Websites are as vulnerable as ever, according to a survey of Web application security professionals who test sites for security holes. The survey, conducted by researcher Jeremiah Grossman on his blogsite, polled more than 60 security pros, 63 percent who work for vendors or consultants, 23 percent for enterprises, 5 percent for government, and 10 percent for other types of organizations. These are the guys in the trenches who hammer on Websites regularly -- 53 percent said all or almost all of their job is dedicated to Web app security (versus development, general security, and incident response); 28 percent said about half; and 20 percent said "some."
There's no dearth of Linux distributions to choose from. With so many to choose from, one might think it's as easy as picking up the Linux kernel, throwing in a few applications, setting up respositories, making ISOs and you've got a shiny new Linux distro. Well, there's more to a Linux distro than assembling applications and making sure everything works. A lot of time and effort, at least for major distros, is spent on making the distribution secure and getting updates out in a timely fashion.
To start with, all major distributions have security teams that collaborate with the main release team to ensure no vulnerable packages make their way into the final release. For example, Chris Gianelloni, release engineering strategic lead of Gentoo says that the release engineering team works with Gentoo's security team and individual architecture teams to make sure Gentoo doesn't have security vulnerabilities when Gentoo is released.
There are two philosophies in which to protect against cross-site scripting (XSS) attacks: input encoding and output encoding. Input encoding means that the application takes whatever the user gives it and then encodes it so that when the information is outputted it has already been sanitized. Output encoding means that the application takes whatever data is given to it in whatever form it takes and stores it. Once it is ready for output it is sanitized before being shown to the user. I've heard people say that output encoding is the right way to deal with HTML injection and XSS attacks as well. There's one concept I haven't bought off on personally. Let's take an example where you have a single input, which is your name.
Security is an important issue in computing. Unfortunately, many computers allow a cracker to gain access to them and retrieve sensitive information, or just make life hard. This article will review the basics in general security and explain how to apply it to two Linux distributions--Ubuntu and Kubuntu. This article assumes that you know how to install programs on either Ubuntu or Kubuntu. It also assumes that you have some knowledge of basic computer networking principles. If you do not know how to install programs on Ubuntu, go tohttps://help.ubuntu.com/community/InstallingSoftware. If you do not know much about networking, go to http://www.faqs.org/docs/linux_network/x-087-2-intro.html. This article also assumes that you are using Ubuntu or Kubuntu 6.06(Dapper Drake), but the Firewall section can be adapted for any recent Linux distribution.
The Internet is a seemingly limitless source of information. It provides the power of collective knowledge and information to a vast array of users who access innumerable resources for countless reasons. These resources are typically accessed by using a human readable name designed to be easily remembered, thus increasing the usability of the resource. These human readable names, as the very term implies, are for the sake of the human users. Network devices, however, find each other by using a number, referred to as IP (Internet Protocol) addresses. The Domain Name System is the service that maps the human readable names to device specific IP addresses creating the user friendly nature of networked systems.
Longtime Linux admins know that SSH, the "Secure Shell" protocol, is one of the most handy and potentially critical utilities in their software toolbox. Using multiple terminal emulators in an X Windows environment on a workstation, or via the Screen utility, a sysadmin for Linux or other Unix-based OS servers can manage several systems simultaneously with ease. Network administration shell or Perl scripts can make use of SSH to perform automated tasks on multiple servers at once simply and securely.
Network shell utilities like RSH have been around longer than SSH, of course. But SSH adds strong encryption and data compression to its functionality and most modern SSH implementations also provide SFTP and SCP in the same convenient package, for secure file transfers over the network.
Source: PCPro.co.uk - Posted by Benjamin D. Thomas
SPs could provide the answer to combatting DDoS attacks according to BT, providing customers with DDoS mitigation at a price far cheaper than buying it in directly.
According to Mick Creane, Head of Managed Security Strategy at BT, ISPs are in a unique position to be able to make DDoS mitigation affordable for its customers, and it's something BT is already considering. 'We're looking at technology in the core of our network that would direct traffic through a "scrubbing centre". This terminates requests, checks if they are valid and if they are not, drops them. Where they are valid, they are forwarded to the original destination,' said Creane. 'It's expensive, but with BT you have economies of scale. So we would divert traffic as necessary [rather than route everything through the "scrubbing centre"].'
Web 2.0 applications are a combination of several technologies such as Asynchronous JavaScript and XML (AJAX), Flash, JavaScript Object Notation (JSON), Simple Object Access Protocol (SOAP), Representational State Transfer (REST). All these technologies, along with cross-domain information access, contribute to the complexity of the application. We are seeing a shift towards empowerment of an end-user's browser by loading libraries. All these changes mean new scanning challenges for tools and professionals.
Web 2.0 is the novel term coined for new generation Web applications. start.com, Google maps, Writely and MySpace.com are a few examples. The shifting technological landscape is the driving force behind these Web 2.0 applications. On the one hand are Web services that are empowering server-side core technology components and on the other hand are AJAX and Rich Internet Application (RIA) clients that are enhancing client-end interfaces in the browser itself. XML is making a significant impact at both presentation and transport (HTTP/HTTPS) layers. To some extent XML is replacing HTML at the presentation layer while SOAP is becoming the XML-based transport mechanism of choice.
.htaccess files provides us with ways to make configuration changes on a per-directory basis. This file works well in Apache Web Server and on Linux/Unix. Also, it works on Windows based system with Apache Web server. There are several things that developers, site owners and webmasters can do by using .htaccess file. Let’s look at some of them: Prevent directory browsing, Redirect visitors from one page or directory to another, Password protection for directories, Change the default index page of a directory, Prevent hot-linking of images from your website.
