Welcome to AppFail

Posted on 2009-07-27

Security Post

HostGator, one of the many "unlimited hosting for $4.95" providers out there (it claims to host 2.2 million domains), seems to have either gotten a bit scared by a supposed 0day OpenSSH flaw, or tried to capitalize on being the first to take proactive steps against it.

The rumours of a 0day flaw have spread rapidly, and as is the nature of rumours, they are proving harder to quash than they were to start. The OpenBSD/OpenSSH team has stated that they are not aware of any exploits for the ubiquitous ssh daemon, which provides secure remote shell access to almost every Unix or Linux based operating system, and possibly also to embedded devices such as routers, IP-KVMs, and other managed network devices.

The rumours started with a group called 'Anti-Sec', whose stated goal is to change the way vulnerability disclosures are handled. Under the current system, called full disclosure, when someone finds a vulnerability they report it to the affected vendors, and usually shortly after that they post publicly about how it was done, usually including a piece of example code, a proof of concept. In the view of 'Anti-Sec' this behaviour is self serving: it glorifies the security analyst, and it hampers the security of end users by allowing the less ethical side of the security sector to use the disclosure and sample code to develop exploits and malware. Anti-Sec feels that the full disclosure system has become about money, scaring people into buying the firewalls, anti-virus solutions, and other products of the security companies. The reason this system was adopted was that vendors were not always eager to fix vulnerabilities, especially before the internet was as popular as it is now and automated patching systems were possible. Full disclosure is a way to force vendors to take on the extraordinary cost of fixing vulnerabilities as quickly as possible.

The rumours started when Anti-Sec hacked the popular image hosting site ImageShack.us and posted their manifesto. Other attacks followed, including astalavista and then the systems of the security analyst who was investigating the astalavista attack.

Then someone not actually part of the anti-sec movement started posting 'console captures' of a tool called 'open0wn' or 'openPWN', which purported to be able to break into most recent versions of OpenSSH. It has since been revealed that this was in fact a hoax.

HostGator took the extraordinary step of entirely disabling SSH on all of their servers, and claimed that they themselves were developing a patch for the unknown OpenSSH vulnerability. It is quite obvious from their single sentence post two weeks later that they jumped the gun. It is rather unlikely that they were developing their own patch, as doing so would require knowledge of the vulnerability, which no one has, because as far as is known no vulnerability exists. So either HostGator overreacted to rumours instead of following established procedures, or they tried to capitalize on the hype and be the first web hosting provider to "protect" their customers from this evil vaporware exploit. A few weeks without SSH access would definitely be enough to get me to take my $5 somewhere else.

Tip: Phil Lavin

Posted on 2009-06-28

Security Post

The US-CERT (the United States Computer Emergency Readiness Team) released an update on the 26th about new phishing scams on the internet.

The marked increase in spam, phishing, and malicious code attacks related to recent celebrity deaths has sparked growing concern that many users are still overly susceptible to social engineering and other human attack vectors.

Posted on 2009-06-25

Security Post

WebCT, the popular Learning Management System used at many post-secondary institutions, fails at implementing password hashing. Its use of an outdated cryptographic hash function makes WebCT vulnerable to offline brute force attacks, and also to shoulder surfing and other password guessing techniques. WebCT contains sensitive information such as grades, as well as in-progress and submitted assignments, which if stolen could result in a charge of Academic Dishonesty (plagiarism) and possibly in lost credits or expulsion.

Posted on 2009-06-24

Security Post

The most common cause of security fails is improper implementation: people who do not fully understand the concepts involved trying to engage in complicated crypto. We'll be profiling a number of different security fails that we know about, and we would love it if you could point out any that you happen to know about or find. FreeBSD Security Officer and all-around security guru Colin Percival offers his advice on what the cryptographic right answer is.

By: Allan Jude

Posted on 2009-06-01

Security Post

Hashing is a mathematical function that takes any string and turns it into a relatively small number of a fixed size. This number is often displayed as a hexadecimal string to make it easier to display. In effect, a hash maps an infinite number of strings of arbitrary length into a finite set of values of a fixed length. Hashing is a secure way to store passwords for authentication without the possibility of disclosure.