Search Results

Search found 544 results on 22 pages for 'attacks'.

Page 10/22 | < Previous Page | 6 7 8 9 10 11 12 13 14 15 16 17  | Next Page >

  • Introducing Next-Generation Enterprise Auditing and Database Firewall Platform Webcast, 12/12/12

    - by Troy Kitch
    Join us, December 12 at 10am PT/1pm ET, to hear about a new Oracle product that monitors Oracle and non-Oracle database traffic, detects unauthorized activity including SQL injection attacks, and blocks internal and external threats from reaching the database. In addition, this new product collects and consolidates audit data from databases, operating systems, directories, and any custom template-defined source into a centralized, secure warehouse. This new enterprise security monitoring and auditing platform allows organizations to quickly detect and respond to threats with powerful real-time policy analysis, alerting and reporting capabilities. Based on proven SQL grammar analysis that ensures accuracy, performance, and scalability, organizations can deploy with confidence in any mode. You will also hear how organizations such as TransUnion Interactive and SquareTwo Financial rely on Oracle today to monitor and secure their Oracle and non-Oracle database environments. Register for the webcast here.

    Read the article

  • Need suggestions on what you regard as &ldquo;security&rdquo;

    - by John Breakwell
    I’m currently writing a large piece on MSMQ security and wanted to check I was covering the right areas. I have some doubts as I’ve seen the occasional MSMQ forum question where a poster has used the word “security” in different contexts to what I was expecting. So here are the areas I plan to cover: Message security encryption on the wire (SSL and IPSEC) encryption of the message (MSMQ encryption) encryption of the payload (data encryption) signing and authentication Queue security SIDs and ACLs Discoverability Cross-forest issues Storage security NTFS permissions unencrypted data Service security Ports and Firewalls DOS attacks Hardened mode (HTTP only) RPC secure channel requirement authenticated RPC requirement Active Directory object permissions Setup Administrator requirements What else would you want to see?

    Read the article

  • UK Data Breaches Up by 10 fold in 10 years.

    - by TATWORTH
    At http://www.v3.co.uk/v3-uk/news/2201863/uk-data-breaches-rocket-by-1-000-percent-over-past-five-years there is an interesting report on the increase in data breaches reported in the UK.A lot of this increase may simply a change in legislation that has made reporting a statutory obligation.Some questions to ask yourself:Are server logs checked for untoward activity?Do you have a reporting policy if something is amiss?Did you design security in for the start of your application design?Do you log for example failed logons?Do you run tools to check for code integrity?Is my defense, a strategy of defense in depth?Do you realise that 60% of hack attacks are internal?Whilst SQL Injection is a problem that affects practically all application code platforms, within Microsoft Applications do you run FXCOP? Do you run any of the other free tools for checking?

    Read the article

  • SQL Injection: How it Works and How to Thwart it

    This is an extract from the book Tribal SQL. In this article, Kevin Feasel explains SQL injection attacks, how to defend against them, and how to keep your Chief Information Security Officer from appearing on the nightly news. NEW! The DBA Team in The Girl with the Backup TattooPina colada in the disk drives! How could any DBA do such a thing? And can the DBA Team undo the damage? Find out in Part 2 of their new series, 5 Worst Days in a DBA’s Life. Read the new article now.

    Read the article

  • Is it advisable to ask employees to create 'work' GitHub accounts?

    - by fiorenti
    I've moved all our company Git repositories to GitHub and now I want to add employees to the projects. Since most employees already have personal GitHub accounts, I'm wondering whether I should ask them to create a work GitHub account. The reason that I'm thinking of doing this is to decrease the chances of unauthorized access to our code base since their personal accounts may be well publicized through their personal activity on the site, increasing chances of targeted attacks. Furthermore, if their personal account is ever compromised it won't mean the whole company code is accessible to the hijacker. Since this will bring the burden of maintaining two accounts for the employees I'm wondering whether it is the correct approach and whether it even makes sense. I would love to hear your opinions on this.

    Read the article

  • Python Class which checks input before passing to console (C) program

    - by Joseph Melettukunnel
    Hello, We are asked to write a web-frontend (in python) for a very complex (and old) console application, written in C. Since we have no access to the C Source Code, and we assume that there might be some unsafe methods, we'd like to check the input which will the passed to the console application. WebClient - Python Module - Console Application Do you have any suggestions or tips what we should check for? Right now we are only limiting the string length and filtering some (program specific) unallowed keywords. Thanks, Joseph EDIT: Will remove strings like %s because of format string attacks

    Read the article

  • practical security ramifications of increasing WCF clock skew to more than an hour

