Search Results

Search found 233 results on 10 pages for 'compromise'.

Page 2/10 | < Previous Page | 1 2 3 4 5 6 7 8 9 10  | Next Page >

  • Take Advantage of Oracle's Ongoing Assurance Effort!

    - by eric.maurice
    Hi, this is Eric Maurice again! A few years ago, I posted a blog entry, which discussed the psychology of patching. The point of this blog entry was that a natural tendency existed for systems and database administrators to be reluctant to apply patches, even security patches, because of the fear of "breaking" the system. Unfortunately, this belief in the principle "if it ain't broke, don't fix it!" creates significant risks for organizations. Running systems without applying the proper security patches can greatly compromise the security posture of the organization because the security controls available in the affected system may be compromised as a result of the existence of the unfixed vulnerabilities. As a result, Oracle continues to strongly recommend that customers apply all security fixes as soon as possible. Most recently, I have had a number of conversations with customers who questioned the need to upgrade their highly stable but otherwise unsupported Oracle systems. These customers wanted to know more about the kind of security risks they were exposed to, by running obsolete versions of Oracle software. As per Oracle Support Policies, Critical Patch Updates are produced for currently supported products. In other words, Critical Patch Updates are not created by Oracle for product versions that are no longer covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. One statement used in each Critical Patch Update Advisory is particularly important: "We recommend that customers upgrade to a supported version of Oracle products in order to obtain patches. Unsupported products, releases and versions are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities." 
The purpose of this warning is to inform Oracle customers that a number of the vulnerabilities fixed in each Critical Patch Update may affect older versions of a specific product line. In other words, each Critical Patch Update provides a number of fixes for currently supported versions of a given product line (this information is listed for each bug in the Risk Matrices of the Critical Patch Update Advisory), but the unsupported versions in the same product line, while they may be affected by the vulnerabilities, will not receive the fixes, and are therefore vulnerable to attacks. The risk assumed by organizations wishing to remain on unsupported versions is amplified by the behavior of malicious hackers, who typically will attempt to, and sometimes succeed in, reverse-engineering the content of vendors' security fixes. As a result, it is not uncommon for exploits to be published soon after Oracle discloses vulnerabilities with the release of a Critical Patch Update or Security Alert. Let's consider now the nature of the vulnerabilities that may exist in obsolete versions of Oracle software. A number of severe vulnerabilities have been fixed by Oracle over the years. While Oracle does not test unsupported products, releases and versions for the presence of vulnerabilities addressed by each Critical Patch Update, it should be assumed that a number of the vulnerabilities fixed with the Critical Patch Update program do exist in unsupported versions (regardless of the product considered). The most severe vulnerabilities fixed in past Critical Patch Updates may result in full compromise of the targeted systems, down to the OS level, by remote and unauthenticated users (these vulnerabilities receive a CVSS Base Score of 10.0) or, almost as critically, may result in the compromise of the affected systems (without compromising the underlying OS) by remote and unauthenticated users (these vulnerabilities receive a CVSS Base Score of 7.5).
Such vulnerabilities may result in complete takeover of the targeted machine (for the CVSS 10.0), or may result in allowing the attacker the ability to create a denial of service against the affected system or even hijacking or stealing all the data hosted by the compromised system (for the CVSS 7.5). The bottom line is that organizations should assume the worst case: that the most critical vulnerabilities are present in their unsupported version; therefore, it is Oracle's recommendation that all organizations move to supported systems and apply security patches in a timely fashion. Organizations that currently run supported versions but may be late in their security patch release level can quickly catch up because most Critical Patch Updates are cumulative. With a few exceptions noted in Oracle's Critical Patch Update Advisory, the application of the most recent Critical Patch Update will bring these products to the current security patch level and provide the organization with the best possible security posture for their patch level. Furthermore, organizations are encouraged to upgrade to the most recent versions as this will greatly improve their security posture. At Oracle, our security fixing policies state that security fixes are produced for the main code line first, and as a result, our products benefit from the mistakes made in previous version(s). Our ongoing assurance effort ensures that we work diligently to fix the vulnerabilities we find, and aim at constantly improving the security posture our products provide by default. Patch sets include numerous in-depth fixes in addition to those delivered through the Critical Patch Update and, in certain instances, important security fixes require major architectural changes that can only be included in new product releases (and cannot be backported through the Critical Patch Update program).

