A few frequently used SSL commands

Every year, we will propose a challenge to coders to solve a simple data processing problem, but with covert malicious behavior. Examples include miscounting votes, shaving money from financial transactions, or leaking information to an eavesdropper. The main goal, however, is to write source code that easily passes visual inspection by other programmers.

Anyone operating a server on any scale should want a digital certificate to encrypt data between clients and services, whether for personal, office, or public use. Ars tells you how to obtain and install one, for free.

The guys at gravatar.com offer a nice service: for website owners, they let you automatically associate an avatar to your users, through the user's email address. The users who register to gravatars.com are able to change their gravatar and the change will be visible on all gravatar-enabled websites where they registered with the same email.

...

There is a piece of information which must be made public, though. It's this 32 char string which serves as a token for your web browser to retrieve the right image. How much information are we leaking to the bad people inhabiting the internet? Can that key be used to retrieve our email?

The basic policy for Actionscript is very close to the Javascript same-origin policy: A Flash object can only access content from the domain it originated from. There are exceptions, which I'll get into another time, but they actually aren't particularly important. This flash behavior is known and documented, but is not particularly well-understood, even within the Web Application Security community. The important difference, of course, is that flash objects are not web pages. A flash object does not need to be injected into a web page to execute- simply loading the content is enough. Let's consider the implications of this policy for a moment: If I can get a Flash object onto your server, I can execute scripts in the context of your domain.

This is a frighteningly Bad Thing. How many web sites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable.

A five-year research programme, called Project Indect, aims to develop computer programmes which act as "agents" to monitor and process information from web sites, discussion forums, file servers, peer-to-peer networks and even individual computers.

Its main objectives include the "automatic detection of threats and abnormal behaviour or violence".

Both the jmx-console and web-console are standard servlet 2.3 deployments and can be secured using J2EE role based security. Both also have a skeleton setup to allow one to easily enable security using username/password/role mappings found in the jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes users.properties and roles.properties files.

Port Knocking and Single Packet Authorization are new techniques in the network security field that provide a mechanism to have all ports of a server closed and open them to clients that issue specific sequences of connection attempts or specially crafted packets that contain the appropriate authentication credentials. Aldaba is a command-line tool for Linux systems that implements a PK and SPA client and server that provides secure stealthy authentication and remote firewall rules manipulation using TCP/IP covert channels.

Among the toughest questions posed to the Chicago bid team this week in Copenhagen was one that raised the issue of what kind of welcome foreigners would get from airport officials when they arrived in this country to attend the Games. Syed Shahid Ali, an I.O.C. member from Pakistan, in the question-and-answer session following Chicago’s official presentation, pointed out that entering the United States can be “a rather harrowing experience.”

ID theft is often considered a “white-collar” crime because it is committed during the course of normal employment duties (e.g., a bank employee gathering personal information), or the crime does not usually involve any physical harm. Identity thieves are often portrayed as sophisticated computer specialists, hackers, or organized networks. But, is this the reality?

A recent research report by Heith Copes (U Alabama at Birmingham) and Lynne Vieraitis (U Texas at Austin) has shed some light on this issue.