Posted by Justin
on February 26, 2007
Life and Living,
Websites /
Not really, but I liked the title. Then again, I’ve seen many a newbie “web master” say the same thing whenever they look at their logs…
It appears that I’m getting a lot more traffic from blog indexing services. For instance:
bloglines.com (never heard of ‘em) indexed me the other day. While looking at their website, I was reminded of just starting a dynamic, PHP-based website that was going to be paid for by advertising. That was around the bubble and everyone was doing it, but bloglines doesn’t have that professional, crisp touch to it. Oh, and if the site admin actually sees this: no one cares about the weather anymore. That’s why I have a weather plugin for Firefox…
There are a few others that have indexed me as well, but I’m not sure about ibizconsole.net… I’m getting the spam vibe from them.
Speaking of spam, just a quick note and plugin alert… Spam Karma 2 is one of the best anti-spam plugins I’ve ever seen. This plugin has kept the spam reaching the visitors of this blog to a bare minimum. On top of that, I haven’t customized anything about Spam Karma 2, and it’s catching nearly every single spam message. Of the messages that make it through, I’ve only gotten a few from some smaller Google AdSense related spammers that literally write their own spam comments instead of using a bot.
Posted by Justin
on February 26, 2007
Microsoft /
Apparently, Microsoft is attempting to stand behind Vista, to the point where they’ve told several researchers and hackers that the User Account Control system is neither buggy nor a security issue.
Doesn’t sound like much until you read into the stories and discover that UAC houses vulnerabilities that allow attackers to install software into the kernel, or to forge the alert message that UAC uses for software installs.
You see, UAC uses color-coded alert messages for software installs to try to get users to realize, just from the color, whether the software is trusted or not. Green means it’s part of the operating system, blue means a third-party application that is signed, and yellow means not signed. This vulnerability would allow something that would normally be yellow to turn green, and one click can give an attacker full access to the computer.
Microsoft had the following to say: (stolen from Symantec)
“It’s very important to remember that UAC prompts are not a security boundary — they don’t offer direct protection,” said Whitehouse. “They do offer you a chance to verify an action before it happens. Once you allow an action to proceed, there may be no easy way back. So while Microsoft may use the word ‘trust’ in relation to UAC in some of their [other] documentation, in actual fact, even the data these UAC prompts provide you with can’t be trusted.”
Joanna Rutkowska found problems with UAC as well and Microsoft blew her off. Maybe Microsoft is either saying their UAC model is fine the way it is or they’re feverishly working on a solution while appearing to buff on the outside… Either way, I refuse to move to Vista until the release of SP1.
Posted by Justin
on February 26, 2007
Open Source Projects,
Websites /
The Honey Pot project released a technical white paper that every web application developer and wannabe web coder should read. It gives away many details on packages that have problems, what the vulnerabilities are, and how each vulnerability is exploited. Topics covered are Remote Code Inclusion, SQL Injection, and Cross Site Scripting (XSS).
What’s also surprising (but makes sense if you think about it) is that the 2006 SANS survey listed web applications as the number one cross-platform attack target. Then again, with as many people writing code and not thinking about security, I can see why this has happened. That, and people are generally not smart enough to look through code before slapping it on their web server (note: a long time ago, in a galaxy far far away, I did this too…). I’ve downloaded several packages only to delete them just from looking at the code.
The following packages are talked about in detail:
- PHP XMLRPC code injection vulnerability - because this is a library, it is very hard to estimate the number of installations.
- Mambo remote code-inclusion, around 1,300,000 publicly accessible installations.
- AWStats configdir command injection, around 170,000 publicly accessible installations. (However, access to AWStats is usually restricted so that only the site admins can view the visitor statistics.)
- PHPBB admin_styles remote code-inclusion, around 1,500,000 publicly accessible installations.
- PHPBB viewtopic code injection (the flaw that Santy exploited), around 1,500,000 publicly accessible installations.
- WebCalendar includedir remote code-inclusion, around 230,000 publicly accessible installations.
- Coppermine Photo Gallery remote code-inclusion, around 430,000 publicly accessible installations. (In this case the exploit was against the third item in the reference, a problem with theme.php and THEME_DIR.)
- Zeroboard remote code-inclusion problem, very hard to estimate number of installations.
- PHPNuke SQL injection in querylang parameter, very hard to estimate number of installations.
What surprises me is that WordPress is not on the list, given all the reporting that WordPress does in the code. If you didn’t know this: the tag <meta name="generator" content="WordPress 2.0.9" /> <!-- leave this for stats --> is in the publicly viewable code of nearly every WordPress template, front end or back end. With that reporting code WP generates, an attacker can focus specifically on a vulnerability that applies to the exact version running.
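An added example (not from the original post) of a defender’s check for this kind of version disclosure: it scans an HTML page for generator meta tags, reports any that carry a version number, and shows the hardened form that keeps the product name but drops the version. The HTML below is constructed to resemble the WordPress 2.0.9 header the post quotes; the tag-rewriting regex assumes the name attribute appears before content, as WordPress emits it.

```python
"""Audit HTML for <meta name="generator"> version disclosure."""
import re
from html.parser import HTMLParser

# Constructed sample: a header like the one the post quotes.
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="generator" content="WordPress 2.0.9" /> <!-- leave this for stats -->
<title>Example blog</title>
</head><body><p>hello</p></body></html>"""

# Constructed hardened variant: product named, version withheld.
HARDENED_HTML = SAMPLE_HTML.replace('content="WordPress 2.0.9"', 'content="WordPress"')

# "Product 1.2.3" -> product name and dotted version number.
_VERSION_RE = re.compile(r"^\s*(?P<product>[A-Za-z][\w .-]*?)\s+(?P<version>\d+(?:\.\d+)+)\s*$")

# Matches the version suffix inside a generator tag (assumes name= precedes content=).
_META_GEN_RE = re.compile(
    r'(<meta\b[^>]*\bname\s*=\s*["\']generator["\'][^>]*\bcontent\s*=\s*["\'])'
    r'([^"\']*?)(\s+\d+(?:\.\d+)+)(["\'])', re.IGNORECASE)


class _GeneratorFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing <meta ... />
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def find_generator_tags(html):
    parser = _GeneratorFinder()
    parser.feed(html)
    parser.close()
    return parser.generators


def version_disclosures(html):
    """Return (product, version) for each generator tag that leaks a version."""
    found = []
    for content in find_generator_tags(html):
        m = _VERSION_RE.match(content)
        if m:
            found.append((m.group("product"), m.group("version")))
    return found


def strip_generator_version(html):
    """Hardened form: keep the product name, drop the version number."""
    return _META_GEN_RE.sub(r"\1\2\4", html)
```

Run `version_disclosures` over a site’s rendered front page and login page; a non-empty result means the exact release is being advertised to anyone who asks.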
Anyway, enough of me talking, check out the full report.
Posted by Justin
on February 25, 2007
Life and Living /
That’s right! In PA, 2 teens in high school nearly killed a teacher over an iPod.
One teen had been listening to the iPod in class so the teacher confiscated it, just like the old days. Except, after class, the kid came back with another student. Violence ensued and all hell broke loose.
Now, the teacher is in critical care with triple spinal fractures. It’s an iPod, people! Check out the full story.
Posted by Justin
on February 25, 2007
Chicken Little /
In a reminder of what society has turned itself into by being paranoid about pranks, police panicked and blew up 2 out of 3 CD players taped under the pews of a church that started to play foul music in the middle of the Ash Wed. Mass. Check out the CNN story.
I find it absolutely crazy that our society is so worried about bombs and terrorists that we’re willing to call in the bomb squad over this kind of stuff. Seriously folks, what’s next? When the kids in college start making smoke bombs out of beer cans, are we going to call the bomb squad and round up every idiot that’s drunk?