-
Sick of your PC? Pulverize it
Date: 02/17/05
(Security) Keywords: security
When chewed up, a PC fits in a jar. Just ask Security Engineered Machinery. Taking paper shredding to a whole new level.
Source: http://news.zdnet.com/Sick+of+your+PC%3F+Pulverize+it/2100-1009_22-5579750.html?part=rss&tag=feed&subj=zdnn
-
Major ID theft uncovered, affecting thousands of Californians
Date: 02/17/05
(Java Web) Keywords: security
ChoicePoint is working with the California authorities on this, assuming that the impact is on Californian residents only.
However, security experts disagree.
It would be surprising if the impact is limited to California only.
Source: http://feeds.feedburner.com/AngsumansBlogOnJavaAndWebTechnologies?m=156
-
Lexus: Cabir won't infect our cars
Date: 02/17/05
(Security) Keywords: software, security, virus
In its blog, security software maker F-Secure posts excerpts from a Lexus statement defending its cars' safety from viruses.
Source: http://news.zdnet.com/Lexus%3A+Cabir+won%27t+infect+our+cars/2100-1009_22-5581162.html?part=rss&tag=feed&subj=zdnn
-
IM still a security weak spot, analysts warn
Date: 02/17/05
(Security) Keywords: security
The recent MSN Messenger fix is a reminder that instant messaging can still pose a threat to corporate security.
Source: http://news.zdnet.com/IM+still+a+security+weak+spot%2C+analysts+warn/2100-1009_22-5581019.html?part=rss&tag=feed&subj=zdnn
-
Security chiefs favor business savvy
Date: 02/18/05
(Security) Keywords: security
Chief security officers stress the need for their peers to become as business savvy as they are tech savvy.
Source: http://news.zdnet.com/Security+chiefs+favor+business+savvy/2100-1009_22-5581548.html?part=rss&tag=feed&subj=zdnn
-
Feds urged to tighten cybersecurity
Date: 02/18/05
(Security) Keywords: security
U.S. government agencies get a "D+" for computer security as experts warn that attacks will come.
Source: http://news.zdnet.com/Feds+urged+to+tighten+cybersecurity/2100-1009_22-5581502.html?part=rss&tag=feed&subj=zdnn
-
How secure is this?
Date: 02/16/05
(PHP Community) Keywords: php, security
Okay, I wrote an authorization class using cookies to access certain pages based on their category.
Now, not being the security god or anything, I wanted to check its validity as far as a valid way to grant or deny access.
Basically, it does a DB call on every page request, based off the cookie info, but I'm willing to put up with the performance hit just because you can update access permissions on the fly, and not have to worry about page caches, etc.
But the natural language explanation is this:
Get the user permissions from the table field, and put them in an array.
If you can't get an array from the information in the cookie, go to the deny message page.
If the current category ($_GET[cat]) isn't in the permissions array, go to the deny message page.
If the current page isn't in the allowed pages array, go to the deny message page.
If any part of the cookie array isn't set, go to the deny page.
Here is the method that I wrote. Any and all criticisms, help, etc is much appreciated...
