Except it won’t be.

I’m assuming the reporter who quoted the statement in the title as coming from the Davos “Global Shapers” group was trying to make his own headline. Hey, that works (I even used it myself). But this is not the first time we’ve been warned about the Armageddon that is cyber terror, and it’s time somebody called bullshit on it.

Now don’t get me wrong, I’m not mother Teresa. I work in IT security, and have been known to scare people now and then with the “this is what might happen to you if you won’t fix your security”.  Most times I’d like to think I was calling it the way I saw it, but I’m sure more than once people that were listening to me thought I was exaggerating. And probably much more than once, I was. But this is not an “exaggeration”. It’s something totally different.

Have you been terrorized? I bet you have. You don’t have to know someone who was killed by a suicide bomber; it’s enough if you think back to when the school bully tried to take your lunch. That was terrifying. And terrorizing. You thought bodily harm will come to you, and this is why “terror” works so well: it’s scary.

Is ‘cyber terror’ really that scary? Well, lets compare. Many of us have been “victims” of cyber terror. You probably visited a web site that was defaced by political hacker wannabes. Were you terrorized?

We’ve all heard about the attacks in Estonia. That was the most effective cyberwar to date. But did anyone died? Lets compare it to the war (actual war) in Georgia. Again Russia clashing with a neighbor, but this time people died; lost their homes; forced to move their lives elsewhere. I’m sorry, but that’s not the equivalent of having to reformat your computer or losing facebook connectivity for 24 hours.

War is war: people die, suffer bodily harm, have their lives change. I’m not against the term “cyber-war” or “cyber-terror”, but can we put it in proportion please?

So no, the next ‘cyber war’ or ‘cyber terror’ attack won’t be worse like 9/11. It won’t be even mildly comparable to 9/11. Unless it kills thousands of people, in which case there will be nothing “cyber” about it.

It seems like nowadays China is the immediate suspect when it comes to hacking attempts or cyber espionage. It’s therefore interesting to know that they are suffering from as much internal attacks as anyone else.

The ‘cyber security china 2012′ is organized with ISC2, which is typically a good indicator for interesting speakers and content (at least, that’s been my past experience in other countries). The description shows that the Chinese are worried about the same things we all are:

With support from Ministry of Public Security  of  China,  and  working  with  ISC2, ITU-IMPACT and  ISFS Hong kong, Cyber Security China 2011  is successfully organized in March 24-25 in Shanghai, China.  The  2011  event convened 130+ delegates from global and local cyber security authorities, government, law enforcement  agencies, users  and  security  vendors,  and  mainly  explored  the solutions  against  evolving cyber  threats  and  attacks,  and how to fight the  cyber crimes through public-private-partnership.

More information here.

Richard Stiennon writes:

I have only one security related prediction for 2012 and that is that we are in for a year that will make 2011 look tame in terms of major targeted attacks.

He gives the 2011 examples of the break-in to Sony playstation network and an attack on Stratfor (a defense intelligence organization). Here’s one from yesterday: A saudi attacker published the details of credit cards (and other personal information such as I.D numbers and address) for hundreds of thousands Israelis.

Going to be a fun year!

How hard is it to get facts straight? I don’t expect vendors to admit they sat on a vulnerability for months without patching: it’s human nature to blame someone else:

Opera […] claims that it couldn’t replicate the issue at the time. According to the vendor, its attempts to obtain more information from the researcher at the time weren’t successful.

Of course, when dealing with vendors, it’s always “the dog ate my homework” and “I swear we couldn’t reproduce it until it became public”
But I’m puzzled on why a technical reporter would just happily accept what’s being shoveled at him. For one, he could have contacted us and asked…

Here’s what really happened: We notified Opera about this vulnerability back in May. We gave them the Proof-of-Concept, disassembly, explanation and vulnerability analysis. So saying they did not have the full information is far from the truth. We didn’t ask for anything in return (we never do) but I admit we were skeptical based on previous experience with reporting vulnerabilities to Opera.
Then came the Million dollar question; we were asked if it worked on the latest version of Opera, and we said we don’t know. Since last time I checked, no one here worked for the Opera QA team, so we didn’t feel it was our job to check it. The response was typical:
“We only fix issues that are relevant to the latest version of Opera”

Followed by the all-too-common:”the items provided only cause crashes they have no intention to fix them”.

