Most enterprise websites have many cracks in their armor, including recurring holes in OpenSSL, PHP, and WordPress. These are largely the result of extensive customization combined with far less testing and patching of vulnerabilities than long-standing commercial OS software receives. CSO Magazine traverses the treacherous terrain of the massive security craters present in today’s websites. Find out what it takes to fix these holes from the start and throughout the development life cycle.
Learn Nmap and related tools. Learn some other port and vulnerability scanners. Use them. Also learn your distribution’s commands and utilities for managing ports. Shut down any open, unused ports. One company I know has only two, at most three, ports open on the external network. That makes them a very hard target indeed. The bad guys may find and attack those ports. Then again, they may just go looking for easier targets.
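The advice above boils down to a repeatable check: scan what you expose, compare it with what you meant to expose, and close the rest. The script below is an added example, not code from the original article. It parses nmap's grepable output (-oG) for a constructed scan of two hosts and reports every open port that is not on a per-host allowlist; the hosts, ports and allowlist are assumed for the illustration. Real input comes from a command such as `nmap -sS -p- -oG scan.gnmap 203.0.113.0/28` run from outside your perimeter, and `ss -tulnp` on the host itself tells you which process owns each listener you need to shut down.

```python
"""Flag listening ports that are not on an approved list (added example)."""
import re

# Constructed sample of nmap -oG output, not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG scan.gnmap 203.0.113.10 203.0.113.11
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)
Host: 203.0.113.11 (db.example.com)\tStatus: Up
Host: 203.0.113.11 (db.example.com)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///, 111/filtered/tcp//rpcbind///\tIgnored State: closed (65531)
# Nmap done at -- 2 IP addresses (2 hosts up) scanned
"""

# Assumed policy: the (proto, port) pairs each external host may expose.
# A host that is not listed is allowed nothing, so any listener is a finding.
ALLOWLIST = {
    "203.0.113.10": {("tcp", 80), ("tcp", 443)},
    "203.0.113.11": set(),  # database host: nothing should face the Internet
}

# One entry of the Ports: field: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {host: [(proto, port, service), ...]} for ports nmap reports open."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field ends at the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, _owner, service in PORT_RE.findall(ports_field):
            if state == "open":  # filtered/closed ports are not listeners
                found.setdefault(host, []).append((proto, int(port), service))
    return found


def audit(found, allowlist):
    """List (host, proto, port, service) tuples that violate the allowlist."""
    findings = []
    for host, ports in found.items():
        allowed = allowlist.get(host, set())
        for proto, port, service in ports:
            if (proto, port) not in allowed:
                findings.append((host, proto, port, service))
    return sorted(findings)


if __name__ == "__main__":
    for host, proto, port, service in audit(parse_grepable(SAMPLE_GNMAP), ALLOWLIST):
        print(f"{host}: unexpected {proto}/{port} ({service})")
```

Run against a fresh scan on a schedule and diff the findings: a port that appears between two runs is either a change someone forgot to announce or something you want to know about quickly.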
Source NAT changes the source address in the IP header of a packet. It may also change the source port in the TCP/UDP header. The typical use is to rewrite a private (RFC 1918) address/port into a public address/port for packets leaving your network.
Destination NAT changes the destination address in the IP header of a packet. It may also change the destination port in the TCP/UDP header. The typical use is to redirect incoming packets addressed to a public address/port to a private IP address/port inside your network.
Masquerading is a special form of Source NAT for the case where the address to translate to is not known when the rule is added to the kernel’s tables. If you want to allow hosts with private addresses behind your firewall to access the Internet and the external address is variable (assigned by DHCP), this is what you need. Masquerading rewrites the source IP address and port of each packet to the primary IP address assigned to the outgoing interface; because that address can change, the kernel also forgets masqueraded connections when the interface goes down. If your outgoing interface has a static address, you don’t need MASQUERADE and can use SNAT, which is a little faster because it doesn’t have to look up the external IP for every packet.
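The three descriptions above (Source NAT, Destination NAT, Masquerading) are easier to reason about when you can see the header rewriting and the reverse mapping that connection tracking performs for replies. The following is an added toy model written for this page, not code from the original or from netfilter; all addresses, ports and the interface name are assumed. It mimics what the nat table does for the equivalent iptables rules, which are real syntax:

```python
"""Toy model of SNAT, DNAT and MASQUERADE (added example, not kernel code).

Modelled rules:
  iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_private(addr):
    return any(ip_address(addr) in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    """Only the header fields NAT rewrites (TCP/UDP assumed)."""
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, snat_to=None, first_port=40000):
        # snat_to given: SNAT to that fixed address.  snat_to None: MASQUERADE,
        # i.e. use whatever address the outgoing interface has per packet.
        self.snat_to = snat_to
        self.iface_addr = snat_to
        self.next_port = first_port
        self.snat_ct = {}     # (ext_addr, ext_port) -> (inside_addr, inside_port)
        self.dnat_ct = {}     # (inside_addr, inside_port, peer, peer_port) -> (pub_addr, pub_port)
        self.dnat_rules = {}  # public dport -> (inside_addr, inside_port)

    def set_interface_addr(self, addr):
        """Simulate a new DHCP lease; MASQUERADE forgets its connections then."""
        self.iface_addr = addr
        if self.snat_to is None:
            self.snat_ct.clear()

    def add_dnat(self, public_port, inside_addr, inside_port):
        self.dnat_rules[public_port] = (inside_addr, inside_port)

    def outbound(self, pkt):
        """Packet leaving the inside network (POSTROUTING)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.dnat_ct:  # reply from a DNAT'ed server: restore public address
            pub_addr, pub_port = self.dnat_ct[key]
            return replace(pkt, src=pub_addr, sport=pub_port)
        if not is_private(pkt.src):
            return pkt
        ext_addr = self.snat_to or self.iface_addr
        # Reuse an existing flow's mapping; otherwise allocate a fresh external
        # port so two inside hosts using the same source port never collide.
        for (addr, port), inside in self.snat_ct.items():
            if addr == ext_addr and inside == (pkt.src, pkt.sport):
                return replace(pkt, src=addr, sport=port)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.snat_ct[(ext_addr, ext_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=ext_addr, sport=ext_port)

    def inbound(self, pkt):
        """Packet arriving on the external interface (PREROUTING)."""
        key = (pkt.dst, pkt.dport)
        if key in self.snat_ct:  # reply to an SNAT'ed flow: undo the translation
            inside_addr, inside_port = self.snat_ct[key]
            return replace(pkt, dst=inside_addr, dport=inside_port)
        if pkt.dport in self.dnat_rules:  # published service
            inside_addr, inside_port = self.dnat_rules[pkt.dport]
            self.dnat_ct[(inside_addr, inside_port, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return replace(pkt, dst=inside_addr, dport=inside_port)
        return None  # unsolicited inbound packet: no mapping, nothing to deliver to


def demo():
    """Run the three cases on constructed packets and return the results."""
    r = NatRouter(snat_to="203.0.113.10")  # static external address: SNAT
    out = r.outbound(Packet("192.168.1.20", 51515, "198.51.100.5", 443))
    back = r.inbound(Packet("198.51.100.5", 443, out.src, out.sport))
    r.add_dnat(80, "192.168.1.10", 8080)  # publish an inside web server: DNAT
    to_server = r.inbound(Packet("198.51.100.9", 33000, "203.0.113.10", 80))
    from_server = r.outbound(Packet("192.168.1.10", 8080, "198.51.100.9", 33000))
    dropped = r.inbound(Packet("198.51.100.9", 33001, "203.0.113.10", 22))
    m = NatRouter()  # DHCP-assigned external address: MASQUERADE
    m.set_interface_addr("203.0.113.77")
    m1 = m.outbound(Packet("192.168.1.30", 40000, "198.51.100.5", 80))
    m.set_interface_addr("203.0.113.78")  # lease changed: old mappings are gone
    m2 = m.outbound(Packet("192.168.1.30", 40000, "198.51.100.5", 80))
    return out, back, to_server, from_server, dropped, m1, m2


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Two points the model makes visible: replies are translated back by the connection-tracking entry, not by a second rule, which is why a DNAT rule needs no matching SNAT rule for the server's answers; and after the masqueraded interface changes address the inside host's flow gets a new mapping rather than continuing under the old one.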
It appears that there’s a bug in Ubuntu distributions which lets malicious users locally exploit sudo and gain access to the user’s account without knowing their password. The bug was submitted to Canonical’s Launchpad back in September 2013 by user Mark Smith.
Shortly after this article was posted, WordPress released version 4.2.1, flagging it as a critical update. Website owners are encouraged to update immediately, and automatic updates have started to roll out. More information is here. However, the release advisory from WordPress still suggests that no prior notification was received from Klikki Oy, something the research firm disputes.
To be sure, many major Web companies like Google and Yahoo have been leveraging open-source dynamics aggressively and contribute back to the community. My aim is not to single out Facebook, except that it was during the F8 conference I had the opportunity to reflect on the drivers behind Facebook’s actions and why other technology providers may be wise to learn from them.
Security specialist CloudFlare today announced a new Virtual DNS service with the goal of helping to mitigate denial-of-service (DoS) attacks and improving Domain Name System (DNS) security overall.
It’s possible to overdo security and end up damaging productivity. Many years ago, when helping to organize a security conference, I noted that a system wrapped in a waterproof safe and dropped into the deepest part of the sea was not so much “secure” as useless. What most of us want are systems that will be both reliable and available. The CIA (confidentiality, integrity, and availability) model is a good reminder that what we’re protecting is not systems but productivity.
Attackers broke in and took whatever they wanted, exfiltrating gigabytes and gigabytes of documents, emails and even entire movies, apparently at will for months and months on end.
Relying on a DMZ to protect your network and data is like putting money in a bank that depends on one guard and a single gate to secure its deposits. Imagine how tempting all those piles of money would be to those who had access — and how keen everyone else would be to obtain access. But banks do not keep cash out on tables in the lobby, they stash it in security boxes inside vaults, behind locked doors, inside a building patrolled by a guard and secured by a gate. Likewise, network segmentation offers similar security for an organization’s assets.