""

"There is no such thing as a burglar-proof home. What there is, however -- using a burglar’s double criteria of speedy entry and not attracting attention-- are homes that are too difficult to break in to .

The enemies of the burglar are time and attention. The longer it takes to enter and the more noise he makes increase his chances of being seen and caught. Homes not easily and quickly broken into are most often bypassed for easier targets"

Recommends book: "Secrets of a Superthief"
other good tips

""

"The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH).

These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm currently in draft.

"

"Networked entities face three major challenges today. Theft of or unauthorized access to confidential data is a constant concern. The inability to share data over a network without an increased security risk limits the ability of organizations to conduct business in the most efficient way. And the lack of a viable single sign-on framework is inhibiting the growth of electronic commerce and networked operations.

The Initiative for Open Authentication (OATH) addresses these challenges with standard, open technology that is available to all. OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices, across all networks.

OATH's vision is of the network of the future: a network where consumers feel secure entering personal information online, where business partners can safely collaborate and share data across domains, and where devices constitute secure threads in a tightly-woven network fabric. We envision a network held together with standard protocols. With foresight and planning, OATH's vision is turning the dream of a secure, universal network into reality."

"CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application."

"Exploring cross-domain threats and use cases, security principles for cross-origin requests, and finally, weighing the risks for developers to enhance cross-domain access from web applications running in the browser." about xdomain

"Web application security is an essential component of any successful project, whether open source PHP applications, web services such as straight through processing, or proprietary business web sites. Hosters (rightly) shun insecure code, and users shun insecure services that lead to fraud. The aim of this Development Guide is to allow businesses, developers, designers and solution architects to produce secure web applications. If done from the earliest stages, secure applications cost about the same to develop as insecure applications, but are far more cost effective in the long run.
Unlike other forms of security (such as firewalls and secure lockdowns), web applications have the ability to make a skilled attacker rich, or make the life of a victim a complete misery. At this highest level of the OSI software map, traditional firewalls and other controls simply do not help. The application itself must be self-defending. The Development Guide can help you get there. The Development Guide has been written to cover all forms of web application security issues, from old hoary chestnuts such as SQL Injection, through modern concerns such as AJAX, phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues."

2010: http://code.google.com/p/owasp-development-guide/wiki/Introduction

"In order to facilitate a "transparent but visible" CSRF solution, developers are encouraged to adopt the Synchronizer Token Pattern (http://www.corej2eepatterns.com/Design/PresoDesign.htm). The synchronizer token pattern requires the generating of random "challenge" tokens that are associated with the user's current session. These challenge tokens are the inserted within the HTML forms and links associated with sensitive server-side operations. When the user wishes to invoke these sensitive operations, the HTTP request should include this challenge token. It is then the responsibility of the server application to verify the existence and correctness of this token. By including a challenge token with each request, the developer has a strong control to verify that the user actually intended to submit the desired requests. Inclusion of a required security token in HTTP requests associated with sensitive business functions helps mitigate CSRF attacks as successful exploitation assumes the attacker knows the randomly generated token for the target victim's session. This is analogous to the attacker being able to guess the target victim's session identifier. The following synopsis describes a general approach to incorporate challenge tokens within the request.
When a Web application formulates a request (by generating a link or form that causes a request when submitted or clicked by the user), the application should include a hidden input parameter with a common name such as "CSRFToken". The value of this token must be randomly generated such that it cannot be guessed by an attacker. Consider leveraging the java.security.SecureRandom class for Java applications to generate a sufficiently long random token. Alternative generation algorithms include the use of 256-bit BASE64 encoded hashes. Developers that choose this generation algorithm must make sure that there is randomness and uniqueness utilized in the data that is hashed to generate the random token."

Also considers other approaches like checking referer header

Countermeasures are defensive technologies or modules that are used to detect, deter, or deny attacks. Necessary countermeasures in an application should be identified using threat analysis to ensure that the application is protected against common types of attacks based on the threats it faces. A weakness or design flaw of a countermeasure, or the lack of a necessary countermeasure results in a vulnerability that can make the application susceptible to attacks.

"A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. The term "vulnerability" is often used very loosely. However, here we need to distinguish threats, attacks, and countermeasures."

Some proven application security principles

Apply defense in depth (complete mediation)
Use a positive security model (fail-safe defaults, minimize attack surface)
Fail securely
Run with least privilege
Avoid security by obscurity (open design)
Keep security simple (verifiable, economy of mechanism)
Detect intrusions (compromise recording)
Don’t trust infrastructure
Don’t trust services
Establish secure defaults (psychological acceptability)

Welcome to the home of the OWASP AppSec Tutorial Series project! The OWASP AppSec Tutorial Series project provides a video based means of conveying complex application security concepts in an easily accessible and understandable way. Each video is approximately 5-10 minutes long and highlights one or more specific application security concepts, tools, or methodologies. The goal of the project is quite simple and yet quite audacious - provide top notch application security video based training... for free!

