Web

Web related security entries. Anything that has to do with PHP/ASP/JSP, including Apache, IIS, Macromedia flash, etc.

2nd Annual Cyber Security China 2012

It seems like nowadays China is the immediate suspect when it comes to hacking attempts or cyber espionage. It’s therefore interesting to know that they are suffering from as much internal attacks as anyone else.

The ‘cyber security china 2012’ is organized with ISC2, which is typically a good indicator for interesting speakers and content (at least, that’s been my past experience in other countries). The description shows that the Chinese are worried about the same things we all are:

With support from Ministry of Public Security  of  China,  and  working  with  ISC2, ITU-IMPACT and  ISFS Hong kong, Cyber Security China 2011  is successfully organized in March 24-25 in Shanghai, China.  The  2011  event convened 130+ delegates from global and local cyber security authorities, government, law enforcement  agencies, users  and  security  vendors,  and  mainly  explored  the solutions  against  evolving cyber  threats  and  attacks,  and how to fight the  cyber crimes through public-private-partnership.

More information here.

First big break-in of the year

Richard Stiennon writes:

I have only one security related prediction for 2012 and that is that we are in for a year that will make 2011 look tame in terms of major targeted attacks.

He gives the 2011 examples of the break-in to Sony playstation network and an attack on Stratfor (a defense intelligence organization). Here’s one from yesterday: A saudi attacker published the details of credit cards (and other personal information such as I.D numbers and address) for hundreds of thousands Israelis.

Going to be a fun year!

The truth behind the Opera unpatched vulnerability

How hard is it to get facts straight? I don’t expect vendors to admit they sat on a vulnerability for months without patching: it’s human nature to blame someone else:

Opera […] claims that it couldn’t replicate the issue at the time. According to the vendor, its attempts to obtain more information from the researcher at the time weren’t successful.

Of course, when dealing with vendors, it’s always “the dog ate my homework” and “I swear we couldn’t reproduce it until it became public”
But I’m puzzled on why a technical reporter would just happily accept what’s being shoveled at him. For one, he could have contacted us and asked…

Here’s what really happened: We notified Opera about this vulnerability back in May. We gave them the Proof-of-Concept, disassembly, explanation and vulnerability analysis. So saying they did not have the full information is far from the truth. We didn’t ask for anything in return (we never do) but I admit we were skeptical based on previous experience with reporting vulnerabilities to Opera.
Then came the Million dollar question; we were asked if it worked on the latest version of Opera, and we said we don’t know. Since last time I checked, no one here worked for the Opera QA team, so we didn’t feel it was our job to check it. The response was typical:
“We only fix issues that are relevant to the latest version of Opera”

Followed by the all-too-common:”the items provided only cause crashes they have no intention to fix them”.

I guess they meant “we won’t fix them unless you drop a 0-day and we get a call from a computer magazine”.The Vendors-against-full-disclosure will continue, no doubt. Tech writers, get your spines refitted please: if you’re not a part of the solution, you’re a part of the problem.

REVIEW: “Above the Clouds”, Kevin T. McDonald

BKABVCLD.RVW   20110323

“Above the Clouds”, Kevin T. McDonald, 2010, 978-1-84928-031-0,
UK#39.95
%A   Kevin T. McDonald
%D   2010
%G   978-1-84928-031-0 1-84928-031-2
%I   IT Governance
%O   UK#39.95
%O  http://www.amazon.com/exec/obidos/ASIN/1849280312/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1849280312/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1849280312/robsladesin03-20
%O   Audience n+ Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   169 p.
%T   “Above the Clouds: Managing Risk in the World of Cloud Computing”

The preface does a complicated job of defining cloud computing.  The introduction does provides a simpler description: cloud computing is the sharing of services, at the time you need them, paying for the services you need or use.  Different terms are listed based on what services are provided, and to whom.  We could call cloud computing time-sharing, and the providers service bureaus.  (Of course, if we did that, a number of people would think they’d walked into a forty-five year time-warp.)

