Archive

Posts Tagged ‘Security’

Deny User Access to a Website Using Squid

August 31st, 2008

There is often a requirement to block or deny user access to certain websites, and this post shows how administrators can use Squid to achieve this:

Squid is a popular open source web proxy and web cache. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other network lookups for groups of people sharing a network connection and, of most interest for this post, filtering traffic as a security control. It was originally intended for Unix/Linux but has been ported to a number of platforms.

Squid has a powerful ACL (access control list) system. Its primary use is access control: deciding which clients may fetch which URLs through the proxy, and it can be used to stop users reaching a particular site. The http_access rules are evaluated top to bottom and the first one that matches a request wins, so a deny rule only works if it appears above any broader allow rule (such as the one that lets your local network out) that would otherwise match the same request.

In order to do this we have to edit the Squid configuration file, e.g.:

# vi /etc/squid/squid.conf

Search for ‘Access Controls’ and add the following lines in that section, above the existing http_access allow rules rather than at the very end of the file, where they would sit below the final ‘http_access deny all’ and never be reached (in this example we are blocking access to ‘nastysite.com’; the leading dot makes the dstdomain ACL match the domain itself and every subdomain of it):
acl badsite dstdomain .nastysite.com
http_access deny badsite

Save and close the file, check that it still parses (squid -k parse) and then restart Squid, or reload it in place with squid -k reconfigure, which keeps existing client connections up:
# /etc/init.d/squid restart

If required, you can specify more than one site to be blocked, separated by spaces (longer lists are easier to manage in a separate file, one domain per line, with the quoted path of that file given in place of the domain list):
acl badsite dstdomain .nastysite.com .anothernastysite.com
http_access deny badsite

You can also use regular expressions to block access to more than one website at once. For example, if you would like to deny access to any site where the URL contains the word “twitter”, use the following ACL lines (-i makes the match case-insensitive):
acl badsitegroup url_regex -i twitter
http_access deny badsitegroup

Bear in mind that url_regex is matched against the whole URL, including the path and query string, so this rule also blocks an unrelated page whose address merely mentions twitter, and a regex without anchors is easy to make far broader than intended. If the aim is to block by hostname, dstdomain (or dstdom_regex for patterns) is more precise. For HTTPS traffic the proxy only sees the CONNECT request, i.e. host and port, so hostname-based ACLs still work but nothing inside the encrypted URL can be matched.
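The ordering point above is the usual way these rules fail silently: the lines are appended after ‘http_access allow localnet’ or ‘http_access deny all’ and are never evaluated. The following script is an added example, not part of the original post or of Squid itself. It scans a squid.conf and reports any http_access deny rule for a named ACL that sits below the first http_access allow line; ‘deny all’ is left alone because it is normally the final rule. The two sample configurations it checks are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the ordering of
# http_access rules in a squid.conf. Squid evaluates http_access lines top to
# bottom and stops at the first match, so a "deny badsite" line appended after
# "http_access allow localnet" (or after "deny all") is dead configuration.

# check_deny_order FILE -> exit status 0 if ordering is sound, 1 otherwise.
# Each shadowed deny rule is printed on stdout with the allow that hides it.
check_deny_order() {
    awk '
        BEGIN { first_allow = 0; bad = 0 }
        /^[[:space:]]*#/ || NF == 0 { next }            # skip comments and blanks
        $1 == "http_access" && $2 == "allow" && first_allow == 0 { first_allow = NR }
        $1 == "http_access" && $2 == "deny" && $3 != "all" && first_allow > 0 {
            printf "line %d: \"%s\" is after the allow on line %d and will never match\n", NR, $0, first_allow
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample configurations (hypothetical, written to temp files so the
# check runs offline). SQUID_GOOD has the deny rules above the allow; SQUID_BAD
# has the post'"'"'s lines appended at the end of the file.
SQUID_GOOD=$(mktemp)
SQUID_BAD=$(mktemp)
trap 'rm -f "$SQUID_GOOD" "$SQUID_BAD"' EXIT

cat > "$SQUID_GOOD" <<'EOF'
acl localnet src 192.168.0.0/16
acl badsite dstdomain .nastysite.com .anothernastysite.com
acl badsitegroup url_regex -i twitter
http_access deny badsite
http_access deny badsitegroup
http_access allow localnet
http_access deny all
EOF

cat > "$SQUID_BAD" <<'EOF'
acl localnet src 192.168.0.0/16
acl badsite dstdomain .nastysite.com
http_access allow localnet
http_access deny all
# appended at the end of the file, below the allow and the final deny all
http_access deny badsite
EOF

for f in "$SQUID_GOOD" "$SQUID_BAD"; do
    if check_deny_order "$f"; then
        echo "$f: OK, deny rules precede the first allow"
    else
        echo "$f: deny rules shadowed by an earlier allow"
    fi
done
```

Run it against the real file with check_deny_order /etc/squid/squid.conf after editing; a clean result plus squid -k parse is a reasonable pre-reload check. The script only looks at rule order, so it does not catch an over-broad regex or an ACL that matches nothing.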

More information on Squid commands can be found at: http://wiki.squid-cache.org/FrontPage

 

Vista Security exploit – without the hype

August 18th, 2008

There’s been some wild and panicky stuff in the tech press lately about a potential exploit that could bypass Vista’s security model. It all sounds pretty drastic, but please bear in mind that most reports have been fairly sensationalist about it.

A ZDNet blog post contains a bit more ‘measured’ information about it along with responses from one of the guys who reported the exploit.

 

Microsoft August update contains several critical fixes

August 11th, 2008

The August update from Microsoft is likely to contain a number of critical and major fixes.

The update will include seven items rated as ‘critical’, the highest of Microsoft’s security alert levels. All of these will address issues that may allow an attacker to remotely execute code on a targeted system.

Four of the critical fixes relate to Office issues, one addresses critical flaws in Windows 2000, XP and Server 2003, another fixes a critical issue in Windows Media Player while the last addresses a critical vulnerability in Internet Explorer.

Also planned are five fixes rated as ‘important’. The patches include two remote code execution flaws in Windows and one in Office. The other two updates address information disclosure vulnerabilities found in Windows Messenger, Outlook Express and Windows itself.

The company plans to release the update on Tuesday 12th August. The release will also include non-security updates for the Windows Malicious Software Removal Tool and for Windows Update, Microsoft Update and Software Update Services.

 

DNS cache poisoning exploit released

July 25th, 2008

A quick note to warn you that the first code sample has been released to exploit the recently announced DNS cache poisoning vulnerability. While most users will be relying on their ISP to patch the resolvers they use, you should also make sure that you have applied any required OS patches/updates (e.g. Windows MS Security Bulletin MS08-037). DNS-OARC’s porttest service (porttest.dns-oarc.net) will tell you whether the resolver you are using randomises its source ports, which is what the patches add.

Also, you should note that while attackers may be able to redirect you to a bogus IP address, they cannot produce a certificate for the real site’s domain that your browser trusts. So if you go to your online banking site and find you are on an ‘http’ page rather than ‘https’, or you get the IE7 warning page about untrusted/mismatched certificates, you should stop and be careful. Of course, many smaller sites use shared certificates, so it is quite common to see this warning elsewhere, but you should never expect to see it when using online banking or similar.

 


Blackberry security flaw

July 16th, 2008

Research in Motion, makers of the Blackberry, has warned businesses to disable the function which allows a BlackBerry to read PDF files, after a security flaw was found in the software.

A “high” severity flaw in how BlackBerry Enterprise Server (BES) processes PDF files may be used to compromise a network. RIM disclosed the flaw last week but has yet to issue a patch, stating that no timeframe for a fix was available.

Until then, customers are advised to disable the BlackBerry Attachment Service, the BES component that converts PDF attachments for viewing on BlackBerry devices. The flaw lies in the service’s PDF processing and can be triggered by a maliciously crafted PDF sent to a user; because the conversion happens on the server, the resulting code execution is on the BES host rather than on the handset.

Vulnerable systems include BES software version 4.1 Service Pack 3 (4.1.3) through to 4.1 Service Pack 5 (4.1.5).

“If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer,” RIM states on its advisory.

According to Sense of Security’s principal consultant, Jason Edelstein, this means that corporate networks are at risk from the flaw. Most organisations place the BES on an internal network alongside key systems such as the mail server, giving it privileged access to other computers on that network.

“Most organisations put the BES on an internal server on the network, which actually is a conduit between the internal server and RIM’s servers based in Canada,” he said.

“If someone loses their device and it’s not locked in some way, you could browse internally to that company’s Web-based resources,” he said.

“The way the end user can determine if they are vulnerable is to try to open the browser on the BlackBerry and attempt to access your intranet resources — if it comes up on the BlackBerry and you know it’s not published on the internet, that should raise alarm bells.”

Blackberry/RIM Knowledgebase article