For More Information:
    • Mary Ann Davidson is giving a webcast interview on Oracle Software Security Assurance on February 24th. The registration link for attending this webcast is located at http://event.on24.com/r.htm?e=280304&s=1&k=6A7152F62313CA09F77EBCEEA9B6294F&partnerref=EricMblog
    • A blog entry discussing Oracle's practices for ensuring the quality of Critical Patch Updates can be found at http://blogs.oracle.com/security/2009/07/ensuring_critical_patch_update_quality.html
    • The blog entry "To patch or not to patch" is located at http://blogs.oracle.com/security/2008/01/to_patch_or_not_to_patch.html
    • Oracle's Support Policies are located at http://www.oracle.com/us/support/policies/index.html
    • The Critical Patch Update & Security Alert page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

  • Looking for a C# implementation of (Pk) Zip32

    - by bukko
    I need to implement Zip32 (PK compatible) in C#. I can't just call a separate dll or exe because (1) I don't want to write the uncompressed file to disk and (2) I want to avoid the possibility that someone could wrap that library - either of these would compromise security. My ideal solution would be to find a C# implementation of the Zip32 algorithm which I could use, and just modify it so I can pass a byte array or something. Does anyone have any suggestions or (I dare but hope) examples of C# PKZip implementations?

  • What are the common maintenance tasks on ubuntu?

    - by DaNieL
    When I was using Windows, I used to run defrags, CCleaner and Revo Uninstaller once a month to keep the system and the registry clean. I know Ubuntu (and all Linux distros) has a different system structure and doesn't need defrags, but I've heard there are some maintenance tasks that help to keep the system clean (for example, sudo apt-get clean or sudo apt-get autoremove). How many of those commands/software (and please explain what they do and if they can compromise the system stability) do you know and use regularly?

  • Oracle Application in DMZ (Demilitarized Zone)

    - by PRajkumar
    Business Needs
    Large Organizations want to expose their Oracle Application services outside their private network (HTTP/HTTPS and SSL). Usually these exposures must exist to promote external communication. So they want to separate an external network from directly referencing an internal network.

    Business Challenges
    • Business does not want to compromise security information
    • Business cannot expose internal domain or internal URL information

    Business Solution
    DMZ is the solution to this problem. In Oracle Application we can achieve this in the following way:
    • Oracle Application consists of fleet nodes (FND_NODES), so first decide which node has to be exposed to the public
    • To expose the node to the public, use the profile "Node Trust Level"
    • Set node to Public/Private (Normal -> private, External -> public)
    • Set the "Responsibility Trust Level" profile to decide whether to expose an Application Responsibility inside or outside the firewall

    Solution Features
    • Exposed web services can be accessed by both internal and external users
    • Configurable and can be very easily rolled out
    • Internal network and business data is secured from outside traffic
    • Unauthorized access to the internal network from outside is prohibited
    • No need for VPN and Secure FTP server

    Benefits
    • Large Organizations having Oracle Application can expose their web services (HTTP/HTTPS and SSL) to the internet without compromising security information and without exposing their internal domain

    Possible Weak Points
    • If the external firewall is compromised, then the external application server is also compromised, exposing the E-Business Suite database to attack
    • There's nothing to prevent internal users from attacking the internal application server, also exposing the E-Business Suite database to attack

    Reference Links
    • https://blogs.oracle.com/manojmadhusoodanan/tags/dmz

  • Use controller in view in MVC

    - by gavri
    I have a problem convincing my team mates why we shouldn't use (directly reference) the controller in the view when developing components in the spirit of MVC. I have invoked decoupling and natural intuition, but still those arguments didn't get through. They say, in their defense, that this is a normal compromise. What arguments are convincing? Or are they right? How could the practice of using the controller in the view affect a project in the long run?

  • The Lure of Simplicity in IT

    A deceptively simple solution to a business re-engineering problem can beguile companies into selecting a compromise that doesn't actually meet all their needs. Simple is great, but not at the expense of functionality. Some IT solutions are complex because the problem is complex, but they can be made conceptually clearer.

  • Hide usernames shown on Windows Server 2008 Remote Desktop login screen

    - by user38553
    When I remote desktop to my Windows Server 2008 (a hosted virtual server) I see a login screen showing an icon for each user in the system. I can click on a user then enter a password and login. This is a terrible security oversight in my opinion as it gives anyone that might want to compromise my server a full list of valid usernames. Is there a way to revert to the old style of login screen requiring both username and password? Thanks

  • Microsoft Security Essentials Vs. Avast Home [Free] Edition on a netbook [closed]

    - by Sarath
    I am using Avast Home Edition on my Dell Mini 10v. As you know, the netbook is using an underpowered processor which is not really suitable for browsing some rich internet websites. So I am in the middle of improving the performance. Will uninstalling Avast and using Microsoft Security Essentials improve the performance? The memory usage of Avast is quite low, but I can't compromise security. Is Security Essentials a good bet?

