
While speaking at an ICANN international meeting in Nairobi this week, Rod Beckstrom criticized the security of DNS, saying it “can stop any time.” Furthermore, he went on to state:
The domain name system is under attack today as it has never been before. I have personally consulted with over 20 CEOs of the top registries and the top registrars globally, all of whom are seeing increasing attacks and complexity of attacks and who are extremely concerned,
While Beckstrom is perfectly accurate in his statement, to those with a vested interest in certain start-up extensions and developing ccTLDs, them is fightin’ words. Specifically, Chris Disspain, chairman of the Country Code Name Supporting Organization (ccNSO) council, called the ICANN CEO out on the comment.
As a representative of the various companies that run ccTLDs for many governments, Disspain is worried that Beckstrom “could cause great concern among governments regarding how elements of critical Internet resources are operated and managed in their countries.” In other words, the ccNSO chairman is worried about how this could affect his associates’ for-profit operations running ccTLDs.
Source | Computer World
Photo | Flickr

There are many security factors you should consider when deploying Linux-based virtual private servers (VPS) on systems such as OpenVZ. Some protect your users and some protect the host server as a whole. Here are five steps you can take to make sure the host itself stays secure:
1. Disable the root password on the real server. Users may set whatever root passwords they like inside their own VPS containers, but a guessed or leaked container password must not also open the host.
2. Create a user just for admin tasks and give it “sudo” rights.
3. Create an SSH user for remote logins and an SFTP user for uploads to the real server, then disable remote access for every other account.
4. Run OpenSSH on a port other than the default 22, such as 2222. This cuts the noise from automated scanners but is not a substitute for the other steps; anyone who port-scans the host will still find it.
5. Rely on SSH keys for the two remote-access users and disable password authentication altogether.
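As an added example (not from the original post), the Python script below turns steps 1, 3, 4 and 5 into sshd_config settings, audits an existing sshd_config against them the way sshd itself would read it, and returns the root-level commands for creating the accounts in steps 1 to 3. The account names (vzadmin, vzssh, vzsftp), port 2222, the /srv/sftp chroot path, the /etc/sudoers.d mechanism and the Debian-style /usr/sbin/nologin path are all assumptions chosen for illustration.

```python
"""Audit and generate sshd_config for an OpenVZ hardware node.

Added example, not from the original post. The account names (vzadmin,
vzssh, vzsftp), port 2222, the /srv/sftp chroot and the use of
/etc/sudoers.d are assumptions chosen for illustration.
"""
import re

ADMIN_USER, SSH_USER, SFTP_USER, SSH_PORT = "vzadmin", "vzssh", "vzsftp", 2222

# Option -> value the host must have; keys are lower-case because sshd
# matches option names case-insensitively.
REQUIRED = {
    "permitrootlogin": "no",                   # step 1: root never logs in over SSH
    "allowusers": f"{SSH_USER} {SFTP_USER}",   # step 3: every other account is refused
    "port": str(SSH_PORT),                     # step 4
    "pubkeyauthentication": "yes",             # step 5
    "passwordauthentication": "no",            # step 5
    "challengeresponseauthentication": "no",   # step 5: closes the keyboard-interactive door
}

# What sshd assumes when an option is absent (OpenSSH of the post's era;
# newer releases default PermitRootLogin to prohibit-password).
DEFAULTS = {
    "permitrootlogin": "yes", "allowusers": "", "port": "22",
    "pubkeyauthentication": "yes", "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def _norm(value):
    return " ".join(value.lower().split())

def parse_sshd_config(text):
    """Return {option: value} for the global section of an sshd_config.

    Mirrors sshd: comments stripped, option names case-insensitive, the
    first occurrence of an option wins, and everything from the first
    'Match' line onward belongs to conditional blocks and is ignored here.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, value)
    return opts

def audit(text):
    """Return [(option, found, required)] for each setting that is missing or wrong."""
    opts = parse_sshd_config(text)
    findings = []
    for opt, want in REQUIRED.items():
        got = opts.get(opt, DEFAULTS[opt])
        if _norm(got) != _norm(want):
            findings.append((opt, got, want))
    return findings

def hardened_config():
    """sshd_config implementing steps 1, 3, 4 and 5. The Match block must stay last."""
    return f"""Port {SSH_PORT}
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers {SSH_USER} {SFTP_USER}
Subsystem sftp internal-sftp
Match User {SFTP_USER}
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

def provisioning_commands():
    """Commands to run as root on the host for steps 1 to 3 (returned, not executed).
    Assumes a Debian-style layout (/usr/sbin/nologin, '#includedir /etc/sudoers.d'
    in sudoers) and that useradd creates a same-named group for each user."""
    return [
        "passwd -l root",                                   # step 1: lock root's password
        f"useradd -m -s /bin/bash {ADMIN_USER}",            # step 2: admin account...
        f"echo '{ADMIN_USER} ALL=(ALL) ALL' > /etc/sudoers.d/{ADMIN_USER}",
        f"chmod 0440 /etc/sudoers.d/{ADMIN_USER}",          # ...with sudo rights
        f"useradd -m -s /bin/bash {SSH_USER}",              # step 3: the only interactive login
        f"useradd -m -s /usr/sbin/nologin {SFTP_USER}",     # step 3: uploads only, no shell
        "install -d -o root -g root -m 0755 /srv/sftp",     # chroot must be root-owned, not writable
        f"install -d -o {SFTP_USER} -g {SFTP_USER} -m 0755 /srv/sftp/upload",
    ]

if __name__ == "__main__":
    print(hardened_config())
    print("findings on hardened config:", audit(hardened_config()))
    print("\n".join(provisioning_commands()))
```

In this layout the admin account is not in AllowUsers, so it is reached with `su -` from the SSH user's session rather than directly over the network, which is one reading of the post's separate admin and SSH users. Run `audit()` over the live `/etc/ssh/sshd_config` before restarting sshd, and keep the existing session open until a second login on the new port succeeds.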
Photo Source: Flickr

Web server administrators should take notice of a “severe” vulnerability that computer scientists have discovered in OpenSSL, the free and open source cryptographic software package used on Linux and Unix-like systems.
The bug is in OpenSSL’s cryptographic library, and the vulnerability allows attackers to retrieve a server’s private key, leaving any secure transactions, such as banking and sales, exposed to the attacker. Hundreds of thousands (perhaps even millions) of businesses, banks, and other enterprise-level institutions depend on SSL encryption, and on OpenSSL in particular.
Those who discovered it said that the attack is difficult to execute, but administrators should still be cautious. An OpenSSL spokesperson said that they are already working on a solution and will release a patch for the software. Furthermore, the attack requires access to the device’s power supply, which makes it unlikely that a typical server could be exploited this way, since most attackers work remotely. The caveat is hardware an attacker can physically reach, such as a machine in a shared colocation rack, where manipulating the supply voltage is feasible.
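The article does not explain how a computation error turns into a leaked key. As an added illustration (not from the article and not OpenSSL’s code), the script below shows the simplest fault attack on RSA signing, the Boneh-DeMillo-Lipton attack on RSA-CRT: a single signature computed with one bit error in one CRT half reveals a prime factor of the modulus. The researchers’ attack induced its errors by glitching the supply voltage and collected many faulty signatures, so this is a related, simpler technique rather than their exact method, but the lesson is the same, and the self-check at the end is the standard countermeasure. The key is a toy built from two small constructed primes, nowhere near a real key size.

```python
"""Fault attack on RSA-CRT signing and the verify-before-release check.

Added example, not from the article or from OpenSSL. The corrupted-signature
recovery is the classic Boneh-DeMillo-Lipton attack on RSA-CRT. The key is a
constructed toy built from two small known primes.
"""
from math import gcd

P, Q, E = 104729, 1299709, 65537          # constructed toy key (two known primes)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent

def crt_sign(m, fault_q=0):
    """Textbook RSA signature via the CRT (the fast path real libraries use).

    fault_q is an XOR mask applied to the mod-q half to simulate a glitch
    that corrupts one of the two half-exponentiations.
    """
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q) ^ fault_q  # the fault hits only the q half
    qinv = pow(Q, -1, P)
    h = (qinv * (sp - sq)) % P             # Garner recombination
    return (sq + h * Q) % N

def recover_factor(m, sig):
    """One faulty signature on a known message factors N.

    sig^e == m still holds mod p (that half was computed correctly) but
    fails mod q, so gcd(sig^e - m, N) is exactly p.  Without a fault the
    difference is 0 and gcd(0, N) == N, i.e. nothing is learned.
    """
    return gcd((pow(sig, E, N) - m) % N, N)

def safe_sign(m, fault_q=0):
    """Countermeasure: verify with the public key before releasing a signature."""
    sig = crt_sign(m, fault_q)
    if pow(sig, E, N) != m % N:
        raise RuntimeError("signature failed self-check; possible fault, not released")
    return sig

if __name__ == "__main__":
    m = 123456789
    good = crt_sign(m)
    bad = crt_sign(m, fault_q=1)            # single bit flip in the q half
    print("good signature verifies:", pow(good, E, N) == m)
    print("factor recovered from one faulty signature:", recover_factor(m, bad) == P)
```

The self-check costs one public-key operation per signature, which is why libraries that expose hardware-faultable code paths adopted it; it turns a key-leaking fault into a refused operation.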
Source: The Register
Photo: Ivan Petrov

According to Comodo, maker of the new Chromium-based Comodo Dragon web browser, more than half of all sites using SSL certificates may be unsafe. The reason is that these days it is very easy to buy an SSL certificate and have it issued for your website.
This trend is mainly a result of a huge spike in domain-validated (DV) SSL certificate sales. Sold by a number of registrars and resellers, including Go Daddy, these certificates are less safe because anyone who controls a domain can get one: the issuer confirms control of the domain name and nothing more. Nobody checks who operates the site or whether it is legitimate.
So in essence, just because a site has an SSL certificate doesn’t mean you can trust it. The encryption itself still works; what has been undermined is the assumption that a certificate vouches for the party on the other end. The practical check is the certificate’s subject: a DV certificate names only the domain, while an organization-validated or extended-validation certificate also names the verified organization behind it.

These days, it seems like Google runs everything. From Google Desktop to Google Search to Google WiFi in some areas, the company is in a position to collect all sorts of data about its users. The fears of privacy advocates will not be put to rest any time soon, however. In a keynote address to the Mobile World Congress today, Google CEO Eric Schmidt stated bluntly:
…[W]e can literally know everything if we want to. What people are doing, what people care about, information that’s monitored, we can literally know it if we want to, and if people want us to know it.
Fortunately, Google isn’t in the habit yet of collecting and analyzing all our personal data. But in my opinion, we should be wary.
Photo | Flickr

Microsoft provides a free tool for Windows Server 2008, the Microsoft Baseline Security Analyzer (MBSA), that scans for missing security updates and common security misconfigurations. It comes with a graphical interface and a command-line interface, and both can scan the local machine or remote systems. It looks for missing patches, performs administrative vulnerability checks, and includes checks for SQL Server 2005.
In addition to Windows Server 2008, MBSA runs on Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 systems. It scans for misconfigurations in Internet Information Services (IIS), SQL Server, Internet Explorer, and Microsoft Office. Remote scans require administrative rights on the target and the Remote Registry service running there.
MBSA is available for download from the Microsoft website and is free to download and use on Windows systems. It ships with a readme.html document covering system requirements, scan options, and support options.
Source: Microsoft
Photo: Flickr

Is there such a thing as anonymous web hosting? For those looking to host website content that is controversial or possibly illegal in their respective jurisdictions, many “anonymous web hosts” have popped up. Often located in far-flung reaches of the world, these companies promise to keep your identity secret, for a price. Are they worth the extra money?
Assuming you’re hosting something controversial but legal, no. Any reputable host will keep your contact information safe from prying eyes. What you want to look for is an established, reputable company that operates under freedom of speech and expression laws. Such a host should reveal your private information only under a court order.
If you trust your money to a fly-by-night operation overseas, good luck. Such a company is under no comparable legal obligation to keep your identity secure and may be more vulnerable to hackers. Finally, such a firm is much more likely to close its doors without notice, taking your site with it.

Whenever you start a new website, you want to make sure everyone can see it, that it loads quickly, and that hackers can’t bring it to its knees. Here are a few useful web tools to make sure you cover all three:
1. Accessibility. A-Checker - An accessibility testing tool. Simply enter the URL or upload the html file of the site page you want to evaluate, and it will test it according to HTML standards and accessibility standards.
2. Speed. Pingdom Full Page Test - This complete tester will load your entire web page, including images, CSS, Flash, and anything else you might have stuck in there. It then evaluates the overall speed as well as each item.
3. Security. Zero Day Scan - An online service that tests your website for security vulnerabilities such as Cross-Site Scripting (XSS), SQL injection, and more. It then generates a report of the test results. You must prove ownership of the domain before it will scan it, which is what keeps the service from being used to probe other people’s sites.

Any security-minded system administrator has heard of cross-site scripting (XSS). It might even keep you up at night, but there are steps you can take to identify vulnerabilities in your websites and deal with them. One method is fuzz testing: feeding a web application large numbers of unexpected or malformed inputs, for XSS typically strings containing script tags and quote characters, and watching whether they come back in the page unencoded.
Powerfuzzer is a free web fuzzer that lets administrators create custom tests for their web applications to identify vulnerabilities. In essence, it is a web application vulnerability scanner. Currently, Powerfuzzer tests for the following security vulnerabilities:
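As an added example of the fuzz-testing approach just described (this is not Powerfuzzer’s code), the script below runs a small reflected-XSS fuzzer against two in-process page handlers so that it works offline: one echoes the query parameter raw, the other HTML-escapes it. A real run would point the same loop at a live URL. The payload strings and the two handlers are constructed for the example.

```python
"""Minimal reflected-XSS fuzzer run against two in-process page handlers.

Added example; this is not Powerfuzzer's code. The two "pages" are local
functions so the script runs offline: one interpolates the query parameter
raw, the other HTML-escapes it. Payloads are constructed for the example.
"""
import html
import random
import string
from urllib.parse import parse_qs, urlencode

def vulnerable_page(query_string):
    """Search page that echoes ?q= straight into the HTML (the bug)."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"

def hardened_page(query_string):
    """Same page with output encoding for an HTML text context (the fix)."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"

def xss_payloads(n_random=5, seed=1):
    """A few known-bad strings plus random ones.

    Every payload carries the characters < > " ' that must not survive
    output encoding, and the random ones carry a unique tag so that a hit
    cannot be confused with content the page already had.
    """
    fixed = [
        "<script>alert(1)</script>",
        '"><img src=x onerror=alert(1)>',
        "'><svg/onload=alert(1)>",
    ]
    rng = random.Random(seed)
    tagged = []
    for _ in range(n_random):
        tag = "".join(rng.choice(string.ascii_lowercase) for _ in range(8))
        tagged.append(f"<fz{tag} a=\"{tag}\">'{tag}")
    return fixed + tagged

def reflected_unescaped(response, payload):
    """A finding means the payload came back byte-for-byte, i.e. unencoded."""
    return payload in response

def fuzz(handler, param="q"):
    """Send each payload in `param` and return the ones reflected unencoded."""
    hits = []
    for payload in xss_payloads():
        response = handler(urlencode({param: payload}))
        if reflected_unescaped(response, payload):
            hits.append(payload)
    return hits

if __name__ == "__main__":
    print("vulnerable page:", len(fuzz(vulnerable_page)), "payloads reflected")
    print("hardened page:  ", len(fuzz(hardened_page)), "payloads reflected")
```

A payload surviving unencoded in an HTML text context is a decisive finding. Encoding is context-dependent, though: a value landing inside a JavaScript block or a URL attribute needs different escaping than `html.escape` provides, so a scanner that only matches the raw payload will miss those cases, and a page that passes this check is not automatically free of XSS.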
You can download Powerfuzzer from the project’s website. It is free and open source software, released under the GNU General Public License.

Millions from around the world have donated to help earthquake victims in Haiti. With people so readily giving money, it’s no surprise that domain scammers are trying to take advantage of the situation. As is the norm after all disasters in the Internet age, unscrupulous con artists are registering domains and setting up fake donation sites.
The FBI sent out an alert today warning Americans of this danger. It said to watch out for spam emails and verify the legitimacy of non-profits before donating. According to the Associated Press, more than 400 domains related to the disaster have been registered since Monday. Most of them will likely be used for illegitimate purposes. Unfortunately, most of these scammers will probably never be tracked down and caught.
Photo | Flickr