Hackers compromise official PHP website, infect visitors with malware (updated)

Maintainers of the open-source PHP programming language have locked down the php.net website after discovering two of its servers were hacked to host malicious code designed to surreptitiously install malware on visitors' computers.

The compromise was discovered Thursday morning by Google's safe browsing service, which helps the Chrome, Firefox, and Safari browsers automatically block sites that serve drive-by exploits. Traces of the malicious JavaScript code served to some php.net visitors were captured and posted to Hacker News here and, in the form of a pcap file, to a Barracuda Networks blog post here. The attacks started Tuesday and lasted through Thursday morning, PHP officials wrote in a statement posted late that evening.

Eventually, the site was moved to a new set of servers, PHP officials wrote in an earlier statement. There's no evidence that any of the code they maintain has been altered, they added. Encrypted HTTPS access to php.net websites is temporarily unavailable until a new secure sockets layer certificate is issued and installed. The old certificate was revoked out of concern that the intruders may have accessed the private encryption key. User passwords will be reset in the coming days. At press time, there was no indication of any further compromise.

Read 8 remaining paragraphs | Comments


    






A (relatively easy to understand) primer on elliptic curve cryptography

Cloudflare

Author Nick Sullivan worked for six years at Apple on many of its most important cryptography efforts before recently joining CloudFlare, where he is a systems engineer. He has a degree in mathematics from the University of Waterloo and a Masters in computer science with a concentration in cryptography from the University of Calgary. This post was originally written for the CloudFlare blog and has been lightly edited to appear on Ars.

Readers are reminded that elliptic curve cryptography is a set of algorithms for encrypting and decrypting data and exchanging cryptographic keys. Dual_EC_DRBG, the cryptographic standard suspected of containing a backdoor engineered by the National Security Agency, is a function that uses elliptic curve mathematics to generate a series of random-looking numbers from a seed. This primer comes two months after internationally recognized cryptographers called on peers around the world to adopt ECC to avert a possible "cryptopocalypse."

Elliptic curve cryptography (ECC) is one of the most powerful but least understood types of cryptography in wide use today. An increasing number of websites make extensive use of ECC to secure everything from customers' HTTPS connections to how they pass data between data centers. Fundamentally, it's important for end users to understand the technology behind any security system in order to trust it. To that end, we looked around to find a good, relatively easy-to-understand primer on ECC in order to share with our users. Finding none, we decided to write one ourselves. That is what follows.

Be warned: this is a complicated subject, and it's not possible to boil it down to a pithy blog post. In other words, settle in for a bit of an epic because there's a lot to cover. If you just want the gist, here's the TL;DR version: ECC is the next generation of public key cryptography, and based on currently understood mathematics, it provides a significantly more secure foundation than first-generation public key cryptography systems like RSA. If you're worried about ensuring the highest level of security while maintaining performance, ECC makes sense to adopt. If you're interested in the details, read on.

Read 88 remaining paragraphs | Comments


    






Netfirms Running Over Seven Years Out of Date Version of phpMyAdmin

One of the most basic measures for keeping websites secure is to keep software running the website up to date, this is something that web hosts know and tell their customers. Unfortunately, many web hosts don’t seem to feel that they need to heed their own advice and run out of date software on their servers. This put their clients at risk of being hacked though exploitation of a known vulnerability in that software. Web hosts use of outdated software also a warning sign that they may not be handling the rest of the security properly as well.

When we do work on a client’s website we do a check of what version of some common software (PHP, MySQL, phpMyAdmin, etc.) is running of the server. This is partly so that we can see how well web hosts are doing at keeping that software up date and also so that we can alert the clients when severely out of date software is in use. We were recently doing work on a website hosted with Netfirms and we found that the server was using over seven years out of date version of phpMyAdmin, 2.8.0.1:

Netfirms is Running phpMyAdmin 2.8.0.1That version was released on March 8 of 2006 and the next version, 2.8.0.2, was released eight days later. phpMyAdmin provides a page that provides a listing of all security announcements for the software (something that other software developers should also be providing). Based on just the announcements for 2006 and 2007, the version of phpMyAdmin Netfirms is using probably contains 16 serious severity security issues and 1 considered “quite dangerous”.

If you want to check if web hosts you or your clients use are running an outdated version of phpMyAdmin you can check with our phpMyAdmin Version Check extension, which is available for Firefox and Chrome.

It is not just phpMyAdmin that Netfirms doesn’t keep up to date. They are using PHP 5.3.13, which is over a year out of date and also has known security vulnerabilities (including ones that were fixed in the very next release).

Amazingly the fact that they have some pretty obvious security problems hasn’t stop the security company SiteLock from declaring that Netfirms is secure, as can been seen in the footer of Netfirms website:

SiteLock SECURE Badge Shown on Netfirms Website

Apple Releases Apple Remote Desktop 3.7

Original release date: October 24, 2013

Apple has released Apple Remote Desktop 3.7 to address multiple vulnerabilities. These vulnerabilities could allow a remote attacker to execute arbitrary code or obtain sensitive information.

US-CERT encourages users and administrators to review Apple Support Article HT5998 and follow best practice security policies to determine which updates should be applied.

 


This product is provided subject to this Notification and this Privacy & Use policy.