The text is oddly structured: indeed, it is hard to find any organization in the material at all.  Chapter one states that the cloud allows you to do rapid prototyping because you can use patched operating systems.  I would agree that properly up-to-date operating systems are a good thing, but it isn’t made clear what this has to do with either prototyping or the cloud.  There is a definite (and repeated) assertion that “bigger is better,” but this idea is presented as an article of faith, rather than demonstrated.   There is mention of the difficulty of maintaining core competencies, but no discussion of how you would determine that a large entity has such competencies.  Some of the content is contradictory: there are many statements to the effect that the cloud allows instant access to services, but at least one warning that you cannot expect cloud services to be instantly accessible.  Various commercial products and services are noted in one section, but there is almost no description or detail in regard to actual services or availability.

Chapter two does admit that there can be some problems with using cloud services.  Despite this admission some of the material is strange.  We are told that you can eliminate capacity planning by using the cloud, but are immediately warned that we need to determine service levels (which is just a different form of capacity planning).  In terms of preparation and planning, chapter three does mention a number of issues to be addressed.  Even so, it tends to underplay the full range of factors that can determine the success or failure of a cloud project.  (Much content that has been provided previously is duplicated here.)  There is a very brief section on risk  management.  The process outline is fine, but the example given is rather flawed.  (The gap analysis fails to note that the vendor does not actually answer the question asked.)  SAS70 and similar reports are heavily emphasized, although the material fails to mention that many of the reasons that small businesses will be interested in the cloud will be for functions that are beyond the scope of these standards.  Chapter four appears to be about risk assessment, but then wanders into discussion of continuity planning, project management, testing, and a bewildering variety of only marginally related topics.  There is a very terse review of security fundamentals, in chapter five, but it is so brief as to be almost useless, and does not really address issues specifically related to the cloud.  The (very limited) examination of security in chapter six seems to imply that a good cloud provider will automatically provide additional security functions.  In certain areas, such as availability and backup, this may be true.  However, in areas such as access control and identity management, this will most probably involve additional charges/costs, and it is not likely that the service provider will be able to do a better job than you can, yourself.  A final chapter suggests that you analyze your own company to find functions that can be placed into the cloud.

Despite the random nature of the book, the breadth of topics means it can be used as an introduction to the factors which should be considered when attempting to use cloud computing.  The lack of detail would place a heavy burden of research and work on those charged with planning or implementing such activities.  In addition, the heavily promotional tone of the work may lead some readers to underestimate the magnitude of the task.

copyright, Robert M. Slade   2011     BKABVCLD.RVW   20110323

Verizon data breach report

Interesting report by Verizon. Highlights:

  • External attacks are up 22% and are now responsible for 92% of losses.
  • Insider attack is down 31%. (Finally implementing internal security measures and not just focusing on the perimeter?)
  • Victims were not ‘chosen’ because they were large, important or had financial data. They were simply the easiest targets.
  • 92% of loss resulted from simple, known vulnerabilities

The conclusions sound a lot like the Gartner report:

“Every year that we study threat actions leading to data breaches, the story is the same; most victims aren’t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them.”

And here’s the same thing in different wording:

“The latest round of evidence leads us to the same conclusion as before: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old.”

And of course, I like this one because it highlights Automated Vulnerability Assessment:

“SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. It is no secret that attackers are moving up the stack and targeting the application layer. Why don’t our defenses follow suit? As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to major breaches in the past year.”

Basically, your organization already has the security solution that it needs; you’re just not using it.

About.Them

I was recently made aware of a site/service called About.Me.  It allows you to sign up, and create a very short Web page about yourself.  I created a page, noted that there wasn’t much else I could do, and figured that was it.

The next day I received a message noting that they were providing email as well.  I could sign up for my own email address (as if I didn’t have enough already) with them.  The instructions said that I could access it via POP and IMAP.

So, I gave it a try.  I activated the email address, and started to test it.  I can send mail to the address (from another account), and retrieve it, but when I tried to send mail through their SMTP server I got an error.  Having done this before, with a variety of servers, I tried some variations on the instructions.  More error messages, and no sent email.

So, I tried their help and support systems.  I ran into the same page of (incorrect) instructions again and again.  I tried to find some way to contact them.  The pages and links labelled “Feedback” have no contact information on them, and no input fields to fill in and send.  Nothing.