I guess they meant “we won’t fix them unless you drop a 0-day and we get a call from a computer magazine”.The Vendors-against-full-disclosure will continue, no doubt. Tech writers, get your spines refitted please: if you’re not a part of the solution, you’re a part of the problem.

BKABVCLD.RVW   20110323

“Above the Clouds”, Kevin T. McDonald, 2010, 978-1-84928-031-0,
UK#39.95
%A   Kevin T. McDonald
%D   2010
%G   978-1-84928-031-0 1-84928-031-2
%I   IT Governance
%O   UK#39.95
%O  http://www.amazon.com/exec/obidos/ASIN/1849280312/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1849280312/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1849280312/robsladesin03-20
%O   Audience n+ Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   169 p.
%T   “Above the Clouds: Managing Risk in the World of Cloud Computing”

The preface does a complicated job of defining cloud computing.  The introduction does provides a simpler description: cloud computing is the sharing of services, at the time you need them, paying for the services you need or use.  Different terms are listed based on what services are provided, and to whom.  We could call cloud computing time-sharing, and the providers service bureaus.  (Of course, if we did that, a number of people would think they’d walked into a forty-five year time-warp.)

The text is oddly structured: indeed, it is hard to find any organization in the material at all.  Chapter one states that the cloud allows you to do rapid prototyping because you can use patched operating systems.  I would agree that properly up-to-date operating systems are a good thing, but it isn’t made clear what this has to do with either prototyping or the cloud.  There is a definite (and repeated) assertion that “bigger is better,” but this idea is presented as an article of faith, rather than demonstrated.   There is mention of the difficulty of maintaining core competencies, but no discussion of how you would determine that a large entity has such competencies.  Some of the content is contradictory: there are many statements to the effect that the cloud allows instant access to services, but at least one warning that you cannot expect cloud services to be instantly accessible.  Various commercial products and services are noted in one section, but there is almost no description or detail in regard to actual services or availability.

Chapter two does admit that there can be some problems with using cloud services.  Despite this admission some of the material is strange.  We are told that you can eliminate capacity planning by using the cloud, but are immediately warned that we need to determine service levels (which is just a different form of capacity planning).  In terms of preparation and planning, chapter three does mention a number of issues to be addressed.  Even so, it tends to underplay the full range of factors that can determine the success or failure of a cloud project.  (Much content that has been provided previously is duplicated here.)  There is a very brief section on risk  management.  The process outline is fine, but the example given is rather flawed.  (The gap analysis fails to note that the vendor does not actually answer the question asked.)  SAS70 and similar reports are heavily emphasized, although the material fails to mention that many of the reasons that small businesses will be interested in the cloud will be for functions that are beyond the scope of these standards.  Chapter four appears to be about risk assessment, but then wanders into discussion of continuity planning, project management, testing, and a bewildering variety of only marginally related topics.  There is a very terse review of security fundamentals, in chapter five, but it is so brief as to be almost useless, and does not really address issues specifically related to the cloud.  The (very limited) examination of security in chapter six seems to imply that a good cloud provider will automatically provide additional security functions.  In certain areas, such as availability and backup, this may be true.  However, in areas such as access control and identity management, this will most probably involve additional charges/costs, and it is not likely that the service provider will be able to do a better job than you can, yourself.  A final chapter suggests that you analyze your own company to find functions that can be placed into the cloud.

Despite the random nature of the book, the breadth of topics means it can be used as an introduction to the factors which should be considered when attempting to use cloud computing.  The lack of detail would place a heavy burden of research and work on those charged with planning or implementing such activities.  In addition, the heavily promotional tone of the work may lead some readers to underestimate the magnitude of the task.

copyright, Robert M. Slade   2011     BKABVCLD.RVW   20110323

Interesting report by Verizon. Highlights:

• External attacks are up 22% and are now responsible for 92% of losses.
• Insider attack is down 31%. (Finally implementing internal security measures and not just focusing on the perimeter?)
• Victims were not ‘chosen’ because they were large, important or had financial data. They were simply the easiest targets.
• 92% of loss resulted from simple, known vulnerabilities

The conclusions sound a lot like the Gartner report:

“Every year that we study threat actions leading to data breaches, the story is the same; most victims aren’t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them.”

