security Archive

Securing Elasticsearch – Part 1

The most frequently asked question for ElasticSearch and security is "how do I require login?" Once you've answered and implemented the answer to that question, a larger, truly more troublesome issue looms. The same principles used to secure ElasticSearch, typically a proxy fronted by Apache/nginx, use various auth techniques. If you...

Why are we spending so much time refuting?

There's a nice juicy war going on in the 'data / web' sector that seems more heated than I can remember. It essentially boils down to sensationalist claims from the likes of MongoDB and MemSQL, which in turn draw refuting remarks from industry professionals who are typically embedded with RDBMS technologies. The...

Worthy of distribution: Your cell phone records

This is just too cool, and too perfect a testament to how much you can derive through data and social networking. Via the F-Secure Labs blog: http://www.zeit.de/datenschutz/malte-spitz-data-retention shows an extremely well put together example of combining a tidbit of privileged information with social networking, and how this truly is a brave...

On MySQL: The latest, far-reaching password circumvention

By now, everyone has heard, or will be hearing, about this issue. While it's an extremely simple hack and covers (dare I say) the majority of MySQL installation versions, let's not forget to finish reading the entire disclosure. From the disclosure: But practically it's better than it looks - many MySQL/MariaDB builds are not...

GitHub hacked, and private repositories

And this is precisely why, albeit 'nifty', storing your private/proprietary code in a 'private repository' on the likes of GitHub / Bitbucket is a generally poor idea. Keeping your code in SCM behind closed doors isn't difficult. I find it very troublesome (annoying) to see how many people can't...

Disable PHP 5.4’s built-in web server, while keeping CLI …

Administrators: Don't get blind-sided by PHP 5.4's CLI web server! I've gone over a similar issue before regarding the likes of git/hg. While those are developer tools and are less likely to be present on a production machine, PHP 5.4 is jumping on the bandwagon to include a 'cute' little...

Observations: Google’s new Terms of Service

The new TOS and Privacy Policy documents from Google are a welcome change; reducing 60 individual ones into a standard, global set is a much better idea for understanding's sake. Observation 1: We may review content to determine whether it is illegal or violates our policies, and we may remove...

PHP Vulnerability – DJBX33A – Hash table collisions

Trickling through my RSS feeds this morning was an article with quite the topic: "PHP Vulnerability May Halt Millions of Servers". In a nutshell: almost all PHP versions in the wild (sans 5.3.9+) are in danger of an extremely simple DoS via a modest-size POST. The vulnerability exploits the PHP internal...

Worthy of distribution: Cloud analogy

This post on Beyond Bandwidth seems to summarize some of my feelings about cloud computing - it's best thought of as an outsourcing task for the most part; although the benefits of something like an extra DNS server are a bit more than an 'outsource benefit', you get the...

Is there a hacking campaign against open source?

Linux.com, kernel.org, MySQL (twice this year), WordPress and PHP have all reported breaches of some sort this year. Is there some sort of campaign against these 'high profile' open source projects? It's starting to feel like it, to me. The more hands you get in the pot, the more nervous you should...

The inherent risks of ‘daemonize’ features in developer tools – Git, Mercurial (hg)

A handful of tools such as Mercurial, Git (and soon PHP, which chances are will be its own binary) have their own 'daemonize' functionality. Whatever your reasons, if you want to disable these, there's little to no help in figuring out how... until now. If you want to disable Mercurial's hg...

Kernel.org, linux.com down, still… also, Git! – Updated!

With news breaking about the compromised systems for kernel.org and linux.com, both sites are "down for maintenance". Completely - and it's been this way for many days now (kernel.org since the 28th). I think it's safe to say the range and scope of the issues are pretty disappointing - the longer these...

Worthy of distribution: Reset root MySQL password

Oh snap! Need to reset your MySQL root/admin (or any?) password? Well, you'll need root and control over mysqld to some extent, but this is worthy of a rainy-day bookmark indeed: http://mysqlpreacher.com/wordpress/2011/03/recovering-a-mysql-root-password-three-solutions/ ...

/usr/bin/chage – Sending emails when a password expires, or is about to

There are a lot of scripts out there that do this, but they either don't revolve around /etc/shadow enough or they're sloppy. Here's my spin on a script for nightly cron that will parse /etc/shadow and send out emails based on the per-user values. It's resistant to garbage dates (99999 'expiration' dates)....

Shortcut to a directory with a bat file and a sub directory containing the same name

Check this out. Make a directory structure like this:

Dir
Dir/AnotherDir
Dir/anotherdir.bat

Fill the .bat file with something creative... (non-destructive). Now, make a shortcut from anywhere to Dir/AnotherDir. Lemme guess, it tries to name the shortcut after the bat file? Odd! Rename it in the prompt then. Save your shortcut and try to use...

Amazon AWS – The risk of using a cooked AMI

Straight from the horse's mouth. I no longer use this AMI, but the only ones I've used are Debian EBS and SLES ... Fortunately I already went through authorized_keys on the one I do keep around. People take AWS services seriously, but the AMI sharing always set off a...

Apple updater today…

I need music. I spend a lot of time holed up in an office, with IM with my peers as my main form of human interaction. For a long time, I've relied on iTunes. Things have changed - I don't want to purchase through iTunes anymore - I don't want DRM'd...

Google profile images, FAIL- Worthy of distribution

Most folks probably don't know that Google has updated the user profile pages' look'n'feel, including some changes to profile pictures... Most of us feel somewhat comfortable uploading an image and cropping it using the interface provided to us by sites (granted, you get what you ask for if you upload...

On: ntp, ntpd. link dump!

So, in order to quickly have a (Debian) machine up and running with NTP, you're bound to do something like 'apt-get install ntp ntpdate'. The problem is that this installs 'ntpd' too. The default configuration allows your server to answer NTP queries from anywhere. If you want to...

Time to be informed!

What would you do if you received a legitimate-looking email from your hosting company asking you to OPEN an SMTP relay? That's apparently a new style of spam (to create more spam!) targeting administrators. I'm sure there are a handful of 'admins' who can get by and would more than...