Categories
Computer & Network Security>Malware|Research|Computer & Network Security>Vulnerabilities

PHP source code compromised?

Source: http://barracudalabs.com/2013/10/php-net-compromise/ 

It was announced that the PHP website was hacked and was serving malware. If the attackers had access to the project's internal servers, can we trust the PHP source code anymore?

So far PHP Group has been unable to determine the cause of an infection to two of their servers.  According to their reports, they have recreated web servers and have revoked the PHP SSL cert and are reissuing it in case the private key was compromised.

According to Rasmus Lerdorf, PHP creator, “Not much to say about the effect on end users who visited the site during that time because the windows where the changed file was actually being served were really small and our focus has been on establishing the integrity of the PHP source code we distribute…” http://www.infoworld.com/d/security/phpnet-compromised-and-used-attack-visitors-229531

From a security perspective, it sounds like the source code is their priority, but they can’t tell us whether or not it has been compromised. This does not leave much room for comfort about the integrity of the source code at the moment. We will continue to monitor this closely. Considering that over 85%* of the web is run using PHP, this could be a serious blow to open source developers and their level of security.

Other references: http://arstechnica.com/security/2013/10/hackers-compromise-official-php-website-infect-visitors-with-malware/

*http://w3techs.com/technologies/overview/programming_language/all

See an update on who was affected by the attack.

 

Categories
Research

VERIS Community Database (VCDB)

VERIS as described by its creators:

“One of the most critical and persistent challenges plaguing efforts to manage information risk is a lack of data. To aid removal of this barrier to more widely available security data, we offer the Vocabulary for Event Recording and Incident Sharing (VERIS) for public consideration and use. VERIS is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. The overall goal is to lay a foundation on which we can constructively and cooperatively learn from our experiences to better manage risk.”

Categories
Research|Computer & Network Security>Vulnerabilities

Real Time Cyber Attack Viewer

Categories
Computer & Network Security>Microsoft|Computer & Network Security>Microsoft Security Bulletin|Computer & Network Security>Patches

Microsoft October Security Bulletin

This summary includes 4 critical and 4 important vulnerabilities.

Source: http://technet.microsoft.com/en-us/security/bulletin/ms13-oct

Categories
Computer & Network Security>Microsoft|Computer & Network Security>Microsoft Security Bulletin|Computer & Network Security>Patches

Microsoft September Security Bulletin

This bulletin listed 4 critical and 9 important vulnerabilities.

Source: http://technet.microsoft.com/en-us/security/bulletin/ms13-sep

Categories
Computer & Network Security>Microsoft|Computer & Network Security>Microsoft Security Bulletin|Computer & Network Security>Patches

Microsoft August Security Bulletin

Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important.

Categories
Research|Computer & Network Security>Vulnerabilities

New OWASP top 10 shows same mistakes

OWASP is an organization that tracks the most common web vulnerabilities and gives guidance for writing secure applications. They have released the new Top 10. Unfortunately, it is not much different from the old Top 10. Does this mean that most web developers don’t know about the most common security risks?

Read more here

Categories
Uncategorized

Microsoft July Security Bulletin

For Patch Tuesday this month, we are receiving critical updates from both Microsoft and Adobe. Microsoft has five bulletins, bringing the six-month total up to 51 bulletins, about 20% more than we had in 2012.

Read more here.

Categories
Computer & Network Security>Java|Computer & Network Security>Patches|Computer & Network Security>Zero-day

93% of organizations have not patched Java

Even after the major press about the recent Java zero-day vulnerabilities, organizations still have not updated the software. Java, one of the most deployed applications in the world, has had several serious issues over the past few months.

Read article from Websense here

Categories
Research|Computer & Network Security>Viruses

Pushdo Botnet Morphs To Elude Hunters

Interesting discussion about a powerful botnet. Many folks have heard the term "botnet" but not of the command and control centers that manage them. Read more here