Bitland.Net Security Notes            Comments? email jwilkins-at-bitland*net
More information on the author at Jonathan Wilkins's home page
RSS feed available at http://www.bitland.net/index.rss
Archives: 2007, 2006, 2005, 2004, 2003, 2002, 2001, 2000


Fully patched IE safe only 7 days in 2004  |  (2006/12/08 18:27)

I can't find a date on the article, but the folks at scanit published a paper on browser security in 2004. They went through public security resources and tracked the lifetime of various browser vulnerabilities. They found that even if you installed all available patches as soon as they came out, if you were running IE, you would still have been vulnerable to publicly disclosed code execution bugs on all but seven days.

Given the amount of auditing that IE7 has received, I expect that it will fare much better, but this is the sort of thing that has prompted MSFT to invest as much as it has over the past few years.

Other browser manufacturers fared better, but nowhere near what they should have done.

If you were running Opera, you could have been owned via publicly disclosed bugs on 65 days.

Mozilla had the best record of the major browsers, being vulnerable 59 days of the year.

While that's a major improvement, if you were running Mozilla, you were still exposed for roughly two months of the year.

To recap, vulnerable days by browser:
  • IE (358/365)
  • Opera (65/365)
  • Mozilla (59/365)


[Web]

Cybercrime nets more than illegal drugs in 2004  |  (2006/12/08 15:15)

I just read here that in 2004 computer crime exceeded the illegal drug trade in revenues. Apparently the take was around $105 billion.

[Security]

Multiple Instances of Portable Firefox  |  (2006/12/04 20:20)

Firefox Portable is great when you want to test against prior versions of the browser, but by default it doesn't allow multiple instances. This means you can't run it alongside your current version of Firefox, or under different profiles, at the same time. To fix this, copy the file FirefoxPortable.ini from the Other subdirectory of your portable Firefox installation into the same directory as FirefoxPortable.exe and set the AllowMultipleInstances line to true.

[Web]

Only allow GET and HEAD requests under Apache  |  (2006/12/04 19:00)

Disallowing TRACE under Apache is a standard requirement for most sites these days due to Cross Site Tracing (XST). Most pages that make this recommendation suggest using mod_rewrite (./configure --enable-rewrite) and an entry in httpd.conf like the following:
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F] 

This is fine, but often the other verbs aren't needed at all. Given that, why allow them?

Here's a better ruleset, which denies anything other than GET and HEAD:
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)
    RewriteRule .* - [F]

You may need POST or other methods (and OPTIONS, which this also blocks), but it's simple to add them to the alternation. Also note that if you're using virtual hosts, you have to place this in each VirtualHost section, as mod_rewrite configuration is not inherited from the server context by default (RewriteOptions Inherit changes that).
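The following is an added example for this post (not configuration from the original, and not Apache project code) that puts the pieces together for one virtual host on Apache 2.4 with mod_rewrite loaded. The application path /app/submit that is allowed to take POST is a hypothetical placeholder; substitute your own.

```apache
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    # Apache has had a dedicated directive for TRACE since 1.3.34/2.0.55;
    # turn it off here rather than relying on a rewrite rule alone.
    TraceEnable off

    # Rewrite rules are not inherited from the server context, so enable
    # the engine in every <VirtualHost> that should enforce the allow-list
    # (or put the rules in the server context and add "RewriteOptions Inherit"
    # to each vhost).
    RewriteEngine On

    # Method allow-list: deny anything other than GET or HEAD with 403,
    # except a POST to the one path that needs it.
    # Conditions are ANDed unless flagged [OR], so this reads:
    #   method not GET/HEAD  AND  (method not POST  OR  path not /app/submit)
    # The trailing $ keeps the match exact; the [F] flag implies [L].
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$
    RewriteCond %{REQUEST_METHOD} !^POST$ [OR]
    RewriteCond %{REQUEST_URI}    !^/app/submit$
    RewriteRule .* - [F]
</VirtualHost>
```

After reloading, check each verb from the outside, e.g. `curl -i -X TRACE http://www.example.com/`, `curl -i -X OPTIONS http://www.example.com/` and `curl -i -X POST http://www.example.com/app/submit`; the first two should come back 405 and 403 respectively and only the last should reach the application. Test every vhost, since a host you forgot to configure keeps the default behaviour.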

[Web]

Tinfoil Hats *Magnify* Radiation  |  (2006/12/04 12:00)

Just linking this piece of silliness because I read it over the summer and then lost it and needed it in a conversation recently.

MIT grad students investigate the effectiveness of tin foil hats "Overall, the foil effectively weakened radio waves by up to 10 decibels over most of the frequency spectrum (there were no significant differences among helmet shapes). But at 1.2 and 2.6 GHz which fall within the band reserved for government satellites, GPS systems and mobile phone corporations passage through the foil amplified these waves by 20 to 30 decibels"

[Weird]

GET considered harmful  |  (2006/12/03 01:15)

OK, it's not quite that bad, but I'm seeing a ton of web application developers making the same mistake in their use of the GET method. Essentially, GET is only supposed to be used in cases where no data is being changed on the server. This is spelled out in the HTTP RFC (see RFC 2616 section 9 for details), and ignoring it is responsible for at least a few major bugs over the years. I even recently came across this error on Yahoo's Developer Security Best Practice page (see the Request Forgery section).

The HTTP/1.1 RFC says that GET and HEAD in particular are supposed to be safe and idempotent. Safe means they should not perform any action other than retrieval; idempotent means that N identical requests have the same effect on the server as a single one. A link that deletes a record on GET violates both, and anything that follows links without a human in the loop (a crawler, a prefetcher, a link checker) will trigger it.

The most famous error of this type was when Google released the Google Web Accelerator (GWA). This broke a ton of applications and particularly those that were based on Ruby on Rails since applications built with Rails were especially prone to use GETs to perform actions.

In order to speed up the user's experience GWA would pre-fetch all of the links on a page. This was great for images and so forth, but Rails applications were doing things like deleting records and cancelling accounts through GETs.

The authors of some web applications made things worse by relying on JavaScript confirmations. Of course, GWA (correctly) wasn't doing JavaScript.
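To make the failure mode concrete, here is an added example written for this page (not code from the post, from GWA or from Rails) that models a prefetching proxy against two toy request handlers: one that deletes on any method and one that requires a POST carrying an anti-CSRF token. The routes, the two-row record table and the token scheme are assumptions for illustration.

```python
import re
import secrets

# Constructed sample data for this example: a two-row "record table".
INITIAL_RECORDS = {1: "alpha", 2: "beta"}

DELETE_ROUTE = re.compile(r"/records/delete/(\d+)")


class App:
    """Toy web application: a record table plus one per-session anti-CSRF token."""

    def __init__(self):
        self.records = dict(INITIAL_RECORDS)
        self.csrf_token = secrets.token_hex(16)

    def index_html(self):
        """Listing page. Each delete action is a plain link guarded only by a
        JavaScript confirm(), the pattern the post describes."""
        links = "".join(
            '<a href="/records/delete/%d" onclick="return confirm(\'Delete %s?\')">'
            "delete %s</a>\n" % (rid, name, name)
            for rid, name in self.records.items()
        )
        return "<html><body>\n%s</body></html>" % links


def vulnerable_handle(app, method, path, form=None):
    """Bad: the delete fires on any method, so a GET changes server state."""
    m = DELETE_ROUTE.fullmatch(path)
    if m:
        app.records.pop(int(m.group(1)), None)
        return 302  # redirect back to the listing
    return 200


def safe_handle(app, method, path, form=None):
    """Better: the state change is only reachable by POST, and only with the
    session's anti-CSRF token (compared in constant time)."""
    m = DELETE_ROUTE.fullmatch(path)
    if m:
        if method != "POST":
            return 405  # GET and HEAD stay safe and idempotent (RFC 2616 section 9.1)
        token = (form or {}).get("token", "")
        if not secrets.compare_digest(token, app.csrf_token):
            return 403
        app.records.pop(int(m.group(1)), None)
        return 302
    return 200


def prefetch_all_links(app, handler):
    """Model of a prefetching proxy: load the page, then GET every href in it.
    No JavaScript runs, so the confirm() guard never executes."""
    hrefs = re.findall(r'href="([^"]+)"', app.index_html())
    return [handler(app, "GET", href) for href in hrefs]


def records_after_prefetch(handler):
    """Record IDs that survive one prefetch pass against the given handler."""
    app = App()
    prefetch_all_links(app, handler)
    return sorted(app.records)


def records_after_real_delete():
    """The intended path: a form POST carrying the session's token."""
    app = App()
    status = safe_handle(app, "POST", "/records/delete/1", {"token": app.csrf_token})
    return status, sorted(app.records)


if __name__ == "__main__":
    print("vulnerable app after prefetch:", records_after_prefetch(vulnerable_handle))
    print("safe app after prefetch:      ", records_after_prefetch(safe_handle))
    print("safe app, genuine POST:       ", records_after_real_delete())
```

The prefetcher empties the vulnerable app's table without anyone clicking anything, while the same pass against the hardened handler gets a 405 for every link and changes nothing. The token check is there because moving the action to POST alone still leaves it open to a forged cross-site form submission; requiring the method and the token together is what closes the request forgery the post alludes to.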

[Web]

FireBug - JavaScript Debugger Extension  |  (2006/11/21 12:14)

FireBug is a new Firefox extension that provides JavaScript debugging and a much improved DOM inspector.

The author (Joe Hewitt) has more detail on the FireBug home page

There is also a video on FireBug from a talk he gave at Yahoo.

The console is also really handy for watching AJAX transactions, and you can type JavaScript directly at it, just like Python in interactive mode.

Update:
SecurityFocus just released an article on FireBug

[Misc]

Page load time digression  |  (2006/11/20 18:38)

This has almost nothing to do with security, though I suppose you could say it helps with DoS resistance, but it is interesting nonetheless.

A couple of weeks ago, Slashdot featured a rather self-serving article from Akamai that said that web surfers would only tolerate a 4 second load time for web pages.

Ignoring the fact that Akamai makes huge amounts of money on web site caching, the question of optimizing page load occupied me for a couple of hours since I thought I'd speed up page load time for my photography web site.

One good resource was Aaron Hopkins's page on speeding up page load time.

I also found a few good Firefox plugins, like LORI, which shows page load time in your Firefox status bar. It also turns out that the Tamper Data extension, which you may already use, has a really neat feature that graphs page loads. This feature isn't obvious, but Simon Willison has a page that describes it.

Also helpful was the WebSiteOptimization.com Web Page Analyzer


[Misc]

Running Multiple Instances of Firefox  |  (2006/09/17 20:30)

I find it really useful to be able to run multiple instances of Firefox in order to do web testing, as well as to support running things like Tor in a separate profile.
Firefox doesn't support this out of the box, but there's a quick tweak you can use to enable it.
You need to do the following:
  • Set the environment variable MOZ_NO_REMOTE=1 (My Computer->Properties->Advanced->Environment Variables)
  • Create new profiles with "firefox -profilemanager"
  • Run "firefox -P profilename"

I also use a different theme for each profile so I have a visual hint which profile I'm running.

[Tools]

Leaving Microsoft  |  (2006/01/14 10:57)

January 9th was my last day at Microsoft. I joined MSFT in March of 2002, which means that I was there for almost four years, which is also the longest I've ever stayed at one job. I'm sure that a lot of people who know me are probably surprised that they put up with me that long. From day one, the vast majority of my machines were running OpenBSD. I will say one thing. From the moment I got there (a little after the billg security email), people were willing to work on security and get issues resolved.

I'm joining a small security consulting company (Information Security Partners) effective the 23rd of the month.

[Misc]