Sunday, 30 November 2014

Using a password manager vs manual



Was wondering, who still uses the traditional method of storing passwords (in an envelope) in an actual physical safebox vs. modern methods like password managers? What are the pros and cons of each method? Thanks.





Implementation of AES algorithm with UART



Implementation of the AES algorithm with UART in hardware. Please provide me the data necessary for it. Also code. Which kit is suitable for it?





How do you explain to experts that a database server should not reside in the DMZ?



Our security experts, database administrators, network team and infrastructure team are all saying it's OK to have the database server located in the DMZ along with the HTTP server and middle-ware server.


Their reason:



If the database server is compromised (because of an insecure middle tier), at least the database server is outside the internal system. If it is inside our network, the hacker can then use the database server to access other systems.



What they are saying is:




  1. Let's not put the middle-ware server behind a second firewall and the database server behind a third firewall.

  2. Let's use just one firewall (the HTTP server's) in case a hacker wants to get our database's sensitive data, at least that's all they can get.



The second statement was actually said... verbatim.


Please note that this database server will hold sensitive information, including bank details.


Now, are these experts making any sense to you? I'm a software developer, and I can't get their logic. It's like, "Put the jewelry box outside the house so that robbers won't bother getting in for the TV?"





Trying to simulate an attack on SaaS Layer Cloud Computing (Web application)



I want to make a simulation attack to prove that the SaaS layer in Cloud Computing (Web Application) is vulnerable... How can I do the task?





Is there any software for generating One time password?



  • For MS Office documents, e.g. Excel, Doc, PowerPoint and PDF etc.

  • Able to set read only, print, modify, copy, saving, upload, forward etc. features

  • Won't affect virus scan

  • Keep listing for OTP generated and doc name





How to compare security parameters of different schemes (Sign-Encrypt, Encrypt-Sign, etc)?



How can one compare the security parameters (confidentiality, integrity, non repudiation, etc.) for different schemes (Sign-Encrypt, Encrypt-Sign, Sign-Encrypt-Sign, Encrypt-Sign-Encrypt)?



  • Is there a particular tool for computing these?

  • I can compare different schemes based on Computation time. But, how can we compare them based on security parameters?





Can banker's rounding be exploited to maliciously increase balances?



Everyone knows about the sure thing retirement strategy that is the Superman 3 exploit, but is there any way to exploit banker's rounding to grab some of the less than half pennies "floating around out there"?


Specifically, assuming that the internal accounting cannot be tampered with like in Office Space, can transactions be formed within certain constraints to recover the rounded off portions?





What's the best way to secure the responses in a single page web app after logout?



I've read some of the great responses to storing and passing session keys in a single page web application (i.e., a web "site" that runs mostly on the client-side, getting data from the server by using an API). But my question is about securing (after logout) the data which comes back in the response, of which I've seen no mention.


This data is directly accessible by just about any modern browser by clicking on the developer tools view (even when using HTTPS). Thus, the following can happen:



  1. Authenticated User (AU) uses the application and downloads secured information.

  2. AU logs out or is logged out automatically.

  3. Application returns to "Login" page. It looks secured, so AU does not close the tab/page.

  4. However, Unauthenticated (malicious) User (UU) sits at desk and opens up Developer tools. In the Network section, UU can see structured JSON objects with lots of juicy information.


This does not happen in a more traditional web application, because the data is embedded in the HTML page, which is gone when the browser redirects to the login page.


We are using AngularJS for our single page web app, which recommends using a location change feature for logout, which I have confirmed does not do an actual redirect (by design); therefore the page is not refreshed; therefore the network requests can be found in the developer section.


It seems that the way to go is to NOT use the AngularJS method, and instead to break the model and to use the pure javascript redirect to refresh the site onto the Login page. This does seem to clear the network requests. Is this the recommended method?


I realize that having access to the browser means that the UU can install keylogging, screen grabbing and all sorts of things that are even worse than this scenario, and there's nothing we can do about that, but the scenario I am describing here is a very common office scenario where casual users can sit down at a browser quickly and spy some info without really doing much work. Given that we're dealing with protected health information, it remains a concern.





Can I simulate a particular message format in NS-2 also encrypted



My question is: can you implement a particular message format between two nodes in NS-2, like we create a TCP communication, but if I want to send a particular message, e.g. a certificate with information inside it such as public key or type of node, time, etc.? I am trying to do it in wireless and want to send a certificate from one node to the other which contains key, date, time, message, signed by the node.

And also, can it be encrypted? Is there any example or sample code or snippet or tutorial you can share?





Automated server security testing best practices?



Is there a standard way of automatically testing the basic security of my web server? I've found a couple on-line services, (e.g. http://ift.tt/1Bg7m7z), and they seem ok, but I'd like to start off with the basics. Is there a go-to method for stress-testing a web server's security?





What would be a good way to create a security testing schedule?



I've been tasked with creating a formal security testing schedule / calendar for our organisation, as most of our current testing (scans, pentesting, etc) is done ad hoc.


I'm wondering if anyone has created something similar for their organisation, and what process was used in order to build this schedule.


My current thoughts are the following:



  1. Create a list of infrastructure, applications, hardware, etc, arranged into criticality categories (e.g. mission critical, critical, non-critical)

  2. Determine what needs to be determined for each criticality level through testing, and determine which tests will be done for each (e.g. Red-team testing only done on mission critical).

  3. Determine the regularity of tests and types of tests for each criticality category.

  4. Create a testing schedule.


I've not had much opportunity to think about how often tests / types of tests should be done, so I'm very open to referrals to material I could review to get a better understanding.





What is an OpenPGP Key ID collision?



Recently an Evil32 project group announced that they have found collisions for all OpenPGP keys from public keyservers (https://evil32.com/).


What does the term collision refer to?





How is this specific site implementing fingerprint tracking?



I can't figure out how this site "progorod33.ru" is able to always figure out who I am, even when I'm not using Tor Browser but clear cookies and change IP. I want such a script on my site too. Can you help me identify it?





How does Regin hide running instances of itself?



I have been reading Symantec & Kaspersky Labs analysis of the Regin malware.


According to Symantec:



[Stage 2] can also hide running instances of Stage 1. Once this happens, there are no remaining plainly visible code artifacts.



As I understand Stage 1 is implemented as a Windows Driver, and there exists no safe way to unload a Windows Driver without requiring a reboot (Even if so Stage 2 itself is another kernel driver as well).


Similarly, from what I can tell there exists no way (nor legitimately should there be) to intercept and manipulate the list of running Kernel drivers, the way a rootkit might for a file on the file system.


So how does Stage 2 hide running instances of Stage 1? There seems to be little information on this online.


Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf - Page 9





How to verify a given signature with CA certificate in openssl?



I'm given a CA private key and I created my own CA certificate with my own values. Now I'm given a signature and I need to verify it. How can I do it using openssl?





Problem with new GPG 2.1 key



My PGP key is soon to expire so I wanted to create a new one.

GPG 2.1 came out a month ago including ECC support and I wanted to try the new key types.


So I have generated a brand new ed25519 key. Today I tried to upload it using gpg2 --send-key but then I couldn't find it. I also uploaded it manually on pgp.mit.edu and I got:



Key block added to key server database. New public keys added:
1 key(s) added successfully.


but still couldn't find it with a search.


Why? Is it unsupported?





PHP execution possibility in img src



I am making one of my simple applications. There is an option to download the generated image. For that, my PHP code is:



<?php
if (isset($_GET['img_name'])){
?>
<html>
<img src="<?php echo $_GET['img_name'];?> "></html>
<?php
}
?>


I know this is vulnerable to XSS. But this is not the problem. The question is, is it possible for an attacker to include or execute a PHP file or code via this option? I know that, for echo and the img tag, PHP will not execute here.


What do you think, researchers? Am I safe?





Authentication protocol based on hash function



Is it possible that Alice can authenticate Bob without using encryption, hashing ONLY? If so, what is the best way to do that? I suggest a way using nonce and timestamp as shown in the pic.





Wireshark doesn't work after installing VirtualBox



I have the following problem with Wireshark. It functioned normally until I installed Oracle VM VirtualBox; after installation of said program, the following problem occurs when I start Wireshark:


"No interface can be used for capturing in this system with the current configuration."


Nevertheless, I considered the following instructions: http://wiki.wireshark.org/CaptureSetup/CapturePrivileges


I still have not solved the problem.


Thank you in advance for your answers.





How can two clicks lead to better security in the context of, e.g., Twitter and Facebook share buttons?



The sharing section of Jedox's webpage has the Facebook, Twitter, Google+ and LinkedIn share options in a default inactive state. You need to first click it to activate and click again to get the share window.


Hovering over the inactive button, it says:



Two clicks for a better data security: The first click will activate the button, the second will share your recommendation with facebook. Data is shared with third parties upon activation - see i.





So, how do two clicks make the security better?





If a phone is encrypted at a platform storage level do I need to encrypt my data stored on it?



I am writing a mobile app which would be expected to store sensitive data. It needs to be stored for offline use. I am wondering, now that Android and iOS provide encryption at rest, do I need to encrypt the data stored in a database within the app?


The main concern would be that the phone could be stolen. What would someone have to do to get the data from the application? Also, what state would the phone have to be in: for example turned on, beyond the PIN lock screen, logged into the app?


If the data is vulnerable, where would I store the encryption key? If someone can root/jailbreak the phone, surely the key is compromised and therefore so is the data.


Any help/advice would be really appreciated.





How can I prevent a user from loading another user's panel with PHP?



I am developing a web page where users log in with their Twitter accounts, complete a form and then they see an admin panel. I need to prevent any user from loading the admin panel if they are not logged in or if their Twitter account is another one.


Example:



  • Twitter Account A - Log in - That person can see Account A admin panel but not any other.

  • Any person - Doesn't log in - That person can't see any account admin panel


I have been thinking of something related to http://php.net/manual/es/function.password-hash.php, sessions and storing values in the database. But I don't know what I can do to get the safest possible result.


What would you do?





Detection of pass the hash



I have researched PtH attacks but have yet to find any solid way of detecting it in a network. Is there a way to detect a pass the hash? Analysing the Windows messages from the DCs or something?





Question regarding PHP upload form security



I read here http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/ and question is related with text near



However, if the attacker is able to upload files, even outside the web root, and he knows the name and location of the uploaded file, by including his uploaded file he can run arbitrary code on the server.


The solution for that is to prevent the attacker from knowing the name of the file. This can be done by randomly generating file names and keeping track of them in a database.



I do not fully understand the security risk. As I understand:



  1. attacker uploads malicious file

  2. At the moment my php code converts file name to something random and with that random name stores in particular directory. But the malicious user can see that random name, for example with mouse right click Copy location and see https://domain.com/images/2014-05-16/339442/VH4AGExjRlw=/something_random.jpg. So just creating random name does not help?

  3. As I understand, in MySQL I need to record the real name of the file and the name that the user can see in the URL?


I cannot fully understand. The aim is to prevent the situation where a user uploads a file and then, knowing the file name, can access the file?





Why is ProtonMail not receiving any email from other email accounts?



Can't receive mails from other email accounts


I just got the invitation from ProtonMail and I registered the account there. I can send emails to other email accounts but I can't receive emails. This is the error being generated by Notify@protonmail.ch:


"Hi, User @protonmail.ch doesn't exist. Please check the email address again. Thank you! ProtonMail"


But I have already registered it and it's working perfectly.





What are the pros and cons of enabling 2 factor authentication on internal user workstations of an organization?



An organization has all the regular controls you can think of for network and systems protection from the 10 security domains. External login access to the organization's services is protected with 2 factor authentication. As an improvement on security posture, it is suggested that 2 factor authentication could be enabled on all user workstations. Given the fact that security controls ranging from physical security to logging access are well implemented, what are the pros and cons of implementing 2 factor authentication on all workstations of the organization?





Corporate PKI - SHA1 deprecation



Here is the context. Suppose you have a corporate PKI with :



  • AC_Root (offline in safe store - SHA1 signature)

  • SubRootA and SubRootB (offline in safe store - SHA1 signature)

  • SubSubRootC, SubSubRootD, SubSubRootE... (online in HSM - SHA1 signature)

  • End entities certificates (servers, users smart card, auto enrollment, Active directory)


What are the impacts due to SHA1 deprecation ? I know root certificate is not concerned, because self-signature is never verified (only presence in truststore), but what about the Subroot certificates ?


Editors like Google or Microsoft announced that browsers will print warnings and even fail when SHA1 will be used, and quite soon (2015/2016).




  • Is this a hot issue for mostly security reasons or for the user experience (warnings in browser, OS refusing SHA1 certificates) ?




  • Is it needed to organise a new key ceremony for creation of a new "SHA256" chain? Even for the offline chain (root and subroots)? Re-issuing new end entity certificates with SHA256? Introducing a sliding period for key renewal?




Thanks in advance for your advice, I am quite sceptical about this.





Editing a file through bind shell



I have managed to successfully attack a Windows XP server running PCMan server. I have caused the buffer overflow and gained the root access I need. This is done on my own network for testing.


At this point I'm trying to cover my tracks.


I need to edit the Logs.txt file and delete the appropriate logs.


I don't know how to open the file in command prompt to change it.


I know on Linux machines VI is used.


Is there an alternate command to do this in Windows?





Suspicious files in my Windows



While I was doing a quick scan for viruses with Norton 360, I noticed a long stop at some files. Their names are very very suspicious. Although I can't recall all of them, one of them, which I clearly remember, is Backdoor.Rustock.A. I searched this on the Internet, and the results are... Pretty shocking. It turned out to be a little virus-like stuff. I tried to remove it but I can't even FIND the file. Why does Norton skip that file instead of treating it like a virus and removing it? What should I do to remove it, or is it even harmful?


Thank you!





Example of PHP code hashing securely a password



I need an example of PHP code hashing securely a password, using salts, good hash algorithms, etc.





Saturday, 29 November 2014

Is SSL dying? Should I buy SSL certificates for my sites any more?



I'm planning to purchase a SSL certificate for one of my sites when I was concerned about points made in these articles:


  • http://www.wiredtree.com/blog/the-most-significant-issue-with-ssl-and-how-to-solve-it/

  • http://www.techrepublic.com/article/poodle-vulnerability-hastens-the-death-of-ssl-3-0/

  • https://www.openssl.org/~bodo/ssl-poodle.pdf

  • http://www.infosecisland.com/blogview/16627-IPv6-The-Death-of-SSL.html


Is SSL secure any more? What are they talking about? I thought SSL was bullet-proof, but now I'm confused.


If SSL is not secure any more, with regard to safeguarding the information exchanged between my clients and my server via HTTP, what are my options other than a SSL certificate?





Cannot get simple shellcode runner to work



I'm just trying to execute shellcode directly from the command line. I send a simple 0x90 NOP and get a segmentation fault?



root@server:~# gcc shellcode.c -o shellrun -fno-stack-protector

root@server:~# ./shellrun `perl -e 'print "\x90"'`
Segmentation fault (core dumped)

root@server:~# more shellcode.c
int main(int argc, char *argv[])
{
(*(void(*)())argv[1])();
return 0;
}




If I send 4mbps of data to a friend with 4mbps connection, will I DDoS him?



Suppose my friend has a connection of 4mbps. If I just send him 4mbps of random data with my server, wouldn't it block his connection? Even if the router has firewalls and closed ports, isn't it enough for me to send random data continuously to his router, in order to block it?


I've found some scripts on the internet (like this) and I tried to block my own connection with my server, but nothing happened.





ElGamal for ECC - Not working with Edwards curves (ed25519)



I know the usual way of using encryption/decryption with ECC is DH, however, this only works with two keypairs of exactly the same kind, for example two curve25519- or two p256-keypairs.


With ElGamal, one can get a symmetric key for a recipient's public key no matter which kind of key they are using themselves.

This works great if users don't have the same kinds of keys, and it doesn't use the same shared secret each time.


However, it only seems to work for Short type curves - NIST, SECG, brainpool and so on. (My javascript implementation(1) is based on SJCL's implementation, but uses "elliptic" as a library, which supports Short, Montgomery and Edwards curves.)


Is there any chance to make it work with Edwards type curves like ed25519? Or is there any reason this actually isn't possible?


Researching this topic doesn't bring much detailed information (unless you get the exact math behind Edwards curves, which I don't at the moment; I'm just using the elliptic library for a simple app).


Thank you for your answers :)


(1) Some pseudocode (simplified):

Get a symmetric key for a known public key (to get a symmetric key only the recipient will be able to find out knowing a public key):

ec = curveobject(curve_the_pubkey_is_on);

secret = random_secret_key();

tag = ec.g.mul(secret); // pass along with the message

key = public_key.mul(secret); // use for symmetric encryption

Get a symmetric key for a known tag (to get the symmetric key knowing the tag and own private key):

key = tag.mul(private_key); // can decrypt message with





Is there a way to verify a signed XML in Java



.NET has this great way to sign and then verify the signature of an XML file. Is there a way in Java to verify an XML file that .NET has signed this way?


thanks - dave





VPN Tunnel Routing Question



I'm a little confused about how VPNs work ... I read that they provide an end-to-end encrypted tunnel between you and whoever you're trying to connect to but is that actually the case?


VPNs let you route through different countries, right? - So is it an encrypted tunnel between you and the VPN service provider's server ... then the connection gets decrypted and goes out in plain text? - Or does the connection route through the VPN server then to the destination still encrypted in its tunnel?


[me in UK?] ----- [VPN server in USA?] ----- [cnn.com]


In the diagram above, at what point does the request get decrypted? And does the request have the IP address of the VPN server or me? - Does the request leave the encrypted tunnel so the VPN server can read it ... then go back into the tunnel until it reaches CNN.com?





What's a least-privilege way to allow node.js to access network adapters on Linux?



Linux naturally restricts all but superuser from pulling traffic directly from network adapters. In the case of Wireshark/dumpcap, setuid root is used ONLY for dumpcap, restricting the privileges needed for Wireshark run by the user:



Wireshark has implemented Privilege Separation which means that the Wireshark GUI (or the tshark CLI) can run as a normal user while the dumpcap capture utility runs as root. This can be achieved by installing dumpcap setuid root. The advantage of this solution is that while dumpcap is run as root the vast majority of Wireshark's code is run as a normal user (where it can do much less damage).



In the case of node_pcap, a similar issue occurs: the node.js process needs superuser to listen to the adapter, but that's a poor choice.


What's a sensible way to give a node process just enough privilege to capture packets and nothing else outside of the account running it?





What does running nmap on a server reveal about your computer?



If you run the nmap command on a server, e.g. nmap espn.com or nmap -Pn espn.com, what information does that reveal to the server about you (e.g. IP address or MAC address)? Does using a private VPN reduce what is revealed?





Injection SQL for educational purposes



I'm trying to exploit some web vulnerabilities in a sample website running inside a VM (it is not available on the web - only for educational purposes). I have a search criteria field and I write 'all' to display all products, or write a specific product.


I tried to inject code in the search field but it doesn't work.


I tested:


' or 'UPDATE' 'products' 'SET' 'price'='0' 'where' 'price'='1000'--'
' or 'UPDATE products SET price=0 where price=1000'--';
all' or DROP TABLE products #
(...)


but it typically returns a message:


SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY PRICE' at line 1


SQL Statement: SELECT pcode,price,description FROM products WHERE description like '%' or 'UPDATE products SET price=0 where price=1000'%' ORDER BY PRICE
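
The error in the post comes from the search text being pasted into the statement, so a quote in the input ends the string literal early. An added example (not from the original post; SQLite stands in for MySQL, and the table contents and function names are constructed) that runs the post's own input through a concatenated and a parameterized version of the same query:

```python
import sqlite3

# Constructed sample rows; column names are taken from the statement in the post.
SAMPLE_ROWS = [
    ("P1", 1000, "Gaming laptop"),
    ("P2", 25, "Desk lamp"),
    ("P3", 150, "Men's watch"),
]


def make_db():
    """In-memory SQLite database standing in for the MySQL one (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (pcode TEXT, price INTEGER, description TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def search_concatenated(db, term):
    """Build the statement the way the error output suggests: input pasted in."""
    sql = ("SELECT pcode,price,description FROM products "
           "WHERE description like '%" + term + "%' ORDER BY PRICE")
    return db.execute(sql).fetchall()


def search_parameterized(db, term):
    """Same search with the input bound as a value, never parsed as SQL."""
    sql = ("SELECT pcode,price,description FROM products "
           "WHERE description LIKE ? ORDER BY price")
    return db.execute(sql, ("%" + term + "%",)).fetchall()


def compare(term):
    """Run both variants on a fresh database; report rows or 'syntax error'."""
    db = make_db()
    try:
        concatenated = search_concatenated(db, term)
    except sqlite3.Error:
        concatenated = "syntax error"
    parameterized = search_parameterized(db, term)
    # Read the prices back to confirm the search changed nothing.
    prices = dict(db.execute("SELECT pcode, price FROM products").fetchall())
    db.close()
    return concatenated, parameterized, prices


if __name__ == "__main__":
    inputs = [
        "lamp",                                                   # ordinary search
        "Men's",                                                  # legitimate apostrophe
        "' or 'UPDATE products SET price=0 where price=1000'",    # input from the post
    ]
    for term in inputs:
        print(repr(term), "->", compare(term))
```

The concatenated variant fails on any input containing a quote, including an ordinary product name, while the parameterized variant treats every input as a search string.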





Any "cleaned" virus that's been successfully re-released?



Anti-malware software has to keep track of all bad software there is. To ease this load, it seems like a good idea to stop looking for threats that have been dead for years.


Is there any example of some malware that was "big", cleaned enough to be removed from anti-malware software and then re-released by someone or left on some offline infected computer for some time or similar, that actually got a noticeable second spread?





SMTP login history hotmail



I have a question about SMTP and IP address. After looking at my Hotmail login history, I see there were hundreds of failed attempts by browser SMTP.


On normal attempts, I can see my browser (Chrome) and my OS, but all the failed attempts are by SMTP (browser/app) according to Hotmail login history.


The odd thing is it uses the same IP address where I accessed the email from. What's the reason for this? I did not initiate the failed attempts at all.





List of entry level certifications?



Hello, I want to get into the IT (information technology) field and want to know if there are any entry-level certs.


Thank you in advance.





TLS - Are signatures still needed?



The story:


I'm currently writing a web service that allows for communications to be made remotely via TCP/IP.


I first thought about signing each packet using HMAC-SHA1 with a password, appending the signature to the start of the packet and then have the server (which also knows the password) verify the packet sent.


However, this means that the server would store the passwords as-is (without hashing them), making it very dangerous indeed if anyone gains unauthorized access to the database. Furthermore, any sensitive information (such as a 'change password' packet's new password) can be hijacked via a man-in-middle attack.


I then read about TLS/SSL and decided to use it to prevent any man-in-middle attacks.


The TL;DR:


Do I still need to sign my packets when sending it over TLS? Or can I just send my packets over as-is? I read that it is not a good idea to send plain passwords (or their hashes) over networks. As such, I'm not sure if with TLS, it's better to simply send passwords over to the server for authentication, or to sign each packet with the passwords instead of sending them over.





Interacting with Honeyd Services



I'm playing around with the Honeyd honeypot and I've set up a few service scripts and they seem to be up and running but they don't do very much. Is there any way to interact with the running scripts or would I need a higher interaction honeypot?


Would it be possible to do anything like brute forcing the mysql service password with honeyd?


So far the only thing I can find to do with it is scan it with Nmap and perform a banner grab. I've looked online but there is a distinct lack of tutorials and guides when it comes to the scripts bit.


Is it possible to link the honeyd services to actual services on my machine to be able to do a bit more with it?





Is it a considered a CSRF if it requires a unique identifier which is not a CSRF token - not tied to the user session?



Consider an end point such as below. Let's imagine that this endpoint updates an address of the signed in user, changing the zip code. The address to update is identified by the address ID (kUj3Nkg10).


http://foo.com/address-update/kUj3Nkg10/?zipCode=1234


Importantly, the identifier is an alphanumeric string, not an incremental integer. If it was an incremental integer, then it feasibly could be predicted. The alphanumeric can't reasonably be predicted or guessed.


Argument for considering it a CSRF


A CSRF token only lives and remains valid for the current session (or possibly even shorter). The unique ID in question remains the same (probably forever). Therefore a CSRF token should be used. It's possible that the identifier could be used elsewhere in the app, and made available for another user to see.


Argument for not considering it a CSRF


The attacker is unlikely to ever obtain the unique ID. It could be close to being as difficult as obtaining an actual CSRF token itself.


OWASP defines a CSRF as:



Any application that accepts HTTP requests from an authenticated user without having some control to verify that the HTTP request is unique to the user's session.



I think the above example satisfies the OWASP definition, because the address ID is not unique to the user's session.
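
An added example (not part of the original post, and not any particular framework's code) of the difference the two arguments above turn on: the address ID `kUj3Nkg10` stays valid across sessions, while a token derived from the session ID does not. The function names, the in-memory stores and the HMAC-based token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret; generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)

# Constructed data: the address ID from the question, owned by a sample user.
ADDRESSES = {"kUj3Nkg10": {"owner": "alice", "zipCode": "0000"}}
SESSIONS = {}  # session ID -> user name


def csrf_token_for(session_id):
    """Derive a token that is only valid for this one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def login(user):
    """Open a session and return (session_id, csrf_token)."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = user
    return session_id, csrf_token_for(session_id)


def logout(session_id):
    SESSIONS.pop(session_id, None)


def _owned_address(session_id, address_id):
    """Return the address if the session's user owns it, else None."""
    user = SESSIONS.get(session_id)
    address = ADDRESSES.get(address_id)
    if user is None or address is None or address["owner"] != user:
        return None
    return address


def update_zip_id_only(session_id, address_id, zip_code):
    """Endpoint shape from the question: session cookie plus address ID."""
    address = _owned_address(session_id, address_id)
    if address is None:
        return False
    address["zipCode"] = zip_code
    return True


def update_zip_with_token(session_id, address_id, zip_code, token):
    """Same endpoint, but the request must also carry the session's token."""
    address = _owned_address(session_id, address_id)
    if address is None:
        return False
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(csrf_token_for(session_id), token or ""):
        return False
    address["zipCode"] = zip_code
    return True


def demo():
    """Replay values learned during an old session against a new one."""
    old_session, old_token = login("alice")
    seen_address_id = "kUj3Nkg10"  # appeared in a URL during the old session
    logout(old_session)

    new_session, new_token = login("alice")
    # The browser attaches new_session automatically; every other value in a
    # cross-site request has to be supplied by whoever built the request.
    return {
        "id_only_with_old_id": update_zip_id_only(new_session, seen_address_id, "1234"),
        "token_from_old_session": update_zip_with_token(
            new_session, seen_address_id, "5678", old_token),
        "token_missing": update_zip_with_token(
            new_session, seen_address_id, "5678", None),
        "token_from_this_session": update_zip_with_token(
            new_session, seen_address_id, "5678", new_token),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

An ID that was exposed once keeps working in every later session, whereas the token from the old session is rejected as soon as the session changes.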






Are there vulnerabilities that are inherent to the concept of an open source antivirus?



I read that open source antivirus software would be a good idea since the database could be informed and maintained by lots of capable people. However, I have also read arguments to the contrary but none really explaining why.


Is an open source antivirus for Windows a bad idea or a good idea?





How are Cloud based HSMs used for Encryption by an application that is on premise (behind the enterprise firewall)?



Amazon CloudHSM (It is Safenet in the backend), Safenet Luna HSM SaaS version and other cloud HSM providers provide Key Management and encryption services on device in the cloud.


From my research, I understand that they can be used to encrypt some data and get the encrypted blob for storage in DB / disk either:

  • on the CLOUD (Amazon RDS / Amazon S3), or

  • On Premise behind the firewall (Local Database / Local File System)


(CloudHSM) <===== talking to ====> (On Premise / Behind the Firewall application)



  • What are the Security concerns w.r.t this model ?

  • Any specific recommendations from Network Security point of view ?

  • Is this even a valid model in the first place.





Techniques to make a login page safe without using SSL



I am developing a web page where people can write and comment things (no personal information required) and I need to put a log in form so users can see all their actions on my web page. My idea is to program a log in form without SSL and also allow people to log in with Facebook if they prefer. The page will load completely only if JavaScript is enabled.




  1. My first problem is making sure that nobody can steal the user credential by acting like a man in the middle. I thought of solving it with a first hashing on client side with JavaScript and then on the server side, if I receive hashed values(in case someone deletes some JavaScript), a second hashing and store those hashed values in the user database. Is it a safe way to implement it? Also, are there any chances that some data get lost? If so how can I know if the received data is not compromised?




  2. Protect from dictionary and brute force attacks. I would solve it by counting the number of failed log in attempts associated to that user account and if it is more than 8-10 in row show a CAPTCHA at each of the next log in and also implement a time delay between successive log in attempts. I think in this way IP changes are not going to be a problem because I am counting the number of failed log ins on the server side (I would set a user variable in PHP).




  3. The Log In form. I implemented it in this way (without the hashing for now):


    <input id="username" name="userName" placeholder="Username" type="text">
    <input id="password" name="pass" placeholder="Password" type="password">


    But when the form is sent on the URL I can read the password like: /LogIn.php?userName=user&pass=pass How can I hide the password?




What could be other good advice to achieve as much security as I can without using SSL?
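
The per-account failure counter described in point 2 of the question above, as an added example that is not part of the original post. The in-memory dict (standing in for a database table), the class and method names, and the delay schedule are assumptions made for illustration; only the threshold of 8 comes from the post.

```python
import time

CAPTCHA_THRESHOLD = 8   # consecutive failures before a CAPTCHA is required (post says 8-10)
BASE_DELAY = 2.0        # assumed: seconds of forced wait at the threshold, doubling after
MAX_DELAY = 300.0       # assumed cap so a targeted account is never locked out for good


class LoginThrottle:
    """Failed-login state keyed by account name, held on the server.

    Keying by account (not by client IP or session cookie) means that
    changing address or discarding cookies does not reset the counter.
    The dict stands in for a database table in this sketch.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # username -> (consecutive failures, time of last failure)

    def _delay_for(self, failures):
        if failures < CAPTCHA_THRESHOLD:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - CAPTCHA_THRESHOLD), MAX_DELAY)

    def check(self, username):
        """Call before verifying a password.

        Returns (allowed, captcha_required, seconds_to_wait).
        """
        failures, last = self._state.get(username, (0, 0.0))
        wait = max(0.0, last + self._delay_for(failures) - self._clock())
        return wait == 0.0, failures >= CAPTCHA_THRESHOLD, wait

    def record(self, username, success):
        """Call after verifying: a success clears the counter, a failure bumps it."""
        if success:
            self._state.pop(username, None)
        else:
            failures, _ = self._state.get(username, (0, 0.0))
            self._state[username] = (failures + 1, self._clock())
```

The clock is injectable so the schedule can be exercised without sleeping; a deployment would persist the state so that it survives restarts and is shared between web workers.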





Can a questionnaire to account holders on both ends (for example, to an entire office) reveal a spoofing or MIM attack?



...and if so what would be on it


Since there would be some differences between what account holders actually sent and what is received, it seems possible to detect a MIM or Spoofing attack with a questionnaire to both/all parties. What kinds of questions would you put on that questionnaire?


http://en.wikipedia.org/wiki/Questionnaire





How much dbi should two outdoor devices have for a good connection?



I have two outdoor devices; one acts as an access point and the other one as a repeater. My question is: how much should the signal strength be (at least) to have a good connection?


I can measure the strength between them both (in dbi) in the control panel of both devices.


I got a maximum strength between them of 56 dbi and it works fine, but I lost connection on the opposite side of the device.


So if the connection between them both was like 35 or 30 dbi, is it a good signal or what?





Is a MIM (Man in the Middle Attack) by definition an altered or injected communication on an encrypted communication?



If so, what is it called when someone alters or interjects into un-encrypted communications? Is that email spoofing? How is it resolved?


End users probably are more concerned with the fast resolution of the current disruption to their work than with the technical prevention.


How would an account holder even know to speak with a security person, since the recipient of a negative injected message is unlikely to respond or be open to printing copies for comparison with sent messages?


(Joe says "I love cats". The recipient receives the message "I hate cats", becomes angry and doesn't respond. Joe then says "Do you want me to babysit your kitten?". Recipient responds with "Piss Off". Joe says "You piss off!!!!!") The MIM is buried in the middle of several other authentic messages.


How would you know?





Exploits and their relevant payloads



How can I find out what payload(s) can be used/executed along with an exploit?


For example, I can use an exploit called exploit/windows/smb/ms08_067_netapi. Right after that I set the payload to windows/adduser. What other payload can I use here? How can I find out this information, or is there a specific command in Metasploit that I can run to figure this out?


I am not asking specifically for ms08_067_netapi exploit.


Thank you





Is my JS vulnerable to DOM XSS?



I have the following JavaScript code:


my_js.js


http://pastebin.com/Bi8T9xhj


I call it like this:



<!DOCTYPE html>
<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<script src="my_js.js" type="text/javascript"></script>
<script>
var l=window.location+'';
_IFPC.processRequest(l.substring(l.indexOf('#')+1));

</script>

<title></title>
</head>

<body>
</body>
</html>


Please help me.


Is this code vulnerable to DOM XSS? Everyone is telling me that it is vulnerable, but I don't know how.


Can anyone help me develop a PoC (like `alert(2)`)? Please suggest a way. Thank you.





Friday 28 November 2014

How do you explain to experts that a Database Server should not reside in the DMZ?



Our security experts, DBAs, network team and infrastructure team are all saying it's ok to have the DB server located in the DMZ along with the HTTP server and middle-ware server.


Their reason:



If the database server is compromised (because of an insecure middle tier), at least the DB server is outside the internal system. If it is inside our network, the hacker can then use the DB server to access other systems.



What they are saying is:




  1. Let's not put the middle-ware server behind a 2nd firewall and the DB server behind a 3rd firewall.

  2. Let's use just one firewall (the HTTP server's) in case a hacker wants to get our DB's sensitive data, at least that's all they can get.



The 2nd statement was actually said... verbatim.


Please note that this DB Server will hold sensitive information, including bank details.


Now, are these experts making any sense to you? I'm a software developer and I can't get their logic. It's like, "Put the jewelry box outside the house so that robbers won't bother getting in for the TV?"





How does Firefox Sync password recovery work?



According to Mozilla Sync-new-security-model, Firefox servers are not able to decrypt your sync data without your password. So I figured that the browser generates a key from your password, encrypts the data and sends it over the wire without the key.


But if I forget my password, I can still recover it by having Firefox send a password reset email. According to this page: ive-lost-my-firefox-sync-account-information, you can't recover your sync password without your email.



  1. How does password reset work?

  2. How is Firefox able to decrypt your data on their servers without your old key and send it back to your browser for syncing?

  3. Does it store the old key somewhere or is there some weird crypto magic going on?





Secure private key storage



In recent light of BadUSB, storing private keys on a USB flash drive is not the best way.


What about writing private keys to a CD?


What I am worried about is that whenever I plug my private key storage device into the machine, it opens up the possibility that any rogue process may take over and steal the keys.


I have a private key used to encrypt all my other passwords and keys. This way I have a single key to worry about protecting, but it also opens up a single point of failure.


How can I securely store this key?


I was thinking that a QR code printed on paper may be a great way to password protect a private key.


But then that leads to how to securely decode the QR code and decrypt the private key.





Google reCAPTCHA V2 on Apache shared server: How to get it to work with SSL



I implemented Google's reCAPTCHA V2 on http:// on the remote Apache shared server and it worked 100%. I then changed the protocol to my shared server SSL using the same script as the non-SSL script. The older version of reCAPTCHA had an SSL 'false' to 'true' SSL parameter, whereas I can't find one for V2. I had to use htaccess to redirect the example.com to the shared SSL server https://serverid.net/example/ which works perfectly without reCAPTCHA. I incorporated reCAPTCHA V2 and the error message where the reCAPTCHA image should be shows "ERROR: Invalid domain for site key".


Here's the htaccess:

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^(.*)example.com [NC]
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ http://ift.tt/1FDP6SC$1 [R,L]


Here's the recaptchalib.php code in case that helps:

(http://ift.tt/1ysehXT)


Anyone know how to make this work?





Difference between SSL connection and SSL session



What is the difference between an SSL connection and an SSL session?


This is what my lecture notes have to say, which makes no sense to me (I am new to SSL):



SSL Connection:



  • A transient peer-to-peer communications link.

  • Each connection is associated with one SSL session.


SSL Session:



  • A session is an association between client and server.

  • It is created by the Handshake Protocol.

  • It defines a set of security parameters.

  • It may be shared by multiple SSL connections.

  • It is useful to avoid expensive negotiations of security parameters for each connection. A single session has many connections. Every connection has a different key.



I tried googling for it but the results don't show up anything useful.


The only thing I know is that a single SSL session can have multiple SSL connections.


Can someone explain to me what the differences are in simple terms?





W3af and automated vulnerability scanners vs manual testing



How effective are tools such as w3af in looking for web app vulnerabilities compared to looking for vulnerabilities manually? Are they able to find all vulnerabilities from OWASP top 10 such as reflected xss, persistent xss, sqli, lfi/rfi, and unrestricted file upload? Or will some vulnerabilities fall through the cracks and remain undiscovered?





Nmap from Kali Linux and from Amazon EC2 instance - vastly differing results



I'm running a basic scan using nmap from


1) a VM of Kali Linux running on personal machine


2) an instance of Amazon Linux, running on Amazon's EC2 cloud


These two runs (against any target) are producing vastly different results, with the personal Kali run always producing much more and more detailed results (more IPs found, more ports in each IP). Does anyone have any explanation for this? I think that something in the cloud setup is affecting the scan. I have also tried running scan from Kali in cloud and nothing changed, so it isn't Kali vs non-Kali that is affecting results. My security group for my EC2 instance is configured to allow all inbound and outbound traffic. My instance is running on VPC, not classic, and I don't know if possibly there is a NAT or something intercepting the traffic but I don't think so. Also, I have received permission from Amazon and all targets of my scans to conduct this testing. Any input is appreciated. Thanks





Google reCAPTCHA V2 "Use of undefined constant .."



I'm implementing Google's reCAPTCHA V2. It works almost perfectly except for the following error located in the recaptchalib.php:


Notice: Use of undefined constant success - assumed 'success' in (script location)


http://ift.tt/1ysehXT


Anyone got an idea how to fix this?





Windows CTF/war games/reverse engineering/exploit challenges



War Games are fun but mainly deal with Linux reverse engineering.


Example: http://ift.tt/1uT1DeH


Does anyone know of similar online games for Windows security?





How to put WLAN card in promisc mode?



My WLAN card driver is ath9k and I am using CentOS 7. I used ifconfig wlp1s0 promisc to set it in promisc mode. When using tcpdump I am only able to see unicast traffic to my PC.


How can I set my card to promisc mode? And how can I confirm that the card is in promisc mode? Is there any flag which can display this?





Cloud based SaaS with large database - what should we ensure we have in place?



We are developing software which will be cloud based and have a hopefully massive database once we get users in. Now, I am the founder with very basic knowledge, so I am asking the basic question: what should we have in place to ensure a high level of security for our customers' data? I'm hoping for suggestions and advice for user accounts, site and database hosting, everything basically.


Apologies in advance for what may seem to some as a very basic question.


E