tags: security


Mocking Active Directory with OpenLDAP


For work, our production server uses Active Directory (AD) for authentication and authorization to use our app. Users may belong to several groups to be granted access to different parts of the app. To mock this out for development I installed OpenLDAP and extended the schema enough to match what we need.

Our code queries the sAMAccountName attribute of users, which belongs to the Microsoft securityPrincipal objectClass. Instead of enabling the entire schema, which gave me errors, I enabled just the objectClass and attributes my application needs.

attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
    SINGLE-VALUE )

attributetype ( 1.2.840.113556.1.2.102
    NAME 'memberOf'
    EQUALITY caseIgnoreMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')

objectclass ( 1.2.840.113556.1.5.6
    NAME 'securityPrincipal'
    SUP top
    AUXILIARY
    MUST (sAMAccountName)
    MAY (memberOf))

This says there is an attribute named sAMAccountName whose type (SYNTAX) is a string, which occurs at most once (SINGLE-VALUE) and whose equality matching ignores case. There is also a memberOf attribute, which may occur multiple times. Finally there is an objectclass called securityPrincipal which MUST contain sAMAccountName and MAY contain memberOf values.

Create this file and save it in /etc/ldap/schema/ms.schema.

Create a file schema_convert.conf like this.

include /etc/ldap/schema/ms.schema

Follow the steps here: Modifying the slapd Configuration Database.

Using phpLDAPadmin, add Generic: User Account, save, then edit. Add the object class securityPrincipal. This will prompt you to fill out sAMAccountName; in our application we set it to the username part of our Kerberos principal. Then "Add new attribute" and select memberOf. Finally set its value to the name of the group the user belongs to.

Now our app may perform the queries it needs, just as it would in production.

// Find the user; escape the value so it cannot alter the filter (ldap_escape needs PHP >= 5.6)
$filter = '(sAMAccountName=' . ldap_escape($samaccountname, '', LDAP_ESCAPE_FILTER) . ')';
$result = ldap_search( $ad, $basedn, $filter, array('dn') );
$userdn = ldap_get_entries( $ad, $result )[0]['dn'];
// Get their groups (the attribute list must be an array)
$groups = ldap_read( $ad, $userdn, '(objectclass=securityPrincipal)', array('memberof') );
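As an added example (not code from the post), here are the same two lookups in Python, run against a constructed LDIF stand-in for what the mock server returns: the user filter is built with RFC 4515 escaping so a caller-supplied username cannot rewrite it, and group membership is answered from memberOf. The base DN, user name and group names are assumed.

```python
import re

# Constructed sample: roughly what `ldapsearch -LLL` returns for a mock
# user created as the post describes (securityPrincipal + sAMAccountName
# + memberOf). Not captured from a real server.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: securityPrincipal
cn: alice
sAMAccountName: alice
memberOf: cn=app-admins,ou=groups,dc=example,dc=com
memberOf: cn=app-users,ou=groups,dc=example,dc=com
"""

# RFC 4515 requires these characters to be escaped inside an assertion
# value; without this a caller-supplied username can rewrite the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_filter(samaccountname: str) -> str:
    """The post's user lookup filter, with the value escaped first."""
    return f"(sAMAccountName={escape_filter_value(samaccountname)})"

def parse_ldif(text: str) -> list:
    """Split LDIF into entries of {attribute (lower-cased): [values]}; no base64 or folded lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            entry.setdefault(name.lower(), []).append(value)
        entries.append(entry)
    return entries

def find_user(entries: list, samaccountname: str):
    """Match sAMAccountName case-insensitively, as caseIgnoreMatch does."""
    wanted = samaccountname.lower()
    for entry in entries:
        if wanted in (v.lower() for v in entry.get("samaccountname", [])):
            return entry
    return None

def is_member(entries: list, samaccountname: str, group_dn: str) -> bool:
    """The authorization question the app asks: is this user in this group?"""
    user = find_user(entries, samaccountname)
    if user is None:
        return False
    return group_dn.lower() in (g.lower() for g in user.get("memberof", []))
```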

How To Install and Configure OpenLDAP and phpLDAPadmin on Ubuntu 16.04 is an excellent article for reference.

●●●●●○○○

CryptoParty


CryptoParties are free and open for everyone, but especially those without prior knowledge, who haven't yet attended one.

CryptoParty is a decentralized movement with events happening all over the world. The goal is to pass on knowledge about protecting yourself in the digital space. This can include encrypted communication, preventing being tracked while browsing the web, and general security advice regarding computers and smartphones.

url: https://www.cryptoparty.in/

type: unknown, format: wiki

●●●●●○○○

The Threat | Edge.org

Ross Anderson

People who are able to live digitally enhanced lives, in the sense that they can use all the available tools to the fullest extent, are very much more productive and capable and powerful than those who are still stuck in meatspace. It’s as if you had a forest where all the animals could see only in black and white and, suddenly, along comes a mutation in one of the predators allowing it to see in color.

url: https://www.edge.org/conversation/ross_anderson-the-threat

type: article, format: blog

●●●●●○○○

New America


Founded in 1999, New America is a think tank and civic enterprise committed to renewing American politics, prosperity, and purpose in the Digital Age. We generate big ideas, bridge the gap between technology and policy, and curate broad public conversation.

url: https://www.newamerica.org/

type: unknown, format: page

●●●●●○○○

WhatsApp vulnerability allows snooping on encrypted messages | Technology | The Guardian

The WhatsApp vulnerability calls into question the privacy of messages sent across the service used around the world, including by people living in oppressive regimes.

A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

url: https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages

type: none, format: none

●●●●●○○○

7 Security Measures to Protect Your Servers | DigitalOcean

tags: security, server

When setting up infrastructure, getting your applications up and running will often be your primary concern. However, getting your applications to function correctly without addressing the security needs of your infrastructure could have devastating consequences down the line.

In this guide, we will talk about some basic security practices that are best to configure before or as you set up your applications.

url: https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers?utm_medium=social&utm_source=facebook&utm_campaign=7_measures_server_security_tut&utm_content=image

type: article, format: blog

●●●●●○○○

Top 10 2013 - OWASP


The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project’s tenth anniversary of raising awareness of the importance of application security risks.

url: https://www.owasp.org/index.php/Top_10_2013

type: project, format: wiki

●●●●●○○○

Certbot


Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.

url: https://certbot.eff.org/

type: project, format: page

●●●●●○○○

The most innovative and damaging hacks of 2015 | Network World

The year's most significant attacks highlight how hackers are changing tactics -- and how IT security must evolve in the year ahead.

Not a week went by in 2015 without a major data breach, significant attack campaign, or serious vulnerability report. Many of the incidents were the result of disabled security controls, implementation errors, or other basic security mistakes, highlighting how far organizations have to go in nailing down IT security basics.

url: http://www.networkworld.com/article/3018594/security/the-most-innovative-and-damaging-hacks-of-2015.html

type: article, format: blog

●●●●●○○○

DataLossDB

DataLossDB was founded in 2015 and was the original data breach tracking project. DataLossDB's aim was to provide unbiased, high quality data regarding data loss and in doing so the goal was to accomplish the following...

url: http://datalossdb.org/

type: project, format: blog

●●●●●○○○

DataBreaches.net

tags: security, breach, data

This site began life in 2009 as a spinoff from PogoWasRight.org after the number of breaches in 2008 made me realize I needed a separate site just for breaches.

This site receives no funding or financial support and that’s the way I intend to keep it. If you like the site and find it valuable, drop me a note to let me know.

url: http://www.databreaches.net/

type: project, format: blog

●●●●●○○○

Surveillance Self-Defense | Tips, Tools and How-tos for Safer Online Communications


Modern technology has given the powerful new abilities to eavesdrop and collect data on innocent people. Surveillance Self-Defense is EFF's guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices.

url: https://ssd.eff.org/

type: project, format: page

●●●●●○○○

Main - browsersec - Browser Security Handbook landing page - Browser Security Handbook - Google Project Hosting

tags: web, browser, security

This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

url: https://code.google.com/p/browsersec/wiki/Main

type: project, format: none

●●●●●●○○

Smartcard Focus :: Home


Smartcard Focus is a value-added retailer of products in the field of smartcard technology. As the retail arm of smartcard experts founded 1997, Smartcard Focus provides end users with access to all the major brands and manufacturers in the smartcard industry including ACS, HID, Omnikey and SCM Micro.

url: http://www.smartcardfocus.com/

type: company, format: none

●●●●○○○○

www.cryptoshop.com


Nowadays information is a major factor of production, one that has to be both available and secured. This is also reflected in laws (in Germany, Austria, Great Britain and the USA) that hold CEOs and managers responsible for their risk management: not only for physical loss or damage from fire, water or vandalism, but also for loss caused by data destruction, manipulation or disclosure.

url: http://www.cryptoshop.com/

type: company, format: none

●●●●●●○○

Gooze


Gooze provides tutorials to help you implement PKI, CA and SSO free software solutions under GNU/Linux, Mac OS X and Windows.

Gooze is also a community, which means that when you buy products, you are able to interact with users and free software communities, including writing or commenting on documentation and sharing experience.

url: http://www.gooze.eu/

type: project, format: none

●●●●●○○○

SafeNet - The Foundation of Information Security


SafeNet is the largest company exclusively focused on the protection of high-value information assets.


url: http://www.safenet-inc.com/

type: company, format: none

●●●●●○○○

CrypToken - secure eBusines, Authentication, Email, Encryption, USB-Token | MARX CryptoTech

The CrypToken is a perfect foundation for your authentication needs. Here we compiled a small selection of what can be achieved by combining our hardware with well established software products: Securing eBusiness, SSL Client Authentication, Email Encryption and Signature, Business Development.

url: http://www.cryptoken.com/

type: company, format: none

●●●●●○○○

Athena Smartcard Solutions - Smart Card & Reader Technology for Enterprise and Government


Athena ASECard Smart Card is first to Acquire Microsoft® V6 Smart Card Minidriver Certification

Athena's IDProtect Smart Card and Middleware Approved for US Government PIV/HSPD-12 Deployment

url: http://athena-scs.com/

type: company, format: none

●●●●●○○○

OpenVAS - OpenVAS - Open Vulnerability Assessment System Community Site

tags: server, security

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

url: http://www.openvas.org/

type: project, format: none

●●●●●○○○

Category:OWASP WebGoat Project - OWASP


WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints...

url: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

type: project, format: none

●●●●●○○○

Information Security Certification - GIAC


The Global Information Assurance Certification (GIAC) was founded in 1999 to validate the real-world skills of IT security professionals. GIAC's purpose is to provide assurance that a certified individual has practical security awareness, knowledge and skills in key areas of computer security, network security and software security. GIAC offers certifications for over 20 job-specific responsibilities that reflect the current practice of information security.

url: http://www.giac.org/

type: none, format: none

●●●●●○○○

Security Musings » Blog Archive » How does SSL work anyway?

tags: Laura, security, SSL

We talk a lot about how SSL is useful, but how exactly does it work? Most systems today use SSL v3/TLS v1 rather than “SSL”, and the nitty gritty details are found in RFC 2246. However, that’s only part of what goes on, and certificate validation and path building (RFC 4158) and X.509 certificates (RFC 5280) are also important. This post is only concerned with the SSL/TLS protocol itself, and when the other RFCs are needed “magic happens.” ...

url: http://securitymusings.com/article/1095/how-does-ssl-work-anyway

type: none, format: none

●●●●●●○○

Securing WordPress 2 Admin Access With SSL | no wow

WordPress 2.0 still does not support HTTPS access to the admin area when the rest of the blog is served via normal HTTP and I still do not like logging in to my server over unencrypted connections, especially not when using public WLANs. Getting around this WordPress limitation requires quite a few steps:

url: http://blog.blackdown.de/2006/01/22/securing-wordpress-2-admin-access-with-ssl/

type: article, format: unknown

Response to "I Hate Airport Security"

Here's my response to [Si]dragon's I Hate Airport Security. In summary, he's entitled to his opinion, even if it's just vacuous hot air.

"Dirty looks from the TSA meat-heads..."

Were they really giving you dirty looks or did you just expect them to? You just think they are; it's in your head. Here's a better question: Did they give dirty looks to just you or everyone? BTW, do you think they really stopped to fully read your shirt? The truth of the matter is there are lots of people that look like you. And contrary to what you believe, I doubt the TSA really cares about you.

"The older gentleman in perfectly “normal” everyday-fashion plain-clothes who breezes right through the checkpoint"

Wrong. People are selected randomly before they are seen. Stop thinking of just yourself. You're making these statements without justification. Also put your emotions in check, get the facts, and learn why these security measures -- as opposed to others -- are put in place. What sort of expert are you to decide what's safer?

"back-pack full of unidentified chemicals"

Your property was checked for dangerous compounds, as they swabbed and tested it. Were you too busy observing their glaring looks to see this?

Regarding the matches, my guess is that the seats and everything else on the plane are not flammable.

Regarding the Fourth Amendment, this has generally been accepted as applying to our homes in scope. Anything outside of that is fair game, as you are already in public.

Thus, protection of the home is at the apex of Fourth Amendment...

FindLaw: U.S. Constitution: Fourth Amendment: Annotations pg. 1 of 6

I embrace this security, because I care less about my privacy and more about dying. I want everyone on that plane inspected, including all personnel. The El Al airline has had these measures in place for a long time now, and my Israeli American friends appreciate them.

I agree with chickenfat in the spirit of Hanlon's Razor:

Never attribute to malice what can be adequately explained by stupidity. -- Robert J. Hanlon

(reading on... oh that's funny, he/she beat me to it.)

"I placed a copy of the Fourth Amendment in my check-in luggage"

You see, you're anticipating problems. I'd say this is more a cause of problems than a prevention.

Is your blog intended for anything besides complaining? For now it's getting probation status in my book.