
Information Security


Myths about /dev/urandom

There are a few things about /dev/urandom and /dev/random that are repeated again and again. Still they are false.

Myth: /dev/urandom is insecure. Always use /dev/random for cryptographic purposes.

Fact: /dev/urandom is the preferred source of cryptographic randomness on UNIX-like systems.

Myth: /dev/urandom is a pseudo random number generator, a PRNG, while /dev/random is a “true” random number generator.

Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC’s AntiForgeryToken() helper

Cross-site scripting (XSS) is widely regarded as the number one security issue on the web. But since XSS gets all the limelight, few developers pay much attention to another form of attack that’s equally destructive and potentially far easier to exploit. Your application can be vulnerable to cross-site request forgery (CSRF) attacks not because you the developer did something wrong (as in, failing to encode outputs leads to XSS), but simply because of how the whole Web is designed to work.

Scary!

How CSRF works

So, what’s it all about?

    public class UserProfileController : Controller
    {
        public ViewResult Edit()
        {
            return View();
        }

        public ViewResult SubmitUpdate()
        {
            // Get the user's existing profile data (implementation omitted)
            ProfileData profile = GetLoggedInUserProfile();

            // Update the user object straight from the posted form fields
            profile.EmailAddress = Request.Form["email"];
            profile.FavoriteHobby = Request.Form["hobby"];
            SaveUserProfile(profile);

            ViewData["message"] = "Your profile was updated";
            // Return statement and closing braces supplied to complete the
            // excerpt, which the page cuts off mid-statement
            return View();
        }
    }

This is all very normal.

BadUSB - On Accessories that Turn Evil by Karsten Nohl + Jakob Lell

How to Safely Store a Password in 2016 - Paragon Initiative Enterprises Blog

If you are unfamiliar with cryptography concepts or the vocabulary it uses, or especially if you are looking for guidance on "password encryption", please read this page first. We've previously said that even security advice should carry an expiration date. So unlike most of our past blog posts, this page should be considered a living document: as requirements change and new attacks are discovered, we will update it accordingly. Semantic point: Don't store the password, store a hash of the password. (Obligatory.)

Modern, Secure, Salted Password Hashing Made Simple

The Problem: You want people to be able to create a unique user account, with a password, which they will use to access your application.

Easiest Solution: Use libsodium, which provides a secure password hashing API in most languages.

The Secret History of America’s Cyber War

On August 9, 2013, a hot, humid Friday, shortly after three in the afternoon, the laziest hour in the dreariest month for news in the nation’s capital, President Obama held a press conference in the East Room of the White House. Two months earlier, Edward Snowden, a contractor with the National Security Agency, had leaked tens of thousands of highly classified documents, revealing that the NSA was intercepting phone calls and emails of millions of Americans, in apparent violation of the law—and tapping the phones of allied leaders abroad as well. Citizens were outraged, embassies were fuming, Silicon Valley executives were worried that they’d lose foreign customers who suspected their products had “back doors” that the NSA could enter.

News

Zarp - Network Attack Tool

Zarp is a network attack tool centred around the exploitation of local networks. This does not include system exploitation, but rather abusing networking protocols and stacks to take over, infiltrate, and knock out. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly.

Exploit Exercises

SQL Injection Attacks by Example

A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration. "SQL Injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises. We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. We speculate that the underlying SQL code looks something like this: A standalone query of.