Bits of Wisdom

If you need to use rsync with a proxy:

set enviroent variable RSYNC_PROXY, if this is set rsync automaticly uses this proxy on port 873

set RSYNC_PROXY=12.34.56.78:80
rsync -auv –delete –stats  /cygdrive/c/source/directory username@hostname::rsync_share
set RSYNC_PROXY=

If you are using an apache as proxy your config should be looking a bit like this

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
…
<IfModule mod_proxy.c>
AllowCONNECT 873
</IfModule>

The Register reports that the bad guys steped up quite a bit.

Now quite sophisticated tactics:

• spreading Trojans via JS and PDF flaws from somewhat legimate pages
• reading keystrokes / logins
• withdrawing only from positive accounts, trying to obscure the withdraws
• taking screenshots (sounds like partial biomechanical processing)
• Using money mules to obfuscate the money trail

It’s a dangerous internet out there

What’s behind the Few Letter Acronyms

ECM: A really big and really expensive document management system

BPM: A really expensive workflow system

SharePoint: A big collection of lots of little document management systems

RM: The art of legally deleting most files while keeping the rest for a really long time

WCMS: Web-team Creates More Stuff

E2.0: Facebook without the fun

Enterprise Portal: A way of assembling all of your ugly and annoying applications in one place

DAM: A way of assembling all your ugly and annoying images in one place

E-mail Archiving: Er….well, mercifully no acronym yet

First published by CMS Watch

In difficult times people are looking for easy solutions for their problems. The old tricks work again.

Wired has a nice write up: how to run a scam

SANS.org has put togehter a list of the most dangerous – and often encountered – programming errors. Nothing realy new here, but nicely put together:

CATEGORY: Insecure Interaction Between Components

CWE-20: Improper Input Validation

It’s the number one killer of healthy software, so you’re just asking for trouble if you don’t ensure that your input conforms to expectations…MORE >>

CWE-116: Improper Encoding or Escaping of Output

Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days…MORE >>

CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)

If attackers can influence the SQL that you use to communicate with your database, then they can…MORE >>

CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)

Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications…If you’re not careful, attackers can…MORE >>

CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)

When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers…MORE >>

CWE-319: Cleartext Transmission of Sensitive Information

If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many…MORE >>

CWE-352: Cross-Site Request Forgery (CSRF)

With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim…MORE >>

CWE-362: Race Condition

Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable…MORE >>

CWE-209: Error Message Information Leak

If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data…MORE >>

CATEGORY: Risky Resource Management

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer

Buffer overflows are Mother Nature’s little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you’re…MORE >>

CWE-642: External Control of Critical State Data

There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can…MORE >>

CWE-73: External Control of File Name or Path

When you use an outsider’s input while constructing a filename, you’re taking a chance. If you’re not careful, an attacker could… MORE >>

CWE-426: Untrusted Search Path

If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker’s choosing. This causes the software to access the wrong resources at the wrong time…MORE >>

CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)

For ease of development, sometimes you can’t beat using a couple lines of code to employ lots of functionality. It’s even cooler when…MORE >>

CWE-494: Download of Code Without Integrity Check

You don’t need to be a guru to realize that if you download code and execute it, you’re trusting that the source of that code isn’t malicious. But attackers can perform all sorts of tricks…MORE >>

CWE-404: Improper Resource Shutdown or Release

When your precious system resources have reached their end-of-life, you need to…MORE >>

CWE-665: Improper Initialization

Just as you should start your day with a healthy breakfast, proper initialization helps to ensure…MORE >>

CWE-682: Incorrect Calculation

When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. It might cause you to…MORE >>

CATEGORY: Porous Defenses

CWE-285: Improper Access Control (Authorization)

If you don’t ensure that your software’s users are only doing what they’re allowed to, then attackers will try to exploit your improper authorization and…MORE >>

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers…MORE >>

CWE-259: Hard-Coded Password

Hard-coding a secret account and password into your software’s authentication module is…MORE >>

CWE-732: Insecure Permission Assignment for Critical Resource

If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world – well, that’s just what they’ll become…MORE >>

CWE-330: Use of Insufficiently Random Values

If you use security features that require good randomness, but you don’t provide it, then you’ll have attackers laughing all the way to the bank…MORE >>

CWE-250: Execution with Unnecessary Privileges

Spider Man, the well-known comic superhero, lives by the motto “With great power comes great responsibility.” Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky…MORE >>

CWE-602: Client-Side Enforcement of Server-Side Security

Remember that underneath that fancy GUI, it’s just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls…MORE >>

CMS watch on Sharepoint

A key sentence: SharePoint was architected fundamentally for departmental use.

Der Standard berichtet: Es gebe “keine Auskunftspflicht des Providers über die Daten (Namen und Anschrift) jener Nutzer, die kopierte Musiktitel aus dem Internet heruntergeladen haben.”

Somit ist es der Urheber-Verwertungsindustrie auf zivilrechtlichem Wege nicht möglich Filesharer zu belangen. Im Telekommunikationsgesetz (TKG) ist ein Verbot der Verkehrsdatenspeicherung und die Verpflichtung zur unverzüglichen Datenlöschung festgeschrieben.

Soviel zur Lage.

Wired hat wiedermal bewiesen das man mit trockenen Statistiken und Mathematik auch etwas Spaß haben kann.

Weil wiedermal eine kleine Melung über die Grippe in den Nachrichten war: Wired vergleicht H1N1 mit der Spanischen Grippe von 1918 und … der Epedemie aus Stephen Kings The Stand.

Die Fatalität einer “normalen” Grippe liegt bei 20.000 Toten bei 5 Millionen Infizierten an pro Jahr in Deutschland. Macht 0,4%.

Bis zum Ende der Meldepflicht der Schweinegrippe-Fälle in Österreich waren 10.000 Fälle bekannt. Davon 2 Todesfälle. Daraus berechnet sich eine Mortalität von 0,02 %. Somit ist die normale Grippewelle viel eher zu fürchten als die Schweinegrippe.

Wired rechnete damals noch mit hoch angesetzten 0,7.

I had Adobe Acrobat on my system and tried to upgrade. Adobe Installer complained some .msi file could not be found, so uninstalling or upgrading would not work. Nice work Adobe. For what do i need the installer when I got the new version at hand?

After some trying, swearing and googeling I came across the WINDOWS INSTALLER CLEANUP UTILITY. Yes, Microsoft has a tool for screwed up Installers. Better yet, it works fine. Nuked Acrobat from my system.

Will not touch it again, using Foxit Reader now. Displays PDFs, is fast, works.

swfupload is a great utility to do fancy uploads. Supports multiple uploads at once, nice progress bars, uses flash. So all things have good and bad sides.

If you work in a distributed enviroment and want to upload not to your metadata server but to one of you satelite-servers, flash says: no cross domain posting. But there is a workaround. Create a crossdomain.xml in the root folder of the server you’re uploading to. It should look a bit like this

<?xml version=”1.0″?>
<!DOCTYPE cross-domain-policy
SYSTEM “http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd”>
<cross-domain-policy>
<allow-access-from domain=”tintifax.yourdomain.com” />
<allow-access-from domain=”*.otherdomain.com” />
</cross-domain-policy>