The PHP Cult

Shamelessly promoting PHP, Myself, and my services

Archive for the ‘security’ Category

A study in Social Engineering


There’s a really good paper that has won the first annual Security Best Practices competition held by FIRST (www.first.org) and the CERT Coordination Center. The paper is from Taiwan, and shows a very interesting methodology of study and, more importantly, a means to educate the human. As the paper says: “Social engineering concentrates on the weakest link of the computer security chain, which is also the most essential part of the security component: human.” You owe it to yourself to read it, and try to implement something educational within your organization. Your security patches will have no effect against a good social engineer.

  • 1 Comment
  • Filed under: php, security, web

    I downloaded IE 8 to my virtual machine to check out what the fuss was about. I wanted to see the IE 7 emulation, and just the general improvements to the UI. As I was playing around, I clicked on the Windows Update option in IE 8. When I went there, I saw the following page.. which I find funny, and intriguing.

    Never ever write applications that depend on the version of a browser. This is the internet.


    Basically, if you need a job, or hate your current job, and have time to commit, and if you’re a professional, or just disciplined and care about every little thing you do.. or if you just want to work with me.. :

    Geneva Data, an Internet security company, is looking for a PHP developer to work on a unique project in San Antonio, Texas.
    We’re open to full-time, part-time, contract, consulting or project work. We just want the most innovative local PHP programmer available (with experience).

    “Experience” means you can show us proof of your work … whether you have been in the workforce for 6 months or 60 years.

    “Innovative” means that you’ve never encountered a problem that you couldn’t solve. We appreciate individuals who experiment with new technologies on personal projects. Creativity is a plus with us.

    • MySQL and/or Linux proficiency is a further plus.

    • Experience with Internet Security is a HUGE plus (you know how to use tcpdump etc).

    • Local (San Antonio) or in-state (Texas) candidates preferred.

    So, if this sounds interesting to you.. please contact me vid at phpcult dot com.

  • 0 Comments
  • Filed under: mysql, php, security

    Nik Cubrilovic has gone on a little troll and posted 4 tips on ‘Preventing PHP Leakage’. I have some more tips for him and others who think he had something valuable to say..

    Make sure you’ve read AND understood the PHP INSTALL doc before you deploy a production server.

    … If that’s too hard, I also recommend the following industry practices, which will only help secure your site against this unreliable and clunky language known as PHP. If you use any other language, you can ignore these tips.. since they aren’t PHP.

    1. Use firewalls : Firewalls can help prevent unauthorized access to your web servers. If you use PHP, more than likely your server will just give out the root password under high load.
    2. Enable SSH on a different port: All PHP hackers know that SSH runs on port 22, trick them all by using port 4222.. they’ll never be able to guess it. For more fun, write a script that will change the SSHD listen port randomly by the hour..
    3. TEST : There is one thing that you absolutely need to do with PHP code, and that is called testing. See, PHP code, unlike any other code, sometimes just doesn’t do what you want.. it does what you told it to do… unless of course you’ve tested it, and trained it. So, if you test and train the PHP (mod_knowwhatimeant), you’re guaranteed to have the code work to your liking.

    All of these solutions are well kept secrets by the upper echelon of the PHP community. Rasmus, Andrei, Sara et al, use these techniques all the time, but won’t tell you this stuff unless you pay them in large sums of picture postcards, or beer.

    If you feel all the work above is too much, use a different language, anything but PHP will suffice.

  • 16 Comments
  • Filed under: humor, php, security

    In other words.. what makes people think about privacy, and how they value it. The official abstract says: “The purpose of this paper is to detect the presence of sophisticated economic motives behind individual concerns for privacy. Recent theories of privacy demands in commercial contexts have assumed an economically aware and sophisticated consumer, capable of evaluating the indirect consequences of information transmission. We present evidence, from a large-scale experiment evoking a realistic context, that privacy concerns are indeed sensitive to the indirect consequences of information transmission.” It’s a fascinating read for all who want to understand what customers value among their personal information. From my understanding so far, it’s data use that affects people, not data collection. Full Report Here.

  • 0 Comments
  • Filed under: php, security
Secure is, as Secure does.


    BlogSecurity brings up an interesting point about blogs and security. As vulnerabilities are found, patches are issued, but how does one educate the end user about these patches? I recently found an old, old site of mine, which I had put up to test a shared hosting provider, defaced. The reason? A vulnerable version of WordPress. I was able to patch the hole and fix the problem relatively easily, but what about Joe Blogger? He’s more passionate about politics than the blogging tool he uses; more than likely, he doesn’t even log in to the administrative interface, but uses a third-party app to post to the blog. How do we let this person know that he’s vulnerable? Operating systems have some version of “software update”. Desktop applications have a way of checking for “newer versions”, which can then help you decide if you want to upgrade or not.. but web-based software normally doesn’t have anything like this.

    SugarCRM seems to be the only thing that can check for a newer version of itself, and then try to patch itself. So.. should non-technical people be forced to use a hosted/managed service? (This is a dumb question.. please don’t answer it).. or should there be a standard way of letting package users know about updates?

    Example: WordPress.

    Every time you post, when WP hits pingomatic, it should also hit Automattic and do a version check. Automattic should ping back by saying your version is:

    a: current
    b: old
    c: critically vulnerable

    Based on these responses, the user is notified via email for answer b. But for answer c, WordPress goes into read-only mode.. no new posts, no comments, until the user acknowledges the threat and does something about it.

    To make it extra annoying, we allow the user to say “OK, I’m aware of the bug, but I want to post anyway”, but right after the post, we go back to read-only mode. So, the user can continue to use the software, but we now have a web version of the shareware nag screen. I’m not sure how well this will work, or if it’s even a good idea.

    It would be impossible to implement this idea on the already insecure installs out there, so it would address the needs of the future, but not the existing vulnerable installations. I don’t think this alone will solve the problem, except maybe create a new one, until we figure out a sane way of doing this..

    So.. I guess I’ll ask you guys what you think.. I have no clue, I’m going to go back to my corner now..:)
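    The exchange and the read-only gate sketched above, written out as an added example (my sketch, not WordPress or Automattic code; the check endpoint is left abstract, and the version numbers and the “first safe release” threshold are constructed values):

```php
<?php
// Added example (not WordPress or Automattic code): the version-check exchange and the
// read-only gate sketched above. Version numbers and the threshold are constructed values.
const STATUS_CURRENT  = 'current';   // answer a
const STATUS_OLD      = 'old';       // answer b
const STATUS_CRITICAL = 'critical';  // answer c

// Server side: what the update service would answer when pinged with the installed version.
// $first_safe is the oldest release that is not critically vulnerable (constructed value).
function classify_version(string $installed, string $latest, string $first_safe): string
{
    if (version_compare($installed, $first_safe, '<')) {
        return STATUS_CRITICAL;
    }
    return version_compare($installed, $latest, '<') ? STATUS_OLD : STATUS_CURRENT;
}

// Client side: may a write (new post or comment) go through right now?
// $state is the blog's persisted check result; $acknowledged is the user's explicit
// "I'm aware of the bug, but I want to post anyway" click for this one write.
function can_write(array &$state, bool $acknowledged = false): bool
{
    switch ($state['status']) {
        case STATUS_CURRENT:
            return true;
        case STATUS_OLD:
            $state['notify_by_email'] = true;   // answer b: warn the owner, keep working
            return true;
        case STATUS_CRITICAL:
            // answer c: read-only mode. One acknowledgement lets exactly one write through;
            // the gate is closed again on the next call, like the shareware nag screen.
            if ($acknowledged) {
                $state['acknowledged_writes'] = ($state['acknowledged_writes'] ?? 0) + 1;
                return true;
            }
            return false;
        default:
            return false;   // assumption: an unrecognised answer is treated as read-only
    }
}

// Walk the three answers with constructed versions: latest is 2.6.2, first safe release 2.3.3.
foreach (['2.6.2', '2.5.1', '2.0.11'] as $installed) {
    $state = ['status' => classify_version($installed, '2.6.2', '2.3.3')];
    printf("%-7s -> %-8s write allowed: %s\n", $installed, $state['status'], can_write($state) ? 'yes' : 'no');
}
$state = ['status' => STATUS_CRITICAL];
printf("critical with acknowledgement: %s, then: %s\n",
    can_write($state, true) ? 'allowed' : 'blocked', can_write($state) ? 'allowed' : 'blocked');
```

    The last two calls show the nag-screen behaviour: the acknowledged write goes through and the very next one is blocked again.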

  • 2 Comments
  • Filed under: php, security