Search Results

Search found 522 results on 21 pages for 'privilege elevation'.

  • Microsoft BizTalk Server vNext (after 2009 R2) - Feature Request

    - by Saravana Kumar
    All, this post is not a question; it's more of asking for feedback and future requests. The product team is always looking for feedback to facilitate the future direction of the product. Some of us as BizTalk Server MVPs/partners get the privilege to work with the product team closely to give our feedback regularly based on our real-world experience. But I believe there is a much wider BizTalk community out there working on closed-door projects that test the strength of the product to extreme levels. I would like those passionate people to come forward and put in their feature requests. Let's use the power of StackOverflow to help us here. We can vote up and down on each feature request, and see what's going to top the chart. I hope this will be a useful exercise. Updated 24th Feb: If you have more than one request, please post each as a separate answer, so it's easy to vote on them.

  • How to call an extended procedure from a function

    - by Alan Featherston Lago
    Hi, I'm having trouble trying to get the following function to work.

    CREATE FUNCTION test ( @nt_group VARCHAR(128) )
    RETURNS @nt_usr TABLE (
        [name] [nchar](128) NULL,
        [type] [char](8) NULL,
        [privilege] [char](9) NULL,
        [mapped login name] [nchar](128) NULL,
        [permission path] [nchar](128) NULL
    )
    AS
    BEGIN
        INSERT INTO @nt_usr EXEC master.dbo.xp_logininfo 'DOMAIN\USER', @nt_group
        RETURN
    END

    As far as I know I should be allowed to call an extended stored procedure, but I'm getting the following error: Msg 443, Level 16, State 14. Could it be that xp_logininfo might return different result sets depending on the parameters? When I use OPENQUERY I can overcome this by setting SET FMTONLY OFF. Does anyone know if there's a similar workaround for my problem?

  • SecurityException when trying to export a java resource

    - by thecoop
    I'm trying to get the source of a Java resource stored in an Oracle database using this code (connecting as SYSTEM for testing):

    DECLARE
        javalob CLOB;
    BEGIN
        DBMS_LOB.CREATETEMPORARY(javalob, false);
        DBMS_JAVA.EXPORT_RESOURCE('RESOURCENAME', 'SCHEMA', javalob);
        DBMS_OUTPUT.PUT_LINE(javalob);
    END;

    But when I try to run it I get this:

    Java call terminated by uncaught Java exception: java.lang.SecurityException: cannot read <Resource Handle: RESOURCENAME|SCHEMA|301> because SYSTEM does not have execute privilege on it

    The thing is, I'm not sure how to grant permissions on <Resource Handle: RESOURCENAME|SCHEMA|301>, as this isn't a SQL or PL/SQL object. And why doesn't SYSTEM have access to it anyway?

  • PowerShell script to restart a service

    - by Guy Thomas
    My mission is to press a keyboard sequence, such as Ctrl+Shift+R, to restart a Windows service. I have a script which works fine in the PowerShell ISE when launched with administrative privileges. When I try with a PowerShell script it fails due to insufficient administrative privileges. It's galling that I can get it to work with an old-fashioned bat file, but not PowerShell. The root of the problem is that shortcuts to a PowerShell script have their administrative privileges box greyed out. So far no work-around has overcome this privilege problem. Any ideas?

  • 2008 Datacenter Word Automation issue

    - by Brad
    We have an application that uses Word automation. It works fine under Windows XP, but does not work on our Windows Server 2008 64-bit virtual machine running on VMware ESX unless it is running as the domain administrator. Under any other account (including a local admin), Word starts, uses a lot of CPU for 40 seconds when opening a document, and then just hangs. Our application does not access anything not on the local machine, and this machine is not being used for anything else (not a domain controller, etc). I know others have posted similar issues, with the solution of creating a Desktop folder somewhere under the Windows directory. We did this, and it did not solve the problem (Word did not get as far as it did before we did this, though). Please don't turn this into a thread about why I am trying to do this, whether I should do this, or whether I need to. For argument's sake, I don't need to do this, but understanding what privilege a local admin does not have that is needed to do this is a legitimate concern.

  • Catching Oracle Errors in Django

    - by Dashdrum
    My Django app runs on an Oracle database. A few times a year, the database is unavailable because of a scheduled process or unplanned downtime. However, I can't see how to catch the error and give a useful message back to the requester. Instead, a 500 error is triggered, and I get an email (or hundreds) showing the exception. One example is:

    File "/opt/UDO/env/events/lib/python2.6/site-packages/django/db/backends/oracle/base.py", line 447, in _cursor
        self.connection = Database.connect(conn_string, **conn_params)
    DatabaseError: ORA-01035: ORACLE only available to users with RESTRICTED SESSION privilege

    I see a similar error with a different ORA number when the DB is down. Because the exception is thrown deep within the Django libraries, and can be triggered by any of my views or the built-in admin views, I don't know where any exception trapping code would go. Any suggestions?

  • How to make if loop in grails?

    - by user3569696
    I'm a beginner in Grails, please help. I have this in my GSP:

    <div class="right66">
        <g:select class="time_pick" name="pick_day" placeholder="" from="${['Dani', 'Sati', 'Minute']}" valueMessagePrefix="book.category"/>
    </div>

    In translation: Dani = Days, Sati = Hours, Minute = Minutes. I need to save data in minutes, but the user has the privilege to choose whether his input will be in minutes, days or hours. So I have to do an if loop. I know how an if loop works but I don't know how to write it in Grails. I was thinking of something like this:

    n = 1
    if (params.type = Dani) {
        n = 3600
    } else if (params.type = Sati) {
        n = 60
    }
    def minute = params.minute * n

    But how do I call that chosen input "Dani"? I can't write Params.type=Dani. Does the if loop go in the controller in my case?

