Nikto – Open Source web server security scanner

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software.

PHP exposure via easter egg

Here is an interesting easter egg in PHP. Check whether the expose_php setting in your php.ini file is turned on, like so:

; Decides whether PHP may expose the fact that it is installed
; on the server (e.g. by adding its signature to the Web
; server header). It is no security threat in any way, but it
; makes it possible to determine whether you use PHP on your
; server or not.
; http://www.php.net/manual/en/ini.core.php#ini.expose-php
expose_php = On

If it’s on, then you can see the PHP Credits page, which lists the PHP authors and contributors, as well as the authors and contributors of the PHP modules you have installed. To see the page, add the secret parameter to any PHP page on your server, like so: http://localhost/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000. You’ll see a long page that starts like so:

Kudos to Chris for pointing it out to me. I’ve since disabled the setting on my server.
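As an added illustration (not code from the original post), here is a small Python checker for both halves of the setting above: whether a php.ini text leaves expose_php on, and whether an HTTP response gives PHP away, either through the X-Powered-By header that expose_php adds or by answering the credits query with the "PHP Credits" page. The php.ini fragments, response headers and body are constructed samples. One caveat worth knowing: PHP 5.5 and later removed the logo/credits GUID easter eggs, but expose_php still controls the X-Powered-By header, so the ini check remains relevant on current builds.

```python
import re

# Constructed sample php.ini fragments (not copied from any real server):
# the first mirrors the shipped default, the second is the hardened form.
INI_EXPOSED = """; Decides whether PHP may expose the fact that it is installed
; on the server (e.g. by adding its signature to the Web
; server header).
expose_php = On
"""

INI_HARDENED = """; disabled after review
expose_php = Off   ; no X-Powered-By header, no credits page on old builds
"""

# Values PHP's ini parser treats as true for a boolean directive.
_TRUTHY = {"1", "on", "true", "yes"}


def expose_php_enabled(ini_text: str) -> bool:
    """Return True if the php.ini text leaves expose_php switched on.

    PHP's built-in default is On, so an ini file that never mentions the
    directive still counts as exposed. The last assignment wins; comment
    lines (starting with ';') and trailing ';' comments are ignored.
    """
    value = "1"  # PHP's default when the directive is absent
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        match = re.match(r'^expose_php\s*=\s*"?([^"]*)"?\s*$', line, re.IGNORECASE)
        if match:
            value = match.group(1).strip()
    return value.lower() in _TRUTHY


def php_disclosures(headers: dict, body: str) -> list:
    """List what a response reveals about PHP.

    Checks the X-Powered-By header that expose_php adds, and whether the
    body is the PHP Credits page (what an old build returns for the
    ?=PHPB8B5F2A0-... query when expose_php is on).
    """
    findings = []
    for name, value in headers.items():
        if name.lower() == "x-powered-by" and "php" in value.lower():
            findings.append(f"header discloses PHP: {name}: {value}")
    if "PHP Credits" in body:
        findings.append("credits page served: easter egg is reachable")
    return findings


# Constructed sample responses: an exposed server answering the credits URL,
# and the same server after expose_php was turned off.
SAMPLE_HEADERS = {"Server": "Apache", "X-Powered-By": "PHP/5.3.10", "Content-Type": "text/html"}
SAMPLE_BODY = "<html><head><title>PHP Credits</title></head><body>...</body></html>"
SAMPLE_HEADERS_FIXED = {"Server": "Apache", "Content-Type": "text/html"}
SAMPLE_BODY_FIXED = "<html><body>ordinary index page</body></html>"

if __name__ == "__main__":
    for label, ini in (("shipped php.ini", INI_EXPOSED), ("hardened php.ini", INI_HARDENED)):
        print(f"{label}: expose_php {'ON' if expose_php_enabled(ini) else 'off'}")
    print(php_disclosures(SAMPLE_HEADERS, SAMPLE_BODY))
    print(php_disclosures(SAMPLE_HEADERS_FIXED, SAMPLE_BODY_FIXED))
```

To audit a live server you would feed expose_php_enabled() the output of `php --ini` / the loaded php.ini, and php_disclosures() the headers and body from a request to your own site; an empty findings list after setting expose_php = Off and restarting the web server confirms the fix took effect.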

London Olympics security craze – surface to air missiles

Yet another story from Slashdot:

I have to admit, when I first read about this I thought it was a hoax, but unfortunately it’s true. The UK government is considering placing surface-to-air missiles on residential buildings in London for the duration of the London Olympics. From the article: ‘The Ministry of Defence is considering placing surface-to-air missiles on residential flats during the Olympics. An east London estate, where 700 people live, has received leaflets saying a “Higher Velocity Missile system” could be placed on a water tower. A spokesman said the MoD had not yet decided whether to deploy ground based air defence systems during the event.’

Once again proving to every TV-watching idiot that “we are winning the war on terror”. Congratulations!

All your base are belong to … USA

Slashdot reports:

The European Parliament has approved the controversial data transfer agreement, the bilateral PNR (passenger name register), with the US which requires European airlines to pass on passenger information, including name, contact details, payment data, itinerary, email and phone numbers to the Department of Homeland Security. Under the new agreement, PNR data will be ‘depersonalized’ after six months and would be moved into a ‘dormant database’ after five years. However the information would still be held for a further 15 years before being fully ‘anonymized.’

I’m so glad that I managed to visit the USA before it became a paranoid concentration camp. The way things are going, I don’t think I’ll live long enough to visit it again without worrying about arrest and endless detention.

P.S.: And some people still talk about privacy. What privacy?

Google: 60,000 dollars for a bug report

I’m a Google fan, there is no reason to hide it. And this is one of the reasons. They are setting a good example to follow.

Open sourcing company products changes the way code is written. The moment programmers know someone else will be looking at their code, they start paying more attention to what and how they write. Paying outsiders for discovering bugs in company code is like the next level of Open Source Software. Open source alone only makes review possible; money provides a good incentive to actually do it.