Category: security

damn, I think I got hit by a 419er

I am normally pretty careful about my on-line security and privacy. I take a lot of care to ensure that my home network is nailed down tightly and all the clients and servers on it are also nailed down as well as I know how. I don’t use software which is susceptible to the majority …

Continue reading

Permanent link to this article: https://baldric.net/2011/01/23/damn-i-think-i-got-hit-by-a-419er/

critical security update to wordpress

This blog comes to you courtesy of those excellent free open source authors who have contributed to wordpress. Unfortunately, in common with all software, wordpress inevitably has some bugs. Worse, some of the those bugs can occasionally be sufficiently bad as to make the software vulnerable to remote exploitation by ne’er do wells and other …

Continue reading

Permanent link to this article: https://baldric.net/2011/01/04/critical-security-update-to-wordpress/

professional ability

I was skimming through a series of security related sites last week when I came across an article referring to someone described as something like “A Person, M.Inst.ISP, CISM, CISSP, MBCS, CITP, BSc, Director of etc…..” and I found myself wondering what that all actually meant. Yes, I know what the letters stand for, hell …

Continue reading

Permanent link to this article: https://baldric.net/2010/09/25/professional-ability/

update to autossh – or how ServerAliveInterval makes this unnecessary

I had a couple of comments on my earlier post about autossh which suggested that I should look at alternative mechanisms for keeping my ssh tunnel up. Rob in particular suggested that setting “ServerAliveInterval” should work. Oddly I had tried this in the past whilst trying out various configuration options and I swear it didn’t …

Continue reading

Permanent link to this article: https://baldric.net/2010/08/27/update-to-autossh-or-how-serveraliveinterval-makes-this-unnecessary/

autossh – or how to use tor through a central ssh proxy

Since I first set up a remote tor node on a VPS about this time last year, I have played about with various configurations (and used different providers) but I have now settled on using two high bandwidth servers on different networks. One (at daily.co.uk) allows 750 Gig of traffic per month, the other (a …

Continue reading

Permanent link to this article: https://baldric.net/2010/08/01/autossh-or-how-to-use-tor-through-a-central-ssh-proxy/

scroogle is having a problem

I posted a note about scroogle back in January. Scroogle offered an SSL interface to the google engine, and, moreover, didn’t lumber its users with google cookies and sundry other irritations. Since then, however, google themselves have started to offer an SSL interface and, coincidentally, scroogle seem to have started to have some problems. If …

Continue reading

Permanent link to this article: https://baldric.net/2010/07/04/scroogle-is-having-a-problem/

tor server compromise

According to this post by Roger Dingledine, two tor directory servers were compromised recently. In that post Dingledine said: In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we’d recently set up to serve metrics data and graphs. The three servers …

Continue reading

Permanent link to this article: https://baldric.net/2010/01/22/tor-server-compromise/

using scroogle

For completeness, my post below should have pointed to the scroogle search engine which purportedly allows you to search google without google being able to profile you. Neat idea if you must use google (why?) but it still fails the Hal Roberts test of what to do if the intermediate search engine is prepared to …

Continue reading

Permanent link to this article: https://baldric.net/2010/01/02/using-scroogle/

where has my money gone

Like most ‘net users I know these days, I conduct most of my financial transactions on-line. But on-line banking is a high risk activity, particularly if you use the “default” OS and browser combination to be found on most PCs. I don’t, but that doesn’t make me invulnerable, just a slightly harder target. So attempts …

Continue reading

Permanent link to this article: https://baldric.net/2009/10/15/on-line-banking-security/

wordpress security

At about the time I decided to move trivia to my own VPS, there was a lot of fuss about a new worm which was reportedly exploiting a vulnerability in all versions <= 2.8.3. Even the Grauniad carried some (rather inaccurate) breathless reporting about how the wordpress world was about to end and maybe we …

Continue reading

Permanent link to this article: https://baldric.net/2009/09/20/wordpress-security/

wordpress on lighttpd

I have commented in the past how I prefer lighttpd to apache, particularly on low powered machines such as the slug. I used to be a big apache fan, in fact I think I first used it at version 1.3.0 or maybe 1.3.1, having migrated from NCSA 1.5.1 (and before that Cern 3.0) back in …

Continue reading

Permanent link to this article: https://baldric.net/2009/09/12/wordpress-on-lighttpd/

wordpress woes

As is common with many blogs, my public ramblings on this site are made possible through the ease of use and flexibility of the mysql/php based software known as wordpress.. And again, as is common to much php/mysql based software, that package has vulnerabilities – sometimes serious, remotely exploitable vulnerabilities. When vulnerabilities are made public, …