  • SQL? "Show me all the Activities that can be performed by User X."

    - by Casey Fulton
    I'm at my wits' end. I've searched like crazy, read plenty of database textbooks and God knows how many online guides, blogs and forums. Can someone put me out of my misery? PseudoSchema Diagram (Warning: although pretty, not in a format even remotely approaching ER diagrams! Primary keys are bold, foreign keys are italics.) Given the above set of tables relating Users to Groups to Privileges, and then a set of Activities that can each require a Privilege to perform, how do you find out this: Show me all the Activities that can be performed by User X. That is: User X is a member of groups G and F; groups G and F correlate to privileges P, Q, R and S; show me all the activities that require privileges P, Q, R or S. How do you do this?

  • Replicating Active Directory - testing scenarios

    - by Naeem Sarfraz
    Replicating a production server's Active Directory is possible through a number of approaches as mentioned here and here. I'm looking for a simpler approach if one exists. I have a mixed-mode authentication site that I need to test. Quite simply, AD users (internal) will have more privileges than someone who logs in via forms (external). We have a web service that caches an AD structure (users & groups). I'm thinking of building a module (HTTP handler I guess?) that will pick up my specially formed URL (http://impersonateduser@localhost/mywebapp) and use the bit before the @ as the username. That will be the username I use for any subsequent operations. How does that sound? Has anyone got other proposals for testing scenarios like this?

  • Can you hide tables from a MySQL user in phpMyAdmin?

    - by AK
    I have a MySQL user added to a database that I would like to prevent from viewing certain tables. I can limit their privileges through MySQL by preventing them from running statements like DROP or ALTER. But is it possible to prevent them from viewing certain tables in phpMyAdmin? If there isn't a MySQL privilege that controls this (I wouldn't imagine there would be), is there a configuration in phpMyAdmin that allows this? I understand one workaround here is to move the tables to a new database that they're not added to. This isn't an option for my application.

  • NHibernate MySQL Enum

    - by LnDCobra
    I am trying to access the "MYSQL" database tables to create a GUI for adding users and privileges. Doing this, I have run into my first NHibernate problem. How do I map MySQL enums to a C# Boolean? Or if that's not possible, then at least to an enum? The database fields are declared as enum('N', 'Y'). These are all of the privilege fields in the database. Now, is there any way of getting this into an enum or, even better, a boolean in C#/NHibernate? Edit #1: In C#, if I need to declare an enum it will be the following: enum YesNoEnum { Yes, No }

  • Advice needed for a small web application's architecture/implementation

    - by Johhny P
    I was asked to build a website where a company's employees (around 20) could log in and fill in their working schedules for the present and past (if needed) month. Employees should of course only be able to see their own schedules, but the manager should have the privilege to access every schedule. I have little experience in web development, therefore advice is needed. I have already created a PHP/MySQL login page. Now what? How do I go about it? Just some architectural or implementational (if you will) guidance would be really appreciated.

  • Multiple user database design

    - by dieguitoweb
    I have to develop a basic social network for an academic purpose, but I need some tips for the user management. The users are subdivided into 3 groups with different privileges: admins, analysts and standard users. For every user the following information should be stored in the database: name, last name, e-mail, age, password. I'm not quite sure how I should design the database between these two solutions:
    1) one table called 'users' with a 'role' attribute that explains what a user can and can't do, and the permissions are managed via PHP
    2) every application user is a database user created with the query 'CREATE ROLE' (it's a Postgres database) and he has permissions on some tables granted with the 'GRANT' statement
    You should take into account that the project is for a database exam. Thanks

  • Select from multiple tables in Rails - Has Many "articles" through [table_1, table_2]?

    - by viatropos
    I'm in a situation where I need to get all articles that are tied to a User through 2 tables:
    - article_access: gives users privilege to see an article
    - article_favorites: of public articles, users have favorited these
    So in ActiveRecord you might have this:

    class User < ActiveRecord::Base
      has_many :article_access_tokens
      has_many :article_favorites

      def articles
        unless @articles
          ids = article_access_tokens.all(:select => "article_id").map(&:article_id) +
                article_favorites.all(:select => "article_id").map(&:article_id)
          @articles = Article.send(:scoped, :conditions => {:id => ids.uniq})
        end
        @articles
      end
    end

    That gives me basically an articles association which reads from two separate tables. Question is though, what's the right way to do this? Can I somehow make 1 SQL SELECT call to do this?

  • Dynamically changing the component of webpage

    - by peril brain
    Hi, I am working on a project on disaster management sponsored by the World Bank; under this project I have been assigned work on a CMS, and my senior has asked me to make an ASP.NET webpage where those logged in with administrator privilege will be able to edit the page, like:

    <div id="mydiv"><pre>+++++++MY CONTENT+++++++++++++++++++</pre></div>

    Now if the admin clicks on mydiv he should be able to edit the pre contents. For this I got many options such as WYSIWYG editors (but they work on textboxes only, and furthermore they can't save the data back to the server replacing the previous content). Then I came to know about WebParts, but its editing capabilities were so low that my plan for implementing a WYSIWYG editor went in vain. So I'm seeking help from you all: is there any way to achieve this? It would be better if you can suggest something like incorporating a WYSIWYG editor into the WebPartManager editor... THANKS..