And here’s the same thing in different wording:

“The latest round of evidence leads us to the same conclusion as before: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old.”

And of course, I like this one because it highlights Automated Vulnerability Assessment:

“SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defenses follow suit? As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to major breaches in the past year.”

Basically, your organization already has the security solution that it needs; you’re just not using it.

I was recently made aware of a site/service called About.Me.  It allows you to sign up, and create a very short Web page about yourself.  I created a page, noted that there wasn’t much else I could do, and figured that was it.

The next day I received a message noting that they were providing email as well.  I could sign up for my own email address (as if I didn’t have enough already) with them.  The instructions said that I could access it via POP and IMAP.

So, I gave it a try.  I activated the email address, and started to test it.  I can send mail to the address (from another account), and retrieve it, but when I tried to send mail through their SMTP server I got an error.  Having done this before, with a variety of servers, I tried some variations on the instructions.  More error messages, and no sent email.

So, I tried their help and support systems.  I ran into the same page of (incorrect) instructions again and again.  I tried to find some way to contact them.  The pages and links labelled “Feedback” have no contact information on them, and no input fields to fill in and send.  Nothing.

Eventually, I did find something that allowed me to send them a message.  I gave details of what I was doing, and sent copies of the error messages I received.

I got a message back.  It asked me for details.  I sent back the same details, including the error messages.  I got a second message.  It asked if I had seen any error messages.

I have sent them a third message with the error messages again.

I very much doubt that this is going to be one of the runaway social media success stories.

This guide can also be found at http://security-24-7.com/hardening-guide-for-drupal-7-7/
Pre-installation notes The guide bellow is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15

The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

PHP installation phase

1. Login to the server using Root account.
2. Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
   rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
rpm -ivh glibc-headers-2.5-49.i386.rpm
rpm -ivh glibc-devel-2.5-49.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh gcc-4.1.2-48.el5.i386.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
rpm -ivh zlib-devel-1.2.3-3.i386.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
rpm -ivh libjpeg-devel-6b-37.i386.rpm
3. Download MySQL development RPM from: http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
4. Download PHP 5.3.8 source files from: http://php.net/downloads.php
5. Download the latest libxml2 for PHP from: http://xmlsoft.org/sources/
6. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
7. Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
8. Move to /tmp cd /tmp
9. Install the MySQL development RPM:
   rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
10. Remove MySQL development RPM:
    rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
11. Extract the php-5.3.8.tar.gz file: tar -zxvf php-5.3.8.tar.gz
12. Extract the libxml2 source file: tar -zxvf libxml2-2.7.7.tar.gz
13. Move the libxml2-2.7.7 folder: cd /tmp/libxml2-2.7.7
14. Run the commands bellow to compile the libxml2: ./configuremakemake install
15. Move to the PHP source folder: cd /tmp/php-5.3.8
16. Run the commands bellow to compile the PHP environment:
    ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftp
make
    make install
17. Edit using VI, the file /usr/local/apache2/conf/httpd.conf Add the following string, to the end of the AddType section:
    AddType application/x-httpd-php .php       

    Replace the line from:
    DirectoryIndex index.html
To:
    DirectoryIndex index.php index.html index.htm

    Replace the value of the string, from:
    LimitRequestBody 10000
To:
    LimitRequestBody 600000

18. Copy the PHP.ini file cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
19. Change the permissions on the php.ini file: chmod 640 /etc/php.ini
20. Edit using VI, the file /etc/php.ini Replace the value of the string, from:
    mysql.default_host =
To:
    mysql.default_host = 127.0.0.1:3306       

    Replace the value of the string, from:
pdo_mysql.default_socket=
To:
    pdo_mysql.default_socket=127.0.0.1

    Replace the value of the string, from:
    allow_url_fopen = On
To:
    allow_url_fopen = OffReplace the value of the string, from:
expose_php = On
To:
    expose_php = Off

    To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:Replace the value of the string, from:To:Replace the value of the string, from:To:To:Replace the value of the string, from:To:Replace the value of the string, from:
    memory_limit = 128M
To:
    memory_limit = 64MReplace the value of the string, from:
;open_basedir =
To:
    open_basedir = "/www"

    Replace the value of the string, from:To:Replace the value of the string, from:
    post_max_size = 8M
To:
    post_max_size = 2MReplace the value of the string, from:
disable_functions =
To:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid

