499 items tagged “security”
2007
Details of Google’s Latest Security Hole. For a brief while you could use Blogger Custom Domains to point a Google subdomain at your own content, letting you hijack Google cookies and steal accounts for any Google services.
The JavaScript alert(), confirm() and prompt() functions in Firefox, Opera and MSIE (but not Safari) will truncate the message after any null character. So an unsuspecting programmer who inserts user-provided text into one of these dialog boxes opens up an opportunity for the user to rewrite the bottom of the dialog box.
The Adobe PDF XSS Vulnerability. If you host a PDF file anywhere on your site, you’re vulnerable to an XSS attack due to a bug in Acrobat Reader versions below 8. The fix is to serve PDFs as application/octet-stream to avoid them being displayed inline.
Choosing Secure Passwords. Bruce Schneier describes the state of the art in password cracking software.
If you are subject to an XSS, the same domain policy already ensures that you're f'd. An XSS attack is the "root" or "ring 0" attack of the web.
Why don't we have a .bank or .bank.country_code TLD that's regulated by the same people that regulate the banks themselves?
2006
How is Google giving me access to this page?
Google have an open URL redirector, so you can craft a link that uses that:
[... 35 words]
A Cost Analysis of Windows Vista Content Protection (via) Vista’s content protection is a nightmare for hardware manufacturers and consumers alike. It’s far worse than even BoingBoing readers would expect.
Rogues are very keen in their profession, and know already much more than we can teach them
Never store passwords in a database! The reddit.com developers just learnt this the hard way. It might be time to change some of your passwords.
Real-World Passwords. Random passwords phished from MySpace are surprisingly decent.
BT acquires Counterpane Internet Security (via) They just bought Bruce Schneier.
Better Metrics for Security—Understanding the Symantec Internet Security Threat Report. Mozilla defends against yet more spurious bug count reports.
Parsing XML can open network sockets (via) Yikes. Something to bear in mind.
Bruce Schneier Facts. “SSL is invulnerable to man-in-the-middle attacks. Unless that man is Bruce Schneier.”
Schneier on Security: New Airline Security Rules. “I’m sure glad I’m not flying anywhere this week” says Bruce. Now I wish I wasn’t!
On the total nondisclosure of the 8/9/06 [Rails] security vulnerability. The best argument I’ve seen in favour of full disclosure.
Rails 1.1.5: Mandatory security patch. Upgrade now, and spread the word.
Why is XSS so common? Because dev tools don’t escape things by default.
Don’t serve JSON as text/html. Another sneaky XSS trick.
Mozilla causing XSS in Livejournal. Their recent worm attack was caused by the -moz-binding CSS property.
Xanga Hit By Script Worm (in December) (via) Description of an XSS worm that hit Xanga last month.
DHS Funding Open Source Security. Paying for “source code analysis technology” coverage of Linux, Apache, PostgreSQL and more.
2005
Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS.
Don’t be eval()
JavaScript is an interpreted language, and like so many of its peers it includes the all powerful eval() function. eval() takes a string and executes it as if it were regular JavaScript code. It’s incredibly powerful and incredibly easy to abuse in ways that make your code slower and harder to maintain. As a general rule, if you’re using eval() there’s probably something wrong with your design.
Zero-Day Exploit Targets IE (via) Remote code execution. No patch yet; disable Active Scripting instead.
Social engineering and Orange
I had a call on my mobile earlier today from a lady claiming to be from Orange (my phone service provider) who told me that my contract was about to expire. She asked me for my password.
[... 311 words]
Understanding the Greasemonkey vulnerability
If you have any version of Greasemonkey installed prior to 0.3.5, which was released a few hours ago, or if you are running any of the 0.4 alphas, you need to go and upgrade right now. All versions of Greasemonkey aside from 0.3.5 contain a nasty security hole, which could enable malicious web sites to read any file from your hard drive without you knowing.
[... 809 words]
Cross-site request forgery (CSRF). Somehow this vulnerability is news to me.
Fighting RFCs with RFCs
Google’s recently released Web Accelerator apparently has some scary side-effects. It’s been spotted pre-loading links in password-protected applications, which can amount to clicking on every “delete this” link — bypassing even the JavaScript prompt you carefully added to give people the chance to think twice.
[... 353 words]