Watch out for this Apache bug

There is a nasty Apache exploit going around right now that targets a vulnerability in versions 1.3.x, 2.0.x and 2.2.x. Basically, it causes the process to exhaust all available memory and crash when it receives GET requests with overlapping byte ranges. The methodology seems to borrow a page from the teardrop attack. Yes, I’ve been studying for a security certification…

Why SSL isn’t foolproof security

Over at Rabbit-Hole, a commenter posted that my low-tier VPN is unnecessary if you’re using SSL. He’s wrong.

Perhaps I should have titled this “When SSL isn’t foolproof security,” but it’s too late now. Oh well.

When you’re sitting on a strange network (not your home or work network), SSL is vulnerable to a classic man-in-the-middle attack. If you’re paying attention, you should know if your session is being hijacked. But who’s paying attention?

Dark ages of security, or golden age of hacking?

Earlier this week, Rob O’Hara argued that hackers, in spite of the publicity they get, aren’t necessarily sophisticated at all.

Details of the Citigroup hack prove it.

How to use Sticky Keys to change/unlock a forgotten password

This isn’t a particularly new trick, nor did I invent it. But it’s a good trick for breaking into a Windows system when you don’t have a lot of tools at your disposal, and have legitimate reason to do so–like a lost or forgotten local administrator password. I’ve talked about some of those reasons before. I’d also add someone locking themselves out of their own computer to the list. It happens, just like people locking themselves out of their cars, or their houses.

Not every writeup I’ve seen of this trick goes into what I would call sufficient detail. So I’ll take a shot at it.

How to audit your PC’s software for updates

Sometimes you like to use backdated software, perhaps to avoid bloatware. But perhaps you also have some old software you’ve forgotten about. If you want to know, Secunia has a free product called PSI that will scan your system and alert you to any outdated software you may have. Then you can either update it, if it’s something you use and want to keep up to date, or uninstall it.

If I’m making more mistakes lately…

Yesterday’s post was hastily done. A longtime reader pointed out one mistake, and a questionable one–a tricky was/were instance, which, since I wasn’t actually there to see the event, means I can’t actually tell you which one would be proper… Although in the rest of the English-speaking world, “were” would be correct. Except Canada, perhaps.

I have some, er, distractions going on lately.

Don’t use Internet Explorer this Christmas

In case you haven’t heard elsewhere, there’s a nifty unpatched vulnerability for Internet Explorer floating around. And it’s actively being exploited. Metasploit, an exploit toolkit used by penetration testers and script kiddies alike, is able to detect and utilize it.

Under these circumstances, Microsoft has been known to rush out a patch before the next scheduled Patch Tuesday, but the Christmas and New Year’s holidays will obviously slow things down.

In the meantime, installing Firefox and/or Chrome is prudent. I have and use both, since, to my knowledge, there hasn’t been a time yet when both of the two most popular alternative browsers had unpatched exploits in the wild.

How to secure your wi-fi router

It’s not enough to know what to look for in a router. I wanted to get some solid advice on wi-fi network security. Who better to give that advice than someone who built an airplane that hacks wi-fi? So I talked to WhiteQueen at http://rabbit-hole.org, the co-builder of a wi-fi hacking airplane that made waves at Defcon.

Hacker stereotypes aside, WhiteQueen was very forthcoming. He’s a white hat, and I found him eager to share what he knows.

Buffer overflows explained

Buffer overflows are a common topic on a Security+ exam. The textbook explanation of them is confusing, perhaps even wrong. I’ve never seen buffer overflows explained well.

So I’m going to give a simplified example and explanation of a buffer overflow, similar to the one I gave to the instructor, and then to the class.

If you use Mozilla, you need to read this

No sooner had I presented Mozilla, specifically Mozilla Firefox, as a safe alternative to Internet Explorer than an exploit for Mozilla showed up. Argh!

At least the fix came out swiftly and installs painlessly. Visit the page, click another link, wait a minute or so, and then restart the browser. Badda bing, badda boom, you’re patched. No reboot necessary.

I still stand by my recommendation of Mozilla, whether it’s the entire bloatware Mozilla suite or the lightweight Mozilla Firefox, over IE. Why? Lessons learned from Linux.

When a vulnerability is discovered in a Microsoft product, an unpredictable length of time passes before it is patched. Sometimes it’s a matter of days, but sometimes the delay is just plain ridiculous. Forgetting for a minute how frequently patches come out–a case can be made that Linux gets more patches than Windows, but just as strong a case can be made that it gets fewer–the length of time on Linux between the instant a vulnerability is discovered and announced and the release of a patch is usually very small. Usually it’s a matter of hours.

The reason is simple. Lots and lots of eyeballs looking at the code. And in Open Source, having your name in the code is a badge of honor. It’s a big, big line on a resume to say you wrote a line of code in the Linux kernel.

Other open-source software gets patched just as quickly, too, even though not every open source programmer is comfortable maintaining operating system kernels. No self-respecting programmer wants his or her system hacked due to a vulnerability in a piece of software she or he was perfectly capable of fixing.

This particular vulnerability stems from a little-known capability in Mozilla. I’m sure there was a legitimate use for it at one time, but were Mozilla being designed and rewritten from scratch today, I can’t see how it would possibly be implemented because the potential for abuse is huge. The code’s gone now. It won’t be in Firefox 0.92 or the next revision of the Mozilla suite.

Will there be other instances of this? Sure. Probably less of it, since Mozilla was a total rewrite of Netscape and the engine is entirely different from the one in Netscape 4.x. The IE codebase goes back to the early 1990s, as it’s based on the old NCSA Mosaic code, which Microsoft licensed from Spyglass. (Go into IE and hit Help, About to see for yourself.) There’s much more potential for harmful dead wood in IE than in Mozilla, but the presence of some in either is inevitable.

But at the end of this year’s storm season, I expect Mozilla to come out a lot stronger because most of the dead wood will be shaken out. I don’t expect the same from IE. The codebase is too old, the teams too disparate, and the motivations behind the changes that have been made are too different from Mozilla’s.

I’m standing by my browser.