The basic policy for Actionscript is very close to the Javascript same-origin policy: A Flash object can only access content from the domain it originated from. There are exceptions, which I'll get into another time, but they actually aren't particularly important. This flash behavior is known and documented, but is not particularly well-understood, even within the Web Application Security community. The important difference, of course, is that flash objects are not web pages. A flash object does not need to be injected into a web page to execute- simply loading the content is enough. Let's consider the implications of this policy for a moment: If I can get a Flash object onto your server, I can execute scripts in the context of your domain.

This is a frighteningly Bad Thing. How many web sites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable.

A five-year research programme, called Project Indect, aims to develop computer programmes which act as "agents" to monitor and process information from web sites, discussion forums, file servers, peer-to-peer networks and even individual computers.

Its main objectives include the "automatic detection of threats and abnormal behaviour or violence".

Both the jmx-console and web-console are standard servlet 2.3 deployments and can be secured using J2EE role based security. Both also have a skeleton setup to allow one to easily enable security using username/password/role mappings found in the jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes users.properties and roles.properties files.

Port Knocking and Single Packet Authorization are new techniques in the network security field that provide a mechanism to have all ports of a server closed and open them to clients that issue specific sequences of connection attempts or specially crafted packets that contain the appropriate authentication credentials. Aldaba is a command-line tool for Linux systems that implements a PK and SPA client and server that provides secure stealthy authentication and remote firewall rules manipulation using TCP/IP covert channels.

Among the toughest questions posed to the Chicago bid team this week in Copenhagen was one that raised the issue of what kind of welcome foreigners would get from airport officials when they arrived in this country to attend the Games. Syed Shahid Ali, an I.O.C. member from Pakistan, in the question-and-answer session following Chicago’s official presentation, pointed out that entering the United States can be “a rather harrowing experience.”

ID theft is often considered a “white-collar” crime because it is committed during the course of normal employment duties (e.g., a bank employee gathering personal information), or the crime does not usually involve any physical harm. Identity thieves are often portrayed as sophisticated computer specialists, hackers, or organized networks. But, is this the reality?

A recent research report by Heith Copes (U Alabama at Birmingham) and Lynne Vieraitis (U Texas at Austin) has shed some light on this issue.

A proposal by the Homeland Security Advisory Council, unveiled late Tuesday, recommends removing two of the five colors, with a standard state of affairs being a “guarded” Yellow. The Green “low risk of terrorist attacks” might get removed altogether, meaning stay prepared for your morning subway commute to turn deadly at any moment.

...

The new system, if approved by the agency, would consist solely of Yellow, Orange and Red.

HADOPI 2 also preserves an earlier attempt to outlaw the "open WiFi defense" under which an accused file-sharer simply makes clear that anyone could have used his connection. Under the new law, all Internet users must keep their connections "secure" and are responsible for what happens on them.

Companies continue to store and sometimes release vast databases of "anonymized" information about users. But, as Netflix, AOL, and the State of Massachusetts have learned, "anonymized" data can often be cracked in surprising ways, revealing the hidden secrets each of us are assembling in online "databases of ruin."

The playkey, unlike the title folder, can't be copied—but it can be moved. To give your friends and family access to the file in question, you can send them a copy but must also provide a link to the playkey. Under the DPP system, though, anyone who can access the playkey can also decide to move it to their own digital vault—in essence, anyone can take the content from you, and you would no longer have access to the media files in question if they did so.

|< First   < Previous   127–136 (198)   Next >   Last >|