
Security


SpiderLabs/ModSecurity: ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection f.

Linux version of RansomEXX ransomware discovered. Security firm Kaspersky said today that it discovered a Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions. RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June. The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, Montreal's public transportation system and, most recently, Brazil's court system (STJ).

RansomEXX is what security researchers call a "big-game hunter" or "human-operated ransomware." These two terms describe ransomware groups that hunt large targets in search of big paydays, knowing that some companies or government agencies can't afford to stay down while they recover their systems. But over the past year, there has been a paradigm shift in how these groups operate. And this trend appears to have already begun.

Troy Hunt's Ultimate List of Security Links - DZone Java. Sep 29, 2015. Tags: ssl, tls, https, security, ddos, encryption, xss, hacking, passwords, authentication. I've got a heap of resources I constantly come back to in talks, workshops and just during the course of my everyday work.

Frankly, I have trouble remembering them all myself plus I reckon they’re kinda useful for other people too so I thought I’d drop them all into a post here. If you’ve got good stuff I’ve missed (and you almost certainly will), drop it into the comments below as I’d love to add to my own set of resources plus that way it gets shared with everyone.

Enjoy!

DDoS
Krista's professional DDoS service – Video of an innocent teenager promoting a DDoS service
Norse – Totally awesome real-time map of DDoS attacks that's absolutely mesmerising to watch
Booter promotional video – Very professional advert for a "booter" service (complete with "Epic DDoS interface")
networkstresser.com – Example of a DDoS service… protected by CloudFlare… the world's largest provider of DDoS defences…

SQL Injection.

Qualys SSL Labs - Projects / SSL Server Test.

Understanding the Risk of Mixed Content Warnings. Ever see one of these? Or these? Or maybe this one? It means something is wrong with the website – very wrong – yet somehow we seem to keep building websites that do this. The problem, as you'll see in the video below, is that it jeopardises the security of traffic going back and forth over what otherwise appears to be a secure site, at least in terms of implementing SSL.

This can lead to issues such as the theft of identity data, potentially including personal information like social security numbers. Fortunately there's a channel to report potentially fraudulent activity, except that, well, this video explains it best: Of course it's ironic that it's the Social Security Administration that's made a bit of a botch of this, but it's an all too familiar scenario. That's the risk covered; let's focus on the fixes, and they're all dead easy: embed external content explicitly via the HTTPS scheme.

Secure Salted Password Hashing - How to do it Properly. If you're a web developer, you've probably had to make a user account system. The most important aspect of a user account system is how user passwords are protected. User account databases are hacked frequently, so you absolutely must do something to protect your users' passwords if your website is ever breached. The best way to protect passwords is to employ salted password hashing.

This page will explain why it's done the way it is. There are a lot of conflicting ideas and misconceptions about how to do password hashing properly, probably due to the abundance of misinformation on the web. IMPORTANT WARNING: If you are thinking of writing your own password hashing code, please don't! If for some reason you missed that big red warning note, please go read it now. You may use the following links to jump to the different sections of this page. What is password hashing? Hash algorithms are one-way functions. The user creates an account. How Hashes are Cracked; Adding Salt; Salt Reuse; Short Salt.

Penetration Testing Software | Metasploit.

Inviting Hackers into Your Automated Home. I was at the Web Directions South conference the other day and you know what really struck me? There is a lot of very cool, very connected stuff either here now or coming very soon.

Hackable stuff! So there’s this term going around which is The Internet of Things (it has its own Wikipedia page so it must be real), or in human speak, stuff that’s connected to the web. Unusual stuff like domestic appliances and cars – literally “things” rather than devices as we know them such as PCs and phones. One of the best presentations I saw was from Tom Coates who talked extensively about all sorts of “things” that were connected to services. I harboured a brief pipedream of setting up something along the lines of RobTheHouseOfCoates.com which would provide would-be burglars with an easy notification system to identify prime periods where Tom’s house was unoccupied.

Clearly these "things" have the ability to improve our lives in all sorts of wonderful ways, but frankly, that's a bit boring.

Today's big security threat? Developer incompetence on your mobile app team. It would appear that the shorter development cycles and the rush to get up to speed on the latest mobile APIs are taking their toll on what would normally pass as standard development practices, and that's creating a massive problem that security-conscious professionals should be severely worried about. I'd never code a username and password in plain text in a production system, and I'd certainly never allow sensitive information to be saved unencrypted on a device that I knew could be easily lost or stolen.

