This blog includes company news, company statements, tutorials, guides and much more. So please add this blog to your RSS reader and let us help you to become better security professionals.
Disclaimer: The views of individual bloggers may not be the views of Aconiac as a whole.
Yes, Aconiac has now officially started twittering!
Now you’re probably thinking: “Why? Oh why, God?”, especially if you’re the typical European or business professional. However, after having looked into the matter, we have found good use for Twitter and can see how it has its place in the future business market – so that is really why!
So what will we be twittering? Well, we thought long and hard about what content could be efficiently distributed in 140 characters, since this is, by all common standards, a very limited amount of text. Ultimately we came to the conclusion that security tips & tricks, news and facts were of most interest, and it is therefore these we will be twittering in the future with our “Did you know?” posts.
If this has piqued your interest, please go to http://twitter.com/AconiacSecurity and follow our posts there.
As a final note: We’ve added a “Tweet this” button to all posts, so that you can easily post our blog posts titles and links to your Twitter account.
NOTE: This is a technical post regarding Apache on Linux with support for Ruby on Rails. Basic understanding of these concepts is necessary!
Normally you want to make sure your server doesn’t give out any information about service versions; mod_rails, however, doesn’t provide any easy way of doing this within the module itself. There is a fairly easy solution, though: use mod_headers to remove the headers in Apache.
So how is it done? Very simply: enable the mod_headers module and add the snippet below to httpd.conf or another configuration file included by Apache. Both actions have to be done as root, of course.
Enable the mod_headers module (This example is Linux Debian – it might be different for your system)
# cd /etc/apache2/mods-available/
# a2enmod headers
Add these lines to httpd.conf
Header always unset "X-Powered-By"
Header always unset "X-Runtime"
Restart the Apache server (Again – this is Debian! It might be different for you)
# apache2ctl restart
And there you go. Try running e.g. a Nikto scan against the server and check that the headers are no longer present.
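The last step above is to re-check the server. The script below is an added example, not code from the original post or from Aconiac: it reads an HTTP response header block from standard input (for instance the output of curl -sI, which is assumed to be available) and reports whether X-Powered-By or X-Runtime are still being sent. The two sample responses in it are constructed; the Passenger and Rails header values are made up for illustration.

```sh
#!/bin/sh
# Added example: verify that an Apache/mod_rails server no longer discloses the
# two headers the post removes with "Header always unset".
#
# Live usage (curl assumed):   curl -sI http://your-server/ | sh check_headers.sh --stdin
# Run without arguments it demonstrates the check on constructed sample responses.

# Header names to flag; extend the list if you unset further headers in Apache.
DISCLOSURE_HEADERS="X-Powered-By X-Runtime"

# Header names are case-insensitive in HTTP, so compare them lower-cased.
lower() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# Read a status line plus headers from stdin, stop at the blank line that ends
# the header block, and print "LEAK: <header line>" for every disclosure header
# found. Returns 0 when the response is clean, 1 when at least one header leaks.
check_headers() {
    leaks=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')    # HTTP lines end in CRLF
        [ -z "$line" ] && break                      # blank line: headers are over
        case $line in
            *:*) ;;                                  # "Name: value" header line
            *) continue ;;                           # status line has no colon
        esac
        name=$(lower "${line%%:*}")
        for h in $DISCLOSURE_HEADERS; do
            if [ "$name" = "$(lower "$h")" ]; then
                printf 'LEAK: %s\n' "$line"
                leaks=1
            fi
        done
    done
    return $leaks
}

# Constructed sample: what a Rails app behind mod_rails typically sends before
# the fix (values made up, not captured from a real host).
before_fix() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: Phusion Passenger\r\nX-Runtime: 0.012\r\nContent-Type: text/html\r\n\r\n<html>...\r\n'
}

# Constructed sample: the same response after "Header always unset" took effect.
after_fix() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>...\r\n'
}

demo() {
    echo "before fix:"
    before_fix | check_headers || echo "-> headers still disclosed"
    echo "after fix:"
    after_fix | check_headers && echo "-> clean"
}

case ${1-} in
    --stdin) check_headers ;;   # check a real response piped in from curl -sI
    *)       demo ;;
esac
```

Because the directives use `Header always`, which is meant to apply to error responses as well as successful ones, it is worth piping the headers of a non-existent page through the same check, not only the front page. Wrapping the two directives in an `<IfModule mod_headers.c>` block in httpd.conf additionally keeps Apache starting cleanly should the module ever be disabled again.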
NOTE: This news item was originally posted on February 14, 2009.
Since we often get contacted concerning different types of partnership deals, we have now chosen to create a service for this purpose.
Further description of the service can be found here.
NOTE: This news item was originally posted on January 4, 2009
Since many of our clients have turned out to be fully capable of correcting their security issues themselves or really just wanted to get their own security corrections checked, we have now launched a service that can fulfil this need.
This service is Vulnerability Testing and is basically like Security Testing, but without Aconiac correcting the security issues and without Aconiac needing access to specifications about the system. A vulnerability test is therefore a realistic simulated attack by a hacker, so that companies can find whatever security issues a hacker would have found.
The service is sold at a fixed price of 540€ excl. VAT, with the sole exception that if your system is abnormally large or complex, Aconiac may decline to do the service at the fixed price and will instead suggest other solutions, like e.g. a real security test.
Further description of the service can be found here.
NOTE: This news item was originally posted on January 2, 2009
Aconiac Password Generator has, for some time, lacked a proper and easy way of installing the application. We have therefore now released a version with the Java Web Start technology. Java Web Start makes it easy to install the application on any system and even makes automatic updates of the application for the user – ultimately resulting in a more automated and easy process. Download the application by pressing the big green button on the product page.
If, for some reason, you do not want to use the Java Web Start version, it is of course still possible to download the application from SourceForge.net
NOTE: This news item was originally posted on December 31, 2008
Aconiac Security Group wishes you a happy new year and hopes you’ll get through the evening with all fingers intact.
We’ll see you in 2009!
NOTE: This news item was originally posted on December 30, 2008

2008 will soon be over and a new and exciting year lies in front of us. 2008 was an interesting year for computer security. We saw, once again, escalating threats towards companies from almost all fronts. Especially the leaks of unencrypted data in England, the automated SQL injection mass-attacks and the attacks on social network services were some of the big public problems in 2008.
But then how will 2009 be? Now, it’s obviously very hard to predict the future in such a dynamic world, however we have made an effort to come up with our ideas for what might be the 10 biggest security threats in 2009:
The economic crisis, which right now is devastating many businesses all over the world, will most likely result in companies having to cut down on expenses. In these kinds of expense cuts, typically what gets cut first is the administrative expenses like e.g. computer security and preventive measures. We can therefore expect to see an increase in the amount of security issues in software and systems developed in 2009.
One of the greatest threats towards security in a company is and will always be education. This has been, in our minds, the biggest issue in 2008 and has actually always been the biggest issue. Users of IT solutions do not understand the security problems well enough to effectively protect themselves. We will therefore, once again this year, probably see an increase in successful hacker attacks – attacks that largely could be prevented by increased education.
Employees are becoming more and more mobile as each day passes. One of the big things that really got a boost in 2008 was mobile broadband. This technology specifically can lead to employees beginning to do their jobs outside of the company’s secure perimeter – a trend that could ultimately lead to catastrophic data leakage if it is not prevented by good policies and encryption.
Due to the economic crisis, a lot of companies will probably begin to outsource certain tasks to cheaper labor in other countries. This, however, has a lot of serious security implications, since the company no longer has control of how its data is handled. It is therefore extremely important that companies make a proper security policy with their outsourcing partner and that this policy is actually followed.
The time when hackers were just small kids in a basement is, by far, over. Today several indications are showing that hacking has, in several cases, been used by e.g. China to attack government institutions in the USA. This type of attack, which for the record can have catastrophic consequences, will likely escalate in 2009, where we will see even more examples of this form of Internet warfare.
While nations all over the world are using more and more censorship and surveillance, many freedom-loving employees will begin to work harder to secure their privacy and the right to free speech. This will probably manifest itself in an increased use of software to break blocking mechanisms and hide information about the user. With this increased usage, it will become much harder for companies to identify malicious users, since it will now not only be the criminals who are attempting to hide from identification.
While viruses and spyware are everyday fears of Windows users, Apple’s Mac OS X has up until now avoided most problems. It has actually avoided them so well that many Mac users now mistakenly believe Mac OS X cannot be infected with malicious software, like e.g. a virus. Apple had record high sales of Macs in 2008, and as its market share increases, so will the number of attacks on the platform. Sooner or later it will therefore become a security risk to have an unprotected Mac OS X on the company network, and companies should therefore implement effective security policies for Mac users.
A lot of companies and government institutions still have websites with several security issues of varying types. With the deepening economic crisis and the likewise increasing number of computer criminals, it is very likely that many more companies will be attacked from the web this year – even many more than in earlier years.
With the expanded use of SMS for almost any thinkable communication, criminals will soon begin to notice the possibilities of using SMS to scam individuals and companies. Most do not know that it is extremely easy to fake an SMS so that it seems to come from “Mom” or “The Boss”. This makes it easy for criminals to scam people into wiring funds or giving out passwords.
Social networks are not as big of a threat as some security companies would have you believe, however there are several dangers you should take seriously as a company owner. In 2008, for example, there were several attempts at spreading viruses through Facebook, and MSN Messenger in particular is often a target for computer criminals. All of these attacks can, however, generally be avoided with simple education of one’s employees. We don’t recommend blocking access to social networks for your employees, even though we know certain companies do this today.
NOTE: This news item was originally posted on December 3, 2008
Since our password generator has always been free and is fairly simple software, we have now decided to release the software as open source under the so-called 3-clause BSD license.
This means that if you need a password generation feature for your software, you can actually take our code and use it directly in your code without paying us a dime. Just as long as you write publicly that you are using our code.
You can read more about the BSD license on Wikipedia.
The code is stored on SourceForge.Net and there is a direct link to the project here on the website.
NOTE: This news item was originally posted on October 14, 2008
After a longer period of time with irritating problems due to our telephone provider, we have now switched to a more stable solution and do not expect any issues with our phone systems in the future.
Our new phone number is +45 72207279.
NOTE: This news item was originally posted on May 3, 2008

Aconiac’s tool for generating random passwords has now been released and is free to download from the product page. We encourage everyone to download the tool and generate some secure passwords for the many user accounts an average user has these days.
Right now, the application is only available for Windows XP/Vista, however we expect to have a release for Linux, BSD and Mac within the next few weeks.