Tuesday, June 27, 2006

AppleWebKit - Exploit

This is not good:

DR001 : AppleWebKit XMLHttpRequest arbitrary file disclosure vulnerability
Discovered 2005-02-13
Published 2005-04-16
Discoverer David Remahl
CVE IDs CAN-2005-0976

XMLHttpRequest is a JavaScript component that allows scripts to perform http queries and read their result. The attack described herein requires that the attacker has the ability to place an HTML file on the victim's system and predict its path. By exploiting AppleWebKit's special treatment of XMLHttpRequest when running from a file: document, the attacker can gain read access to any file on the system with a known path that the user running the browser has access to.

Apple WebKit

Monday, June 26, 2006

SSL Server - Weak Encryption Vulnerability

You may want to ensure that your server is configured to disallow weak encryption. The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. If the server accepts low-strength ciphers, an attacker who can capture the traffic may be able to decrypt the secured communications without authorization.

SSL encryption ciphers are classified based on encryption key length:

HIGH - key length larger than 128 bits
MEDIUM - key length equal to 128 bits
LOW - key length smaller than 128 bits

Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security. Messages encrypted with LOW encryption ciphers are easy to decrypt.

Although weak cipher support may be present at the SSL layer, some servers implement additional protection at the data layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow the cipher negotiation to complete but then send back an error message and abort further communication on the secure channel. The vulnerability may not be exploitable in such configurations.

Here's how to disable low encryption ciphers on some common web servers. Note that these strings are 2006 vintage: SSLv3, RC4 and 3DES, which they still allow, have each been broken since (SSLv3 by POODLE, RC4 per RFC 7465, 3DES by Sweet32) and should be disabled as well.

Apache

Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):

SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Tomcat
sslProtocol="SSLv3" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
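As an added example (it is not from the original post, nor from the scanner advisory or Apache), the following Python script asks the local OpenSSL, through the standard ssl module, to expand a cipher string and buckets each suite by the HIGH/MEDIUM/LOW thresholds above; probe_server then handshakes with a live server one strength class at a time. The MOD_SSL_STRING constant is the Apache string quoted above; the host and port given to probe_server are assumed inputs.

```python
"""Classify an OpenSSL cipher string and probe a server for weak suites.

Added example for this post; it is not the scanner's or Apache's code.
Only the standard library is used: the local OpenSSL expands the cipher
string, so results reflect the suites *this* OpenSSL build can offer.
"""
import socket
import ssl

# The mod_ssl string quoted in the post.
MOD_SSL_STRING = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"


def classify_bits(bits):
    """Bucket a suite by symmetric key strength, using the post's thresholds."""
    if bits > 128:
        return "HIGH"
    if bits == 128:
        return "MEDIUM"
    return "LOW"


def expand_cipher_string(cipher_string):
    """Return [(name, protocol, strength_bits, class)] for every suite the string enables.

    A string that selects nothing (OpenSSL >= 1.1.0 ships no LOW or EXPORT
    suites, so "LOW" and "EXP" are examples) yields [] rather than raising.
    TLS 1.3 suites are governed by a separate list and are always present.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [
        (c["name"], c["protocol"], c["strength_bits"], classify_bits(c["strength_bits"]))
        for c in ctx.get_ciphers()
    ]


def weak_suites(cipher_string):
    """Names of suites the string still allows that fall in the post's LOW class."""
    return [name for name, _proto, bits, cls in expand_cipher_string(cipher_string) if cls == "LOW"]


def probe_server(host, port=443, classes=("LOW", "EXP", "MEDIUM", "HIGH"), timeout=5.0):
    """Handshake with only one strength class offered at a time.

    Returns {class: negotiated cipher name or None}. A name under "LOW" or
    "EXP" is the finding the post describes. TLS is capped at 1.2 because
    set_ciphers() does not restrict TLS 1.3, which would otherwise succeed
    regardless of the class. Certificate checks are disabled on purpose: the
    question is what the server negotiates, not who it is.
    """
    results = {}
    for cls in classes:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(cls)
        except ssl.SSLError:
            results[cls] = None  # this OpenSSL cannot even offer the class
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[cls] = tls.cipher()[0]
        except (OSError, ssl.SSLError):
            results[cls] = None  # server refused every suite in the class
    return results


if __name__ == "__main__":
    for name, proto, bits, cls in expand_cipher_string(MOD_SSL_STRING):
        print(f"{cls:6} {bits:4} {proto:7} {name}")
    print("LOW suites still allowed:", weak_suites(MOD_SSL_STRING) or "none")
```

Run it as a script to see what the mod_ssl string enables on your build. Two caveats matter in practice: an OpenSSL of 1.1.0 or later ships no LOW or EXPORT suites at all, so from such a client the "LOW" and "EXP" probes can only report None and a full audit needs a scanner with its own TLS stack; and the string may still admit DES-CBC3-SHA, which OpenSSL reports at 112 strength bits and which the post's own rule therefore files under LOW, so add !3DES if you use this string today.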

Web Sense

Isn't it nice of Web Sense to check out the app that I've been having all the security problems with - what my whole blog is about? Web Sense is some sort of security monitoring service I guess. You can check out their web site:

Web Sense

But wait, how is it that they are going straight to a result page, with no referrer? That would pretty much mean that they are posting data straight to my page from their location or some invalid source page...wouldn't it? And why are requests coming from different machines with different operating systems? Perhaps some kind of proxy.

And why would they be looking at the site at 2 a.m.?

winhttp autoproxy service - Security Issue?

When I changed an app to run under a non-windows administrator account (as it should have been in the first place but that was explained two posts ago) someone was somehow trying to start the winhttp autoproxy service about 15 times. The only thing running under this user name was my web app. Therefore I must assume someone has hacked my application somehow and was trying to fire up the service.

I am using Jboss and about to switch to another platform because I am nervous about so many functions in Jboss that it actually creates a myriad of security holes. Because I have written an optimized application I don't need all that functionality and will opt for a lighter application to serve up the pages.

Aha! You say - but it could be a cross site scripting attack and that will affect you no matter what web server you are using. True, but my whole application and all forms run on one underlying form processing functionality and all database calls are checked to be sql safe in this process.

True, I could have missed something and I already have further enhancements planned, but the less convoluted your system is and the fewer "things" you have running, the less chance there is of a security breach. You just eliminate additional possibilities.

I feel a new post coming on related to system convolusion (is that a word?) ...stay tuned...

Sunday, June 25, 2006

www.whois.sc - publishing your system info

Take a look at domains in www.whois.sc and you will find that they not only publish information about the site, but also the OS on which the site is running, the web server, version numbers - everything. It doesn't seem to me that they should be publishing this information without explicit permission from the web site owners. Once someone knows what operating system you run and the software you are running on it they are able to eliminate a great deal of work in the number of exploits they have to try to get a result. They can go for blood out of the gate for holes in those known types of software.

Oh and by the way now your system information is searchable, making it easier for hackers to find all the sites that run PHP for instance...

If I were you, I would recommend that you request removal from this database:
Hacker Info

Of course they provide no way to contact them on their web site without creating an account. Isn't that lovely. Therefore I looked up the DNS records and drilled down first using the whois on DNSStuff.com which led me to this address:

hostmaster@ascern.com

However if you look up the domain name records using the DNS Lookup Tool on the right side of the screen you get:


cluster.nameintel.com. A IN 300 66.249.4.251
nameintel.com. NS IN 86400 ns1.dnscloud.com.
nameintel.com. NS IN 86400 ns2.dnscloud.com.
ns1.dnscloud.com. A IN 3600 209.59.193.17
ns2.dnscloud.com. A IN 3600 64.246.165.245

The contact for this particular set of domain records is:

Domain name: NAMEINTEL.COM

Registrant, Administrative, Technical Contact:

Name Intelligence, Inc.
12806 SE 22nd PL
Bellevue, WA 98005
By phone: 206-838-9035
By email: port43@nameintel.com

Status: Registrar-Lock

Name Servers:
ns1.dnscloud.com
ns2.dnscloud.com

You can also contact the higher level network that supports them here:
Fiber Cloud

Hmm I wonder if they like this being published?

Security Tools

My hosting company just informed me that Sysinternals.com is a good and trusted source for security tools. Of course you must validate everything you download and run it first in a test environment before production, but they seem to think this is a trusted source. Visit the web site for more information on Security Tools.

Top 10 code security tips - from Microsoft

Microsoft published the following top 10 list for secure code including authenticating user input, preventing cross site scripting, buffer overruns and sql injection attacks. Web Application Code Security Tips

Sending Spam Complaints - Foreign Languages

Here's a page that tells how to send spam / abuse complaints in foreign languages - including China - as they say.

Sending Spam Complaints - Foreign Languages

I have no idea if these are legitimate...

Qualys - Vulnerability Management

Here is a company that offers protection for e-commerce infrastructure. They offer a Free 14 Day trial of their Vulnerability Management Tool. They are working with some big name e-commerce companies.

Thursday, June 22, 2006

Strong Authentication - Secure Application Login

Here's an article on various types of secure login procedures. Interestingly enough the article ends with information on the time it takes help desks to retrieve lost passwords. Yes, security has a price. That point has been brought up many times in previous posts.

Password Security

Tuesday, June 20, 2006

Security Scan for a Windows Server: Microsoft Baseline Security Analyzer

Run Microsoft Baseline Security Analyzer on your machine to find things that may be insecure on a Windows Server:

Secure Windows Server

Sunday, June 11, 2006

Is your OS Detectable by Hackers?

You may want to check this out to make sure your OS is not detectable by hackers. Being able to detect the operating system...one step closer to knowing what hacks to try...

OS Fingerprinting

Saturday, June 10, 2006

Hacking by SQL Injection

Like cross site scripting (see my previous post on the topic), SQL injection is something web site owners should be aware of. The attacker enters SQL code into a text box on a web site; if the site pastes that text into a database query, the attacker's input becomes part of the query and can be used to read, insert or remove information in the database. Depending on the database and its configuration, a hacker may go further and execute commands on the machine itself.

Here's a good article on the subject:

sql injection
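As an added example (not from this post or the linked article), here is the pattern the paragraph describes, in Python against an in-memory SQLite database: a login check that pastes the text-box contents into the query, beside the parameterized form of the same query. The table, its two rows and the attack strings are constructed for the demo.

```python
"""SQL injection through a login form, and the parameterized fix.

Added example for this post, not code from the linked article. The schema,
the two rows and the attack strings are constructed for the demo; the
in-memory SQLite database stands in for the site's real database.
"""
import sqlite3


def make_db():
    """Build a throwaway users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "hunter2", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Pastes the text-box contents straight into the SQL: the attacker's
    input becomes part of the query, exactly as the post describes."""
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Same query, but the values travel as bound parameters. The database
    never parses them as SQL, so quotes and comment markers are just text."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# Constructed attack strings typed into the "name" box.
BYPASS = "' OR 1=1 --"                            # comments out the password check
DUMP = "' UNION SELECT password FROM users --"  # reads a column the form never shows


if __name__ == "__main__":
    db = make_db()
    print("normal login:  ", login_vulnerable(db, "alice", "correct horse"))
    print("bypass, vuln:  ", login_vulnerable(db, BYPASS, "x"))
    print("dump, vuln:    ", login_vulnerable(db, DUMP, "x"))
    print("bypass, fixed: ", login_safe(db, BYPASS, "x"))
```

SQLite's execute() refuses stacked statements, so a second DELETE statement appended after a semicolon does not run here; the comment marker and the UNION are enough to show that whoever controls the text box controls the query, and that binding parameters removes that control without changing what the query means.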

Friday, June 09, 2006

How Google Can Help Stop Hackers

I just read this article about how Google helps hackers:

Google Helps Hackers

Instead of providing a mechanism to HELP hackers Google could actually help stop hackers by maintaining a list of such hacks and reporting the issue to server owners when possible. For instance instead of allowing these known hacks to get into the Google search results and cache, Google could have an automatic way to look up the domain owner and send a friendly email to those (who wish to get them) to alert them to a potential problem on their network.