Yet in the mobile development world, these inane practices seem to be commonplace, and the buck stops at the incompetent application developers who allow it to happen. At AnDevCon 2012 in San Francisco, TheServerSide spoke with Godfrey Nolan, founder of RIIS and author of both Decompiling Java and Decompiling Android, and he had some sobering insights into just how bad the security problem has become. And yes, I said 'decompiling.' So, what needs to be done?

Why passwords have never been weaker—and crackers have never been stronger. In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren't typical of mass-produced phishing scams.

The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too. The warnings Brooks and millions of other people received that December weren't fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam.

Newer hardware and modern techniques have also helped to contribute to the rise in password cracking.

Is Stack Overflow "secure"? Kind of… I had an interesting question pop up on my "SSL is not about encryption" blog post this weekend: "I have a question about logging in to a site like StackOverflow which doesn't use SSL at all. If I log in to SO via Google, is this secure in this case?" This is actually a very good question for a number of reasons, so I thought it deserved a little more attention than just the short response I gave on the blog. The reality is that there are a few more twists to it than that, and Stack Overflow in particular is an interesting case study due to their use of a third-party authentication provider.

Stack Overflow and the role of OpenID. I've followed the evolution of Stack Overflow from the very early days, and one thing that Jeff Atwood was always adamant about was the role of OpenID. There are opponents of OpenID, but the arguments are more about the logistics of implementing it and dealing with customers having accounts with all sorts of different providers. Stack Overflow and HTTPS. Hey, look at that!

Secure Password Storage - Lots of Don'ts, a Few Dos, and a Concrete Java SE Example. As software developers, one of our most important responsibilities is the protection of our users' personal information. Without technical knowledge of our applications, users have no choice but to trust that we're fulfilling this responsibility. Sadly, when it comes to passwords, the software development community has a spotty track record. While it's impossible to build a 100% secure system, there are fortunately some simple steps we can take to make our users' passwords safe enough to send would-be hackers in search of easier prey.

If you don't want all the background, feel free to skip to the Java SE example below. The Don'ts: First, let's quickly discuss some of the things you shouldn't do when building an application that requires authentication: Don't store authentication data unless you really have to. The Dos: Okay, enough lecturing on what not to do. Finally, a concrete example: Okay, here's some code to encrypt passwords using PBKDF2. References.

OWASP Enterprise Security API.

An Illustrated Guide to Cryptographic Hashes. With the recent news of weaknesses in some common security algorithms (MD4, MD5, SHA-0), many are wondering exactly what these things are. They form the underpinning of much of our electronic infrastructure, and in this Guide we'll try to give an overview of what they are and how to understand them in the context of the recent developments.

But note: though we're fairly strong on security issues, we are not crypto experts. We've done our best to assemble (digest?) the best available information into this Guide, but we welcome being pointed to the errors of our ways. A "hash" (also called a "digest", and informally a "checksum") is a kind of "signature" for a stream of data that represents the contents. The closest real-life analog we can think of is "a tamper-evident seal on a software package": if you open the box (change the file), it's detected. Let's first see some examples of hashes at work. The avalanche effect can be best seen by hashing two files with nearly identical content.

#! Secure DNS.

Protocolv2Spec - google-safe-browsing - Client specification for the Google Safe Browsing v2.2 protocol - protect users from malicious web pages.

Status: CURRENT as of 2009/3/10. This specification is not yet for general use. Do not use this protocol without explicit written permission from Google. Copyright 2007 Google Inc. All Rights Reserved. Authors: Garrett Casto, Oliver Fisher, Raphaël Moll, Marria Nazif, and Dan Born Notes: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. Google provides data for the anti-phishing feature implemented in Firefox 2 and Google Desktop. Note: This document assumes the reader is familiar with the anti-phishing service.

Version 1 of the update protocol is inefficient and not scalable. It does not support partial list updates unless a client has a recent version of the list already fully downloaded. Note: This is not a license to use the defined protocol. Version 2 of the update protocol is designed with the following characteristics:

PhishTank | Join the fight against phishing.

Sebastian Kübeck's Weblog. Detecting and Preventing ReDoS Vulnerabilities, Part 2. In my previous post on ReDoS, I tried to explain the problem and proposed a solution for fixing regular expression engines by reducing the execution time and recursion depth of the execution.