  • Visual Studio output file permissions?

    - by uray
    I'm using Visual Studio 2010. How do I set or automatically change the owner of the output file from Visual Studio (such as the executable file) to a user other than administrator? All output files are currently owned by Administrator (because Visual Studio is launched with administrative privilege), so sometimes I can't delete those files due to access permissions. Sometimes Visual Studio itself can't delete them either (after I ran the executable) until a few minutes later; it's really annoying when I need to rebuild those executables. Anyone know what's the actual problem here? The error message is: error LNK1168: cannot open [path to file].exe for writing

  • C# how to store those information?

    - by 5YrsLaterDBA
    I have a PrivilegeGroup table, a Privileges table and a link table, because the PrivilegeGroup table and the Privileges table have a many-to-many relationship. I am thinking about loading all contents of the PrivilegeGroup table and Privilege table into memory from the database at the beginning when the application starts. I want to save them in a form that is easy to look up. Usually we will look up the PrivilegeCode via GroupId. Which structure is good for this purpose? Array of lists? Dictionary?

  • How should I store this information?

    - by 5YrsLaterDBA
    I have a PrivilegeGroup table, a Privileges table and a link table, because the PrivilegeGroup table and the Privileges table have a many-to-many relationship. I am thinking about loading all contents of the PrivilegeGroup table and Privilege table into memory from the database at the beginning when the application starts. I want to save them in a form that is easy to look up. Usually we will look up the PrivilegeCode via GroupId. Which structure is good for this purpose? Array of lists? Dictionary?

  • MySQL features I can rely on being available

    - by xrstf
    So I'm developing a PHP/MySQL based CMS which requires PHP 5.1 and MySQL 5.0 (with InnoDB support) at least. I'm now wondering what features of MySQL I can safely use without noticing one day that "Oh, well, that crappy hoster has disabled feature X, damn, now I'm screwed." So my question is, which of these features can become problematic (= can be disabled, require special configuration, require user privileges):
    - transactions and FKs in InnoDB (of course unavailable in MyISAM)
    - table locking (MyISAM and InnoDB)
    - stored procedures
    I just want to know once and for all what's the minimal feature set I can expect from MySQL.

  • The Oracle Enterprise Linux Software and Hardware Ecosystem

    - by sergio.leunissen
    It's been nearly four years since we launched the Unbreakable Linux support program and with it the free Oracle Enterprise Linux software. Since then, we've built up an extensive ecosystem of hardware and software partners. Oracle works directly with these vendors to ensure joint customers can run Oracle Enterprise Linux. As Oracle Enterprise Linux is fully--both source and binary--compatible with Red Hat Enterprise Linux (RHEL), there is minimal work involved for software and hardware vendors to test their products with it. We develop our software on Oracle Enterprise Linux and perform full certification testing on Oracle Enterprise Linux as well. Due to the compatibility between Oracle Enterprise Linux and RHEL, Oracle also certifies its software for use on RHEL, without any additional testing. Oracle Enterprise Linux tracks RHEL by publishing freely downloadable installation media on edelivery.oracle.com/linux and updates, bug fixes and security errata on Unbreakable Linux Network (ULN). At the same time, Oracle's Linux kernel team is shaping the future of enterprise Linux distributions by developing technologies and features that matter to customers who deploy Linux in the data center, including file systems, memory management, high performance computing, data integrity and virtualization. All this work is contributed to the Linux and Xen communities. The list below is a sample of the partners who have certified their products with Oracle Enterprise Linux. 
    If you're interested in certifying your software or hardware with Oracle Enterprise Linux, please contact us via [email protected]

    Chip Manufacturers: Intel, Intel Enabled Server Acceleration Alliance; AMD
    Server vendors: Cisco Unified Computing System; Dawning; Dell; Egenera; Fujitsu; HP; Huawei; IBM; NEC; Sun/Oracle
    Storage Systems, Volume Management and File Systems: 3Par; Compellent; EMC VPLEX; FalconStor; Fusion-io; Hitachi Data Systems; HP Storage Array Systems; Lustre; Network Appliance; OCFS2; PillarData; Symantec Veritas Storage Foundation
    Networking (Switches, Host Bus Adapters (HBAs), Converged Network Adapters (CNAs), InfiniBand): Brocade; Emulex; Mellanox; QLogic; Voltaire
    SOA and Middleware: ActiveState ActivePerl, ActivePython; Tibco; Zend
    Backup, Recovery & Replication: Arkeia Network Backup Suite; BakBone NetVault; CommVault Simpana 8; EMC Networker, Replication Manager; FalconStor Continuous Data Protector; HP Data Protector; NetApp Snapmanager; Quest LiteSpeed Engine; Steeleye Data Replication, Disaster Recovery; Symantec NetBackup, Veritas Volume Replicator, Symantec Backup Exec; Zmanda Amanda Enterprise
    Data Center Automation: BMC; CA Unicenter; HP Server Automation (formerly Opsware), System Management Homepage; Oracle Enterprise Manager Ops Center; Quest Vizioncore vFoglight Pro; TeamQuest Manager
    Clustering & High Availability: FUJITSU x10sure; NEC Express Cluster X; Steeleye Lifekeeper; Symantec Cluster Server; Univa UniCluster
    Virtualization Platforms and Cloud Providers: Amazon EC2; Citrix XenServer; Rackspace Cloud; VirtualBox; VMware ESX
    Security Management: ArcSight Enterprise Security Manager, Logger; CA Access Control; Centrify Suite; Ecora Auditor; FoxT Manager; Likewise Unix Account Management; Lumension Endpoint Management and Security Suite; QualysGuard Suite; Quest Privilege Manager; McAfee Application Control, Change Control, Integrity Monitor, Integrity Control, PCI Pro; Solidcore S3; Symantec Enterprise Security Manager (ESM); Tripwire; Trusted Computer Solutions