Eventually, I did find something that allowed me to send them a message.  I gave details of what I was doing, and sent copies of the error messages I received.

I got a message back.  It asked me for details.  I sent back the same details, including the error messages.  I got a second message.  It asked if I had seen any error messages.

I have sent them a third message with the error messages again.

I very much doubt that this is going to be one of the runaway social media success stories.

Hardening guide for Drupal 7.7

This guide can also be found at http://security-24-7.com/hardening-guide-for-drupal-7-7/
Pre-installation notes The guide bellow is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15

The guide bellow is based on the previous guides:

PHP installation phase

  1. Login to the server using Root account.
  2. Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
    rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
    rpm -ivh glibc-headers-2.5-49.i386.rpm
    rpm -ivh glibc-devel-2.5-49.i386.rpm
    rpm -ivh gmp-4.1.4-10.el5.i386.rpm
    rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
    rpm -ivh gcc-4.1.2-48.el5.i386.rpm
    rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
    rpm -ivh zlib-devel-1.2.3-3.i386.rpm
    rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
    rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
    rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
    rpm -ivh libjpeg-devel-6b-37.i386.rpm
  3. Download MySQL development RPM from: http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
  4. Download PHP 5.3.8 source files from: http://php.net/downloads.php
  5. Download the latest libxml2 for PHP from: http://xmlsoft.org/sources/
  6. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
  7. Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
  8. Move to /tmp cd /tmp
  9. Install the MySQL development RPM:
    rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
  10. Remove MySQL development RPM:
    rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
  11. Extract the php-5.3.8.tar.gz file: tar -zxvf php-5.3.8.tar.gz
  12. Extract the libxml2 source file: tar -zxvf libxml2-2.7.7.tar.gz
  13. Move the libxml2-2.7.7 folder: cd /tmp/libxml2-2.7.7
  14. Run the commands bellow to compile the libxml2: ./configuremakemake install
  15. Move to the PHP source folder: cd /tmp/php-5.3.8
  16. Run the commands bellow to compile the PHP environment:
    ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftp
    make
    make install
  17. Edit using VI, the file /usr/local/apache2/conf/httpd.conf Add the following string, to the end of the AddType section:
    AddType application/x-httpd-php .php       

    Replace the line from:
    DirectoryIndex index.html
    To:
    DirectoryIndex index.php index.html index.htm

    Replace the value of the string, from:
    LimitRequestBody 10000
    To:
    LimitRequestBody 600000

  18. Copy the PHP.ini file cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
  19. Change the permissions on the php.ini file: chmod 640 /etc/php.ini
  20. Edit using VI, the file /etc/php.ini Replace the value of the string, from:
    mysql.default_host =
    To:
    mysql.default_host = 127.0.0.1:3306       

    Replace the value of the string, from:
    pdo_mysql.default_socket=
    To:
    pdo_mysql.default_socket=127.0.0.1

    Replace the value of the string, from:
    allow_url_fopen = On
    To:
    allow_url_fopen = OffReplace the value of the string, from:
    expose_php = On
    To:
    expose_php = Off

    To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:To:Replace the value of the string, from:To:To:Replace the value of the string, from:To:Replace the value of the string, from:To:To:Replace the value of the string, from:To:Replace the value of the string, from:
    memory_limit = 128M
    To:
    memory_limit = 64MReplace the value of the string, from:
    ;open_basedir =
    To:
    open_basedir = "/www"

    Replace the value of the string, from:To:Replace the value of the string, from:
    post_max_size = 8M
    To:
    post_max_size = 2MReplace the value of the string, from:
    disable_functions =
    To:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid

    Replace the value of the string, from:To:Replace the value of the string, from:
    ;include_path = ".:/php/includes"
    To:
    include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

    Replace the value of the string, from:
    display_errors = On
    To:
    display_errors = Off

    Replace the value of the string, from:
    display_startup_errors = On
    To:
    display_startup_errors = Off

    Replace the value of the string, from:
    ;gd.jpeg_ignore_warning = 0
    To:
    gd.jpeg_ignore_warning = 1

  21. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop       

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

    /usr/local/apache2/bin/apachectl start

  22. Remove the PHP source and test files:
    rm -f /tmp/php-5.3.8.tar.gz
    rm -f /tmp/libxml2-2.7.7.tar.gz
    rm -rf /tmp/php-5.3.8
    rm -rf /tmp/libxml2-2.7.7
    rm -rf /tmp/pear
    rm -rf /usr/local/apache2/lib/php/test
    rm -rf /usr/local/lib/php/test

Drupal installation phase

  1. Login to the server using Root account.
  2. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password       

    Note: Replace the string “new-password” with the actual password for the root account.

