[ale] semi OT - misc security issues to think about - 07/12/12

Michael Trausch mike at trausch.us
Fri Jul 13 11:45:41 EDT 2012


If the passwords are vulnerable even after upgrading to a version that
knows how to hash the passwords, then the project doesn't take security very
seriously, IMNSHO, and should not be allowed to be used. It is trivial to
upgrade from plaintext to hashed and salted.

In any other situation (meaning, involving a password database that is
already hashed), the proper solution is to migrate users at their next
login, because that's the only way to upgrade from one hash type to another.
It is the only time that the plaintext of the password should be available
in a password-based system.
On Jul 12, 2012 4:12 PM, "Ron Frazier (ALE)" <
atllinuxenthinfo at techstarship.com> wrote:

> Hi all,
>
> FWIW, here are some miscellaneous security items that you might want to be
> aware of that I heard on the latest Security Now podcast.  I haven't had
> any chance to investigate any of these in detail.
>
> * If you're a lastpass user, there is a setting in the options which
> allows you to turn on iterative password hashing.  This helps prevent brute
> force attacks on your password.  Recommended setting is 512 I believe.
> Apparently, for some accounts, it is not turned on by default.
>
> * If you're forced to use Windows, a vulnerability in Vista and Windows 7
> sidebars and gadgets has been discovered which potentially allows an
> attacker to do "remote code execution".  In other words, they can take over
> your machine.  Microsoft has released a FixIt button on their website to
> totally disable sidebars and gadgets.
>
> * The following applies if you use the Plesk website management system.
> This is a quote from the following website:
>
> http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html
>
> "The first issue is that old versions of Plesk store passwords in *clear
> text* (yes, clear text in 2012). The second is a remote SQL vulnerability
> that has been found in old versions of Plesk allowing attackers to exploit
> those passwords."
>
> As I understand it, even if your Plesk installation has been updated, the
> passwords in the database are vulnerable until they are changed.
>
> Sincerely,
>
> Ron
>
> --
>
> (To whom it may concern.  My email address has changed.  Replying to former
> messages prior to 03/31/12 with my personal address will go to the wrong
> address.  Please send all personal correspondence to the new address.)
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new email messages very quickly.)
>
> Ron Frazier   770-205-9422 (O)   Leave a message.
> linuxdude AT techstarship.com
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
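The two migration paths described in the reply above, as an added example that is not part of the original thread or of any project mentioned in it: a plaintext store is converted to salted iterated hashes in one offline pass (the plaintext is right there), while a store that already holds an older hash type is upgraded one user at a time at login, the only moment the plaintext is legitimately in hand. The scheme tags, the iteration count, the record format and the sample users are all assumptions made for this example; the "old" scheme is unsalted SHA-1 purely to stand in for whatever legacy hash a real database holds.

```python
import hashlib
import hmac
import secrets

# Assumed scheme tags and parameters for this example (not from any real product).
OLD_SCHEME = "sha1"            # stand-in for a legacy, unsalted hash type
NEW_SCHEME = "pbkdf2-sha256"   # salted, iterated hash that replaces it
NEW_ITERATIONS = 100_000


def hash_new(password, salt=None, iterations=NEW_ITERATIONS):
    """Return a record 'pbkdf2-sha256$<iters>$<salt hex>$<dk hex>' with a fresh random salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}${}".format(NEW_SCHEME, iterations, salt.hex(), dk.hex())


def hash_old(password):
    """Legacy record 'sha1$<hex>': unsalted, a single SHA-1 pass. Only used to build test data."""
    return "{}${}".format(OLD_SCHEME, hashlib.sha1(password.encode("utf-8")).hexdigest())


def verify(password, stored):
    """Check a candidate password against a record of either scheme, in constant time."""
    scheme, rest = stored.split("$", 1)
    if scheme == OLD_SCHEME:
        candidate = hashlib.sha1(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, rest)
    if scheme == NEW_SCHEME:
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError("unknown hash scheme: %r" % scheme)


def needs_upgrade(stored):
    """True when the record is a legacy hash or uses fewer iterations than current policy."""
    scheme, rest = stored.split("$", 1)
    if scheme != NEW_SCHEME:
        return True
    return int(rest.split("$")[0]) < NEW_ITERATIONS


def migrate_plaintext_store(users):
    """Case 1: plaintext store -> salted iterated hashes, all at once, offline."""
    return {name: hash_new(pw) for name, pw in users.items()}


def login(users, username, password):
    """Case 2: verify with whatever scheme is stored; on success, rehash with the new
    scheme if needed. The plaintext is available only here, so this is the upgrade point."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_upgrade(stored):
        users[username] = hash_new(password)   # in-place upgrade at next successful login
    return True


def pending_upgrades(users):
    """Accounts still on the old scheme; these remain exposed until their owners log in."""
    return sorted(name for name, rec in users.items() if needs_upgrade(rec))


if __name__ == "__main__":
    # Constructed sample data for the example.
    plain = {"alice": "correct horse battery staple"}
    hashed = migrate_plaintext_store(plain)
    print("alice upgraded offline:", not needs_upgrade(hashed["alice"]))

    legacy = {"bob": hash_old("s3cret"), "carol": hash_old("p@ssw0rd")}
    print("pending before any login:", pending_upgrades(legacy))
    login(legacy, "bob", "s3cret")                 # bob logs in: record is rehashed
    print("pending after bob logs in:", pending_upgrades(legacy))
```

The list returned by pending_upgrades is the practical check behind the last point in the quoted message: after a code upgrade, any account that has not logged in since is still sitting on the old record, so forcing a reset for those accounts (or at least reporting them) closes the window rather than waiting for the user.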