    - by Andrew Patterson
    I have written a WCF service that returns 'semi-private' data concerning peoples name, addresses and phone numbers. By semi-private, I mean that there is a username and password to access the data, and the data is meant to be secured in transit. However, IMHO noone is going to expend any energy trying to obtain the data, as it is mostly available in the public phone book anyway etc. At some level, the security is a bit of security 'theatre' to tick some boxes imposed on us by government entities. The client end of the service is an application which is given out to registered 'users' to run within their own IT setups. We have no control over the IT of the users - and in fact they often tell us to 'go jump' if we put too many requirements on their systems. One problem we have been encountering is numerous users that have system clocks that are not accurate. This can either be caused by a genuine slow/fast clocks, or more than likely a timezone or daylight savings zone error (putting their machine an hour off the 'real' time). A feature of the WCF bindings we are using is that they rely on the notion of time to detect replay attacks etc. <wsHttpBinding> <binding name="normalWsBinding" maxBufferPoolSize="524288" maxReceivedMessageSize="655360"> <reliableSession enabled="false" /> <security mode="Message"> <message clientCredentialType="UserName" negotiateServiceCredential="false" algorithmSuite="Default" establishSecurityContext="false" /> </security> </binding> </wsHttpBinding> The inaccurate client clocks cause security exceptions to be thrown and unhappy users. Other than suggesting users correct their clocks, we know that we can increase the clock skew of the security bindings. http://www.danrigsby.com/blog/index.php/2008/08/26/changing-the-default-clock-skew-in-wcf/ My question is, what are the real practical security ramifications of increasing the skew to say 2 hours? If an attacker can perform some sort of replay attack, why would a clock skew window of 5 minutes be necessarily safer than 2 hours? I presume performing any attack with security mode of 'message' requires more than just capturing some data at a proxy and sending the data back in again to 'replay' the call? In a situation like mine where data is only 'read' by the users, are there indeed any security ramifications at all to allowing 'replay' attacks?

    Read the article

  • Javascript Injection and Sql Script injection

    - by Pranali Desai
    Hi All, I am writing an application and for this to make it safe I have decided to HtmlEncode and HtmlDecode the data to avoid Javascript Injection and Paramaterised queries to avoid Sql Script injection. But I want to know whether these are the best ways to avoid these attacks and what are the other ways to damage the application that I should take into consideration.

    Read the article

  • Network Security [closed]

    - by kapilg
    I have been a .net developer for the past three yrs. Just curious to know about the network security field. What kind of work does the developers working in these area do? I really have not much idea about network security but what my understanding is these people are involved in securing network, preventing attacks on network as obvious. Could any one please give me some details about this field and also what does it take to move to this field.

    Read the article

  • Looking for DOS/DDOS protection tools and strategies

    - by Alexandre Victoor
    I am working on a java application that exposes webservices for a flash client. Any idea on how to prevent DOS/DDOS attacks ? I cannot use mechanism unfriendly for the end user such as captcha. So far I have found mod_evasive, an apache module which looks quite promising... Any suggestions, best practices, tools I might use ? Thanks in advance

    Read the article

  • SQL Server stored procedures - update column based on variable name..?

    - by ClarkeyBoy
    Hi, I have a data driven site with many stored procedures. What I want to eventually be able to do is to say something like: For Each @variable in sproc inputs UPDATE @TableName SET @variable.toString = @variable Next I would like it to be able to accept any number of arguments. It will basically loop through all of the inputs and update the column with the name of the variable with the value of the variable - for example column "Name" would be updated with the value of @Name. I would like to basically have one stored procedure for updating and one for creating. However to do this I will need to be able to convert the actual name of a variable, not the value, to a string. Question 1: Is it possible to do this in T-SQL, and if so how? Question 2: Are there any major drawbacks to using something like this (like performance or CPU usage)? I know if a value is not valid then it will only prevent the update involving that variable and any subsequent ones, but all the data is validated in the vb.net code anyway so will always be valid on submitting to the database, and I will ensure that only variables where the column exists are able to be submitted. Many thanks in advance, Regards, Richard Clarke Edit: I know about using SQL strings and the risk of SQL injection attacks - I studied this a bit in my dissertation a few weeks ago. Basically the website uses an object oriented architecture. There are many classes - for example Product - which have many "Attributes" (I created my own class called Attribute, which has properties such as DataField, Name and Value where DataField is used to get or update data, Name is displayed on the administration frontend when creating or updating a Product and the Value, which may be displayed on the customer frontend, is set by the administrator. DataField is the field I will be using in the "UPDATE Blah SET @Field = @Value". I know this is probably confusing but its really complicated to explain - I have a really good understanding of the entire system in my head but I cant put it into words easily. Basically the structure is set up such that no user will be able to change the value of DataField or Name, but they can change Value. I think if I were to use dynamic parameterised SQL strings there will therefore be no risk of SQL injection attacks. I mean basically loop through all the attributes so that it ends up like: UPDATE Products SET [Name] = '@Name', Description = '@Description', Display = @Display Then loop through all the attributes again and add the parameter values - this will have the same effect as using stored procedures, right?? I dont mind adding to the page load time since this is mainly going to affect the administration frontend, and will marginly affect the customer frontend.