Now I want to explain some strategies to detect vulnerable expressions. In general, there are three approaches to achieve this: fuzzing; generating sample inputs for the expression from the syntax and testing those against the engine; static analysis of the expression syntax. All approaches have their pros and cons and I will dig into them in more detail.

Fuzzing. Fuzzing is a very simple approach by which the execution of an expression is tested against random samples of input. Generating Sample Inputs from the Expression Syntax. This approach is similar to model checking, a technique used in program validation. In the case of regular expressions, all we need to do is parse the expression and generate an abstract syntax tree. Example expression: ^a(b|c)$; generated sample inputs: ab, ac, abX, acX.

Sebastian Kübeck's Weblog. Detecting and Preventing ReDoS Vulnerabilities. Regular expressions are omnipresent in today's applications; they are used for input validation and parsing in web applications, web frameworks (in the browser and on the server side) and especially in security-related applications, tools and libraries. Today's regular expression engines are pretty well tuned for performance.

Even complex expressions are usually executed extremely fast. However, there are some combinations of expressions and input that slow down execution drastically, and this can be abused by attackers for very effective (D)DoS attacks, also called ReDoS (Regular Expression Denial of Service) attacks. The Problem. ReDoS vulnerabilities were first described in a talk by Crosby & Wallach at USENIX 2003 (unfortunately, the paper isn't online any more) and received more attention recently as various researchers discovered those vulnerabilities in numerous programming libraries and security-related applications. Example vulnerable expressions: (a|aa)*O and (a+)+.

Nikto2 | CIRT.net.

Sebastian Kübeck's Weblog. Malware Alert on ThoughtWorks.com. Today, Martin Fowler reported that there are indications that malware was found on ThoughtWorks.com: "Our biggest sign of it is via Google. Google reported our site on Jan 7th as having problems; we looked into it, didn't find anything, and Google's complaint went away very quickly.

The flag went up again on Jan 31st and this time they emailed our webmaster." Note that this could be a false positive, but the rare occurrence of this indicates that it could be something serious. Malware in websites often exploits browser vulnerabilities to infect the browsers of visitors. Here is an (incomplete) list of the most common causes of malware in websites: Injection flaws. Last year, several European sites suffered automated attacks of that kind from Chinese hackers.

Detection. You can check whether you got hacked by scanning the database tables that contain web content for suspicious HTML elements such as IFrames and script tags. Countermeasures. Remove the malware. Conclusions.

Web-based DNS Randomness Test | DNS-OARC. US-CERT's Vulnerability Note VU#800113 describes deficiencies in the DNS protocol and implementations that can facilitate cache poisoning attacks. The answers from a poisoned nameserver cannot be trusted. You may be redirected to malicious web sites that will try to steal your identity or infect your computers with malware. Working exploits for this issue are already widely circulated! Upgrade your nameservers ASAP if you haven't done so already! On August 7, 2008, Dan Kaminsky will release additional details about these poisoning attacks. The essence of the problem is that DNS resolvers don't always use enough randomness in their transaction IDs and query source ports. This page exists to help you learn if your ISP's nameservers are vulnerable to this type of attack.

The test takes a few seconds to complete. See porttest for another way to check your resolver from a Unix command line.

Automatically run vpn on login.
Security in 2020.
Sebastian Kübeck's Weblog.
Dm-crypt.
SocialAuth - Java Library for seamless authentication for oAuth and OpenID providers - TheServerSide.com.
Sebastian Kübeck's Weblog.
StartCom Free SSL Certification Authority.

Cracking

Livebox.
Hackademix.net.
Cthulhubuntu | leeds.scifi.me.uk.
Java 2 Evil Edition - Wcw.
ulimit(1): set/get shell resource usage limits.
Hasan's Weblog ~ Experiences @ workspace.
Sebastian K.
Sebastian K.
Rob Williams' Blog.
Ecrans - Les fournisseurs d'acc.
Sebastian K.
"123456" or "azerty"? The hell of passwords.
CWE - 2010 CWE/SANS Top 25 Most Dangerous Programming Errors.
Top 25 Most Dangerous Software Errors - 2011.
Reports.
20 ways to Secure your Apache Configuration.
Sebastian Nohn - Removing the Apache "Server" Header.
More Must Be Done to Prepare US for Cyber Attack | The New New I.
Sebastian Kübeck's Weblog.
Public vulnerabilities.
How to hack your neighbours' or employees' EDF bill | Eco8.

Ultra High Security Password Generator.
jBCrypt - strong password hashing for Java.