This morning, wamu.org : The Diane Rehm Show featured guests Robert O’Harrow, author of “No Place to Hide,” Bruce Schneier, security expert and blogger, and Joe Whitley, the former general counsel of the Department of Homeland Security.  The show outlined the current tensions between security and privacy and highlighted the threats to privacy brought about by advances in infomation technology, data minining and even medical technology.  While some of these issues may seem a bit tiresome for those who study security and privacy, the guests emphasized an important point: Threats to privacy are not well-understood by the public, which may be a reason for the general lack of concern over the overextension of the NSA’s surveillance powers.

Christopher Kunz reports on the existence of another web app worm, this time exploiting in the widely used Mambo portal/CMS system.  Like the Santy worm that attacked phpBB, Elxbot identifies vulnerable installs via Google, but goes way beyond simple site defacement.

Jeff Moore discusses this as a good example of why web apps need better installation/update systems.  He’s absolutely right.  Wordpress, one of the most popular open-source web apps, has a fairly decent installer, but is a nightmare to upgrade.  The developers don’t even release “upgrades” per se, but give users some minimal instructions on what files to overwrite and what to skip.  Even though the XML-RPC vulnerability that hit Wordpress and many other PHP-based apps a few months ago was patched immediately, it seems likely that there are large numbers of Wordpress users that are unaware of the problem and have not installed (it’s difficult to find sources for stats on this, though).

Beyond that, this underlines the need for both educating developers on secure coding practices, and developing freely available tools to help developers audit their applications.  This is particularly important for the open-source web applications that drive a large portion (a majority?) of dynamic web sites.  An Information Week article from a couple weeks ago that discusses how malicious coders are now targeting applications (including web apps) quotes Howard Schmidt:

In an e-mail, Howard Schmidt, a noted cyber-security expert and former CSO for both Microsoft and eBay, said the SANS report highlights the utility of hardening the presentation and application layers as a means to reduce cyber security events. “The first stop on the way to fix this is through secure coding and better QA of development processes, penetration testing on compiled code as well as vulnerability testing of integrated deployed applications via Web front ends,” he wrote.

Hopefully more people will start to realize this before the problem gets worse.

In this version, the CIRDB has been updated to import XML data from the National Vulnerability Database, and a few bug fixes were made (a library file was missing in the previous distribution to support RSS feeds of the status of each domain over SSL).

  I am pleased to announce the availability of the first beta of my_cassandra.php, which can be downloaded from my home page
(change the extension from phps to php after you download it).

Because you get the source code and the custody of your profiles, this version of Cassandra should not generate the privacy concerns that the online version did.  As it is under your control you can also run it at the intervals you choose.  It is made available under an open source license so you can modify it.  It runs under PHP so it should run on almost any platform by changing the path to PHP (from “#!/usr/bin/php -q” for MacOS X).
Enjoy!

P.S.: I already received a patch from Benjamin Lewis from Purdue ITSP, improving robustness while reading a profile.  Thanks Ben!

It is very risky to enable all client-side scripting technologies when browsing the web (plugins/ActiveX/ JavaScript/Flash etc…).  I installed the “NoScript” extension for Firefox, which allows JavaScript to run only on some whitelisted sites. It is a wonderful idea, except that it comes with a list of pre-enabled sites with some that you can’t delete (the arrogance of dictating unerasable sites!), and the defaults are to not block Flash and other plugins. Moreover, it’s only as secure as DNS, unless you require the “full addresses” option through which I presume you could require an https (SSL) url. Unfortunately there is no way to enable “base 2nd level domains” *and* require SSL, to say for example that I want to trust all *.purdue.edu sites that I contact through SSL and that have valid SSL certificates. It is better than nothing, but needs SSL support to be really useful.  Most people don’t understand the limitations and vulnerabilities of DNS, and the need for SSL, and will therefore have an unwarranted feeling of security while using this plugin.