Benlog » Don’t Hash Secrets
"But all of that’s ok. Because without Steve Jobs’ Apple the world would be a less colorful place. The man is a living legend and deserves his place in history. This Thanksgiving, Steve Jobs is one of the things that I’m thankful for. And I bet you are too."
Part2 - browsersec - Browser Security Handbook, part 2 - Project Hosting on Google Code
Really great, comprehensive, encyclopedic information nominally about browser security, but actually covers a lot of details about browser quirks and general web behaviour. "Trivia: as hinted earlier, ETag / If-None-Match, as well as Last-Modified / If-Modified-Since header pairs, particularly in conjunction with Cache-Control: private, max-age=... directives, may be all abused to store persistent tokens on client side even when HTTP cookies are disabled or restricted. These headers generally work the same as the Set-Cookie / Cookie pair, despite a different intent."
Keyczar
"Keyczar is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. Keyczar supports authentication and encryption with both symmetric and asymmetric keys."
What Israel can teach us about security - thestar.com
"Israelis, unlike Canadians and Americans, don't take s--- from anybody. When the security agency in Israel (the ISA) started to tighten security and we had to wait in line for – not for hours – but 30 or 40 minutes, all hell broke loose here. We said, 'We're not going to do this. You're going to find a way that will take care of security without touching the efficiency of the airport.'"
Why do so many terrorists have engineering degrees? - By Benjamin Popper - Slate Magazine
Matt Blaze: Notes from the No Lone Zone
"If you can climb a fifteen foot ladder and fit through a two foot diameter hole, you can, with a bit of advance planning, take an extensive "top-to-bottom" tour of a Titan II ICBM launch complex, complete with missile silo and missile. Best of all, you no longer have to trespass or join the Air Force to do it."
The OpenID and OAuth Flow: Playing with UX · Ben Ward
Examples of how the OpenID and OAuth "login" process could be improved.
Cross-domain policy file usage recommendations for Flash Player | Adobe Developer Connection
A permissive crossdomain.xml (allow-access-from domain="*") lets Flash content loaded from any site make requests to your server with the user's cookies and read the responses, which turns ordinary CSRF into cross-site data theft. Lock the policy down to the specific trusted domains that actually need access.
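An added example, not code from Adobe's article: a small audit script that parses a crossdomain.xml and flags the settings the recommendations warn about (wildcard domains, secure="false", wildcard request headers, a site-control value of "all"). The two policies and the trusted-suffix list are constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not from Adobe's article): a wide-open one and a restricted one.
WEAK_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

HARDENED_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com"/>
  <allow-access-from domain="*.static.example.com"/>
</cross-domain-policy>"""


def _is_trusted(domain, trusted_suffixes):
    """True if domain (possibly '*.sub.example.com') stays within a trusted suffix."""
    host = domain[2:] if domain.startswith("*.") else domain
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def audit_crossdomain(policy_bytes, trusted_suffixes=("example.com",)):
    """Return a list of findings for a crossdomain.xml; an empty list means nothing was flagged.

    trusted_suffixes is the operator's own list of domains allowed to call the site (assumed).
    """
    findings = []
    root = ET.fromstring(policy_bytes)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": Flash content on any site can make '
                            "requests with the user's cookies and read the responses")
        elif not _is_trusted(domain, trusted_suffixes):
            findings.append(f'allow-access-from domain="{domain}" is outside the trusted list')
        # secure="false" lets content loaded over plain HTTP use this policy for HTTPS resources.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" for domain="{domain}": HTTP-loaded content '
                            "may read HTTPS responses")

    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers", "") == "*":
            findings.append("any site may send arbitrary HTTP request headers")

    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permits "all": policy files anywhere on the host are honoured')

    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_crossdomain(policy) or "no findings")
```

Run it against the real file fetched from https://yourhost/crossdomain.xml; the weak sample produces three findings and the hardened one none.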
Authenticating REST Requests
How requests to Amazon's S3 service need to be signed. Good example of this sort of thing: very clear terminology and definitions.
HMAC - Wikipedia, the free encyclopedia
Surprisingly, hash(secret + message) is not a good way to authenticate messages: with Merkle-Damgård hashes such as MD5, SHA-1 and SHA-256 the digest is the hash's internal state, so an attacker who has seen message + hash can append data and compute a valid hash for the longer message without knowing the secret (length extension). hash(message + secret) avoids that particular attack but is still not a sound MAC; use HMAC (hmac-sha1() or similar) instead.
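An added example, not from the Wikipedia article: the length-extension forgery against tag = SHA1(secret || message), and the same attempt failing against HMAC-SHA1 (the construction the S3 request signing above also uses). The secret, message and appended suffix are constructed; the attacker side needs only the observed message, its tag and a guess at the secret's length.

```python
import hashlib
import hmac
import struct

# SHA-1 initial state (FIPS 180). A published digest is exactly the internal state after
# the last block, which is what makes extension possible.
_SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _sha1_padding(message_len):
    """The padding SHA-1 appends to a message of message_len bytes."""
    return b"\x80" + b"\x00" * ((55 - message_len) % 64) + struct.pack(">Q", message_len * 8)


def _sha1_compress(state, block):
    w = list(struct.unpack(">16I", block)) + [0] * 64
    for t in range(16, 80):
        w[t] = _rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1)
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d, e)))


def _sha1_from_state(state, data):
    """Run the compression function over data (a multiple of 64 bytes) from a given state."""
    for i in range(0, len(data), 64):
        state = _sha1_compress(state, data[i:i + 64])
    return struct.pack(">5I", *state).hex()


def sha1(message):
    """Plain SHA-1 from the same primitives, so they can be checked against hashlib."""
    return _sha1_from_state(_SHA1_IV, message + _sha1_padding(len(message)))


def sha1_matches_hashlib(message):
    return sha1(message) == hashlib.sha1(message).hexdigest()


# The broken scheme: tag = SHA1(secret || message).
def naive_tag(secret, message):
    return hashlib.sha1(secret + message).hexdigest()


def naive_verify(secret, message, tag):
    return hmac.compare_digest(naive_tag(secret, message), tag)


def forge(message, tag, secret_len, suffix):
    """Attacker side: extend an observed (message, tag) pair without the secret.

    Only the secret's length is needed; an attacker can simply try every length from 1 to 64.
    """
    original_len = secret_len + len(message)
    glue = _sha1_padding(original_len)          # padding the server's hash already absorbed
    forged_message = message + glue + suffix
    state = struct.unpack(">5I", bytes.fromhex(tag))   # resume from the digest
    total_len = original_len + len(glue) + len(suffix)
    forged_tag = _sha1_from_state(state, suffix + _sha1_padding(total_len))
    return forged_message, forged_tag


# The right scheme: HMAC. The outer keyed hash cannot be recomputed from the tag alone.
def hmac_tag(secret, message):
    return hmac.new(secret, message, hashlib.sha1).hexdigest()


def hmac_verify(secret, message, tag):
    return hmac.compare_digest(hmac_tag(secret, message), tag)


def demo():
    secret = b"server-side-key-unknown-to-attacker"   # constructed
    message = b"user=alice&role=user"                   # constructed
    suffix = b"&role=admin"                             # later duplicate parameter wins in many parsers
    # Against SHA1(secret || message): the extended message verifies.
    msg1, tag1 = forge(message, naive_tag(secret, message), len(secret), suffix)
    naive_accepts = naive_verify(secret, msg1, tag1)
    # Same steps against an HMAC tag: the forged tag is rejected.
    msg2, tag2 = forge(message, hmac_tag(secret, message), len(secret), suffix)
    hmac_accepts = hmac_verify(secret, msg2, tag2)
    return naive_accepts, hmac_accepts


if __name__ == "__main__":
    print("naive scheme accepts forgery:", demo()[0], "| HMAC accepts forgery:", demo()[1])
```

The forged message carries the padding bytes in the middle (a 0x80 byte, zeros and the length); whether that survives depends on the consumer, but query-string and binary protocols frequently tolerate it, which is why the construction is considered broken regardless of the application.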
PHP Tutorials Examples Filtering Data with PHP
Billion laughs - Wikipedia, the free encyclopedia
A small XML document that declares nested entities (each one referencing the previous one many times) expands to an enormous string when parsed, which can exhaust an XML parser's memory or CPU.
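An added example, not from the Wikipedia article: it builds a scaled-down version of the payload, parses it with expat to show the expansion factor, and then parses it again with a handler that refuses any entity declaration, which is the simplest hardening when your documents never legitimately need a DTD. The depth and fan-out values are constructed to stay small.

```python
import xml.parsers.expat


def build_laughs(depth, fanout, leaf="lol"):
    """Build a scaled-down 'billion laughs' document: `depth` levels of entities, each
    referencing the previous one `fanout` times. depth=3, fanout=10 expands to 1000 leaves;
    the classic payload uses depth=9, fanout=10, roughly 3 GB of text from under 1 KB of XML.
    """
    lines = [f'<!ENTITY lol0 "{leaf}">']
    for level in range(1, depth + 1):
        refs = f"&lol{level - 1};" * fanout
        lines.append(f'<!ENTITY lol{level} "{refs}">')
    dtd = "\n".join(lines)
    return f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n{dtd}\n]>\n<lolz>&lol{depth};</lolz>'.encode()


def parse_naively(xml_bytes):
    """Default expat behaviour: internal entities are expanded in full."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


class EntityDeclarationRejected(ValueError):
    pass


def parse_rejecting_entities(xml_bytes):
    """Hardened variant: abort as soon as the document declares any entity."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        raise EntityDeclarationRejected(f"entity declaration {name!r} not allowed")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def expansion_report(depth, fanout):
    """Compare document size with expanded size, and check the hardened parser refuses it."""
    doc = build_laughs(depth, fanout)
    expanded = parse_naively(doc)
    try:
        parse_rejecting_entities(doc)
        rejected = False
    except EntityDeclarationRejected:
        rejected = True
    return {
        "document_bytes": len(doc),
        "expanded_chars": len(expanded),
        "rejected_by_hardened_parser": rejected,
    }


if __name__ == "__main__":
    print(expansion_report(3, 10))
```

Recent expat builds add their own amplification limit, but it only activates above a size threshold, so an explicit policy of rejecting DTDs (or parsing with a library such as defusedxml) is still the check to have on any untrusted input path.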
RFC 4086 - Randomness Requirements for Security
"This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements." Includes information on entropy sources and on mixing functions (combining several entropy sources).
Google Online Security Blog: Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems
Example of HTML template code in which the same variable appears in four different contexts (HTML text, attribute value, URL, JavaScript), each of which needs a different escaping; the template system picks the right one from the surrounding markup instead of leaving it to the developer.
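An added example, not the Google template system's code: a toy autoescaper that inspects the template text before each {{slot}} to decide whether it sits in HTML text, an ordinary attribute, a URL attribute or a script block, and applies the matching escaper. The context rules (double-quoted attributes only, no inline event handlers) and the sample template and payload are assumptions for the demo.

```python
import html
import json
import re
from urllib.parse import quote

_SLOT = re.compile(r"\{\{\s*(\w+)\s*\}\}")
# Inside a <script> element that has not yet been closed.
_IN_SCRIPT = re.compile(r"<script\b[^>]*>(?:(?!</script>).)*$", re.I | re.S)
# Inside a double-quoted attribute value whose closing quote has not appeared yet.
_IN_ATTR = re.compile(r'\s([A-Za-z-]+)\s*=\s*"[^"]*$')
_URL_ATTRS = {"href", "src", "action", "formaction"}


def context_of(prefix):
    """Classify the output context from the template text preceding a slot."""
    if _IN_SCRIPT.search(prefix):
        return "js"
    m = _IN_ATTR.search(prefix)
    if m:
        return "url" if m.group(1).lower() in _URL_ATTRS else "attr"
    return "html"


def escape_for(context, value):
    if context == "html":
        return html.escape(value, quote=False)
    if context == "attr":
        return html.escape(value, quote=True)
    if context == "url":
        # Percent-encode the value, then attribute-escape the result (it is inside quotes).
        return html.escape(quote(value, safe=""), quote=True)
    if context == "js":
        # Emit a complete JSON string literal; also escape <, > and & so that a value
        # containing "</script>" cannot terminate the script block.
        return (json.dumps(value).replace("<", "\\u003c")
                .replace(">", "\\u003e").replace("&", "\\u0026"))
    raise ValueError(f"unknown context {context!r}")


def contexts_of(template):
    return [context_of(template[:m.start()]) for m in _SLOT.finditer(template)]


def render(template, **values):
    out, pos = [], 0
    for m in _SLOT.finditer(template):
        out.append(template[pos:m.start()])
        out.append(escape_for(context_of(template[:m.start()]), values[m.group(1)]))
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


# Constructed sample: one variable, four contexts (the situation the post describes).
TEMPLATE = ('<p>Hello {{name}}</p>\n'
            '<a title="{{name}}" href="/u?name={{name}}">me</a>\n'
            '<script>var user = {{name}};</script>')
PAYLOAD = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print(contexts_of(TEMPLATE))
    print(render(TEMPLATE, name=PAYLOAD))
```

A single HTML-escape would have been enough for the first slot, wrong for the URL (the value would not survive a round trip) and insufficient for the script block, where the output must be a valid JavaScript literal rather than entity-encoded text.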
AppleInsider | Pwn2Own contest winner: Macs are safer than Windows
... well, with a lot of caveats. The winner says Firefox or IE8 on Vista is very secure.
http://www.usenix.org/events/hotsec07/tech/full_papers/florencio/florencio.pdf
longer passwords do nothing to help with phishing or keylogging issues; maybe it's better to increase the number of bits in the username component of the username/password pair?
Questions for Pwn2Own hacker Charlie Miller | Zero Day | ZDNet.com
"Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows."
McSweeney's Internet Tendency: Secure Website Authentification Questions.
philosecurity » Blog Archive » Interview with an Adware Author
Ajaxian » Microsoft Live Labs Web Sandbox
Microsoft tool that takes HTML + JS and returns sandboxed JS that can (maybe) safely be embedded in a page.
[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
"Problem definition: a malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as "delete all items", "click to add Bob as a friend", etc. It may then provide own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it. Although the examples above are naive, this is clearly a problem for a good number of modern, complex web applications."
Adobe - Developer Center : Exploring full-screen mode in Flash Player 9
"All keyboard input and key-related ActionScript is disabled while in full-screen mode" (for security reasons)
sample code to retrospectively protect against CSRF attacks
AppleInsider | Apple's secret "Back to My Mac" push behind IPv6
how Apple is able to push IPv6 by making both the network hardware and the apps that use it
bunnyhero dev » Scaring people with fullScreen
Trigger Flash full-screen mode, obscure the "hit esc to exit" message, and display a fake BSOD. This should be fixed.
The problem(s) with OpenID « The Identity Corner
Jeremiah Grossman: Crossdomain.xml Invites Cross-site Mayhem
Automatic Patch-Based Exploit Generation
automatically generate security exploits by comparing the original binary and the patched binary
UW CSE and ICSI Web Integrity Checker
have the pages you view been modified in transit?
Photo Matt » SecurityFocus SQL Injection Bogus
WordPress is going to require security updates for the foreseeable future, so make sure you can update easily (paraphrased).
VPN Evolved: Gain Secure Remote Access with LogMeIn Hamachi
Free P2P VPN; supports OS X and Windows.
TidBITS Safe Computing: Should Mac Users Run Antivirus Software?
"no"
Dr Nic » Zero Sign On - 1 better or Infinitely better than Single Sign On?
Single sign-on works (now!) via myOpenID and client certificates (you don't seem to be able to password-protect individual certificates, though).
shimmer
"shimmer is a pair of small programs (a client and a server) that provide an alternative to port knocking programs such as tumbler and are used to hide a valuable port (such as a hidden web server or SSH) on a public IP address."
Coding Horror: Has CAPTCHA Been "Broken"?
Yahoo! 360° - Douglas Crockford's The Department of Style - No Script
Matasano Chargen » A Roundup Of Leopard Security Features
Web Application Security - Joe Walker's Blog
Wish-It-Was Two-Factor - Worse Than Failure
LM hash - Wikipedia, the free encyclopedia
Security and Risk Management Strategies Blog: WHAT IS OPENID FOR?
Ostensibly a post about OpenID, but it's a nice list of questions to ask about the security of any service. "What is the threat model?", etc.
The Identity Corner » The problem(s) with OpenID
I think most of the outlined problems are due to not appreciating what problems it doesn't solve. It's okay for comment systems and logins to systems you don't 100% care about (about as secure as standard email?).
Cross-site request forgery - Wikipedia, the free encyclopedia
Implementation Limits For SQLite
Nice discussion of software security and SQLite's approach: "Unfortunately, the no-limits policy has been shown to create problems. Because the upper bounds were not well defined, they were not tested, and bugs (including possible security exploits) whe
ocr research team
Mostly CAPTCHA research.
IEBlog : IE7 in Windows Vista: Configuring Your View Source Editor
Why IE7 on Vista pops up a security warning when you try to view source (also, how to change the view-source editor).
Information Security News: Hackers Shortcut Hotmail Password Reset Protections
oreilly.com -- Online Catalog: Building Scalable Web Sites
Weak security in our daily lives@Everything2.com
LinuxDevCenter.com: How Shellcodes Work
XSS (Cross Site Scripting) Cheat sheet: Esp: for filter evasion - by RSnake