Financial Applications Security Weblog
Secure Applications for Open Markets
March 2002
26 March 2002
 

FrontPage Bug Opens Microsoft Sites To Attackers

Microsoft released a bulletin and patch for the buffer overflow flaw, which allows attackers to run code of their choice on a vulnerable server, on Jun. 21, 2001.  [News Bytes]

I did have to chuckle a bit after reading this. A couple of MS sites were defaced because they'd left an old unpatched version of the FrontPage extensions on the server. The moral of the story is, get rid of anything that you are not using. If you happen to be using the FrontPage extensions (not recommended), please keep an eye on security patches.


6:46:55 PM

Security

CIO Insight has run a survey among CIOs about their attitudes to security. While I'm not sure how much weight should be put on these kinds of surveys, there are a few interesting items:

Sixty-five percent of respondents said they'd met with senior executives during the past 12 months to discuss security. And 74 percent said their colleagues understood the concerns raised and seemed willing to make changes to business practices to make their companies more secure.

Still, a full 30 percent of CIOs said those same business executives forced their CIOs to cancel planned changes to business practices to ensure better security after receiving complaints from business units or end users. [CIO Insight] via [Security Focus]

So senior execs are not yet taking security very seriously. That's not really news, but it's interesting to see a study confirming it. To be fair though, it is very easy for us security professionals to blame the business side for not wanting to make changes, but it really is our responsibility to educate not only senior management, but also the users of our systems and networks, about the importance of security.

Many traditional security measures do literally make the job of the business side harder. Access tools are extremely cumbersome and non-user-friendly, and while company firewalls do stop a lot of bad attacks, they can also create technical barriers for employees and business groups to interact in less formal ways with customers and business partners.

The solution as I see it is to make individual applications or application subsystems secure in their own right. An internal trading or back office system should be at least as secure on the internal network as an online personal banking system has to be on the public internet. By taking care when we develop and deploy these apps and working with our users on good day-to-day security procedures, the complaints from our users are likely to be reduced quite strongly while improving the overall security of the organisation.


6:33:14 PM

Apache security configuration guide

Included below is a recommended security configuration guide for the Apache web server, designed to provide security administrators with a method of configuring an installation based on the agreed security risk profile of the target system.
The security configuration document divides recommendations into levels "Premium", "Standard", and "Basic", and covers a variety of installation, configuration and ongoing management tasks, including:
 * Linux and Windows Installation Requirements
 * Apache Base Installation
 * Identification and Authentication
 * Privacy and Encryption
 * Access Control
 * Auditing
 * WebSphere

[Open System Security Resources]

If you use the Apache web server or any of its commercial derivatives, including IBM WebSphere or Oracle AppServer, you might want to take a look at this guide. While most of what it covers is standard practice, many people are moving to Apache from MS IIS. Apache uses configuration file and module concepts that might be a bit foreign to IIS users. This guide makes it simple to do a quick security audit on your Apache servers.


4:19:13 PM

© Copyright 2002 Pelle Braendgaard.
Last update: 26/03/2002; 17:19:13.