Heise Security: The Hole Trick
How Skype & Co. get 'round firewalls. Plus: PHP security, phishing facts and passwords in plain sight.
Ever wondered how some applications are able to get around firewall restrictions
intended to prevent their use? Here’s
a good explanation
This short two-pager provides a reasonably comprehensive explanation
of how UDP Hole Punching is accomplished, allowing users to bypass your
attempt to prevent them from using Skype, gaming software and other peer-to-peer
PHP Security Under Scrutiny
Stefan Esser, a longtime PHP developer on the PHP Group’s
internal security team, quit
on Dec. 9, claiming that "any attempt to improve the security
of PHP from the inside is futile."
Ha! Welcome to the world of programming a product for profit. The problem
with PHP is not so much the product itself, but what is possible and how
well-documented the potential for harm is. The same is true for programming
in ASP, AJAX or any other programming language.
Probably the most important aspect of all of this also comes from Mr.
Esser’s blog entry: "For the ordinary PHP user this means that
I will no longer hide the slow response time to security holes in my advisories.
It will also mean that some of my advisories will come without patches
available, because the PHP Security Response Team refused to fix them
for months. It will also mean that there will be a lot more advisories
about security holes in PHP."
If you’re running PHP exposed to untrusted visitors, expect to be
on a bumpy road for a while.
Cacti Command Execution and SQL Injection Vulnerabilities
Cacti is a PHP-based front-end to a Web server statistics management program.
Two PHP files supplied with Cacti, cmd.php and copy_cacti_user.php have
multiple vulnerabilities which could permit a remote criminal to exploit
the victim systems to modify data or manipulate the victim system. Patches
This is a perfect example of the security issues with PHP. The files
above are not simple sample files, but files required for the normal operation
of the tool. In this case, the developers of Cacti have failed to take
the appropriate steps to ensure their customers aren’t compromised.
However, it's worth remembering that whenever non-binary files make up
part of the expected operational files in any system, they should be inspected
and, where necessary, modified to provide the level of security you require.
This ensures that you are not victimized by poor programming techniques
which you can alter.
Our biggest concern here is that this tool may well be deployed on thousands
-- if not millions -- of hosted Linux-based Web servers where users will
be unaware the tool even exists. This certainly could create a wide-scale
problem, if it hasn’t already. Cybertrust continues to monitor for
Publicize the Phishing Facts
The U.K. payments association APACS continues to refuse to divulge
statistical information it has on individual banking institutions and
phishing attempts. It claims that statistics on successful phishing attempts,
bank by bank, "would be unhelpful, spook potential customers, damage
e-business and create an erroneous picture of banks' security."
This type of smoke and mirrors is bound to fail eventually. Interestingly,
on the one side you have Microsoft stating that CardSpace is needed to
ensure that consumers don’t see e-commerce as a fraud-ridden world.
Yet, APACS believes we don’t yet know this or aren’t able to
digest information about the threat Microsoft is worried about.
Meanwhile, APACS thinks that if we see one bank’s customers as more
prone to being duped via phishing attacks, we’ll get an erroneous
picture of the bank's security! Well, if one bank has twice as many customers
phished, then we must look at something. Today it seems that only APACS
and the bank are looking into the issue, and we should be satisfied with
Data Security Fears Growing, Could Lead to Lost
According to a new study done by the Ponemon Institute on behalf of Unisys,
almost half of those polled indicated that they have stopped using personal
online banking as well as telephone or online purchasing involving their
credit card number.
Other significant observations conclude that U.K. and U.S. consumers
are nearly identical in their fear. More than three-quarters of the respondents
would be willing to switch financial institutions if they believed they
would gain better security, but only 10 percent said they would pay for
increased security. That 10 percent is down from last year, when 40 percent
said they would pay.
This shows the added need for the U.K.'s APACS -- and the equivalent
in the U.S. and other countries -- to publish information about successful
phishing attacks bank by bank so consumers can get the information they
desire to make a change. If they don’t, the survey suggests that
consumers will simply stop using online services completely, as the survey
indicated that consumers are looking for regulation, either by governments
or the financial community itself, to better secure them.
Class President Charged with Changing Grades
The senior class president and student voted "most likely to become
president of the United States" allegedly used the laptop supplied
to him by the school board in his capacity of student advisor to the board.
He obtained a school computer technology specialist's password from a
notepad on the employee's desk to elevate privileges required to get into
and modify grades from past years.
OK, so the password was written down -- and this is yet another reminder
to everyone that writing passwords down defeats the purpose of them. It
also reminds us that nobody, not even "computer technology specialists,"
are impervious to the problems all users face trying to maintain security.
A digital certificate, used in conjunction with a pass phrase, would have
thwarted the attempt from the student’s own computer, which likely
would have prevented the student from even thinking about the crime.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.