A new DHS report released on August 2, "BREACH vulnerability in compressed HTTPS", details how an attacker can infer information about encrypted content from the length of a compressed, encrypted stream.
From the report:
While the CRIME attack is currently believed to be mitigated by disabling TLS/SSL level compression, compressed HTTP responses represent a significant unmitigated vector which is currently exploitable. By injecting plaintext into an HTTPS request, an attacker can learn information about the corresponding HTTPS response by measuring its size.
The report describes the symptoms as well as potential fixes. The basic fix: disable HTTP compression.
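To see why the report singles out HTTP compression, here is an added example (not from the DHS report) with a constructed page that reflects a search term next to a placeholder session token. The check shows that the compressed size depends on whether the reflected text overlaps the token, that the signal disappears when compression is off, and one way to keep compression while still hiding the secret (per-response masking).

```python
import zlib
import secrets

# Constructed example page: a search term is reflected into HTML that also carries a
# secret per-session token. The token value is a placeholder, not taken from any real site.
TOKEN = b"csrf=a3f9c1e7"

def render(term: bytes, token: bytes = TOKEN) -> bytes:
    return (b"<html><body><p>Results for: " + term + b"</p>"
            b"<form><input type=hidden name=" + token + b"></form></body></html>")

def gzip_size(body: bytes) -> int:
    """On-the-wire size of the body when the server applies HTTP compression (deflate)."""
    return len(zlib.compress(body, 6))

def identity_size(body: bytes) -> int:
    """On-the-wire size with HTTP compression disabled (Content-Encoding: identity)."""
    return len(body)

def length_leaks_secret(size_fn, secret: bytes, prefix_len: int = 5) -> bool:
    """Defensive check: does the transmitted size of the page depend on whether a
    reflected string shares a prefix with the secret? True means the page has the
    BREACH precondition: compression applied to a body that mixes attacker-chosen
    and secret data, so the size acts as an oracle on the secret."""
    hit = secret[:prefix_len]           # reflected text that overlaps the secret
    miss = bytes(reversed(hit))         # same length and characters, no overlap
    return size_fn(render(hit)) != size_fn(render(miss))

def mask_token(token: bytes) -> tuple[bytes, bytes]:
    """Mitigation that keeps compression on: send the secret as (pad, pad XOR secret)
    with a fresh random pad per response, so no fixed byte string of the secret
    appears in the body for a reflected guess to compress against."""
    pad = secrets.token_bytes(len(token))
    return pad, bytes(a ^ b for a, b in zip(pad, token))

def unmask_token(pad: bytes, masked: bytes) -> bytes:
    """Client side: recover the token from the masked pair."""
    return bytes(a ^ b for a, b in zip(pad, masked))

if __name__ == "__main__":
    print("leaks with compression:", length_leaks_secret(gzip_size, TOKEN))     # True
    print("leaks without compression:", length_leaks_secret(identity_size, TOKEN))  # False
```

Run the same check against your own templates: any page that compresses a body containing both user-controlled text and a secret should come back True until compression is disabled for it or the secret is masked per response.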
Another WordPress maintenance release
The WordPress team released the 3.4.2 maintenance and security update addressing some bugs and security issues.
- Old browser fixes for the admin
- Plugin compatibility fixes
- Theme preview bug fixes
- Address pagination rewrite fixes
- Header image sizing fixed
- Trackback error fixes
Download or update in your WordPress dashboard
WordPress is great, but the more people that use it, the more “criminals” out there will target its vulnerabilities.
Alex has a detailed write up covering his site being hacked, in My website was hacked – yours could be too! You won’t know until it’s too late.
From the article (read the whole thing):
Yesterday I found out that my website had been hacked. Not only that, but it had been hacked months ago, and I hadn’t even noticed. How did this happen?
I only found out about it because somebody was kind enough to email me to let me know that they saw this on Google
Even the best of us get hacked when we use any “standardized” platform (Windows, OS X, WordPress, Drupal, etc.).
What is WSO? It’s an environment hackers can upload to your server when they find a vulnerability, and use it to access everything on your site. When you’ve been hacked, this is the payload that a hacker wants delivered. It could sit dormant for months before being activated. Ever hear about those “Zombie Computers”? WSO is like a bite from a zombie: it can transform your website into anything they want at any time; all they have to do is wake it up.
Did Alex make any mistakes? Maybe … he should have been aware of the TimThumb vulnerability, as most WordPress developers were. Is it his fault? Not really.
Some points made in the article:
- Security is a nightmare
- Local data storage is limited
- Local data can be manipulated
- Offline apps are a nightmare to sync
- The cloud owes you nothing
- Forced Upgrades aren’t for everyone
- Web Workers offer no prioritization
- Format incompatibilities abound
- Implementations are browser-dependent
- Hardware idiosyncrasies bring new challenges
- Politics as usual
The point of most of the article is just about fundamental problems building web “applications” … or just web sites that do things normally reserved for desktop applications, not necessarily problems introduced by HTML5.
Web developers are responsible for writing websites that work today, but also years or even decades from now (though I would argue the average website shouldn’t be left alone for a decade).
It can be difficult to protect a website against all future attacks. There is one big one we all have to be prepared for (because it is just so easy to fix)… SQL Injection attacks.
NETTUTS posted an article, 5 Helpful Tips for Creating Secure PHP Applications.
PHP sites frequently have security issues because some design choices make sense on the surface but are not fully thought through.
When doing web development, it’s nice to program for the ideal input, but we also have to handle every other possible input.
Here’s the list of 5 tips that are explained in detail in the article:
- Use Proper Error Reporting
- Disable PHP’s “Bad Features”
- Validate Input
- Watch for Cross Site Scripting (XSS) Attacks in User Input
- Protecting against SQL Injection
You may have noticed the Entrecard advertisement on the side of this blog; it’s a site that links bloggers together.
Entrecard helps you get the word out about your blog, and hopefully find more people that you want to follow, as well as readers for your own blog.
One of the habits Entrecard creates is looking through a lot of blogs at the beginning of the day. You can see a list of blogs that are members of Entrecard and have looked at your site. It’s nice to see a list of people who are interested in your subject matter. Unfortunately, that list of blogs can reach into the hundreds on a daily basis.
I found myself queuing up about 40-50 tabs in Chrome (still using and loving it) and looking through everyone’s blogs.
This brings me to OpenDNS.
Before using OpenDNS servers, I would normally be able to load only a page or two before pages started to fail. I know I have a fast computer, that the links were valid, and that the hosts were not going down; it was merely a problem with my internet connection. Seeing as the problem was mostly binary — either pages loaded or had DNS issues — I figured the problem was DNS related.
OpenDNS has a great tutorial on how to setup OpenDNS on your network.
It was quick, easy, and drastically improved some browsing experiences (normal browsing is a bit faster, but not as noticeable as when I load dozens of pages at a time).
One bonus is that you have a dashboard that can be used to control your network’s usage. You can easily filter sites, monitor usage, and create shortcuts for any machine in your network (home points to www.google.com, mail could point to mail.google.com/a/domain.com, etc).
Below are some recent articles about OpenDNS:
- Lose your Time Warner internet connection (again)? You could try Open DNS
- 20,000 K-12 Schools Adopt Free Web Security Tool
- OpenDNS – a blogger writes about DNS security issues, and why OpenDNS helps