Simon Willison’s Weblog

383 items tagged “security”

2004

It’s only going to get worse

This analysis of the spread of the witty worm is fascinating for a whole bunch of different reasons.

[... 395 words]

XP Service Pack 2 Review. Several welcome security improvements for those still suffering on Windows ;) # 21st March 2004, 9:14 pm

Bizex

I’m going to try not to turn this in to a blog about Windows security exploits but this one is genuinely interesting in that it actively tries to steal financial information and important passwords. Bizex spreads itself by spamming messages over ICQ advising the recipient to visit a specific URL. When they visit it, Internet Explorer exploits are used to download and execute the main payload which then infects their ICQ program and uses it to message their contacts. The worm also scans their hard drive for information relating to a number of well known financial services which it then uploads to a server via FTP, and it apparently snoops on their browser for any passwords travelling over HTTPS connections as well.

[... 216 words]

Novel security measures

An article on SecurityFocus led me to this site about Port Knocking. Port Knocking is an interesting security technique in which a box sits online with no ports open to connections and awaits a specific sequence of connection attempts. A user wishing to connect to the box must first attempt to initiate connections to ports in a specific, secret order. Once they do, the box starts up the required service (such as an SSH daemon) on a designated port and allows the user to connect properly.

[... 145 words]

“I’m Brian and so’s my wife”

I’m subscribed to a whole bunch of mailing lists, mostly as a lurker as I have a hard enough time just keeping up with some of them. One of those lists is Bugtraq, which is pretty much required reading for anyone with sysadmin responsibilities for a server connected to the public internet. Bugtraq is the central hub of the “public disclosure” security community and is actually surprisingly low traffic with only twenty or so messages a day. It’s fascinating to watch the latest exploits for all manner of popular software packages tick by on an hourly basis.

[... 285 words]

Slouching toward Big Brother (via) Security is a trade-off # 30th January 2004, 7:18 pm

Election boxes easy to mess with (via) More on Diebold’s ludicrous security # 30th January 2004, 7:11 pm

Defending web applications against dictionary attacks

Over at Reflective Surface, Ronaldo M. Ferraz discusses the usability of an authentication system that locks down an account for a certain period of time after three failed login attempts. Ronaldo sees this as a trade off between usability and security, but I see it more as an added security issue in that it allows malicious third parties to lock other user’s accounts armed only with their username.

[... 398 words]

non-consensual http user tracking using caches. Interesting security issue involving HTTP caching headers # 20th January 2004, 10:37 pm

2003

Blaster and the great blackout (via) Bruce Schneier writes for Salon.com # 17th December 2003, 3:10 am

Microsoft Security FAQ (via) Point your less technical friends here # 17th December 2003, 2:50 am

Nasty new IE vulnerability

Most people reading are probably aware of the common trick whereby spammers and other assorted ne’er-do-wells publish URLs with usernames that look like hostnames to fool people in to trusting a malicious site—for example, http://www.microsoft.com&session%123123123@simon.incutio.com. This trick is frequently used by spammers to steal people’s PayPal accounts, by tricking them in to “resetting” their password at a site owned by the spammer but disguised as PayPal.com.

[... 164 words]

Debian’s Response. Praise for Debian’s handling of their recent security incident # 9th December 2003, 3:16 am

Hacked for Spam

From the New York Times:

[... 636 words]

Silly JavaScript Security. “Sorry, you do not have permission to press this key,” # 5th December 2003, 10:42 pm

High security is low security

Via Crypto-Gram, a great piece from Bruce Tognazzini about how tough security measures can actively reduce the security of a system:

[... 225 words]

Signing comments on blogs

Adrian Holovaty has implemented reserved comment names in his blog, a feature that prevents anyone apart from him from using the names “Adrian”, “Adrian H.” or “Adrian Holovaty” when posting a comment. François Nonnenmacher suggests extending the idea to allow people to “confirm” their authorship of comments on any blog using a TrackBack sent to their site that in turn causes them to be sent an alert email, which they can then use to confirm their comment. I like his idea of authentication based on URLs (email addresses are no good; they should not be publically displayed for fear of spam harvesters) but I think I’ve come up with an alternative authentication scheme that removes the need for the user to manually confirm authorship. This is pretty complicated, so bare with me.

[... 762 words]

Hashing client-side data

Via Scott, a clever PHP technique for ensuring data sent to the browser as a cookie or hidden form variable isn’t tampered with by the user:

[... 248 words]

2002

Security and coding style

A couple of good web development security resources:

[... 127 words]

Remembering passwords

Via Scott, an article with some great tips on remembering your passwords. It includes the following vitally important tip:

[... 273 words]

XML security on SitePoint

Getting Started with XML Security is a SitePoint article of epic proportions. I had never really looked at any of the XML security applications but this article appears to cover the lot.

[... 33 words]

OWASP Security guide

The Open Web Application Security Project (OWASP) have a free guide to building secure web applications, which covers a large range of common problems such as cross site scripting and SQL injection vulnerabilities. The report is a 60 page PDF and although I haven’t had time to go through it yet it looks like an excellent read.

[... 74 words]

Palladium

Via Boing Boing: Seth Schoen’s notes on Palladium after a meeting with Microsoft. Cory Doctorow points out that Seth is probably the most knowledgeable tech person to have been briefed on Palladium by MSFT without signing an NDA and his post certainly makes interesting reading. Palladium has had a lot of coverage since the Newsweek article announcing it first broke, with Robert Cringely providing some of the best analysis (in my opinion at least). The Register also has a story about Palladium which introduces some more information and guestimates on a shipping schedule.

[... 115 words]