5 Million Customers Compromised
By Ian Scott
In early December, CheckFree Corp.'s domain registration account was compromised and its DNS was subsequently hijacked. CheckFree offers a bill payment service through several banks, including Bank of America. Many who use the service were diverted to a server located in Ukraine and unwittingly gave up their usernames and passwords to the hijackers.
According to ITBusiness.ca, “CheckFree disclosed that it was warning many more customers than previously thought.” Apparently, up to 5 million customers may have been affected by the event.
Topics: Personal Security
Misleading Security Headline
By Ian Scott
I hate misleading headlines. Every so often, one appears relating to some security issue or vulnerability. Today, I received an email from PC Mag that held my interest for a number of reasons, including the fact that I make use of the SSL protocol and manage a number of SSL certificates for clients. The headline?
“SSL Crack Shows You Must Advance Your Security.”
I clicked through to the article and was a bit disappointed to read that the story was unable to show any problems with the SSL protocol at all. What it did discuss was that a research team was able to generate a rogue SSL certificate that web browsers recognized as being issued by an SSL certificate issuer, RapidSSL.
But this has nothing to do with SSL; rather, it has to do with the hash function, in this case MD5, that RapidSSL uses to generate SSL certificates.
Flaws in the MD5 function have been known for years, and it has been recommended that, where hash functions are required, SHA2 be used.
So it is not that there is a problem with SSL itself. The problem lies with the certificate issuers who are still using MD5.
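An added example, not part of the original post: a standard-library Python check that reads the signature algorithm out of a DER-encoded certificate and flags MD5-based signatures. The helper names and the two sample inputs are constructed for illustration; the samples are certificate-shaped DER skeletons, not real certificates.

```python
# Signature-algorithm OIDs built on broken hashes (PKCS #1 identifiers).
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        start, length = pos + 2, first
    else:                                  # long form: low 7 bits = byte count
        n = first & 0x7F
        start = pos + 2 + n
        length = int.from_bytes(buf[pos + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def decode_oid(body):
    """Turn OID content bytes (base-128 arcs) into dotted-decimal text."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends the arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_oid(cert_der):
    """OID of Certificate.signatureAlgorithm, the field after tbsCertificate."""
    _, start, _ = read_tlv(cert_der, 0)                # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, start)          # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)      # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return decode_oid(cert_der[oid_start:oid_end])

def weak_signature(cert_der):
    return WEAK_SIG_OIDS.get(signature_oid(cert_der))  # None if not on the list

def skeleton(alg_hex):
    """Constructed test input: certificate-shaped DER, not a real certificate."""
    tbs = b"\x30\x81\xc8" + b"\x00" * 200              # 200-byte placeholder body
    body = tbs + bytes.fromhex(alg_hex) + b"\x03\x02\x00\xaa"
    return b"\x30\x81" + bytes([len(body)]) + body

MD5_SAMPLE = skeleton("300d06092a864886f70d0101040500")     # md5WithRSAEncryption
SHA256_SAMPLE = skeleton("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption
```

To check a PEM file, convert it first with `ssl.PEM_cert_to_DER_cert()` and pass the result to `weak_signature()`.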
Topics: Digital Signatures, Encryption, Just Plain Silly
Flash For Linux Vulnerability
By Ian Scott
Another Adobe Flash vulnerability has been discovered in versions 10.0.12.36, 9.0.151.0 and earlier for Linux. According to the Adobe website, “… that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A specially formed SWF must be loaded in Flash Player for Linux by the user for an attacker to exploit this potential vulnerability.”
Adobe acknowledged and provided a fix for the vulnerability on December 17, 2008. Most Linux distributions likely have the fix in their updates, and you should be able to obtain it with whatever package management system your distribution uses.
You also can get a fixed version directly from Adobe.
Adobe’s bulletin and instructions for upgrading are here.
Topics: Uncategorized
ModSecurity on CentOS 4.7 64-Bit Architecture
By Ian Scott
Some might have a problem installing ModSecurity on CentOS 4.7 and 64-bit architectures when following the instructions on the ModSecurity website.
My webserver has been upgraded to httpd-2.0.52-41 using the CentOSPlus repository. I don’t know if others using versions previous to this will have the same problem or not – but it has to do with one of mod_security’s requirements: mod_unique_id.
It could be the result of an older httpd.conf file being used in place of the one that might come with a brand new install of CentOS and Apache, but my configuration file did not have the module loaded. I had to manually add the following to my httpd.conf file:
LoadModule unique_id_module modules/mod_unique_id.so
Another requirement of mod_security is libxml2. The official documentation at modsecurity.org tells you to add the following line to your httpd.conf file:
LoadFile /usr/lib/libxml2.so
If you are on a 64-bit system, however, it is likely that this path is incorrect. What you need to add to your httpd.conf file is this:
LoadFile /usr/lib64/libxml2.so
Hopefully this will help anyone who may be having trouble installing ModSecurity on their webserver. I didn’t even realize that the mod_unique_id module was not loaded until I happened to check the /var/log/httpd/error_log file and noticed lines of something like “mod security requires mod_unique_id.” When I restarted httpd, there was no error message and I thought everything was working as it should.
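An added example, not part of the original post: a small Python check that reads an httpd.conf and reports the two problems described above, since a restart alone gave no error message. The function names and the sample configuration are constructed for illustration, and the `exists` parameter is only there so the path test can be exercised without a real filesystem.

```python
import os
import re

DIRECTIVE = re.compile(r"^\s*(LoadModule|LoadFile)\s+(.+?)\s*$", re.IGNORECASE)

def parse_loads(conf_text):
    """Return (modules, files) from active LoadModule / LoadFile lines."""
    modules, files = {}, []
    for line in conf_text.splitlines():
        match = DIRECTIVE.match(line)          # commented-out lines never match
        if not match:
            continue
        name, args = match.group(1).lower(), match.group(2).split()
        if name == "loadmodule" and len(args) == 2:
            modules[args[0]] = args[1]         # module identifier -> .so path
        elif name == "loadfile":
            files.extend(args)                 # LoadFile accepts several paths
    return modules, files

def check_modsecurity_prereqs(conf_text, exists=os.path.exists):
    """List the prerequisite problems from the post found in an httpd.conf."""
    modules, files = parse_loads(conf_text)
    problems = []
    if "unique_id_module" not in modules:
        problems.append("unique_id_module is not loaded (mod_unique_id)")
    xml_libs = [path for path in files if "libxml2" in path]
    if not xml_libs:
        problems.append("no LoadFile line for libxml2")
    for path in xml_libs:
        if not exists(path):
            # On 64-bit systems the library usually lives under /usr/lib64.
            alt = path.replace("/usr/lib/", "/usr/lib64/", 1)
            hint = f"; {alt} exists" if alt != path and exists(alt) else ""
            problems.append(f"LoadFile target {path} is missing{hint}")
    return problems

# Constructed sample: an older httpd.conf carried over to a 64-bit host.
SAMPLE_CONF = """\
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadFile /usr/lib/libxml2.so
"""
```

Run `check_modsecurity_prereqs(open("/etc/httpd/conf/httpd.conf").read())` on the server itself; the path shown is the usual CentOS location and is an assumption here.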
Topics: Computer Security, Firewalls
Nothing Is Guaranteed
By Ian Scott
This past weekend, one of the top web hosting firms, ThePlanet.com, had an explosion and fire in a data centre located in Texas. This affected thousands and thousands of websites: although apparently none of the servers in the facility were damaged, the fire fighting staff that arrived on the scene did not allow backup power to the facility.
Topics: Uncategorized
Is Facebook Breaking Privacy Laws?
By Ian Scott
I just logged off the popular and well known “Social Networking” site, Facebook, after playing some Scrabulous moves with some of my friends. There is no doubt that Facebook can be a great tool for keeping in touch with friends and acquaintances, and some of the third party applications such as Scrabulous are popular with Facebook users. But there are some who are very concerned about personal privacy that many users may be giving up unknowingly.
Topics: Personal Security, Privacy