Hacker commandeers GitHub to prove Rails vulnerability

By Mike S

A Russian hacker dramatically demonstrated one of the most common security weaknesses in the Ruby on Rails web application language. By doing so, he took full control of the databases GitHub uses to distribute Linux and thousands of other open-source software packages.

Egor Homakov exploited what’s known as a mass assignment vulnerability in GitHub to gain administrator access to the Ruby on Rails repository hosted on the popular website. The weekend hack allowed him to post an entry in the framework’s bug tracker dated 1,001 years into the future. It also allowed him to gain write privileges to the code repository. He carried out the attack by replacing a cryptographic key of a known developer with one he created. While the hack was innocuous, it sparked alarm among open-source advocates because it could have been used to plant malicious code in repositories millions of people use to download trusted software.

It’s a vulnerability that’s on by default so developers can turn it off if they don’t use it, but I agree with Homakov – it should be off by default and enabled when needed.
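To make the mechanism concrete, here is an added illustration (not code from the article, from Rails or from GitHub) of the mass assignment pattern in plain Ruby: a stand-in for an ActiveRecord-style model that writes every submitted parameter onto the record, beside an allow-list version that only accepts the fields the form is meant to change. The `Account` class, its attributes and the tampered request are hypothetical and constructed for the example.

```ruby
# Added illustration of mass assignment (hypothetical model, not Rails code).
class Account
  attr_reader :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Vulnerable pattern: every key in the request body becomes an attribute.
  # A request that adds "admin" => true to an ordinary profile-update form
  # turns the caller into an administrator. (Keys here are assumed to be
  # valid Ruby identifiers; instance_variable_set raises on anything else.)
  def update_attributes_unsafe(params)
    params.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Hardened pattern: an explicit allow-list of assignable attributes.
  # Anything outside it is silently dropped; a stricter variant would raise
  # so that tampering is logged rather than ignored.
  ASSIGNABLE = %w[name email].freeze

  def update_attributes_safe(params)
    params.each do |key, value|
      next unless ASSIGNABLE.include?(key.to_s)
      instance_variable_set("@#{key}", value)
    end
    self
  end
end

# Constructed request body: the form only exposes name and email, but the
# submitted parameters carry an extra "admin" field.
TAMPERED_PARAMS = {
  "name" => "mallory", "email" => "m@example.com", "admin" => true
}.freeze

# Returns the admin flag after applying the tampered request to a fresh,
# non-admin account, for each of the two update strategies.
def demo_unsafe
  Account.new(name: "alice", email: "a@example.com")
         .update_attributes_unsafe(TAMPERED_PARAMS).admin
end

def demo_safe
  Account.new(name: "alice", email: "a@example.com")
         .update_attributes_safe(TAMPERED_PARAMS).admin
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe update: admin=#{demo_unsafe}"   # true: privilege escalation
  puts "safe update:   admin=#{demo_safe}"     # false: extra key ignored
end
```

In Rails 3 the equivalent allow-list is `attr_accessible :name, :email` on the model, which is exactly the "off by default, enabled when needed" behaviour argued for above: a model that declares nothing assignable accepts nothing from a mass update.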

via Hacker commandeers GitHub to prove Rails vulnerability.

Category: Security | No Comments | March 5th, 2012

Deception and the art of cyber security – SC Magazine

By Mike S

I like his ideas, but I imagine they will be tricky to implement. It is difficult enough to create secure web apps, much less honeypot-enabled web apps.

Cyber attackers have long embraced deception by deploying tactics, such as social engineering help-desk employees to install trojans or obtain users’ credentials. Even the famed hacker, Kevin Mitnick, wrote a book called “The Art of Deception.” If deception can be used to attack, can it also be used in cyber defense?

via Deception and the art of cyber security – SC Magazine.

Category: Security | No Comments | February 29th, 2012

After first Anon hack, PR firm failed to update other .gov websites

By Mike S

While it’s idiotic to refrain from updating your servers, it is doubly idiotic to refuse to update your servers after they’ve been hacked.

Under the terms of the provisioning service that the servers were provided under, Fleishman-Hilliard was responsible for the administration and security of the servers, including operating system updates, software installations and backups, and had set up the servers—but “had chosen not to update their applications,” Brubeck said.

via After first Anon hack, PR firm failed to update other .gov websites.

Category: Cloud Computing, Security | No Comments | February 18th, 2012

Should a Congress that Doesn’t Understand Math Regulate Cybersecurity?

By Mike S

With this great opening:

There’s a delicious irony in some of the testimony on cybersecurity that the Senate Homeland Security and Governmental Affairs Committee will hear today (starting at 2:30 Eastern — it’s unclear from the hearing’s page whether it will be live-streamed). Former National Security Agency general counsel Stewart Baker flubs a basic mathematical concept.

If Congress credits his testimony, is it really equipped to regulate the Internet in the name of “cybersecurity”?

Baker’s written testimony (not yet posted) says, stirringly, “Our vulnerabilities, and their consequences, are growing at an exponential rate.” He’s stirring cake batter, though. Here’s why.

Jim Harper then expounds on the difference between exponential and linear growth, the difference between “threats” and “vulnerabilities,” and deliciously illustrates why government fearmongering is as misguided and unhelpful as ever.

Politicians rarely understand what they are legislating on, and it is unfortunate how they never let that affect their judgement.

In closing:

Do your representatives in Congress get the math involved here? Do they know the difference between exponential growth and linear growth? Do they “get” risk management? Chances are they don’t. They may even parrot the “statistic” that Baker is putting forth. How well equipped do you suppose a body like that is for telling you how to do your cybersecurity?

via Should a Congress that Doesn’t Understand Math Regulate Cybersecurity? | Cato @ Liberty.

Category: News | No Comments | February 16th, 2012

Crypto shocker: four of every 1,000 public keys provide no security

By Mike S

via Crypto shocker: four of every 1,000 public keys provide no security (updated):

An astonishing four out of every 1,000 public keys protecting webmail, online banking, and other sensitive online services provide no cryptographic security, a team of mathematicians has found. The research is the latest to reveal limitations in the tech used by more than a million Internet sites to prevent eavesdropping.

Which is bad – collisions are supposed to be rare, or else it’s much easier to guess the key.

“Our only conclusion is that there is not just one cause for all of these problems,” Hughes said. “This leads to our conclusion that unless you can totally trust your random number generator, RSA is not a good algorithm to choose.”

I thought computer RNGs couldn’t be trusted to be random.
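The check behind the headline figure can be run over your own certificate inventory. The published research found that keys generated with poor randomness sometimes share one prime factor with another key, and two such moduli are factored instantly by taking their greatest common divisor; that finding is a fact about the research, not something quoted in the excerpt above. The following is an added example (not the researchers' code or the article's) of that pairwise-GCD audit in Ruby. The moduli are constructed from tiny primes purely for illustration; real RSA moduli are 1024 bits or more, and `Integer#gcd` works unchanged on them.

```ruby
# Added example: pairwise-GCD audit of RSA moduli for shared prime factors.
# Primes and certificate names below are constructed for the illustration.
P1, P2, P3, P4, P5 = 10_007, 10_009, 10_037, 10_039, 10_061

# Three moduli: the first two share P1 (simulating a repeated RNG output
# during key generation); the third is independent of both.
MODULI = {
  "cert-a.example" => P1 * P2,
  "cert-b.example" => P1 * P3,
  "cert-c.example" => P4 * P5,
}.freeze

# Compares every pair of moduli. A GCD of 1 means the pair is coprime and
# nothing is learned; any other GCD is a shared prime, and dividing it out
# yields the other factor of each modulus, i.e. both private keys.
# Returns [[name_a, name_b, shared_prime, cofactor_a, cofactor_b], ...].
def find_shared_factors(moduli)
  findings = []
  moduli.keys.combination(2) do |a, b|
    g = moduli[a].gcd(moduli[b])
    next if g == 1
    findings << [a, b, g, moduli[a] / g, moduli[b] / g]
  end
  findings
end

# Names of every key that shares a factor with at least one other key;
# these are the keys an operator must revoke and regenerate.
def compromised_keys(moduli)
  find_shared_factors(moduli).flat_map { |a, b, *_| [a, b] }.uniq.sort
end

if __FILE__ == $PROGRAM_NAME
  find_shared_factors(MODULI).each do |a, b, g, qa, qb|
    puts "#{a} and #{b} share prime #{g}: #{a} = #{g}*#{qa}, #{b} = #{g}*#{qb}"
  end
  puts "revoke: #{compromised_keys(MODULI).join(', ')}"
end
```

The pairwise loop is quadratic in the number of keys, which is fine for one organisation's inventory; scanning millions of Internet-wide keys, as the researchers did, needs the batch-GCD product-tree technique instead. Either way the remedy is the same: revoke the affected certificates and regenerate the keys on a system whose random number generator is properly seeded.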

Category: Security | No Comments | February 15th, 2012

Breaches galore as Cryptome hacked to infect visitors with malware

By Mike S

If your site is hosted, make sure your host and CMS keep patches current:

Cryptome founder John Young said in an e-mail that he believes the attackers were able to infect his website with a poisoned PHP file by exploiting a weakness in security or server software provided by Network Solutions, which hosts the Cryptome website.

via Breaches galore as Cryptome hacked to infect visitors with malware.

Category: Security | No Comments | February 13th, 2012

Anonymous exposes e-mails of Syrian presidential aides

By Mike S

Anonymous again demonstrates the importance of strong passwords:

Along with the release of these e-mails, Anonymous also exposed the passwords of 78 accounts on the Ministry’s servers. Of the passwords revealed, 31 were “12345” and a number were minor variations on that. Some of the other passwords in the set included:

  • iloveyou
  • 123vivasyria
  • system
  • honda2011
  • testing

via Anonymous exposes e-mails of Syrian presidential aides.

Category: Security | No Comments | February 8th, 2012

SOPA Resistance Day

By Mike S

Follow the news; keep informed. Unfortunately, although the sponsors of the bill have “backed off” a bit, they’ve already decided they want to pass these laws. Although the DNS-blocking portion of SOPA has been removed, it can be amended back in later, or easily added to another bill when nobody’s looking.

Today is SOPA Resistance Day at Ars. Sites across the ‘Net, from reddit to the Internet Archive, from Wikipedia to Google, are protesting the excesses of the Stop Online Piracy Act. SOPA remains a flawed bill that treats piracy as an existential threat to the US economy and to a sacred class of rightsholders—and in doing so loses all perspective on appropriate remedies. The discussion is absolutely unbalanced.

Many sites have chosen to go dark (i.e., offline) today, a stance we respect—but it’s not the right path for us. Ars Technica has, for 14 years, tried to be an information resource, and the most appropriate response from Ars is to provide even more information on the legislation, how you can fight it, and what’s really at stake.

via SOPA Resistance Day begins at Ars.

Category: News | No Comments | January 17th, 2012

Top German cop uses spyware on daughter, gets hacked in retaliation

By Mike S

via Top German cop uses spyware on daughter, gets hacked in retaliation: It’s sad how frequently law enforcement officials bend or break the law to achieve their ends.

Problem 1: This guy forgot he was a father, and treated his kid as just another suspect.

Problem 2: The story reveals the Germans have a program for tracking individuals’ locations via cell phone and car GPS systems, and they had to take it offline because this guy’s home security sucked so hard.

Fortunately for connoisseurs of the weird, Der Spiegel revealed a stranger story in its magazine yesterday. According to the report, a top German security official installed a trojan on his own daughter’s computer to monitor her Internet usage. What could possibly go wrong?

Nothing—well, at least until one of the daughter’s friends found the installed spyware. The friend then went after the dad’s personal computer as a payback and managed to get in, where he found a cache of security-related e-mails from work. The e-mails, in turn, provided the information necessary for hackers to infiltrate Germany’s federal police.


Category: Security | No Comments | January 9th, 2012

The Tech Herald’s Analysis of the Stratfor Password List

By Mike S

Just before the holiday weekend, as their final act of defiance in 2011, AntiSec supporters published nearly a million records taken during the Christmas Eve attack on Strategic Forecasting Inc. The Tech Herald has examined the list of 860,160 password hashes that were leaked, and the results of our tests were both expected and pitiful.

We’re sorry to report that the state of password management and creation is still living in the Dark Ages.

via Report: Analysis of the Stratfor Password List.

The first half of the report describes their methodology, and the latter half describes the passwords they’ve cracked.

Do your employees or customers use passwords like these? How do you know?
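One way to answer that question, for both the Syrian Ministry list above and the Stratfor hashes here, without ever handling plaintext: hash a denylist of known-weak passwords with each user's own salt and compare against what is stored. The following is an added example in Ruby, not code from The Tech Herald or either article. It assumes a deliberately simple storage scheme, SHA-256 over salt plus password, chosen so the example runs with the standard library; a real deployment would use a slow hash such as bcrypt or PBKDF2, and the same audit works unchanged against those. The user table, salts and denylist expansion rules are constructed for the illustration, seeded with the values quoted in the posts.

```ruby
require "digest"

# Added example: auditing stored password hashes against a denylist.
# Base list seeded from the values quoted in the posts; "password" added.
BASE_DENYLIST = %w[12345 iloveyou 123vivasyria system honda2011 testing password].freeze

# The Syrian list showed "minor variations" on 12345, so expand each base
# word with a few cheap mutations (constructed rules; real audits use the
# rule sets shipped with password-auditing tools).
def expand_denylist(words)
  words.flat_map do |w|
    [w, w.capitalize, "#{w}1", "#{w}123", "#{w}!", "#{w}2011", "#{w}2012"]
  end.uniq
end

# Simplified storage scheme for the example: hex(SHA-256(salt || password)).
def hash_password(salt, password)
  Digest::SHA256.hexdigest(salt + password)
end

# Constructed user table. Plaintexts appear only here to build the fixture;
# the audit itself never sees them.
USERS = {
  "alice" => { salt: "s1", hash: hash_password("s1", "12345") },
  "bob"   => { salt: "s2", hash: hash_password("s2", "honda2011!") },
  "carol" => { salt: "s3", hash: hash_password("s3", "correct horse battery staple") },
}.freeze

# For every user, hash each candidate with that user's salt and compare.
# Returns { username => matching_candidate } for the accounts that fail.
def audit_weak_passwords(users, denylist)
  candidates = expand_denylist(denylist)
  users.each_with_object({}) do |(name, rec), weak|
    hit = candidates.find { |c| hash_password(rec[:salt], c) == rec[:hash] }
    weak[name] = hit if hit
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_weak_passwords(USERS, BASE_DENYLIST).each do |name, pw|
    puts "#{name}: weak password (#{pw}) -> force a reset"
  end
end
```

Cost scales with users times candidates times one hash computation, which is exactly why a slow hash is used for storage: the audit still finishes for a few thousand candidates, while an attacker working through a leaked table of 860,160 hashes pays the same price per guess. Run it offline against a copy of the table, and follow a hit with a forced reset rather than a notification that names the password.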

Category: Compliance, News | No Comments | January 3rd, 2012