function authorize($page_cat){
    $page_base = basename($_SERVER['PHP_SELF']);
    $page = $_SERVER['REQUEST_URI'];
    $ip = $_SERVER['REMOTE_ADDR'];
    $date = date("m/d/y - h:iA");
    $exceptionpages = str_replace(" ", "", $this->ExceptionPages);
    $exceptionpages = explode(",", $exceptionpages);
    $allowedpages = str_replace(" ", "", $this->AllowedPages);
    $allowedpages = explode(",", $allowedpages);
    if(isset($_COOKIE[$this->UserIDfield]) && isset($_COOKIE[$this->Usernamefield]) && isset($_COOKIE[$this->Passwordfield]) && isset($_COOKIE[$this->Emailfield])){
        $auth = $this->getUserArray();
        if (!$auth){
            header("Location: $this->LogoutPageRedirect");
        }
        $permissions = $auth[$this->PermissionsField];
        if (($page_base == $this->EntryPage) && ($_GET['action'] !== "logout")){
            header("Location: $this->LoginPageRedirect");
        }
        if ($this->PermissionsType == "category") {
            $permissions = explode(", ", $permissions);
            if (in_array($this->DisabledMarker, $permissions) && $page_base !== "misc.php"){
                if ($this->RecordHacks == 1){
                    $this->insertHack();
                }
                header("Location: $this->DisabledPageRedirect");
            }
            if (isset($page_cat)){
                if (!in_array($page_cat, $permissions)) {
                    if ($this->RecordHacks == 1){
                        $this->insertHack();
                    }
                    header("Location: $this->DeniedPageRedirect");
                }
            }
        }
    }
    if(!$_COOKIE[$this->UserIDfield] || !$_COOKIE[$this->Usernamefield] || !$_COOKIE[$this->Passwordfield] || !$_COOKIE[$this->Emailfield]) {
        if ($page_base !== "$this->EntryPage"){
            if ($this->RecordHacks == 1){
                $this->insertHack();
            }
            header("Location: $this->LogoutPageRedirect");
        }
    }
}
Source: http://www.livejournal.com/community/php/260701.html
-
where to store images?
Date: 02/16/05
(PHP Community) Keywords: database, security, google
Because xinu is too busy working in production environments, I spent about 15 minutes reading through different articles Google found on the subject. Here's a brief result:
extremeexperts article summary: if the images are small and need security, use a DB. If the images are big or requested frequently, use the filesystem. The article also has a link regarding the TerraServer, which stores all its images (8 terabytes) in a database.
Here are some fetch statistics, too.
Community memories would come in handy, if the admin ever felt so inclined. *hinthint*
Source: http://www.livejournal.com/community/php/260494.html
-
Captcha and authentication/hash/crypt
Date: 02/20/05
(PHP Community) Keywords: php, database, java, security
In building my nice little blog system, I'm running into the following two problems:
Problem 1:
Currently I cannot run image magick as my wondrous site admin has not installed it. This is - apparently - preventing me from using Text_CAPTCHA from PEAR. I need a captcha solution that does not require said image manipulation libraries. Alternatively, if someone knows of a way I can install image magick into my userspace, and NOT have to convince my admin to recompile php, please let me know.
Problem 2:
Additionally, my authentication for administration interface is currently being done via plaintext passwords. This is - for obvious reasons - insecure. I was attempting to find a solution using a client-side javascript that would create an md5 hash of the password and a randomly generated "key", send same to php processing form via post, and then the php form processor would use the same randomly generated "key" (I'm currently using "mt_rand()") and the user's password (retrieved from the database), combine/hash and compare. I ran into problems with transmitting the "key" to client side, and maintaining the SAME key (without sending it back, in the clear) on the server side.
The major problems I'm running into, though is the transmission of the key, no matter how I find a way to do it, it still shows up clearly in going to the client side ($rnd = mt_rand() will still show the number client-side when echo $rnd, and therefore it is being clearly transmitted). Hmm, perhaps I could hash it server side, and then reverse the hash? But md5 hashes are one-way, yes? I'd need a crypt for that, and despite my best tries haven't located a good one. ARRGH.
Security is a bitch when you're not using pre-written. ...ESPECIALLY when you're a beginner.
Source: http://www.livejournal.com/community/php/264266.html
-
SP2 issues, hanging computer, cd/dvd issues, Help????
Date: 09/06/04
(Software) Keywords: security, virus
My mother has a computer that we ordered from tiger direct (www.tigerdirect.com) last year online, summertime. When i originally got the computer, one of the memory slots was bad so i sent it back and got a replacement. The new board has been working alright but lately there have been more and more problems popping up and i'm wondering if this is the fault of the mobo.