Continue reading

Permanent link to this article: https://baldric.net/2009/08/26/wordpress-woes/

zf05

I really missed the old phrack magazine. Some of the “loopback” entries in particular are superb examples of technical nous, complete irreverance and deadpan humour. One of my favourites (from phrack 55) appears in my blogroll under “network (in)security”. I am particularly fond of the observation that details of how to exploit old vulnerabilities are …

Continue reading

Permanent link to this article: https://baldric.net/2009/08/02/zf05/

tor on a vps

I value my privacy – and I dislike the increasing tendency of every commercial website under the sun to attempt to track and/or profile me. Yes, I know all the arguments in favour of advertising, and well targeted advertising at that, but I get tired of the Amazon style approach which assumes that just because …

Continue reading

Permanent link to this article: https://baldric.net/2009/07/05/tor-on-a-vps/

bad science and worse

I’m a big fan of Ben Goldacre’s “bad science” column in the Guardian. He is particularly scathing about quackery and spurious medical science. His views of “Dr” Gillian McKeith in particular are well worth reading. Whilst I was reading one of his columns recently, I was reminded of another “Dr” who seems to get away …

Continue reading

Permanent link to this article: https://baldric.net/2009/03/29/bad-science-and-worse/

and yet more DNS lunacy

A company called Unified Root is offering to register new top level domains in advance of the proposed ICANN changes. The company describes itself in the following terms: “UnifiedRoot (Unified Root) is an independent, privately owned company, based in Amsterdam, which makes corporate and public top-level domains (TLDs) available worldwide. Through our own efforts and …

Continue reading

Permanent link to this article: https://baldric.net/2008/12/24/and-yet-more-dns-lunacy/

more DNS silliness

I came across an interesting post on Avert labs site recently. That post pointed to an earlier SANS posting, which in turn, referenced a Symantec discussion of a new Trojan called Trojan.Flush.M. This trojan is an interesting variant of a class of trojans which hijack local DNS settings to force the compromised machine to use …

Continue reading

Permanent link to this article: https://baldric.net/2008/12/24/more-dns-silliness/

gun, foot, shoot

As a chartered member of the British Computer Society (BCS) I recently received through the post my voting forms for the 2008 AGM. The process gives me the option of voting electronically using a website run by Electoral Reform Services. My security codes (two separate numeric IDs, one of six characters, the other of four) …

Continue reading

Permanent link to this article: https://baldric.net/2008/09/25/gun-foot-shoot/

webanalytics – just say no

I have just built myself a new intel core 2 duo based machine to replace one of my older machines which was beginning to struggle under the load of video transcoding I was placing upon it. The new machine is based on an E8400 and is nice and shiny and fast. Because it is a …

Continue reading

Permanent link to this article: https://baldric.net/2008/09/12/webanalytics-just-say-no/

trusting DNS

Dan Kaminsky has (quite rightly) been hitting the press a lot in the weeks since 8 July when he announced the work done to fix a flaw he had discovered in DNS. The vulnerability itself was new, but its impact (cache poisoning) was not. Indeed, we’ve known about the dangers of poisoned DNS caches for …

Continue reading

Permanent link to this article: https://baldric.net/2008/08/10/trusting-dns/

implementing mailman and postfix with lighttpd on debian

I recently needed to set up a mailing list for a group of friends (my bike club). I had become tired of mail bounces and failures because we were all relying on an out of date list of addresses originally cobbled together by one member. That list of addresses was routinely used in “reply all” …

Continue reading

Permanent link to this article: https://baldric.net/2008/07/22/implementing-mailman-and-postfix-with-lighttpd-on-debian/

backtrack 3 released

Any half decent sysadmin will routinely test the security of his or her own systems. A good, and sensible, sysadmin will follow up those tests with an independent security audit by a professional company – preferably one which is a member of a recognised industry body (such as CREST). Finding the holes in your security …

Continue reading

Permanent link to this article: https://baldric.net/2008/06/20/backtrack-3-released/

dental dos

On Tuesday 17 June, Craig Wright, supposedly “Manager of Risk Advisory Services” in an Australian Company called “BDO Kendalls”, posted a rather odd note to Bugtraq and a few other security related lists titled “Hacking Coffee Makers”. In that posting he said that the Jura F90 Coffee maker (which can apparently be networked) was vulnerable …

Continue reading

Permanent link to this article: https://baldric.net/2008/06/19/dental-dos/

xkcd on the openssl fiasco

I’ve had my attention drawn to Randall Munroe’s take on the openssl coding change problem. Beautiful.

Permanent link to this article: https://baldric.net/2008/06/05/xkcd-on-the-openssl-fiasco/