Simon Willison’s Weblog

Items tagged security in Aug

Filters: Month: Aug × security ×

Datasette 0.46 (via) I just released Datasette 0.46 with a security fix for an issue involving CSRF tokens on canned query pages, plus a new debugging tool, improved file downloads and a bunch of other smaller improvements. # 9th August 2020, 4:57 pm

Pysa: An open source static analysis tool to detect and prevent security issues in Python code (via) Interesting new static analysis tool for auditing Python for security vulnerabilities—things like SQL injection and os.execute() calls. Built by Facebook and tested extensively on Instagram, a multi-million line Django application. # 7th August 2020, 8:50 pm

James Bennett on why Django should not support JWT in core (via) The topic of adding JWT support to Django core comes up occasionally—here’s James Bennett’s detailed argument for not doing that. The short version is that the JWT specification isn’t just difficult to implement securely: it’s fundamentally flawed, which results in things like five implementations in three different languages all manifesting the same vulnerability. Third party modules exist that add JWT support to Django, but baking it into core would act as a form of endorsement and Django’s philosophy has always been to encourage people towards best practices. # 1st August 2020, 12:28 am

Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately. [...] Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

UK National Cyber Security Centre # 25th August 2018, 7:57 pm

Using achievement stats to estimate sales on steam (via) Really interesting data leak exploit here: Valve’s Steam API was showing the percentage of users that gained a specific achievement up to 16 decimal places—which inadvertently leaked their exact usage statistics, since if 0.012782207690179348 percent of players get an achievement the only possible input is 8 players out of 62,587. # 9th August 2018, 9:03 am

OWASP Top 10 2007-2017: The Fall of CSRF. I was surprised to learn recently that CSRF didn’t make it into the 2017 OWASP Top 10 security vulnerabilities (after featuring almost every year since the list started). The credited reason is that web frameworks do a good enough job protecting against CSRF by default that it’s no longer a top-ten problem. Defaults really do matter. # 6th August 2018, 10:02 pm

What steps can I take to protect my data in case my laptop gets stolen?

Set up full drive encryption—that way if someone steals your laptop they won’t be able to access your data without a password.

[... 95 words]

In what circumstances should one use “magic quotes” in PHP?

Absolutely never. Magic quotes was a badly designed feature, and PHP has been trying to escape its legacy for years. If you are constructing SQL strings using string concatenation you’re asking for trouble—use prepared statements or a library that interpolates and correctly escapes variables for you.

[... 65 words]

Why do some people disable JavaScript in their browser?

For security reasons.

[... 159 words]

For those who haven’t heard the story the details were pulled from a Christian dating site which had a query parameter injection vulnerability. The vulnerability allowed you to navigate to a person’s profile by entering the user id and skipping authentication. Once you got there the change password form had the passwords in plain text. Someone wrote a scraper and now the entire database is on Mediafire and contains thousands of email/password combinations.

rossriley on Hacker News # 23rd August 2009, 10:10 am

Facebook Hacked By 4chan, Accounts Compromised. It wasn’t Facebook that got hacked: 4chan members got hold of a list of usernames and passwords from an insecure Christian dating site and started using them to raise complete hell. Yet another demonstration that storing your user’s passwords in the clear is extremely irresponsible, and also a handy reminder that regular users who “don’t have anything worth securing” actually have a great deal to lose if their password gets out. # 23rd August 2009, 10:02 am

You Deleted Your Cookies? Think Again (via) Flash cookies last longer than browser cookies and are harder to delete. Some services are sneakily “respawning” their cookies—if you clear the regular tracking cookie it will be reinstated from the Flash data next time you visit a page. # 17th August 2009, 3:23 pm

New authentication schemes such as OpenID, or Microsoft’s CardSpace, may help as adoption increases. These systems make it possible to register for one site using credentials verified by another. Instead of having many sites with poor verification procedures, the internet could have a few sites with strong verification procedures, that are then used by others. The advantage for the user is that they no longer have to jump through multiple hoops for each new site they encounter.