Various problems include:
-DVD drive occasionally will not spin up and read disks
-CD burner refuses to burn cds
-computer randomly hangs in the middle of varying tasks
Also, upon installation of service pack 2 to winXP, it now hangs on boot and doesn't get to the logon screen. It doesn't happen all the time and it seems kind of random as to when it decides not to work. All the cables are firmly plugged in and there are no issues that i can see. Computer is definitely virus free.
I'm not sure if this is all mobo related or what, but any suggestions/helpful hints/places to post these problems again would be appreciated.
Specs:
P4 3.06Ghz w/hyperthreading
Via p4x400 chipset
1GB DDR333 RAM
GeForce 4 Ti4200
cd drive
dvd drive
300 Watt PSU
The RAM is 2x512 sticks in the 1st 2 settings. Originally i got a mobo that had a faulty 1st slot and i got it replaced with the new mobo. it was fine for a couple months then started going bad. The vid driver is a NVIDIA GeForce Ti4200 version 4.2.3.0 The BIOS is the original version, not updated.
I have 2 80Gig drives in the machine as well, each has their own windows XP installation. Today, after installing windows SP2 on one of the drives, it killed windows. and by killed i mean after it tells you to restart it hung on boot on the windows XP splash screen with the little bar running along the bottom. so after backing up all the data, the drive is still readable, just can't run windows off it, i tried installing SP2 on the other drive, with the 1st drive unplugged. same problem. reinstalled windows on the 1st drive and it now works, but is horribly out of date and behind on security updates. i'm scared to now update to SP2 on this machine. Updated to SP2 on 3 other machines without a problem. Any ideas for any of these issues?
X-posted
Source: http://www.livejournal.com/community/software/41611.html
-
Security in websites, part deux....
Date: 01/02/05
(PHP Development) Keywords: php, html, database, sql, java, security, web
alright, so, i finally got around to designing my 'security system' for my family's website. here's how it'll work:
- user enters their username and password into an html form. a javascript function will confirm that both are between 6 and 16 characters long
- if they are, they'll be passed to login.php which will double check the lengths of the two strings, and then confirm that neither one contains anything but letters and numbers. if they don't pass muster, the user gets rerouted to the html login form.
- if the above two criteria evaluate to true, then a SQL query will run to see if there's a matching username and password row in a database.
- IF SO, the script calls session_start() and $_SESSION['UsrIsLogdIn']=true;. the script then redirects them to the rest of the site.
now, each page on the rest of the site will do a check like this:
if ($_SESSION['UsrIsLogdIn']!==true) {
    header("Location:index.php");
    exit();
}
do you all think that this is good security? do you see any problems, loopholes, other ways in or ways to emulate the session variable being set to true? is there anything else i should add or make the pages check for?
thanks for your help :)
[Edit: oh, and what do you think is the best way to handle the user logging out? just setting $_SESSION['UsrIsLogdIn'] to false?]
Source: http://www.livejournal.com/community/php_dev/51178.html
-
security in websites
Date: 12/29/04
(PHP Development) Keywords: php, mysql, browser, database, sql, security, web
i am preparing to design a website for my family. i'd like it to have a secure log-in, which references usernames and passwords in a mysql database. i'd like the rest of the website to be secure, meaning, if you're not logged in, you're redirected to the index. i'm planning to use sessions with cookies. as i'm relatively new to security in web design, i'd like some advice.
i know the login.php script will check the username and password against a corresponding user table. if the login succeeds, a call will be made to session_start(). session_start() will be called on all subsequent pages, as well as a check to see if the login status is true (or something like that). herein is my first question:
what should each subsequent page of the site check for?
do i need to turn SSL on or will sessions, cookies and a database be enough? (it doesn't need to be super tight--mainly, some of my aunts and uncles don't want the pictures of their bikini clad daughters from our beach trips accessible to just anyone over the net.)
