
Monthly Archives: September 2014

29 Sep 2014

Shellshock Bug is The Newest and Simplest Hack for Launching Botnet Attacks

by Bill

The National Vulnerability Database reported yesterday that “GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.”

In layman’s terms, as Wired magazine put it, “With a bug as dangerous as the “shellshock” security vulnerability discovered yesterday, it takes less than 24 hours to go from proof-of-concept to pandemic.” Wired went on to report that “multiple attacks were already taking advantage of that vulnerability, a long-standing but undiscovered bug in the Linux and Mac tool Bash that makes it possible for hackers to trick Web servers into running any commands that follow a carefully crafted series of characters in an HTTP request.”

As with all computer security vulnerabilities, the work needed to completely eliminate any possibility of a hack by a seasoned expert will always be a high-tech game of cat and mouse, but the real danger of something like Shellshock comes down to its speed and simplicity. This isn’t a bug that requires a team of data security savants to execute; it’s something that run-of-the-mill internet trolls and novice security pests can put to use in minutes to cause significant disruption or financial losses for online enterprises.

The Bash bug exploited by Shellshock was discovered by noted security analyst Stéphane Chazelas and announced in an alert from the US Computer Emergency Readiness Team (CERT), but a complete, automated fix has not yet been released. Red Hat recently warned that the patch initially released to deal with the vulnerability can be circumvented by an assailant using “specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions.”

For the time being, the best defense against this potential threat is constant vigilance and manual oversight by trained data security professionals. NationalNet will continue to keep our clients informed as to the progress being made by CERT, Red Hat and others while we take every possible precaution to reduce risk and maintain the free flow of data without the inhibitions or alternate goals of Shellshock distributors.
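As an added example (not code from the original post or from any vendor), a POSIX shell function that runs the widely published probe for the original bug against the local bash: it exports a variable whose value is a function definition followed by a trailing command and reports whether bash executed that trailing command. The function names and the optional bash-path argument are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: checks whether the installed
# bash still executes a command placed after a function definition in an
# environment variable, the behaviour the Shellshock advisory describes.
# A patched bash treats the trailing text as data; an unpatched build runs it.

# Returns 0 when bash is absent or ignores the trailing command,
# 1 when the trailing command was executed (vulnerable build).
shellshock_check() {
    bash_bin=${1:-bash}            # path or name of the bash binary under test
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "$bash_bin not found: nothing to check"
        return 0
    fi
    # The child bash imports exported variable x as a function definition;
    # only a vulnerable build also runs the "echo" that follows it.
    probe_out=$(env x='() { :;}; echo PROBE_EXECUTED' "$bash_bin" -c 'echo ok' 2>/dev/null)
    case "$probe_out" in
        *PROBE_EXECUTED*)
            echo "$bash_bin is VULNERABLE: trailing command in env var was executed"
            return 1 ;;
        *)
            echo "$bash_bin ignored the trailing command (patched or unaffected)"
            return 0 ;;
    esac
}

# Prints the bash version next to the result so repeated runs can be compared
# after each vendor update.
shellshock_report() {
    if command -v bash >/dev/null 2>&1; then
        bash -c 'echo "bash version: $BASH_VERSION"'
    fi
    shellshock_check "$@"
}

shellshock_report "$@"
```

A clean result from this probe only covers the first bug; the incomplete-fix variant quoted from the NVD above needs the vendor's follow-up test, so treat a pass here as "patched for the original issue", not "fully fixed".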

16 Sep 2014

Yahoo Was Threatened By NSA With $250,000 Per Day Fines Over PRISM Compliance

by Bill

In the rush to judgement over the government’s PRISM surveillance program, many were quick to blame companies for being complicit with government agencies snooping on their users’ communications. In fact, many saw the technology companies who participated as legally responsible for what was widely perceived as a breach of proper conduct precipitated by an unconstitutional action by the US government.

While it certainly was a shocking revelation to discover that some of the biggest names in tech were giving the government access to their users’ communications, including Yahoo, Microsoft, Facebook, Google, AOL, Skype, YouTube, PalTalk and Apple, it has recently become apparent that there may have been significant governmental coercion involved.

The first company approached by the government when the program began in 2007 was Yahoo, and recently unsealed court documents reveal that Yahoo fought the government vociferously against what it saw as an unconstitutional demand. Given the nature of the legal proceedings, we’re only finding out the details now, but the approximately 1,500 pages that were recently released show that Yahoo fought the demand, lost and appealed, before being ordered to cooperate by the Foreign Intelligence Surveillance Court (FISC). Further, to ensure immediate compliance, Yahoo was threatened with a $250,000 per day fine should it fail to cooperate. Additionally, the government received permission from the court to share the ruling with the other tech companies it would approach, assuring it had a very large stick unsheathed in its arsenal for all subsequent meetings with the rest of the tech industry.

On Yahoo’s corporate blog, its General Counsel, Ron Bell, indicated that in addition to the original battle in the courts, the company has been fighting to get the records of the proceedings released, which resulted in this most recent document release, and stated: “Users come first at Yahoo. We treat public safety with the utmost seriousness, but we are also committed to protecting users’ data. We will continue to contest requests and laws that we consider unlawful, unclear, or overbroad.”

08 Sep 2014

New HTML Element Will Speed Up the Entire Internet for Consumers

by Bill

As of August 2014, the size of the average page on the top 1,000 internet sites was 1.7MB according to analysts at Ars Technica, with images accounting for more than half that size, weighing in at nearly 1MB of the 1.7MB total. Now the new HTML Picture element is solving the size problem, speeding up data delivery and reducing the weight of most pages, which is essential in an era where many consumers visit sites from mobile devices on capped, metered data plans.

Any time a server sends a page to a browser, the browser downloads all the HTML on the page first and then parses it to display each element of the page. Modern browsers like Chrome speed up load times by downloading images first and then parsing the page body. That means your browser is already downloading images before it knows where or how to display them.

The Picture element was conceived by developers working at the Boston Globe, including Mat Marquis, who is credited as a co-author of the new HTML specification. “We started with an image for mobile and then selectively enhanced it up from there. It was a hack using cookies and JavaScript. It worked up until about a week before the site launched,” Marquis told Ars Technica. “We started trying to hash out some solution that we could use going forward… but nothing really materialized.” However, their efforts and the public discussion of the problem did lead to other developers becoming key parts of the conversation.

It was Bruce Lawson of Opera who first suggested that creating a new HTML element might be necessary to fully solve the problem. The developers soon took the idea of a Picture element to WHATWG, one of the two standards groups that oversee the development of HTML. WHATWG is primarily a consortium of browser vendors. Meanwhile the W3C (the other group that oversees HTML) launched “community groups” to encourage outsiders to become more involved in the standards process. After the Picture element was rejected by WHATWG, the developers started a community group, and the Responsive Images Community Group (RICG) was born. In that group Marquis and hundreds of other developers worked toward a responsive image solution that solved the problem.

Opera’s Simon Pieters and Google’s Tab Atkins backed an idea to make Picture a wrapper for the Img element rather than a second, separate element for images on the Web. Now, any time a browser encounters a Picture element, it first evaluates the rules the developer specifies and then picks the best image based on its own criteria. As one example of its use in practice, browsers may allow a site owner to stop high-resolution images from being loaded over 3G access, seamlessly reducing load times and page sizes in the background while maintaining an excellent user experience.

Firefox and Chrome have already committed to supporting the Picture element and the impact of this open source collaboration may be felt across consumer connections online for millions of web users on a daily basis in the weeks, months and years to come.

NationalNet, Inc., Internet - Web Hosting, Marietta, GA