Security Watch
Heise Security: The Hole Trick
How Skype & Co. get 'round firewalls. Plus: PHP security, phishing facts and passwords in plain sight.
Ever wondered how some applications are able to get around firewall restrictions
intended to prevent their use?
Here’s a good explanation.
This short two-pager provides a reasonably comprehensive explanation
of how UDP Hole Punching is accomplished, allowing users to bypass your
attempt to prevent them from using Skype, gaming software and other peer-to-peer
applications.
PHP Security Under Scrutiny
Stefan Esser, a longtime PHP developer on the PHP Group’s
internal security team, quit
on Dec. 9, claiming that "any attempt to improve the security
of PHP from the inside is futile."
Ha! Welcome to the world of programming a product for profit. The problem
with PHP is not so much the product itself, but what is possible and how
well-documented the potential for harm is. The same is true for programming
in ASP, AJAX or any other programming language.
Probably the most important aspect of all of this also comes from Mr.
Esser’s blog entry: "For the ordinary PHP user this means that
I will no longer hide the slow response time to security holes in my advisories.
It will also mean that some of my advisories will come without patches
available, because the PHP Security Response Team refused to fix them
for months. It will also mean that there will be a lot more advisories
about security holes in PHP."
If you’re running PHP exposed to untrusted visitors, expect to be
on a bumpy road for a while.
Cacti Command Execution and SQL Injection Vulnerabilities
Cacti is a PHP-based front-end to a Web server statistics management program.
Two PHP files supplied with Cacti, cmd.php and copy_cacti_user.php, have
multiple vulnerabilities which could allow a remote attacker to modify data
or otherwise manipulate the victim system. Patches are available.
This is a perfect example of the security issues with PHP. The files
above are not simple sample files, but files required for the normal operation
of the tool. In this case, the developers of Cacti have failed to take
the appropriate steps to ensure their customers aren’t compromised.
However, it's worth remembering that whenever non-binary files (here, PHP scripts)
make up part of the expected operational files in any system, they should be inspected
and, where necessary, modified to provide the level of security you require.
This ensures that you are not victimized by poor programming techniques
that you are in a position to correct yourself.
Our biggest concern here is that this tool may well be deployed on thousands
-- if not millions -- of hosted Linux-based Web servers where users will
be unaware the tool even exists. This certainly could create a wide-scale
problem, if it hasn’t already. Cybertrust continues to monitor for
such problems.
Publicize the Phishing Facts
The U.K. payments association APACS continues to refuse to divulge
statistical information it has on individual banking institutions and
phishing attempts. It claims that statistics on successful phishing attempts,
bank by bank, "would be unhelpful, spook potential customers, damage
e-business and create an erroneous picture of banks' security."
This type of smoke and mirrors is bound to fail eventually. Interestingly,
on the one side you have Microsoft stating that CardSpace is needed to
ensure that consumers don’t see e-commerce as a fraud-ridden world.
Yet, APACS believes we don’t yet know this or aren’t able to
digest information about the threat Microsoft is worried about.
Meanwhile, APACS thinks that if we see one bank’s customers as more
prone to being duped via phishing attacks, we’ll get an erroneous
picture of the bank's security! Well, if one bank has twice as many customers
phished, then we must look at something. Today it seems that only APACS
and the bank are looking into the issue, and we should be satisfied with
that.
Data Security Fears Growing, Could Lead to Lost Customers
According to a new study done by the Ponemon Institute on behalf of Unisys,
almost half of those polled indicated that they have stopped using personal
online banking as well as telephone or online purchasing involving their
credit card number.
Other significant observations conclude that U.K. and U.S. consumers
are nearly identical in their fear. More than three-quarters of the respondents
would be willing to switch financial institutions if they believed they
would gain better security, but only 10 percent said they would pay for
increased security. That 10 percent is down from last year, when 40 percent
said they would pay.
This shows the added need for the U.K.'s APACS -- and the equivalent
in the U.S. and other countries -- to publish information about successful
phishing attacks bank by bank so consumers can get the information they
desire to make a change. If they don’t, the survey suggests, consumers
will simply stop using online services completely; it also indicated that
consumers are looking for regulation, either by governments or by the
financial community itself, to better secure them.
Class President Charged with Changing Grades
The senior class president and student voted "most likely to become
president of the United States" allegedly used the laptop supplied
to him by the school board in his capacity as student advisor to the board.
He obtained a school computer technology specialist's password from a
notepad on the employee's desk and used it to gain the privileges needed to
access and modify grades from past years.
OK, so the password was written down -- and this is yet another reminder
to everyone that writing passwords down defeats the purpose of them. It
also reminds us that nobody, not even a "computer technology specialist,"
is impervious to the problems all users face in trying to maintain security.
A digital certificate, used in conjunction with a pass phrase, would have
thwarted the attempt from the student’s own computer, which likely
would have prevented the student from even thinking about the crime.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.