Archive for the ‘Security’ Category

Protect Your Family with the Kogan Portector!

Friday, June 18th, 2010

If you’re worried about spam and scams coming through the Internet Portal (thanks to Stephen Conroy for pointing that threat out) then get yourself a Kogan Portector! Here’s their advert for it on YouTube..

Of course you must be sure to read the disclaimer..

DISCLAIMER: The Kogan “Portector” Internet Filter is not a real product. This product is in no way affiliated with Communications Minister Stephen Conroy, The Australian Labor Party, or the Australian Government. Incorrect use may result in uncensored Internet content, freedom of speech, freedom of choice, freedom of thought, and protection of your civil liberties.

Phew, thanks Kogan for saving us!

Joining the Australian Internet Blackout

Monday, January 25th, 2010

Along with folks like the Samba project I’ve joined the Great Australian Internet Blackout, so the first time (and only the first time) you visit the site you’ll get the notice about the protest. Here’s why the proposed mandatory filtering is a bad idea from the Great Australian Internet Blackout website:

  • It won’t protect children: The filter isn’t a “cyber safety” measure to stop kids seeing inappropriate content such as R and X rated websites. It is not even designed to prevent the spread of illegal material where it is most often found (chat rooms, peer-to-peer file sharing).
  • We will all pay for this ineffective solution: Under this policy, ISPs will be forced to charge more for consumer and business broadband. Several hundred thousand dollars has already been spent to test the filter – without considering high-speed services such as the National Broadband Network!
  • A dangerous precedent: We stand to join a small club of countries which impose centralised Internet censorship such as China, Iran and Saudi Arabia. The secret blacklist may be limited to “Refused Classification” content for now, but what might a future Australian Government choose to block?

If you’re using WordPress with a theme that supports widgets then participating is as easy as adding a text widget (or using one you already have) and adding the single line of HTML to activate the blackout.

To paraphrase Kryten from Red Dwarf, it has just two minor flaws. One, it won’t work, and two, it won’t work. Now I realise that, technically speaking, that’s only one flaw but I thought it was such a big one it was worth mentioning twice.

Serious SSL Renegotiation Problem

Thursday, November 5th, 2009

This just in from Ben Laurie:

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

But wait, there’s more..

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Ben has a patch against the current development head of OpenSSL to ban renegotiation, but for most people it’ll need backporting to their current OpenSSL versions..
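The Apache arrangement described in the quote, next to a layout that asks for the client certificate during the initial handshake instead. This is an added illustration, not taken from Ben's post or his OpenSSL patch; the addresses, hostnames and file paths are placeholders.

```apache
# Added illustration: IP addresses, hostnames and file paths are placeholders.

# --- Layout that triggers the renegotiation described above ---
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/www.crt
    SSLCertificateKeyFile /etc/ssl/example/www.key
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt

    # No client certificate is requested in the initial handshake.
    SSLVerifyClient none

    # Per-directory context: mod_ssl reads the HTTP request first, then
    # renegotiates to obtain a client certificate, then processes the
    # request it had already read on the unauthenticated session.
    <Location /protected>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# --- Layout that avoids the mid-connection renegotiation ---
# The protected content moves to its own virtual host on its own address,
# so the server knows before the handshake that a certificate is required.
<VirtualHost 192.0.2.11:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/secure.crt
    SSLCertificateKeyFile /etc/ssl/example/secure.key
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt

    # Server context: the certificate is demanded in the initial handshake,
    # before any HTTP data is read, so nothing is replayed afterwards.
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

The second layout only removes the server-triggered renegotiation on the protected path; the protocol problem itself still needs the OpenSSL fix.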

WordPress 2.8.5 released – security fix and hardening work

Wednesday, October 21st, 2009

WordPress 2.8.5 has just been released:

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

It includes a fix for a trackback DoS attack that’s apparently going on at the moment. I’ve updated the 3 blogs I look after with a quick svn switch http://svn.automattic.com/wordpress/tags/2.8.5.

Microsoft Silently Installs Firefox Plugins, Introduces Security Vulnerabilities

Sunday, October 18th, 2009

Oh joy, Microsoft have managed to introduce security problems into Firefox through a plugin for it that they silently install without your knowledge! :-(

Along with .NET Framework 3.5 SP1, Microsoft have been silently installing a Windows Presentation Foundation Plugin that allows the embedding of XAML applications (an XML-based UI technology) in web pages, called XBAP (XAML Web App). The exploit is drive-by, meaning that the victim only needs to be lured onto a web-page for the attack to be effective. The only safe thing to do until a patch is issued, is to open Firefox’s AddOn Manager and disable the WPF plugin.

Mozilla might already have reacted to this, my brother (who alerted me to the above story) said:

Firefox popped up saying it’s blocking 2 Microsoft add-ons so they must be cracking down on them

Dear Microsoft – please do not stuff about with people’s web browsers that don’t belong to you, you’re just not qualified..

Nominum Ignorant of Own Security History

Thursday, September 24th, 2009

Oh dear, so Nominum crop up on ZDNet decrying “freeware” (by which they probably mean open source) as bad and closed source as being good by saying:

Nominum software was written 100 percent from the ground up, and by having software with source code that is not open for everybody to look at, it is inherently more secure.

Because, of course, that security through obscurity approach works so well for people like Microsoft (have you patched the SMB2 remote admin attack on your Windows boxes yet?). They go on to justify this by saying that you should look at all the security patches that get applied to BIND et al. and contrast that with their own software.

Nominum has not had a single known vulnerability in its software.

Which would be almost impressive, if it were actually true, which it isn’t. That quote is from 22nd September 2009, but over a year earlier they had to release a security patch for their software (PDF document), because:

Cache poisoning allows an attacker to selectively control destination web sites for users accessing a compromised DNS. For example, if a cache entry for Google is poisoned, a user typing in www.google.com would not get the Google website but rather a site controlled by the attacker.

In fact it wasn’t just one piece of software they wrote that had a bug, it was two..

This vulnerability affects all customers using versions of CNS and Vantio released before June 4th, 2008 regardless of what features are being used.

So perhaps people in (smoked) glass houses shouldn’t try and throw stones…

Abusing OpenID for Phun and Profit

Friday, August 21st, 2009

My esteemed friend Dr. Rich Boakes has noticed some odd behaviour in his Apache logs that turned out to be people abusing his OpenID server to make page requests to remote sites, presumably as a way of increasing clicks. He raises an interesting point as to whether this makes OpenID servers potential DDoS amplifiers (I suspect he’s right).

Intel Stop Shipping X25-M and X18-M SSDs – Data Loss Problem

Thursday, August 6th, 2009

Found via InsideHPC (quoting EnterpriseStorageForum.com):

Intel found that if a user sets up a BIOS password on the SSD, then disables or changes the password, the contents of the drive become corrupted and irretrievably lost.

Probably not an issue for HPC storage systems, more an issue for desktop ones I guess.

Firefox 3.5.1 Vulnerability

Sunday, July 19th, 2009

Oh no, not again..

Various analysts and sites have recently confirmed a vulnerability is present in FireFox 3.5.1 that has had exploit PoC released. When exploited, the vulnerability can lead to system compromise or induce a DOS. No Patch is available.

Interestingly the SecurityFocus BID for this says it’s FF 3.5, but the ISC SANS post above does say 3.5.1 (and they do know what they’re talking about). There is also a CVE number allocated to it, but I’m having problems reaching that at present to check what it says. One possible explanation is that Mozilla pushed out 3.5.1 to fix the 3.5 0day that appeared recently, but this bug was found beforehand and Mozilla weren’t aware of it prior to releasing 3.5.1 (or they thought it was more important to get the other fix out whilst they worked on this).

Firefox 3.5 0day Vulnerability

Tuesday, July 14th, 2009

Oh joy, within 24 hours of the MS IE/ActiveX exploit we have a remote vulnerability against Firefox 3.5.

The vulnerability is caused due to an error when processing JavaScript code handling e.g. “font” HTML tags and can be exploited to cause a memory corruption. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 3.5. Other versions may also be affected.

Currently Mozilla have no “known vulnerability” page for Firefox 3.5 security issues, I presume once it’s created it’ll be here.

There is a sample exploit available already, so it’ll be in the wild soon if not already. :-(

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 Australia.