Time To Dump Antivirus As Endpoint Protection?

1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware.

via Time To Dump Antivirus As Endpoint Protection? — Dark Reading.

There are some other useful tips in this article as well. I like the above-quoted idea because AV software can be a pretty heavy load on an endpoint, requiring constant maintenance and upgrades. These upgrade cycles in and of themselves pose a security hazard: the more complex a system becomes, the more that can go wrong.

Global WordPress Brute Force Flood

As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence. This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.

via Global WordPress Brute Force Flood | HostGator Web Hosting Blog | Gator Crossing.

This WordPress blog has been receiving these attacks since around the beginning of the year. Getting rid of the admin account is a first step and using strong passwords is a second; I chose to just shut down access from the Internet entirely by disabling the wp-admin directory and wp-login.php access in httpd.conf. That may not be practical for most sites, however. The error logs were getting quiet in the last 3 or 4 weeks, and then this week they’re back up to full speed, blocking IPs from ranges all over the place. It looks like I’m not the only one experiencing this, according to here and here.

Update: From my observations of the logs over these last few months, these bots are hitting the sites very patiently, sometimes once an hour, thus running under the radar of the security plug-ins I tried.

Update II: More links here, here, and from here:

These rules will block access for the offending IP address for 5 minutes upon 10 failed login attempts over a 3 minute duration.

This won’t work. Each IP from these bots may hit you once or twice an hour, so any limit-login plugin won’t detect them at any rate to ban them. You can’t stop this on an IP basis. Since my logs last rotated Sunday morning (almost 6 days ago) I have had 500 different IP addresses hit wp-login.php. They all have been given 403 Forbidden responses, yet they keep coming.
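To make the point concrete, here is an added example (my own illustration, not code from the blog or from any of the linked plugins) that parses Apache combined-format access log lines and compares the two views. The per-IP rule quoted above (10 failures in 3 minutes) never fires against a slow, distributed campaign, while a site-wide view that counts login attempts per hour together with the number of distinct source IPs exposes it immediately. The log lines are constructed for the example; the thresholds in campaign_detected are assumptions to tune for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in Apache combined format (not from the blog's logs).
# Each bot IP hits wp-login.php only once or twice an hour; all get 403s.
SAMPLE_LOG = """\
198.51.100.17 - - [12/Apr/2013:08:03:11 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.44 - - [12/Apr/2013:08:17:42 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.88 - - [12/Apr/2013:08:31:05 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.17 - - [12/Apr/2013:09:02:58 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:09:20:13 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.201 - - [12/Apr/2013:09:44:37 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.120 - - [12/Apr/2013:09:55:01 -0500] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.7 - - [12/Apr/2013:10:05:19 -0500] "GET /2013/04/some-post/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for every parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"], int(m["status"])


def login_attempts(text):
    """Keep only POSTs to wp-login.php, as (ip, timestamp) pairs."""
    return [(ip, ts) for ip, ts, method, path, _ in parse_log(text)
            if method == "POST" and path.startswith("/wp-login.php")]


def ips_over_per_ip_threshold(attempts, limit=10, window=timedelta(minutes=3)):
    """The quoted limit-login rule: flag an IP with `limit` attempts inside `window`."""
    by_ip = defaultdict(list)
    for ip, ts in attempts:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over this IP's attempts
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= limit:
                flagged.add(ip)
                break
    return flagged


def hourly_campaign_view(attempts):
    """Site-wide view: per hour, (total attempts, distinct source IPs)."""
    buckets = defaultdict(lambda: [0, set()])
    for ip, ts in attempts:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[hour][0] += 1
        buckets[hour][1].add(ip)
    return {hour: (count, len(ips)) for hour, (count, ips) in sorted(buckets.items())}


def campaign_detected(attempts, min_attempts=3, min_distinct_ips=3):
    """Hours where many different IPs each contribute a few attempts (assumed thresholds)."""
    return [hour for hour, (count, distinct) in hourly_campaign_view(attempts).items()
            if count >= min_attempts and distinct >= min_distinct_ips]


if __name__ == "__main__":
    attempts = login_attempts(SAMPLE_LOG)
    print("per-IP rule flags:", ips_over_per_ip_threshold(attempts) or "nothing")
    for hour, (count, distinct) in hourly_campaign_view(attempts).items():
        print(f"{hour:%Y-%m-%d %H:00}  attempts={count}  distinct_ips={distinct}")
    print("campaign hours:", [f"{h:%H:00}" for h in campaign_detected(attempts)])
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the useful signal is the ratio of distinct IPs to attempts per hour, which stays near 1 for the distributed campaign the post describes and is exactly what a per-IP ban list cannot see.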

Microsoft: Uninstall Faulty Patch Tuesday Security Update

Microsoft announced last night that it has stopped pushing a security update originally released on Patch Tuesday because the fix is causing some PCs to blue screen. Microsoft recommends users uninstall the patch, which is also causing compatibility issues with some endpoint security software.

via Microsoft: Uninstall Faulty Patch Tuesday Security Update | threatpost.

This is why I always turn automatic updates off on all PCs and update on my own terms and on my own schedule.

Don’t Use Linksys Routers

Today I am publishing 5 Linksys router vulnerabilities so that consumers may be aware of the risks.
linksys vulns.txt

via Don’t Use Linksys Routers « Superevr.

I run a WRT54GL in my network but installed Tomato on it because I never liked the Linksys GUI and wanted to try out Tomato. Here’s his take on the WRT54GL:

1. Linksys WRT54GL Firmware Upload CSRF Vulnerability
I demonstrate Cross-Site File Upload in my BlackHat and AppSec USA talks. If you need more info on the vector itself, check out How to upload arbitrary file contents cross-domain by Kotowicz.

I suspect these kinds of exploits exist in all consumer-grade routers.

Google Uses Reputation To Detect Malicious Downloads

Unlike Microsoft’s solution, CAMP attempts to detect locally whether any downloaded file is malicious, before passing characteristics of the file to its server-based analysis system. First, the system checks the binary against a blacklist–in this case, Google’s Safe Browsing API. If that check returns no positive result and, if the file has the potential to be malicious, CAMP will check a whitelist to see if the binary is a known good file.

via Google Uses Reputation To Detect Malicious Downloads – Dark Reading.

CAMP’s 99-percent success rate trounced four antivirus products, which individually only detected at most 25 percent of the malicious files and collectively detected about 40 percent, the researchers stated.

Sslstrip Tutorial

Description: SSLstrip was released by Moxie to demonstrate the vulnerabilities he spoke about at Blackhat 2009. In this video we will look at how to get started with SSLstrip. We set up 2 VMware machines, one running Windows XP (victim) and the other Backtrack 3 (attacker). Before we actually begin hacking using SSLstrip, we need to set up the entire Man in the Middle mechanism and packet redirection / forwarding mechanism. We do this by using the following commands in sequence:

via Sslstrip Tutorial.

This tool assumes a man-in-the-middle position and that HTTP traffic (port 80) gets redirected to a port sslstrip listens on at the attacker’s machine (port 10000 in this video). Sslstrip then intercepts the victim’s HTTPS traffic and hands the victim plain HTTP in return. The victim, thinking the traffic is encrypted, is transmitting in plain text while sslstrip maintains the SSL session with the victim’s real destination (i.e. the bank). Since the victim’s side of the connection is plain HTTP, no SSL certificate is ever presented for the victim to validate, which is what makes the attack transparent. Detecting it is simple in principle: the browser shows http instead of https in the displayed URL, so an alert victim should notice. But not everyone does.

OAuth – A great way to cripple your API

Even the original social networking sites behind OAuth decided they really need other options for different use-cases, such as Twitter’s xAuth, or Yahoo offering Direct OAuth, which turns the entire scheme into a more complicated version of HTTP Basic Authentication, with no added benefits. Perhaps the most damaging point against OAuth, is that the original designer behind it decided to remove his name from the specification, and is washing his hands clean of it.

via Insane Coding: OAuth – A great way to cripple your API.

First Bitcoin Hedge Fund Launches From Malta

The private key itself is AES-256 encrypted. After exporting Bitcoin private keys from wallet.dat file, data is stored in a TrueCrypt container on three separate flash drives. Using Shamir’s Secret Sharing algorithm, the container password is then split into three parts utilizing a 2-of-3 secret sharing model. Incorporating physical security with electronic security, each flash drive from various manufacturers is duplicated several times and, together with a CD-ROM, those items are vaulted in a bank safety deposit box in three different legal jurisdictions. To leverage geographic distribution as well, each bank stores only part of a key, so if a single deposit box is compromised, no funds are lost.
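The 2-of-3 split quoted above is Shamir’s Secret Sharing: the password is the constant term of a random degree-1 polynomial over a prime field, each share is the polynomial evaluated at a different point, and any two shares recover the constant term by Lagrange interpolation while one share alone reveals nothing. The following is an added example that I wrote to show the mechanics; it is not the fund’s code, and the field prime, the 15-byte password limit and the sample password are my assumptions.

```python
import secrets

# Mersenne prime 2**127 - 1 (assumed choice): large enough to hold a 15-byte secret.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME, via Horner's rule."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret_int, threshold, shares):
    """Return `shares` points (x, y) of a random polynomial whose constant term is the secret."""
    if not 0 <= secret_int < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # threshold-1 random coefficients: fewer than `threshold` points leave the secret undetermined.
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the prime field; needs >= threshold shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_password(password, threshold=2, shares=3):
    """Encode a short container password as an integer and split it 2-of-3 by default."""
    raw = password.encode("utf-8")
    if len(raw) > 15:
        raise ValueError("this toy encoding handles at most 15 bytes")
    return split_secret(int.from_bytes(raw, "big"), threshold, shares)


def recover_password(shares):
    """Inverse of split_password: interpolate, then decode the integer back to text."""
    n = recover_secret(shares)
    return n.to_bytes((n.bit_length() + 7) // 8, "big").decode("utf-8")


if __name__ == "__main__":
    parts = split_password("Tr0ub4dor&3")        # constructed sample password
    for x, y in parts:
        print(f"share {x}: {y:#x}")
    print("from shares 1+2:", recover_password(parts[:2]))
    print("from shares 1+3:", recover_password([parts[0], parts[2]]))
```

Each flash drive in the quoted scheme would carry one (x, y) pair; losing or having one drive stolen costs nothing, since a single point on a line is consistent with every possible constant term. Real deployments use a vetted implementation rather than this sketch, and store the field prime and the share index alongside each share so recovery does not depend on anyone remembering them.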

via First Bitcoin Hedge Fund Launches From Malta – Forbes.

Sharpening Endpoint Security

Endpoints are as hard to define as they are to protect. The term traditionally referred to desktops and laptops, but endpoints now encompass smartphones, tablets, point-of-sale machines, bar code scanners, multifunction printers and practically any other device that connects to the company network. Without a well-conceived strategy, keeping track of and securing these devices is difficult and frustrating.

via Sharpening Endpoint Security – Dark Reading.

Some IT shops buy cleverly marketed products that promise off-the-shelf endpoint security using anti-malware and sandboxing. In most cases, attackers can easily bypass those defenses