
Web Information Security

Web Information Security: practices, authentication, web password hacking, sessions, etc.

Articles

Building Secure Applications: Consistent Logging
2007-03-24 11:40:00
This article examines the dismal state of application-layer logging as observed from the authors' years of experience in performing source code security analysis on millions of lines of code. It argues that effective logging is often ignored in the push for application security and demonstrates how applications can benefit from real-time detection of attacks. An idea for a practical implementation is discussed, along with an examination of some of the associated risks and costs.
How to locate new phishing sites
2007-03-24 10:59:00
Phishing sites are easy to locate once the bad boys start spamming out thousands of mails linking to their site. But how can such sites be found before that? Here's an example. You can subscribe to alert services that will let you know when a new domain with certain keywords has been registered. Domaintools is one such service.
Security-Database releases FireCAT (Firefox Catalog of Auditing Toolbox)
2007-03-24 10:47:00
The Security-Database.com team is happy to announce its new Firefox Framework Map, a collection of the most useful security-oriented extensions. We called the framework FireCAT. It stands for FireFox Catalog of Auditing Toolbox.
Javascript is everywhere
2007-03-22 06:11:00
DShield has published a write-up, called "Javascript hiding everywhere", about some of the places where JavaScript can exist. Some of those places include QuickTime, Flash, PDF files and MP3s.
Big trouble if PCI-DSS requires CSRF
2007-03-22 06:10:00
Jeremiah Grossman has a post asking the question 'what if PCI-DSS requires CSRF protection?'. Short answer: just about everybody is vulnerable (more so than to XSS), and making people compliant with it is going to be almost unrealistic.
PwdHash from Stanford - Generate Passwords by Hashing the URL
2007-03-22 04:25:00
The Common Password Problem. Users tend to use a single password at many different web sites. By now there are several reported cases where attackers break into a low-security site to retrieve thousands of username/password pairs and directly try them one by one at a high-security e-commerce site such as eBay. As expected, this ... Read the full post at darknet.org.uk
Identity theft getting physical
2007-03-22 04:23:00
Markets are powerful things. Look at how eBay changed the world by creating a market for old stuff. Over a million people reportedly make most of their income from selling stuff on eBay. I have been writing and talking about the market for identities for a year now. I think it is important to point out that this market is the biggest driver in the rise of cyber crime right now.
How to create a command-line password locker
2007-03-16 23:42:00
Like many people, I have too many passwords to remember. To keep them straight, I wrote a simple password locker script using dialog and GnuPG (GNU Privacy Guard). The script prompts the user for a master password using a dialog box, decrypts a file that holds a list of passwords, and opens the file in a text editor. When the editor is closed, the script re-encrypts the password file. Dialog is an ncurses-based utility for providing text-based message and input boxes. GnuPG is a free implementation of the OpenPGP standard. Both applications are available as binary packages on Debian-based systems.
Security Implications of Microsoft Windows Vista
2007-03-15 20:39:00
Windows Vista is the result of over four years of work and the investment of many billions of dollars. It is billed as the most secure version yet of the Microsoft Windows® operating system. This paper discusses not only the security technologies employed by Microsoft that justify this accolade but also how, in combination, these technologies mitigate specific classes of threats. This paper presents a high-level summary of Symantec's research findings into the security of Windows Vista, and a set of conclusions that discuss the exposure that remains even in the face of its new security technologies. The intent of this paper is not to detract from the improvements that Microsoft has made, but rather to provide an objective and balanced view of how Windows Vista will affect the overall threat landscape. Technorati Tags: Windows
Secure use of LDAP for Naming Services with Solaris
2007-03-15 20:32:00