    Replace the value of the string, from:To:Replace the value of the string, from:
    ;include_path = ".:/php/includes"
To:
    include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

    Replace the value of the string, from:
    display_errors = On
To:
    display_errors = Off

    Replace the value of the string, from:
    display_startup_errors = On
To:
    display_startup_errors = Off

    Replace the value of the string, from:
    ;gd.jpeg_ignore_warning = 0
To:
    gd.jpeg_ignore_warning = 1

21. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop       

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

22. Remove the PHP source and test files:
    rm -f /tmp/php-5.3.8.tar.gz
rm -f /tmp/libxml2-2.7.7.tar.gz
rm -rf /tmp/php-5.3.8
rm -rf /tmp/libxml2-2.7.7
rm -rf /tmp/pear
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test

Drupal installation phase

1. Login to the server using Root account.
2. Run the command bellow to login to the MySQL:
   /usr/bin/mysql -uroot -pnew-password       

   Note: Replace the string “new-password” with the actual password for the root account.

    

3. Run the following commands from the MySQL prompt:
   CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2'; SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
   CREATE DATABASE Z5J6Dw1;
   GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
   FLUSH PRIVILEGES;
   quit       

   Note 1: Replace “blgusr” with your own MySQL account to access the database.
   Note 2: Replace “password2” with complex password (at least 14 characters).
   Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

   Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

4. Download Drupal 7.7 from: http://drupal.org/project/drupal
5. Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
6. Move to /www cd /www
7. Extract the file bellow:
   tar -zxvf drupal-7.7.tar.gz
8. Remove Drupal source file:
   rm -f /www/drupal-7.7.tar.gz
9. Rename the Drupal folder:
   mv /www/drupal-7.7 /www/drupal
10. Remove default content:
    rm -f /www/drupal/CHANGELOG.txt
rm -f /www/drupal/COPYRIGHT.txt
rm -f /www/drupal/INSTALL.pgsql.txt
rm -f /www/drupal/LICENSE.txt
rm -f /www/drupal/UPGRADE.txt
rm -f /www/drupal/INSTALL.mysql.txt
rm -f /www/drupal/INSTALL.sqlite.txt
rm -f /www/drupal/INSTALL.txt
rm -f /www/drupal/MAINTAINERS.txt
rm -f /www/drupal/sites/example.sites.php
11. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Replace the line from:
    DocumentRoot "/www"
To:
    DocumentRoot "/www/drupal"
12. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop  /usr/local/apache2/bin/apachectl start    

     

     

13. Create the following folders:
    mkdir /www/drupal/sites/default/files  mkdir /www/private    

     

     

14. Copy the settings.php file:
    cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
15. Change permissions on the settings.php file:
    chmod a+w /www/drupal/sites/default/settings.php       

    chmod -R 777 /www/drupal/sites/default/fileschmod -R 777 /www/private

16. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/install.php
17. Select “Standard” installation and click “Save and continue”.
18. Choose the default “English” and click “Save and continue”.
19. Specify the following details:
    • Database type: MySQL
    • Database name: Z5J6Dw1
    • Database username: blgusr
    • Database password: password2
    • Click on Advanced Options
    • Database host: 127.0.0.1
    • Table prefix: Z5J6Dw1_

    Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).

20. Click “Save and Continue”.
21. Specify the following information:
    • Site name
    • Site e-mail address (for automated e-mails, such as registration information)
    • Username (for the default administrator account)
    • E-mail address
    • Password
22. Select “Default country” and “Default time zone”.
23. Unselect the “Update Notifications” checkboxes.
24. Click “Save and Continue”.
25. Close the web browser.
26. Create using VI the file /www/config.php with the following content:
    $databases = array ( ‘default’–>  $databases = array (
    ‘default’ =>
    array (
    ‘driver’ => ‘mysql’,
    ‘database’ => ‘Z5J6Dw1′,
    ‘username’ => ‘blgusr’,
    ‘password’ => ‘password2′,
    ‘host’ => ‘127.0.0.1′,
    ‘port’ => ‘’,
    ‘prefix’ => ‘Z5J6Dw1_’,
    ),
    ),
    );
    ?>    

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘’ tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

