[Via Videosift]
You’ve probably heard by now about the school district in Pennsylvania that was using webcams in school-issued laptops to spy on students. And they might never have known except for one observant administrator who saw a student engaging in behavior mistaken for pill-popping and confronted him – at which point it was revealed that those “pills” were actually candy. Unsurprisingly, the student’s parents were wondering how the school knew about something that had happened in his house – which is when it all came tumbling down.
The school still maintains that the remote-webcam-activation was actually a “security feature” intended to help them recover lost or stolen laptops. Of course, the student in question didn’t have a lost or stolen laptop – just one he’d failed to pay the $55 security deposit for.
But now there’s a lawsuit, which means there’s discovery, and a motion filed by the students’ attorney last week claims that the school might have collected thousands of images, many of which featured students who did not have lost or stolen (or uninsured) laptops. And according to the motion, “There were numerous webcam pictures of Blake and other members of his family, including pictures of Blake partially undressed and of Blake sleeping.” Which is just, you know, kind of creepy.
The motion itself is an attempt to get to the personal computers of school technology coordinator Carol Cafiero, who recently took the Fifth during a deposition. She was one of a very few administrators able to access the images, and the students’ attorney is calling her a “voyeur” – largely because of an email exchange between her and a colleague, who noted that seeing the webcam footage was kind of like a “soap opera” – to which Cafiero replied, “I know, I love it!”
I wrote some time ago about the iPhone tracking that some schools in Japan were implementing and noted the similarities to Cory Doctorow’s science fiction novel Little Brother. I think the comparison is even more apt here, and I think a lot of people are unsettled by the situation. The post from Threat Level on this subject included with permission one of the images that a laptop recorded, of a student sleeping. The schools might have seemed like Santa Claus, giving away laptops for free… but now they see you when you’re sleeping, they know when you’re awake, they know if you’ve been bad or good, so be good for goodness sake.
Websites are getting more and more complex every day, and almost no purely static websites are being built anymore.
Today, even the simplest website has at least a contact or newsletter form, and many are built on CMS systems or use third-party plugins, services, etc. over which we have no exact control.
Even if a website is 100% hand-coded, so that we trust what we created and assume it is safe, it is still possible that a special character is not sanitized or that we are not aware of a new attack technique.
So it is really hard to say "my website is safe" without running tests against it. The good part is that there are powerful and free web application security testing tools which can help you identify possible holes.
Before presenting them, let's remember the classic: "something is only as secure as its weakest link" (which also reminds us that the weakest link is not always the application; it can still be the server it is hosted on or that easy-to-remember FTP password).
This is the free community edition of the powerful Netsparker, which still comes with a bunch of features and is also false-positive-free.
The application can detect SQL Injection + cross-site scripting issues.
Once a scan is complete, it displays the solutions besides the issues and enables you to see the browser view and HTTP request/response.
Websecurify is a very easy-to-use and open source tool which automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies.
Once run, it can create simple reports (which can be exported into multiple formats).
The tool is also multilingual and extensible with the add-on support.
Wapiti is an open source and web-based tool that scans the web pages of the deployed web applications, looking for scripts and forms where it can inject data.
It is built with Python and can detect:
The free edition performs a restricted yet still powerful set of web security assessment checks compared to the paid versions of the application.
It can check up to 100 web pages at once including web server and cross-site scripting checks.
skipfish is a fully automated and active web application security reconnaissance tool.
It is lightweight and pretty fast (can perform 2000 requests/second).
The application has automatic learning capabilities, on-the-fly wordlist creation and form autocompletion.
skipfish comes with a low false-positive rate and differential security checks which are capable of spotting a range of subtle flaws, including blind injection vectors.
Scrawlr is free software for scanning your web applications for SQL injection vulnerabilities.
It is developed by HP Web Security Research Group in coordination with Microsoft Security Response Center.
It is a plugin for Fiddler (the awesome HTTP debugging proxy) and works as a passive-analysis tool for HTTP-based web applications.
Watcher runs silently in the background and interacts with the web application to apply 30+ tests (new ones can be added) while you browse.
It will identify issues like cross-domain form POSTs, dangerous context-switching between HTTP and HTTPS, etc.
x5s is again a plugin for Fiddler, just like Watcher, which is designed to find encoding and character transformation issues that can lead to XSS vulnerabilities.
It simply tests user-controlled input using special characters like <, >, and ', and reviews how the output encodes those special characters.
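To make the x5s idea concrete, here is an added example (not code from the post or from x5s itself) written from the QA side: you render one of your own pages with a probe in a user-controlled field, then classify how each special character came back. The three renderers and the `HEAD`/`TAIL` marker strings are constructed for the example; `html.escape()` is the encoding a correct page applies.

```python
import html

# Constructed markers that bracket the probe character so the check can find the
# reflected value even when page markup follows it immediately (e.g. "...</p>").
HEAD = "x5shead"
TAIL = "x5stail"
PROBE_CHARS = ["<", ">", "'", '"', "&"]  # the characters an x5s-style check sends one at a time


def probe_input(ch):
    """The value submitted in the user-controlled field: HEAD + one special character + TAIL."""
    return f"{HEAD}{ch}{TAIL}"


def encoded_forms(ch):
    """Acceptable entity encodings of one character: named (&lt;), hex (&#x3c;) and decimal (&#60;)."""
    return {html.escape(ch, quote=True), f"&#x{ord(ch):x};", f"&#x{ord(ch):X};", f"&#{ord(ch)};"}


def classify_reflection(body, ch):
    """Classify how the page echoed probe_input(ch):
       'raw'         - the character came back unencoded (a potential XSS sink),
       'encoded'     - it came back as an HTML entity,
       'transformed' - it was stripped or replaced by a filter,
       'absent'      - the probe was not reflected at all."""
    start = body.find(HEAD)
    if start == -1:
        return "absent"
    between = body[start + len(HEAD):]
    end = between.find(TAIL)
    if end == -1:
        return "absent"
    between = between[:end]
    if between == ch:
        return "raw"
    if between in encoded_forms(ch):
        return "encoded"
    return "transformed"


def check_page(render, chars=PROBE_CHARS):
    """Run the probe for every character through `render` (a callable that returns the page
    body for a given field value) and return {char: classification}."""
    return {ch: classify_reflection(render(probe_input(ch)), ch) for ch in chars}


# Constructed renderers standing in for three kinds of page behaviour.
def vulnerable_render(value):
    return f"<p>Hello {value}</p>"                        # reflects input untouched


def safe_render(value):
    return f"<p>Hello {html.escape(value, quote=True)}</p>"  # entity-encodes on output


def stripping_render(value):
    return f"<p>Hello {value.replace('<', '').replace('>', '')}</p>"  # blacklist filter only


if __name__ == "__main__":
    for name, render in [("vulnerable", vulnerable_render),
                         ("safe", safe_render),
                         ("stripping", stripping_render)]:
        print(name, check_page(render))
```

The "stripping" case is the interesting one: a filter that only removes angle brackets leaves quotes and ampersands raw, which is exactly the class of partial fix that a character-by-character check exposes and a single `<script>` probe would miss.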
Rather than using a proxy like most of the security testing tools, Exploit-Me directly integrates into Firefox.
It is a set of 3 add-ons:
They are all lightweight, work while you browse websites, and simply inform you by adding extra styles to the page objects that have vulnerabilities.
WebScarab is actually a proxy to sniff the HTTP(s) traffic and manipulate it.
However, it comes with features like a "parameter fuzzer" (for testing XSS and SQL injection vulnerabilities), "CRLF injection" (HTTP response splitting) and more.
This is the free and limited-featured version of a paid/pro product.
It performs a check on any website and identifies cross site scripting (XSS) vulnerabilities.
And, if you are looking to improve yourself in the area of web application security and need an application you can legally practice on, there is DVWA (Damn Vulnerable Web App), which exists for just this purpose.
At 1:00 a.m. on Sunday morning I was doing routine maintenance on my personal Amazon Web Services account and instead found myself looking at something I had no right to be seeing: A database with 800,000 user accounts to the e-card site CardMaster.com. Along with that were the database passwords and back end of a major U.S. Public Broadcasting Service news show website (Gwen Ifill's Washington Week), including daily updates from panelists on the stories they cover.
Guest author Jonathan Siegel is a serial entrepreneur and founder of the cloud applications consultancy ELCTech.com as well as a handful of cloud startups. Jonathan's book, Electric Connections, is due out in June of this year.
I am an early adopter, business builder and owner of a cloud consultancy. On Sunday morning I went to clear out my personal Amazon Web Services account of excess files after seeing huge usage numbers from a report by CloudSplit. For those technically inclined, I was clearing out my S3 buckets and moving the few files that I wanted to save into an EBS disk instead.
My EBS disk ran out of space and I went to use a feature called EBS Snapshots. Snapshots are like a tape backup of your EBS disk drive. That's when I noticed something odd: My EBS Snapshot account was filled with hundreds of snapshots, when I knew I had only made a handful. I wondered, Why do I have access to these backups? Were these backups made by my teammates? Shared snapshots from Amazon? Or something else...

What I saw were backups of Enron emails, a genomics database and then two made my stomach turn - a database for 800,000 user accounts to CardMaster.com and the database and site files for the Washington Week website. Yeah, the Enron emails are a non sequitur and the genomics database was likely meant to be public. But the other two, there's no way they were intended for the public, yet here they were - marked as public and available to me or any other Amazon cloud user.

Amazon is the largest and longest running public cloud computing platform. It has pushed the boundaries of technology infrastructure for us users. In fact, it has given us tools that are more powerful than anything we previously had available in our own small datacenters. This is great, because before we needed to hire trained Cisco or NetApp administrators in order to do basic tasks as our websites scaled. This was expensive and added another step - a delay - to our deployments. Amazon's infrastructure commoditizes much of this technology into simple Web calls; paste some XML to Amazon and your website gets a full incremental backup to live-networked NAS. But as Stan Lee has warned us: With great power comes great responsibility.
By giving programmers control of the network and storage, we've empowered developers to take on system administration chores. This power has come too quickly or is being digested too lightly - as my discovery has shown.
In the case of PBS's Washington Week there was quick acceptance of the issue. "It was human error and nothing personal was exposed," said Kevin Dando, PBS's Director of Digital Communications. "Although we weren't aware of the issue initially, it was easily corrected. Because of Amazon's strong audit capabilities we could pinpoint the error and fix it quickly."
Despite numerous attempts we were unable to reach CardMaster.com.
This highlights a deeper issue in the cloud today: Despite what you may think, cloud security is not sexy. We are seeing products that address the baseline needs of cloud functionality, like Amazon's dashboard and the support sites for the cloud. They focus on the sexy: deploying mobile apps, auto-scaling, grid processing and other buzz-word-friendly features. But the dirty truth is that the cloud has a whole new user profile acting as administrator and needs a new set of tools and expectation management to ensure that little mistakes make little problems and not big ones.
Remember: This is not something that Amazon did wrong. This is an intentional switch thrown by Amazon's users that allowed their data to be public to any other Amazon user. The users did not mean to hit that switch and it's unclear whether those users would have found this issue without my notification.
This is the switch in Amazon's Web Console. It can be more subtle when packaged deep within cloud-assisting tools:

A spokesperson for Amazon pointed out that snapshots were private by default and users must choose to share them. According to Amazon, "in general users understand this feature very well as this is no different than users explicitly choosing to share their data by any means." However, as we've seen, users are obviously making their data inadvertently public. Amazon said they were updating their documentation "to provide more explicit guidance on this feature," and that they would be "reaching out to the few who may be unknowingly sharing their snapshots."
The question, though, is: Is it too easy to accidentally make your data public - and whose role is it to play data cop?
This leads to me, at 1 a.m., finding security leakage among Amazon's cloud customers while doing unrelated housekeeping. Look, I'm anything but an IT security guy; I've got enough on my plate to worry about. For god's sake, I have 6 kids! Moreover, I'm an outspoken supporter of moving companies to the cloud - and I exclusively recommend Amazon's cloud because of its reliability and features. Why is it me that finds this security issue - one that has been open since January of this year, if the Snapshot dates are accurate?
This tells me that there is a pattern about to be replayed: That the users on the cloud today are a motley crew. That we need more supervision and hand-holding - whether we like it or not. That powerful services like CloudKick and CloudSplit need to be encouraged to add security as a top-priority feature. And we need to budget for their services and embrace their boring, yet hyper-important role as perimeter guard and security inspector.
If I were to try to keep this security problem in the bag - and avoid alerting the community - I would be fostering a sense of complacency that is antithetical to the marketplace needs. The cloud is so young that when we find a problem we need to admit it and find real, workable solutions. Since the cloud represents new ways of doing things, it gives us new ways of getting in trouble, and we need a lively forum for nipping these issues in the bud and laying a framework for ongoing success.
If you are on Amazon's cloud, I can't stress enough that you need to immediately go to your AWS Management Console. Check at a minimum that your Snapshots, for every Region, are marked PUBLIC only if you mean them to be available to ALL other Amazon Web Services users. I've already checked mine. If you find data that you did not intend to make public, you need to engage your security team to remove the snapshots from the public and mitigate any data exposure.
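The check the paragraph above asks for can be scripted rather than clicked through region by region. This is an added example, not code from the article or from Amazon, and it assumes today's boto3 EC2 client calls (`describe_regions`, `describe_snapshots`, `describe_snapshot_attribute`, `modify_snapshot_attribute`) with the `createVolumePermission` attribute and the group name `all`, which is how a snapshot is shared with every AWS account. The `StubEc2` class and its snapshot IDs are constructed so the audit logic runs offline; `main()` is what you would run against a real account.

```python
PUBLIC_GROUP = "all"  # the group AWS uses to mean "every AWS account"


def is_public(attr_response):
    """True if a describe_snapshot_attribute response grants the 'all' group.
    Sharing with specific account IDs (UserId entries) is not treated as public."""
    perms = attr_response.get("CreateVolumePermissions", [])
    return any(p.get("Group") == PUBLIC_GROUP for p in perms)


def list_own_snapshots(ec2):
    """Yield every snapshot ID owned by this account, following NextToken pagination."""
    kwargs = {"OwnerIds": ["self"]}
    while True:
        page = ec2.describe_snapshots(**kwargs)
        for snap in page.get("Snapshots", []):
            yield snap["SnapshotId"]
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def audit_region(ec2):
    """Return the IDs of this account's snapshots in one region that are shared with everyone."""
    public = []
    for snapshot_id in list_own_snapshots(ec2):
        attrs = ec2.describe_snapshot_attribute(
            SnapshotId=snapshot_id, Attribute="createVolumePermission")
        if is_public(attrs):
            public.append(snapshot_id)
    return public


def make_private(ec2, snapshot_id):
    """Remove the 'all' group from a snapshot's createVolumePermission (the remediation step)."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="remove", GroupNames=[PUBLIC_GROUP])


class StubEc2:
    """Constructed stand-in for a boto3 EC2 client so the audit can be exercised offline."""

    def __init__(self):
        self.snapshots = {
            "snap-0000constructed1": [],                            # private (default)
            "snap-0000constructed2": [{"Group": "all"}],            # accidentally public
            "snap-0000constructed3": [{"UserId": "123456789012"}],  # shared with one account only
        }
        self.modified = []  # record of modify_snapshot_attribute calls

    def describe_snapshots(self, **kwargs):
        return {"Snapshots": [{"SnapshotId": s} for s in self.snapshots]}

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self.snapshots[SnapshotId])}

    def modify_snapshot_attribute(self, **kwargs):
        self.modified.append(kwargs)
        removed = set(kwargs.get("GroupNames", []))
        self.snapshots[kwargs["SnapshotId"]] = [
            p for p in self.snapshots[kwargs["SnapshotId"]] if p.get("Group") not in removed]


def main():
    import boto3  # assumed installed and configured only when auditing a real account
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        for snapshot_id in audit_region(ec2):
            print(f"{region}: {snapshot_id} is PUBLIC")
            # make_private(ec2, snapshot_id)  # enable once you have confirmed this was unintended


if __name__ == "__main__":
    main()
```

The audit deliberately reports before it changes anything: a public snapshot may be public on purpose (the genomics data set the author mentions), so the `make_private` call is left for the operator to enable after review. Note that permissions are per region, which is why the loop creates a client for each region rather than trusting the one the console happens to show.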
Hopefully this gets chalked on the wall as a lesson learned - and we continue our march to the cloud with a deeper appreciation of our security support needs. This isn't about calling people out. I work in the cloud and am passionate about its development. These mistakes could very well have been ones I made - or any other cloud user. To move the cloud forward we need to encourage a dialog about our new found power, new paradigms and new needs in the cloud.
A fascinating talk by Neil deGrasse Tyson about the current state of science and its relation to kids in the 21st century.
For those who wish to listen to the whole 72-minute presentation, you can do so right here. Enjoy!
When she calls Leo Laporte’s show claiming her Wi-Fi Internet access has suddenly “disappeared”, a lady gets served a lesson in security and good manners by the tech guy himself.
Computer experts are warning that a dangerous new cyber-worm that works late at night could cost consumers billions of dollars. Apparently, individuals with upcoming bachelor parties or afterwork get-togethers are especially vulnerable to this online threat.
The card payment industry has rejected claims by British researchers that a system used for validating in-person payments has a major security flaw.
Computer scientists at Cambridge University have been investigating the “chip and pin” system. That’s a branding name used in the country for EMV (Europay, Mastercard and Visa), a technology used increasingly around the world which combines a microchip on a debit or credit card with a card reading terminal which requires a four-digit PIN code. The idea is that a card can’t be cloned as the microchip can’t be duplicated.
The researchers say the flaw they’ve discovered is arguably the biggest payment system loophole of the past 25 years. While they’ve obviously not revealed the precise details, it takes advantage of the way that, if a card can’t be read, the user is often allowed to sign for the transaction (as was done before chips were introduced).
To carry out the scam, the crook would put the stolen card into a modified card-reader and carry it in a bag. The card-reader is then hooked up wirelessly to a laptop running the software needed for the scam.
The crook then presents a fake card for payment, typing any four-digit number into the keypad. The software and the card-reader in the bag send out signals which cause the shop’s terminal to believe the genuine card has been used and verified with a PIN. However, the stolen card receives a signal which makes it believe the card hasn’t been recognized in the card-reader and the user has instead signed for the transaction.
The BBC show Newsnight demonstrated how the attack would work:
A spokesman for the UK Cards Association says the attack is technically possible but was too complicated to carry out in practice. He also said such attacks would be detected as fraudulent.
The researchers stand by their claims and say the most worrying aspect of the security flaw is that it could mean genuine claims for a refund by victims of card theft could be dismissed on the grounds that their PIN had been used in the fraudulent transaction.
A discarded rocket section crashing into Earth and causing major damage would have made for a great story. Unfortunately for journalists, and fortunately for the rest of us, that’s not what happened today.
An asteroid discovered on Monday and named 2010 AL30 caused some brief interest thanks to a couple of intriguing features. It was somewhere around 36 feet (11 meters) wide and was calculated to be orbiting the Sun on a cycle of not far off one Earth year. That created some briefly held theories that the object might be man-made.
However, that idea was rejected yesterday by NASA’s Paul Chodas who noted that the trajectory of the asteroid didn’t match up with that used for spacecraft departing the Earth. He also noted there were no signs of other objects following behind the asteroid, which might have been expected with man-made space debris. And he also calculated that the asteroid would have been nowhere near Earth during the launch periods of most major space missions.
It seems most likely then that the one-year orbit cycle is just a coincidence. In the event, the asteroid passed the Earth today at a distance of around 80,000 miles (130,000 kilometers). That put it near enough to be viewable by amateur photographers and the general attitude of space experts seems to be that the distance was notable but not particularly unusual.
Had the asteroid hit Earth, it wouldn’t have been much fun if it landed on your house. But in any case, it wasn’t classed as a serious risk: that label is limited to asteroids of at least 100 meters in diameter. Indeed, assuming 2010 AL30 was a stony asteroid, it would most likely have burnt up in Earth’s atmosphere anyway.
This thing is destined to go viral, it’s inevitable! It currently sits with 17,000 views on Youtube, but if you check back in 48 hours, I’m pretty sure it’ll have over a hundred thousand.
Oh, and while being on the subject of cats, we’ve got one more cat video for all you cat-loving geeks out there right after the jump.