PHP-CGI Exploit is in the wild. Get protected ASAP.

The vulnerability that sat undetected for 7 years was disclosed last week, but today it has been announced that exploits have been seen in the wild. A new patch is being worked on. This is pretty bad because it is not an exploit of one particular web application; rather, it targets web servers running PHP in general.

The quick fix is to add this to the .htaccess file on your website(s):

# Refuse (403) any request whose query string contains no "=" (so it is not an
# ordinary key=value query) but does contain a "-" or its URL-encoded form "%2d".
# Apache tests the raw, still-encoded query string, so both forms are checked.
RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|- [NC]
RewriteRule .? - [F,L]

Unless you have compiled PHP from source on your web server, you will need to wait for your vendor (cPanel, WHM, Red Hat, CentOS, etc.) to release the updated version. I suggest you implement the above .htaccess fix in the meantime.
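To see exactly which requests the rule above refuses and which it lets through, here is an added Python port of its two RewriteCond lines, run over a few constructed access-log lines; this is not code from the original post, and the query strings and IP addresses in the sample log are made up. The last sample line shows the rule's one side effect: a legitimate request whose query string contains a hyphen but no "=" is refused as well.

```python
import re

# Port of the two RewriteCond lines from the .htaccess snippet (added example).
# Apache tests the raw, still-encoded query string, so both the literal "-"
# and its "%2d" encoding are checked; [NC] becomes re.IGNORECASE.
NO_EQUALS = re.compile(r"^[^=]*$")
HAS_DASH = re.compile(r"%2d|-", re.IGNORECASE)


def blocked_by_rule(query_string: str) -> bool:
    """True if the .htaccess rule would answer 403 for this query string."""
    return bool(NO_EQUALS.search(query_string) and HAS_DASH.search(query_string))


# Minimal extraction of the request line from an Apache combined-format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ "]*)(?: HTTP/[\d.]+)?"')


def scan_access_log(lines):
    """Return the request paths (with query string) the rule would have blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        _, _, qs = path.partition("?")  # rule only looks at QUERY_STRING
        if qs and blocked_by_rule(qs):
            hits.append(path)
    return hits


# Constructed sample log lines (not real traffic; addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/May/2012:10:01:02 -0400] "GET /index.php?-example HTTP/1.1" 200 512',
    '203.0.113.5 - - [08/May/2012:10:01:03 -0400] "GET /index.php?%2Dexample HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/May/2012:10:02:00 -0400] "GET /index.php?id=-1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [08/May/2012:10:02:01 -0400] "GET /page-two.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [08/May/2012:10:02:02 -0400] "GET /index.php?page-two HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for path in scan_access_log(SAMPLE_LOG):
        print("would be blocked:", path)
```

Running the same scan over a real access log shows whether a site saw such requests before the rule was in place, and which normal URLs the rule will break.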


Edit 5/9/12 12:19PM Eastern:

Most cPanel configurations are protected by default: http://www.cpanel.net/2012/05/cpanel-protects-against-php-vulnerability.html

Hide Yourself From Social Networks (and others)

Did you know that Facebook gets a report every time you visit a site with a Facebook “Like” button, even if you never click the button, are not a Facebook user, or are not logged in?

That, and more you should be aware of, is covered in this Consumer Reports article.

Priv3 for Firefox will silently prevent the cookies from Facebook, Twitter, LinkedIn, and Google+ from being installed in your browser, thus protecting you from being tracked everywhere you go online.

Take it a step further and install CSFire to block not only the big four social networks, but any site that surreptitiously makes requests to third parties without your knowing it. It takes a little more management to unblock sites you want to function this way, but it will greatly increase your overall online privacy (and safety).

One of the above, paired with AdBlock Plus and NoScript will go a long way toward keeping you safe online.


Better WP Security

I have been cleaning up a lot of hacked websites/malware and doing security updates and hardening for WordPress websites lately. Ideally I’d be able to lock down a client’s server more thoroughly, implement a good firewall, and run some intrusion detection software, but since many people can’t afford this sort of thing and are on shared hosting environments, I have to lock down what I can.

For hardening WordPress I have traditionally been a fan of Secure WordPress, but lately it has seemed a little too simplistic and not proactive enough. Malware infestation on websites has been spreading like wildfire lately for whatever reason, so staying on top of things is a must.

WordPress Firewall 2 seemed to work pretty well in the past, but it would often kick back false positives which caused issues with plugins and prevented things from working that should otherwise not have a problem. Not to mention it hasn’t been updated in a while.

I was happy to see that Sucuri made their premium plugin free recently. It is pretty slick and has some cool features, and I really like what Sucuri does for web security. But with this plugin they are trying to walk the line between simplicity for the end user and comprehensiveness for being secure. It’s kinda weird to use for that reason, as you don’t really get a good understanding of what is being done behind the scenes.

I tried this a few weeks ago and originally gave it up, but I have since returned to Better WP Security, especially now that I can specify an email address to send notifications to and can disable warnings in the WP admin area. These are things that mattered a lot to me, as they would inevitably lead to clients or bosses emailing me asking what all these warnings were. The recent update to the plugin fixed all that, and I’m a happy camper.

I really like that the plugin shows you what needs to be done, makes it easy to do it, and keeps you well informed about what is going on behind the scenes. There is intrusion detection, there are logs, there are password strength policies, there are database tweaks, there are database backups, and there are many other ways to tighten up security. You don’t find so many useful tools in one place with any other plugin.

You should try it – Better WP Security (website) – Plugin Download


Encrypted Google Search

This seems to have flown under the radar in recent weeks, but Google has launched a Beta site for using their search services over SSL. I have set it as my default Google search page now.

Google SSL

Same URL as usual, just use https instead of http.

Practical Security Round-up

We here at Geekamongus care about you, the visitor, so we offer some news and tips about staying secure:

iPhone
Here’s a good reason to set your iPhone to *not* auto-join Wifi networks, especially those AT&T Wifi Hotspots.

Antivirus Software
There is no need to pay for antivirus/security software for your Windows computer. Save your money. As CNET suggests, use one of the many free programs available. Personally, I prefer MSE or Avast.

Facebook
Considering there may be 1.5 million Facebook accounts up for sale on the black market, now would be a good time to rid your computer of malware and then change your Facebook password.

While you are at it, you may want to learn about (and restrict) all the personal data Facebook has unilaterally decided to share about you.

Microsoft SharePoint Security Warning
SharePoint administrators and users, beware: Serious XSS flaw haunts Microsoft SharePoint

The Google Overlords
Afraid of Google? Here’s a good way to anonymize yourself when doing Google searches or using many of their services:

Read more on the project page. Download the Firefox plugin here.

Energizer battery charger contains backdoor

This is pretty crazy.

“An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.”

When you buy off-the-shelf peripherals such as this, it’s easy to assume they have been tested and are safe, and wouldn’t normally pose much of a security risk to your computer. Remember, however, that humans made them, and so they are still subject to the same flaws (or subterfuge) as something you download from the Internet.

Credit Cards: Fees, Minimum Amounts, and Your Rights

After eating lunch at a local restaurant yesterday, I noticed that when I was signing my receipt they had printed my whole credit card number on there. I hadn’t seen that happen in years, and I immediately scratched it out. I happened to be with a group of cyber security guys, and they were all in disbelief as well.

It would be very easy for a thief to pick up your receipt just after you leave, then go home and have an online shopping spree. The server or anyone else handling your receipt could do the same thing.

Avoid Microsoft Windows When Banking Online

Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit of the NSW Police says, “If you are using the internet for a commercial transaction, use a Linux boot up disk – such as Ubuntu or some of the other flavours… It gives you an operating system which is perfectly clean and operates only in the memory of the computer and is a perfectly safe way of doing internet banking.”

Sounds like a good plan to me, but then, I’m sure most of you reading this are already in agreement. It’s just good to see this sort of thing hitting major news sites.

Read more here…