27. Edit using VI, the file /www/drupal/sites/default/settings.php Add the following line:
    include('/www/config.php');       

    Remove the following section:
$databases = array ( 'default' => array ( 'default' => array ( 'driver' => 'mysql', 'database' => 'Z5J6Dw1', 'username' => 'blgusr', 'password' => 'password2', 'host' => '127.0.0.1', 'port' => '', 'prefix' => 'Z5J6Dw1_', ), ), );Replace the string from:
ini_set('session.cookie_lifetime', 2000000);
To:
    ini_set('session.cookie_lifetime', 0);

    To:To:To:To:To:Remove the following section:To:Replace the string from:To:

28. Change permissions on the settings.php file:
    chmod a-w /www/drupal/sites/default/settings.php
29. Add the following lines to the /www/drupal/.htaccess file:
    # Block any file that starts with “.”

     Order allow,deny


     Order allow,deny

# Allow “.” files with safe content types

     Order deny,allow

30. Run the command bellow to change permissions on the /www/drupal/.htaccess file:
    chmod 444 /www/drupal/.htaccess
31. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
    • Drupal Firewall - http://drupal.org/project/dfw
    • SpamSpan filter - http://drupal.org/project/spamspan
    • Content Security Policy - http://drupal.org/project/content_security_policy
    • GoAway - http://drupal.org/project/goaway
    • IP anonymize - http://drupal.org/project/ip_anon
    • Flood control - http://drupal.org/project/flood_control
    • Password policy - http://drupal.org/project/password_policy
    • Persistent Login - http://drupal.org/project/persistent_login
    • Secure Permissions - http://drupal.org/project/secure_permissions
    • Security Review - http://drupal.org/project/security_review
    • System Permissions - http://drupal.org/project/system_perm
    • Block anonymous links - http://drupal.org/project/blockanonymouslinks
32. From SSH session, move to the folder /www/drupal/sites/all/modules.
33. Extract the downloaded above modules:
    tar zxvf dfw-7.x-1.1.tar.gz       

    tar zxvf spamspan-7.x-1.1-beta1.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gztar zxvf secure_permissions-7.x-1.5.tar.gz

    tar zxvf security_review-7.x-1.x-dev.tar.gz

    tar zxvf system_perm-7.x-1.x-dev.tar.gz

    tar zxvf blockanonymouslinks-7.x-1.1.tar.gz

34. Remove the modules source files:
    rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gz       

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gz

    rm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz

35. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/?q=user/login
36. From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
37. From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
38. From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
39. From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
40. From the upper menu, click on Modules -> from the main page, select the following modules:
    • Drupal firewall
    • SpamSpan
    • Content Security Policy
    • Content Security Policy Reporting
    • GoAway
    • IP anonymize
    • Flood control
    • Password change tab
    • Password policy
    • Persistent Login
    • Secure Permissions
    • Security Review
    • System Perms
    • BlockAnonymousLinks
41. Click on Save configuration.

Drupal SSL configuration phase

1. Add the following line to the /www/drupal/sites/default/settings.php file:
   $conf['https'] = TRUE;
2. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
   • Secure Pages - http://drupal.org/project/securepages
   • Secure Login - http://drupal.org/project/securelogin
3. From SSH session, move to the folder /www/drupal/sites/all/modules.
4. Extract the downloaded above modules:
   tar zxvf securepages-7.x-1.x-dev.tar.gz       

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

   tar zxvf securelogin-7.x-1.2.tar.gz

5. Remove the modules source files:
   rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gz       

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

   rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

6. Open a web browser from a client machine, and enter the URL bellow:
   https://Server_FQDN/?q=user/login
7. From the upper menu, click on Modules -> from the main page, select the following modules:
   • Secure Login
   • Secure Pages
8. Click on Save configuration.
9. From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.

We’ve had means of expressing our opinions on various things for a long time.  Amazon has had reviews of the books pretty much since the beginning.  But how do we know that the reviews are real?  Virus writers took the opportunity presented by Amazon to trash my books when they were published.  (Even though they used different names, it only took a very simple form of forensic linguistics to figure out the identities.)

More recently, review spam has become more important, since many people are relying on the online reviews when buying items or booking services.  A number of “companies” have determined that it is more cost effective to have bots or other entities flood the review systems with fake positive reviews than it is to make quality products or services.  So, some nice people from Cornell university produced and tested some software to determine the fakes.

