Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Ontrack Data Recovery: Data loss prevention tips
http://list.windowsitpro.com/t?ctl=4CFB8:57B62BBB09A69279E815B5C43101D5A9

Free White Paper: Address the Insider Threat
http://list.windowsitpro.com/t?ctl=4CFC4:57B62BBB09A69279E815B5C43101D5A9

Podcast: The Inside Story on Forefront Client Security
http://list.windowsitpro.com/t?ctl=4CFAB:57B62BBB09A69279E815B5C43101D5A9

=== CONTENTS ===================================================

IN FOCUS: Secure PHP Configuration

NEWS AND FEATURES
- RFID Hacking Presentation Draws Legal Threats
- 5 Vulnerabilities Kick Off Month of PHP Bugs
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: Firefox 2.0.0.2 Released--Finally!
- FAQ: Enable Parental Controls in Vista
- Share Your Security Tips
- Microsoft Learning Paths for Security: Securing Your Messaging Infrastructure

PRODUCTS
- Assess Your Data Vulnerability
- Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Ontrack Data Recovery =============================

Ontrack Data Recovery: Data loss prevention tips

Snow storms, extreme heat, hurricanes... they all have the potential to interrupt your business and damage your data storage systems. While your business might never be directly impacted by a natural disaster, data loss can strike companies anytime and anywhere. Be prepared by learning how to prevent data loss and what to do when data loss affects your business. Ontrack Data Recovery, the world leader in data recovery services and software, is pleased to offer a FREE e-newsletter that addresses data loss prevention and response.
Recent topics discussed in Ontrack's Data Recovery News include:
- Seven things to avoid when your drive crashes
- Data recovery options for flash media
- Do-it-yourself data recovery software products

Sign up for the FREE Ontrack Data Recovery Newsletter today:
http://list.windowsitpro.com/t?ctl=4CFB8:57B62BBB09A69279E815B5C43101D5A9

=== IN FOCUS: Secure PHP Configuration =========================
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

A Month of PHP Bugs was launched March 1. If you missed last week's editorial about this initiative, you can read it on our Web site at the URL below. Be sure to also read the related news item "5 Vulnerabilities Kick Off Month of PHP Bugs," which you can link to from the Security News and Features section below.
http://list.windowsitpro.com/t?ctl=4CFB9:57B62BBB09A69279E815B5C43101D5A9

So far, Stefan Esser has posted several interesting vulnerabilities on his Month of PHP Bugs site, some of which you can avoid by specific practices. If you use PHP on your server, then you need to examine its configuration to make sure you're not overly exposing aspects of the engine, which could in turn expose your entire system and possibly other parts of your network.

If your Web system is closed (i.e., you don't allow others to upload or create any files), your potential security risks are more limited than if it's open. Either way, you need to take precautions to ensure that certain functions aren't usable unless you intend for them to be used. One example is that PHP can allow the use of the exec and shell_exec functions, which essentially let you run OS commands and retrieve the output.

I've used the shell_exec function to good advantage. I had an account with a Web hosting company, which had a server that would frequently slow to a crawl, making nearly all access impossible. I grew tired of the support staff's vague explanations and decided to investigate the problem myself.
With the help of the shell_exec function (and a few others), I could use PHP to look at a lot of the server's operational characteristics. I discovered the bottleneck, contacted support, and alluded to the problem. I figure the support team members scratched their heads for a couple months wondering how I knew what was happening before they finally wised up and disabled the shell_exec function.

In another example, I signed up for a blog at a popular site, which will remain unnamed here. I wanted specific blog functionality that wasn't available, so I went to work on a way around the limitations. I discovered that this site too allowed dangerous functions to operate. With a little work, I could navigate nearly the entire server disk subsystem at will, read configuration files, discover path information, and then manipulate my blog to gain the functionality I wanted by using the information I had gathered to enable my custom scripts to run. Eventually, the site staff figured out what was happening and disabled many dangerous functions.

In addition to exec and shell_exec, some dangerous PHP functions are suexec, passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, system, popen, pclose, dl, ini_set, virtual, set_time_limit, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, and escapeshellarg.
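To check a server against the function list above, here is an added audit script (example code, not from the newsletter or from the PHP project). It assumes only stock PHP: it reads the effective disable_functions setting from the loaded php.ini, cross-checks it with function_exists(), and prints which listed functions remain callable together with a disable_functions line in the syntax the column uses.

```php
<?php
// Added example, not from the newsletter: audit which functions from the
// column's list are still callable under the php.ini this SAPI loaded.
// Run it through the same SAPI your site uses (mod_php, FastCGI, ...),
// because the CLI may read a different php.ini than the Web server does.

// Function list as given in the column. "suexec" is kept because the column
// names it, although it is an Apache helper rather than a PHP function.
$risky = [
    'exec', 'shell_exec', 'suexec', 'passthru', 'proc_open', 'proc_close',
    'proc_get_status', 'proc_nice', 'proc_terminate', 'system', 'popen',
    'pclose', 'dl', 'ini_set', 'virtual', 'set_time_limit',
    'apache_child_terminate', 'posix_kill', 'posix_mkfifo', 'posix_setpgid',
    'posix_setsid', 'posix_setuid', 'escapeshellcmd', 'escapeshellarg',
];

// disable_functions is PHP_INI_SYSTEM: only php.ini or the server config can
// set it, so a script cannot re-enable anything and ini_get() shows the
// effective policy. The value is a comma-separated list that may contain
// whitespace; PHP function names are case-insensitive.
$raw = (string) ini_get('disable_functions');
$disabled = array_filter(array_map('trim', explode(',', strtolower($raw))));

function classify(string $fn, array $disabled): string
{
    if (in_array(strtolower($fn), $disabled, true)) {
        return 'disabled';
    }
    // function_exists() is false both for disabled functions and for ones this
    // build does not provide at all (virtual() outside mod_php, posix_*
    // without the posix extension, dl() in most non-CLI SAPIs).
    return function_exists($fn) ? 'ENABLED' : 'not available';
}

printf("SAPI: %s\nphp.ini: %s\n\n", PHP_SAPI, php_ini_loaded_file() ?: '(none)');

$stillOn = [];
foreach ($risky as $fn) {
    $state = classify($fn, $disabled);
    printf("%-24s %s\n", $fn, $state);
    if ($state === 'ENABLED') {
        $stillOn[] = $fn;
    }
}

if ($stillOn) {
    // Existing entries plus the ones found enabled, in the column's syntax.
    $line = implode(', ', array_unique(array_merge($disabled, $stillOn)));
    printf("\nSuggested php.ini line:\ndisable_functions = \"%s\"\n", $line);
}
```

Compare the ENABLED entries against what your applications actually call before copying the suggested line, since the column's list includes helpers such as set_time_limit and escapeshellarg that ordinary applications may rely on.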
Go to this URL for other potentially dangerous functions:
http://list.windowsitpro.com/t?ctl=4CFAF:57B62BBB09A69279E815B5C43101D5A9

You can disable functions by adding (or editing) a line in your php.ini file like this:

disable_functions = "shell_exec, suexec, passthru"

More help for configuring PHP can be found at these URLs:

Ayman Hourieh's Blog
http://list.windowsitpro.com/t?ctl=4CFB4:57B62BBB09A69279E815B5C43101D5A9

WEB-DOT-DEV--PHP Configuration
http://list.windowsitpro.com/t?ctl=4CFAE:57B62BBB09A69279E815B5C43101D5A9

PHP Manual
http://list.windowsitpro.com/t?ctl=4CFC1:57B62BBB09A69279E815B5C43101D5A9

PHP Security Consortium's PhpSecInfo
http://list.windowsitpro.com/t?ctl=4CFC3:57B62BBB09A69279E815B5C43101D5A9

Finally, a good resource with lots of other links (including books) is available at the PHP Security Consortium's Web site:
http://list.windowsitpro.com/t?ctl=4CFC7:57B62BBB09A69279E815B5C43101D5A9

=== SPONSOR: NetIQ =============================================

Free White Paper: Address the Insider Threat

Learn how to develop a comprehensive management system that virtually eliminates the risk of an insider threat. Co-authored by NetIQ and Dr. Eric Cole, this informative white paper identifies the key business processes that must be secured so you're ready to build a solution to contain the insider threat.
http://list.windowsitpro.com/t?ctl=4CFC4:57B62BBB09A69279E815B5C43101D5A9

=== SECURITY NEWS AND FEATURES =================================

RFID Hacking Presentation Draws Legal Threats
IOActive, a consulting firm that specializes in information risk management and application security analysis, was slated to give a presentation on RFID hacking at the Black Hat DC Briefings last week; however, the presentation was withdrawn due to controversy.
http://list.windowsitpro.com/t?ctl=4CFBA:57B62BBB09A69279E815B5C43101D5A9

5 Vulnerabilities Kick Off Month of PHP Bugs
Of the first five vulnerabilities posted by Stefan Esser, two could cause a system crash, one could cause maximum CPU usage, thereby creating a Denial of Service (DoS) condition, and two can be exploited to cause data overflow conditions.
http://list.windowsitpro.com/t?ctl=4CFB6:57B62BBB09A69279E815B5C43101D5A9

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://list.windowsitpro.com/t?ctl=4CFB0:57B62BBB09A69279E815B5C43101D5A9

=== SPONSOR: Core Security =====================================

Podcast: The Inside Story on Forefront Client Security

Are all of your malware definitions completely up to date? If they are, then you are halfway home to total malware protection. Windows Vista may be the most secure Microsoft OS ever released, but malware is constantly evolving, and sometimes out-of-the-box security just isn't enough. In this exclusive podcast, Windows IT Pro Research and Strategy Director Karen Forster interviews Microsoft Product Manager Josue Fontanez about Microsoft's unified malware protection package: Forefront Client Security.
http://list.windowsitpro.com/t?ctl=4CFAB:57B62BBB09A69279E815B5C43101D5A9

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Firefox 2.0.0.2 Released--Finally!
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4CFC0:57B62BBB09A69279E815B5C43101D5A9

Mozilla Foundation released Firefox 2.0.0.2, fixing many security bugs along with other annoying problems.
http://list.windowsitpro.com/t?ctl=4CFBB:57B62BBB09A69279E815B5C43101D5A9

FAQ: Enable Parental Controls in Vista
by John Savill, http://list.windowsitpro.com/t?ctl=4CFBE:57B62BBB09A69279E815B5C43101D5A9

Q: How do I enable the Windows Vista Parental Controls feature on a domain-joined machine?

Find the answer at
http://list.windowsitpro.com/t?ctl=4CFB5:57B62BBB09A69279E815B5C43101D5A9

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@private. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

MICROSOFT LEARNING PATHS FOR SECURITY: Securing Your Messaging Infrastructure
These resources provide guidance on securing your messaging infrastructure, including best practices for message hygiene technologies and configuration strategies. You'll also get an in-depth look at the Microsoft Forefront line of business security products, which help protect application servers such as Microsoft Exchange Server 2007, Microsoft Office SharePoint Server 2007, and Microsoft Office Communications Server 2007.
http://list.windowsitpro.com/t?ctl=4CFBC:57B62BBB09A69279E815B5C43101D5A9

=== PRODUCTS ===================================================
by Renee Munshi, products@private

Assess Your Data Vulnerability
Scentric announced the availability of the Data Privacy Assessment Tool, which you can download and use for 30 days if you register on the Scentric Web site. The tool classifies files on laptops, desktops, and file servers, discovering data from several preset categories, including confidential, copyright, credit cards, Social Security numbers, payroll, and health. After you determine your level of vulnerability, you can use Scentric Destiny Enterprise Suite for Data Privacy to enforce policies.
The Destiny Enterprise Suite includes a classification engine, support for major file types including Microsoft Exchange email, and prebuilt rule sets that provide automated operations and a foundation for protecting sensitive information. For more information, go to
http://list.windowsitpro.com/t?ctl=4CFC8:57B62BBB09A69279E815B5C43101D5A9

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit
http://list.windowsitpro.com/t?ctl=4CFBD:57B62BBB09A69279E815B5C43101D5A9

Every business faces risk. Have you properly assessed your company's risk and put a focus on business continuity? Attend this free, on-demand Web seminar to learn how you can ensure seamless recovery of your key systems and keep your users continuously connected.
http://list.windowsitpro.com/t?ctl=4CFAA:57B62BBB09A69279E815B5C43101D5A9

Because a secure email and messaging infrastructure is fundamental to your business, every organization needs to plan from the start for three fundamental email and messaging management services: security, availability, and control services. This eBook explains how to implement those services in a Microsoft-centric email and messaging environment. Download now!
http://list.windowsitpro.com/t?ctl=4CFAC:57B62BBB09A69279E815B5C43101D5A9

Windows + UNIX/Linux = You Need TechX World!
If you work in an environment that includes Windows plus UNIX or Linux, TechX World is the place to go for practical strategies and resources to add to your toolkit. This one-day technical training event will teach you how to make the most of open-source tools on Windows and how to manage and sync multiple directories. Register today!
http://list.windowsitpro.com/t?ctl=4CFB7:57B62BBB09A69279E815B5C43101D5A9

=== FEATURED WHITE PAPER =======================================

Do you want to block unwanted or undesirable email? Download this free white paper to learn how to manage the content of messages traveling your network.
http://list.windowsitpro.com/t?ctl=4CFAD:57B62BBB09A69279E815B5C43101D5A9

=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
http://list.windowsitpro.com/t?ctl=4CFB1:57B62BBB09A69279E815B5C43101D5A9

Grab Your Share of the Spotlight!
Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting April nominations now, but only for a limited time! Submit your nomination today:
http://list.windowsitpro.com/t?ctl=4CFC2:57B62BBB09A69279E815B5C43101D5A9

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://list.windowsitpro.com/t?ctl=4CFBF:57B62BBB09A69279E815B5C43101D5A9
http://list.windowsitpro.com/t?ctl=4CFC6:57B62BBB09A69279E815B5C43101D5A9

Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=4CFB3:57B62BBB09A69279E815B5C43101D5A9

Be sure to add Security_UPDATE@private to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- letters@private
About technical questions -- http://list.windowsitpro.com/t?ctl=4CFC5:57B62BBB09A69279E815B5C43101D5A9
About your product news -- products@private
About your subscription -- windowsitproupdate@private
About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
http://list.windowsitpro.com/t?ctl=4CFB2:57B62BBB09A69279E815B5C43101D5A9

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Thu Mar 08 2007 - 01:17:49 PST