
Better site performance through Apache .htaccess

Web performance is becoming a large factor in many web applications currently being developed, is a large topic within web development, and has been a factor in Google search ranking since the back end of 2014.

Compress content

Compression reduces response time by reducing the size of the HTTP response.

It is worthwhile to gzip your HTML documents, scripts and CSS.

Images and downloadable files should be compressed by other means, such as image compression; they are already compressed, so gzipping them again gains little.

To compress your web documents with Apache, use mod_deflate.

Read On…
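As an added illustration of the mod_deflate setup the post goes on to describe (this is not the post's own configuration), the fragment below compresses text-based responses, leaves already-compressed file types alone, and tells caches to keep the compressed and uncompressed variants apart. The file extensions and MIME types are an assumed typical set; adjust them to what your site serves.

```apache
# Added example: mod_deflate for text content only (assumed types).
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json
    AddOutputFilterByType DEFLATE application/xml application/rss+xml image/svg+xml

    # Images, archives and PDFs are already compressed: skip them so the
    # server does not burn CPU to make them larger.
    SetEnvIfNoCase Request_URI "\.(gif|jpe?g|png|ico|zip|gz|pdf|woff2?)$" no-gzip

    # Proxies and browser caches must key on Accept-Encoding, otherwise a
    # gzipped body can be served to a client that did not ask for one.
    <IfModule mod_headers.c>
        Header append Vary Accept-Encoding
    </IfModule>
</IfModule>
```

Check the result with `curl -sI -H 'Accept-Encoding: gzip' https://example.org/ | grep -i content-encoding`; a `Content-Encoding: gzip` line means the filter is active. One caveat a security engineer will raise: compressing responses over TLS that mix secrets (session or CSRF tokens) with attacker-controlled input enables the BREACH class of attacks, so keep such tokens out of compressed pages or disable compression on those responses.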

Operating System Hardening – Working with Services

Services are programs that start when the operating system boots and usually run in the background without the user interacting with them directly. Many services are important, even critical. However, every running service is also a potential attack vector that someone could exploit against your system, so enable only those services that are actually required. Part of operating system hardening is disabling unnecessary services. On a Windows computer (any version from XP to Windows 8 or Windows Server 2012), open Control Panel and then select Administrative Tools.

The Remote Registry service is a good example. It allows technical support personnel to access the system's registry remotely. This can be quite useful in some situations, but it can also serve as a way for an attacker to get into your system. If you don't need it, turn it off. The issue is not that a given service is "bad"; it is a matter of knowing which services you need to run (and which you don't). Windows also provides a brief description of what each service does and which services depend on it. If you don't know what a service does, you should probably leave it at its default setting.
Read On…

Monitoring Networks

It is important to monitor the network and make sure that the traffic on it belongs there. In this section, we will explore basic network monitors.

Network Monitors

Network monitors, also called sniffers, were originally introduced to help troubleshoot network problems. Simple network configuration programs like ipconfig don't get down on the wire and show what is physically happening on a network. Examining the actual traffic on a network requires a network monitor.
Read On…

Enable SSH Login Notification on Linux

Is the Linux server used by multiple customers? If so, consider adding an SSH login notification so that you are told whenever someone logs in.

The example below sends an e-mail whenever somebody logs in to your server. For this to work, the server must be able to send mail using the mail command.

Replace YOUR_EMAIL_ADDRESS with the email address that you want to receive login notifications.

CentOS

Open the file ~/.bash_profile in a text editor.

Append the following lines:
Read On…
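The lines the post appends are behind the link above. As an added example (not the post's own snippet), the script below does the same job in a testable form: it builds the notice from the `SSH_CONNECTION` variable that sshd sets, and only mails it for interactive SSH logins. `YOUR_EMAIL_ADDRESS` is the placeholder from the post; the host name, user name and message layout are assumptions.

```sh
#!/bin/sh
# Added example: SSH login notification, sourced from ~/.bash_profile
# (or from /etc/profile.d/ssh-notify.sh so that every account is covered).

# build_notice USER SSH_CONNECTION HOST WHEN  -> prints the message body.
# SSH_CONNECTION is "client_ip client_port server_ip server_port".
build_notice() {
    user=$1; conn=$2; host=$3; when=$4
    set -- $conn                      # split the four fields on whitespace
    printf 'SSH login on %s at %s\nuser: %s\nfrom: %s port %s\nto:   %s port %s\n' \
        "$host" "$when" "$user" "$1" "$2" "$3" "$4"
}

# Mail the notice, but only for interactive SSH sessions: skip non-SSH
# logins (no SSH_CONNECTION) and scp/sftp/command-only sessions (no tty).
notify_ssh_login() {
    [ -n "$SSH_CONNECTION" ] || return 0
    [ -t 0 ] || return 0
    me=$(id -un)
    build_notice "$me" "$SSH_CONNECTION" "$(hostname)" \
                 "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" \
        | mail -s "SSH login: $me@$(hostname) from ${SSH_CONNECTION%% *}" YOUR_EMAIL_ADDRESS
}

# Never let a failing mailer block the login itself.
notify_ssh_login || true
```

Two caveats. A user can edit their own `~/.bash_profile`, so this only informs you about logins by people who do not mind you knowing; for accounts you want to watch regardless, run the notifier from the system-wide profile or, better, from PAM with `pam_exec`, which fires for every session type. Also, a login that runs a single command (`ssh host cmd`) never starts a login shell and will not trigger a profile-based hook.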

Disaster Recovery

Disaster recovery is the ability to recover system operations after a disaster. A key aspect of disaster recovery planning is designing a comprehensive backup plan that includes backup storage, procedures, and maintenance. Many options are available to implement disaster recovery. The following sections discuss backups and disaster recovery planning.

Types of Backup

Backups are duplicate copies of key information, ideally stored in a location other than the one where the information is currently held. Backups include both paper and computer records. Computer records are usually backed up using a backup program, backup systems, and backup procedures.
Read On…

Redundant Array of Independent Disks

Redundant Array of Independent Disks (RAID) is a technology that uses multiple disks to provide fault tolerance. There are several designations for RAID levels.


RAID Level 0

RAID 0 is disk striping. It uses multiple drives and maps them together as a single logical drive. This is done purely for performance, not for fault tolerance: if any drive in a RAID 0 array fails, the entire logical drive becomes unusable.
Read On…

Identifying Critical Systems and Components

Sometimes your systems are dependent on things that you would not normally consider. Basic utilities such as electricity, water, and natural gas are key aspects of business continuity. In the vast majority of cases, electricity and water are restored, at least on an emergency basis, fairly rapidly. The damage created by blizzards, tornadoes, and other natural disasters is managed and repaired by utility companies and government agencies. Other disasters, such as a major earthquake or hurricane, can overwhelm these agencies, and services may be interrupted for quite a while. When these types of events occur, critical infrastructure may be unavailable for days, weeks, or even months.

When you evaluate your business's sustainability, realize that disasters do indeed happen. If possible, build infrastructure that doesn't have a single point of failure (SPOF) or a single connection. After the September 11, 2001 terrorist attack on the World Trade Center (WTC), several ISPs and other companies became non-functional because the WTC housed their centralized communication systems and computer departments. If you are the administrator for a small company, it is not uncommon for the SPOF to be the router/gateway. The best way to remove an SPOF from your environment is to add redundancy.
Read On…

Understanding Control Types and False Positives/Negatives

Risk assessment (or analysis) involves calculating potential risks and making decisions based on the variables associated with those risks (likelihood, ALE, impact, and so forth). Once you've identified risks that you want to address with actions other than avoidance, you put controls in place to address those risks.

The National Institute of Standards and Technology (NIST) places controls into various types. The control types fall into three main categories: management, operational, and technical, as defined in Special Publication 800-12. Table 1.3 lists the control types and the controls associated with each.
Read On…

Securing wp-login.php with Fail2Ban

With dictionary attacks against WordPress now a daily occurrence, I installed a simple fail2ban configuration that needs no access to the back end of each site you host and works as an integral part of any Linux server alongside iptables. This should protect all the sites on a server from being attacked by a lone attacker or a botnet.
Read On…
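The post's own filter and jail are behind the link. As an added example, not the post's configuration, the two fragments below show the usual shape of such a setup: a fail2ban filter that matches failed POSTs to wp-login.php in Apache's access log, and a jail that bans the source address with iptables after repeated hits. The log path, thresholds and jail name are assumptions; the `200` status relies on WordPress re-rendering the login form (HTTP 200) on a failed login while a successful one redirects (302), so the filter counts only failures.

```ini
# /etc/fail2ban/filter.d/apache-wp-login.conf  (added example)
[Definition]
# <HOST> is the client address at the start of a "combined"/"common" access-log
# line. A failed WordPress login is a POST to wp-login.php answered with 200;
# a successful login answers 302, so it is not matched.
failregex = ^<HOST> .* "POST /wp-login\.php(\?\S*)? HTTP/[0-9.]+" 200
ignoreregex =

# /etc/fail2ban/jail.local  (excerpt, added example)
[apache-wp-login]
enabled  = true
filter   = apache-wp-login
logpath  = /var/log/apache2/*access.log
port     = http,https
maxretry = 5
findtime = 600
bantime  = 3600
```

Test the regex against real log lines before enabling the jail: `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-wp-login.conf` reports how many lines matched. Two caveats: if the sites sit behind a CDN or reverse proxy, `<HOST>` will be the proxy's address and a ban locks out every visitor, so log and match the real client address instead; and because fail2ban counts per source address, a botnet that spreads a few attempts across many addresses stays under `maxretry`, so this cuts the noise rather than replacing strong passwords and rate limiting in WordPress itself.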

Developing Policies, Standards, and Guidelines

The process of implementing and maintaining a secure network must first be addressed from a policies, standards, and guidelines perspective. This sets the tone, provides authority, and gives your efforts the teeth they need to be effective. Policies and guidelines set a standard of expectation in an organisation, and the process of developing them helps everyone in the organisation become involved and invested in making security efforts successful. You can think of policies as providing high-level guidance on large issues.

Standards tell people what is expected, and guidelines provide specific advice on how to accomplish a given task or activity.

We will discuss the policies, standards, and guidelines you’ll need to establish in order for your security efforts to be successful.

Read On…

Risks Associated with Virtualization

As cloud computing has grown in popularity, virtualization has become the technology du jour. Virtualization allows one set of hardware to host multiple virtual machines. It is in use at most large corporations, and it is also becoming more common at smaller businesses.

Some of the possible security risks with virtualization include the following:
Read On…

Risks Associated with Cloud Computing

The term cloud computing has grown in popularity recently, but few agree on what it truly means. For the purposes of Security+, cloud computing means hosting services and data on the Internet instead of locally. Examples include running office suite applications such as Office 365 or Google Docs from the web instead of installing similar applications on each workstation; storing data on hosted server space such as Google Drive, SkyDrive or Amazon Web Services; and using cloud-based services such as salesforce.com.

Read On…

Apache: Log Management: SetEnvIf

Maintaining an Apache2 web server takes a bit of fine tuning to get everything logging exactly to specification. Apache has excellent logging capability, and these logs, if properly maintained, are an excellent information resource for any administrator or web analyst.

However, if left unmanaged, these logs can grow too large to handle and become cumbersome to search for errors or unauthorized access.
Read On…
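As an added example of the SetEnvIf approach the post introduces (this is not the post's own configuration), the fragment below tags requests with environment variables and then uses those tags to decide which log a line goes to: the address of an uptime monitor is dropped from the main access log, and requests to the WordPress authentication endpoints are copied into their own log so that brute-force attempts are easy to find and to feed to tools such as fail2ban. The monitor address, the paths and the log locations are assumptions.

```apache
# Added example: route log lines with SetEnvIf (assumed addresses and paths).

# Requests from the uptime monitor only add noise to the main log.
SetEnvIf Remote_Addr "^10\.0\.0\.5$" dontlog

# Authentication endpoints that attackers hammer: tag them so they can be
# written to a separate log as well.
SetEnvIf Request_URI "^/wp-login\.php" authlog
SetEnvIf Request_URI "^/xmlrpc\.php"   authlog

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

# Main log: everything except the tagged monitor traffic.
CustomLog /var/log/apache2/access.log combined env=!dontlog
# Auth log: only the tagged login/XML-RPC requests (these are logged twice).
CustomLog /var/log/apache2/auth.log   combined env=authlog
```

Keep exclusions narrow: every `dontlog` rule is a blind spot in an investigation, so exclude by exact source address rather than by path, and never drop error responses. Size is better controlled by rotating the files with logrotate than by not writing the entries.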

Additional Risk Terminology

Make sure that you understand the scope of hardware-related and service-level agreement (SLA) terms. Doing so can help avoid frustration and prevent unanticipated disruption from crippling your organisation. The following notes cover key measures with which you should be familiar when researching additional risk terminology arising from risk assessments.
Read On…

Force SSL/TLS https using .htaccess and mod_rewrite

When using Apache, you can use mod_ssl to force SSL with the SSLRequireSSL directive.

This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection. It is very handy inside an SSL-enabled virtual host or directory for defending against configuration errors that expose content that should be protected. When this directive is present, all requests that do not use SSL are denied.

This will not redirect to HTTPS, though. To redirect, use mod_rewrite in your .htaccess file.
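The rewrite rules themselves did not survive on this page. As an added example (not the post's own .htaccess), the fragment below redirects every plain-HTTP request to the same URL over HTTPS and, once the client is on HTTPS, sets an HSTS header so the browser does not make the plain-HTTP request again. The one-year max-age is an assumption.

```apache
# Added example: redirect to HTTPS, then pin the browser to it (HSTS).
RewriteEngine On
# %{HTTPS} is "on" only when mod_ssl handled the connection.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Only send HSTS on the HTTPS response; the HTTPS env var is set by mod_ssl.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

SSLRequireSSL and this rewrite complement each other: the redirect fixes links and bookmarks, while SSLRequireSSL in the protected location guarantees a misconfiguration can never serve the content in the clear. If TLS is terminated on a load balancer in front of Apache, `%{HTTPS}` is never "on"; test `%{HTTP:X-Forwarded-Proto} !https` instead, and only trust that header from the balancer's address.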


or any of the various approaches given at

You can also solve this from within PHP in case your provider has disabled .htaccess (which is unlikely since you asked for it, but anyway).

Measuring and Weighing Risk – Risk Assessment

Risk Assessment

Risk assessment is also known as risk analysis or risk calculation. For the sake of uniformity, we will use risk assessment as the term of choice for this discussion. Risk assessment deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or a loss of the information itself. A vulnerability is a weakness that could be exploited by a threat. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of its occurring. The key here is to think outside the box: conventional threats and risks are often too limited a view when assessing risk.

The key components of an assessment process are outlined here:

Risks to which the organisation is exposed: This component allows you to develop scenarios that help you evaluate how to deal with these risks if they occur. An operating system, server, or application may have known risks in certain environments. You should create a plan for how your organisation will best deal with these risks and the best way to respond.

Risks in need of addressing: The risk-assessment component also allows an organisation to perform a reality check on which risks are real and which are unlikely. This helps an organisation focus its resources on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a hurricane damaging the server room in another state or country is very low; therefore, more resources should be allocated to preventing espionage or theft than to the latter possibility.

Coordination with BIA: The risk-assessment component, in conjunction with the business impact analysis (BIA), provides an organisation with an accurate picture of the situation facing it. It allows an organisation to make intelligent decisions about how to respond to various scenarios.

Computing Risk Assessment

When you are doing risk assessment, one of the most important things to do is prioritise. Not everything should be weighed evenly, because some events have a greater likelihood of happening. In addition, a company can accept some risks, whereas others would be catastrophic for the company.

Risk Calculation

For the purposes of risk assessment, both in the real world and for the exam, you should familiarise yourself with a number of terms used to determine the impact an event could have:

  • ALE is the annual loss expectancy value. This is a monetary measure of how much loss you can expect in a year.
  • SLE is another monetary value, the single loss expectancy: how much you expect to lose from any one occurrence. SLE is the product of two components:
    • AV (asset value)
    • EF (exposure factor), the fraction of the asset's value lost in one occurrence
  • ARO is the annualised rate of occurrence: the likelihood, often drawn from historical data, of an event occurring within a year.

When you compute the risk assessment, remember these formulas:
SLE = AV x EF
ALE = SLE x ARO

As an example, if you can reasonably expect that each SLE (asset value (AV) times exposure factor (EF)) will be the equivalent of £1,000 and that there will be seven such occurrences a year (ARO = 7), then the ALE is £7,000. Conversely, if there is only a 10 percent chance of the event occurring within a year (ARO = 0.1), the ALE drops to £100.
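The formulas above are applied to one risk at a time; the prioritising the text calls for needs them applied across a whole register. As an added example (not from the page), the script below computes SLE and ALE for a small constructed register and sorts it by ALE, which is the order in which the risks deserve attention and budget. The register entries, currency and values are made up for illustration.

```sh
#!/bin/sh
# Added example: quantitative risk calculation over a constructed register.

# ale AV EF ARO  -> ALE = (AV * EF) * ARO, printed with two decimals.
ale() {
    awk -v av="$1" -v ef="$2" -v aro="$3" 'BEGIN { printf "%.2f\n", av * ef * aro }'
}

# rank_risks reads lines "name AV EF ARO" on stdin and prints "name SLE ALE",
# highest ALE first, so the top line is the risk to address first.
rank_risks() {
    awk '{ sle = $2 * $3; printf "%s %.2f %.2f\n", $1, sle, sle * $4 }' \
        | sort -k3,3 -g -r
}

# Constructed register (assumption, not real figures): AV in pounds, EF as the
# fraction of the asset lost per event, ARO as expected events per year.
RISKS='laptop-theft 1500 1.0 4
server-room-flood 200000 0.5 0.02
espionage 500000 0.2 0.5
phishing-fraud 20000 0.25 3'

# Name of the highest-ALE risk in the register.
top_risk() {
    printf '%s\n' "$RISKS" | rank_risks | head -n 1 | cut -d' ' -f1
}

printf '%s\n' "$RISKS" | rank_risks
```

Note how the ordering differs from the ordering by SLE: the flood has the same single-loss size as espionage but an ARO fifty times smaller, so it drops to the bottom of the list, which is exactly the "reality check" described above.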

Quantitative vs. Qualitative Risk Assessment

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending on whether you are focusing on currency amounts. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualised rate of occurrence (ARO) all lead to currency amounts and are thus quantitative.

To understand the difference between quantitative and qualitative, it helps to use a simple example. Imagine that you get an emergency call to help a small company that you have never heard of before. It turns out that their one and only server has crashed and that their backups are useless. One of the lost files was the only copy of the company's history. This file detailed the company from the day it began to the present day and held the various iterations of the mission statement as it changed over time. As painful a loss as this file represents to the company's culture, it has nothing to do with filling orders and keeping customers happy, and thus its loss is qualitative in nature.

Another loss was the customer database. This held customer contact information as well as the history of all past orders, charge numbers, and so on. The company cannot function without this file, and it needs to be re-created by pulling all of the hard-copy invoices from storage and re-entering them into the system. This loss can be calculated from the amount of business lost and the time it takes to find and re-enter all the data, and thus it is a quantitative loss.

EFF's "Let's Encrypt": a new free certificate authority launching in summer 2015

Links: https://letsencrypt.org/

Links: https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web

GitHub: https://github.com/letsencrypt/

● A new CA initiative put together with Mozilla, Cisco, Akamai, IdenTrust, and the University of Michigan.

● Let's Encrypt is a new free certificate authority, which will begin issuing server certificates in 2015. Server certificates are the anchor for any website that wants to offer HTTPS and encrypted traffic, proving that the server you are talking to is the server you intended to talk to. But these certificates have historically been expensive, as well as tricky to install and bothersome to update. The Let's Encrypt authority will offer server certificates at zero cost, supported by sophisticated new security protocols. The certificates will have automatic enrollment and renewal, and there will be publicly available records of all certificate issuance and revocation.

● The Let's Encrypt CA will be operated by a new non-profit organization called the Internet Security Research Group (ISRG). EFF helped to put together this initiative with Mozilla and the University of Michigan, and it has been joined for launch by partners

Remotely Exploitable 'Bash Shell' Vulnerability Leaves Linux and OS X Systems Wide Open

A critical, remotely exploitable vulnerability has been discovered in Bash, the GNU Bourne Again Shell, the command-line shell widely used on Linux and Unix systems, leaving countless websites, servers, PCs, OS X Macs, home routers and other devices open to attack.
Earlier today, Stéphane Chazelas publicly disclosed the technical details of the remote code execution vulnerability in Bash, which affects most Linux distributions and servers worldwide.

REMOTELY EXPLOITABLE SHELLSHOCK
The vulnerability (CVE-2014-6271) affects GNU Bash versions 1.14 through 4.3 and has been named Bash Bug, or Shellshock, by security researchers in online discussions.
According to the technical details, an attacker could exploit this Bash bug to execute shell commands remotely on a target machine using specially crafted environment variables. "In many common configurations, this vulnerability is exploitable over the network," Chazelas said.
This 22-year-old vulnerability stems from the way Bash handles specially formatted environment variables, namely exported shell functions. When Bash imports a function definition from the environment, it also executes any code that trails the function body in that variable's value.

BASH BUG AFFECTS MILLIONS OF SYSTEMS

The vulnerability is present in Bash up to and including version 4.3 and was discovered by Stéphane Chazelas. It puts Apache web servers in particular at risk of compromise: CGI scripts that use or invoke Bash in any way, including any child processes spawned by the scripts, are vulnerable to remote code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.

In simple terms: if Bash is the system shell (/bin/sh) or a CGI script invokes it, an attacker can run code on the server just by sending a web request with specially crafted headers, such as a User-Agent, Referer or an odd Content-Type, because the web server exports those headers into environment variables before running the script. Proof-of-concept code for a cgi-bin reverse shell has been posted on the Internet.

According to the NIST vulnerability database, which rates the flaw 10 out of 10 in terms of severity:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

This is a serious risk to Internet infrastructure, just like the Heartbleed bug: Linux runs not only the majority of servers but also a large number of embedded devices, and Mac OS X ships a vulnerable Bash as well.

HOW TO CHECK FOR VULNERABLE SHELL
To determine whether a Linux or Unix system is vulnerable, run the following command in your shell.
If you see the word "shellshock" in the output, then you are at risk.
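The test command itself did not survive on this page. As an added example (the widely published one-liner wrapped in a function, not the page's own listing), the script below exports a variable whose value is a function definition followed by `echo shellshock`, then starts the Bash under test. A vulnerable Bash runs the trailing command while importing the environment; a patched one does not. The path to the Bash binary is an assumption (it defaults to whatever `bash` is on PATH).

```sh
#!/bin/sh
# Added example: local check for CVE-2014-6271 (Shellshock).

# shellshock_check [BASH]  -> prints "vulnerable", "patched" or "no-bash".
# Exit status: 0 patched, 1 vulnerable, 2 no such bash (assumed convention).
shellshock_check() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }

    # x holds a function definition with a trailing command. Only a
    # vulnerable bash executes "echo shellshock" while importing x.
    out=$(env x='() { :;}; echo shellshock' "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *shellshock*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Print the status for the bash on PATH (or the one given as $1).
shellshock_check "$@" || true
```

Run it against every Bash on the box, not just the first one on PATH (`/bin/bash`, `/usr/local/bin/bash`, and the one inside any chroot or container image). The first vendor fix for CVE-2014-6271 turned out to be incomplete and was followed by CVE-2014-7169, so a "patched" result here means only that this particular test no longer fires; confirm the installed package is at the version your distribution's advisory names.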

 

BASH BUG PATCH

Disabling any CGI scripts that call the shell is recommended, but it does not fully mitigate the vulnerability. Many of the major operating system and Linux distribution vendors released updated Bash packages today, including:
  • Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
  • CentOS (versions 5 through 7)
  • Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
  • Debian

What is a specific example of how the shellshock bash bug could be exploited?

With access to bash, even from the point of view of a web user, the options are endless. For example, here's a fork bomb:

Just put that in a User-Agent string in a browser, go to your web page, and you have an instant DDoS on your web server.

Or, somebody could use your server as an attack bot:

Put that on several other servers and you’re talking about real bandwidth.

Other attack vectors:

There are endless other possibilities: reverse shells, running servers on ports, auto-downloading some rootkit to go from web user to root user. It's a shell! It can do anything. As far as security disasters go, this is worse than even Heartbleed.

The important part is that you patch your system. NOW! If you still have external-facing servers that are still unpatched, what are you doing still reading this?!

Hackers are already doing these things above, and you don’t even know it!

Source: Security.StackExchange