Flash Origin Policy Issues
www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html, posted 2009 by peter in development flash security webdesign
The basic policy for ActionScript is very close to the JavaScript same-origin policy: A Flash object can only access content from the domain it originated from. There are exceptions, which I'll get into another time, but they actually aren't particularly important. This Flash behavior is known and documented, but is not particularly well-understood, even within the Web Application Security community. The important difference, of course, is that Flash objects are not web pages. A Flash object does not need to be injected into a web page to execute: simply loading the content is enough. Let's consider the implications of this policy for a moment: If I can get a Flash object onto your server, I can execute scripts in the context of your domain.
This is a frighteningly Bad Thing. How many web sites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable.
EU funding 'Orwellian' artificial intelligence plan to monitor public for "abnormal behaviour" - Telegraph
www.telegraph.co.uk/news/uknews/6210255/EU-funding-Orwellian-artificial-intelligence-plan-to-monitor-public-for-abnormal-behaviour.html, posted 2009 by peter in ai eu fascism politics privacy security toread
A five-year research programme, called Project Indect, aims to develop computer programmes which act as "agents" to monitor and process information from web sites, discussion forums, file servers, peer-to-peer networks and even individual computers.
Its main objectives include the "automatic detection of threats and abnormal behaviour or violence".
SecureTheJmxConsole - JBoss Community
www.jboss.org/community/wiki/SecureTheJmxConsole, posted 2009 by peter in development java reference security
Both the jmx-console and web-console are standard servlet 2.3 deployments and can be secured using J2EE role based security. Both also have a skeleton setup to allow one to easily enable security using username/password/role mappings found in the jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes users.properties and roles.properties files.
Aldaba Knocking Suite | Port Knocking and SPA system for Linux
www.aldabaknocking.com/, posted 2009 by peter in networking security software toread
Port Knocking and Single Packet Authorization are new techniques in the network security field that provide a mechanism to have all ports of a server closed and open them to clients that issue specific sequences of connection attempts or specially crafted packets that contain the appropriate authentication credentials. Aldaba is a command-line tool for Linux systems that implements a PK and SPA client and server that provides secure stealthy authentication and remote firewall rules manipulation using TCP/IP covert channels.
Chicago’s Loss: Is Passport Control to Blame? - In Transit Blog - NYTimes.com
intransit.blogs.nytimes.com/2009/10/02/chicagos-loss-is-passport-control-to-blame/, posted 2009 by peter in business fascism msm politics security toread travel usa
Among the toughest questions posed to the Chicago bid team this week in Copenhagen was one that raised the issue of what kind of welcome foreigners would get from airport officials when they arrived in this country to attend the Games. Syed Shahid Ali, an I.O.C. member from Pakistan, in the question-and-answer session following Chicago’s official presentation, pointed out that entering the United States can be “a rather harrowing experience.”
Andrew Patrick » Identity theft is usually an equal opportunity, unsophisticated crime
www.andrewpatrick.ca/security-and-privacy/id-theft-criminals, posted 2009 by peter in privacy security toread
ID theft is often considered a “white-collar” crime because it is committed during the course of normal employment duties (e.g., a bank employee gathering personal information), or the crime does not usually involve any physical harm. Identity thieves are often portrayed as sophisticated computer specialists, hackers, or organized networks. But, is this the reality?
A recent research report by Heith Copes (U Alabama at Birmingham) and Lynne Vieraitis (U Texas at Austin) has shed some light on this issue.
Color-Coded Threat Level Advisory Under Attack | Threat Level | Wired.com
www.wired.com/threatlevel/2009/09/threatleveladvisory/, posted 2009 by peter in humor politics propaganda security terrorism usa
A proposal by the Homeland Security Advisory Council, unveiled late Tuesday, recommends removing two of the five colors, with a standard state of affairs being a “guarded” Yellow. The Green “low risk of terrorist attacks” might get removed altogether, meaning stay prepared for your morning subway commute to turn deadly at any moment.
...
The new system, if approved by the agency, would consist solely of Yellow, Orange and Red.
France passes harsh anti-P2P three-strikes law (again) - Ars Technica
arstechnica.com/tech-policy/news/2009/09/france-passes-harsh-anti-p2p-three-strikes-law-again.ars, posted 2009 by peter in copyright dinosaurism eu fascism p2p security
HADOPI 2 also preserves an earlier attempt to outlaw the "open WiFi defense" under which an accused file-sharer simply makes clear that anyone could have used his connection. Under the new law, all Internet users must keep their connections "secure" and are responsible for what happens on them.
"Anonymized" data really isn't—and here's why not - Ars Technica
arstechnica.com/tech-policy/news/2009/09/your-secrets-live-online-in-databases-of-ruin.ars, posted 2009 by peter in privacy recovery security
Companies continue to store and sometimes release vast databases of "anonymized" information about users. But, as Netflix, AOL, and the State of Massachusetts have learned, "anonymized" data can often be cracked in surprising ways, revealing the hidden secrets each of us is assembling in online "databases of ruin."
Goodbye, DRM; hello "stealable" Digital Personal Property - Ars Technica
arstechnica.com/tech-policy/news/2009/09/goodbye-drm-hello-stealable-digital-personal-property.ars, posted 2009 by peter in copyright dinosaurism media propaganda security
The playkey, unlike the title folder, can't be copied—but it can be moved. To give your friends and family access to the file in question, you can send them a copy but must also provide a link to the playkey. Under the DPP system, though, anyone who can access the playkey can also decide to move it to their own digital vault—in essence, anyone can take the content from you, and you would no longer have access to the media files in question if they did so.