ModSecurity 2.5.7 for Apache was released today, and it's another maintenance release. The last update we saw for ModSecurity was back in July, which was also a maintenance release. Check out the 8 issues that have been fixed and the one that will never be fixed but has been “resolved” in the changelog: https://www.modsecurity.org/tracker/browse/MODSEC/fixforversion/10011
Thanks http://www.modsecurity.org/ guys!
In this article posted at InformationWeek, the author writes that
“Some of the largest ISPs in the United States have vowed not to monitor Internet users’ activities without permission.”
Verizon, AT&T and Time Warner may have said this, which is good, but Google, on the other hand:
“Google (NSDQ: GOOG) has also indicated a willingness to allow consumers the choice to opt out of data collection.”
There is a big difference between letting people opt out of a service and letting them opt into one. I guess the main thing is, nobody is going to opt in to this, at least without incentives. But when you sign a contract with your ISP, this in effect would release them, giving your permission for them to monitor your activities. This isn’t a problem if it is easy to opt out, but the problem is that many people do not even read contracts.
It brings up many questions, and what they could do with this mined data just blows my mind. (more…)
A look back in history today as we enter the world of old exploits. I was rummaging around Google when I found this rather long list of exploits http://www.hoobie.net/security/exploits/index.html from back in the day. It appears that some of the files I was interested in return 404s, but some of them still have text files. It is a great read for anyone interested: a lot of different types of exploits, some that are still common. You will find no SQL injection or PHP code injection in this list, and certainly no cross-site scripting. I don’t know how long the site is going to be up, so I may download the files for reference, but my guess is that if it's been up since 2002 (last page update) then it's probably going to be up for a while longer.
Everyone has heard about Palin’s email getting hacked. Well, what's all over the news right now is who the script kiddie might be. Turns out that the handle of the poster has been linked to the 20-year-old son of Tennessee Democrat Mike Kernell. How interesting. Now, this is all speculation, but if it was him I wonder whether he used his scriptolicious leetness to “do something awesome” or whether it was instigated. What I do want to see is justice, if the claims are true: he hacked an e-mail account with malicious intent, published private content of another individual and generally caused mischief. I mean, think of the man-hours that were lost because of people looking at wikileaks.org. What a hit to the economy.
I was watching the seclists.org mailing list while this was going on and thought it was funny that they were dissecting it before the proxy owner even said they were going to cooperate.
Now, even though David Kernell may have “hacked” Yahoo’s password reset feature, do you really think that it was a hack? I mean, kids in high school and college do this all the time to their friends. I bet her password recovery question was easily guessable.
What I find really funny about this is that he got caught; it is funny because if it was him he may have jeopardized his future, and perhaps the reputation of his father. If he did do it, he and his father should be further investigated to make sure that David did this of his own will. All computer equipment should be seized and logs collected.
If David Kernell didn’t do it, you have to give credit to whoever pulled this off. I mean, if they never get caught and this was their plan, then bravo. Bravo. Use a script kiddie technique to obtain your information, post it under someone else’s name and then divert the media's attention by blaming someone else. If the proxy had been gamed, then that adds even more points.
Here is more information from seclists on the case: (more…)
My favorite vulnerability from this week is the Apple QuickTime/iTunes QuickTime Type Remote Buffer Overflow found by securfrog. This vulnerability has proof-of-concept Perl code which can cause a remote crash in Firefox, IE or any browser using the QuickTime plugin. No shellcode execution has been confirmed yet. I wonder when Apple is going to patch this one.
The internet is so much a part of life and business these days that desktop applications are still a target. It is easy for a malicious user to exploit a desktop application via social engineering, man-in-the-middle attacks, phishing and other means. In my opinion graphic designers are (more…)
In the world of security a lot can happen in three days. Let's take the popular web content management system Drupal. Over the past three days, both Secunia and SecurityFocus have published a total of five Drupal vulnerabilities. (more…)
According to a post from Out-Law.com, a US court has ruled that an employee has no privacy on company computers.
Basically, the man was convicted of stealing $650,000 from his employer while working as a bookkeeper. The story notes that his desktop and laptop were searched without warrants, and there was confusion over whether the laptop was his personal property and whether he had abandoned it. The court relied on a previous case whose ruling said that someone who abandons property no longer has an expectation of privacy in relation to it.
But what about the personal property? The man claimed that he paid for the laptop himself, but is someone that has stolen money from a company (especially $650,000) really entitled to say that they paid $500 for a laptop from that very company? To add more confusion, it turns out that the laptop was also paid for once on a company card. There is some shady accounting going on, and the man probably was guilty. As for privacy at work, he wasn’t really at work when the searches were done. Do you have a right to privacy after you leave? What if you format your hard drive? You could serve some time for sabotage. This is exactly why companies should have clear privacy policies and computer usage policies governing the use of computers, data and communications. If the company needs information off of their own property, they should be entitled to that information, but which came first, the chicken or the egg?
I’ve been subscribed to the IDG Connect mailing list for a while now, and while I don’t read all of the content they send me, this one caught my attention. I’m not going to be viewing this web cast since I have prior arrangements, but anyone else is welcome to sign up for it. If you're looking for a web application security primer, this might be a good one. I’ll check it out once it's finished if they put it online. It starts at 1PM EDT, so you’ve got about an hour and 10 minutes.
In the movies, getting past high-tech security is no joke. Like that scene in Minority Report when Tom Cruise has trouble hanging onto the squishy eyeball he needs to trick the retinal scanner. Or in Resident Evil, when the infiltration team meets up with those unfriendly lasers… Thankfully, in the real world, we’re not there yet. So it’s probably best to keep your eyes looking inwards, on the network. Learn the vulnerabilities of Web applications and how they put your organization at risk.
For a detailed overview of how you can test for vulnerabilities and the tools you need, register for the complimentary online presentation “Learn how to protect your corporate web application now! Web Application Security: Causes, Discovery and Remediation.”
This presentation, courtesy of eEye Digital Security and IDG Connect, will take place tomorrow, Tuesday, September 16, 2008 at 10:00 AM PDT/ 1:00 PM EDT. Register now, join your colleagues and have your questions answered live by expert presenters, all from the comfort of your PC.
We think you’ll find it both interesting and beneficial.
Proof-of-concept code has been released for the phpMyAdmin vulnerability, and all versions prior to 2.11.9.1 need to be updated. The RC release of 3.0.0 is reportedly vulnerable also. RC2 was released this morning; I cannot tell from the “Notes” section whether RC2 fixes this problem. http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0