
Monday, July 26

Apple Stores are good to me

Yesterday my wife and I took a visit to the local Apple Store. My Time Capsule had died, and since it was one of the original models, it was under a replacement program. I took the Time Capsule back, they traded my broken one for a brand new one, and I was done.

My wife, however, was a different story. You may remember from a previous post of mine that my wife dropped her iPhone 4 while getting my daughter out of the car. Whoops. Cracked the back glass to shreds.

She was fairly upset, since she had only had it for about a week. Anyway, she went in, explained what she did to the Apple Genius dudes, and guess what?

They gave her a brand new phone.

/That's/ why I like Apple Stores.

Thanks to the Christiana Mall Apple Store Geniuses. You rule.

Monday, January 11

iPhone compatibility

When I moved to the current theme, I received a couple of emails telling me that the theme is hard to read on an iPhone. So I fixed that. If you browse to the blog on an iPhone you will now get a completely different screen and interface, one that is very iPhone-compatible and user-friendly, and still allows you to use all the features of the site (commenting, emailing, etc.) as you normally would.

So here's what it will look like now when you navigate to the site on an iPhone:


Notice the drop-down at the top right of the screen? This allows you to view the site via RSS, sort by category, even email me directly from the blog.

If you don't like how the page looks on the iPhone, you can turn this feature off by scrolling down to the bottom of the page and flicking the switch, as seen below:


This is all made possible by the WPtouch theme. Thanks, WordPress.

Reviewing ModSecurity 2.5, the book

Currently, I am reviewing a book for Packt Publishing. It's entitled "ModSecurity 2.5: Securing your Apache installation and web applications" by Magnus Mischel.

Consequently, I am playing with ModSecurity a bit, and I will try very hard to NOT break things on the blog.

So far it's a good book. It's been quite a while since I've used ModSecurity (back in the 1.x days) and the configuration has completely changed, so I'm on a quick learning curve as well.

Wednesday, May 28

Apple also released Security Update 2008-003

  • AFP Server
    Issue: Files that are not designated for sharing may be accessed remotely
    Solution: Deny access to files and folders that are not inside a folder designated for sharing
    Credit: Alex deVries and Robert Rich
  • Apache
    Issue: Multiple vulnerabilities in Apache 2.0.55, including cross-site scripting.
    Solution: Apache is updated to version 2.0.63 to address several vulnerabilities
    Note: This is for Mac OS X Server 10.4.x systems, since Leopard ships with Apache 2.2.x.
  • AppKit
    Issue: Maliciously crafted file, unexpected application termination, arbitrary code execution
    Solution: Improved validation of document files.
    Credit: Rosyna of Unsanity
  • Apple Pixlet Video
    Issue: Vulnerability to unexpected application termination, arbitrary code execution
    Solution: Improved bounds checking.
  • ATS
    Issue: Vulnerability to arbitrary code execution
    Solution: Additional validation of embedded fonts.
    Credit: Melissa O'Neill of Harvey Mudd College
  • CFNetwork
    Issue: Vulnerability leading to disclosure of sensitive information
    Solution: User prompts
  • CoreFoundation
    Issue: Vulnerability leading to unexpected application termination or arbitrary code execution
    Solution: Additional validation of length parameters.
  • CoreGraphics
    Issue: Vulnerability that may lead to an unexpected application termination or arbitrary code execution
    Solution: Proper initialization of pointers
  • CoreTypes
    Issue: Lack of prompting against opening "certain potentially unsafe content types" in Automator, Help, Safari, and Terminal
    Solution: Enhancements to Download Validation in Mac OS X v10.4, and Quarantine in Mac OS X v10.5
    Credit: Brian Mastenbrook
  • CUPS
    Issue: Information disclosure
    Solution: Validation of environment variables
  • Flash Player Plug-in
    Issue: Arbitrary code execution
    Solution: Updating to version 9.0.124.0
  • Help Viewer
    Issue: Vulnerability to application termination or arbitrary code execution
    Solution: Improved bounds checking
    Credit: Paul Haddad of PTH Consulting
  • iCal
    Issue: Vulnerability to unexpected application termination or arbitrary code execution
    Solution: "Improving reference counting in the affected code"
    Note: This issue only affects pre-Mac OS X 10.5 systems.
    Credit: Rodrigo Carvalho of Core Security Technologies
  • International Components for Unicode
    Issue: Disclosure of sensitive information
    Solution: "...replacing invalid character sequences with a fallback character."
  • Image Capture
    Issue: Path traversal vulnerability
    Solution: Improved URL handling

    Issue: Privilege elevation
    Solution: Improved handling of temporary files
  • ImageIO
    Issue: Out-of-bounds memory read leading to information disclosure
    Solution: Additional validation of BMP and GIF images
    Credit: Gynvael Coldwind of Hispasec

    Issue: Multiple vulnerabilities in libpng version 1.2.18
    Solution: Updating to version 1.2.24

    Issue: Vulnerability to unexpected application termination or arbitrary code execution
    Solution: Additional validation of JPEG2000 images.
  • Kernel
    Issue: Remote vulnerability to unexpected system shutdown due to undetected failure condition
    Solution: Proper detection of the failure condition.

    Issue: Local user vulnerability to unexpected system shutdown due to mishandling of code signatures
    Solution: Perform additional validation of code signatures
  • LoginWindow
    Issue: Race condition preventing MCX preferences being applied
    Solution: Eliminate the race condition
  • Mail
    Issue: IPv6 vulnerability leading to unexpected application termination, information disclosure, or arbitrary code execution
    Solution: Properly initializing a variable.
    Credit: Derek Morr of The Pennsylvania State University
  • ruby
    Issue: Remote vulnerability
    Solution: Mongrel updated to version 1.1.4
  • Single Sign-On
    Issue: Password disclosure in sso_util
    Solution: Make password parameter optional, force sso_util to prompt
    Credit: Geoff Franks of Hauptman Woodward Institute
  • Wiki Server
    Issue: Remote vulnerability to information disclosure
    Solution: Improved handling of error messages
    Credit: Don Rainwater of the University of Cincinnati


Wednesday, March 12

Internet Zoning Initiative, and why it's stupid

Usually I'm not very vocal about 'policy' ideas, in other words things that may become law. But I read this article as a recommendation from Marc Sachs. We were sitting in the ISC chat room last night, he asked us if we had read it, and I said no. So I grabbed the PDF and here I am blogging about it.

So essentially, the Internet Zoning Initiative is the ability (which its backers are trying to turn into a requirement) for lawmakers to tell web providers to split the web into different "channels".

For instance, if you had a website that had normal content and adult content, it would require you to run a "Child-free" website on port 80, then, using virtual hosting, run your adult website on port 69.  (Or whatever.)  Here's an example they give in their pdf:

Now, this, to me, is like asking a kid to click on, "Are you above the age of 18?  Yes, or No".  If a teenager (or adult for that matter) wants to go and look at whatever they want to look at, what are they going to click? 

Yeah, I can just imagine a kid now, sitting behind his desk at home, "Oh wait, I'm not 18, let me click No."  Come on people.

All you are doing is saying that basically the kid has to click on the link on your port 80 website to go to your port 69 website. OOhh!! What protection! Even then, hey, I can just type http://urlgoeshere:69 into my browser address bar, and thusly, I am there, man!

I think the motivation behind this whole idea is sound. Okay, so you want to protect kids on the internet, fine. I have no problem with that idea. But the idea that you have here is a bit off base. I've heard that OS X's parental controls are quite good. However, never having tested them, I can't endorse them yet either. But the idea of putting porn on a totally different port isn't going to solve a THING.

The only idea that I have ever seen that was at least decent was the invention of the ".xxx" domain for 'adult' content. That's at least blockable and instantly distinguishable.

Besides, let's look at the corporate implications of this. Inline proxies would have to start listening on essentially all ports. IDS/IPSs would have to normalize HTTP over any port, there would be all kinds of holes poked in the firewalls... It's just not feasible. Sorry, try again.




Saturday, March 8

Subscribers Part 2

In my previous post I said that I lost about 100 subscribers. Looks like one of the URLs that I had through Google Reader didn't transfer over, and one of the URLs that Bloglines grabs didn't transfer over.

See, the problem is this:
Some people subscribed to esler.is-a-geek.net
Some subscribed to www.joelesler.net

Under those two domain names, some people subscribed to the rss.xml, and others subscribed to the atom.xml. (Little did you know, it was the same exact file.. heh)

That's a potential of 4 different subscription points. Then, as I have been trying to do, I had everyone (using mod_redirect) reading the feeds from FeedBurner, at this URL: http://feeds.feedburner.com/RandomThoughtsFromJoelsWorld. This is the URL that is now managing all the feeds.

So what it looks like happened is, I lost all the people that were subscribed through Google Reader and Bloglines at the esler.is-a-geek.net URL. I can correct some of that by using webhops and redirects, but I think I'll wind up losing about 50 or so still.

So, here is the correct URL to repoint your RSS readers at. I apologize for all the moving and confusion around here. Switching my blog from Blogger to mac.com hosting, and back, then moving from Georgia to Delaware, in the meantime switching ISPs three times. It caused some havoc.

So, I apologize. Now that my blog is hosted through the custom domain feature at Google, I should have no problems, and I won't move it anymore. Thanks for your patience.


Monday, January 21

RSS Feeds, all in one place

I've been using FeedBurner for quite a while now to serve up my RSS and Atom feeds for this blog. It keeps really nice stats, and I like how it keeps a good subscriber count, auto-pings all the blog update services, and reformats my blog so that every reader can read it correctly.

So, using mod_rewrite I am sending all the atom.xml and rss.xml subscribers over to FeedBurner. Hopefully this won't cause a lot of headaches. It certainly makes things easier for me.


Wednesday, December 26

OSX, Windows, and security

Posted today as a comment. Please read inline (the quoted lines, marked with ">", are the comment; the unquoted text is my reply).

> You are correct that third-party applications are weak points. This applies equally if not more so to Mac OS X. I think there is use of more third-party apps under Mac OS X than typically by Windows XP/Vista users.

I'm not talking about 3rd party apps. I am talking about open source apps that are integrated into the OS. Apache, MySQL, tcpdump, BIND, etc. Neither OS supports the updating of a 3rd party app through their Software Update package. They SHOULD. I talked about this back here.

> Windows is, in fact, much more open than Mac OS X. Mac OS X upon release looked nothing like FreeBSD 4, which it was based on. Note that FreeBSD 5 was almost done at the time Mac OS X was released and FreeBSD is now on version 7.

Windows is more open than OSX? OSX contains open source code, and Windows' code is entirely closed. So right there, by default, you are wrong. OSX was BASED on FreeBSD. No one says it is anymore. Far from it. Technically it could be argued that OSX is based on NeXTSTEP.

> Microsoft provides symbol tables and wonderful debugging tools for its applications. Apple provides nothing in this area of comfort.

Apparently you have never looked at Xcode and all the debugging apps that are OSX based?

> When Microsoft releases a specification, especially one based around security - thousands of intelligent code reviewers with the right kind of security backgrounds get to review it. Microsoft offers Blue Hat and other forums where the best and brightest in the security world get to give input into their process of building a secure operating system along with secure applications.

Yes, when Microsoft releases a SPECIFICATION, it is reviewed. Not CODE. Neither does Apple. Btw -- how did that OpenDoc XML specification do? Oh that's right, it got rejected. Microsoft does offer Blue Hat and the like, but the attendance is thin, it is under NDA, and it is secretive.

> Apple throws rotten apples at vulnerability researchers.

Apple's product security team gives credit where credit is due. What do you want the product security team to do? Pay vulnerability researchers? MSFT doesn't do that either. That comment just makes no sense. Anyone that has actually worked with the Apple Product Security team (and yes, I have) knows they take the time to respond to an issue. Don't believe everything you read in the press.

> Microsoft launched the Trustworthy Computing Initiative in 2002. Apple has never spent a dime or taken any "breaks" to check their code for security. Microsoft has been doing this for almost 6 years now and have applied it to all of their software. Security is baked into Microsoft applications.

WRONG. Apple does spend dimes on security, lots of them. Except they don't need a separate department (oh wait... they have one, it's called the Product Security team) to manage all the vulnerabilities.

> For Apple, it's iced on as "features". You can just look at Matasano or anyone's assessment of the security features in Mac OS X LeoTard. It's abominable to think that Apple is doing a good job with regards to security.

I agree. Apple could do more. A lot more. I know they are taking steps to improve security, especially in QuickTime. I can't talk any more about that, though.

> I am anxious to see the mantra "replace Mom and Dad's computer with a Mac this Christmas" backfire this year.

That's what they said last year too.

> Do you remember why people write viruses?

Lack of a home life? Or to make money?

> They write viruses to teach stupid people lessons.

Yeah? Or they are doing it for fun and profit. I'll stick with my thoughts.

> You are that stupid person. Apple fanboys will eat their words when something bad happens this year.

That's what they said last year, and the year before. I'm not stupid. I know it's a reality. Our time is coming. I take a few extra steps to secure my computer.

> And Apple doesn't care. They will wash their hands of liability while their customers suffer. They aren't "doing anything to stop the problem".

Wrong. See above. I can't talk about it any further.

> They aren't "solving the QuickTime vulnerability problem". This would mean implementing a software assurance program. This would mean implementing something such as the Microsoft Security Development Lifecycle. Apple has not done this.

It doesn't mean that; it just means that the QuickTime team needs to re-examine all their code and secure it. You don't need a program or another acronym to solve the problem. Apple just needs to fix their code, and they are; again, see above. Can't talk about it any further.

> Apple does not "test test test test and test". That's what Microsoft does. Apple does not test at all... they think that testing and debugging are the same thing! A "quality test program" means integrating Quality Risk Management.

Riiiight. So Apple never seeds developer releases to test stuff?

> It is held strongly by the Enterprise and research community that Sourcefire is the worst security company in the history of security companies.

Really? Is that why Snort is the IDS against which all other IDSs are measured? Is that why we have products that other companies can't even fathom? Please, show me this "strongly" held opinion.

> Why haven't they been bought yet?

Tried that once, remember the whole CHKP thing?

> Why are they going out of business?

What? Who said we are going out of business? Last time I checked, we IPO'ed? We're making money?

> I would never start a company based on an open-source product that is doomed to fail because of its architecture. Network intrusion detection was dead on arrival, but you think the 1998 Ptacek/Newsham paper would have killed it for sure. What is wrong with Sourcefire to think that they could continue this on for 10 years?

You would never make any money either, apparently. Also, um, what code do we have that counters the Ptacek/Newsham paper? Target-based fragmentation? We've even taken it a step further with target-based stream reassembly?

> Windows vulnerabilities cause less damage.

$ lost by Blaster < $ lost by QuickTime. Yeah, um, no? Let's check our facts here.

> Most are under a risk management plan, where an Enterprise business or government agency has compensating controls. They also have backups. Mac OS X users never have backups. I have never met a single one that does backups.

Time Machine was invented to solve this problem. Works for me.

> Most Mac OS X users are complete newbies, that's why they are using Apple in the first place. If they already knew Windows well - they would stay with it.

Yeah, all people want that bloatware and Vista that doesn't work with their hardware. However, I will agree that most OSX users are newbies. Welcome. I will also disagree and say that most security people I know use OSX.

> In the event of an emergency, Mac OS X users cannot help themselves. They rely on Apple to fix their problems. They can just take their laptop or iPod back to the Apple store and a Genius can order their replacement.

I know, isn't that a novel idea?

> Even if it's a simple matter such as a battery or hard drive - expect to wait 4 to 8 weeks while your new equipment arrives.

Or, um... they have a shitton of them in the store. I've gone to an Apple store for a battery problem. Walked out with a brand new battery. I've never walked into a Microsoft Store and done that... oh yeah, that's because....

> This is what is known to me as "a lot more damage". It's no wonder that Enterprises and government agencies don't use Apple computers!

Hm... Didn't read the news this week, did you? I know LtC Wallington, and I applaud his efforts.

> Most Apple users don't care; they are used to crappy service and long wait times. They waited in line for their iPhone for 26 hours -- waiting for their replacement iPhone that doesn't have a faulty antenna or battery (or whatever) "isn't that big of a deal" -- even if it takes 6 weeks!

I only waited 4 hours. On release day. The people that waited 26 were just trying to make the news. They succeeded.

> Most Apple products are purchased by Dad or on credit anyways -- so it's not like it's real money!

Where do you get this utterly pointless statistic?

Where did this conversation go anyway? You were wrong, "ANONYMOUS".

Wednesday, December 19

Mac versus Windows vulnerability stats for 2007

byte_bucket over in the #pauldotcom IRC channel turned me on to this article, simply because I am a self-proclaimed Apple fanboy. Sounds good, I don't mind; I like it when people point me to articles. I read a lot of news during the day, but sometimes I don't get to see all the news articles.
Anyway, George Ou writes on zdnet.com an article comparing the number of vulnerabilities for XP, Vista, and OSX. At first glance we look at this column comparison and say "holy crap, OSX had a hell of a lot more vulnerabilities than Vista or XP combined!"



True. Now, in my usual Microsoft punditry and OSX defender stance, let me point out the less obvious in these three operating systems.

1) OSX hasn't had to deal with a bunch of hackers before; now that it's being increasingly targeted, especially QuickTime, Apple is dealing with it.
2) XP and Vista are closed platforms. Apple, save for their internal binaries, is pretty much open. You can see how it all works.
3) And probably the most critical: OSX is built on, and contains, a TON of open source software. CUPS, Apache, PCRE, MySQL; the list goes on and on and on.

So not only does Apple have to patch their own stuff, but they have to wait for the open source community to patch, then get the community's patch, tie it into their products, test test test test and test, then release their own patch. Makes sense so far, right? OSX Server even contains software owned by my company, Sourcefire. OSX Server contains ClamAV.

Are there more vulnerabilities in OSX than there are in Windows? Yes. But you are comparing apples (no pun intended, okay, well, slightly) and oranges. Windows has 94% market share! Just one vulnerability for Windows has the potential to cause a lot more damage than 30 vulnerabilities for OSX.

Then you have to look at the security models of the two. In OSX, most everything runs in "userland". Whereas in Windows, applications and services run at a lot of different permission levels: system, admin, user, etc.

One thing I don't like about Leopard is the same thing I didn't like about Tiger: the firewall. There is no "DENY ALL". There is a "Deny all, um... except stuff that will break OSX". Which is fine, as long as there aren't any vulnerabilities in things like mDNSResponder (port 5353). But there have been remote vulns in mDNSResponder! The other thing I don't like about the Leopard firewall? It's OFF by default. Granted, there is only one port open by default in OSX (5353), as opposed to Windows, where there are at least 3.

So, yes, OSX has more vulnerabilities than Windows, but does it matter?

UPDATE: From the comments: iamnowonmai says "I would like to see a list of all the vulnerabilities in the third-party software that people commonly use on XP. Since Acrobat is not a part of the OS, it doesn't count? Or Word? Outlook? And at least the third-party software gets updated on a Mac. How many fools are out there still using Acrobat version 4?"

Brings up a good point. Windows doesn't have to patch all the "other" software that is on its system. Apple does. Apple includes a lot of software to make their user experience better and more seamless. Windows relies on 3rd party developers for this. Say what you will, but these are things you need to take into account when you read this article.

Thursday, November 29

Now, that's a nice User-Agent

I was looking through my httpd-access.log today for something, and ran across this, (Yes, I have removed the IP):

"[29/Nov/2007:17:18:18 -0500] "GET /uploaded_images/questionmark-785318.jpg HTTP/1.1" 200 6203 "http://www.bloglines.com/myblogs_display?sub=44519724&site=8488306" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Internet Explorer'); DROP TABLE browsers;--"
 
Little injection attempt there?  Trying to drop the ol' browser table in some kind of stats db.  

So who cares? Well, it made me think of something. If this person can obviously alter his/her User-Agent to do that, what is to make you think that the rest of the Agent string is valid? How do we know that this person is really using "Internet Explorer"?

At what point does the trust break? I've often gone with the adage of "don't trust anything", not a single packet. What if you use p0f to passively fingerprint the OSes of the machines attempting to access your network, okay, and I go in, compile my own kernel on my Linux box, and set my IP and TCP attributes such that it will appear to be Windows when I communicate with your network?

What can you trust on your own network? If someone hacks into your web server, is there any merit in seeing what they did once they got on the machine? You no longer can trust a single thing on the box, and definitely not anything coming out of the box! It has to be rebuilt.

Mod_security did not catch the above attempt btw.  (It will now)
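As an added example (not code from the original post), here is a small Python scanner that parses Apache combined-format log lines and flags the kind of SQL-injection fragment shown in the entry above, wherever it turns up in the User-Agent or Referer field. The sample log lines are constructed; the first mirrors the quoted entry with a placeholder client IP.

```python
"""Scan Apache combined-format access log lines for SQL-injection fragments
hiding in the User-Agent or Referer field.

Added example, not code from the original post. The log lines are
constructed: the first mirrors the entry quoted in the post with the
client IP replaced by a documentation-range placeholder.
"""
import re
from typing import Dict, List, Optional

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# Fragments that no legitimate browser ever puts in a header. Each one is a
# classic SQL-injection tell, so a single hit is enough to flag the line.
SQLI_PATTERNS = [
    re.compile(r"'\s*\)\s*;"),                          # quote, close paren, end statement
    re.compile(r"\b(drop|alter|truncate)\s+table\b", re.I),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"--\s*$"),                              # trailing SQL line comment
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),  # ' or 1=1
]

SAMPLE_LOG = [
    # Mirrors the entry quoted in the post; the client IP is a placeholder.
    '192.0.2.10 - - [29/Nov/2007:17:18:18 -0500] '
    '"GET /uploaded_images/questionmark-785318.jpg HTTP/1.1" 200 6203 '
    '"http://www.bloglines.com/myblogs_display?sub=44519724&site=8488306" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) '
    "Gecko/20071025 Internet Explorer'); DROP TABLE browsers;--\"",
    # Ordinary browser request (constructed).
    '192.0.2.11 - - [29/Nov/2007:17:20:01 -0500] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5; en-US) '
    'AppleWebKit/525.13 Safari/525.13"',
    # Same trick aimed at the Referer column instead (constructed).
    '192.0.2.12 - - [29/Nov/2007:17:21:44 -0500] "GET /rss.xml HTTP/1.1" 200 88 '
    '"http://example.com/?id=1\' UNION SELECT 1,2,3--" "curl/7.16.3"',
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def sqli_hits(value: str) -> List[str]:
    """Return the SQLI_PATTERNS (as pattern strings) that match a header value."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(value)]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per suspicious header field, in log order."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line; a real deployment would count these too
        for field in ("agent", "referer"):
            hits = sqli_hits(rec[field])
            if hits:
                findings.append({"line": n, "host": rec["host"], "field": field,
                                 "value": rec[field], "patterns": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} from {f['host']}: suspicious {f['field']}: {f['value']}")
```

Because the scanner only ever looks at the two quoted header fields, a payload that also breaks the log line's quoting would fail to parse rather than slip through silently, which is why unparseable lines deserve their own counter in practice.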

Sunday, November 25

joelesler.net

I decided I should go ahead and actually get a primary domain, instead of surfing off of esler.is-a-geek.net (which is a dynamic DNS freebie domain under is-a-geek.net), and bought joelesler.net. I couldn't get joelesler.com, my long lost twin in Australia owns that one, and I am not a .org, so I didn't get that one. esler.org and esler.net were also taken, or I would have grabbed those as well. That way I could set up fun email addresses for the whole family.

The only one that was available is esler.com, but they want 2500 bucks for that one. I'm not going to pay 2500 bucks for my own damn last name. But esler.com used to be a website for an airport in Alexandria, Louisiana, (seriously! Esler airpark!), so someone has it parked, and has the stranglehold on that one currently. I actually landed at the airpark once when I was in the military. We were going to Fort Polk, and that's the airport we landed in. Of course I didn't know it until later.

I have email here, all the DNS zones I can handle, and loads of other goodies that you can do with your own domain. So I have changed my email on the right of the page to reflect my new domain.

Esler.is-a-geek.net will still work for now, it's free! But eventually, when I get tired of renewing it every 90 days, I'll ditch it.



Friday, November 23

Thank you for watching


For those of you who read my next post and then took the URL in the log that I posted, copied and pasted it into the address bar of your browser, and read the Microsoft label page, you are missing the point.
-- Thank you for reading, but that's not what I am asking. --
Look at the log entry. If you have access to Apache logs yourself, go look at yours, or find some on the internet, then come back and tell me what is wrong with that log entry.
(BTW -- those of you that cut and pasted, about 20 of you did it, so don't feel bad, you are not alone.)

Monday, November 12

800 posts, and mod_security blocking

Took a look at my mod_security logs tonight. Apparently, if you use Google Reader to read my RSS feed, then actually try to go to my website via the link in the RSS, and you try to do all this when you are behind a Bluecoat proxy server on your internal network...

You get blocked. The Bluecoat proxy forwards your internal address in the "X-Forwarded-For" header to Google Reader, then, finally, when you click on the link to come to my website, Google forwards your internal IP along in that header.

Which mod_security didn't like:

"!^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown)$" at HEADER("X-FORWARDED-FOR")

It doesn't like you. I commented out the rule, so everything should be fine now.
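The rule in that log entry is negated: the request is denied whenever the whole X-Forwarded-For value is not exactly one dotted-quad IPv4 address, the word "unknown", or empty. A proxy chain (Bluecoat, then Google) produces a comma-separated list of hops, which never matches, so the rule blocks the request rather than the bad header. The Python below is an added example, not code from the blog or from mod_security: it re-creates the page's pattern, puts a chain-aware check beside it that still rejects junk per hop, and lists the RFC 1918 hops so you can see the internal address the proxy leaked. The header values in it (10.1.2.3 as the leaked internal address, 192.0.2.10 and 203.0.113.7 as RFC 5737 documentation addresses) are constructed for the demo.

```python
import ipaddress
import re

# Added example (not the blog's own code). The header values used for the
# demo are constructed: 10.1.2.3 plays the internal address a corporate proxy
# leaks, 192.0.2.10 and 203.0.113.7 are RFC 5737 documentation addresses.

OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4 = OCTET + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET

# The page's pattern, with the config file's "\\." unescaped to "\." for
# Python. It accepts one dotted-quad IPv4 address, the literal "unknown",
# or an empty value. In the log it is negated ("!..."), so a request is
# denied whenever the whole header value fails to match.
SINGLE_XFF = re.compile(r"^((" + IPV4 + r"|)|unknown)$")

# RFC 1918 ranges: an address from these in X-Forwarded-For is an internal
# address that some upstream proxy has exposed to the outside world.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def original_rule_allows(xff):
    """True if the rule quoted in the post would let the request through."""
    return SINGLE_XFF.fullmatch(xff) is not None


def split_hops(xff):
    """Split a proxied header into its comma-separated hops, trimmed."""
    return [hop.strip() for hop in xff.split(",")] if xff.strip() else []


def chain_aware_rule_allows(xff):
    """Accept a proxy chain ("client, proxy1, proxy2") as long as every hop
    is a well-formed IPv4 address or "unknown"; reject anything else,
    including empty hops from a doubled comma."""
    return all(hop and SINGLE_XFF.fullmatch(hop) for hop in split_hops(xff))


def internal_hops(xff):
    """Return the hops in an RFC 1918 range (the leak the post describes)."""
    leaked = []
    for hop in split_hops(xff):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # "unknown" or garbage is not an address at all
        if any(addr in net for net in RFC1918):
            leaked.append(hop)
    return leaked


if __name__ == "__main__":
    for value in ("203.0.113.7", "10.1.2.3, 192.0.2.10", "10.1.2.3, <script>"):
        print(repr(value),
              "original:", original_rule_allows(value),
              "chain-aware:", chain_aware_rule_allows(value),
              "internal hops:", internal_hops(value))
```

The chain-aware check keeps the original rule's intent (no garbage in the header) without denying every visitor who sits behind two proxies; the list of RFC 1918 hops is what you would log rather than block, since the leak is the upstream proxy's problem, not the visitor's.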

Monday, December 18

Christmas, and the holiday spirit, and Internet security

Recently, while we've all been out shopping, paying attention to gifts, what we are going to get and what we aren't going to get, an attack has been going on. Apparently against my web server.

I review my weblogs (I review all my logs) on a weekly basis. Because really, what's the point in having logs if you're not going to look at them? A log that isn't looked at is a pointless log. You might as well shut off syslog if you aren't going to look at the logs. But I digress.

I review my weblogs. I have mod_security installed on my Apache web server here, so through my custom mod_security rules I am provided with an audit_log in my logging directory.

I usually get about 200 to 300 entries a week in that file. All denied.

Last week that number jumped to almost 9000. As of this morning (my logs roll over on Sunday), I had over 3000.

As I am on my blackberry I don't have a copy of the logs, so I'll post a sample entry later.

But the string I see a lot is "x-aaaaaaaaaaa" in the header.

Anyone else seeing these?

Friday, August 25

Traffic

I've started taking a look at my access_log file in Apache. I've been blogged on a couple of different rather public blogs recently, and my traffic has increased exponentially.

So, let me put this out there.

My web server is protected by at least 6 different methods (3rd party programs). If I don't like what you are doing on my site, (like trying to wget -r it or something), or hell, if I don't like your User-Agent, you will be denied.

mod_security + Inline Snort + Firewalls and some other tidbits of niceness, are handy.

Monday, June 19

mod_security and other fun tools

You're only minutes away from protecting your web sites from all manner of attack and spam. To do this, you need to download one piece of software, mod_security, install it on your web server and then configure it. It's not difficult or time consuming at all, and if you follow these instructions you should be ready to go in minutes!

Got Root : Setup of mod_security


No, I didn't follow this setup, but I ripped this off the "Got Root?" website for an easy setup of mod_security. I started playing with it a while ago to see if I could use it to block all these wonderful attacks that I get constantly pointed at my site.

So... I installed it with its default ruleset, and it started dropping all the virus and Rbot crap that is all around my network here at knology.net.

I run Snort-inline too with a bunch of stuff set to drop, so it was kinda cool to be able to control all this stuff coming at my webserver...

I jumped on Google and searched for "mod_security rules".. It brought me here..

Click here

I took these rules, (apparently they are updated often), and put them in my mod_security rules as well.

Talking to a friend of mine shortly after, though, he suggested that I put the rules in a separate file and source them from the mod_security.conf file. I thought that was an excellent idea, so that's what I did.

kinda like: "include conf/mod_sec/modsecurity-general.conf" <-- this was his example...

This worked even better, and now, I'll probably script some kind of update to it so it updates daily and protects my apache install from lots of stuff...

So, back to playing with iptables, Snort-inline, and mod_security.
