Category Archives: security

Heartbleed security blow-out aggravated by CloudFlare flub?

Once again, security company CloudFlare finds itself embroiled in a security controversy, this one involving the just-revealed Heartbleed OpenSSL security threat.

According to ZDNet, the problem might have been easily contained if it weren’t for several possibly aggravating factors:

This bug [is] not a problem with OpenSSL’s inherent design. It’s an implementation problem. That is to say, it is the result of a programming mistake. There is already a fix available for the problem for the 1.01 program in OpenSSL 1.0.1g. Work is proceeding rapidly for a patch for the 1.02-beta line.

That’s bad enough, but what really has some operating system and security companies ticked is that while OpenSSL and others were hard at work delivering the patched versions that would have limited the problem’s possible use by blackhat hackers, CloudFlare, a Web security company, revealed in a blog posting details about the security hole and that they’ve fixed the bug. They appear to have used the methods described by OpenSSL. Unfortunately, for everyone else, these methods were not ready for broad deployment.

ZDNet: Heartbleed: Serious OpenSSL zero day vulnerability revealed

CloudFlare: Staying ahead of OpenSSL vulnerabilities


Widespread hacking attack on poorly secured WordPress blogs underway

According to an article in Ars Technica, security experts at several companies are warning of a widespread attempt to compromise and take over WordPress administration accounts. The bad guys are using a separate botnet (presumably one comprised of compromised home machines) to run brute force attacks on WordPress installations across the web.

According to CloudFlare’s Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username “admin” and 1,000 or so common passwords. He said the attacks are coming from tens of thousands of unique IP addresses, an assessment that squares with the finding of more than 90,000 IP addresses hitting WordPress machines hosted by HostGator.

Because of the relatively basic nature of the attack, those who have changed the admin name from the default (“admin”) and use secure passwords should be safe from it. (It’s best to follow WordPress’s suggestions on password security, or to use some other relatively rigorous system for deriving your password.*)

And, obviously, this hacking attempt exploits human weakness — not an exploitable weakness in the WordPress content management system, itself.

Still, it’s never too late to check your own password. Hackers halfway around the world probably won’t know your dog’s name or the name of your high school team, but your ex-spouse, co-workers and many more folks just might. And if they want to play a ‘little trick’ on you, if you have obvious user names and passwords, you make that easy.

(Don’t forget the fellow who got federal time for ‘hacking’ Sarah Palin’s email account simply found her email address and then guessed her password, which, if we recall correctly, was something really obvious like a pet or kid name. That it was easy didn’t keep him out of federal prison, though.)

You can be assured that TKM WebWorks will be monitoring this situation and, as always, working to keep your sites working and uncompromised, whether they use the WordPress CMS or not.

Ars Technica: Huge attack on WordPress sites could spawn never-before-seen super botnet

* A good, hard-to-crack, all-but-impossible-to-guess password doesn’t have to be hard to remember. You can use random combinations of letters, numbers, and symbols, but that means you’ll probably have to cut and paste it — unless, perhaps, you create a ‘mnemonic’ acronym — a password that ‘stands’ for a phrase. For instance, you could use nitt4agm2c2taotc — almost impossible to guess (or remember) unless you know it stands for now is the time for all good men to come to the aid of the country. (Obviously, you don’t want to use a phrase that will pop to the lips of the many. You want one that you can remember but that isn’t ‘obvious.’)

Another system for creating quite secure passwords is to simply create a phrase of four or more unrelated words. (Of course you can also stick numbers or other characters in such a phrase, making it even harder to guess.) Such pass phrases may not be quite as secure as random strings of characters, numbers, and symbols, but they nonetheless require long periods of dictionary attack to crack. (So-called dictionary attacks take valuable resources and considerable processing time, and so are typically the province of targeted attacks — not the sort of random, low-hanging-fruit collection of the above-referenced WP attack.)
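The attack described above is hard to spot with a per-IP lockout rule, because each of the tens of thousands of source addresses makes only a handful of attempts. The following added example (not from the Ars Technica article or any WordPress plugin) parses constructed Apache combined-format log lines and flags both the usual single-source burst and the distributed pattern: many distinct IPs, few failures each. It assumes WordPress’s standard behaviour of re-rendering wp-login.php (HTTP 200) on a failed login and redirecting (HTTP 302) on success; the username itself is in the POST body, so it is not visible in the access log.

```python
import re
from collections import Counter

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (documentation addresses, not real hosts):
# six different IPs each POST once to wp-login.php and get a 200 (the form
# re-rendered, i.e. a failed login); one legitimate user gets a 302 (success).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:03 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.15 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
"""


def failed_logins(lines):
    """Count failed wp-login.php POSTs per source IP (status other than 302)."""
    fails = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        if (m["method"] == "POST"
                and m["path"].startswith("/wp-login.php")
                and m["status"] != "302"):
            fails[m["ip"]] += 1
    return fails


def assess(lines, per_ip_limit=5, distributed_min_ips=5, distributed_min_total=5):
    """Summarise login failures two ways: noisy single IPs (what a classic
    lockout rule catches) and the distributed case (many IPs, few tries each)."""
    fails = failed_logins(lines)
    total = sum(fails.values())
    noisy = sorted(ip for ip, n in fails.items() if n >= per_ip_limit)
    distributed = len(fails) >= distributed_min_ips and total >= distributed_min_total
    return {
        "total_failed": total,
        "distinct_ips": len(fails),
        "noisy_ips": noisy,          # empty here: no single IP crosses the limit
        "distributed": distributed,  # True here: the botnet pattern
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG.splitlines()))
```

On the sample, no IP reaches the per-IP limit, so a lockout plugin alone would stay silent, while the aggregate view reports six failures from six distinct sources; tune the thresholds to your site’s normal login volume.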


Companies should start planning now for the end of Windows XP support in April 2014

This article from the UK’s Telegraph highlights the problem many businesses will face a year from now when Microsoft finally pulls remaining support from Windows XP — which still dominates the computer OS scene almost a dozen years since its release and five years since its intended successor, Windows Vista, was released. (To the sound of one hand clapping.)

Microsoft learned the Vista lesson and delivered a solid, well-liked OS with Windows 7, but then came down with a case of institutional amnesia and repeated the Vista fiasco with Windows 8, which has alienated both consumers and, particularly, enterprise users, not to mention computer usability experts, who were aghast at its grafting of a simplistic and crippled tablet interface over the top of Windows, obscuring the familiar aspects of the operating system and hobbling multitasking users with a one-thing-at-a-time approach that bizarrely turns its back on the reason Windows was created. (Determined users can find their way to the more familiar legacy aspects of the OS, and can, indeed, engage in the sort of multitasking, multi-document work that put Windows on the map in the first place — but many users are totally flummoxed by their experiences with Windows 8.)

Microsoft had announced earlier support cut-offs, but was forced to push them back when enterprise and consumer customers stayed away from Vista in droves. Windows 7 went over considerably better — power users and geeks loved it — but the onus of the disastrous Vista release lingered. And then, with the MS board of directors obviously demanding more “Apple-like” customer lock-in and exploitation, MS dove headfirst into the sea of self-destruction that is Windows 8.

So where does that leave you?

Good question.

The Telegraph: Windows XP putting businesses at risk

CNET: How to make Windows 8 look like Windows 7

ZDNet: Where can you find a PC running Windows 7?

ZDNet: How to skip Windows 8 and continue using Windows 7

ZDNet: From Windows 8 to Windows 7: why I downgraded


Oracle finally releases a patch after months of inaction — but is it time to kill Java once and for all? Forbes Magazine says yes.

Oracle, the company that bought Java inventors Sun Microsystems in order to gain control of Java and other software developed in large part by the Open Source community, has been an exceptionally poor steward of those important franchises.

Last year, an unfixed vulnerability in the version of Java that Apple’s Mac operating system uses led to the deepest botnet penetration of any computer platform in history. After that, Apple wised up and found a way to quickly add Java to the blacklist of malware and insecure programs that the Mac OS won’t allow to run. And they needed it.

Unfortunately, while Apple was able to throw the kill switch on Java for the duration of the security problem, the rest of the computing world that uses Java has remained vulnerable for months since Oracle was notified of the latest zero-day vulnerability.

It’s become so bad the Department of Homeland Security has had to issue a warning to computer users around the world to not use Java because its unfixed vulnerabilities made their computers a knockover for a takeover.

Oracle had finally announced the fix would be available on Tuesday but rushed its release forward to today.

But many industry observers — including Forbes Magazine — think it’s one too many security lapses by Oracle. Their recommendation: nuke Java before it is used to nuke you.

Forbes Magazine: Forget Oracle’s Latest Java Patch. Just Kill The Program In Your Browser For Good

From Forbes: “Russian security firm Kaspersky reported in its third quarter analysis of security threats that Java was exploited in fully 56% of all known attacks that took advantage of vulnerabilities in software.”

That’s 56% of ALL known attacks from a software utility used by only a tiny, tiny minority of websites.


New Mac trojan hot on heels of the massive Flashback Mac malware infection and botnet

A new Mac trojan is threatening Macintoshes — even before the massive Flashback-created Mac botnet and the malware that created it has been completely neutralized.

New targeted Mac OS X Trojan requires no user interaction

First, don’t panic.

But… it is cause for concern that there is yet another ‘drive-by’ malware attack on the Macintosh’s OS X operating system — fresh on the heels of the massive Flashback infestation that created a ‘botnet’ (robot network or zombie-net) of over 550,000 Macintoshes that had been taken over by that Java-related malware. Particularly troubling in that case was the fact that even though Java publishers Oracle released a fix for the vulnerability in January, it took Apple more than two months to implement the fix and patch the OS X system.

(Apple elects to handle updates to their Java engine themselves. Which, obviously, created a long window during which the malware was able to spread to over a half million Macs — the greatest penetration — as measured by percentage of a given computer platform — ever.)

Part of the problem for Apple is that they coasted on what they claimed were their laurels with regard to security for so long. OS X, they insisted, had almost never been the target of a large, successful attack — even stretching so far as to claim that was because of ‘superior security’ on the Mac’s OS X. Sadly, that last is simply not true, as MacWorld’s own Rich Mogull pointed out last year when he stated that Windows 7 was more secure than OS X — to the predictable howls of Mac evangelists.

Now, of course, with Flashback — the most ‘successful’ penetration (measured by percentage) of any modern OS ever — there’s little rational argument against the proposition that OS X seriously needs the kind of security overhaul that Microsoft performed on Windows — in particular the ‘anonymization’ of critical OS code libraries. Windows now uses what amounts to a dynamic naming system to ‘hide’ critical OS components from malware, which has proved very successful. Mac security specialists like Mogull have been urging Apple to do the same, and it appears that they have, indeed, been working to bring OS X up to contemporary security standards.

Flashback removal info: http://www.macworld.com/article/1160098/macdefender.html

MacWorld doesn’t have news of this newest Mac trojan, currently known by the euphonically challenged names Backdoor.OSX.SabPub.a and SX/Sabpab-A — but ZDNet is on the tip with this article on the latest set of threats (same as linked at top of article)…

http://www.zdnet.com/blog/security/new-targeted-mac-os-x-trojan-requires-no-user-interaction/11545

From the article…

The remote C&C website appears to be hosted on the free dynamic DNS service onedumb.com. Interestingly, the IP address in question has been used in other targeted attacks (known as Luckycat) in the past. This particular attack may have been launched through e-mails containing a URL pointing to two websites hosting the exploit, located in Germany and the U.S.

The Trojan may have been created on March 16, 2012. It was compiled with debug information, meaning analyzing it wasn’t hard, but more importantly this seems to suggest it is not the final version. You can check for infection by looking for the following files:

/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist

The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products. The low number of infections and its backdoor functionality indicate that it is most likely used in targeted attacks.
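The two indicator paths quoted above can be checked with a short script. This added example (not from ZDNet or Kaspersky) does so with one caveat a practitioner would want: the two published names differ in case (“PubSabAgent” vs “PubSabAGent”), and the default HFS+ volume is case-insensitive, so the comparison is done on lower-cased file names rather than trusting the exact spelling. The `make_demo_root()` helper is an assumption of this example; it plants constructed stand-in files in a temporary directory so the check can be exercised without a real infection.

```python
import os
import tempfile
from pathlib import Path

# Indicator paths as quoted from the ZDNet write-up above.
SABPUB_INDICATORS = [
    "/Library/Preferences/com.apple.PubSabAgent.pfile",
    "/Library/LaunchAgents/com.apple.PubSabAGent.plist",
]


def find_indicators(root="/", indicators=SABPUB_INDICATORS):
    """Return the indicator paths present under `root` (default: the live system).

    File names are compared case-insensitively so that either spelling of the
    agent name is caught, whether the volume is case-sensitive or not.
    """
    root = Path(root)
    hits = []
    for indicator in indicators:
        rel = Path(indicator.lstrip("/"))
        parent = root / rel.parent
        if not parent.is_dir():
            continue
        wanted = rel.name.lower()
        for entry in parent.iterdir():
            if entry.name.lower() == wanted and entry.is_file():
                hits.append("/" + str(rel.parent / entry.name))
                break
    return sorted(hits)


def apple_named_agents(root="/"):
    """Heuristic beyond the article: list /Library/LaunchAgents entries whose
    label claims to be Apple's (com.apple.*). Apple ships its own agents under
    /System/Library/LaunchAgents, so such names in /Library are worth a look."""
    agents = Path(root) / "Library" / "LaunchAgents"
    if not agents.is_dir():
        return []
    return sorted(p.name for p in agents.iterdir()
                  if p.name.lower().startswith("com.apple."))


def make_demo_root():
    """Constructed test fixture (hypothetical): a fake root with the preferences
    file spelled as published and the plist in all lower case."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    os.makedirs(os.path.join(root, "Library", "LaunchAgents"))
    Path(root, "Library", "Preferences", "com.apple.PubSabAgent.pfile").touch()
    Path(root, "Library", "LaunchAgents", "com.apple.pubsabagent.plist").touch()
    return root


if __name__ == "__main__":
    for hit in find_indicators():
        print("indicator present:", hit)
    for name in apple_named_agents():
        print("Apple-named agent outside /System:", name)
```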

UPDATE on FLASHBACK:

Despite Apple’s release of a removal tool and OS patch last month, there are still about 270,000 Macs in the Flashback botnet: http://www.zdnet.com/blog/bott/apple-releases-flashback-removal-tool-infections-drop-to-270000/4775?tag=content;siu-container


Protecting your online image assets…

Here’s a very informative article that covers some of the issues facing those who want to display images of their own creation online — but want to minimize their unauthorized use by others.

From DWUser, who publish the XML Flash Slideshow and Easy Rotator tools:

Stop the Thieves! Strategies to Protect Your Images


Oracle makes improvements to open source MySQL database engine…

MySQL… It’s the open source database that runs much of the web. From WordPress blogs (like this one) to hundreds of thousands of e-commerce and other sites, MySQL has proved to be not just a solid performer that could compete with expensive alternatives like MS SQL Server or Oracle’s own database system, but a much desired — and even loved — icon of the Open Source movement.

So, when Oracle bought Sun Microsystems in 2010 to acquire their open source projects, Java and MySQL, many in the developer community — and particularly the Open Source community — were gut-sick with worry that Oracle — not known for their lovability by a long stretch — would either destroy the project or proprietize it, removing it from the Open Source community’s loving embrace and charging big bucks for it. Indeed, Oracle did add several proprietary — and quite expensive extensions not long after.

Still, all in all — and so far — things aren’t looking too disastrous.

In fact, recent changes announced by Oracle suggest that MySQL’s performance will be boosted substantially by changes Oracle’s developers have made to its codebase.

Wired: Oracle Turbocharges MySQL Database


Critical Safari, IE, and Windows Updates


Watch those links and ads folks — more trojan malware lurking on Bing and elsewhere…

More malware from Russia, more malware-loaded ads and a fake Flash installer trojan targeting Mac users:

From the Ed Bott Report on ZDNet:

Summary: Malware authors will do just about anything to fool you into installing their software. A popular target is search engine advertising, which one gang is using on Microsoft’s search results. In a separate attack, Mac users are being targeted by a Trojan that mimics a Flash installer.

Yesterday, I showed you details of an ad on Microsoft’s Bing search engine that led unwary visitors to a site serving up malware.

Several hours after I reported that ad to Microsoft, it was removed, and a spokesperson told me that Bing’s ad network will “continue to directly work with our agency media partners to verify and confirm any suspicious orders.”

Looks like there’s more work to do.

This morning, I’ve found multiple ads on Bing that go through seemingly innocent intermediary sites to the same malicious server in Russia…

More… http://www.zdnet.com/blog/bott/bing-…02?tag=nl.e539

UPDATE: this just in… more exploits targeting the Beast of Redmond, this time aimed at the not-so-grand old lady of browsers…

Microsoft expecting exploits for critical IE vulnerabilities

http://www.zdnet.com/blog/security/m…44?tag=nl.e589

But the bad guys no longer play favorites — there is a new round of drive-by attacks that can infect Safari on both OS X and Windows just by tricking you into visiting a malware-serving site — time to UPDATE!

58 Safari Bugs Patched To Prevent Drive By Attacks

( http://www.favbrowser.com/58-safari-…ve-by-attacks/ )


Where did the Cloud come from?

Cloud storage and cloud computing will increasingly be a fact of life. While I still create plenty of so-called static web pages for clients (which means I develop the content more or less on the desktop and then upload it to the web), back in 2004, I took my first web database driven e-commerce client — I guess I should call that cloud-commerce, eh?

Of course, I still developed the code that would control and direct the database interactions on my desktop — but that code allowed my clients to add and remove content from the virtual catalog component of their site without intervention from me and, of course, allowed their customers to shop and manage their own transactions.

Naturally, we’re all pretty familiar with the e-commerce model that began developing in the mid and late 90s with the rise of large online retailers who needed methods of managing their online catalogs that didn’t rely on coders creating a separate page for each item. (Indeed, the e-commerce client I took on back in 2004 had had such a system, with hundreds of items ‘locked’ to the ‘hard-code’ of individual web pages. It had become a nightmare to maintain, as you might imagine.)

Two developments signaled an evolutionary trend that would eventually allow just plain folks to develop content in the cloud — although, of course, back in the late 90s, the coders and geeks who developed and implemented the bright new ideas of the web had little use for the buzz-word factories of the marketing departments and PR flacks.

The first of those were social or community websites that encouraged users to contribute their own content. In fact, the social aspect of the internet was one of the first trends to evolve as the internet increasingly connected computers in different locations, starting when the first two nodes were connected on September 29, 1969, forming ARPANET.

At first the evolving Internet was the province of academia and government.

But with the rise of personal computers and transmission of data over phone lines (which itself had its roots in the wire photo — first successfully accomplished in 1921 by Western Union), new, less formal collaborative and social forms developed in the form of message lists and then user interfaces that wrapped around simple group messaging, presenting those messages in formats soon dubbed bulletin boards. [Hello, vBulletin! ]

For a long time, of course, all this was limited by early technologies and by the bandwidth restrictions of voice telephone lines appropriated for data transmission via modems that translated ones and zeros into blips and bleeps.

The public internet as we know it more or less began in 1988-89, but online communities like the old Compuserve had existed for many years by then, the parent company founded in 1969 as Compu-Serv Network, Inc. The web interconnection system using the internet backbone was developed in 1989 by Tim Berners-Lee. Over the next years, web browsers evolved rapidly, adding the capability of incorporating image and other multimedia content early on — but bandwidth restrictions usually kept images low resolution and tiny for some years.

Still, the ability to create more than simple web content was limited for internet end-users, unless they were willing to become coders. But the ability granted by early community sites to upload images, and later audio files, was an important milestone.

One of the most revolutionary sites of the 90s, in many ways, was the original Mp3.com, which used the sort of data-driven interfaces originally growing out of early community sites to allow musicians to upload their work as well as to create and restyle their own individual web pages hosted within the site. One of the most popular features of Mp3.com was its conjoining of a basic bulletin board with the content pages, forming a set of community forums that was used for self-promotion as well as music discussions — and a whole lot of socializing — and, of course, as the Mp3.com veterans among us here at HC probably well remember, lots of flame wars.

The other cloud precursor was blogging software.

Blogs (web logs) had been around since early in the 90s, originally conceived as a way of pointing others to interesting content on the evolving web. But for much of the 90s, they were the province of those who had enough of a grasp of web coding to create their own static (hard-coded) web pages. Conventions evolved rapidly, including chronological internal linking systems, at first simply links to previous entries, typically at the bottom of each new entry.

But it didn’t take long for bloggers to realize that there must be a good way of automating and standardizing the conventions of their individual blogs.

The first blogging software packages were desktop applications, basically special-purpose web editors that allowed simple automation of format and linking. But as online database technologies rapidly matured, the merits of taking that content creation up onto the web itself quickly became apparent.

With increasingly user friendly user interfaces, blogging took off. Of course, much of the content was standard Me2 Generation stuff, what cute thing my cat did today, idle thoughts, and, of course political rants — but the original purpose of blogs — pointing to other content, thrived as well.

In the 2000s, we saw a conjoining of social/community sites with blog features and content, forming the nascent social media scene.

Once the desktop (or laptop — and now smartphone) became merely a portal to the web (a thin client in geek speak) instead of the engine of content which would then be uploaded — we were pretty much dealing with the cloud.

So online content creation and online storage of that content — as well as other data — have been around for a pretty long time.

But it took some marketing guy — just who is subject to fairly intense debate — to come up with a buzz phrase name that would stick. Probably the earliest use goes back to 1997, when NetCentric attempted to trademark the phrase “cloud computing.” By 1999, they had abandoned the term. Still, it had been introduced into the sea of geek mind.

In 2006, Eric Schmidt of Google used the phrase cloud computing to describe their approach to SaaS (Software as a Service). [See John Willis’ ‘Who Coined The Phrase Cloud Computing?’]

The rest is history.


http://en.wikipedia.org/wiki/Internet#History

http://en.wikipedia.org/wiki/Compuserve

http://en.wikipedia.org/wiki/MP3.com#Original_version

http://en.wikipedia.org/wiki/Blog#Origins

http://en.wikipedia.org/wiki/Cloud_computing