  • Toorcon14

    - by danx
    Toorcon 2012 Information Security Conference, San Diego, CA, http://www.toorcon.org/
    Dan Anderson, October 2012

    It's almost Halloween, and we all know what that means—yes, of course, it's time for another Toorcon Conference! Toorcon is an annual conference for people interested in computer security. This includes the whole range of hackers, computer hobbyists, professionals, security consultants, press, law enforcement, prosecutors, FBI, etc. We're at Toorcon 14—see earlier blogs for some of the previous Toorcons I've attended (back to 2003). This year's "con" was held at the Westin on Broadway in downtown San Diego, California. The following are not necessarily my views—I'm just the messenger—although I could have misquoted or misparaphrased the speakers. Also, I only reviewed some of the talks, below, which I attended and which interested me.

    - MalAndroid—the Crux of Android Infections, Aditya K. Sood
    - Programming Weird Machines with ELF Metadata, Rebecca "bx" Shapiro
    - Privacy at the Handset: New FCC Rules?, Valkyrie
    - Hacking Measured Boot and UEFI, Dan Griffin
    - You Can't Buy Security: Building the Open Source InfoSec Program, Boris Sverdlik
    - What Journalists Want: The Investigative Reporters' Perspective on Hacking, Dave Maas & Jason Leopold
    - Accessibility and Security, Anna Shubina
    - Stop Patching, for Stronger PCI Compliance, Adam Brand
    - McAfee Secure & Trustmarks — a Hacker's Best Friend, Jay James & Shane MacDougall

    MalAndroid—the Crux of Android Infections
    Aditya K. Sood, IOActive, Michigan State PhD candidate

    Aditya talked about Android smartphone malware. There's a lot of old Android software out there—over 50% Gingerbread (2.3.x)—and most have unpatched vulnerabilities. Of 9 Android vulnerabilities, 8 have known exploits (such as the old Gingerbread Global Object Table exploit). Android protection includes sandboxing, a security scanner, app permissions, and a screened Android app market. The Android permission checker has fine-grained resource control and policy enforcement. Android static analysis also includes a static analysis app checker (Bouncer) and a vulnerability checker.

    What security problems does Android have?
    - User-centric security, which depends on the user to grant permission and make smart decisions. But users don't care or think about malware (they're not aware, not paranoid). All they want is functionality, extensibility, mobility.
    - Android had no "proper" encryption before Android 3.0.
    - No built-in protection against social engineering and web tricks.
    - Alternative Android app markets are unsafe. Simply visiting some markets can infect Android.

    Aditya classified Android malware types as:
    - Type A—Apps. These interact with the Android app framework. For example, a fake Netflix app. Or Android Gold Dream (game), which uploads user files in a stealthy manner to a remote location.
    - Type K—Kernel. Exploits underlying Linux libraries or kernel.
    - Type H—Hybrid. These use multiple layers (app framework, libraries, kernel). These are most commonly used by Android botnets, which are popular with Chinese botnet authors.

    What are the threats from Android malware? These include leaking info (contacts), banking fraud, corporate network attacks, malware advertising, and malware "hacktivism" (the promotion of social causes, for example promoting specific leaders of the Tunisian or Iranian revolutions).

    Android malware is frequently "masqueraded". That is, repackaged inside a legit app with malware. To avoid detection, the hidden malware is not unwrapped until runtime. The malware payload can be hidden in, for example, PNG files.

    Less common are Android bootkits—there's not many around. What they do is hijack the Android init framework—altering system programs and daemons, then delete themselves. For example, the DKF Bootkit (China).

    Android app problems:
    - no code signing! all self-signed
    - native code execution permission
    - sandbox — all or none
    - alternate market places
    - no robust Android malware detection at network level
    - delayed patch process

    Programming Weird Machines with ELF Metadata
    Rebecca "bx" Shapiro, Dartmouth College, NH
    https://github.com/bx/elf-bf-tools
    @bxsays on twitter

    Definitions. "ELF" is an executable file format used in linking and loading executables (on UNIX/Linux-class machines). A "weird machine" uses undocumented computation sources (I think of them as unintended virtual machines). Some examples of "weird machines" are those that: return to a weird location, do SQL injection, corrupt the heap. Bx then talked about using ELF metadata as (an unintended) "weird machine".

    Some ELF background: A compiler takes source code and generates an ELF object file (hello.o). A static linker makes an ELF executable from the object file. A runtime linker and loader takes the ELF executable and loads and relocates it in memory. The ELF file has symbols to relocate functions and variables. ELF has two relocation tables—one at link time and another one at loading time: .rela.dyn (link time) and .dynsym (dynamic table). GOT: Global Offset Table of addresses for dynamically-linked functions. PLT: Procedure Linkage Tables—works with GOT. The memory layout of a process (not the ELF file) is, in order: program (+ heap), dynamic libraries, libc, ld.so, stack (which includes the dynamic table loaded into memory).

