[ale] semi OT - misc security issues to think about - 07/12/12
Ted W
ted at techmachine.net
Fri Jul 13 09:05:11 EDT 2012
On Jul 12, 2012, at 4:11 PM, Ron Frazier (ALE) wrote:
> Hi all,
>
> FWIW, here are some miscellaneous security items that you might want to be aware of that I heard on the latest Security Now podcast. I haven't had any chance to investigate any of these in detail.
>
> * If you're a LastPass user, there is a setting in the options which allows you to turn on iterative password hashing. This helps prevent brute force attacks on your password. Recommended setting is 512 I believe. Apparently, for some accounts, it is not turned on by default.
>
> * If you're forced to use Windows, a vulnerability in Vista and Windows 7 sidebars and gadgets has been discovered which potentially allows an attacker to do "remote code execution". In other words, they can take over your machine. Microsoft has released a FixIt button on their website to totally disable sidebars and gadgets.
>
> * The following applies if you use the Plesk website management system. This is a quote from the following website:
>
> http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html
>
> "The first issue is that old versions of Plesk store passwords in clear text (yes, clear text in 2012). The second is a remote SQL vulnerability that has been found in old versions of Plesk allowing attackers to exploit those passwords."
>
> As I understand it, even if your Plesk installation has been updated, the passwords in the database are vulnerable until they are changed.
>
> Sincerely,
>
> Ron
>
> --
>
> (To whom it may concern. My email address has changed. Replying to former
> messages prior to 03/31/12 with my personal address will go to the wrong
> address. Please send all personal correspondence to the new address.)
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone. I get about 300 emails per day from alternate energy
> mailing lists and such. I don't always see new email messages very quickly.)
>
> Ron Frazier
> 770-205-9422 (O) Leave a message.
> linuxdude AT techstarship.com
If I heard the report correctly, LastPass users with existing accounts do NOT have iterative hashing enabled and must manually go into their settings and turn it on. For new LastPass users (signed up after this announcement was made), the option will be enabled by default.
And, not to hijack this and turn it into a discussion about Micro$oft (in)security, if you run ANY version make sure your systems are up to date (DUH!!!). They recently released a patch for the XML Core Services vulnerability (finally!!!) -- http://technet.microsoft.com/en-us/security/bulletin/ms12-043
--
Ted W. < Ted at Techmachine.net >
Registered GNU/Linux user #413569
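As an added illustration (not from either poster, and not LastPass's own implementation), a generic PBKDF2-HMAC-SHA256 demonstration in Python of why the iteration count matters: each guess an attacker tries must pay the same iterated cost as the legitimate verification, and a key derived at one iteration count does not verify at another. The password, salt and iteration counts are constructed example values.

```python
"""Iterated password hashing: a generic PBKDF2 demonstration.

Assumptions (not LastPass's actual scheme): PBKDF2-HMAC-SHA256, a 32-byte
derived key, and constructed example values for password, salt and
iteration counts.
"""
import hashlib
import os
import time

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key from the password at the given iteration cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)

def verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Verifier side: recompute with the SAME iteration count and compare."""
    return derive_key(password, salt, iterations) == stored

def guess_cost(candidates, salt: bytes, iterations: int, stored: bytes):
    """Offline guessing of a leaked (salt, iterations, stored) record.

    Returns (matched_candidate_or_None, seconds_spent). Every candidate costs
    a full PBKDF2 run, so the defender's iteration count sets the attacker's
    per-guess price.
    """
    start = time.perf_counter()
    hit = None
    for c in candidates:
        if derive_key(c, salt, iterations) == stored:
            hit = c
            break
    return hit, time.perf_counter() - start

def cost_ratio(low: int, high: int, rounds: int = 50) -> float:
    """How many times slower `high` iterations are than `low` per guess."""
    salt = b"constructed-salt"  # example value
    t0 = time.perf_counter()
    for _ in range(rounds):
        derive_key("probe", salt, low)
    t_low = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(rounds):
        derive_key("probe", salt, high)
    return (time.perf_counter() - t0) / max(t_low, 1e-9)

if __name__ == "__main__":
    salt = os.urandom(16)
    stored = derive_key("correct horse", salt, 512)
    print(guess_cost(["password", "letmein", "correct horse"], salt, 512, stored))
    print("512 vs 1 iteration cost ratio: %.1fx" % cost_ratio(1, 512))
```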