    Read the article

  • BDD for C# NUnit

    - by mjezzi
    I've been using a home brewed BDD Spec extension for writing BDD style tests in NUnit, and I wanted to see what everyone thought. Does it add value? Does is suck? If so why? Is there something better out there? Here's the source: https://github.com/mjezzi/NSpec There are two reasons I created this To make my tests easy to read. To produce a plain english output to review specs. Here's an example of how a test will look: -since zombies seem to be popular these days.. Given a Zombie, Peson, and IWeapon: namespace Project.Tests.PersonVsZombie { public class Zombie { } public interface IWeapon { void UseAgainst( Zombie zombie ); } public class Person { private IWeapon _weapon; public bool IsStillAlive { get; set; } public Person( IWeapon weapon ) { IsStillAlive = true; _weapon = weapon; } public void Attack( Zombie zombie ) { if( _weapon != null ) _weapon.UseAgainst( zombie ); else IsStillAlive = false; } } } And the NSpec styled tests: public class PersonAttacksZombieTests { [Test] public void When_a_person_with_a_weapon_attacks_a_zombie() { var zombie = new Zombie(); var weaponMock = new Mock<IWeapon>(); var person = new Person( weaponMock.Object ); person.Attack( zombie ); "It should use the weapon against the zombie".ProveBy( spec => weaponMock.Verify( x => x.UseAgainst( zombie ), spec ) ); "It should keep the person alive".ProveBy( spec => Assert.That( person.IsStillAlive, Is.True, spec ) ); } [Test] public void When_a_person_without_a_weapon_attacks_a_zombie() { var zombie = new Zombie(); var person = new Person( null ); person.Attack( zombie ); "It should cause the person to die".ProveBy( spec => Assert.That( person.IsStillAlive, Is.False, spec ) ); } } You'll get the Spec output in the output window: [PersonVsZombie] - PersonAttacksZombieTests When a person with a weapon attacks a zombie It should use the weapon against the zombie It should keep the person alive When a person without a weapon attacks a zombie It should cause the person to die 2 passed, 0 failed, 0 skipped, took 0.39 seconds (NUnit 2.5.5).

    Read the article

  • Fail2Ban - Log to mysql

    - by user319660
    Hi! We have a few servers with SSH public (using sFTP). Obviously, the attacks ar too many. We want put the banned logs into a MySQL DB for make stats and etc. Have anyone tryied this? Thanks

    Read the article

  • Do I only have to worry about XSS and Sql injection?

    - by Pranali Desai
    Hi All, I am writing an application and for this to make it safe I have decided to HtmlEncode and HtmlDecode the data to avoid Javascript Injection and Paramaterised queries to avoid Sql injection. But I want to know whether these are the best ways to avoid these attacks and what are the other ways to damage the application that I should take into consideration.

    Read the article

  • To HTMLENCODE or not to HTMLENCODE user input on web form (asp.net vb)

    - by Phil
    I have many params making up an insert form for example: x.Parameters.AddWithValue("@city", City.Text) I had a failed xss attack on the site this morning, so I am trying to beef up security measures anyway.... Should I be adding my input params like this? x.Parameters.AddWithValue("@city", HttpUtility.HtmlEncode(City.Text)) Is there anything else I should consider to avoid attacks? Thanks

    Read the article

  • Sanitizing input for display in view when using simple_format

    - by Eric
    Hi, I'm trying to figure out the right way to display comments such that newlines and links are displayed. I know that usually, you should display user-inputs only when escaping html with h(). That of course won't display newlines or links, so I found the simple_format and auto_link methods. What I am now doing is: simple_format(santize(auto_link(comment.text))) Is this the right way to do this, and is it still safe from XSS attacks? Thanks! Eric

    Read the article

  • Does this PHP function protect against SQL injection?

    - by George Edison
    I have this function I'm using and I want to be sure that it fully protects against SQL injection attacks: function MakeSafeForQuery($string) { // replace all of the quote // chars by their escape sequence $ret = str_replace("\\","\\\\",$string); $ret = str_replace("'","\\'",$ret); $ret = str_replace("\"","\\\"",$ret); return $ret; } Am I missing anything serious?

    Read the article

  • adobe air google app engine session security

    - by iamgopal
    i am creating a ria in adobe air with google app engine based server side. i am using google client login for user login purpose. which is working , but how do i maintain session securely ? ( i.e. from man-in-middle attacks etc ) . what are the best practice in this kind of applications ?

    Read the article

  • ColdFusion Security

    - by Andrew
    What are the best practices for securing a coldfusion webpage from malicious users? (including, but not limited to, sql injection attacks) Is cfqueryparam enough?

    Read the article

  • SQL Injection When Using MySQLi Prepared Statements

    - by Sev
    If all that is used to do any and all database queries is MySQLi prepared statements with bound parameters in a web-app, is sql injection still possible? Notes I know that there are other forms of attack other than sql-injection, but my question is specific to sql-injection attacks on that particular web application only.

    Read the article

< Previous Page | 6 7 8 9 10 11 12 13 14 15 16 17  | Next Page >