Privacy Protection From Big Brother (Google and Other Corporations) Google wants to know whether you change your underwear everyday. It’s that simple. They want to know everything about you. Part of your online security is not letting Google or others know everything about you. Why you may ask? Because they can sell that information to employers who want to conduct a background investigations, serve you targeted ads enticing you, and who knows what else. While arguably this generates revenue to improve their products and services, it can also be considered an invasion of your privacy. Individuals involved in activism, or other activities may have their physical security put be at risk (such as police informants). Your information being available online may be considered a high-risk. Geo Location Sniffing You may also notice some websites immediately requests to know your location when you visit them. Well, the truth is that websites…
IT Security
Introduction The Alexa Top Websites (https://www.alexa.com/topsites) can be used to monitor the popularity trend of a website and compare the popularity of different websites (WikiPedia). In order to gauge the security posture of the internet as a whole mapping information from the Alexa Top Sites is useful. AlexaCheck.py assists by building a PostgreSQL database that stores header information from each website, the first listed resolved IP address, HTTP response code, and MX records. The header information also includes cookies that are passed during an initial connection. This approach was used to examine security of the Alexa Top Websites in a research paper CookiExt: Patching the Browser Against Session Hijacking Attacks. AlexaCheck.py can also accept a list of other domains you want to check for forced TLS encryption and inspect cookies and other header information. Specific HTTP Security Risks SSL/TLS Enforcement The Alexa Check database allows analysis of a particular website…
Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. … Our analysis of the Alexa-ranked top 1000 popular websites gives clear evidence that such risks are far from remote, as the HttpOnly and Secure flags appear as yet to be largely ignored by web developers. – CookiExt: Patching the Browser Against Session Hijacking, Journal of Computer Security (2015). Summary of Session-hijacking attacks When you login into a website, the web-server creates a “session” to identify your identity by sending the client browser a session cookie. Cookies have functions other than sessions, but perhaps the most important use of cookies from a security perspective managing your “state” or “session-state”. This is because a single IP address may have many clients connecting to the server, so…
This article attempts to give an overview of how IT vulnerabilities are categorized during their life-cycle. Understanding the terms related to the various stages of IT security vulnerabilities can allow a better understanding of what a proper security policy framework should include. First lets cover the stages: Unknown – vulnerabilities that exist but nobody knows about them. The vulnerability is not designed in put into the software or hardware by a malicious actor. These vulnerabilities are caused by poor implementation. Software coding standards and software development guidelines attempt to prevent these types of vulnerabilities from happening, but complex constructs in software programming languages are difficult to implement properly can be a large source of vulnerabilities. Unknown vulnerabilities may be discovered through static code analysis and “fuzzing” (automated testing) by malicious actors, bug hunters, or security threat hunters. Known – once the vulnerability has been discovered, it may fall into…
If you are responsible for securing a network, you should know that monitoring reliable IT security news is now critical to mitigating threats on your precious goods. Prioritizing that news landscape and rolling out a timely response is also critical to a solid recipe for security. While it is not realistic to expect security architects to have that kind of response time, if you are ignoring IT security news, you might need those backups you have been diligently maintaining or worse. Building a solid incoming information pipeline requires an analysis of the IT security news landscape. The most fundamental elements of this landscape includes threat advisories & guidelines, updates to best-practices and standardization recommendations, and changing legal requirements if they apply to your organizational assets. Threat analysis reports and newly released Common Vulnerability Exposure details (CVEs) are critical secondary elements that relay more detailed information about vulnerabilities affecting specific software. …