... i guess i'm not entirely sure what else to ask. i suppose that i'll need to make each page check to see if the above mentioned login status variable is set to true, but how do i set it to false? do i just design the session or cookie to expire when the browser is closed?
any help or feedback is appreciated. if you know of a good site (that's easy to understand) which goes over what you need to do to design a secure site, please let me know.
ah, by the way, the environment i'm designing this site for is a RedHat server with PHP4.3.9 and MySQL4.0
thanks for your help
Source: http://www.livejournal.com/community/php_dev/50687.html
-
Spyware infiltrates blogs
Date: 02/24/05
(Security) Keywords: security, web
Vulnerabilities plague self-publishing Web tools, security experts warn, exposing users to attacks.
Source: http://news.zdnet.com/Spyware+infiltrates+blogs/2100-1009_22-5587710.html?part=rss&tag=feed&subj=zdnn
-
Adware maker joins federal privacy board
Date: 02/24/05
(Web Technology) Keywords: security
Homeland Security taps executive from Claria, aka Gator, a company once dubbed a "parasite" by online publishers.
Source: http://news.zdnet.com/Adware+maker+joins+federal+privacy+board/2100-9588_22-5587653.html?part=rss&tag=feed&subj=zdnn
-
Payroll site closes on security worries
Date: 02/24/05
(Security) Keywords: security
PayMaxx shutters part of its site after a security researcher claims it exposed data on more than 25,000 people.
Source: http://news.zdnet.com/Payroll+site+closes+on+security+worries/2100-1009_22-5587859.html?part=rss&tag=feed&subj=zdnn
-
U.K. to issue public virus alerts
Date: 02/24/05
(Security) Keywords: security, virus, web
British government creates a Web site with virus alerts and security advice for home PC users and small businesses.
Source: http://news.zdnet.com/U.K.+to+issue+public+virus+alerts/2100-1009_22-5588756.html?part=rss&tag=feed&subj=zdnn
-
Take three: Antivirus apps could spread infection
Date: 02/25/05
(Security) Keywords: software, security, virus
A flaw in Trend Micro's software lets attackers run a virus instead of stopping it, in the third such security hole found this month.
Source: http://news.zdnet.com/Take+three%3A+Antivirus+apps+could+spread+infection/2100-1009_22-5589439.html?part=rss&tag=feed&subj=zdnn
-
PHP Blogging Script
Date: 02/27/05
(PHP Community) Keywords: php, blogging, html, security
I hope you don't mind me asking this here (seems a good a place as any, in my opinion), but I've got a quick question.
Can anyone offer some suggestions on a good PHP-based blogging script? It just needs to work for me (meaning it doesn't have to be community-oriented). All I really need is a subject, entry, basic archives, comments, post icons, html formatting (but auto newlines would be handy), music, moods, screening (security), and ... that's about it. Sounds longer when you write it out.
I've looked over Bloxsom, and it looks good, but it's only in Perl. I've seen a couple of Bloxsoms in PHP, but not sure what to use...
I've also seen PHPBBlog, or whatever it's called. Anyone have an opinion on that?
Of course, like a true PHP Guru, I suppose I should build one myself.
Source: http://www.livejournal.com/community/php/266519.html
-
Report: Holiday sales boomed amid phishing threat
Date: 02/28/05
(Security) Keywords: security
Online merchants saw 88 percent rise in revenue as they turned to automated tools to fend off security risks, according to VeriSign.
Source: http://news.zdnet.com/Report%3A+Holiday+sales+boomed+amid+phishing+threat/2100-1009_22-5590946.html?part=rss&tag=feed&subj=zdnn
-
NIST releases final security guidelines
Date: 03/01/05
(Security) Keywords: security
Standards group document provides road map for federal agencies to bolster computer system security.
Source: http://news.zdnet.com/NIST+releases+final+security+guidelines/2100-1009_22-5593256.html?part=rss&tag=feed&subj=zdnn