thrtcl spr-mstrbtn!

I’m done with this blog. The archive will stay here for other purpose.

It doesn’t mean that I hate blog. I just don’t like the way it handles my articles. Wiki is good to fill my needs.

Will redirect you to my other page in 5 seconds. Or… just go to http://jim.geovedi.com/

Just came back from holiday and reviewed apache logfile on my homeserver, I noticed that there are some wacky lines in access_log:

200.217.***.*** - - [11/Feb/2005:15:47:15 +0700]
"GET /cgi-bin/awstats.pl?configdir=|echo%20;
echo%20;id;echo%20;echo| HTTP/1.0" 404 287
200.217.***.*** - - [11/Feb/2005:15:47:45 +0700]
"GET /awstats/awstats.pl?configdir=|echo%20;
echo%20;id;echo%20;echo| HTTP/1.0" 404 287

After 2 minutes googling, I found a reference to the AWSTATS exploit. Looks like versions of awstats 6.2 and lower are vulnerable, version 6.3 has the fix.

More googling results mention that Infecktion Group claimed credit for many web defacements related to this awstats vulnerability and has reported over 400 such defacements, though it is unclear how many and whether the same attack vector was utilized.

Probably due to Santy worm, Google filtering some keywords.

But, it seems that Google guys are just searching for predefined strings…not so smart! inurl: admin.php [Blocked], inurl: admin.PHP [Pass], inurl:”admin php” [Pass], anything different than .php (for example: .pHp) will work..

The Higher Regional Court now has ruled that blocking email by content is unlawful as it is considered confidential in German law. Blocking is only allowed when, say, a viral attack is imminent. The implications of the ruling aren’t yet fully clear. Whether the Higher Regional Court has unintentionally legalised spam (which frequently is filtered by content) remains to be seen.

On Tue, 18 Jan 2005 14:31:39 EST, “Sigmon Cheri Y Civ 82 CSS/SCPD :: Software Dev” said:

Item: The “ongoing” debate among choices of open source vs. proprietary (all companies’) solutions, not just the major players in the industry.

I’m certain you’ve seen similar situations… where there are groups of people who are very opinionated one way or the other. My concern is the best solution(s) security-wise, regardless of the source. Any comments? From a broad-brush perspective?

Define “best”.

Most secure, no matter *how* hard it is to use? There’s some pretty bad-ass MLS systems available - and they’re often a royal pain to *do* anything (because you keep finding you can’t easily get around some compartmentalization feature that’s intentionally getting in your way). This one’s easy. Turn it off, encase it in a large concrete block, and dump it into the Marianas Trench. Quite secure, but not very useful. (Apply some thermite along the way if you’re *really* paranoid).
.
:
Remember that security is a process, and a balancing act. Let’s say your security budget is S, the cost of an incident is C, and the likelyhood of an incident is P. If you can make S = C*P, you have perfect security (if S is greater, you’re spending too much, and if S is lower, you could still save money by increasing S). Those of you who want to model multiple events and costs can generalize it to a summation across all C(sub n)*P(sub n).

The really mathematically astute will realize that (a) if you’re bothering with the summation, the function quite possibly has multiple local maximums and minimums, and (b) the exact location and value of said inflection points of the curve depend on coefficients that are basically non-measurable, and you’re left making educated guesses (”What’s the % chance per year of compromise of a fully patched Windows box with an idiot user, and the %chance for a box that’s missing some patches, but has a user who doesn’t click on every “ooh shiny?” and the ever-favorite “What’s the least costly (money, people time, political brownie points) way to convince a particular Very Important Butthead to buy in to a specific proposal, or should we just punt and do things some way that V. Butthead will go along with?”)
.
:
Read more at SecProg@SecurityFocus.com.

[Sidebar: Fill Your Jump Bag]

A “jump bag” is a collection of critical items you might need during crisis response when an attacker invades your network. It should contain these items:

• Tape recorder or minidisk
• Backup media
• Binary backup software
• CDs with statically linked binaries of critical OS executables
• Forensic software
• Windows NT and 2000 resource kits
• Bootable CD-ROMs
• USB token memory device
• External hard drive
• Small hub
• Patch cables
• Laptop with dual operating system capability
• Call list and cell phone
• Plastic baggies for handling evidence
• Extra notebooks for taking notes

A jump bag is not only needed when an attacker invades my network but for any critical situation — for example, when one partition in my fiance’s hard drive crashed few days ago and she has many imporant data for almost 18GB.

At that time, I have no tools in hand, so approx. I took 3 hours to recovery the data (~45 minutes spent to search the proper recovery software). After that incident, I realize how important having a jump bag and thinking to have one near future.

Several kernel level bounds checking vulnerabilities were found during an audit performed by Immunity team on the recent Darwin kernel xnu­517.7.7. These vulnerabilities are mostly in user to kernel memory copy operations and also allocation of kernel memory driven by user supplied size value(s).

Well, they also put the an interersting bug on at(1). Actually, i still wondering how someone can use the advantage of /etc/master.passwd in multi-user mode. The /etc/master.passwd is consulted when the system is running in single-user mode. At other times this information is handled by lookupd. By default, lookupd gets information from NetInfo, so this file will not be consulted unless someone have changed lookupd’s configuration.

BTW, Mac OS X 10.3.7 is still using buggy version of sudo. Last week I received a mail reply from Apple Product Security Team, they said my information has been passed along to their engineering team for further analysis.

Starting today until January 14, 2005, I’ll be in BS7799 Lead Auditor Course organized by Bellua — in association with Bureau Veritas, at Gran Melia Hotel, Jakarta. The course is intended for all those who wish to undertake and eventually lead audits of Information Security Management Systems. It is also useful for those interested in implementation of BS7799. It is essential for those wishing to register with IRCA as an ISMS Auditor.

Honeynet Project just released a report about the security of Linux. The life expectancy of Linux has lengthened dramatically since 2001 and 2002, the project said, from a mere 72 hours two and three years ago to an average of three months today.

Why? There are several explanations for that:

1. Default installation of Linux distributions are becoming harder to compromise.
2. The primary threat is changing from machine-focused to human-focused.
3. Based purely on economies of scale, attackers are targeting Win32 based system and their users.
4. Windows, through piracy and low-cost ditributions in developing countries (such as China), has increased market penetration.

The FBI is warning that fraudsters are using internet scams in the aftermath of the Asian tsunami disaster. The agency is warning of phishing websites claiming to be for relief charities, and emails offering to find victims for a fee or requesting that money be deposited in overseas accounts. Perhaps most appalling, those who have appealed online for information about missing friends and relatives are being contacted via email by opportunists proposing to investigate, in exchange for a hefty retainer.

Related stories:

• The Register, Tsunami relief donors under cyber-attack, says FBI
• vnunetwork, FBI warns of tsunami email scams
• vnunetwork, Phishing attacks increase by 29 per cent