This paper discusses some security considerations when using Lightweight Directory Access Protocol (LDAP) as a naming service for Solaris systems, that is, as a networked storage location for the information usually stored in local files, such as account and group information, automount maps, etc. It specifically discusses changes to the configuration of the Sun ONE Directory Server 5.2 product, and changes to the Solaris client configuration, to help avoid some security vulnerabilities. Note that all examples use fake data. Technorati Tags: Configuration SSL Operating System
Debugging a Service on Windows Vista
2007-03-15 20:22:00
This is a great post about debugging a service on the Vista platform. I recently picked up John Robbins' excellent Debugging Microsoft .NET 2.0 Applications and was flipping through it to discover just what new things I would learn and/or remind myself of. His brilliant description of setting up a local symbol server could not have been more well-timed - I spoke with a customer literally the next day for whom a symbol server was the perfect solution, and rather than having them wade through the documentation to understand exactly how to do this, I could just lift up the book (as I said, it was literally the next day, so it was still in my bag) and say "get this and go to this chapter." Saved me a lot of time, and solved a serious customer issue. Technorati Tags: Windows
Writing Software Security Test Cases
2007-03-14 20:33:00
Putting security test cases into your test plan. By Robert Auger, 1/5/2007. Part of software testing involves replicating customer use cases against a given application. These use cases are documented in a test plan during the quality assurance phase of the development cycle to act as a checklist, ensuring common use cases aren't missed during the testing phase. People within the quality assurance community are starting to understand that checking an application for security issues (defects) isn't just the responsibility of the security department (if one exists), or of the software architects. While typical QA engineers don't understand the scope or inner workings of specific software vulnerabilities, they do go about testing an application in a similar fashion to the penetration testing community. Unlike typical penetration testing, QA has access to internal documents and insider information, giving them advantages to aid in the testing of an application. In additio...
Testing Fault Injection in Local Applications
2007-03-14 20:27:00
This article is an excerpt from the book "The Art of Software Security Testing," and focuses on the approach and techniques used to test the security of local applications. It begins by describing local resources and interprocess communication, which make up a local application's attack surface. After describing how to enumerate the local resources an application depends on, the text then describes methods of testing several of those types of resources. It also describes how to test ActiveX objects, command-line programs, and applications' use of local files and shared memory. Technorati Tags: Logging Operating System Windows
15 Security Questions to Ask Your Software Vendor
2007-03-14 20:24:00
Developers are more focused on making software work than on making it secure. This is not a criticism; it's just a fact of life. -- By Allan Holmes. Security Innovation, a risk assessment consultancy, provides questions you can ask a software vendor about its development processes. The answers you get will tell you just how much effort is put into security. It's up to you how much risk you want to assume. 1. Do you review security at each phase of the software development lifecycle? A good answer: Yes, we have integrated reviews into our product development lifecycle, from requirements definition to code development and testing.
Securestring - Encrypting the data in memory .NET v2.0
2007-01-22 20:47:01
Learn to use SecureString to manage secure string data properly by having the data encrypted in memory and immutable. Language: C# (csharp). Author: Kelly S. Elias. If you have an application that takes user passwords and you're storing them in regular strings, those passwords are not very safe. The data is held in plain text in memory, and the .NET Framework manages the strings and can make several copies of them. The data can go into swap files and is generally insecure. The .NET Framework v2 introduced a SecureString class to solve this. This class encrypts the value of the string it contains so that the memory cannot be read. You can make the string immutable so it is effectively read-only, and pin the location in memory so the .NET Framework doesn't move it around and make copies, etc. When you're done with the SecureString and call the Dispose() method, the memory is wiped, clearing out the encrypted value of the string to help ensure the security of the data. Technorati Tags: SQL Inj...