Note that, from these slides, there is not a lot of detail about exactly how they determine the fakes.  However, there is enough to indicate that sophisticated algorithms are less accurate than some fairly simple metrics.  When I teach about software forensics (aspects of which are similar to forensic lingusitics, or stylistic forensics), this seems counterintuitive and surprises a lot of students.  Generally they object that, if you know about the metircs, you should be able to avoid them.  In practice, this doesn’t seem to be the case.  Simple metrics do seem to be very effective in both forensic linguistics, and in software forensics.

ZDNet has a nice piece on why cheap GPU’s are making strong passwords useless. They are right, of course (though it’s pretty much been that way for 20 years, since the need for /etc/shadow) but they missing the obvious solution to the problem.

The solution is not to make passwords more complex. It’s making them less complex (so that users can actually remember them) and making sure brute force is impossible. We know how to do that, we just have to overcome a generation-old axiom about trivial passwords being easy to break (they are not, if you only get very few tries).

It’s not just cheap GPUs. Complex passwords are also the problem. Simple passwords are the solution.

So I haven’t written for a while, and that’s mainly because setting up your own security consultancy takes a lot more time that I would have imagined, but hey, it’s been a fun ride so far.

So while everyone else is off writing about Sony, I figured that I’d lighten the mood here with something that I think is such a great idea. The guys at Secure Racing have a challenge coming up, which sounds like it’s going to be great fun, and it’s such a novel idea as well.

So taken directly from the Secure Racing website, here is all the information about the challenge coming up on the 19th June at Brands Hatch.

“Secure Racing, the Information Security industry’s motorsport team, has laid down a challenge to anyone with a flair for code-breaking or a passion for cryptography.

At the team’s first race on 19th June at the Brands Hatch circuit in Kent, the Secure Racing Aston Martin will feature a hidden coded message somewhere within its livery and decals. The question is – can you find it and decipher it?
This is the first time a motorsport team anywhere in the world has offered a competition like this on their car. Developed by the Threats and Vulnerabilities Team at PWC, it forms the basis of a competition for anyone who wants to test their mettle and win fantastic prizes. Anyone can enter.

One week after the race, one winner and nine runners up will be drawn at random from the first 100 correct answers that we receive. Later this year, the lucky winner will get to jump in the Secure Racing Aston Martin Vantage GT4 to experience the exhilarating speed of getting around a circuit alongside a professional race driver. The winner will also get tickets to join the team at the Silverstone British GT Championship round and, along with the nine runners up, they will also receive complimentary membership to the Secure Racing members club – the details of which will be announced on race day.
Anyone who attends the Brands Hatch race on 19th June will have a chance to get up close and personal with our Aston and therefore have the best chance of spotting and cracking the code. For those that can’t make it, we will be posting pictures of the car on our website a couple of days after the race so you can take part.
Those who find and crack our code should email their answer to richard.moss@secureracing.co.uk
Ladies and gentlemen – the fun begins here. Start your engines, the Secure Racing story is about to begin.
Discounted admission tickets available exclusively for Secure Racing fans at: www.motorsportvision.co.uk/secracing“

It’s amazing to compare how the Microsoft Security Response Center handles vulnerability disclosures versus how things were just 10 or 12 short years ago.

Here’s a typical disclosure process 10 years ago (based on a very true story):

Us: (sending an email to secure@microsoft.com) we’ve discovered a vulnerability in an office product. Here are the technical details. Can you confirm the issue and let us know when it’s patched?
Microsoft: Thanks for reporting, bla bla, we’ll get back to you soon

[about a week passes]

Us: Hi MSRC, any news about our office vulnerability?
[no reply]
[Sending a personal email to an MSRC friend to speed things up]
Microsoft: Oh, thanks for reminding us. We’ll check with the office team

[another few days pass]

Us: Hello? Anybody there?
Microsoft: Oh, yes. That vulnerability thing. Here’s what we decided: (a) It’s not a vulnerability. (b) it’s not a problem with the office product but with the world (or the RFC) (c) The office team can’t recreate it (d) even if the vulnerability was real, it wouldn’t be exploited in real world scenarios
Us: are you kidding us? Did you actually look at the sample code we gave you?
[a few days pass. We are pondering if to go complete full disclosure or give them time to digest]

