March 4, 2007
March is the Month of PHP Bugs. The Project’s goal is to improve PHP security. The bugs they are announcing each day are bugs with the core PHP code itself, not just poor coding practices of various PHP applications out there. A lot of this was sparked when Stefan Esser resigned from the PHP Security Response Team several months ago. (You can read an interview with him here.) He felt issues were not being addressed promptly enough or being ignored – and so we now have the Month of PHP Bugs.
My thoughts on PHP are conflicted. I used to be a big fan of PHP apps; they seemed to solve a lot of problems for me at work or other places (e.g., this blog is PHP based). But then I started to do some work with the Fedora Infrastructure team who had a poor opinion of PHP based on its security track record. I still use PHP applications, but I do tend to look for alternatives when I can. My PHP work apps are internal applications and safely behind the firewall. The publicly exposed PHP apps I use tend to be for personal use and are installed at my hosting provider who provides me the lazy path to updates through the one-click installs. So at least the path to upgrade is just a few clicks away.
In either case – looks like March might be a busy time for admins with a large number of publicly exposed PHP applications.
March 3, 2007
Looks like WordPress had a breach in their security and someone was able to add some exploit code to some downloads of the 2.1.1 release. Not all downloads were affected, but WordPress has released 2.1.2 to help eliminate any issues. My host had just recently upgraded their one-click installs to 2.1.1 – looks like another time procrastination paid off as I had not updated yet! You can read about the issue here.
February 10, 2007
There has been talk of PayPal offering security keys for use with their site – as well as eBay’s website. The story recently surfaced on digg.com (it’s probably been on there 50 times before – it is digg.com after all). PayPal’s page on it is here. It is still in beta testing phase now, but if you give PayPal $5 then they will send you one of the key fobs. You then activate your account for use with the new key fob and your new login process will include entering your normal username and password, as well as the 6-digit number displayed on the key fob (which changes every 30 seconds). Two-factor authentication.
This move is obviously due to the fact that eBay and PayPal customers are frequent targets of phishing attempts. By using a method as above those attacks become much, much more difficult to be successful. I applaud PayPal for making this move as a solution to the problem. There are several people that criticize PayPal for charging $5 for the key fob. I see no issue with that; it’s a token amount of money. These devices are not free and I am sure they realize if you charge just a little for something, only people who will really use it will ask for one. Why send a key to someone who has no real intention of using it? And if you give stuff away for free people will take it even if they have no intention of using it (my closet is full of T-shirts that I have and never wear only because they were given away for free from some convention).
The largest issue I see in the future with these measures is that one has the potential to end up with several of these key fobs from various banking sites and such if this becomes more of a widespread practice. Just from sites I frequent I can think of three or four that I would like to see move towards this type of system. Despite that, I still think this is a good move by PayPal and am anxious to see how the system works for them.
February 3, 2007
This just goes to show that folks really need to keep their browsers (and web servers) updated with the most recent patches. Often you will hear the excuse from the user side that they don’t go to the “bad” parts of the Internet. But this is a common tactic – infecting either the main page of a mainstream site or, oftentimes easier, exploiting the banner ad system to get harmful content to run. So just a heads up that even if you stick to mainstream sites, keep your browsers patched and seriously consider switching to an alternative browser such as Firefox.
April 9, 2006
I am sure many of you saw the /. articles and such about AT&T routing Internet traffic directly to the NSA. I read through, wasn’t so sure of the initial sources and chose not to comment on it at the time. I just saw this Wired article though with more details about what was going on.
So for those that laugh at my high interest in encryption – encrypting my chat sessions, emails, etc. – keep on laughing. It is quickly becoming not so funny. Yeah, you’re right – do they really care what I have to say? Probably not. But the issue at hand in my opinion is the principle of it. Who gave these folks the right to monitor all Internet traffic? Do we not still live in the United States? The fear mongering is once again causing Americans to put up with their rights being lessened.
Really, who’s the victim here? It is the normal American. You can bet terrorists are using some sort of encryption or code to hide their communications. Any planning of any importance is certain to be guarded by such protections. It is the normal American that is the one subject to this loss of rights.
March 29, 2006
For the second time this year Microsoft has failed to release a patch for a vulnerability that has public exploits already made available. This time the flaw is browser related. Exploits are already floating around out there, but Microsoft is still “testing” their patch and the last I saw not planning on releasing before April’s Black Tuesday. And this time there are two unofficial patches that beat Microsoft to the punch. One from eEye and one from Determina.
I know Microsoft says that big corporations only want patches released once a month, but I think that methodology fails to work anymore. People are still releasing their working exploit code into the wild before Microsoft will release their patches. I say Microsoft should release their patches as soon as they have been sufficiently tested. Companies can easily decide to only patch once a month if that is how often they are afforded scheduled downtime; that is their decision to make. Other, faster-moving companies would rather protect their users as soon as a patch is available. Especially when exploit code is already circulating about the Internet.
March 11, 2006
There was an interesting article on Slashdot yesterday about Virtual Machine based root kits. Apparently some Microsoft and University of Michigan security researchers have figured out a way to hijack your OS and get it to run on top of a VM. This can be done through any number of unpatched exploits (either existing or future). Suddenly you are running your OS on a VM layer which can be doing any number of things your current scanning software has little chance of detecting. Worth a read and some insight as to what the future may hold for security professionals.
February 22, 2006
Looks like Apple’s Mac OS X has caught the attention of security researchers (being generous with that term). Within the past week there have been three reports of security threats and/or flaws for the OS:
Feb. 16 – OS X Trojan Appears
Feb. 17 – Second OS X worm appears
Feb. 21 – Critical browsing flaw found in Mac OS X
The first one appears to be a work of social engineering rather than exploiting an actual flaw. The second one apparently takes advantage of an old Bluetooth flaw and the most recent (and most serious it would seem) is the browsing flaw in Safari, OS X’s default browser.
Looks like it is time to pay closer attention to the settings on the iBook at this point beyond the normal safety precautions.
February 14, 2006
I was asked what security issues prompted me to go back to hosting my own blog. This /. article is the one that got me thinking. Now I fully understand software has its flaws, but it seems that the high profile blogging sites are becoming more and more of a target for various flaws. Last fall it was myspace falling victim to a cross-site scripting worm. So with that I chose to move back to hosting my own blog again.
The blogging software I use is certainly not immune to security issues. But with it on my server it is something I control a little more easily. We will see how it goes.