Here is a quick script for you to check if your cPanel/WHM server is vulnerable. Execute the following as root. If you get ANY cipher output, your server can be considered vulnerable. Replace xxx.xxx.xxx.xxx with your server’s IP address. Run this in Terminal as root. If there is no cipher output, your SSL 3.0 support is disabled.
for port in 21 443 465 993 995 2083 2087 2078 2096; do echo "Scanning $port"; for cipher in $(openssl ciphers -ssl3 'ALL:eNULL' | sed -e 's/:/ /g'); do echo -n | openssl s_client -ssl3 -cipher "$cipher" -connect xxx.xxx.xxx.xxx:$port 2>&1 | grep -i "Cipher is" | grep -v "(NONE)"; done; done
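The same probe as a reusable script, added here as an example and not part of the original post: the s_client summary line is parsed so that a failed handshake, which OpenSSL reports as "Cipher is (NONE)", is not counted as a hit. The port list is the cPanel/WHM set above; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): SSLv3 probe with the
# "Cipher is (NONE)" failure line filtered out.

# Read s_client output on stdin; print the negotiated cipher, or nothing
# if no SSLv3 session was established.
negotiated_cipher() {
    # Success:  "New, SSLv3, Cipher is RC4-SHA"
    # Failure:  "New, (NONE), Cipher is (NONE)"
    sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | grep -v '^(NONE)$' | head -n 1
}

# Probe host:port with every SSLv3 suite the local OpenSSL knows and print
# "port cipher" for each suite the server accepts (no output = none accepted).
scan_sslv3() {
    host=$1; port=$2
    for cipher in $(openssl ciphers -ssl3 'ALL:eNULL' 2>/dev/null | tr ':' ' '); do
        c=$(echo | openssl s_client -ssl3 -cipher "$cipher" \
                -connect "$host:$port" 2>&1 | negotiated_cipher)
        [ -n "$c" ] && echo "$port $c"
    done
}

# Constructed s_client output for checking the parser offline.
SAMPLE_OK='CONNECTED(00000003)
---
New, SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit'
SAMPLE_FAIL='CONNECTED(00000003)
ssl handshake failure (constructed error line)
New, (NONE), Cipher is (NONE)'

# Usage: sh probe.sh <server-ip>
if [ -n "$1" ]; then
    for port in 21 443 465 993 995 2083 2087 2078 2096; do
        scan_sslv3 "$1" "$port"
    done
fi
```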
Disable SSL 3.0 in Windows
You can disable support for the SSL 3.0 protocol on Windows by following these steps: Continue reading
Connecting to a mail server using Telnet is pretty straightforward and can be used both for security testing and for actual communication. Debugging code and building applications that speak the mail protocols may require these tools, and below is a sample of how to connect to and communicate with a mail server using telnet… Continue reading
Our friend Eugene Shultz, CISM, CISSP at Emagined Security is speaking, and we recommend that our security friends, partners, and clients attend.
Date: 2 November 2010, 3pm GMT
Duration: 1 hour
As malware proliferation continues, so do the instances of organised attacks, such as the recent Stuxnet threat against industrial control systems.
The criminal intent on display is just one example of many instances that continue to impact enterprises, but go unreported by the media.
Join our panel of security experts for what promises to be an entertaining and fascinating insight into the world of advanced targeted attacks, where we aim to provide answers to the following questions: Continue reading
A cryptographic method could see cloud services work with sensitive data without ever decrypting it.
By Tom Simonite
A novel technique could see future Web services work with sensitive data without ever being able to read it. Several implementations of a mathematical proof unveiled just last year will allow cryptographers to start making the proposal more practical.
In 2009 Craig Gentry of IBM published a cryptographic proof that was that rare thing: a true breakthrough. He showed that it was possible to add and multiply encrypted data to produce a result that–when decrypted–reveals the result of performing the same operations on the original, unencrypted data. It’s like being able to answer a question without knowing what the question is. Continue reading
An AT&T security breach has exposed the email addresses of thousands of elite iPad customers, including the White House Chief of Staff.
According to ValleyWag, the breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel’s information was compromised. Continue reading
According to various reports, in the past few days a number of websites created using WordPress have been hacked. While the attack initially appeared to be limited to web sites hosted by American ISP DreamHost, it has since become apparent that blogs hosted at GoDaddy, Bluehost and Media Temple have also been affected. Unconfirmed reports by WPSecurityLock suggest that other PHP-based management systems, such as the Zen Cart eCommerce solution, have also been targeted. Continue reading
Update 2: Simple clean up solution: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
Update 1: Note that we are not blaming WordPress here. I am assuming that if the problem was on WordPress itself, the number of infected sites would be much much bigger. Maybe a plugin is vulnerable or someone stole lots of passwords. Also, all the hacked sites were on shared hosts, no one so far on a private server.
We are seeing multiple reports today of WordPress sites (running their latest version) getting compromised. The initial reports today were restricted only to Dreamhost, but now we are seeing the same pattern on blogs hosted at GoDaddy, Bluehost, Media Temple and other places. Continue reading
Web application security is often viewed incorrectly as a set of server and host-based security issues, rather than as code-level and configuration-based vulnerabilities. Although servers and hosts may still be the cause of exploitation, it is critical that security professionals recognize the major impact of poorly written web applications, as well as how their applications and servers are configured, separately and in combination. The Internet is increasingly responsible for handling and storing sensitive information and files that require security and protection. Keeping hackers at bay and assuring the privacy of private and proprietary documents is paramount. Below are the top ten security vulnerabilities and how security programmers mitigate them to prevent exploitation.
Security web programmers are often given neither the clout nor the attention they deserve. Security programmers apply a much higher degree of attention, detail, and time to programming. Secure software may require more time and money than insecure software. A comparison must be made between the cost of securing web applications and the cost of an insecure web application bringing the business down or releasing sensitive information to potentially nefarious hackers. Continue reading
By Craig Priess
March 8, 2010 11:34 AM ET
CSO – The rise in popularity and the pervasive nature of online banking over the last decade have been meteoric. The power of convenience has largely trumped customer fears about security, but there are signs that the tide may be turning. Perhaps exacerbated by the global recession and shocks to the financial markets, cybercriminals have been targeting business bank accounts at increasing frequencies over the last year, catapulting the conversation about online banking security into corporate realms. With cybercriminals readjusting their focus from individual to much more lucrative business accounts, this disturbing trend is now getting the attention of authorities such as the FBI, FDIC, and Department of Homeland Security, and has been described by many as a leading cybercriminal trend for 2010. Continue reading