Currently Viewing Posts Tagged security

Google Nexus 7 (2013) Got an OTA Update

Google started its monthly security updates in November 2015. November Security Update here. December Security Update here.

The Android version is still 6.0.1. The date of the Android security patch level changed, and the build number changed with the update too.

Before the January update, the Nexus 7 information was as shown below.

2016-01-12 21.07.43

The update notice shows the update is only 2.2MB.

2016-01-12 21.07.20

Upgrade Dir-850L router firmware to v1.13

It is time to upgrade router firmware.

There is an alert notice on support.dlink.ca:

Security Advisory: New firmware has been released that fixes the latest HNAP Privilege Escalation Vulnerability. Please ensure to upgrade your router to the latest firmware version. Click on the Downloads tab below.

What kind of vulnerability is it this time?

Here is a detailed information page about it: http://www.dlink.com/uk/en/support/support-news/2015/april/13/hnap-privilege-escalation-command-injection

 

An attacker who wishes to gain access to the router sends an unprivileged HNAP command such as GetDeviceSettings, they append to the command an additional command separated with an “/”, which is used as a separator between commands.  Any command(s) after the first will be executed unauthenticated.  Additionally, additional commands will be passed directly to the underlying Linux system, allowing the injection of arbitrary system commands.

The GetDeviceSettings HNAP Command is used to indicate some very common parameters (e.g. the domain name of the HNAP device), as well as to define which HNAP commands are available.
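
Detection logic for the pattern the advisory describes, added here as an example and not taken from D-Link or the original post: it flags HNAP requests whose action name is followed by a further "/"-separated command. HNAP carries the action name in the SOAPAction header under the http://purenetworks.com/HNAP1/ namespace; the log format, the sample lines and the function names are constructed for illustration.

```python
import re

# Namespace that qualifies every HNAP action in the SOAPAction header.
HNAP_NS = "http://purenetworks.com/HNAP1/"
# A legitimate action is one alphanumeric name, e.g. GetDeviceSettings.
ACTION_RE = re.compile(r"[A-Za-z0-9]+\Z")
# Hypothetical log layout: time, source, method, path, quoted SOAPAction.
LINE_RE = re.compile(r'(\S+) (\S+) (\S+) (\S+) "([^"]*)"\Z')

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
2015-04-14T09:12:01Z 192.0.2.10 POST /HNAP1/ "http://purenetworks.com/HNAP1/GetDeviceSettings"
2015-04-14T09:12:07Z 198.51.100.23 POST /HNAP1/ "http://purenetworks.com/HNAP1/GetDeviceSettings/SetWanSettings"
2015-04-14T09:13:30Z 192.0.2.10 POST /HNAP1/ "http://purenetworks.com/HNAP1/Login"
2015-04-14T09:14:02Z 203.0.113.5 GET /index.html "-"
"""

def classify_action(soap_action):
    """Return (verdict, detail) for one SOAPAction header value."""
    if not soap_action.startswith(HNAP_NS):
        return "not-hnap", ""
    rest = soap_action[len(HNAP_NS):]
    if ACTION_RE.match(rest):
        return "ok", rest
    first, sep, extra = rest.partition("/")
    if sep and extra:
        # Something follows the first command after the "/" separator.
        return "chained", f"{first!r} followed by {extra!r}"
    return "malformed", rest

def scan(log_text):
    """Return (time, source, verdict, detail) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not follow the assumed layout
        ts, src, _method, _path, action = m.groups()
        verdict, detail = classify_action(action)
        if verdict in ("chained", "malformed"):
            findings.append((ts, src, verdict, detail))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
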

Linode has security updates

I received an email from Linode about the security updates. It happened yesterday.

The email said:

Linode recently received several Xen Security Advisories (XSAs) that require us to perform updates to our host servers. In order to apply the updates, hosts and the Linodes running on them must be rebooted. The XSAs will be publicly released by the Xen project team on March 10th, therefore we must complete the updates before that date.

These updates are required to protect the security and safe operations of not only our infrastructure, but yours as well. We understand that a disruption with such limited notice is inconvenient, and we hope you understand that these measures are warranted due to the severity of the XSAs.

Your Linodes have been assigned a maintenance window in which a reboot will occur. These times are listed within the Linode Manager[1] in the timezone set in your user’s My Profile[2]. Your schedule in UTC timezone is as follows:

* 2015-03-08 3:00:00 PM UTC – linodexxxxxx

During the maintenance window Linode instances will be cleanly shut down while we perform the updates. Your Linode will be inaccessible during this time. A two-hour window is allocated, however the actual downtime can be much less. After the maintenance, each Linode will then be booted. See our Reboot Survival Guide[3] for tips and hints on configuring and testing that your Linode services boot properly after the maintenance.

Unfortunately, due to the logistical demands of this effort, your assigned windows are not changeable and the host reboots are mandatory.

 

It is about one hour of server downtime on my VPS.

http://xenbits.xen.org/xsa/

Disable SSLv2 and SSLv3 in Apache

We always disable SSLv2 in Apache. Now it is SSLv3's turn. The recent news about the SSL 3 vulnerability is so important that I have to disable it as well.

So just modify Apache's ssl.conf:

    SSLProtocol All -SSLv2 -SSLv3

The web site still offers TLS 1.0, TLS 1.1 and TLS 1.2. For most browsers on users' computers, TLS is good enough. The only exception is IE 6.0 on Windows XP.

I am not worried about it. Just forget the users who are still using IE 6.

Refer to the Security Labs article.

 

Reset your Adobe password to protect yourself

I got an email from Adobe recommending that I reset the password of my Adobe ID. A security incident happened early this month. So, to minimize the potential harm to the user account, it is better to reset the password.

Important Password Reset Information
To view this message in a language other than English, please click here.

As we announced on October 3, 2013, we recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account.

To prevent unauthorized access to your account, we have reset your password. Please visit www.adobe.com/go/passwordreset to create a new password. We recommend that you also change your password on any website where you use the same user ID or password. In addition, please be on the lookout for suspicious email or phone scams seeking your personal information.

We deeply regret any inconvenience this may cause you. We value the trust of our customers and are working aggressively to prevent these types of events from occurring in the future. If you have questions, you can learn more by visiting our Customer Alert page, which you will find here.

Adobe Customer Care

I entered the email address of my Adobe ID into the password reset page. It confirmed that an email had been sent to me.
Then I checked my email and found the message with the reset link. I clicked the link and entered the new password. It confirmed that there is another email to confirm that the password was changed.

So everything is simple. Just follow the instructions in the email to reset your Adobe password and protect yourself.

How to configure PHP to secure a Web Server

Certain PHP configuration settings affect security features. The following recommended security configuration options are for production servers.

  • register_globals set to off
  • safe_mode set to off
  • error_reporting set to off
  • disable these functions: system(), exec(), passthru(), shell_exec(), proc_open(), and popen()
  • open_basedir set for both the /tmp directory and the web root so that scripts cannot access files outside a selected area
  • expose_php set to off
  • allow_url_fopen set to off
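
An audit of a php.ini against the list above, added here as an example and not part of the original post. It assumes "off" means Off/0 in php.ini terms, that every listed directive should be set explicitly, and that open_basedir uses the Unix ":" separator; the sample file, the web root path and the function names are constructed.

```python
# Policy copied from the list above.
MUST_BE_OFF = ["register_globals", "safe_mode", "error_reporting",
               "expose_php", "allow_url_fopen"]
MUST_DISABLE = {"system", "exec", "passthru", "shell_exec", "proc_open", "popen"}
OFF_VALUES = {"off", "0", "false", "no", "none", ""}  # assumed spellings of "off"

# Constructed php.ini fragment with some deliberate deviations.
SAMPLE_INI = """\
; constructed sample, not a real server's file
[PHP]
register_globals = Off
safe_mode = Off
error_reporting = E_ALL & ~E_NOTICE
disable_functions = system,exec, passthru
open_basedir = "/var/www/html"
expose_php = On
allow_url_fopen = Off
"""

def parse_ini(text):
    """Parse 'key = value' lines; skips sections and full-line ';' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(settings, web_root):
    """Return a list of deviations from the recommended settings."""
    findings = []
    for key in MUST_BE_OFF:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly")
        elif value.lower() not in OFF_VALUES:
            findings.append(f"{key}: expected off, found {value!r}")
    raw_disabled = settings.get("disable_functions", "").split(",")
    disabled = {name.strip() for name in raw_disabled if name.strip()}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))
    allowed = {p.rstrip("/") for p in settings.get("open_basedir", "").split(":") if p}
    for needed in ("/tmp", web_root.rstrip("/")):
        if needed not in allowed:
            findings.append(f"open_basedir: {needed} not listed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_ini(SAMPLE_INI), "/var/www/html")))
```
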

Windows Update 2013-07

It is time to update Windows.
Here is the list of July 2013 Windows updates on my 64-bit Windows 7.

There are six security updates:

  • Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561) 
  • Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)
  • Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)
  • Cumulative Security Update for Internet Explorer (2846071)
  • Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)
  • Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)
