HDIV (HTTP Data Integrity Validator) is a Java Web Application Security Framework. HDIV extends web applications’ behaviour by adding Security functionalities, maintaining the API and the framework specification. This implies that we can use HDIV in applications developed in Struts 1.x, Struts 2.x, Spring MVC and JSTL in a transparent way to the programmer and without adding any complexity to the application development. It is possible to use HDIV in applications that don’t use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in this case it is necessary to modify the application (JSP pages).
What do you think the state of Java Web security is? If you do any Java Web development you might want to take a look at HDIV (HTTP Data Integrity Validator). This article gives the reader information on what this Security Framework can do.
Perhaps someday it will be considered discrimination against a sentient, but these days a way to distinguish between programs and humans is required for many web-based applications. Keeping spambots from posting comments in weblogs or other bots from signing up for a web service are two of the most common applications for separating humans and bots. As has often been the case in the past, though, when the stakes are high enough, attackers will find ways to circumvent barriers like this.
How secure do you think the Captcha on your website is? Do you think it can be improved?
This article goes into detail on some of the security issues with Captcha technologies.
Source: The Register - Posted by Eckie Silapaswang
Researchers have unearthed what they say is the biggest botnet ever. It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network.
Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that's at the heart of "Kraken," the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of the anti-virus products out there are detecting the malware. Just as a con artist might throw off detectives by changing his hair color or other physical characteristics, Kraken's ability to morph its code base has allowed it to evade the majority of malware detectors.
Only twenty percent of all AVs currently out there have any ability to counter this surge of malware and spam. What suggestions or ideas do you have to counter morphing code in botnets?
Before we proceed, it would be best to cover some basic user administration topics that will be very useful in later chapters.
Adding Users
One of the most important activities in administering a Linux box is the addition of users. Here you'll find some simple examples to provide a foundation for future chapters. It is not intended to be comprehensive, but is a good memory refresher. You can use the command man useradd to get the help pages on adding users with the useradd command, or man usermod to become more familiar with modifying users with the usermod command.
Most Linux users have used sudo before, but do you know how to use it to increase your security? This article does a great job of explaining everything you need to know about sudo.
ProxyStrike is an active Web Application Proxy, a tool designed to find vulnerabilities while browsing an application. It was created because of the problems faced in pentests of web applications that depend heavily on JavaScript; not many web scanners did well at this stage, so ProxyStrike was born.
Read on for further detail into how ProxyStrike helps you realize just what is happening behind the scenes as you browse sites. See if the sites you frequent are doing anything malicious behind your back!
Source: Information Week - Posted by Eckie Silapaswang
So now that Ubuntu Linux was "last man standing" in the PWN to OWN contest at CanSecWest, does this mean open source has it all over the competition when it comes to security? It can, and it ought to -- but it's not a guarantee. And we need to not think it is.
The writer brings up several valid points in this article - even though the Linux computer outlasted the Apple and Windows machines, any successful exploitation of the machine resulted in true "spoils of war" - they got to keep the laptop! Can the "success" of Linux at CanSecWest be a result of "security through obscurity" and the fact that you could win a shiny new MacBook Air through cracking it?
Server virtualization technologies offer significant performance, cost and manageability breakthroughs for innovative data centers. Through the intelligent coordination of virtualization and security elements, data center administrators can protect critical resources, enhance user satisfaction, reduce operating expenses and ensure regulatory compliance. While virtualized environments raise tough new network security concerns, emerging technologies and best practices can help organizations meet these challenges effectively and efficiently.
This article includes a comprehensive checklist of questions one should have answers to if they ever consider virtualization as a data storage solution for any size company. Run through the list and see if this constantly improving technology is at a point you can use today!
In the field of IT systems security, the concept of "port knocking" is relatively new. However, with the passage of time it is getting more popular day by day among system and security administrators.
Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of pre-specified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over the specified port(s).
Check out this article about port knocking. It's an important security practice that every system administrator should know about.
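To make the "correct sequence of connection attempts" concrete, here is an added example (not code from the article or from any port-knocking daemon) of the server-side bookkeeping: it reads constructed log lines in the style of iptables' LOG target and reports which source hosts completed the knock sequence in order and within a time window. The knock ports, the window, the timestamp prefix and the addresses are all assumptions made up for the example.

```python
import re

# Knock sequence the firewall expects, in order (assumed values for the example).
KNOCK_SEQUENCE = (7000, 8000, 9000)
# Seconds allowed between consecutive knocks before a host's progress resets.
KNOCK_WINDOW = 10.0

# Constructed log lines in the style of iptables' LOG target. The leading number
# is a Unix timestamp added for the example; it is not real syslog output.
SAMPLE_LOG = """\
1000 kernel: KNOCK: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=7000
1001 kernel: KNOCK: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=8000
1002 kernel: KNOCK: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=9000
1003 kernel: KNOCK: IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=7000
1004 kernel: KNOCK: IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=9000
1005 kernel: KNOCK: IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=8000
1006 kernel: KNOCK: IN=eth0 SRC=192.0.2.200 DST=192.0.2.1 PROTO=TCP DPT=7000
1007 kernel: KNOCK: IN=eth0 SRC=192.0.2.200 DST=192.0.2.1 PROTO=TCP DPT=8000
1030 kernel: KNOCK: IN=eth0 SRC=192.0.2.200 DST=192.0.2.1 PROTO=TCP DPT=9000
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")

def parse_knocks(log):
    """Return a list of (timestamp, source address, destination port) per log line."""
    knocks = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            knocks.append((float(m["ts"]), m["src"], int(m["dpt"])))
    return knocks

def authorised_sources(knocks, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Sources that hit every port in `sequence`, in order, within `window` seconds per step.
    An out-of-order port or a late knock resets that host, so a shuffled or stalled
    sequence never results in the firewall being opened for it."""
    progress = {}      # src -> (index of next expected port, time of last good knock)
    opened = []
    for ts, src, port in knocks:
        idx, last = progress.get(src, (0, ts))
        if ts - last > window:                       # too slow: start over
            idx = 0
        if port == sequence[idx]:
            idx += 1
        else:                                        # wrong port: restart, but the wrong
            idx = 1 if port == sequence[0] else 0    # port may itself be the first knock
        if idx == len(sequence):
            opened.append(src)                       # here a real daemon would add the firewall rule
            idx = 0
        progress[src] = (idx, ts)
    return opened
```

Only 203.0.113.5 qualifies on the sample: 198.51.100.9 knocks the right ports in the wrong order, and 192.0.2.200 sends its last knock too late.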
Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.
I replied: "What's really interesting is that these people will send a tube of live ants to anyone you tell them to."
Read on for an interesting observation from Bruce Schneier about the mindset of security professionals. There is emphasis put on a certain college course which focuses on this way of thinking - it's amazing what a last name can grant you these days!
In this article I share some of the basics of setting up a Linux firewall using the iptables tool. It's important to note that configuring firewalls is slightly different depending on which flavour you use.
If you are just starting out and need to enable a firewall on your Linux system, I suggest you try a basic tool such as lokkit (which is available in major flavours including Fedora/RedHat and Ubuntu). It is a very simple tool that walks you through a configuration. To use this, run the command: gnome-lokkit
The jobs of a Linux server administrator are too many to list, but server security should be towards the top of the list. This article walks the user through some of the more important Linux security practices.