    For ELF, the "weird machine" is found and exploited in the loader. ELF can be crafted for executing viruses, by tricking the runtime into executing interpreted "code" in the ELF symbol table. One can inject parasitic "code" without modifying the actual ELF code portions. Think of the ELF symbol table as an "assembly language" interpreter. It has these elements:
    - instructions: add, move, jump if not 0 (jnz)
    - think of symbol table entries as "registers"
    - symbol table value is "contents"
    - immediate values are constants
    - direct values are addresses (e.g., 0xdeadbeef)
    - move instruction: is a relocation table entry
    - add instruction: relocation table "addend" entry
    - jnz instruction: takes multiple relocation table entries

    The ELF weird machine exploits the loader by relocating relocation table entries. The loader will go on forever until told to stop. It stores state on the stack at "end" and uses IFUNC table entries (containing a function pointer address). The ELF weird machine, called "Brainfu*k" (BF), has 8 instructions (pointer inc, dec, inc indirect, dec indirect, jump forward, jump backward, print) and three registers.

    Bx showed example BF source code that implemented a Turing machine printing "hello, world". More interesting was the next demo, where bx modified ping. Ping runs suid as root, but quickly drops privilege. BF modified the loader to disable the library function call dropping privilege, so it remained as root. Then BF modified the ping -t argument to execute the -t filename as root. It's best to show what this modified ping does with an example:

    $ whoami
    bx
    $ ping localhost -t backdoor.sh # executes backdoor
    $ whoami
    root
    $

    The modified code increased from 285948 bytes to 290209 bytes. A BF tool compiles an "executable" by modifying the symbol table in an existing ELF executable. The tool modifies the .dynsym and .rela.dyn tables, but not code or data.

    Privacy at the Handset: New FCC Rules?
    "Valkyrie" (Christie Dudley, Santa Clara Law JD candidate)

    Valkyrie talked about mobile handset privacy. Some background: Senator Franken (also a comedian) became alarmed about CarrierIQ, where the carriers track their customers. Franken asked the FCC to find out what obligations carriers think they have to protect privacy. The carriers' response was that they are doing just fine with self-regulation—no worries! Carriers need to collect data, such as missed calls, to maintain network quality. But carriers also sell data for marketing. Verizon sells customer data and enables this with a narrow privacy policy (only 1 month to opt out, with difficulties). The data sold is not individually identifiable and is aggregated. But Verizon recommends, as an aggregation workaround, to "recollate" data to other databases to identify customers indirectly. The FCC has regulated telephone privacy since 1934 and mobile network privacy since 2007. Also, the carriers say mobile phone privacy is an FTC responsibility (not FCC). The FTC is trying to improve mobile app privacy, but the FTC has no authority over carrier/customer relationships. As a side note, Apple iPhones are unique as carriers have extra control over iPhones they don't have with other smartphones. As a result iPhones may be more regulated. Who are the consumer advocates? Everyone knows EFF, but EPIC (Electronic Privacy Info Center), although more obscure, is more relevant.

    What to do? Carriers must be accountable. Opt-in and opt-out at any time. Carriers need incentive to grant users control for those who want it, by holding them liable and responsible for breaches on their clock. Location information should be added to current CPNI privacy protection, and require a "pen/trap" judicial order to obtain (which would still be a lower standard than the 4th Amendment). Politics are on a pro-privacy swing now, with many senators and the White House. There will probably be new regulation soon, and enforcement will be a problem, but consumers will still have some benefit.

    Hacking Measured Boot and UEFI
    Dan Griffin, JWSecure, Inc., Seattle, @JWSdan

    Dan talked about hacking measured UEFI boot. First some terms:
    - UEFI is a boot technology that is replacing BIOS (has whitelisting and blacklisting). UEFI protects devices against rootkits.
    - TPM - hardware security device to store hashes and hardware-protected keys
    - "secure boot" can control at firmware level what boot images can boot
    - "measured boot" OS feature that tracks hashes (from BIOS, boot loader, kernel, early drivers)
    - "remote attestation" allows remote validation and control based on policy on a remote attestation server

    Microsoft is pushing TPM (Windows 8 required), but Google is not. Intel TianoCore is the only open source for UEFI. Dan has a Measured Boot Tool at http://mbt.codeplex.com/ with a demo where you can also view TPM data. TPM support is already on enterprise-class machines.

    UEFI Weaknesses. UEFI toolkits are evolving rapidly, but UEFI has weaknesses:
    - assumes the user is an ally
    - trusts the TPM implicitly, and attached to the computer
    - hibernate file is unprotected (disk encryption protects against this)
    - protection migrating from hardware to firmware
    - delays in patching and whitelist updates
    - will UEFI really be adopted by the mainstream (smartphone hardware support, bank support, apathetic consumer support)

    You Can't Buy Security: Building the Open Source InfoSec Program
    Boris Sverdlik, ISDPodcast.com co-host

    Boris talked about problems typical with current security audits. "IT Security" is an oxymoron—IT exists to enable business, uptime, utilization, reporting, but doesn't care about security—IT has a conflict of interest. There's no Magic Bullet ("blinky box"), no one-size-fits-all solution (e.g., Intrusion Detection Systems (IDSs)). Regulations don't make you secure. The cloud is not secure (because of shared data and admin access). Defense and pen testing is not sexy. Auditors are not the solution (security is not a checklist)—what's needed is experience and adaptability—need soft skills.

