CMU announces free Firefox add-on to increase browser security against DNS flaw and digital signature problems


Carnegie Mellon University is making available a free add-on for Firefox 3.0 that’s intended to increase browser security.

The Firefox add-on was developed at the university’s School of Computer Science and College of Engineering and is available for free download. The Perspectives software not only protects Firefox users against attacks that might occur because of the recently disclosed software flaw in the DNS, but it also defends against some digital certificate problems.

The extension provides two primary benefits:

  1. If you connect to a website with an untrusted certificate (e.g., a self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
  2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., http://www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

Because of the API used, the code only works in Firefox 3.x, not Firefox 2.x.

How it works, from the CMU web page:

“Perspectives is a new approach to help clients securely identify Internet servers in order to avoid “man-in-the-middle” attacks. Perspectives is simple and cheap compared to existing approaches because it automatically builds a robust database of network identities using lightweight network probing by “network notaries” located in multiple vantage points across the Internet.”
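The notary comparison that the quoted description sketches, as an added Python example that is not part of the Perspectives code: the key fingerprint the browser was just handed is compared with what several notaries have recorded for the same host over time. The decision covers both benefits listed above: the self-signed warning is overridden when the notaries agree on a key that has been stable for a while, and a key the notaries have never seen for that host (an interceptor on the path, or a certificate a CA was tricked into issuing) is flagged as suspicious. The certificate bytes, notary names, quorum and history thresholds are constructed values, and the fingerprint hash is an assumption.

```python
"""Added example (not Perspectives' own code): a minimal notary-consensus check.

Each notary reports the certificate key fingerprint it has seen for a host
and for how many days that key has been stable. The browser compares the
fingerprint it was just handed against those reports.
"""
import hashlib
from collections import Counter

# Constructed stand-ins for DER certificate bytes; not real certificates.
SITE_CERT = b"constructed self-signed cert for mail.example.com"
ROGUE_CERT = b"constructed cert presented by an interceptor"


def fingerprint(cert_der: bytes) -> str:
    """Fingerprint as a notary would record it (SHA-256 chosen here; an assumption)."""
    return hashlib.sha256(cert_der).hexdigest()


def evaluate(observed: str, reports: list, quorum: int, min_days: int) -> str:
    """Decide what to do with the fingerprint the browser observed.

    reports  -- list of (notary_name, fingerprint, days_stable) tuples
    quorum   -- how many notaries must agree before their view is trusted
    min_days -- how long a key must have been stable before it is trusted
    Returns 'accept' (override the browser warning), 'suspicious' (warn:
    notaries see a different, stable key) or 'insufficient' (keep the
    normal browser behaviour).
    """
    if not reports:
        return "insufficient"
    agreeing = [days for _, fp, days in reports if fp == observed]
    if len(agreeing) >= quorum and min(agreeing) >= min_days:
        return "accept"
    majority_fp, votes = Counter(fp for _, fp, _ in reports).most_common(1)[0]
    if majority_fp != observed and votes >= quorum:
        # Vantage points across the Internet see a key we are not being shown:
        # consistent with a man-in-the-middle or a wrongly issued certificate.
        return "suspicious"
    return "insufficient"


def scenario_self_signed_ok() -> str:
    """Stable self-signed key seen by every notary for weeks: safe to override."""
    fp = fingerprint(SITE_CERT)
    reports = [("notary-a", fp, 45), ("notary-b", fp, 45), ("notary-c", fp, 44)]
    return evaluate(fp, reports, quorum=2, min_days=7)


def scenario_interceptor() -> str:
    """Browser is handed a key that no notary has ever seen for this host."""
    real_fp = fingerprint(SITE_CERT)
    reports = [("notary-a", real_fp, 45), ("notary-b", real_fp, 45),
               ("notary-c", real_fp, 44)]
    return evaluate(fingerprint(ROGUE_CERT), reports, quorum=2, min_days=7)


def scenario_fresh_key() -> str:
    """Key rotated today: notaries agree, but there is no history yet."""
    fp = fingerprint(SITE_CERT)
    reports = [("notary-a", fp, 0), ("notary-b", fp, 0), ("notary-c", fp, 1)]
    return evaluate(fp, reports, quorum=2, min_days=7)


if __name__ == "__main__":
    for label, func in [("self-signed, stable", scenario_self_signed_ok),
                        ("interceptor", scenario_interceptor),
                        ("fresh key", scenario_fresh_key)]:
        print(f"{label:20s} -> {func()}")
```

The third scenario is the one to keep in mind when tuning thresholds: a legitimately rotated key has no history, so the check falls back to the normal browser behaviour instead of either overriding the warning or crying wolf.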

Original Source: networkworld.com

Basic Apache Hardening in SLES 10


I set up a SuSE Enterprise Linux (SLES) 10 SP2 web server last week, and wanted to do some basic hardening of the default Apache configuration. Here’s what I did.

  1. edit /etc/apache2/httpd.conf
  2. Add RewriteEngine On
  3. Add RewriteLogLevel 2
  4. Add RewriteLog /var/log/apache2/rewrite.log
  5. Add ServerSignature Off
    The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents.
  6. Add ServerTokens Prod
    This directive controls whether the Server response header field sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.
  7. Add ErrorDocument 500 "Internal server error" to return a generic error message when an HTTP 500 error occurs
  8. Add ErrorDocument 404 "An unknown error occurred, please try again later" (HTTP 404 = not found)
  9. Add ErrorDocument 403 "An unknown error occurred, please try again later" (HTTP 403 = forbidden)
  10. Save – exit httpd.conf
  11. touch /var/log/apache2/rewrite.log to create the rewrite.log file
  12. touch /srv/www/htdocs/.htaccess to create the .htaccess file
  13. Edit the /srv/www/htdocs/.htaccess file
  14. Add Options +FollowSymLinks -MultiViews
    Note: FollowSymLinks must be set to + for rewrite to work!
  15. Add rewrite rules appropriate for your environment.  I’m using some rules that can be found in the Pauldotcom Security Weekly episode #94 show notes, which were based on a post by nullbyte.
  16. Save – exit .htaccess
  17. YaST – Network Services – HTTP Server
  18. Server Modules tab – rewrite – toggle status to enabled – finish
  19. From a terminal run: SuSEconfig
  20. From a terminal run: /etc/init.d/apache2 restart
  21. With a web browser, try to access a page on the server that does not exist, i.e., http://server/nothere.html
  22. View /var/log/apache2/rewrite.log
    You should see the attempt logged
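The directives from steps 2 to 14 collected into the two files they belong in, as an added example rather than the author's exact configuration. The single RewriteRule and the <Directory> block are illustrative additions that are not in the post (the post's own rules come from the Pauldotcom show notes), and the assumption that SLES 10 ships the document root with AllowOverride None is stated in the comments. Apache's configuration does not allow comments after a directive on the same line, so every comment below is on its own line.

```apache
# ---- /etc/apache2/httpd.conf (server-wide; steps 2 to 9 of the post) ----
RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
# Level 2 is verbose and costs a write per request; lower it once the rules are proven
RewriteLogLevel 2

# Stop advertising version, OS and modules in the Server header and error pages
ServerTokens Prod
ServerSignature Off

# Generic bodies for errors; Apache 2.x takes the message text in double quotes
ErrorDocument 500 "Internal server error"
ErrorDocument 404 "An unknown error occurred, please try again later"
ErrorDocument 403 "An unknown error occurred, please try again later"

# Illustrative addition, not in the post: the Options and RewriteRule lines in
# .htaccess are silently ignored unless the directory permits those overrides.
# Assumption: the SLES 10 default-server.conf sets AllowOverride None here.
<Directory "/srv/www/htdocs">
    AllowOverride Options FileInfo
</Directory>

# ---- /srv/www/htdocs/.htaccess (steps 12 to 15) ----
Options +FollowSymLinks -MultiViews
# RewriteEngine is not inherited into per-directory context, so repeat it
RewriteEngine On
# Illustrative rule (the post's own rules are in the Pauldotcom show notes):
# refuse request methods the site does not use. [F] answers with 403, which
# the generic ErrorDocument above covers, and level 2 records it in rewrite.log
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
RewriteRule .* - [F,L]
```

After the restart in step 20, `curl -i http://server/nothere.html` should show a bare `Server: Apache` header with no version string and the generic 404 text as the body. If rewrite.log stays empty after step 21, the AllowOverride setting for the document root is the first thing to check.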

Free ConfigCheck Utility for VMware ESX host security assessment


Tripwire has a free, Windows based security assessment tool called ConfigCheck for VMware ESX hosts.  It rapidly assesses the security of VMware ESX hypervisor configurations compared to the VMware Infrastructure 3 Security Hardening guidelines. According to the VMware website:

Tripwire ConfigCheck™ is a free utility you can use to rapidly assess the security of your VMware ESX host configurations, according to the VMware security hardening guidelines. Co-developed by VMware and Tripwire, ConfigCheck provides an immediate assessment of the server configuration to ensure VMware Infrastructure environments are properly configured.

Tripwire ConfigCheck is simple & easy to use. To properly install & start-up the utility, follow these steps or read the blog posting:

To install and run ConfigCheck:

  1. Download the file configcheck.zip to a Windows machine that has Java Runtime Environment (JRE) version 1.5, or higher.
  2. Unzip the configcheck.zip file
  3. Double click on the file configcheck.cmd
  4. Accept the license agreement
  5. Enter the ESX host and user credentials
  6. Click the “Check Configuration” button

Once the check is complete you can click the test results to view remediation steps and view the Tripwire ConfigCheck Remediation Guide.  You can also listen to the Tripwire Podcast Operationalizing VMware ESX Best Practices – Introducing Tripwire ConfigCheck.

Multivendor DNS Flaw auditing tool


Earlier I discussed the multivendor DNS flaw and linked to Dan’s web page that contains a tool you can run to see if your DNS servers are vulnerable to cache poisoning.

Jose has developed a basic open source tool called CacheAudit that can be used to determine if the cache on your DNS server has been poisoned.  He describes the tool’s operation as:

“The overall concept was to take periodic dumps of the in-memory cache from the recursive server, validate these dumps against the authoritative name servers, and peer recursive name servers, alerting when something could not be validated.”

You can also view his presentation on Recursive DNS cache auditing.
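The validation loop Jose describes, as an added Python sketch that is not CacheAudit's own code: parse a cache dump, check each cached A record against the authoritative answer first and, failing that, against what peer recursive servers return, and report anything that neither source confirms. The dump text, the authoritative and peer answers, and the zone names are all constructed; a real run would take the dump from the resolver (for BIND 9, `rndc dumpdb -cache`) and obtain the answers with live queries.

```python
"""Added example (not CacheAudit's own code): validate a resolver cache dump.

Each cached A record is checked against the authoritative answer first and,
failing that, against the answers of peer recursive servers. A record that
neither source confirms is reported as a possible poisoning.
"""

# Constructed cache dump in a BIND-like "name ttl class type rdata" layout; not real output.
CACHE_DUMP = """\
; constructed cache dump
www.example.com.    300  IN  A  192.0.2.10
www.example.com.    300  IN  A  192.0.2.11
mail.example.com.   120  IN  A  198.51.100.5
login.example.net.  600  IN  A  203.0.113.66
cdn.example.org.    60   IN  A  192.0.2.77
"""

# Constructed answers that a live audit would obtain by querying the zone's
# authoritative servers and a few peer resolvers.
AUTHORITATIVE = {
    "www.example.com.": {"192.0.2.10", "192.0.2.11"},
    "mail.example.com.": {"198.51.100.5"},
    "login.example.net.": {"203.0.113.20"},
    # geo-balanced name: the answer legitimately varies by vantage point
    "cdn.example.org.": {"192.0.2.70"},
}
PEERS = {
    "peer-resolver-1": {"login.example.net.": {"203.0.113.20"},
                        "cdn.example.org.": {"192.0.2.77"}},
    "peer-resolver-2": {"login.example.net.": {"203.0.113.20"},
                        "cdn.example.org.": {"192.0.2.71"}},
}


def parse_cache_dump(text: str) -> list:
    """Return (name, ttl, address) for each A record; comments and other types are skipped."""
    records = []
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN" or fields[3] != "A":
            continue
        name, ttl, _cls, _rtype, addr = fields
        records.append((name, int(ttl), addr))
    return records


def audit(records: list, authoritative: dict, peers: dict) -> list:
    """Classify each cached record; returns only the findings that need attention."""
    findings = []
    for name, ttl, addr in records:
        if addr in authoritative.get(name, set()):
            continue  # confirmed by the zone owner
        agreeing = sorted(p for p, view in peers.items() if addr in view.get(name, set()))
        # Peers returning the same address points to load balancing rather than
        # poisoning, so that case is downgraded to a review item.
        level = "unverified" if agreeing else "alert"
        findings.append({"name": name, "cached": addr, "ttl": ttl, "level": level,
                         "authoritative": sorted(authoritative.get(name, ())),
                         "peers_agreeing": agreeing})
    return findings


def run_audit() -> list:
    """Run the constructed sample through the audit; returns the findings list."""
    return audit(parse_cache_dump(CACHE_DUMP), AUTHORITATIVE, PEERS)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['level']:10s} {f['name']:20s} cached={f['cached']:15s} "
              f"authoritative={f['authoritative']} peers={f['peers_agreeing']}")
```

On the constructed sample the login.example.net. entry is the only alert: neither the authoritative server nor any peer returns 203.0.113.66. The cdn.example.org. entry differs from the authoritative answer too, but one peer agrees with the cached address, which is the pattern geo-balanced names produce and the reason Jose's design consults peers as well as authorities.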

Test for Multivendor DNS Flaw


By now, everyone on the Internet is aware of the fundamental flaw in DNS that all major vendors released security patches for this week.  Dan Kaminsky, the security researcher who discovered the cache poisoning bug, has developed a test for this flaw that you can find at his web site. 

Many people have downplayed this flaw, saying it’s not as serious as some speculate, since only recursive DNS servers are at risk.  Maybe that’s true, but who uses these DNS servers?  All DNS clients, from workstations to servers to routers.  And if the DNS servers have their caches poisoned, they can redirect these unsuspecting clients to potentially malicious web sites.

Dan, who is an expert in all things DNS, has this advice for network administrators:

“If it recurses, patch it.  I don’t care if it’s firewalled.  Patch it, or kill it.”

Dan has purposely not released details on the DNS vulnerability so that users will hopefully have time to patch their systems prior to exploits being developed. Dan is scheduled to reveal all the details at Black Hat on August 7th, so stay tuned. For more details, see the CERT vulnerability notes for VU#800113. Dan was also interviewed by Rich at the Network Security Podcast, where he goes into more detail on the issues.

Also note that the ISC has put out a temporary patch for BIND 8, but because of legacy issues, they are suggesting BIND 8 be retired.  The ISC has some nice documentation on the BIND 8 to BIND 9 migration process.

Sun Java Multiple Security Vulnerabilities Rated Highly Critical


Sun has disclosed multiple security vulnerabilities within their Java product, which are summarized here.  The categories of vulnerabilities include:

1) Security Bypass
2) Exposure of system information
3) Exposure of sensitive information
4) DoS
5) System access

The following Sun products are affected:

Java Web Start 1.x
Java Web Start 5.x
Java Web Start 6.x
Sun Java JDK 1.5.x
Sun Java JDK 1.6.x
Sun Java JRE 1.3.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x
Sun Java SDK 1.3.x
Sun Java SDK 1.4.x

The recommendation is to update your software immediately to a patched version:

JDK and JRE 6 Update 7:
http://java.sun.com/javase/downloads/index.jsp

JDK and JRE 5.0 Update 16:
http://java.sun.com/javase/downloads/index_jdk5.jsp

SDK and JRE 1.4.2_18:
http://java.sun.com/j2se/1.4.2/download.html

SDK and JRE 1.3.1_23 (for customers with Solaris 8 and Vintage Support Offering support contracts):
http://java.sun.com/j2se/1.3/download.html

Go read Microsoft Security Advisory 954462 now


If you are responsible for web server or web application security, go read Microsoft Security Advisory 954462, Rise in SQL Injection Attacks Exploiting Unverified User Data Input, immediately. It contains important information on detecting and mitigating SQL injection vulnerabilities.

This advisory is not specific to only Microsoft products like the IIS web server and SQL database.  Other web servers and database programs are also vulnerable to these attacks.

You may also want to check out the Top 15 free SQL Injection Scanners and check your own web sites for vulnerabilities.