Web Hosting

Why are there still so many website vulnerabilities?

The cracks in the armor of most enterprise websites are many, including recurring holes in OpenSSL, PHP, and WordPress. They are largely due to a combination of extensive customization and a shortage of vulnerability testing and fixing, compared with what long-standing commercial OS software receives. CSO Magazine traverses the treacherous terrain of the massive security craters present in today’s websites. Find out what it takes to fix these holes from the start and throughout the development life cycle.

Read this full article at CSO Online

Five Security Tips for New Linux Admins

Learn Nmap and related tools. Learn some other port and vulnerability scanners. Use them. Also learn your distribution’s commands and utilities for managing ports. Shut down any open, unused ports. One company I know has only two, at most three, ports open on the external network. That makes them a very hard target indeed. The bad guys may find and attack those ports. Then again, they may just go looking for easier targets.

Complete Story
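One way to act on the tip above, as an added shell example that is not part of the article: list the sockets a host is actually listening on, skip loopback-only listeners, and flag anything not on an allowlist of ports you meant to expose. The allowlist and the sample `ss` output embedded below are constructed for illustration; on a live host the script reads `ss -Hlntu` instead.

```shell
#!/bin/sh
# Added example: audit listening sockets against an allowlist of intended
# ports. The ALLOWED_PORTS default and SAMPLE_SS are constructed values.

ALLOWED_PORTS=${ALLOWED_PORTS:-"22 443"}

# Constructed sample of `ss -Hlntu` output (header suppressed), so the check
# can be exercised offline. Columns: Netid State Recv-Q Send-Q Local Peer.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080         [::]:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*'

# Print "proto port" for every socket bound to a non-loopback address.
# Loopback-only listeners are skipped: they are not reachable from the network.
listening_ports() {
    printf '%s\n' "$1" | awk '
        NF < 5 { next }
        {
            n = split($5, a, ":"); port = a[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print $1, port
        }'
}

# Print "proto/port" for each network-reachable listener not on the allowlist.
unexpected_ports() {
    listening_ports "$1" | while read -r proto port; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) printf '%s/%s\n' "$proto" "$port" ;;
        esac
    done
}

# Usage: sh audit-ports.sh          (constructed sample)
#        sh audit-ports.sh --live   (real host; ss needs no root for this view)
if [ "$1" = "--live" ] && command -v ss >/dev/null 2>&1; then
    unexpected_ports "$(ss -Hlntu)"
else
    unexpected_ports "$SAMPLE_SS"
fi
```

Against the sample this reports `tcp/8080` and `udp/111`; the MySQL listener on 127.0.0.1 is deliberately ignored. Each flagged port is then either closed (stop or reconfigure the service) or added to the allowlist on purpose, which keeps the external surface to the handful of ports the tip describes.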

What is the difference between a Source NAT, Destination NAT and Masquerading?

Source NAT changes the source address in the IP header of a packet. It may also change the source port in the TCP/UDP header. The typical usage is to rewrite a private (RFC 1918) address/port into a public address/port for packets leaving your network.

Destination NAT changes the destination address in the IP header of a packet. It may also change the destination port in the TCP/UDP header. The typical usage is to redirect incoming packets addressed to a public address/port to a private IP address/port inside your network.

Masquerading is a special form of Source NAT where the source address is unknown at the time the rule is added to the tables in the kernel. If you want to allow hosts with private addresses behind your firewall to access the Internet and the external address is variable (DHCP), this is what you need to use. Masquerading rewrites the source IP address and port of the packet to the primary IP address currently assigned to the outgoing interface, and it also forgets tracked connections when that interface goes down, which is what you want when the address may change. If your outgoing interface has a static address, then you don’t need to use MASQ and can use SNAT, which will be a little faster since it doesn’t need to look up the external IP every time.
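The three flavours side by side in iptables terms, as an added shell example that is not from the article. The interface name, subnet, addresses and ports are assumptions for illustration; with DRY_RUN left at its default the rules are printed rather than applied, so the script can be read and tested without root.

```shell
#!/bin/sh
# Added example: emit (DRY_RUN=1, the default) or apply (DRY_RUN=0, needs
# root) the iptables rules for SNAT, MASQUERADE and DNAT. WAN_IF, LAN_NET
# and the addresses passed below are assumed values, not from the article.

WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Source NAT for outbound traffic. With a static WAN address use SNAT and an
# explicit --to-source; with a DHCP-assigned address fall back to MASQUERADE,
# which looks up the interface's primary address for every packet.
snat_rule() {
    wan_ip=$1
    if [ -n "$wan_ip" ]; then
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$wan_ip"
    else
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# Destination NAT (port forward): packets arriving on the WAN interface for
# public TCP port $1 are rewritten to reach the internal host:port in $2.
dnat_rule() {
    pub_port=$1
    target=$2
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$pub_port" -j DNAT --to-destination "$target"
    # The nat table only rewrites headers; the forwarded packet must still be
    # accepted by the filter table's FORWARD chain (and net.ipv4.ip_forward=1).
    run iptables -A FORWARD -i "$WAN_IF" -p tcp -d "${target%:*}" --dport "${target#*:}" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Usage: sh nat-rules.sh            (print)   DRY_RUN=0 sh nat-rules.sh (apply)
snat_rule "203.0.113.5"           # static WAN address  -> SNAT
snat_rule ""                      # DHCP WAN address    -> MASQUERADE
dnat_rule 443 192.168.1.10:8443   # public :443 -> internal web server :8443
```

Only one of the two POSTROUTING rules belongs on a real firewall; both are printed here to show the choice. Note that a DNAT rule without the matching FORWARD accept is the most common reason a port forward "does nothing": the translation happens, then the filter table drops the packet.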

An Old Ubuntu Bug Lets Malicious Users Gain Sudo Access

It appears that there’s a bug in Ubuntu distributions which lets malicious users locally exploit sudo and gain access to the user’s account without knowing their password. The bug was submitted to Canonical’s Launchpad back in September 2013 by user Mark Smith.

Complete Story

WordPress promises patch for zero-day “within hours”

Shortly after this article was posted, WordPress released version 4.2.1, flagging it as a critical update. Website owners are encouraged to update immediately, and automatic updates have started to roll out. More information is here. However, the release advisory from WordPress still suggests that no prior notification was received from Klikki Oy, something the research firm disputes.

Read this full article at CSO Online

Analyst Watch: Ten reasons why open-source software will eat the world

To be sure, many major Web companies like Google and Yahoo have been leveraging open-source dynamics aggressively and contribute back to the community. My aim is not to single out Facebook, except that it was during the F8 conference I had the opportunity to reflect on the drivers behind Facebook’s actions and why other technology providers may be wise to learn from them.

Complete Story

CloudFlare Introduces Virtual DNS Security Service

Security specialist CloudFlare today announced a new Virtual DNS service with the goal of helping to mitigate denial-of-service (DoS) attacks and improving Domain Name System (DNS) security overall.

Complete Story

Unix best practices: Remember, what you’re protecting is not systems but productivity

It’s possible to overdo security and end up damaging productivity. Many years ago, when helping to organize a security conference, I noted that a system wrapped in a waterproof safe and dropped into the deepest part of the sea was not so much “secure” as useless. What most of us want are systems that will be both reliable and available. The CIA (confidentiality, integrity, and availability) model is a good reminder that what we’re protecting is not systems but productivity.

Complete Story

Worst security breaches of the year 2014: Sony tops the list

As 2014 winds down, the breach of Sony Pictures Entertainment is clearly the biggest data breach of the year and among the most devastating to any corporation ever.

Attackers broke in and took whatever they wanted, exfiltrating gigabytes and gigabytes of documents, emails and even entire movies, apparently at will for months and months on end.

Complete story

Segmenting for security: Five steps to protect your network

Relying on a DMZ to protect your network and data is like putting money in a bank that depends on one guard and a single gate to secure its deposits. Imagine how tempting all those piles of money would be to those who had access, and how keen everyone else would be to obtain access. But banks do not keep cash out on tables in the lobby; they stash it in security boxes inside vaults, behind locked doors, inside a building patrolled by a guard and secured by a gate. Network segmentation offers the same layered protection for an organization’s assets.

Read this full article at Network World