Tim Anderson (in the Guardian) # 29th August 2008, 10:01 am

Coding Horror: Protecting Your Cookies: HttpOnly. Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers. # 29th August 2008, 2:01 am

Django snippets: Sign a string using SHA1, then shrink it using url-safe base65. I needed a way to create tamper-proof URLs and cookies by signing them, but didn’t want the overhead of a full 40 character SHA1 hash. After some experimentation, it turns out you can knock a 40 char hash down to 27 characters by encoding it using a custom base65 encoding which only uses URL-safe characters. # 27th August 2008, 10:18 pm

Tip: Configure SAX parsers for secure processing. Explains the billion laughs attack, among others. # 23rd August 2008, 11:12 am

DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entitity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming. # 23rd August 2008, 11:11 am

OAuth came out of my worry that if the Twitter API became popular, we’d be spreading passwords all around the web. OAuth took longer to finish than it took for the Twitter API to become popular, and as a result many Twitter users’ passwords are scattered pretty carelessly around the web. This is a terrible situation, and one we as responsible web developers should work to prevent.

Blaine Cook # 14th August 2008, 10:01 am

The statement that the password anti-pattern “teaches users to be phished” should be rephrased “has taught users to be phished”

Me, on Twitter # 13th August 2008, 12:52 pm

Reviews of the Pownce app on the iPhone app store on Flickr. I had to stitch together a screenshot because you can’t actually link to content in the App Store (unless you don’t care that people without iTunes won’t be able to follow your link). Three out of the four reviews complain about the OAuth browser authentication step, which is frustrating because Pownce have implemented it so well. # 12th August 2008, 11:05 am

Exposure (iPhone app) behaves suspiciously. Exposure on the iPhone does OAuth-style authentication incorrectly—it asks the user to authenticate in an embedded, chromeless browser which provides no way of confirming that the site being interacted with is not a phishing attack. Ben Ward explains how the Pownce iPhone app gets it right in the comments. Exposure author Fraser Spiers also responds. # 12th August 2008, 7:47 am

Facebook Security Advice: Never Ever Enter Your Passwords On Another Site, Unless We Ask You To. Nice to see TechCrunch highlighting the hypocrisy of Facebook advising their users to never enter their Facebook credentials on another site, then asking them for their webmail provider password so they can scrape their address book. # 9th August 2008, 10:18 am

E-Voting Ballots Not Secret; Vendors Don’t See Problem. “You know things are bad when questions about a technical matter like security are answered by a public-relations firm.” # 20th August 2007, 3:19 pm

VeriSign’s SeatBelt OpenID plugin for Firefox. The first good example of browser integration for OpenID. It catches phishing attempts by watching out for rogue OpenID consumers that don’t redirect to the right place. # 17th August 2007, 5:37 pm

Bruce Schneier interviews Kip Hawley. The head of the Transportation Security Administration in conversation with one of his most eloquent critics. # 7th August 2007, 3:23 pm

DNS Pinning Explained. With diagrams. # 7th August 2007, 11:01 am

(somewhat) breaking the same-origin policy by undermining dns-pinning. This is the best technical explanation of the DNS rebinding attack I’ve seen. The linked demo worked for me in Safari but not in Camino. # 2nd August 2007, 12:53 pm

Your browser is a tcp/ip relay. Thoroughly nasty new(ish) attack that breaks the same-domain policy and allows intranet content to be stolen by a malicious site. Using virtual hosts (hence requiring the Host: header) is the best known protection. # 2nd August 2007, 12:53 pm

Side-Channel Attacks and Security Theatre. “In order to mount most of these attacks the attacker must be local [...] every good security person knows that if your attacker has the ability to run stuff on your machine, it is game over, so why are we even caring about these attacks?” # 2nd August 2007, 12:30 pm

Parsing XML can open network sockets (via) Yikes. Something to bare in mind. # 18th August 2006, 2:27 pm