     

  3. Run the following commands from the MySQL prompt:
    CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2'; SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
    CREATE DATABASE Z5J6Dw1;
    GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
    FLUSH PRIVILEGES;
    quit       

    Note 1: Replace “blgusr” with your own MySQL account to access the database.
    Note 2: Replace “password2” with complex password (at least 14 characters).
    Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Replace “blgusr” with your own MySQL account to access the database.Note 2: Replace “password2” with complex password (at least 14 characters).Note 3: Replace “Z5J6Dw1” with your own Drupal database name.

  4. Download Drupal 7.7 from: http://drupal.org/project/drupal
  5. Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
  6. Move to /www cd /www
  7. Extract the file bellow:
    tar -zxvf drupal-7.7.tar.gz
  8. Remove Drupal source file:
    rm -f /www/drupal-7.7.tar.gz
  9. Rename the Drupal folder:
    mv /www/drupal-7.7 /www/drupal
  10. Remove default content:
    rm -f /www/drupal/CHANGELOG.txt
    rm -f /www/drupal/COPYRIGHT.txt
    rm -f /www/drupal/INSTALL.pgsql.txt
    rm -f /www/drupal/LICENSE.txt
    rm -f /www/drupal/UPGRADE.txt
    rm -f /www/drupal/INSTALL.mysql.txt
    rm -f /www/drupal/INSTALL.sqlite.txt
    rm -f /www/drupal/INSTALL.txt
    rm -f /www/drupal/MAINTAINERS.txt
    rm -f /www/drupal/sites/example.sites.php
  11. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Replace the line from:
    DocumentRoot "/www"
    To:
    DocumentRoot "/www/drupal"
  12. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop  /usr/local/apache2/bin/apachectl start    

     

     

  13. Create the following folders:
    mkdir /www/drupal/sites/default/files  mkdir /www/private    

     

     

  14. Copy the settings.php file:
    cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
  15. Change permissions on the settings.php file:
    chmod a+w /www/drupal/sites/default/settings.php       

    chmod -R 777 /www/drupal/sites/default/fileschmod -R 777 /www/private

  16. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/install.php
  17. Select “Standard” installation and click “Save and continue”.
  18. Choose the default “English” and click “Save and continue”.
  19. Specify the following details:
    • Database type: MySQL
    • Database name: Z5J6Dw1
    • Database username: blgusr
    • Database password: password2
    • Click on Advanced Options
    • Database host: 127.0.0.1
    • Table prefix: Z5J6Dw1_

    Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).

  20. Click “Save and Continue”.
  21. Specify the following information:
    • Site name
    • Site e-mail address (for automated e-mails, such as registration information)
    • Username (for the default administrator account)
    • E-mail address
    • Password
  22. Select “Default country” and “Default time zone”.
  23. Unselect the “Update Notifications” checkboxes.
  24. Click “Save and Continue”.
  25. Close the web browser.
  26. Create using VI the file /www/config.php with the following content:
    $databases = array ( ‘default’–>  $databases = array (
    ‘default’ =>
    array (
    ‘driver’ => ‘mysql’,
    ‘database’ => ‘Z5J6Dw1’,
    ‘username’ => ‘blgusr’,
    ‘password’ => ‘password2’,
    ‘host’ => ‘127.0.0.1’,
    ‘port’ => ”,
    ‘prefix’ => ‘Z5J6Dw1_’,
    ),
    ),
    );
    ?>    

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ” tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters).Note 4: Replace “Z5J6Dw1” with your own Drupal database name.

