January 29, 2008

security aka counter terrorism vs. privacy

Filed under: privacy,society,surveillance — admin @ 1:29 pm

This iamge gets it exactly to the point where all current discussion about the security in our society is going. The so called security in our society against some so called terrorists have and will be always and immense attack on our privacy. They don’t make a more secure life, they just do more surveillance on everyone of us.

Security Fence

October 30, 2007

Leopard’s firewall, can you count on it?

Filed under: apple,firewall — admin @ 8:35 pm

Heise.de examined recently the firewall which comes with apple’s new OS X version “Leopard”. It looks like they really learned nothing from what other operating system developers had to learn in the past years. It’s hard to guess how Apple (or even just the people using it) wants still to claim that their system should be more secure than other after having a closer look on what they deliver as a so called firewall. Here the facts:

  • It’s not enabled by default. Microsoft have been blamed for that years ago, while releasing SP 2 for Win XP
  • If you have enabled it and upgrade to “Leopard”, it will get disabled. Microsoft had done this fault as well years ago.
  • If you enable it and request it to deny everything, so nothing else than to block anything which comes from outside to your computer, so called trustworthy services are still open and can be accessed. WTF? A firewall which is just useless?!
  • The only way you can really secure your firewall is to put hands on the firewall your self, without any “klick’n’bunti”. And this is certainly nothing that a so called Mac user wants to do, nor 99% percent of the people will understand or even just do it.

It certainly looks like Apple just released a firewall which is just useless for most of their users. And it looks like that usability (nice GUI’s as a top criteria!) have another time won over security. And it becomes again clear that you can’t have any security if you aren’t understanding what are you doing (while clicking).

So and what can you do as a Mac-User? You have to wait until Apple thinks that it is a security issue and will release an update. With FOSS anyone could release an update, and everyone could profit. Fortunately I’m not using anymore any closed systems. 🙂

Check out the whole story @ heise.de in German or in English.

October 9, 2007

Encryption seems to work…

Filed under: cryptography,law,privacy,skype,surveillance — admin @ 11:40 pm

In the last few days 2 news showed in a way that encryption really works. And therefore the government is looking for new ways to still gain access to your data:

  • In UK you can now be charged with up to 5 years of prison, if you don’t give away your password to encrypted data. Heise.de (German)
  • In nearly every newspaper in Switzerland there have been reports about the problem that drug dealers are using more and more Skype to communicate, which encrypts the traffic in a secure manner and the Skype company seems not to really want to work together with the government. Heute-Online (German)

The first news is indeed a shame and an attack on your right to not cooperate and not to charge yourself. However it is rather questionable how investigation teams can show that you really won’t have forgot your password.

The second one is in the context of security not that good: Skype is not a free/open protocol. It is still proprietary and the company won’t open the protocol nor the services. So if you’d like to communicate in a secure manner you have to rely on their integrity, that they won’t wiretap on their servers or change the software (like JAP did it) that eavesdropping is possible. Therefor we, on immerda.ch are encouraging people to use open protocols like Jabber or SIP (Hopefully to come soon 🙂 ) to be sure that no wiretapping is possible and that you are not depending on a company providing you the services for free and without any cooperation to the police.

September 21, 2007

TLS-Cookie can track you

Filed under: browser,firefox,privacy — admin @ 11:48 am

It’s always interesting how some features which are nice and really used, can become evil for you if your configuration is not very strict:

Alexander Klink found out that you can track people over websites by setting them a so called TLS-cookie. Which is nothing else than a server is setting you a client certificate in your Web browser, which is presented to every Web server without notifications by default settings within your Firefox. Read more on Heise.de in German.

So what to do? Just disable the automatic sending of a certificate under Preferences -> Advanced -> by switching from “Select one automatically” to “Ask me every time” in the Certificates section. With this option you will always be asked if a server is requesting a certificate if you want to present any. Then you can decide if you want to or not…

September 13, 2007

Social networking privacy

Filed under: privacy,social networks,society — admin @ 10:24 pm

BlogSec, a very nice blog about blogs and security, have published some interesting articles about social networking platforms and (their) privacy:

and they want to continue their article series about this topic, so other interesting articles might get to your attention.

It is always suprising how today people are throwing away their privacy that fast and what people make public about themself. Hopefully some people will change their mind about privacy and all after they read that. Will they? Maybe there’s something like hope out there… 😛

September 5, 2007

About third party packages in hosted CMS’s

Filed under: joomla,webapplications — admin @ 2:26 pm

Recently we had an incident on one of our PHP-Hosting servers and everyone could learn once again a bit more about security and how important it is to track all the software-versions installed on a server. However first we want to post some facts:

  1. One Joomla website defaced
  2. No other hosted websites affected, nor spied
  3. Defacement could have been avoided
  4. Nothing more happened, but everyone has to learn something

Turkish script kiddies defaced a little Joomla website hosted by us and called them self the bloodiest terror group :P. Unfortunately none of our administrators was near a computer and the Joomla users simply replaced the defaced index.php with an original one. However the defacement happened again and again and it was obvious that this is very nasty. Finally when someone of us could have a look at the site, we saw that we have done a mistake from our side which made the Joomla installation completely writable by the web server. This is very bad from our side, as we try to avoid such setups in normal and try to restrict write permission per default to a minimum. However nobody is perfect, so such things might happen and it is important that everyone using our systems is also watching on our fingers. So we fixed these settings and thought that it is done with that.

