LogChaos – Challenges and Opportunities of Security Log Standardization
Oct 28, 2009 Security Tutorial
More Scriptkiddies poking at WordPress
Oct 21, 2009 Security News
The scriptkiddies have again launched their Super Sad SQL Injection Cannon of Crud (TM) at my site. I was alerted by my systems that the following attacks were detected and blocked:
- UNION SELECT CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)) FROM wp_users where id=1/*
- UNION SELECT null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null FROM wp_users where id=1/*
If anyone is interested, I will pass along the offending IPs for your blocklists.
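As an added illustration, and not code from this post, here is a small Python scanner that spots this style of UNION/CONCAT probe in web-server access logs and collects the source addresses for a blocklist. The log lines are constructed samples modelled on the two probes above (documentation IPs, not real traffic); the signature set and the two-signature threshold are my own choices.

```python
import re
from urllib.parse import unquote_plus

# Structural signatures of the UNION/CONCAT probe quoted above.  Matching on
# several pieces rather than the exact string survives the usual variations
# (different column counts, "null" padding, mixed case, URL encoding).
SQLI_SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b")),
    ("concat_call", re.compile(r"\bconcat\s*\(")),
    ("char_call", re.compile(r"\bchar\s*\(\s*\d+")),
    ("wp_users_table", re.compile(r"\bfrom\s+wp_users\b")),
    ("comment_tail", re.compile(r"/\*")),
]

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def normalize(path):
    # Decode twice so single- and double-encoded probes look the same; decoding
    # a plain string is a no-op, so this is harmless for ordinary requests.
    return unquote_plus(unquote_plus(path)).lower()


def score_request(path):
    """Return the names of the signatures that match a request path."""
    decoded = normalize(path)
    return [name for name, rx in SQLI_SIGNATURES if rx.search(decoded)]


def scan_log(lines, min_hits=2):
    """Return one finding per request that triggers at least min_hits signatures.

    Requiring two or more signatures keeps a site search for the words
    'union select' from being reported as an attack.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        hits = score_request(m.group("path"))
        if len(hits) >= min_hits:
            findings.append({"ip": m.group("ip"), "path": m.group("path"),
                             "status": m.group("status"), "hits": hits})
    return findings


def offending_ips(findings):
    """Sorted, de-duplicated source addresses, ready to hand to a blocklist."""
    return sorted({f["ip"] for f in findings})


# Constructed sample log (documentation IPs, not real traffic), modelled on the
# two probes quoted in the post plus two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Oct/2009:10:02:11 +0000] "GET /?p=1%20UNION%20SELECT%20CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))%20FROM%20wp_users%20where%20id=1/* HTTP/1.1" 403 512',
    '198.51.100.23 - - [21/Oct/2009:10:02:14 +0000] "GET /?p=1%20UNION%20SELECT%20null,CONCAT(666,CHAR(58),user_pass,CHAR(58)),null,null,null%20FROM%20wp_users%20where%20id=1/* HTTP/1.1" 403 512',
    '192.0.2.10 - - [21/Oct/2009:10:05:00 +0000] "GET /2009/10/wordpress-hardening-release/ HTTP/1.1" 200 8841',
    '192.0.2.10 - - [21/Oct/2009:10:05:09 +0000] "GET /?s=union+select+debate HTTP/1.1" 200 4102',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], ", ".join(f["hits"]))
    print("blocklist candidates:", offending_ips(found))
```

The fourth sample line is the reason for the threshold: a visitor searching the blog for "union select" hits one signature and is ignored, while the real probes hit all five.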
WordPress Hardening Release
Oct 21, 2009 Security News
In preparation for version 2.9, WordPress has back-ported some of their bugfixes and security hardening to the 2.8 branch with the release of 2.8.5.
The headline changes in this release are:
- A fix for the Trackback Denial-of-Service attack that is currently being seen.
- Removal of areas within the code where php code in variables was evaluated.
- Switched the file upload functionality to be whitelisted for all users including Admins.
- Retiring of the two importers of Tag data from old plugins.
It is advisable for all users to upgrade to 2.8.5 to benefit from all of the behind-the-scenes changes, which should go a long way toward making WordPress more secure. Also mentioned is a handy plugin called the WordPress Exploit Scanner. This plugin searches the files on your website, your posts, and the comments table of your database looking for anything suspicious.
Read all about it here.
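The whitelist change in that list is worth seeing in code. The following Python is an added example of mine, not WordPress code: it puts a blacklist-style extension check next to a whitelist check and runs both over a set of constructed file names, including the usual tricks that slip past a blacklist. The allowed-type table and the base-name rule are assumptions for the example.

```python
import os
import re

# Extensions a blog upload handler should accept, with the MIME type to serve
# them as.  Constructed for this example; it is not WordPress's own table.
ALLOWED_TYPES = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
    "pdf": "application/pdf",
    "txt": "text/plain",
}

# The blacklist approach, kept only to show where it breaks.
BLOCKED_EXTENSIONS = {"php", "phtml", "php3", "exe"}

SAFE_BASENAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def blacklist_check(filename):
    """Old-style check: refuse only if the final extension is on the block list."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def whitelist_check(filename):
    """Whitelist check.  Returns (allowed, safe_name, mime).

    Design choices: strip any directory part, require exactly one extension
    (Apache's mod_mime evaluates every dot-separated suffix, so 'x.php.jpg' is
    not safely 'a jpg'), restrict the base name to a plain character set, and
    accept only extensions listed in ALLOWED_TYPES.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    if name.count(".") != 1:
        return False, None, None
    base, ext = name.split(".")
    if not SAFE_BASENAME.fullmatch(base):
        return False, None, None
    mime = ALLOWED_TYPES.get(ext.lower())
    if mime is None:
        return False, None, None
    return True, f"{base}.{ext.lower()}", mime


def compare(filenames):
    """Side-by-side verdicts for a list of names; flags names a blacklist lets through."""
    rows = []
    for fn in filenames:
        bl = blacklist_check(fn)
        wl, safe, mime = whitelist_check(fn)
        rows.append({"name": fn, "blacklist_allows": bl, "whitelist_allows": wl,
                     "safe_name": safe, "mime": mime, "blacklist_miss": bl and not wl})
    return rows


# Constructed test names; the last four are the classic ways past a blacklist.
SAMPLE_NAMES = [
    "photo.jpg",
    "notes.TXT",
    "shell.php",
    "shell.PHP5",            # variant extension not on the block list
    "shell.php.jpg",         # double extension
    "shell.php\x00.jpg",     # embedded null byte
    "../../wp-config.txt",   # directory traversal in the name
]

if __name__ == "__main__":
    for row in compare(SAMPLE_NAMES):
        print(f"{row['name']!r:28} blacklist={row['blacklist_allows']!s:5} "
              f"whitelist={row['whitelist_allows']!s:5} miss={row['blacklist_miss']}")
```

The traversal case is allowed by the whitelist but only under its sanitized name, which is the point: the check decides what the stored name will be rather than trusting the one supplied.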
New “SSL” Spam trying to spread Malware
Oct 14, 2009 Security Events, Security News
I, and others, have been receiving spam messages that claim to be from the “System Administrator” advising people to go to a linked URL that tries to spoof the target's domain somewhat to make it more credible. Mine looked like this (edited slightly for privacy):
Attention!
On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all. http://updates.<mysite>.com.secure.admin-data.net/ssl/id=731758587-admin@<mysite>.com-patch66701.aspx
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator
Seems that these links direct victims to a site that then installs some nastiness on their PCs:
Threat characteristics of ZBot – a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
(see the entire ThreatExpert report here).
When is the Windows-based malware insanity going to stop? This, folks, is why I have used Linux for my computing needs for the past five years. Brian Krebs at the Washington Post agrees. Anti-virus/anti-malware/personal firewall/PC-prophylactics are not going to stop this kind of thing from happening, so catch the clue-train now and go download a nice Linux distro for your home computer.
Amazon Web Services Security — Part One
Oct 13, 2009 Review
After reading about the Cloud Services FAIL over at T-Mobile/Sidekick, I wanted to dig into Amazon’s Web Services (S3, EC2, etc.), which I use, to see what they say about the security in place. Here are some interesting bits:
Network Security
The AWS network provides significant protection against traditional network security issues and the customer can implement further protection. The following are a few examples:
Distributed Denial Of Service (DDoS) Attacks: AWS Application Programming Interface (API) endpoints are hosted on large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world’s largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, Amazon’s networks are multi-homed across a number of providers to achieve Internet access diversity.
Man In the Middle (MITM) Attacks: All of the AWS APIs are available via SSL-protected endpoints which provide server authentication. Amazon EC2 AMIs automatically generate new SSH host certificates on first boot and log them to the instance’s console. Customers can then use the secure APIs to call the console and access the host certificates before logging into the instance for the first time. Customers are encouraged to use SSL for all of their interactions with AWS.
IP Spoofing: Amazon EC2 instances cannot send spoofed network traffic. The Amazon-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
Port Scanning: Port scans by Amazon EC2 customers are a violation of the Amazon EC2 Acceptable Use Policy (AUP). Violations of the AUP are taken seriously, and every reported violation is investigated. Customers can report suspected abuse via the contacts available here: http://aws.amazon.com/contact-us/report-abuse/ When port scanning is detected it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed, and are only opened by the customer. The customer’s strict management of security groups can further mitigate the threat of port scans. If the customer configures the security group to allow traffic from any source to a specific port, then that specific port will be vulnerable to a port scan. In these cases, the customer must use appropriate security measures to protect listening services that may be essential to their application from being discovered by an unauthorized port scan. For example, a web server must clearly have port 80 (HTTP) open to the world, and the administrator of this server is responsible for ensuring the security of the HTTP server software, such as Apache.
Packet sniffing by other tenants: It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer, located on the same physical host, cannot listen to each other’s traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another’s data, as a standard practice customers should encrypt sensitive traffic.
This is good stuff. It is more than you can expect from most dedicated hosting datacenters. I believe that these measures actually make virtualized/cloud environments more manageable from a security standpoint than a bunch of cheap Intel-based physical boxes connected to the Internet with only border security and the client’s knowledge to keep them safe. Next time I will take a look at another area of security where I believe AWS are doing things right.
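The quoted text puts the burden of "strict management of security groups" on the customer, so here is what that management can look like as a check. This is an added Python example of mine, not Amazon's tooling: it walks a set of inbound rules and flags exactly what the passage warns about, a port opened to any source that is not one of the service's public ports, or a catch-all rule. The rule dictionaries and their field names are a constructed stand-in for what the EC2 API returns, and the public-port set and the "broad range" cutoff are assumptions for a plain web server.

```python
import ipaddress

# Ports a public web server is expected to expose to everyone.  Assumption for
# this example; adjust per service.
PUBLIC_PORTS = {80, 443}

# How many ports one rule may span before it counts as over-broad, even when
# the source is a private range.  Also an assumption.
BROAD_RANGE = 1000


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. 'any source'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_findings(group, rule):
    """Findings for one inbound rule as (group, severity, message) tuples."""
    proto, lo, hi, cidr = rule["proto"], rule["from_port"], rule["to_port"], rule["cidr"]
    world = is_world_open(cidr)
    # "-1" stands for all protocols in the constructed rule format; a full
    # 0-65535 TCP/UDP span is treated the same way.
    all_ports = proto == "-1" or (lo, hi) == (0, 65535)
    out = []
    if world and all_ports:
        out.append((group, "high", f"all traffic from any source ({cidr})"))
    elif world:
        exposed = sorted(set(range(lo, hi + 1)) - PUBLIC_PORTS)
        if exposed:
            span = str(exposed[0]) if len(exposed) == 1 else f"{exposed[0]}-{exposed[-1]}"
            out.append((group, "high", f"{proto} port(s) {span} open to any source"))
    elif all_ports or hi - lo >= BROAD_RANGE:
        out.append((group, "medium", f"broad rule {proto} {lo}-{hi} from {cidr}"))
    return out


def audit(groups):
    """Run rule_findings over every rule of every group."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            findings.extend(rule_findings(name, rule))
    return findings


# Constructed inbound rule sets (hypothetical field names, documentation IPs).
SECURITY_GROUPS = {
    "web-tier": [
        {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "198.51.100.0/24"},
    ],
    "db-tier": [
        {"proto": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "10.0.0.0/8"},
    ],
    "admin": [
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
        {"proto": "-1", "from_port": -1, "to_port": -1, "cidr": "0.0.0.0/0"},
    ],
}

if __name__ == "__main__":
    for group, severity, message in audit(SECURITY_GROUPS):
        print(f"[{severity}] {group}: {message}")
```

The web tier passes clean because its world-open ports are the two it is meant to serve, and SSH is limited to one office range; the database and admin groups are the ones the quoted advice is aimed at.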