David Corking's Library tagged → View Popular
Facebook Launches OpenID Support – Users Can Now Login With Gmail Accounts | May 2009
This is great - I need to log in to Yahoo! once, and I can use Facebook. I guess if someone gets my Yahoo! password, they can send spam from my Facebook profile too.
-
Facebook has become the largest OpenID relying party on the web.
Maximum Security A Hacker's Guide to Protecting Your Internet Site and Network-- Table of Contents
e-book of a 1998 history and analysis of internet security - worth a browse
Mark's Software Forums :: View topic - Scanning all user folders as admin
simple cron script accomplishes this
-
/usr/local/clamXav/bin/clamscan -r /Path/To/File/Or/Folder/
General Security on Mac OS X - Archive
This site went off the air, but the article gives a gentle orientation in locking down a Mac OS X desktop.
Do you really need anti-virus on your Apple Mac? | Graham Cluley's blog | 2008
Do the (mis-named) anti-virus applications have fingerprints for these Trojan horses or their nefarious root kits?
BackTrack penetration testing Live CD - Remote-Exploit.org
-
#1 Security Live Distribution by insecure.org. Security professionals as well as newcomers are using BackTrack
Schneier on Security: Cloud Computing
straightforward interview
-
Outsourcing is the future of computing. Eventually we'll get this right, but you don't want to be a casualty along the way.
hackademix.net » Mikeyy's StalkDaily Twitter Worm vs NoScript | April, 2009
Interesting NoScript tip here (it is in the appearance tab of options):
'However most tech savvy users do understand this issue and switch “Full domains” or “Full address” view (I use the former, and I guess therube does as well).'
Aral Balkan - A site dedicated to crossdomain.xml
-
For example, I cringe whenever I see ActionScript that contains database connection information -- you might as well not use a password if you're going to do that. This also applies to any private keys you may be using to access a web service. Don't forget that anyone can disassemble a SWF to get at any information that's included in it.
Cross-domain policy file specification | Adobe Developer Connection
I am clearly not getting something here, as it seems to give permission to the client to access privileged data, yet does not appear to prohibit the same thing being requested by a malicious client that doesn't care if it has permission or not. In theory the malicious client is in control of a person who has authenticated, so perhaps my concern is not relevant.
Jeremiah Grossman: I used to know what you watched, on YouTube | 2008
Fixed (phew!) But other sites could make similar errors.
-
So if an authenticated YouTube user visited an attacker-controlled page anywhere on the Web, the attacker could SRC in the google.com hosted SWF, and use it to compromise the victim's YouTube username, email address, first/last name, viewing history, and even comment or post/delete videos.
Jeremiah Grossman: I know if you're logged-in, anywhere | 2006
JS history scan
-
If these URLs are dynamically loaded into a <* script src=””> tag, they will cause the JS Console to error differently because the response is HTML, not JS.
CSS History Hack | 2007
This proof of concept attack on your browser is slightly evil.
Jeremiah Grossman: I still know where you've been, without JavaScript | 2007
Ach!
-
The hack still relies upon the a:visited component of CSS,
-
mitigated in many ways by SafeHistory (Firefox)
GUYA.NET » Blog Archive » Malicious camera spying using ClickJacking | Oct 2008
-
Some of the clicks are real game clicks, others are jacked clicks. Every time a click needs to be jacked, the content simply moves behind the iframe using z-index
[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
This is nasty, not as sophisticated as the Flash security settings hijack discovered the following month, but harder to protect against.
-
Problem definition: a malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as "delete all items", "click to add Bob as a friend", etc. It may then provide its own, misleading UI that implies that the button serves a different purpose and is a part of site A,
Clickjacking - Wikipedia, the free encyclopedia
Essay about countermeasures
-
However, both Framekillers and IE8's mitigation approach require web developers to actively protect vulnerable pages by modifying their content or the way they are served, and even on "protected" pages they cannot prevent plugin-based Clickjacking variants, which don't need frames. Therefore the NoScript add-on for Firefox still remains the only free product providing automatic client-side protection, with no need for awareness and cooperation from the web site authors.