Unfortunately one week later the defacement happened again and this time not the index.php was replaces by their ridiculous statement: the whole configuration.php (Joomla configuration file) was overwritten. But why was it still writable? Well CMS’s are normally chosen because they are nice and simple to use. And therefore their configurations files have often to be writable by the web server. This is a severe security fact, however most user want this as they don’t want to upload the configuration every time by ftp. This was why we had enabled that overwriting of the configuration.php is possible.

So we restored the configuration.php (as it was completely overwritten with the defacement) changed the MySQL password (as this is normally in the configuration file and was accessible therefore by the script kiddies, however we don’t think they were interested in that) and locked from now on for security reasons every configuration.php on our host to be overwritten by the web server. Just a little side note on that: Normally when we setup a new Joomla-Site, we told the people that currently the configuration.php is writable and for security reasons they should tell us when they finished with configuration don’t need to change it anymore, so we can lock it. However less than 10 percents of the Joomla users told us in the past to lock the configuration.php. :-/ So now every configuration.php is locked per default and we learned that we have to insist more on this issue.

After restoring the page we could then examine how the page was defaced. While searching for actual possibilities to deface Joomla websites, we found a posting which lead us to some issues with a third-party gallery module. So we found out that there was exploit publicly posted in the mid of July and a fix for this exploit 1 day later (FOSS rules!). So we examined more about this exploit and found out that exactly this was used to upload some php-script which contained some kind of a web-shell. A so called swiss-army-web-knife in php. This shell then could be used to step through all folders of the installation and edit any files which were writable by the web server (index.php and configuration.php). However due to our open_basedir restrictions they could not access any other folders on our server than the application’s one. Yes we know that there are possibilities for advanced white and black hats to walk around this restriction however for these script kiddies it did its job. 🙂

They uploaded as well other php scripts as well some Perl scripts which could have been used to run some irc-bots and which could have been used to attack as well other servers from our server. However they were completely unusable on our servers, as our (we hope) secure setup avoided them to be executed.

So finally we removed all the uploaded scripts, patched the third party module with the update available since a month, informed the Joomla-users about our examination and since then their site wasn’t defaced anymore. So we all could learn once again some stuff about security:

  1. Security can not be delegated, everyone is responsible for it
  2. Nobody is perfect, everyone can make mistakes which lead to security issues
  3. Tracking the version of your current installed software, modules etc. is important! If the update would have been installed the site would have never got defaced
  4. Hosters can (but this is already very hard and a lot to do) only watch the versions of the main application, but they can not automatically know which third party modules you install nor they can track the versions. The best thing is that you look on yourself that your application is uptodate
  5. A safe setup can avoid of much more damage. (Access all the other setups etc.)
  6. Security gives a lot to do!

Therefor we want once again to remind you to:

  1. not delegate security to us…
  2. track the versions of your installed software…
  3. be aware of security issues, harden your application and work with us together to make our hosting a more secure place


July 22, 2007

give mod_security a try

Filed under: apache,mod_security,webapplications — admin @ 6:08 pm

We recently installed and activated Mod Security on our PHP and Perl Hosts. It seems to be a resonable tool to have attackers as well spammers (and this seems to be the most interesting part) away from your webapplication. However it needs a certain configuration and continous monitoring and might break your web application as there might be valid requests which will match agains the regular expressions of the tools.

So it might be good to start with it on only certain vhosts and the customizing the rule sets. You can as well define the rules for each vhosts, as well maybe adding specific rules.

Note to hosted sites: it might be that your site now breaks. 🙁 We could not test everything however we tried to monitor the servers a bit and figure out problems.

For installation notes, as well further infos, have a look on our wiki-page. Would be nice if other people contribute some infos: http://www.immerda.ch/index.php/Mod_Security

June 18, 2007

having fun with postgresql

Filed under: Uncategorized — admin @ 12:41 am

someone pointed me to a nice article, which is about to have fun with postgresql.

the document describes some common weak settings of a postgresql setup, as well how it can be exploited. this is mainly due to the fact of the weak authentication setting in the default config of postgresql, which allows local user to be just authenticated agains the database. however you can use this to get higher access to the database by some remote views. as well some other well known attacks are described.

however what is important, is the conclusion how to avoid such attacks and this is mainly done by removing the insecure local connection authentication setting.

June 12, 2007

safari on windows? apple’s nightmare…

Filed under: browser,safari — admin @ 6:04 pm

Apple announced their Webbrowser now publicly available for beta testing. Some people downloaded it and it took them 2 hours to get a serious security hole which lets safari executing any program you’d like to. 🙂

However other people found in one afternoon 6 bugs, 4 of them are DOS and 2 are remote code execution bugs. Even better 🙂

And Heise.de testet the browser on the usability as well, there satetement:

Even if you are interested in trying it out, wait it’s not yet worth to test it…

Fefe is even commenting that people should stop thinking that Apple is developing trustworthy software. So no big thing that apple’s stock is dropping… 😉 So apple’s nightmare just started, however let’s give them a chance to improve their stuff…


June 11, 2007

The world of surveillance

Filed under: privacy,society,surveillance — admin @ 4:05 pm

Spiegel Online, a online portal of a german magazin, has some interesting article about a flash animation, which discusses today surveillance problematic.
The flash animation is really done nicely and argues also very good towards the common arguments pro surveillance:

If i don’t do anything illegal, i don’t have to care about any repression… bla bla bla 😉

So surveillance is for sure against a free society and never good for a development of a healthy discussion culture!

« Previous PageNext Page »
Proudly powered by wordpress 4.9.8 - Theme by neuro