I was scanning my server log files the other day and found that this old “bot” is still making the rounds. It help’s to shut the door on this with some configuration. It’s specifically looking for PHP vulnerabilities and is easily identified by the expletive in it’s User-Agent HTTP request headers.
This HTTP Header is a feature added by MSIE8 to force it to restrict some XSS vectors that can be disabled by the user. Generally you can add it into your webserver configuration.
X-XSS-Protection: 1; mode=block
Best practices for web applications often call for the use of a CDN. Those of you that have worked with YSlow! are likely very accustomed to seeing warnings for this reason. I’ve found that CloudFlare is very easy to setup, and for basic services costs absolutely nothing. In addition to the obvious performance advantages of using a CDN to offload much of your network traffic, it also has the advantage of improved security.
CDN’s work by caching a copy of your static content at several locations around the world, making it closer and faster for your users.
Implementation takes only minutes as it requires that you:
- create a (free) account,
- retrieve your existing DNS values from your current provider,
- determine direct vs. CDN “cloud” routing for each subdomain,
- change your DNS records to point to the CloudFlare DNS servers
Some additional advantages I’ve seen since implementing:
- Site remains available in limited capability to users during server outages or upgrades.
- Simplified network configuration as all requests can be sent outside of the LAN for users local to the servers
- IPv6 dual-stack support
Categories: MSIE bugs, WebStandards, Work acceleration, akamai, application, browser, cache, cdn, client, cloudflare, content, delivery, fast, http, ipv4, ipv6, network, performance, security, server, speed, web, webapp
To prevent XSS/CSRF exploits in MSIE8 and newer, it’s often best to close as many attack vectors as possible. An easy one to implement is an HTTP Header to prevent MSIE from “sniffing” the content to change it when incorrect.
Example: we would not want an HTML page intentionally served with ‘text/plain’ to be rendered as HTML.
This could be added programatically to pages in your application, via a servlet or servlet filter or added to the httpd.conf file.
Apache2 example: httpd.conf
Header set X-Content-Type-Options nosniff
Categories: MSIE bugs, WebStandards, Work change, conf, content, csrf, header, http, httpd, mime, msie, nosniff, security, sniff, type, xss
Here are a few notable methods:
If you make heavy (or even typical) use of your computer, you’ll often notice that it just doesn’t seem as fast as it once was. For a slight increase in performance, disk space and to generally remove some of the ‘temporary’ files/cruft that are routinely written to disk you have a few options.
Here are a few of my current favorites for doing ‘Spring Cleaning’ on my computers… BleachBit and CCleaner
Categories: Work anti, cache, clean, cruft, delete, disk, forensic, remove, security, temp, wipe
This topic, and Firefox add-on have received a lot of press lately, as such I figured that I’d capture some comments on the topic. HTTP Session hijacking is nothing new, anyone with the ability to monitor your non-secured network traffic can do this with little effort… what’s happened here is that there are now some really simple to use tools to do the job.
In the past, someone would have to passively monitor your network traffic with a tool like WireShark, and all they’d really have to do is wait for you to access a website to watch the ‘HTTP Cookies’ (or even a URL that contains a ’session id’). With that information, they simply need to use the same value that you do to essentially take over your session and your current state. Banks are particularly at risk for this, but in most cases they use HTTPS/SSL for all secure data including logins. Social websites such as Facebook and even GMail, often default to non-secure logins to maximize their server and network performance.
Best defense here… never use non-secure login forms, especially when using a public wireless (or wired) network.
Interesting enough, there’s now a Firefox add-on that monitors for usage of Firesheep on the network, unfortunately neither of these currently work in Linux… links below!
If you’ve been online at all in the last decade, you’ve heard of the “dangers” of HTTP Cookies. More nefarious and harder to remove are Flash Cookies as they are handled by a plugin/extension/addon to the browser and exist outside of the normal security settings.
To see or delete Flash data, you’ve got to visit the following URL:
You will probably be suprised to see many of the sites listed, as Flash is often being used to present you with ads in addition to the interactive elements that you might expect.
This one is quite eye-opening. I recently suffered a hard-drive failure and was unable to boot either operating system in a multi-boot environment. The only item not backed up was a large number of photos and movies that I had accumulated and intended to burn to a CD/DVD. Using a ‘Live’ Ubuntu CD, I was able to use the Foremost program to analyze the drive media and locate all JPG and MPG files and copy them to a ’safe’ location.
What’s frightening here is that these files are not located by their filenames, but by their contents… largely the first few bytes of the file itself when stored on disk. In my experience, Foremost was easily able to parse NTFS and EXT4 partitions.
Word to the wise… this is only possible if you do not use encryption to obscure the data on the drive itself. I’d personally recommend enabling the options provided by your operating system itself if you store sensitive data. Alternately, software like TrueCrypt can be used to hide specific assets.
Here’s another great reason to use Linux over Windows. Ksplice Uptrack provides for runtime patching of the Linux kernel without rebooting of the machine. This has great advantages where you need to maintain the security of a server but have limited opportunites to reboot due to SLA’s (Service Level Agreements). Ubuntu Linux was the first supported operating system, other variants are now available too, though often for a fee.
Categories: Life, WebStandards, Work free, kernel, ksplice, linux, patch, reboot, security, ubuntu, update