Password Insecurity – Wordlists/Dictionaries

You might as well throw away your secure code, served over a secure connection (SSL), because the users who use it will have a one-word, easy-to-remember password.



Malware: a common threat

Malware is a common threat to every user out there surfing the web. Unlike the viruses of old, it has no ethics and no message to spread (and not all of those viruses had dangerous payloads).



Secure PHP configuration

A web application written on top of an insecurely configured PHP parser is as good as an account with a weak password.



Adobe Reader may doom you

Lately, malware authors have been focusing more and more on exploiting Adobe Reader (and ultimately users' computers) via maliciously crafted documents, and there have been quite a few Adobe Reader vulnerabilities recently.

The malicious injection on my last hosting service was also an Adobe Reader oriented attack…


TwitPic – modern Twitter backdoor

For those of you who don’t use Twitter, I should point out that Twitter has long since moved away from the “what are you doing” principle and today is more of a base framework (the Twitter API) for many new (and innovative?) web applications.

Because of this direction Twitter is (involuntarily) taking, dozens of web applications have sprung up, from URL shortening services to web applications like WeFollow, TwitterSheep, TwitterTag, TwitVid, YFrog, TwitPic and many more…



PHP 5.2+ Data Filtering Extension = BAD?

Yesterday, while browsing some security-tagged discussions on stackoverflow.com, I noticed someone mentioning some filter_-prefixed PHP functions. At first I thought they were custom written ones, but a quick check showed that these functions really exist. I was shocked. Anyway, let’s dig into it…



Web 2.0 Security & Privacy

When I submitted my last article to reddit, a user suggested an interesting paper from the Web 2.0 Security & Privacy Conference 2008, namely the “<input type="password"> must die!” paper, which proposes new methodologies for user authentication. I have already mentioned password insecurities (if we may call them so) a couple of times, here and here, without necessarily suggesting a replacement for passwords.

The methodology proposed in that paper differs slightly from OpenID in that it suggests implementing authentication directly in the browser. Such an implementation would be highly welcome, but it is unlikely to be found natively in current browsers, or in those soon to come. Another interesting paper I read was Web Authentication by Email Address, which takes the OpenID concept and brings it closer to the user, because a user is more comfortable using an email address as an identifier than a URL.

For more papers from the W2SP conference, check out the 2007 or the 2008 papers.


Password Madness

Ok, so this is a subject I just can’t let go. The first article I wrote about passwords was Password Insecurity – Wordlists/Dictionary, where I stated that everybody should use passphrases instead of regular 8-character passwords. I think that was the most notable point of that article. This article will go further into password malpractice.



DVL 1.5 (Infectious Disease)

Today DamnVulnerableLinux version 1.5 was released, a Linux distribution that offers a learning environment directly out of the box.



.htaccess 101

Since I moved my blog to a self-hosted domain, I said I would write my own .htaccess file, especially the mod_rewrite rules; you know, create a simple WAF. Well, that didn’t work out, or better said, I was too lazy until now to do it.

Anyway, you came here for other reasons. Today I found a comprehensive article on .htaccess files, which you can (and I highly recommend you do) read here. You might also be interested in a mod_rewrite cheat sheet and a regular expression cheat sheet.