    Step 1: First thing is to Google and learn the company end-to-end before you start. Get to know the management team (not the IT team), meet as many people as you can. Don't use arbitrary values such as CISSP scores. Quantitative risk assessment is a myth (e.g. AV*EF-SLE). Learn the different business units, legal/regulatory obligations, learn the business and where the money is made, verify the company is protected from script kiddies (easy), learn sensitive information (IP, internal use only), and start with low-hanging fruit (customer service reps and social engineering).

    Step 2: Policies. Keep policies short and relevant. Generic SANS "security" boilerplate policies don't make sense and are not followed. Focus on acceptable use, data usage, communications, physical security.

    Step 3: Implementation: keep it simple, stupid. Open source, although useful, is not free (implementation cost).
    - Access controls with authentication & authorization for local and remote access. MS Windows has it, otherwise use OpenLDAP, OpenIAM, etc.
    - Application security: Everyone tries to reinvent the wheel—use existing static analysis tools. Review high-risk apps and major revisions. Don't run different risk level apps on the same system. Assume host/client compromised and use app-level security controls.
    - Network security: VLAN != segregated because there are too many workarounds. Use explicit firewall rules, active and passive network monitoring (snort is free), disallow end user access to the production environment, have a proxy instead of direct Internet access. Also, SSL certificates are not good two-factor auth and SSL does not mean "safe."
    - Operational Controls: Have change, patch, asset, & vulnerability management (OSSI is free). For change management, always review code before pushing to production. For logging, have centralized security logging for business-critical systems, separate security logging from administrative/IT logging, and lock down logs (as they have everything). Monitor with OSSIM (open source). Use intrusion detection, but not just to fulfill a checkbox: build rules from a whitelist perspective (snort). OSSEC has 95% of what you need. Vulnerability management is a QA function when done right: OpenVAS and Seccubus are free.
    - Security awareness: The reality is users will always click everything. Build real awareness, not a compliance-driven checkbox, and have it integrated into the culture.
    - Pen test by crowd sourcing—test with logging.

    COSSP http://www.cossp.org/ - Comprehensive Open Source Security Project

    What Journalists Want: The Investigative Reporters' Perspective on Hacking
    Dave Maas, San Diego CityBeat
    Jason Leopold, Truthout.org

    The difference between hackers and investigative journalists: For hackers, the motivation varies, but the method is the same, technological specialties. For investigative journalists, it's about one thing—The Story, and they need broad info-gathering skills.

    J-School in 60 Seconds: Generic formula: person or issue of public interest, new info, or angle. Generic criteria: proximity, prominence, timeliness, human interest, oddity, or consequence.

    Media awareness of hackers and trends: journalists are becoming extremely aware of hackers with congressional debates (privacy, data breaches), demand for data-mining journalists, use of coding and web development by journalists, and journalists busted for hacking (Murdoch).

    Info gathering by investigative journalists includes:
    - Public records laws. The federal Freedom of Information Act (FOIA) is good, but slow. The California Public Records Act is a lot stronger. FOIA takes forever because of foot-dragging—it helps to be specific. Often need to sue (especially FBI). CPRA is faster, and requests can be vague.
    - Dumps and leaks (a la Wikileaks)

    Journalists want: leads, protecting ourselves, our sources, and adapting tools for news gathering (Google hacking). Anonymity is important to whistleblowers. They want no digital footprint left behind (e.g., email, web log). They don't trust encryption, want to feel safe and secure. Whistleblower laws are very weak—there's no upside for whistleblowers—they have to be very passionate to do it.

    Accessibility and Security or: How I Learned to Stop Worrying and Love the Halting Problem
    Anna Shubina, Dartmouth College

    Anna talked about how accessibility and security are related. Accessibility of digital content (not real world accessibility) mostly refers to blind users and screenreaders, for our purpose. Accessibility is about parsing documents, as are many security issues. "Rich" executable content causes accessibility to fail, and often causes security to fail. For example MS Word has an executable format—it's not a document exchange format—more dangerous than PDF or HTML. Accessibility is often the first and maybe only sanity check with parsing. They have no choice because someone may want to read what you write. Google, for example, is very particular about the web browser you use and is bad at supporting other browsers. It uses JavaScript instead of links, often requiring mouseover to display content.

    PDF is a security nightmare. Executable format, embedded Flash, JavaScript, etc. 15 million lines of code. Google Chrome doesn't handle PDF correctly, causing several security bugs. PDF has an accessibility checker and PDF tagging, to help with accessibility. But no PDF checker checks for incorrect tags, untagged content, or validates lists or tables. None check executable content at all.

    The "Halting Problem" is: can one decide whether a program will ever stop? The answer, in general, is no (Rice's theorem). The same holds true for accessibility checkers. Language-theoretic Security says complicated data formats are hard to parse and cannot be solved due to the Halting Problem.