Microsoft: Ok, this time we actually read your advisory and yes, it seems to work. But it’s just a denial of service. Nobody will ever exploit it because of … [something that heap spraying/DEP bypass/code mutation made look ridiculous about a year later]
Us: [starting the get mad] look guys. We sent you PoC code. You actually want us to write an exploit code for you?
Microsoft: yes, that would help convince our developers

[Us, spending time writing code so that Microsoft is convinced to fix their own products based on free information while wasting our precious time]

Us: here it is
Microsoft: oh, wow, it really does run code. Ok, we’ll fix it in the next release cycle which should be right after the democratic primaries of 2012.

Us: Ok, forget it. We’re going full disclosure

Microsoft: no, wait wait wait. We found your name on the world wide web and now realize you’re legit. Ok, we’ll fix it. Happy now? We might even mention your name in our advisory if/when that happens.

If it sounds familiar, that means you were disclosing vulnerabilities to vendors in the early 2000’s or late 1990’s. If you think I’m exaggerating, it’s only because you didn’t.

But here’s the amazing thing. Just a few years later, some radical changes started to happen. The big dysfunctional dinosaur that was MSRC became an efficient, friendly and if I didn’t know it, I would think it’s a different company altogether. Here’s a real recent discussion:

Us: Hello MSRC, here’s information about an office vulnerability
Microsoft: Hi, thanks for reporting. I checked the information, went over the sample code and have some technical questions [some intelligent questions here, basically they are doubting the findings but being really careful to check all the angles first]

[technical discussion continues for a couple of days with questions and answers going back and forth]

Microsoft: Ok, we get the picture now. Thanks for reporting. Here’s the guy that is going to be responsible for your case.
[a few days pass]
Microsoft: Ok, we now know it’s a […] vulnerability and not a […] one. We’ll pass it to the relevant team, just wanted to keep you posted
[further proactive updates and niceties continue until disclosure time. Credits, the end.]

What could have possibly caused this radical change that made MSRC focus on the technical side instead of the PR, not to mention being so research-friendly? New team? New procedures? Full disclosure forced them to see the truth? Too many beers at defcon finally showed them the light? Whatever they are taking, I wish they could spread some around. Most of the other vendors could use that. Yes, I’m looking at you Google.

At the BC ISMS User Group meeting last week we were concentrating on the relationship between the ISO 27000 family of standards, and the PCI-DSS (Payment Card Industry Data Security Standards, usually just known as PCI).  PCI-DSS is of growing concern for pretty much anyone who does online retail commerce (and, come to that, anyone who does any kind of commerce that involves any use of a credit card).

It kind of crystalized some ideas that I’ve been mulling over recently.

Over the past year or so, I’ve been examining some situations for small charitable organizations, as well as some small businesses.  Many would like to sell subscriptions, raffle tickets, accept donations, or sell small, specialty items over the net.  However, I’ve had to consistently advise them that they do not want to get involved with PCI: it’s way too much work for a small company.  At the same time, most small Web hosting providers don’t want to get involved in that, either.

The unintended end result consequence of PCI is that small entities simply cannot afford to be involved with credit cards anymore.  (It’s kind of too bad that, a decade ago, MasterCard and Visa got within about a month of releasing SET [Secure Electronic Transactions] and then quit.  It probably would have been perfect for this situation.)

Somewhat ironically, PCI means a big boost in business for PayPal.  It’s fairly easy to get a PayPal account, and then PayPal can accept credit cards (and handle the PCI compliance), and then the small retailer can get paid through a PayPal account.  So far PayPal has not created anything like PCI for its users (which is, again, rather ironic given the much wilder environment in which it operates, and the enormous effort phishing spammers make in trying to access PayPal accounts.)  (The PayPal Website is long on assurances in terms of how PayPal secures information, and very short on details.)

This is not to say that credit cards are dead.  After all, most PayPal purchases will actually be made with credit cards: it’s just that PayPal will handle the actual credit card transaction.  Even radical new technologies for mobile payments tend to be nothing more that credit card chips embedded in something else.

