes it easy for everybody, including people you have never heard of, because setting the permissions of a file or directory so that everybody can do anything is asking for trouble. And it is, despite the fact that Wikipedia gives such an example.

Safe Delegation

January 9, 2008.

More and more commercial sites seem to sport a "Hacker Safe" logo, proclaiming to be tested for holes by some authority which claims to know it all. Apart from the fact that it's utter rubbish - they would have to put the complete code running on your server under the microscope - it demonstrates once more that it's aimed at those who either don't know better or don't care. Unless you know your code is correct and your server is locked down, you'd be a fool to say your site is safe.

As an aside: most people still don't know the difference between a hacker and a cracker, and that's why they sign up to silly schemes like this. Some people call it washing their hands.

Government pwned

December 13, 2007.

Using unsanitised data on the web is as dangerous as executing unknown code from unknown sources. You get an even fiercer mix when pairing the two. Even Governments can't help then. In fact, nobody can.

http://www.heise.de/newsticker/meldung/100630

Being in Control

November 14, 2007.

Just because something is free and Open Source doesn't mean it's automatically good or safe. Unless you fully understand what you're doing you shouldn't really be surprised if reality doesn't match expectations. Many a CMS has not been designed with security in mind. If the installation instructions, FAQ or other documents suggest you chmod 777 some files or directories [I think younger people call these folders now], you're allowing anyone [!] to modify or replace files or directory contents at their leisure. Not necessarily a wise career move.

Adobe web server wide open

October 1, 2007.

I thought it strange when I noticed that lots of Photoshop files were installed with mode 0777 on my PowerBook [for non-geeks that means everyone on your system has permission to mess with those files]. That was fixed easily enough with a recursive chmod go-w.

When Photoshop CS3 was published, there were warnings that the installer actually turns off the firewall on the system, something unheard of. Now Heise Security reports that Adobe's web server is abusable. They don't really understand a lot about security, do they?

http://www.heise-security.co.uk/news/96605
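Added example, not the author's code: a small POSIX shell audit for the three posts above about chmod 777. It lists the world-writable files and directories such advice leaves behind, counts them, and strips the group/other write bits with the recursive chmod go-w mentioned above; the demo tree and its file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a web root for
# world-writable files and directories, the result of "chmod 777" advice,
# and remove the group/other write bits, i.e. a recursive "chmod go-w".

# Print every file or directory under $1 whose "other" write bit is set.
# "-perm -002" matches when all bits of 002 are set (POSIX octal form).
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Number of world-writable entries under $1 (0 means the tree is clean).
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Strip write permission for group and others from every offending entry.
# Only world-writable entries are touched, so deliberate 0644/0755 modes stay.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec chmod go-w {} +
}

# Constructed demo tree (hypothetical CMS layout) showing before/after counts.
demo() {
    root=$(mktemp -d)
    mkdir "$root/uploads"
    : > "$root/uploads/config.php"
    : > "$root/index.php"
    chmod 777 "$root/uploads" "$root/uploads/config.php"   # the bad advice
    chmod 644 "$root/index.php"                            # a sane mode
    echo "before: $(count_world_writable "$root") world-writable"
    audit_world_writable "$root"
    fix_world_writable "$root"
    echo "after:  $(count_world_writable "$root") world-writable"
    rm -rf "$root"
}
```

Run audit_world_writable against a real document root before fixing anything, since a CMS that genuinely needs a writable cache or upload directory should get a dedicated owner or group rather than 777.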

© Copyright 1998 - 2008 Klaus Schallhorn.