Researchers find that 21 financial sites store sensitive information in your cache

• Browsers used to never cache any content that was served over HTTPS
• The internet has changed significantly since then and many more sites use HTTPS for entire browsing sessions, including Google and Facebook
• Secure sites are supposed to send special headers instructing the browser which files not to cache, but it seems somes sites do not bother, and some send a non-standard header that only works with Internet Explorer
• Researchers from Independent Security Evaluators in Baltimore conducted a survey of a number of popular financial sites and found rather disappointing results
• “Non-technical users likely believe that if, after visiting a site and viewing personal data, they logout and close their browsers, that their data will be safe. Our findings prove this assumption incorrect in 70% of the cases tested.”
• ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate were among the websites that saved items such as prescription information, utility bills, check images and credit reports.
• All told 21 of 30 sites checked improperly stored sensitive data in the users’ local cache
• ISE identified 4 different ways to instruct Internet Explorer to not cache sensitive information, only one of which is actually an HTTP Standard
• The correct way to tell a browser to not store sensitive data is to send the header: “Cache-Control: no-store”
• Part of the problem may be that most Online Banking systems were designed in the early 2000s, when Internet Explorer had over 90% market share
• Researchers Report

Amazon vows to help you fight government requests for data stored on their cloud

• An Amazon executive said “If a U.S. entity is serving us with a legally binding subpoena, we contact our customer and work with that customer to fight the subpoena. We will do that proactively and help the customer in any way to comply with the subpoena or fight it.”
• Amazon also recommends that you encrypt all data stored in the cloud
• However, many such orders from US Agencies include a gag order, preventing Amazon from informing the customer that their data is being sought. If Amazon faced a subpoena that required it to keep the order secret, such encryption would be useful to customers. “If the data is encrypted, all we’d be handing over would be the ciphertext,”
• One of Amazon’s main rivals, RackSpace said: “Rackspace reviews any orders to determine that they are lawful and have been issued in accordance with the 4th amendment. We are prohibited from accessing and disclosing customer data stored on their servers or storage devices in our data centers without a properly issued, lawful request from a court with jurisdiction over both Rackspace and the data sought. In the event Rackspace receives a court order for customer data that does not adhere to the 4th amendment, Rackspace will oppose the order.”
• Amazon is also building a $600 million private cloud for the CIA, a contract protested by IBM

WordPress plugins still a security nightmare

• Security researchers at Checkmarx find that 12 of the top 50 wordpress plugins are susceptible to common attacks
• The researchers also found that 7 of the top 10 e-commerce plugins contained flaws
• Many popular plugins are susceptible to SQL injection, Cross-Site Script Injection (XSS), Cross-Site Request Forgery (CSRF), Remote/ Local File Inclusion (RFI/ LFI) and Path Traversal
• “First of all, Web admins think that if they are downloading these plug-ins from a reputable source, then there is an assumption that they are receiving a secure plug-in,”
• Checkmarx started their research in January, at which time 18 of the top 50 wordpress plugins were vulnerable. During a subsequent scan in June, every plugin tested had been updated but only 6 fixed all of the vulnerabilities
• The researchers recommend that you only download plugins from official sources, and that the official sources conduct more intense security scans on plugins before they are listed in the marketplace
• Research Paper

Feedback:

• Question on serial access on routers

• Windows LAN Mail Server?

• Raspberry Pi Router

• NSA Concernes from Germany

• TOR Proxy via a Jail or VM?

• VPS Breach

• Whats to become a excellent PenTester

• PCBSD moving forward with Rolling Release of 9-STABLE

TechSNAP Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ

Round-Up:

• GCHQ intercepted foreign politicians’ communications at G20 summits
• LinkedIn Outage Due To Possible DNS Hijacking [Update: Fidelity.com Also Affected]
• Network Solutions takes credit for downing Linkedin and others
• Terrorists Live tweet during attack
• Playstation 4 Reportedly Running a Modified FreeBSD 9.0
• Project Loon – Google
• Former President of TigerDirect indicted for money laundering
• 9 reasons your syadmin hates you
• Stanford launches the Cookie Clearing House with Mozilla and Opera
• Bruce Schneier – Evidence that the NSA Is Storing Voice Content
• Richard Betjtlich (the Mandian APT report) on What businesses need to know
• MySQL Man page relicense was a bug, has been fixed

The post What’s in Your Cache | TechSNAP 115 first appeared on Jupiter Broadcasting.

