TCP injection

The latest Security Now! podcast (37 MB) is pretty interesting. They cover the Flame malware, and its use of a previously unknown way to inject malicious data into TCP connections, which will shortly be coming to an app near you.

Re: cPanel vulnerability alert

If your host runs cPanel, best to check which version he is providing you then. If it's a vulnerable version, I wouldn't hesitate to ask when the upgrade is scheduled for your specific server.

Good hosts (like the one we encountered at CMSExpo) are security-conscious and will make sure they get this kind of upgrade deployed as soon as possible. Also, good hosts will not rush into deploying this kind of update without doing some tests themselves, so it can take a few days.

Thanks for sharing!

cPanel vulnerability alert

From my hosting company:

-------------------------

cPanel has recently disclosed that a security vulnerability has been patched in all current versions of cPanel and WHM. The details of the vulnerability were not disclosed; however, they have indicated that upgrading as soon as possible is strongly recommended. cPanel indicated that they do not believe any publicly available exploits exist.

The following cPanel & WHM versions address all known vulnerabilities:

11.32.3.19 for EDGE and CURRENT update tier
11.32.2.28 for RELEASE, STABLE, and 11.32 LTS update tier
11.30.6.8 for 11.30 LTS update tier

The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net.

To update cPanel and WHM, take ONE of the following actions:

- Log into WHM and click on the option "Upgrade to Latest Version", then click the "Click to Upgrade" button.
- Log in to your server using SSH and run /usr/local/cpanel/scripts/upcp

Further information may be found here:

http://docs.cpanel.net/twiki/bin/view/11_30/WHMDocs/UpgradeVersion

Please see the following article for further information:

http://www.cpanel.net/2012/05/targeted-security-release-20120531-announcement.html



Re: Yubikey nano

They look very interesting. I'm thinking of getting a few of these for the impresscms site administrators, to add another layer of security.



Yubikey nano

Yubico have released a new kind of Yubikey hardware token, the nano. This one is basically a plug for a USB port: you leave it in the computer, and it has a small ridge you can touch to generate the one-time password.

It also supports continuous challenge/response authentication, i.e. a site can ping the key to demand reauthentication whenever it wants.

They're a bit more expensive though, $40.



Re: Protector and blocking Bad IPs (proxy)

Sorry, my mistake, but adding these IPs to the htaccess file didn't help either. This was one of my first attempts to stop these IPs.

The above code seems to work when added to mainfile. Tried also by adding the code to index.php instead (before the line where mainfile is included), but this didn't work.



Re: Protector and blocking Bad IPs (proxy)

I might suggest adding those IP addresses to your htaccess file, instead.



Protector and blocking Bad IPs (proxy)

On my ICMS 1.2.x website I use PHP-Stats as a counter. This is an old but still a good PHP counter which logs IP addresses, visiting time, visited pages, countries, etc.

For a long time I saw an IP address (109.173.122.122 from Russia) in PHP-Stats which visited my website a few times a day. In the server log files this IP couldn't be found, but instead I found other IPs which weren't any good according to sites as Stop Forum Spam and Honeypot.

Unfortunately, adding the above IP address to Protector's Bad IP list didn't work.

PHP-Stats uses HTTP_X_FORWARDED_FOR to determine the IP address of a visitor, and I assume Protector uses another method. Correct?

At the moment I use the following 'solution' to stop this kind of bad IPs from visiting my website. At the beginning of mainfile.php I've added these lines:

// Prefer the X-Forwarded-For header if present, otherwise fall back to the socket address
$ip = !empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
$banned_ip = array('93.80.182.49', '95.28.138.245', '109.173.122.122', '128.68.87.46');
if (in_array($ip, $banned_ip)) {
    // Send the banned visitor elsewhere and stop processing the request
    echo "<html><head><meta http-equiv=\"Refresh\" content=\"0; URL=http://www.projecthoneypot.org\"></head><body></body></html>";
    exit();
}


Questions:
a) Is this a correct way of stopping IPs in cases where Protector doesn't seem to work?
b) If not, what's the correct way to do so?
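The snippet in the post above trusts HTTP_X_FORWARDED_FOR unconditionally, and that header is set by whoever sends the request, so any visitor can put an arbitrary address in it. The following is an added example (not Protector or ImpressCMS code) of how such a check can be written so that the forwarded header is only honoured when the request really arrived through one of your own proxies, with the ban list allowing CIDR ranges as well as single addresses. The proxy address and the 403 response are assumptions for illustration; the banned addresses are the ones from the post.

```php
<?php
// Added example, not part of ImpressCMS/Protector. Assumes the site sits behind
// the reverse proxies listed in $trustedProxies (constructed value below) and
// that the server runs 64-bit PHP, where ip2long() returns non-negative ints.
declare(strict_types=1);

/**
 * Resolve the client address. HTTP_X_FORWARDED_FOR is honoured only when the
 * TCP peer (REMOTE_ADDR) is one of our trusted proxies; otherwise the header
 * is attacker-controlled and is ignored.
 */
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    if ($xff === '' || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // The header reads "client, proxy1, proxy2": walk from the right past our
    // own proxies and take the first hop we did not add ourselves.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $remote;
        }
    }
    return $remote;
}

/** True if IPv4 $ip falls inside $entry, written as "a.b.c.d" or "a.b.c.d/nn". */
function ipMatches(string $ip, string $entry): bool
{
    [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;   // not IPv4 (or malformed): no match rather than an error
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isBanned(string $ip, array $bannedList): bool
{
    foreach ($bannedList as $entry) {
        if (ipMatches($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Usage, as it would sit near the top of mainfile.php.
$trustedProxies = ['10.0.0.5'];   // constructed: the address of our own reverse proxy
$bannedIps      = ['93.80.182.49', '95.28.138.245', '109.173.122.122', '128.68.87.46'];

$ip = clientIp($_SERVER, $trustedProxies);
if (isBanned($ip, $bannedIps)) {
    header('HTTP/1.1 403 Forbidden');   // refuse outright instead of redirecting
    exit;
}
```

If the site is not behind a proxy at all, leave $trustedProxies empty and the check reduces to REMOTE_ADDR, which is the address the TCP connection actually came from and the one the web server log records. The proxy-aware branch is what makes the addresses you see in PHP-Stats and in the server log agree.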



Re: New attacks on CAPTCHAs

We need a simple mechanism for assigning trust to people. I quite like the idea of letting people post comments if they submit their email address. The first time they post, their comments are withheld pending moderation. But if approved, their email address gets added to a 'trusted' list where they can comment without moderation in future. This will catch the majority of spammers but also let people contribute without having to open an account or formally sign in.

The idea of forcing people to sign up for an account before they can post probably needs another look, at least for comments. It discourages casual passers-by from contributing, but it doesn't discourage the spammers.



Re: New attacks on CAPTCHAs

I believe that CAPTCHA will be useless within the next year. For a long time, people have been employed, very cheaply, to circumvent captcha systems. Who needs an automated system, when you can pay to have a person enter the information for you, for pennies an entry?

This is something we do need to consider - how do we authenticate new members? Should we do it ourselves? Should we rely on an authentication service? What about linking authentication to other very public entities, like Facebook and Twitter? What about a physical authentication, through a controlled asset, like Yubikey? But, even that is a bearer type of authentication - if you have the key, you can get in.

More to the question - what responsibility does a CMS have for authentication?



Re: New attacks on CAPTCHAs

Quote:

Madfish wrote:

In more positive news, the US Predator and Reaper drone fleets are riddled with keylogging viruses, so we might find new and interesting ways to deal with our spammer friends.

The Washington Post: Military says computer virus that hit drone program was designed to go after gaming passwords



New attacks on CAPTCHAs

It's official - CAPTCHAs are now harder for humans to read than for machines.

In more positive news, the US Predator and Reaper drone fleets are riddled with keylogging viruses, so we might find new and interesting ways to deal with our spammer friends.



Re: UPnP security issue (home routers)

This is not about ImpressCMS, sato-san.

The German icms website: www.impresscms.de


Re: UPnP security issue (home routers)

I don't think so, it's usually just called UPnP. There are automated scanning tools already available and in use to locate vulnerable routers.



Re: UPnP security issue (home routers)

You speak about "stop-spam" function?



UPnP security issue (home routers)

There's been a rather nasty security problem found in many common consumer routers where universal plug and play is enabled on the WAN side.

It allows people to reconfigure your router settings. If that seems like a bad idea to you, check your routers and if you have UPnP enabled...turn it off!!!



Re: Strong, memorable passwords

Creating a pass phrase instead of a pass word is a very good practice. Another level of complexity to add is something unique to each instance of the passphrase - don't just use the same passphrase on every site.

Add part of the URL or site name to your passphrase and now you've got a unique passphrase for every website, but it's still easy to remember.

iCmS/50BdStSyCdDeUdKm@123456.com
or 50BdStSyCdDeUdKm@123456.com[impresscms]

and there you have it!



Re: Strong, memorable passwords

A very nice idea! You should write a blog about it.



Re: Strong, memorable passwords

people choose easy passwords for mainly 2 reasons:

1. they don't understand the impact of security & how easily passwords can be cracked or guessed or the tricks crackers use to gain access.
2. because an easy password is easy to remember:

password is easier to remember than 1Rthg&6FW

but why should a password be hard to remember? because people over-think them, and because of reason 1 above.

so how would you go about making a password that seems random, but is easy to remember & contains all the necessary requirements?

think about it logically. 1 way of producing a memorable random password that contains no words and makes no sense whatsoever but is easy to remember to yourself.

take your address for example

199 Bond Street,
Staveley
Chesterfield
Derbyshire
United Kingdom

everyone knows their own address & phone number.

so a password derived from your address that is easy to remember.

199BdStSyCdDeUdKm

strengthen that by turning it into an email like address

199BdStSyCdDeUdKm@123456.com

where 123456 is your phone number.

and there you have a very long password, easy for you to remember. i took the 1st & last letter of each word of the address.

it could be your mother's address, or a friend's work address. the point is, you derived your password from something that you can easily remember & turned it into a phrase that can be easily recounted by yourself.

that is 1 way of producing a good strong password. it doesn't need to be random, but it does need to be remembered.

[edit]
the above address is fictional btw. it does not exist, i'm not that dumb. (for those spammers that think i might be) just thought i'd mention that!!!!

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Strong, memorable passwords

How about a simple link to some password tips on the Wiki?