security Archives - AWS Managed Services by Anchor

A dev’s guide to safely escaping and encoding URLs

By | Technical | One Comment

A lot of the support work that we do here at Anchor involves looking at websites. You could say that we’ve seen a few websites in our time. Something we come across pretty frequently is inadequate protection when it comes to handling user-submitted form data and URLs. This might not seem like a big deal, but it has some pretty big security implications, mostly relating to cross-site scripting. These problems can enable malicious activity like leaking of private data. The short version is that user-supplied data can never be trusted, and you need to carefully escape and format the data to make it safe for the intended use, such as printing it on a webpage.

A very simple example

Let’s say you run a site that accepts news tips from…


How to explain Hash DoS to your parents by using cats

By | Technical | No Comments

We came across this interesting article recently. It’s about how an attacker can perform a denial-of-service attack by feeding perverse input to a system that uses weak hashing algorithms. This is referred to as a Hash DoS, and the specific target mentioned in the article is btrfs. btrfs is a next-gen filesystem that’s expected to replace ext3/4 in Linux. It’s still considered experimental but is quite usable and maturing fast. This article piqued our interest because we’re using btrfs “for reals” here at Anchor. It’s well and good to say that, but the article isn’t very exciting unless you have a background in computer science. How would you explain Hash DoS to your parents, who probably don’t have a CompSci background? This is the internet, so the answer is cats….


An interesting HTTP injection rootkit

By | Technical | No Comments

We came across this story last week. It’s particularly interesting and relevant to us as a webhosting company. The LWN writeup describes a kernel module that maliciously intercepts HTTP requests and injects iframe tags into the HTML. This sort of behaviour isn’t terribly new to us. We see code injection attacks fairly frequently, mostly against PHP-based sites, but they’re usually done through an FTP account with a weak password. This one is interesting because it doesn’t leave obvious evidence on the system. Website code is usually hackishly modified by injecting some obfuscated PHP at the beginning of the file, which often causes visible errors on the site and is very easy to detect. That’s not necessary with this attack because it hooks into the system at a low level, looking…


Why it’s a good idea to keep on top of Windows Updates

By | Technical | No Comments

Our IDS has proven itself to be extremely valuable several times so far, so we thought we’d share something interesting that it picked up.

What’s an IDS?

In case you’ve not come across the term “IDS” before, and seeing as we haven’t mentioned it previously, we’ll go over that first. An Intrusion Detection System, or IDS for short, is a system that sits on a network and compares packets to a set of rules. These rules contain signatures, which are patterns that are defined to detect malicious and potentially dangerous network activity. When our IDS detects something, it will write a line to a log file that we monitor. It does NOT capture and keep data. We won’t go into further detail about our IDS at this stage; maybe later 😉…


News from the CRIME scene

By | Technical | No Comments

The dust from ekoparty, an Argentinian security conference, has settled, and we now have details on CRIME, an attack on the encryption widely used in web browsers. When we previously talked about CRIME the details of the attack were speculation. They now appear to have been correct. To recap, if the attacker can hijack your browser as well as sniff your (encrypted) network traffic, they can perform a chosen-plaintext attack to extract small amounts of information from your session. This information, like a login cookie, can then be used to impersonate you.

Interesting details

A couple of other things have come out that weren’t initially obvious. Actually performing the exploit in the browser can be done in a number of ways, such as query strings in GET requests and image…


Discussing a new attack on SSL/TLS

By | Technical | No Comments

I thought I’d take the opportunity to focus on something different for this post: we’re going to look at a recently announced attack against SSL/TLS called “CRIME”. To bring you up to speed, SSL (Secure Sockets Layer) is the original protocol that secures your connection whenever you use a URL beginning with “https://” in your browser. Various flaws have been discovered over time, and SSL has been updated to fix them. TLS (Transport Layer Security) is the successor to SSL and is largely similar in implementation. Out of familiarity, many people still refer to TLS as SSL. While details of CRIME are yet to be released (it’ll be publicised at Ekoparty, an upcoming Security Conference), it follows on from an earlier attack called BEAST from the same researchers and there…


The “chmod 777” trap: How and why to avoid it

By | Technical | No Comments

It can be a frustrating experience trying to get your web application to work. When the world seems to be working against you, and you get “permission denied” at every turn, it can be very tempting to break out the “chmod 777” — and give everyone on your server permission to write to your files. In case you’re not familiar with chmod, it’s a tool to specify access control on your files. The “7” refers to full read, write and execution privileges. The three sevens mean that it applies to yourself, to other people in your group, and to everyone else on the server. While this approach does solve your immediate problem, it isn’t without its own drawbacks. They’re subtle drawbacks; you don’t notice them straight away, but given the…


Announcement of PHP security vulnerability (CVE-2012-1823)

By | Company News, Technical | No Comments

One of our sysadmins picked up the disclosure of this PHP vulnerability last week. It’s kind of important, so we thought we’d share it with you.

Eindbazen PHP-CGI advisory (CVE-2012-1823)

It’s interesting because a default mod_php installation isn’t vulnerable, but a fairly common deployment technique using php-cgi is (because it’s sane and not a gaping security hole the size of a hallway). Details are still up in the air. There’s a couple of official updates for PHP, but it’s been shown that they do not fix the problem. As a result, people have come up with a few mitigation techniques that will dodge this bullet until it’s properly fixed. To clarify our position, Anchor uses php-cgi and immediately took steps to mitigate the threat. We’ve written about our use of…


For the lulz (Building Secure Websites)

By | Technical | No Comments

With all of the #antisec love going around, we felt it was a good time to discuss some of the key principles in writing secure webcode. Today’s topic is unsanitised input. A great piece of philosophy for designing secure systems is that any piece of information that comes from an external source is inherently untrustworthy. This applies quite strongly to the web – every detail in a web request comes from a user somewhere, and can easily be forged and specially crafted to manipulate poorly written code. This is particularly notable in languages like PHP, where there is a low barrier to entry for writing code, but which don’t often provide good frameworks or assistance to avoid being caught out by these problems.

Validate All Input

The first rule is to validate…


Implementing proper trust relationships in backup systems

By | Technical | No Comments

As many people may have read today, a certain web hosting company which operates in Australia suffered an attack which resulted in significant amounts of data loss. Not only was their live production data lost, but all backups were also unrecoverably lost in the process. Whilst significant technical details have yet to be released as to the nature of these attacks, now is as good an opportunity as ever to explain how the trust relationships exist between the backup server and the system being backed up across our entire server infrastructure. Our backup servers are kept separate, with a minimal trust relationship between the backup server and the system being backed up:

All backups happen on an independent network which is inaccessible from the Internet.

The backup server can…