  27. Edit using VI, the file /www/drupal/sites/default/settings.php Add the following line:
    include('/www/config.php');       

    Remove the following section:
    $databases = array ( 'default' => array ( 'default' => array ( 'driver' => 'mysql', 'database' => 'Z5J6Dw1', 'username' => 'blgusr', 'password' => 'password2', 'host' => '127.0.0.1', 'port' => '', 'prefix' => 'Z5J6Dw1_', ), ), );Replace the string from:
    ini_set('session.cookie_lifetime', 2000000);
    To:
    ini_set('session.cookie_lifetime', 0);

    To:To:To:To:To:Remove the following section:To:Replace the string from:To:

  28. Change permissions on the settings.php file:
    chmod a-w /www/drupal/sites/default/settings.php
  29. Add the following lines to the /www/drupal/.htaccess file:
    # Block any file that starts with "."

         Order allow,deny


         Order allow,deny

    # Allow "." files with safe content types

         Order deny,allow
  30. Run the command bellow to change permissions on the /www/drupal/.htaccess file:
    chmod 444 /www/drupal/.htaccess
  31. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
  32. From SSH session, move to the folder /www/drupal/sites/all/modules.
  33. Extract the downloaded above modules:
    tar zxvf dfw-7.x-1.1.tar.gz       

    tar zxvf spamspan-7.x-1.1-beta1.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gz

    tar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gztar zxvf secure_permissions-7.x-1.5.tar.gz

    tar zxvf security_review-7.x-1.x-dev.tar.gz

    tar zxvf system_perm-7.x-1.x-dev.tar.gz

    tar zxvf blockanonymouslinks-7.x-1.1.tar.gz

  34. Remove the modules source files:
    rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gz       

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gz

    rm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz

  35. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/?q=user/login
  36. From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
  37. From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
  38. From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
  39. From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
  40. From the upper menu, click on Modules -> from the main page, select the following modules:
    • Drupal firewall
    • SpamSpan
    • Content Security Policy
    • Content Security Policy Reporting
    • GoAway
    • IP anonymize
    • Flood control
    • Password change tab
    • Password policy
    • Persistent Login
    • Secure Permissions
    • Security Review
    • System Perms
    • BlockAnonymousLinks
  41. Click on Save configuration.

Drupal SSL configuration phase

  1. Add the following line to the /www/drupal/sites/default/settings.php file:
    $conf['https'] = TRUE;
  2. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
  3. From SSH session, move to the folder /www/drupal/sites/all/modules.
  4. Extract the downloaded above modules:
    tar zxvf securepages-7.x-1.x-dev.tar.gz       

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

    tar zxvf securelogin-7.x-1.2.tar.gz

  5. Remove the modules source files:
    rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gz       

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz

  6. Open a web browser from a client machine, and enter the URL bellow:
    https://Server_FQDN/?q=user/login
  7. From the upper menu, click on Modules -> from the main page, select the following modules:
    • Secure Login
    • Secure Pages
  8. Click on Save configuration.
  9. From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.

 

Fake Online Reviews

We’ve had means of expressing our opinions on various things for a long time.  Amazon has had reviews of the books pretty much since the beginning.  But how do we know that the reviews are real?  Virus writers took the opportunity presented by Amazon to trash my books when they were published.  (Even though they used different names, it only took a very simple form of forensic linguistics to figure out the identities.)

More recently, review spam has become more important, since many people are relying on the online reviews when buying items or booking services.  A number of “companies” have determined that it is more cost effective to have bots or other entities flood the review systems with fake positive reviews than it is to make quality products or services.  So, some nice people from Cornell university produced and tested some software to determine the fakes.

Note that, from these slides, there is not a lot of detail about exactly how they determine the fakes.  However, there is enough to indicate that sophisticated algorithms are less accurate than some fairly simple metrics.  When I teach about software forensics (aspects of which are similar to forensic lingusitics, or stylistic forensics), this seems counterintuitive and surprises a lot of students.  Generally they object that, if you know about the metircs, you should be able to avoid them.  In practice, this doesn’t seem to be the case.  Simple metrics do seem to be very effective in both forensic linguistics, and in software forensics.