Password Hashing with salting
2007-01-22 20:47:01
Password Hashing by James McGlinn. In this article I'm going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I've been asked to look at several web applications which all had the same security issue - user profiles stored in a database with plain text passwords. Password hashing is a way of encrypting a password before it's stored so that if your database gets into the wrong hands, the damage is limited. Hashing is nothing new - it's been in use in Unix system password files since long before my time, and quite probably in other systems long before that. In this article I'll explain what a hash is, why you want to use them instead of storing real passwords in your applications, and give you some examples of how to implement password hashing in PHP and MySQL. Technorati Tags: Authentication Asymmetric (Public) Database PHP
Protecting Your Laptop
2007-01-22 20:47:01
Author: Derek Melber. Steps to take to protect your laptop. Have you ever considered what would happen to your laptop if you were to lose it? Would it be on eBay the next day? Would the data be scraped off and show up on some MySpace Web site within the week? Would the data that you store on it be used in a hostile takeover of your company? Certainly all of these scenarios should be considered. Is There Any Risk? With over 600,000 laptops stolen every year, the possibility of not having your laptop tomorrow is pretty good. According to Gartner, the chances of your laptop being stolen this year are 1 in 10. That is a 10% chance that your laptop will be stolen. What about losing it or misplacing it? That surely takes your chances up to about 20% or so. Technorati Tags: Configuration
by Jaswinder S. Hayre, CISSP, and Jayasankar Kelath, CISSP
2007-01-14 02:43:03
1. Introduction. Ajax technologies have been very visible on the web over the past year, due to their interactive nature. Google Suggest and Google Maps [ref 1] are some of the notable early adopters of Ajax. Companies are now thinking of how they too can leverage it, web developers are trying to learn it, security professionals are thinking of how to secure it, and penetration testers are thinking of how to hack it. Any technology that can improve the throughput of servers, produce more fluid page transitions, and make web applications even richer for the end user is bound to find a place in the industry. Technorati Tags: Cross-Site Scripting (XSS) Input Validation AJAX
A comprehensive look at password hashes
2007-01-14 02:43:03
By Roger A. Grimes (InfoWorld), 11/01/2007 12:36:33. Many of today's computer passwords are stored and transmitted in a cryptographically hashed form. A strong password hash algorithm ensures that if the password hash is obtained by unauthorized parties, it is non-trivial to convert the hash back to the original plain text password (assuming the password is not trivial to guess in the first place). Technorati Tags: Authentication Cryptography
Firefox offers nowadays much more than browsing the web
2007-01-14 02:43:03
Firefox offers nowadays much more than browsing the web: auditing the targets. A lot of extensions (and many more to come) exist and help security auditors reveal hidden or miscellaneous information undetected by traditional application scanners. The fact is that Firefox and its extensions act as an in-between layer collecting all traffic sent to and received from the targets. Here are some useful extensions we used to play with during our application security assessments. FoxyProxy: FoxyProxy is an advanced proxy management tool that completely replaces Firefox's proxy configuration. It offers more features than SwitchProxy, ProxyButton, QuickProxy, xyzproxy, ProxyTex, etc.
PCI Data Security Standard Calls for Next-Generation Network Security
2007-01-14 02:43:03
The widespread use of credit cards for virtually all of our financial transactions has increased exponentially with the rapid adoption of e-commerce throughout the worldwide economy. With the increased use of credit cards comes the increased risk of fraud through credit card information theft and misuse. Stolen credit card data now has a monetary value on the street, and determined thieves have capitalized on failures to protect the data networks of businesses that process credit card transactions. The need to secure credit card transaction data at every level of business has never been greater, and a new set of security and privacy requirements, known as the Payment Card Industry (PCI) Data Security Standard, has created a compliance challenge for all companies that accept credit cards. Technorati Tags: PCI Security
Kelly Martin: PHP apps: Security's Low-Hanging Fruit
2007-01-14 02:43:03
PHP has become the most popular application language on the web, but common security mistakes by developers are giving PHP a bad name. Here's how PHP coding errors have become the new low-hanging fruit for attackers, contributing to the phishing problems on the web. PHP became one of my favorite languages because of how quickly one can write a highly functional, standards-based web application with a database back-end. Unfortunately, attackers are taking these applications even faster than they appear. Technorati Tags: PHP
Prepared statements in MySQL and PHP (Sat, Jan 6th)
2007-01-14 02:43:03
