2012 the year of internet security growth

So many events in the past year have made internet security the number one focus for everyone here at Global Advanced Media. I am sure people have seen news reports about major hacks and web sites being shut down, but many more smaller businesses have been affected by attacks, and that has changed the primary focus of our SEO team, web design team, and web site hosting team quite a bit over the past year.

I remember the good old days when designers could focus on making new designs and adding original content. Our search engine optimization and search marketing teams focused exclusively on web sites performing well in the search engines. Our web hosting team focused solely on customer service for minor things like email setup. With all the attacks and exploits going around the web, we have learned that security needs to be the primary focus.

There have been several times in the year when we had to pause all projects and focus squarely on fixing hacks, updating security and repairing damage done to sites. Search engine marketing does not work if sites are hacked. Web site hosting is now more focused on recurring backups and checking for exploited files or un-patched scripts. Designers are now forced to think more about securing designs and choosing code that is less likely to fall prey to malicious systems.

All of our teams are now working to instruct people at the various businesses we work with on how to be more proactive about viruses, password security, and more. So far we have been able to recover completely from all the hacking attempts this year, and have made sure our checklist for clients includes strong passwords and systems that double-check backups, as well as keeping a closer eye on updates and intrusion attempts.

Billing clients for the extra work is a challenge, as it is difficult to explain to the average web site owner exactly how important all of these things are, and the amount of time needed varies greatly depending on how many updates are needed each month – but it’s something we are working on.

Anyone who is using WordPress on their web site should seriously consider adding the Limit Login Attempts plugin and the SI CAPTCHA plugin (even if you only enable it on your login page). We also suggest making sure that someone is keeping your WordPress install up to date with the latest version, and making backups in case the newer version breaks current themes or other plugins that are necessary for the functionality of your site.

Of course, backups and updates are recommended for all systems: make sure your anti-virus is up to date or get a new one, and do not ignore updates for Flash and Java either. If one employee at your office ignores these updates, surfs Facebook, and downloads email, that is a recipe for disaster.

I also suggest that everyone test their backups at least once a year, preferably every 3 months. Get a backup computer or server and start from scratch with your backups. Is all of your data safe? Is it all recoverable? How long does it take? You definitely need to know this before you find out the hard way.

Research before buying web software – script security is important

We spend a good deal of time researching software before we buy it, and even then we are at times disappointed with purchases we had hoped would make web sites function better. Whether it’s server-side software for web site add-ons or complete web site scripts, take the time to research the software and the company behind it before you try it.

Over the years we have considered hundreds of scripts and programs. A few of those have proven to be excellent choices, but many are half-baked, don’t do everything you want them to, or, even worse, leave huge security vulnerabilities for you and perhaps the other web sites hosted on your web server. Our most recent consideration is one of those: if the price and feature combination seems too good to be true, maybe it is.

We have been looking for new chat programs to launch as server add-ons for various client web sites, and integration with a forum or membership system is a key piece of functionality that has been requested. After an hour of research we determined that there were 4 programs that seemed to be a good fit for our client, so we decided to dig deeper and see if we could narrow it down.

It would have been easy to just choose the most expensive and well-known solutions, but we try to find options that will save our clients money, and often not every site needs all the full-blown features that the most expensive and well-known companies make available. Looking for more affordable options, we came across a piece of chat software that seemed to have a ton of features at a very fair price. Wondering whether it was perfect for our client or too good to be true, we decided to do further research and see what other people were saying on other web sites.

Searching for the program and company name in Google brought up tons of results, most of them from other places that were offering the program, places like HotScripts and the tons of clones out there; none of these were very helpful as far as finding critiques of the company. After digging a few hundred search results into Google, we started finding security vulnerabilities posted at about a dozen sites. That’s red flag number one – but these could all be fixed in a current release, so we had to spend more time to find out.

More research revealed some posts on a forum where a particular user was complaining that it did not work in his current server / software environment and had received no support whatsoever from the program’s author. Red flag number two, but I looked further, and it appears that the post in question was on a forum for a similar or competing product, so not as trustworthy a review as we would like.

I will be contacting the author of this script to see if they have been aware of and fixed the security issues that have been posted online. I will also be asking for a demo of the product to make sure that it works with the membership system that our client is using. Sure, it says that it works with that particular program, but which version? Do ALL features work? Better to find out before purchasing if possible.

Before purchasing scripts, or even using free scripts found online, it’s best to look around the web and see if you can find any security or support issues with the company. Some web sites to definitely check include:

http://www.us-cert.gov

http://insecure.org/

http://secunia.com/

http://www.securityfocus.com/

http://www.f-secure.com/vulnerabilities/SA32603#

http://www.securitytracker.com/search/search.html

This method of research has saved tons of trouble in previous new business development. While we were working with clients on a new business plan, they were setting everything up based upon a company’s affordable piece of social networking software. It looked good, the demo was decent, the pre-sales support was fast. They put their entire business plan around the use of this product. I can’t remember what it was that led us to a bad forum thread about it, but that thread led us to links that found many more horror stories about the company, and then we realized that particular script would not work, and that too-good-to-be-true price and feature combination was indeed too good to be true.

Lesson learned: even when a demo works and pre-sales support is fast, it does not mean that everything will work as you planned, that you will get the support you expected, or that the program will work as it was advertised.

Keeping a WP site up to date takes some time, but it’s worth it

There are plenty of how-to instructions out there about how to keep your WordPress site secure and keep it from being hacked. For the average user it’s even easier today, as many WP installations have the ability to upgrade with the click of a button from inside the administration dashboard. Sometimes I wait to upgrade when a new version comes out, thinking that a newer version will be available a week or so later; sometimes that bites you in the butt.

The auto-upgrade doesn’t work with all web servers or WP installs. I have several WP sites that I administer in which I have to manually upload all the new files and such. Not a big deal for one site, but having to do that for twenty web sites becomes a bit of time-consuming work, especially if there are plugin upgrades needed. Some of the web servers I maintain have Fantastico installers that are supposed to make upgrading very easy with one click. Unfortunately Fantastico is slow to get the updates out, or the many web hosts I work with are slow to add the Fantastico updates, so at times we wait for weeks to have the latest WP update available with that method. If it’s a major security bug update, then we end up doing all those manually – many more hours spent with repetitious FTP.

This is mainly a rant, and certainly any of the WP gurus out there will just say that I should upgrade my servers to root-access dedicated or VPS – sure, that’d be great, but not in the budget any time soon. Keeping your site secure is important. I suppose my suggestion to people would be to find a host where the one-click upgrade is available, and make backups of your database.

I would love to have one solid, stable version of WP that never needed to be updated, with new features rolled out as optional plugins. There are some new features that may make a manual upgrade worth the time and hassle, but a majority of the new features I can live without; I just want a basic, secure blogging platform.

Facebook and MySpace are not necessarily private space

More people need to be talking about these issues. We’ve brought them up, and often try to educate people we meet every day.
I always ask people about their kids’ online and video game usage, and whether they are aware of these issues, and more. It amazes me how many people are just not aware of them.

From the Tennessean newspaper:

MySpace isn’t private space
Teens’ personal thoughts exposed to all eyes

By VIVI HOANG • Staff Writer • February 17, 2008

Franklin mom May-Ling Weitzman faked a Facebook page, creating an online alter ego with a different age, name and graduation date. Then she searched for her teen daughter’s page.

Her daughter wasn’t fooled by the subterfuge and spotted Weitzman, 48, from a mile off with great amusement. But mom made her point: Web privacy is, essentially, a myth.

Kids these days can, with a touch of a finger, instantly post their thoughts online for all to see. But mix that with youthful impetuousness and the belief that only their friends can see their musings, and it’s a recipe for trouble and very real consequences, from embarrassment to more serious fallout such as failed friendship and missed job opportunities.

Parents can head off that problem by, like Weitzman, seeing what their kids are doing online — stressing that these virtual spaces are extensions of themselves, and to behave accordingly.

“I try to always tell my kids that being online, just because you’re sitting in your living room, it’s not private,” she said. “It’s as if you were in middle of a big city, in the middle of a large square.”

Then there’s the problem of other people’s kids. Coping with a snide comment, rumor-laden blog post or less-than-tasteful photos presents a parental challenge unheard of even 10 years ago.

Solving the problem may be as simple as sitting your teen down for a frank talk.

“They’re young and not realizing any repercussions in the future,” said Melissa Wert, technology integration specialist at Harpeth Hall. “These kids don’t even understand the power they have in their hands to destroy somebody or do harmless, fun, entertaining things.”
What kids are doing online

For the wired generation, pursuing real-world relationships into the cyber-realm by blogging, leaving comments and posting photos and videos comes as natural as breathing.

According to a December report from the Pew Internet & American Life Project, 64 percent of kids ages 12 to 17 who are online are crafting things to go on it.

But teens often treat their personal spaces online as if they’re playgrounds only their friends can enter. Up go their thoughts, their gripes, their photos from that last wild party.

A few years ago when Tammy Nash, a counselor at Martin Luther King Jr. Magnet High School, heard that a student had posted a suicide note online, she checked out the youth’s site. Nash was able to help the teen but remembers being taken aback by some of the sexually provocative passages the student had published in such a public space.

“It’s like a diary,” Nash said. “Some of them are just getting into the shock-jock thing.”

Harpeth Hall sophomore Chelsea Stessel has seen spats flare up over something as innocuous as a boy leaving a flattering comment on a girl’s photo.

Stessel, 16, has staked out cyber real estate since she was in grade school, starting with the kid-centric Neopets and moving on to Xanga, MySpace and finally, Facebook. She’s so aware of the Internet’s influence she’s even joined her school’s chapter of Teenangels, a division of WiredSafety.org that educates parents and youth about online safety and privacy.

“I make sure I don’t post anything anyone would see and get offended by,” she said. “If I have a problem with someone, I deal with it in person or a call.”
Follow the Golden Rule

If everyone played by the rules, or at least the Golden Rule, this would be less of a problem.

Anya Weitzman, 18-year-old daughter of May-Ling Weitzman and a University School of Nashville senior, knows this is wishful thinking: A friend of hers in college skipped a big football game that everyone on her floor went to watch so she could study for an exam.

Schoolmates heckled the friend viciously online for the affront.

“You say a word, and it’s ephemeral, it’s gone,” Anya said, pointing out that conversely, what’s done online can become virtually permanent, easily saved and duplicated.

As far back as 2002, there was the Star Wars Kid, a hapless Quebec teen whose awkward light-saber slashings got leaked to the Internet and viewed by millions. It spawned several mocking remixes, including Matrix and Lord of the Rings versions. So extensive was the humiliation, the 10th grader dropped out of school and finished the semester at a children’s psychiatric ward.

Glencliff High teacher Philip Davis has had numerous conversations with students about how they carry themselves online. He uses analogies like, “Your room is not made of glass — why would you post things online for everyone to see?”

Sites such as Facebook and MySpace allow users to choose how private their profiles are, but teens sometimes aren’t aware or haven’t taken the time to do it, so their profiles remain public by default.

Chris Johnson, 17, a Glencliff senior, had his MySpace page set up by a friend, and didn’t realize he could configure the page to limit who could view it. But he’s savvy enough to censor what goes up on his profile. A photo he might consider harmless fun with his friends might produce far less humorous interpretations from others.

His page is a reflection of who he is, and Johnson wants it to be a positive one.

“These days, parents know how to get on,” he said. “And you don’t want younger kids to see. You want to set an example for them. They follow what you do.”
Many eyes are watching

But in the foggy bliss of youth, sometimes repercussions seem nebulous and far-off.

“They think people aren’t going to see that,” said Michael LoJacono, 17, a USN senior. “There are teachers who have Facebooks. There are a lot of chances for things to happen.”

And people are paying attention.

When Mike Saint, 58, asked while in the car with his 15-year-old daughter Molly, a Harpeth Hall sophomore, whether he should get a Facebook account, she nearly drove off the road.

“She was incredulous,” said Saint, who runs a management consultant firm. “But after a while, she thought it was kind of cool. She helped me set it up.”

He uses his access to Facebook for work but he also finds it is an easy, quick way of keeping up-to-date on what his daughter has going on.

“I used to say there’s nothing meaner in the world than a seventh-grade girl to another seventh-grade girl, whether it’s in person, over the phone, instant messaging or on Facebook,” Saint said. “You hope your children socialize with children whose parents are teaching them right from wrong and good from bad in dealing with other people.”

Molly, also a Teenangel, advises parents to work on an open relationship with children. “Know what your kids are doing. Most kids will let their parents see their Facebook.”

Not just friends and parents are paying attention, but teachers, college admissions counselors and employers. At the Career and Employment Center at Middle Tennessee State University, students are told employers can, and do, access social networking sites to check on prospective employees.

“We have a PowerPoint presentation that actually . . . has four pictures that were gotten off Facebook or MySpace and show students being students — just not very professional,” said center director Bill Fletcher. “What if an employer saw this? Would they want to hire you?”
Parents have options

If you discover inappropriate content related to your child online, you’ve got a few options.

First, if it was your own kid that posted it, use the circumstances as a teaching moment, said Anastasia Goodstein, author of Totally Wired: What Teens and Tweens Are Really Doing Online.

There are paid services like Reputation Defender that search out what information about your family can be found online and then endeavor to remove what’s inaccurate or slanderous.

“But if it is something that goes viral — say, it’s a topless photo of their daughter that was taken without the daughter realizing it was going to be spread around — you can’t do anything,” said Goodstein. “You have to soldier through it.”

Vivi Hoang can be reached at 259-8067 or vhoang@tennessean.com.

Five Most Overlooked Open Source Vulnerabilities Found By Audits

Found via Yahoo News / TechWeb

By Charles Babcock
InformationWeek Tue Jan 22, 5:45 PM ET

After reviewing 300 million lines of code in 2007, Palamida, a vulnerability audit and software risk management company, says it’s identified the five vulnerabilities most frequently overlooked by users in their open source code.

The five are listed in alphabetical order. Palamida did not attempt to assign a frequency ranking to the five, CEO Mark Tolliver said. Also, the Palamida list reflects known vulnerabilities that have been aired and fixed by their parent projects but are still encountered in the user base, such as businesses and government agencies. The projects named are not frequent offenders when it comes to security vulnerabilities, but their code is so widely used that unpatched vulnerabilities show up in Palamida’s enterprise and nonprofit agency software scans. In all cases, a patch is available to fix the vulnerability.

Open source code is “not any more vulnerable than commercial software” and in some cases, less so, said Tolliver. Open source projects tend to acknowledge their vulnerabilities and fix them promptly, he added.

The company conducts audits on enterprise software, spotting uses of open source and identifying origins of code. It both sells products to conduct audits and offers audit services and risk management consulting.

Palamida’s list of five frequently overlooked vulnerabilities is as follows:

Geronimo 2.0, the application server from the Apache Software Foundation, contains a vulnerability in its login module that allows remote attackers to bypass authentication requirements, deploy a substitute malware code module, and gain administrative access to the application server. The access is gained by “sending a blank user name and password with the command line deployer in [Geronimo’s] deployment module,” the Palamida report said. A blank user name and password should trigger a “FailedLoginException” response in Geronimo 2.0 but doesn’t.

A patch for the vulnerability exists at https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch.

Geronimo competes with Red Hat’s JBoss and other open source application servers.

The JBoss Application Server has a “directory traversal vulnerability in its DeploymentFileRepository class in releases 3.2.4 through 4.0.5. It allows remote authenticated users to read or modify arbitrary files and possibly execute arbitrary code,” the Dec. 7 report concluded.

A patch is available at http://jira.jboss.com/jira/browse/ASPATCH-126.

The third frequently encountered vulnerability on the list is the LibTiff open source library for reading and writing Tagged Image File Format, or TIFF, files. The LibTiff library before release 3.8.2 contains command-line tools for manipulating TIFF images on Linux and Unix systems and is found in several Linux distributions.

Using the LibTiff library in a version before 3.8.2 allows “context-dependent attackers to pass numeric range checks and possibly execute code via large offset values in a TIFF directory,” the Palamida report states. The large values may lead to an integer overflow or other unanticipated result and constitutes an “unchecked arithmetic operation,” the report said.

A patch is available at http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz.

The fourth vulnerability on the list is found in Net-SNMP, or the programs that deploy the SNMP protocol. It’s found in version 1.0, version 2c and version 3.0. When certain versions of Net-SNMP are running in master agentx mode, the software allows “remote attackers to cause a denial of service (crash) by causing a particular TCP disconnect, which triggers a freeing of an incorrect variable,” the report said.

A patch is available at http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1.

The fifth overlooked vulnerability is found in Zlib, a software library used for data compression. Zlib 1.2 and later versions allow a remote attacker to cause a denial-of-service attack. The attack designs a compressed stream with an incomplete code description of a length greater than 1, causing a buffer overflow.

The patch consists of upgrading zlib to version 1.2.3 at www.zlib.net/zlib-1.2.3.tar.gz.

The fact that the vulnerabilities exist doesn’t mean that anyone should stop using open source code. But users should adopt vulnerability patches or update to the latest, stable version of the code, said Theresa Bui, VP of marketing at Palamida. A complete description of the five vulnerabilities, along with their Common Vulnerability and Exposure number, can be found at Palamida’s Dec. 7 Web site listing. The CVE is a project of the Mitre Corp. that gives vulnerabilities a shared definition and reference number across security vendors.

See original article on InformationWeek.com
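To make the “unchecked arithmetic operation” in the LibTiff item concrete, here is an added example in C (not from the article, Palamida or libtiff): a simplified TIFF directory-entry range check written the way the report describes, beside an overflow-safe version and a directory walk that uses it. The dir_entry layout, the 1 KiB file size and the sample entries are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified TIFF directory entry (an assumed layout for this example, not
 * libtiff's own structures): where a tag's values sit in the file and how
 * many bytes they occupy. */
typedef struct {
    uint32_t offset;    /* byte offset of the tag's data within the file */
    uint32_t count;     /* number of values */
    uint32_t typesize;  /* bytes per value (1, 2, 4 or 8 in TIFF) */
} dir_entry;

/* The defect class the report describes: the range check itself does
 * unchecked 32-bit arithmetic. A very large offset or count wraps around,
 * the wrapped "end" looks small, and the check passes for data that in
 * fact lies far outside the file. */
bool entry_in_bounds_unchecked(const dir_entry *e, uint32_t file_size)
{
    uint32_t end = e->offset + e->count * e->typesize;  /* may wrap */
    return end <= file_size;
}

/* Hardened check: prove each operation cannot overflow before performing
 * it, so the end offset is only ever computed when it is representable. */
bool entry_in_bounds_checked(const dir_entry *e, uint32_t file_size)
{
    if (e->count != 0 && e->typesize > UINT32_MAX / e->count)
        return false;                   /* count * typesize would overflow */
    uint32_t len = e->count * e->typesize;
    if (e->offset > file_size)
        return false;                   /* data would start past end of file */
    if (len > file_size - e->offset)
        return false;                   /* data would run past end of file */
    return true;
}

/* Validate a whole directory with the hardened check; returns the index of
 * the first bad entry, or -1 when every entry is in bounds. */
int first_bad_entry(const dir_entry *dir, int n, uint32_t file_size)
{
    for (int i = 0; i < n; i++)
        if (!entry_in_bounds_checked(&dir[i], file_size))
            return i;
    return -1;
}

int main(void)
{
    const uint32_t file_size = 1024;    /* constructed: a 1 KiB TIFF */
    /* Constructed sample entries: one benign, then two that wrap the naive
     * arithmetic (offset near 2^32, and count * typesize == 2^32). */
    const dir_entry dir[] = {
        { 8,          4,          2  },
        { 0xFFFFFFF0, 1,          32 },
        { 8,          0x40000000, 4  },
    };
    for (int i = 0; i < 3; i++)
        printf("entry %d: unchecked=%s checked=%s\n", i,
               entry_in_bounds_unchecked(&dir[i], file_size) ? "pass" : "fail",
               entry_in_bounds_checked(&dir[i], file_size) ? "pass" : "fail");
    printf("first bad entry: %d\n", first_bad_entry(dir, 3, file_size));
    return 0;
}
```

The unchecked version accepts both wrapping entries, so a later read of their data would run outside the buffer; the checked version rejects them and still accepts an entry that ends exactly at the file's last byte.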

CIA Says Hackers Have Cut Power Grid

Hopefully, if they are reporting this, it means that we have fixed all the potential problems in this area. Just another reminder that as our society becomes more and more dependent upon technology, we also become more vulnerable to problems – be it intentional maliciousness or just things breaking down.

Story found via PCWorld:
CIA Says Hackers Have Cut Power Grid
Several cities outside the U.S. have sustained attacks on utility systems and extortion demands.
Robert McMillan, IDG News Service
Saturday, January 19, 2008 6:00 AM PST

Criminals have been able to hack into computer systems via the Internet and cut power to several cities, a U.S. Central Intelligence Agency analyst said this week.

Speaking at a conference of security professionals on Wednesday, CIA analyst Tom Donahue disclosed the recently declassified attacks while offering few specifics on what actually went wrong.

Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.

“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands,” he said in a statement posted to the Web on Friday by the conference’s organizers, the SANS Institute. “In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”

“According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure,” SANS said in the statement.

One conference attendee said the disclosure came as news to many of the government and industry security professionals in attendance. “It appeared that there were a lot of people who didn’t know this already,” said the attendee, who asked not to be identified because he is not authorized to speak with the press.

He confirmed SANS’ report of the talk. “There were apparently a couple of incidents where extortionists cut off power to several cities using some sort of attack on the power grid, and it does not appear to be a physical attack,” he said.

Hacking the power grid made front-page headlines in September when CNN aired a video showing an Idaho National Laboratory demonstration of a software attack on the computer system used to control a power generator. In the demonstration, the smoking generator was rendered inoperable.

The U.S. is taking steps to lock down the computers that manage its power systems, however.

On Thursday, the Federal Energy Regulatory Commission (FERC) approved new mandatory standards designed to improve cybersecurity.

CIA representatives could not be reached immediately for comment.