adric: books icon (c) 2004 adric.net (Default)
Some discussion with coworker yesterday provoked this tonight while I was riding a crowded train into work. I welcome your input. I expect that anyone on our team at work would be able to 'pass' this quiz and that a few would do better than I. The Linux section is almost complete and the Windows section is stubbed. It's wiki of course and I've tried to make the HTML work... Cut for length and horror factor.Web Security quiz, comments appreciated )
adric: (Hacker)
So I install a new piece of security software I've been hearing about, the OSSEC HIDS, on my server, and once I get the thing started up the first thing it tells me is:

2008 Jul 13 02:45:08 Rule Id: 1002 level: 2
Location: dev->/var/log/syslog
Unknown problem somewhere in the system.
Jul 12 22:45:07 dev kernel: audit(1215917107.286:40025): avc: denied { getattr } for pid=3203 comm="ossec-syscheckd" path="/sbin/setfiles" dev=md0 ino=227587 scontext=user_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

and as the log/screen is filling up with these I start laughing, because
punchline screened, for those who are not already chuckling )

*chortle* Oh, right, i did tell it it could send me mail. Hehehehehe....
adric: (Hacker)
At lunch today I read over a whitepaper from 2002 called "Thirty Years Later: Lessons from the Multics Security Evaluation". It's only eight pages including the references and I recommend any interested party to look it over. Even skimming the few really technical bits, the points are clear in passages such as those I quote below. I got the link to the PDF of the paper was from Crypto-gram, Schneier's newletter: http://www.schneier.com/crypto-gram.html .
Skip a bit for length.. )
In the nearly thirty years since the report, it has been
demonstrated that the technology direction that was
speculative at the time can actually be implemented and
provides an effective solution to the problem of malicious
software employed by well-motivated professionals. Un-
fortunately, the mainstream products of major vendors
largely ignore these demonstrated technologies. In their
defense most of the vendors would claim that the market-
place is not prepared to pay for a high assurance of secu-
rity. And customers have said they have never been of-
fered mainstream commercial products that give them
such a choice, so they are left with several ineffective
solutions collected under marketing titles like “defense in
depth”.


That's right folks. The reason your OS (`uname`) is not secure-able against attacks that have been documented for 35 years is because no one ever offered to pay for it, and the reason you can't get it that way (if you ask) is ... because no one ever does. Somehow, I think this is all Microsoft's fault, but they had a lot of help. But hey, the new Mac System release (Leopard) has a shiny new Dock, right? *sigh* Ed: Actually MS Vista has much better advances in security than Leopard, but the system is so large and complicated that is difficult to manage, much less secure.
adric: (Bug)
To:webmaster@americanexpress.com
Greetings,

On the bottom of the main American Express.com website, if loaded with Adobe Flash or JavaScript enabled, a message displays:

" JavaScript is either disabled or not supported by your browser. To best view your American Express® account, you should
download the Flash plug-in and/or enable javascript by changing your browser options with these easy instructions.

If you do not wish to download the Flash plug-in and/or enable JavaScript you may continue on this page to manage your
American Express® Card account; however, it will not be the optimal experience."
excepted from https://home.americanexpress.com/home/fallback.shtml?aexp_nav=05

This is a pleasant and thoughtful sentiment which I would like to rely on. Unfortunately, on that main page, the login (left pane) entry button is a JavaScript function: javascript:validateform(1); Thus, login is impossible without JavaScript. There are similar problems throughout the site, such as on the Contact Us page.

I do apologize for using the webmaster alias. Several minute of scouring the 'Contact Us' and 'Help' pages produced neither a form nor an email address (save one for DMCA complaints). Please let me know if I can provide any more information or be of any use in correcting this error. JavaScript is not a reliable or secure platform for an important international financial institution to rely or or require. Additionally, many web-capable devices do have or fully implement JavaScript.

Thanks,
[name]
[phone]
Green cardholder since 2005

March 2014

S M T W T F S
      1
2345678
9 101112131415
16171819202122
23242526272829
3031     

Syndicate

RSS Atom

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated 22 October 2017 04:50 am
Powered by Dreamwidth Studios