HTTP-Only to disallow client-side access to a cookie and setting the Secure option on a cookie.

Strict-Transport-Security to force SSL on repeat visits, X-Frame-Options to prevent clickjacking through frame-busting, and the (early) X-Content-Security-Policy to compartmentalize XSS vulnerabilities

HTTP Strict Transport Security is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

"CAS provides enterprise single sign-on service:

An open and well-documented protocol
An open-source Java server component
A library of clients for Java, .Net, PHP, Perl, Apache, uPortal, and others
Integrates with uPortal, BlueSocket, TikiWiki, Mule, Liferay, Moodle and others
Community documentation and implementation support
An extensive community of adopters" via Shree

via: ryan

" Kerchoff’s Principle states that you should assume that your adversary knows as much about the system you use as you do."

"This site uses a number of databases that have been released by hackers to the public. No passwords are stored in the ShouldIChangeMyPassword.com database."

The AlterEgo API allows app developers to verify that a passcode given by a user matches that user's current temporarily generated passcode. AlterEgo's API is structured in a semi-RESTful manner. Request data is passed to the API as GET parameters. Responses are all formatted as JSON values.

RT @sramji: Apple on Location & iPhone < one of the best pieces of corporate communication I've seen since Jobs ...

One of my favorite geek humor examples. ever.

"lets an organization take responsibility for a message while it is in transit.  The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for delivery. Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication."

"Grackle is a lightweight Ruby wrapper around the Twitter REST and Search APIs. It’s based on my experience using the Twitter API to build cheaptweet.com. The main goal of Grackle is to never require a release when the Twitter API changes (which it often does) or in the face of a particular Twitter API bug. As such it’s somewhat different from other Twitter API libraries. It doesn’t try to hide the Twitter "methods" under an access layer nor does it introduce concrete classes for the various objects returned by Twitter. Instead, calls to the Grackle client map directly to Twitter API URLs. The objects returned by API calls are generated as OpenStructs on the fly and make no assumptions about the presence or absence of any particular attributes. Taking this approach means that changes to URLs used by Twitter, parameters required by those URLs or return values will not require a new release. It will potentially require, however, some modifications to your code that uses Grackle."

"iTag is a FREE service to locate and protect your lost or stolen phone. View your cell phone’s location, make it ring from the website, lock the keys, back up your data, delete the information on the phone and MORE!"

" after answering the first question, you learn that almost everything on your profile, even if you use privacy settings to limit access, is available to the quiz."

"Service data. Service data is the data you need to give to a social networking site in order to use it. It might include your legal name, your age, and your credit card number. Disclosed data. This is what you post on your own pages: blog entries, photographs, messages, comments, and so on. Entrusted data. This is what you post on other people's pages. It's basically the same stuff as disclosed data, but the difference is that you don't have control over the data -- someone else does. Incidental data. Incidental data is data the other people post about you. Again, it's basically same same stuff as disclosed data, but the difference is that 1) you don't have control over it, and 2) you didn't create it in the first place. Behavioral data. This is data that the site collects about your habits by recording what you do and who you do it with."

great post updating Schneier's pet topic.

"This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames."

Excellent advice on securing a WP installation. via @bokardo

"Reassuring people about privacy makes them more, not less, concerned. It's called "privacy salience", and Leslie John, Alessandro Acquisti, and George Loewenstein – all at Carnegie Mellon University – demonstrated this in a series of clever experiments. In one, subjects completed an online survey consisting of a series of questions about their academic behaviour – "Have you ever cheated on an exam?" for example. Half of the subjects were first required to sign a consent warning – designed to make privacy concerns more salient – while the other half did not. Also, subjects were randomly assigned to receive either a privacy confidentiality assurance, or no such assurance. When the privacy concern was made salient (through the consent warning), people reacted negatively to the subsequent confidentiality assurance and were less likely to reveal personal information."

"IE7 & go to Tools|Internet Options|Security. Highlight the Local Intranet zone and click the "Sites" button, then the "Advanced" button. Add an entry for "file://computername", using the name of the computer you're running stuff from, e.g. "file://larryXP" Security > Local intranet > Sites > Advanced > and add the computer name for jungledisk that's file://AmazonS3

"Anyone who tells you with absolute certainty which operating system is “the best” without knowing your individual needs is probably going to be wrong – and I include myself in this. The right choice for you may be Linux, or it may be Mac, or it may be Windows. Choosing is a complex dance between hardware needs, price, aesthetic preferences, application requirements, technical competence, and even “what my friends use”. I think the best piece of advice that I can give, though, is this: if you are considering switching platform, don’t expect “the other side” to be the land of milk and honey forever. Every computing platform has its pros and cons, and once the honeymoon period is over, you’ll run into them."

scaaary pdf on malware!

"XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development process to make sure you’ve filtered XSS correctly on your application. It works as a bookmarklet and scans any links, paths or forms on the target scanning page (even cross domain). You can add vectors to it quite easily and it includes some of the most common injections I’ve found on sites over the years. I’ve tested it on IE7/IE8 and Firefox but it could work in other browsers."

guide to OAuth in drupal (may require 6.x)

"to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it. Surveillance Self-Defense (SSD) exists to answer two main questions: What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying?"

"Three of the circumvention tools — DynaWeb FreeGate, GPass, and FirePhoenix — used most widely to get around China’s Great Firewall are tracking and selling the individual web browsing histories of their users. Data about aggregate usage of users of the tools is published freely. You can see, for example, that the three sites most visited by users of these circumvention tools are live.com, google.com, and secretchina.com. Aggregate data like this is a terrific resource for those of us interested in researching circumvention tool usage, and not much of a privacy risk for the circumventing users if it is only stored (as well as displayed) in the aggregate."

"provide[s] web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers"

"a hosted virtual private network. Our service creates an encrypted link between your computer and our servers and then forwards all of your internet traffic through this link. For example this prevents local eavesdroppers from listening in on your web communication at a public WIFI hotspot. Furthermore unlike many other commercial VPN's that may be blocked by firewalls our program can work on any Internet connection that allows you to browse web sites. The service is provided for free by showing advertising at the top of web pages that you view while you are using the AlwaysVPN network."

To enable NLA in XP machines; first install XP SP3, then edit the registry settings on the XP client machine to allow NLA • Configure Network Level Authentication 1. Click Start, click Run, type regedit, and then press ENTER. 2. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa 3. In the details pane, right-click Security Packages, and then click Modify. 4. In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK. 5. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders 6. In the details pane, right-click SecurityProviders, and then click Modify. 7. In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK. 8. Exit Registry Editor. 9. Restart the computer.

turns out it's possible

allows a user to automatically upgrade the wordpress installation to the latest one provided by wordpress.org using the 5 steps provided in the wordpress upgrade instructions.

1st hand account of traveling without an id. excellent points about why requiring id isn't protecting anyone.

"After running a system scan once at installation, Tiny Watcher checks the registry and system folders to see what's changed since it was last run, as well as offering options to "Remove," "Disable," and search the web for information on system processes and common Windows changes. You have to be really cautious, of course, before deleting or disabling things you don't fully understand, but it's a great way of checking just when and why that mysterious folder at your hard drive root was created, without digging through logs or keeping a monitor open." via:lifehacker

nice intro to setting permissions in *nix

scan the links on your website, and on the pages that your website is linking to, and flag possible problem areas.

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

Remove version info from generated html: add this line to your functions.php file in the WordPress themes folder. <?php remove_action('wp_head', 'wp_generator'); ?>

plugin searches the files and database of your website for signs of suspicious activity... scans db and files.

generates secret keys for your wp-config.php

guidelines for how to stay safe while living the portable apps life

cameras are everywhere, and we can still see them. Ten years ago, cameras were much rarer than they are today. And in 10 years, they'll be so small you won't even notice them.

allows two peers behind two separate NATs with NO port forwarding and NO DMZ setup on their routers to directly communicate with each other.

enables you to encrypt a file or a folder. After installation, right-click on a file/folder and select Encrypt with Flexcrypt folder, make up a password, thats it. Decryption is done by double-clicking on the encrypted file and enter the correct password.

The feeling and reality of security tend to converge when we take notice, and diverge when we don't. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn't too much emotion clouding the issue.

just had to relearn this frustrating process... argh.

With the help of U.S. defense contractors, China is building the prototype for a high-tech police state. It is ready for export.

lets you generate and use single-use credit cards in order to make PayPal payments at sites you might not want to give your credit card information to

Good overview here. interesting bit on how TC undermines the GPL.

"There exists a database of Americans, who, often for the slightest and most trivial reason, are considered unfriendly, and who, in a time of panic, might be incarcerated.

presents the original URL rather than taking you there (via a cookie pref).

At one time or another someone connected to a real ad-hoc WiFi network that had the SSID “Free Public WiFi”. They added this network to their preferred network list. They then traveled to a location where this WiFi SSID didn’t exist..." thanks Windo

someone is addressing openid usability issues (finally!)

Firefox extension which automatically switches an internet connection across one or more proxy servers based on URL patterns you define.

a preliminary build of TrueCrypt for Nokia Internet Tablets running OS2008.

checks whether you have known vulnerabilities in your applications

wow, tying Facebook into opensource hotspot router firmware to authenticate internet access based on social connections.