These musings, though, did give a bit more urgency to an article on F-commerce: the fact that a lot of commercial and retail activity is starting to happen on Facebook.  Online retail transactions aren’t new.  They aren’t even new in terms of social networks or a type of currency created within an online system.  Online game systems have been dealing with the issue for some time, and blackhats have been stealing such credits and even using them to launder money for a number of years now.  However, the sheer size of Facebook (third largest “national population” in the world), and the fact that that entire population is (by selection) quite affluent means that the new Facebook credit currency may very quickly balloon to an enormous size in relation to other currencies.  (We will leave aside, for the moment, the fact that I personally consider Facebook to be tremendously divisive to the Internet as a whole.  And that Facebook does not have the best record in terms of security and privacy.)  Creation of wealth, ex nihilo, on a very, very large scale.  What are the implications of that?

When I was a teenager, back when dinosaurs ruled the earth, and Disneyland was the only Disney amusement park, I was taken to said theme park for the first time.  I was immediately struck by the total artificiality of the place, and the fact the everybody wanted it to be so.  For some reason I could not get the idea out of my mind, that if you dug a pit, entrenching sharpened stakes on the floor of it, and put ropes up to manage the line, people would line up and jump in.

I was forcibly reminded of this by a story about the coverage of the Japanese quake and tsunami, and the use of smartphones and social media to document the event and disseminate the information as never before.  We are used to “reality” television which is completely unreal, and an unusual reality strikes us as fantastic.

And I’d like to reiterate my advice to prepare for the next disaster: get trained in emergency management and response.

CanSecWest was fun, met a lot of people researchers, consultants and customers. Lot of them came to hear good quality lectures and I believe they have found them.

Quite a few came to see the buzz around Pwn2Own and I don’t think they could have missed the shouts of victory and the press eagerly interviewing them after their triumphant wins. I also had a chance to meet a few of our SSD researchers which shared some thoughts on the Pwn2Own even highligting the fact that 15K isn’t that much anymore for a IE8 vulnerability that can bunk its protected mode, or get you elevated privileges on the Chrome browser - I have to agree on that. This probably means there are a few chrome 0-days out there, but they are simply being sold for larger amounts of money.
Also got a chance to talk to a few of the mobile researchers that were quite impressed with the BlackBerry find, highlighting how ground breaking that was, as being the first publicly done and documented breach into the BlackBerry “fortress” - I am not sure if it is in fact the first one but it was impressive none-the-less.

For all those that came and talked to us in our booth about the SecuriTeam Secure Disclosure, just in case you didn’t write it down, the way to reach our program is by emailing SSD@beyondsecurity.com, we also offer our existing researchers a 1,000 USD bring-a-friend offer - if you need more details email me.

Thanks,
Noam

noamr[]beyondsecurity[@]com

The review of the Mac functions in my little book is sometimes annoying in terms of the jargon used: does “go straight to the corresponding window” mean that the window becomes active, or comes to the foreground? Does it open a window if it doesn’t exist? Does it relate to programs, or just folders? You need to work through the material with the book in one hand, and the Mac under the other. (This process is not aided by inconsistencies in the operation of the Mac itself. As I was working through this content I tried to create a new document from within the TextEdit program, and found that I did not have any options to create a file in any of the new folders I had established previously. Later in the chapter there was mention of dragging folders to the Dock, and so I tried that to see whether it would allow me to use that folder. Lo and behold, now I could create files in any of the new folders I had made, not just the one I dragged to the Dock. Handy for my purposes, but not very informative in terms of why it worked that way.)

(More inconsistency: hiding the Finder behaves differently from other applications. And hiding used with Expose can give you some very … interesting effects. So far I have not had the nerve to play with hiding, Expose, and Spaces all at the same time.)

One of the constant claims made by Mac devotees is that the Mac is better at media. Well, over the past couple of weeks we’ve had occasion to try and watch a couple of TV shows over the Internet. (Once we just forgot: once the cable went out in the middle of the show.) Since the current desktop is seven years old, I figured that the Mac should be given a chance to prove its worth and strut its stuff. We watched one show on the desktop, and one on the Mac.

Mac: total FAIL. Choked, gasped, stopped for no apparent reason (no, it wasn’t the net feed dying: it skipped a bunch of the show, and went to the next series of ads), would not respond to commands, and overall a general lack of “good viewing experience.” The old desktop was grinding away with the fan running full out most of the time, but at least it played the show all the way through.