Shop Amazon – Year End Deals

W3 Total Cache (a popular wordpress plugin) may expose sensitive data

• W3 Total Cache is a very popular and powerful caching plugin
• The recently discovered problems are technically a configuration error, not a vulnerability, but because it is the default configuration, most sites are vulnerable
• It can provide significant speed gains over stock wordpress
• Page Cache – By creating flat .html versions of the page after it is dynamically generated, subsequent anonymous visitors can be shown the cached version of the page, significantly reducing server load and response times
• Database Cache – By caching the results of database queries, if the same read query needs to be is executed again, the cached result can be used, significantly reducing the number of database queries required to render a page
• Object Cache – A higher level cache than the database cache, Objects may be constructed from the results of many queries and plugins, caching the complete object may result in significant page load time improvements
• Minify Cache – By removing comments and whitespace from .css and .js files and gzipping them, less bandwidth is required to download the file
• JS and CSS Combining – By combining many files into only 1 or 2 files, the total number of requests to the server is reduced, which can markedly improve performance
• CDN Offloading – W3TC can automatically change the URLs of content such as .css and .js files in addition to media such as images and thumbnails. My loading these content from a CDN instead of the main site, users get faster responses and the site gets reduced load. W3TC can also use multiple subdomains for the loading, allowing it to take advantage of browser’s parallel downloading features
• All of these caches offer a number of numbers, allowing you to choose between caching to disk, advanced caching to disk, Opcode caches such as APC or dedicated caches such as memcache
• All of these features make W3TC very popular and well respected
• However, W3TC defaults to disk based caching because it does not require any additional configuration or server side features (such as APC or the IP address of a memcache server)
• The problem stems from the fact that W3TC keeps its database and object caches in a web accessible directory (alongside the page and minification caches, which need to be web accessible)
• This means that if your web server is configured to allow directory listing, any visitor can browse to /wp-content/w3tc/dbcache and see a list of all of the items in your database cache, and by downloading and analyzing these files, they may be able to recover sensitive information, such as the hashed passwords of users or administrators
• If an attacker were to get the password hash for an administrative account, if they brute forced that hash, they could then take over that wordpress installation
• Disabling directory indexing does not entirely solve the problem, as the filenames of the cache objects are the md5 hash of the string: w3tc${host}${site_id}_sql_${query}
• You should configure your web server to deny access to the /wp-content/w3tc/dbcache , /wp-content/w3tc/objectcache and /wp-content/w3tc/log directories (using .htaccess will work for apache)
• If you use an Opcode cache, or Memcache, you site is not affected by this configuration error
• Make sure your memcache instances are secured, as if they are publicly addressable, any information cached in them may be accessible
• The creators of W3TC are working on an update to address the issue
• Allan’s slides on improving your Blog with ScaleEngine

Inventor of SSH warns that improper key management makes SSH less secure than it should be

• This news story has created a significant amount of FUD due to the general media’s lack of understanding of what SSH is and what it does
• SSH is not vulnerable or compromised
• The story started with an interview of Tatu Ylonen, the inventor of SSH
• “In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out."
• The problem is actually caused by users, and bad management practises
• Users often generate many SSH keys, and store them unencrypted in predictable locations (~/.ssh/id_rsa) where they may be stolen if someone compromises their account or the server they are stored on
• Many logins, especially those that are shared, will contain large authorized_keys files, allowing many keys to access that account, often these lists are not pruned because keys are hard to identify
• While auditing a large financial institution, auditors found more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level
• federal rules for classified computer networks cover the “issuance and assignment and storage of keys” but do not dictate what should be done with used keys. Auditing guidelines require that administrators be able to enumerate exactly who has access to specific systems, but often times SSH access is not properly accounted for, as each line in the authorized_keys file is not easily linked to a specific person, and the control of those keys is not guaranteed
• A stolen SSH key is what lead to the compromise of the FreeBSD Packaging Building Cluster last month
• It is recommended that companies refresh keys on a regular basis and remove old keys to prevent them being used to access sensitive servers, although most companies do not have such a policy
• Tools such as puppet can help with the management of authorized_keys files across a large number of servers, but it is up to the user to ensure the security of their private key
• One solution to this problem may be a new feature of OpenSSH that allows it to be configured to check the results of a command, before optionally checking the authorized_keys file
• This feature can be used to check for keys in directory services such as LDAP or Active Directory, simplifying the administration of multiple servers and SSO by storing cannonical keys in a central location

Feedback:

• Raspberry Pi Used To Replace A 30-Foot GSM Base Station And Create A Working Mobile Network

• Compare bare-metal HVs?

• Open Source Virtual Desktop Broker?

• Management Tools – KVM

• VPS Suggestions?

• [Hall of Shame] Claro (Latam ISP) is installing routers with passphrase based on their BSSID and is also shown on WLAN name.

Round-Up:

• Steam suffers ‘no connection’ outage on Christmas morning
• Netflix is down: AWS outage takes down service on some devices — Online Video News
• Aaron Toponce : Linux. GNU. Freedom.
• Plain Text Offenders
• Daily Dot | YouTube strips Universal and Sony of 2 billion fake views
• Brazil blocks port 25
• Congress tweaks US video-privacy law so Netflix can get on Facebook
• I probably should not have admin access to this… : pwned
• How the Internet is becoming a closed shop

Amazon Book:
[asa]B003F3PKTK[/asa]

Audible Book Pick: The Master Switch: The Rise and Fall of Information Empires Audio Book

The post SSH FUD Busting | TechSNAP 90 first appeared on Jupiter Broadcasting.