security

http://netifera.com/research/ Practical Padding Oracle Attacks This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites.

research - The ASP.NET Vulnerability - POET attack - BEAST SSL/TLS attack

15 June 2011: LPS-Remote Access was certified by AFNIC to connect to the GIG for general telecommuting use. Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). LPS boots a thin Linux operating system from a CD or USB flash stick without mounting a local hard drive.

Software Protection Initiative - Lightweight Portable Security

http://www.spi.dod.mil/lipose.htm
https://www.grc.com/passwords.htm If some device was not following the WiFi Alliance WPA specification by not hashing the entire printable ASCII character set correctly, it would end up with a different 256-bit hash result than devices that correctly obeyed the specification. It would then be unable to connect to any network that uses the full range of printable ASCII characters. Since we have heard unconfirmed anecdotal reports of such non-compliant WPA devices (and since you might have one), this page also offers "junior" WPA password strings using only the "easy" ASCII characters which even any non-fully-specification-compliant device would have to be able to properly handle.

Ultra High Security Password Generator

How to Secure Your Apache Web Server

How to Secure Your Apache Web Server Installing and maintaining a secure web server on Linux can be a challenge. It requires in-depth knowledge of Linux, Apache, and PHP server-side options. http://www.openlogic.com/wazi/bid/188105/How-to-Secure-Your-Apache-Web-Server

LogSurfer - Real Time Log Monitoring and Alerting

http://www.crypt.gen.nz/logsurfer/ LogSurfer Software and Resources. Introduction: Logsurfer is a program for monitoring system logs in real-time, and reporting on the occurrence of events. It is similar to the well-known swatch program on which it is based, but offers a number of advanced features which swatch does not support.
http://nmap.org/ncrack/

Ncrack - High-speed network authentication cracker

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback.

wfuzz - Web application bruteforcer

https://code.google.com/p/wfuzz/ Wfuzz is a tool designed for bruteforcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), bruteforcing form parameters (user/password), fuzzing, etc. It is very flexible; some of its functionalities are: multiple injection points with multiple dictionaries; recursion (when doing directory bruteforce); POST, header and authentication data brute forcing; output to HTML; colored output; hiding results by return code, word count, line count or regex.
Introduction Bro is a policy-controlled, event-based distributed intrusion detection system. Bro nodes can exchange events, policy state, network packets, and other information amongst each other. http://www.icir.org/christian/broccoli/index.html

Broccoli — The Bro client communications library

Scapy

http://www.secdev.org/projects/scapy/ Security Power Tools was out in August 2007. I wrote a complete chapter on Scapy. Scapy trainings at CanSecWest, EuSecWest, PacSec. NEXT SESSION: CanSecWest, March 7th and 8th, 2011. I can give trainings on many subjects (Scapy, networks, shellcoding, exploit writing, etc.). Contact me directly: phil @ secdev . org. About Scapy
forensics

htshells - Just Another Hacker

http://www.justanotherhacker.com/projects/htshells/ htshells is a series of web based attacks based around the .htaccess files. Most of the attacks are centered around two attack categories. Remote code/command execution and information disclosure. These attacks are intended for use during penetration tests or security assessments.
blogs

Works instantly, no need to re-type pass codes from a device. Works on Windows, Mac, Linux, iPad, Firefox, Chrome, etc. Identified as a USB keyboard, so no client software or drivers are needed. Minimized size: 2 mm thin, 3 grams. Practically indestructible: waterproof, crush safe, no battery. Integration within minutes with free and open source server software. Two slots for multiple configurations: OATH, Challenge-Response, etc. Also available with NFC (NEO) and in a minimized form factor (Nano). Manufactured in the USA and Sweden with best-practice security processes. Lowest total cost of ownership for strong two-factor authentication. How it works: with a simple touch of the gold disc, the YubiKey sends a One Time Password (OTP) as if it was typed in from a keyboard.

YubiKey - The key to the cloud - Yubico

Yubikey: the little key you can count on

The Yubikey is a slightly special little USB key. A small touch pad on top generates a one-time password, which a remote service can use to decide whether or not to identify you. It is practical, it is secure (if used properly), and it is geeky enough to be worth talking about. The problem: passwords multiply like hot cakes, especially among geeks.

VPN

A VPN (Virtual Private Network) is a virtual network built on top of another network (the Internet, for example). It allows information to travel securely between the members of that VPN. A VPN is a concept, and VPNs cannot be generalized. Schematically, a VPN connection can be thought of as connecting to a LAN over the Internet. You can then communicate (ping, any IP protocol) with the machines on that LAN by addressing their local IPs (most of the time these look like 192.168.X.X, 10.X.X.X, 172.16.X.X, etc.). Several types of VPN exist, operating at different network layers; here are the VPNs we can set up on a dedicated server or at home:
VPNTunnel is a VPN service that gives completely anonymous access to the Internet. Like all online VPN services, it offers an encrypted link between your machine and servers (here located in Sweden) that keep no information about your traffic. In this post we will see how to configure an Ubuntu machine to make it invisible to Hadopi and to Internet snoopers...

Configuring VPNTunnel on Ubuntu

Wireshark