    W3C Web Accessibility Guidelines: "Perceivable, Operable, Understandable, Robust". Not much help though, except for "Robust", but here are some gems:
    - all information should be parsable (paraphrasing)
    - if not parsable, cannot be converted to alternate formats
    - maximize compatibility in new document formats

    Executable webpages are bad for security and accessibility.
They say it's for a better web experience. But is it necessary to stuff web pages with JavaScript for a better experience? A good example is The Drudge Report—it has hand-written HTML with no JavaScript, yet drives a lot of web traffic due to good content. A bad example is Google News—hidden scrollbars, guessing user input. Solutions: Accessibility and security problems come from same source Expose "better user experience" myth Keep your corner of Internet parsable Remember "Halting Problem"—recognize false solutions (checking and verifying tools) Stop Patching, for Stronger PCI Compliance Adam Brand, protiviti @adamrbrand, http://www.picfun.com/ Adam talked about PCI compliance for retail sales. Take an example: for PCI compliance, 50% of Brian's time (a IT guy), 960 hours/year was spent patching POSs in 850 restaurants. Often applying some patches make no sense (like fixing a browser vulnerability on a server). "Scanner worship" is overuse of vulnerability scanners—it gives a warm and fuzzy and it's simple (red or green results—fix reds). Scanners give a false sense of security. In reality, breeches from missing patches are uncommon—more common problems are: default passwords, cleartext authentication, misconfiguration (firewall ports open). Patching Myths: Myth 1: install within 30 days of patch release (but PCI §6.1 allows a "risk-based approach" instead). Myth 2: vendor decides what's critical (also PCI §6.1). But §6.2 requires user ranking of vulnerabilities instead. Myth 3: scan and rescan until it passes. But PCI §11.2.1b says this applies only to high-risk vulnerabilities. Adam says good recommendations come from NIST 800-40. Instead use sane patching and focus on what's really important. From NIST 800-40: Proactive: Use a proactive vulnerability management process: use change control, configuration management, monitor file integrity. Monitor: start with NVD and other vulnerability alerts, not scanner results. Evaluate: public-facing system? workstation? 
internal server? (risk rank) Decide:on action and timeline Test: pre-test patches (stability, functionality, rollback) for change control Install: notify, change control, tickets McAfee Secure & Trustmarks — a Hacker's Best Friend Jay James, Shane MacDougall, Tactical Intelligence Inc., Canada "McAfee Secure Trustmark" is a website seal marketed by McAfee. A website gets this badge if they pass their remote scanning. The problem is a removal of trustmarks act as flags that you're vulnerable. Easy to view status change by viewing McAfee list on website or on Google. "Secure TrustGuard" is similar to McAfee. Jay and Shane wrote Perl scripts to gather sites from McAfee and search engines. If their certification image changes to a 1x1 pixel image, then they are longer certified. Their scripts take deltas of scans to see what changed daily. The bottom line is change in TrustGuard status is a flag for hackers to attack your site. Entire idea of seals is silly—you're raising a flag saying if you're vulnerable.


  • A Few Words from Oracle’s Channel Chief

    - by Meghan Fritz-Oracle
    As Oracle enters a new fiscal year, I want to take a moment and reflect on my time at Oracle thus far. The technology industry is currently at an inflection point trying to figure out where growth will come from. When you look at Oracle’s portfolio of products, it's a complete stack from applications to disk, offering differentiation in the marketplace. I was initially drawn to Oracle’s leadership, strategy, and world-class technology. Since joining the Oracle team in October 2013, I’ve had the privilege of traveling around the globe visiting our partners and customers, and wanted to share several common themes that came up during these meetings. Cloud: Many partners are trying to figure out how to build a business around the cloud. Oracle partners can currently resell or refer our cloud services. We saw over 300 percent growth from cloud resale last quarter. Engineered Systems: Hardware and software integrated together to simplify IT allows our joint customers to focus on the innovation they need to compete in a complex marketplace. We're seeing great success in several areas, with more partners saying, “Let’s start with Oracle on Oracle.” The Internet of Things: This is the next big opportunity for device manufacturers and ISVs to capture market share in what is projected to be a multi-trillion-dollar opportunity, according to Gartner. Competition: We've got a tremendous middleware platform and a tremendous database install base. We’re not just a database company; we are a complete provider. So looking ahead, what are my priorities for fiscal 2015? Oracle PartnerNetwork has some very exciting plans on the horizon. There’s a lot more leadership and announcements to unfold, especially at this year’s Global Partner Kickoff taking place on June 25 + 26 depending on your region and time zone. 
    I along with several other Oracle executives will be shedding light on Oracle’s strategy for the upcoming year, the latest opportunities within the OPN Specialized Program and sales strategies that will help you to continue to grow and profit with Oracle. Stay tuned for registration information next week. We also have Oracle OpenWorld and JavaOne to look forward to. These conferences are taking place in San Francisco from September 28 – October 2. We’ll have a variety of partner-specific activities for you at OPN Central @ OpenWorld including the OPN keynote, the famed AfterDark networking reception, access to the OPN Lounge and more. In the meantime, I hope that everyone has a great end to fiscal 2014. Best regards, Rich Geraffo, Senior Vice President, Worldwide Alliances and Channels


  • ASP.NET 4 Hosting :: How to Debug Your ASP.NET Applications

    - by mbridge
    Remote debugging of a process is a privilege, and like all privileges, it must be granted to a user or group of users before its operation is allowed. The Microsoft .NET Framework and Microsoft Visual Studio .NET provide two mechanisms to enable remote debugging support: the Debugger Users group and the "Debug programs" user right.

    Debugger Users Group. When you debug a remote .NET Framework-based application, the debugger on your computer must communicate with the remote computer using DCOM. The remote server must grant the debugger access, and it does this by granting access to all members of the Debugger Users group. Therefore, you must ensure that you are a member of the Debugger Users group on that computer. This is a local security group, meaning that it is visible only to the computer where it exists. To add yourself or a group to the Debugger Users group, follow these steps:
    1. Right-click the My Computer icon on the Desktop and choose Manage from the context menu.
    2. Browse to the Groups node, which is found under the Local Users and Groups node of System Tools.
    3. In the right pane, double-click the Debugger Users group.
    4. Add your user account or a group account of which you are a member.