Starting with version 4.1, MySQL offers prepared statements. A prepared statement is a great way to avoid SQL injection issues. However, prepared statements are frequently not used, as they require a bit more typing. So I would like to take this opportunity to show off a few tricks to make it easier to use prepared statements. First of all, what is a prepared statement? Without prepared statements to help you, a SQL query is assembled as a string and then passed to the database. You will typically find code like this: $sQuery = "select id from users where email='$sEmail'"; $hResult = mysql_query($sQuery); The big problem here is SQL injection. What if we don't validate $sEmail well and end up with Mr. '; drop table users; registering? Technorati Tags: Input Validation SQL Injection Database MySQL PHP
The explosion in internet usage over the last 10 years
2007-01-14 02:43:03
The explosion in internet usage over the last 10 years has ensured that from the biggest Fortune 500 companies to small one-man startups, almost every company now has a vital IT component (whether they know it or not). Every business, including yours, has valuable IT assets such as computers, networks, and data. Protecting those assets requires that companies big and small conduct their own IT security audits in order to get a clear picture of the security risks they face and how best to deal with those threats. The following are 10 steps to conducting your own basic IT security audit. While these steps won't be as extensive as audits provided by professional consultants, this DIY version will get you started on the road to protecting your own company. Technorati Tags: Authentication Authorization Configuration Input Validation Logging Cryptography Database Operating System Programming
The huge adoption of wireless technologies over recent years
2007-01-14 02:43:03
The huge adoption of wireless technologies over recent years has made wireless data (or Wi-Fi) networks, based on the 802.11 specifications, one of the major attack vectors for organizations nowadays. Incident handlers and law enforcement have been forced to deal with the complexity associated with these technologies when managing and responding to security incidents. This two-part series looks at the issues associated with collecting and analyzing network traffic from wireless networks in an accurate and comprehensive way, a discipline known as wireless forensics. Technorati Tags: Wireless Forensics Wifi Traffic
Host multiple SSL sites on a single network card with IP aliasing
2006-12-30 08:40:01
John Yao-An Liao, Senior Technical Architect, Capital Group Companies; Jim Miles, UNIX System Administrator, Capital Group Companies. The interest in using SSL and name-based virtual hosts together is on the increase. Some people will tell you that such a thing is impossible, but you can implement virtual hosts in Apache through IP-based virtual hosts. In this article, John Liao and Jim Miles show you how. Technorati Tags: Configuration SSL Apache Linux Operating System Web Server
Firm: Seven steps for a more secure network
2006-12-30 08:40:01
IT security professionals should rely on personal vigilance and implemented methodologies - not just the slew of new products hitting the marketplace - to protect their networks in 2007. Perimeter eSecurity, a Milford, Conn.-based email security firm, released its seven New Year's resolutions for end users and network security pros this week, urging them to change their own behavior to help protect networks. Andrew Greenawalt, Perimeter eSecurity founder, said in a news release that organizational steps can help to secure a network without time consumption. Technorati Tags: Configuration Operating System
Top Ten Threats for 2007
2006-12-30 08:40:01
Top Ten Threats for 2007 by ZDNet's Richard Stiennon -- I had some time last week to think ahead a bit. I was on a twelve hour round trip flight to Maui just to get frequent flier points with Northwest. I know it sounds like a horrible waste, but you do crazy things when you are facing a year of commuting from Detroit to California in coach class. One miserable evening will help me avoid a year of shooting pains in my knees. So, thinking ahead to next year, I created my predictions for the Top Ten Threats of 2007... Technorati Tags: Configuration Input Validation Database Operating System
Strong Password Security Practices
2006-12-29 20:39:01
Strong passwords: How to create and use them. Your passwords are the keys you use to access personal information that you've stored on your computer and in your online accounts. If criminals or other malicious users steal this information, they can use your name to open new credit card accounts, apply for a mortgage, or pose as you in online transactions. In many cases you would not notice these attacks until it was too late. Technorati Tags: Authentication Authorization Windows Password Security
Why Information Security is Hard - An Economic Perspective
2006-12-29 20:39:01
by Paul A. Karger and Roger R. Schell. Almost thirty years ago a vulnerability assessment of Multics identified significant vulnerabilities, despite the fact that Multics was more secure than other contemporary (and current) computer systems. Considerably more important than any of the individual design and implementation flaws was the demonstration of subversion of the protection mechanism using malicious software (e.g., trap doors and Trojan horses). A series of enhancements were suggested that enabled Multics to serve in a relatively benign environment. These included the addition of "Mandatory Access Controls", and these enhancements were greatly enabled by the fact that Multics was designed from the start for security. However, the bottom-line conclusion was that "restructuring is essential" around a verifiable "security kernel" before using Multics (or any other system) in an open environment (as in today's Internet) with the existence of we...