Tag: san

Mar 26

ZATAZ Magazine » Test: hacking a contactless bank card

ZATAZ Magazine » Test: hacking a contactless bank card.

Feb 07

CWE – 2011 CWE/SANS Top 25 Most Dangerous Software Errors

CWE – 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Jan 20

Priv8 :: Add-ons for Firefox

What is priv8? This is a Firefox addon that uses part of the security model of Firefox OS to create sandboxed tabs. Each sandbox is a completely separate world: it doesn't share cookies, storage, and a lot of other things with the rest of Firefox, only with other tabs from the same sandbox. Each sandbox has a name and a color, so it is always easy to identify which tab is sandboxed. Also, these sandboxes are permanent! So when you open one of them a second time, maybe after a restart, that sandbox will still have the same cookies, same storage, etc. as you left it the previous time. You can also switch between sandboxes using the context menu for the tab. Here is an example: with priv8 you can read your Gmail webmail in one tab and another Gmail webmail in another tab at the same time. Likewise, you can be logged in to Facebook in one tab and not in the others. This is nice! Moreover, if you are a web developer and you want to test a website using multiple accounts, priv8 gives you the opportunity to have each account in a sandboxed tab. Much easier than having multiple profiles or logging in and out manually every time! Is it stable? I don't know: it works, but more testing must be done. Help needed! Known issues: window.open doesn't work from a sandbox, and e10s is not supported yet. Priv8 is released under the Mozilla Public License.

via Priv8 :: Add-ons for Firefox.

Jan 20

TextSecure without Google Play | jp.fox

TextSecure without Google Play | jp.fox.

Jan 18

ForeSafe Online Scanner

ForeSafe Online Scanner is a free service that performs deep static analysis of Android applications to detect any malicious or dangerous activity within the apps.

Once analysed online, the submitted app is then forwarded to ForeSafe SandBox to be analysed dynamically on a back-end processing server. ForeSafe SandBox analysis reports are available here.

By submitting the APK (Android app) file, you consent to our Terms of Service.

Press the ‘Select’ button to choose the file – the upload process will start automatically:

via ForeSafe Online Scanner.

Oct 28

An enterprise of media terrorism (among other things) | BUG BROTHER

In the area of cryptography, it led to the creation of a Centre Technique d’Assistance (or CTA) intended to allow the intelligence services to try to decrypt encrypted emails they had intercepted. The LSQ also treated the use of encryption software as an aggravating circumstance, the law providing for three years’ imprisonment and a fine of 45,000 euros for “anyone who, having knowledge of the secret decryption convention of a cryptographic means likely to have been used to prepare, facilitate or commit a crime or an offence, refuses to hand over said convention to the judicial authorities or to implement it, upon the requisition of those authorities”.

via An enterprise of media terrorism (among other things) | BUG BROTHER.

Oct 27

AdNauseam – Clicking Ads So You Don’t Have To

As online advertising becomes more automatic, universal and unsanctioned, AdNauseam works to complete the cycle by automating all ad-clicks universally and blindly on behalf of the target audience. Working in coordination with Ad Block Plus, AdNauseam quietly clicks every blocked ad, registering a visit in the ad networks’ databases. As the data gathered shows an omnivorous click-stream, user profiling, targeting and surveillance become futile.

via AdNauseam – Clicking Ads So You Don’t Have To.

Oct 27

Watch That Windows Update: FTDI Drivers Are Killing Fake Chips

The FTDI FT232 chip is found in thousands of electronic baubles, from Arduinos to test equipment, and more than a few bits of consumer electronics. It’s a simple chip, converting USB to a serial port, but very useful and probably one of the most cloned pieces of silicon on Earth. Thanks to a recent Windows update, all those fake FTDI chips are at risk of being bricked. This isn’t a case where fake FTDI chips won’t work if plugged into a machine running the newest FTDI driver; the latest driver bricks the fake chips, rendering them inoperable with any computer.

via Watch That Windows Update: FTDI Drivers Are Killing Fake Chips.

Oct 26

Malwr – Malware Analysis by Cuckoo Sandbox

What is Malwr?

Malwr is a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis back.

Mission

Existing online analysis services are all based on closed and commercial technologies, often with the intent of leveraging people’s data for their own profit and with no real transparency about how the data is being used. We are researchers ourselves and felt the need for an alternative solution.

Our mission is to provide a powerful, free, independent and non-commercial service to the security community and to independent or academic researchers, with no other goal than facilitating everyone’s daily work and contributing to the community.

Independent

Malwr is operated by volunteer security professionals with the exclusive intent of helping the community. It is not associated with or influenced by any commercial or government organization of any sort.

Non-Commercial

We do not profit on your data. The files you submit, the information you provide and any other use you make of the website is not commercialized in any way. We create and use open source technology. We’re not advertising any commercial product, we are not collecting data to enrich any existing product.

via Malwr – Malware Analysis by Cuckoo Sandbox.

Jul 08

Top 10 Secure Coding Practices – Secure Coding – CERT Secure Coding Standards

Top 10 Secure Coding Practices

Validate input. Validate input from all untrusted data sources. Proper input validation can eliminate the vast majority of software vulnerabilities. Be suspicious of most external data sources, including command line arguments, network interfaces, environment variables, and user-controlled files [Seacord 05].

Heed compiler warnings. Compile code using the highest warning level available for your compiler and eliminate warnings by modifying the code [C MSC00-A, C++ MSC00-A]. Use static and dynamic analysis tools to detect and eliminate additional security flaws.

Architect and design for security policies. Create a software architecture and design your software to implement and enforce security policies. For example, if your system requires different privileges at different times, consider dividing the system into distinct intercommunicating subsystems, each with an appropriate privilege set.

Keep it simple. Keep the design as simple and small as possible [Saltzer 74, Saltzer 75]. Complex designs increase the likelihood that errors will be made in their implementation, configuration, and use. Additionally, the effort required to achieve an appropriate level of assurance increases dramatically as security mechanisms become more complex.

Default deny. Base access decisions on permission rather than exclusion. This means that, by default, access is denied and the protection scheme identifies conditions under which access is permitted [Saltzer 74, Saltzer 75].

Adhere to the principle of least privilege. Every process should execute with the least set of privileges necessary to complete the job. Any elevated permission should be held for a minimum time. This approach reduces the opportunities an attacker has to execute arbitrary code with elevated privileges [Saltzer 74, Saltzer 75].

Sanitize data sent to other systems. Sanitize all data passed to complex subsystems [C STR02-A] such as command shells, relational databases, and commercial off-the-shelf (COTS) components. Attackers may be able to invoke unused functionality in these components through the use of SQL, command, or other injection attacks. This is not necessarily an input validation problem because the complex subsystem being invoked does not understand the context in which the call is made. Because the calling process understands the context, it is responsible for sanitizing the data before invoking the subsystem.

Practice defense in depth. Manage risk with multiple defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense can prevent a security flaw from becoming an exploitable vulnerability and/or limit the consequences of a successful exploit. For example, combining secure programming techniques with secure runtime environments should reduce the likelihood that vulnerabilities remaining in the code at deployment time can be exploited in the operational environment [Seacord 05].

Use effective quality assurance techniques. Good quality assurance techniques can be effective in identifying and eliminating vulnerabilities. Fuzz testing, penetration testing, and source code audits should all be incorporated as part of an effective quality assurance program. Independent security reviews can lead to more secure systems. External reviewers bring an independent perspective; for example, in identifying and correcting invalid assumptions [Seacord 05].

Adopt a secure coding standard. Develop and/or apply a secure coding standard for your target development language and platform.
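The following is an added example, written for this page and not CERT’s own code, that puts three of the practices above into one small request handler: “Validate input” (an allowlist check on the username), “Default deny” (a permission table where anything not listed is refused) and “Sanitize data sent to other systems” (a parameterized database query and a shell-free subprocess call, each shown beside the unsafe string-splicing form it replaces). The user table, the permission table and the “report tool” (the Python interpreter echoing its argument) are constructed for the example; `USERNAME_RE`, `PERMISSIONS` and the function names are this example’s own assumptions.

```python
"""Validate input, default deny, and sanitize data handed to other systems.
Example code written for this page; the users, permissions and the
'report tool' below are constructed stand-ins, not a real application."""
import re
import sqlite3
import subprocess
import sys

# Allowlist: the only shape a username may take (an assumption of this example).
# Input that does not match is rejected whole, not "cleaned up".
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(raw: str) -> str:
    """Validate input from an untrusted source against the allowlist."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError(f"invalid username: {raw!r}")
    return raw


# Default deny: the table lists what is permitted; any pair absent from it is denied.
PERMISSIONS = {
    ("alice", "read"),
    ("alice", "write"),
    ("bob", "read"),
}


def is_allowed(user: str, action: str) -> bool:
    return (user, action) in PERMISSIONS


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str):
    """The pattern to avoid: the value is spliced into the SQL text, so the
    database cannot tell data from query. Kept only to contrast with lookup_user."""
    cur = conn.execute(f"SELECT id, username FROM users WHERE username = '{username}'")
    return cur.fetchone()


def lookup_user(conn: sqlite3.Connection, username: str):
    """Sanitized form: the value travels as a bound parameter, never as SQL."""
    cur = conn.execute("SELECT id, username FROM users WHERE username = ?", (username,))
    return cur.fetchone()


def run_report(username: str) -> str:
    """Sanitized subprocess call: an argv list with no shell, so the argument is
    never parsed as shell syntax. The tool is the interpreter echoing its argument."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print('report for', sys.argv[1])", username],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def handle_request(conn: sqlite3.Connection, raw_user: str, action: str) -> str:
    """Validate first, then decide with default deny, then call out safely."""
    user = validate_username(raw_user)
    if not is_allowed(user, action):
        return "denied"
    if lookup_user(conn, user) is None:
        return "no such user"
    return run_report(user)


if __name__ == "__main__":
    db = build_demo_db()
    print(handle_request(db, "alice", "read"))
    print(handle_request(db, "bob", "write"))
```

The unsafe lookup shows why the practice is framed as sanitizing for the subsystem rather than as input validation: the classic `' OR 1=1 --` string returns a row from `lookup_user_unsafe` but nothing from `lookup_user`, and the allowlist in `validate_username` would have rejected it before either query ran anyway.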

Bonus Secure Coding Practices

Define security requirements. Identify and document security requirements early in the development life cycle and make sure that subsequent development artifacts are evaluated for compliance with those requirements. When security requirements are not defined, the security of the resulting system cannot be effectively evaluated.

Model threats. Use threat modeling to anticipate the threats to which the software will be subjected. Threat modeling involves identifying key assets, decomposing the application, identifying and categorizing the threats to each asset or component, rating the threats based on a risk ranking, and then developing threat mitigation strategies that are implemented in designs, code, and test cases [Swiderski 04].


via Top 10 Secure Coding Practices – Secure Coding – CERT Secure Coding Standards.