    Debug Programs User Right. To debug programs that run under an account that is different from your account, you must be granted the "Debug programs" user right on the computer where the program runs. By default, only the Administrators group is granted this user right. You can check this by opening Local Security Policy on the computer. To do so, follow these steps:
    1. Click Start, Administrative Tools, and then Local Security Policy.
    2. Browse to the User Rights Assignment node under the Local Policies node.
    3. In the right pane, double-click the "Debug programs" user right.
    4. Add your user account or a group account of which you are a member.


  • Taking AIIM at Social

    - by Christie Flanagan
    Today we are pleased to have a guest post from Christian Finn (@cfinn). Christian is Senior Director of Product Management for Oracle WebCenter and heads up the WebCenter evangelist team. Last week I had the privilege of speaking at AIIM’s new conference in San Francisco. AIIM, for those of you not familiar with it, is a global community of information professionals and got its start with ECM and imaging long ago. With 65,000+ members, AIIM has now set about broadening its scope to focus more on the intersection between systems of record (think traditional ECM) and systems of engagement (think social solutions). So AIIM’s conference is a natural place to be for WebCenter types like me, who have a foot in both of those worlds. AIIM used to have their name on a very large tradeshow, but have changed direction now to run a small, intimate conference. The lineup of keynotes was terrific, including David Pogue of The New York Times, Clay Shirky, author of Here Comes Everybody, and Ted Schadler, author of Empowered among many thought-provoking and engaging speakers. (Note: Ted will soon be featured in our Social Business webcast series. Stay tuned.) John Mancini and his team at AIIM did a fabulous job running the event and the engagement from the 450 attendees was sustained over the two and a half days. Our proudest moment was having three finalists up for AIIM awards including: San Joaquin County, CA, for a justice case management system using WebCenter Content and Oracle BPM; Medtronic and Fishbowl Solutions for their innovative iPad solutions on WebCenter Content, and the government of Louisville, Kentucky/Jefferson County for their accounts payable solution using WebCenter Content’s Image & Process Management. 
The highlight of the awards night was San Joaquin winning the small organization award against some tough competition.In addition to the conversations sparked at the show, AIIM promoted the whitepapers their industry task forces have produced on the impact and opportunities created by systems of engagement and systems of record. The task forces were led by: Geoffrey Moore, the renowned high tech marketing guru and author of Crossing The Chasm; and Andrew McAfee, who coined the term and wrote the book, Enterprise 2.0. (Note: Andy will also be featured soon on the Social Business webcast series.)  These free papers make short, excellent reading and you can download them on the AIIM website: Moore highlights the changes to Enterprise IT that the social revolution will engender, and McAfee covers where and how organizations are finding value in using social techniques to foster innovation, to scale Q&A across the organization, and to connect sales and marketing for greater efficiency and effectiveness. Moore’s whitepaper is here and McAfee’s whitepapers are available here. For the benefit of those who did not get a chance to attend the AIIM conference, I’ll be posting the topics of my AIIM presentation, “Three Principles for Fixing Your Broken Organization,” here on the WebCenter blog over the rest of this week and next in a series of posts.  


  • Meet Peter, 80 years old today

    - by AdamRG
    You have to arrive at the office early in the morning to meet Peter. He arrives at 5am and by 8:30am he's gone. Peter has been a cleaner here for several years. He is 80 years old today. Peter was born only a couple of km from our office in Cambridge, England and was for many years an Engineer for Pye Electronics. I'm lucky enough to arrive in the office early enough to catch Peter, dressed smarter than most of us in shirt and tie, and he tells stories of how Cambridge was years ago. He says the site of our office is on land between what would have been a prisoner of war camp (camp 1025), and a few hundred metres North, a camp of American allies. In February 1944, Peter was 13 years old. One night, a Dornier Do 217 heavy bomber heading towards London was hit by anti-aircraft fire and the crew of four parachuted from the plane. The plane however, continued on autopilot for over 50km. Gradually dropping lower and lower, narrowly missing the spires of Cambridge, it eventually came to land, largely intact, in allotment gardens by Peter's house near Milton Road. He told me that he was quick to the scene, along with some other young lads, and grabbed parts of the plane as souvenirs. It's one of many tales that Peter recounts, but I happened to discover a chapter about this particular plane crash in a history book called the War Torn Skies of Great Britain by Julian Evan-Hart. It reads: 'It slid to a halt in the allotment gardens of Milton Road. The cockpit ended up crumpled against a wooden fence and several incendiary bombs that had broken loose from their containers in the ruptured bomb bay were strewn over the ground behind the Dornier.' I smiled when I read the following line: 'Many residents came to see the Dornier in the allotments. Several lads made off with souvenirs' It seems a young Peter has been captured in print! For his birthday, among other things, we gave him a copy of the book. 
Working for a software company and rushing headlong through the 21st century, it's easy to forget even our recent history, or what feet stood on the same ground before us. That aircraft crashed only 700 metres from where our office now stands. The disused and overgrown railway line that runs down the side of the office closed to passengers 30 years ago. The industrial estate the other side was the site of a farm, Trinity Hall Farm, as recently as 60 years ago. Roman rings and Palaeolithic handaxes have been unearthed nearby. I suppose Peter will be one of the last people I'll ever hear talking first-hand about Cambridge during the war. It's a privilege to know him. Happy birthday Peter.

