This morning, wamu.org : The Diane Rehm Show featured guests Robert O’Harrow, author of “No Place to Hide,” Bruce Schneier, security expert and blogger, and Joe Whitley, the former general counsel of the Department of Homeland Security. The show outlined the current tensions between security and privacy and highlighted the threats to privacy brought about by advances in infomation technology, data minining and even medical technology. While some of these issues may seem a bit tiresome for those who study security and privacy, the guests emphasized an important point: Threats to privacy are not well-understood by the public, which may be a reason for the general lack of concern over the overextension of the NSA’s surveillance powers.
Christopher Kunz reports on the existence of another web app worm, this time exploiting in the widely used Mambo portal/CMS system. Like the Santy worm that attacked phpBB, Elxbot identifies vulnerable installs via Google, but goes way beyond simple site defacement.
Jeff Moore discusses this as a good example of why web apps need better installation/update systems. He’s absolutely right. Wordpress, one of the most popular open-source web apps, has a fairly decent installer, but is a nightmare to upgrade. The developers don’t even release “upgrades” per se, but give users some minimal instructions on what files to overwrite and what to skip. Even though the XML-RPC vulnerability that hit Wordpress and many other PHP-based apps a few months ago was patched immediately, it seems likely that there are large numbers of Wordpress users that are unaware of the problem and have not installed (it’s difficult to find sources for stats on this, though).
Beyond that, this underlines the need for both educating developers on secure coding practices, and developing freely available tools to help developers audit their applications. This is particularly important for the open-source web applications that drive a large portion (a majority?) of dynamic web sites. An Information Week article from a couple weeks ago that discusses how malicious coders are now targeting applications (including web apps) quotes Howard Schmidt:
In an e-mail, Howard Schmidt, a noted cyber-security expert and former CSO for both Microsoft and eBay, said the SANS report highlights the utility of hardening the presentation and application layers as a means to reduce cyber security events. “The first stop on the way to fix this is through secure coding and better QA of development processes, penetration testing on compiled code as well as vulnerability testing of integrated deployed applications via Web front ends,” he wrote.
Hopefully more people will start to realize this before the problem gets worse.
In this version, the CIRDB has been updated to import XML data from the National Vulnerability Database, and a few bug fixes were made (a library file was missing in the previous distribution to support RSS feeds of the status of each domain over SSL).
I am pleased to announce the availability of the first beta of my_cassandra.php, which can be downloaded from my home page
(change the extension from phps to php after you download it).
Because you get the source code and the custody of your profiles, this version of Cassandra should not generate the privacy concerns that the online version did. As it is under your control you can also run it at the intervals you choose. It is made available under an open source license so you can modify it. It runs under PHP so it should run on almost any platform by changing the path to PHP (from “#!/usr/bin/php -q” for MacOS X).
P.S.: I already received a patch from Benjamin Lewis from Purdue ITSP, improving robustness while reading a profile. Thanks Ben!