  • The European Commission examines Intel's acquisition of McAfee and fears a monopoly position for processor security

    The European Commission examines Intel's acquisition of McAfee, and fears a monopoly position for processor security. Update of 20.12.2010 by Katleen. Intel's acquisition of McAfee could be compromised. The European Commission is currently examining the case and has expressed some reservations. For while Intel currently holds an important place on the processor scene, and this acquisition would therefore in no way give it a monopoly position in the security field, Brussels wants to look further ahead. The European authorities are thinking of the future, and fear that the face of the IT security market could be altered. Some specialists think...

  • How to achieve a Gaussian Blur effect for shadows in LWJGL/Slick2D?

    - by user46883
    I am currently trying to implement shadows into my game, and after a lot of searching on the interwebs I came to the conclusion that drawing hard-edged shadows to a low resolution pass combined with a Gaussian blur effect would fit best and make a good compromise between performance and looks - even though they're not 100% physically accurate. Now my problem is that I don't really know how to implement the Gaussian blur part. It's not difficult to draw shadows to a low resolution buffer image and then stretch it, which makes it more smooth, but I need to add the Gaussian blur effect. I have searched a lot on that and found some approaches for GLSL, some even here, but none of them really helped. My game is written in Java using Slick2D/LWJGL and I would appreciate any help or approaches for an algorithm or maybe even an existing library to achieve that effect. Thanks for any help in advance.

  • REST API rule about tunneling

    - by miku
    Just read this in the REST API Rulebook: GET and POST must not be used to tunnel other request methods. Tunneling refers to any abuse of HTTP that masks or misrepresents a message's intent and undermines the protocol's transparency. A REST API must not compromise its design by misusing HTTP's request methods in an effort to accommodate clients with limited HTTP vocabulary. Always make proper use of the HTTP methods as specified by the rules in this section. [highlights by me] But then a lot of frameworks use tunneling to expose REST interfaces via HTML forms, since <form> knows only about GET and POST. My most recent example is a MethodRewriteMiddleware for Flask (submitted by the author of the framework): http://flask.pocoo.org/snippets/38/. Any ways to comply with the "Rule" without hacks or add-ons in web frameworks?

  • What's the importance of the "title" tag?

    - by Matteo Mosca
    Talking with some other people recently, an interesting topic came up. The core question at hand is: What's the real importance and weight of the <title> tag in a web site? For instance, what are the consequences if a site has the same <title> tag on all the pages, reporting only the site name? Or better (or worse), no title tag at all? Will that be a little/medium/huge SEO problem? How will the pages appear on search engines? Will fixing it at a later stage be problematic since pages have already been indexed? How does it compromise the overall usability/accessibility/experience? Is that a "feature" that can be omitted, or can it not even be considered a "feature" but a core element? I have quite my opinion on this topic, but I'd really love to hear what other experts (you) think about it.

  • Should your client be able to view your project management board?

    - by bizso09
    We're making bespoke software for our client and use Codebase for our project management. Is it a good idea to let our client view our project management board? The advantages that we thought of are that this would enhance the cooperation between the client and the dev team, following agile practices. He would essentially become part of our team. It would also reduce communication overhead and make sure we're on the same page. The client could track the progression of the system and make suggestions along the way on the user stories. In addition, he could submit bugs or feature requests. The disadvantages that we thought of are that some aspects of the board might be too technical for the client. He would suggest changes to the user stories too often and he might view some content that we normally wouldn't want our client to see. For example, when we compromise on technology or functionality, the client might question that and insist on doing things one way or the other.

  • First blog post from Surface RT using Microsoft Word 2013

    - by Enrique Lima
    One of the concerns I had in using a Surface RT was the need I have to be able to post. Recently, and not so recently, I have stopped posting. Between getting busy, carrying different devices. Well, it has been hard to do. Tried doing that with an iPad, and I can't say it didn't work, it just didn't work for me. Again, back to the concern with the Surface RT. But, looking at the App Store I started getting that same frustration I had with other platforms that left me with a feeling of "I have to compromise because I am on a SubText platform". So, I stuck to posting from Windows Live Writer (great tool!). This whole situation made me think and rethink my strategy, and then … a big DUH! What about using Microsoft Word 2013 for that? Would it work? So, here is the test!

  • Advice on how to understand in general and in practice IT Infrastructure

    - by Luca
    My IT knowledge resides mainly in SW development. I have just some basic know-how about networks. On the net I tried to get information and read books in order to better understand the overall IT infrastructure, but all the sources I found are too generic or, mainly, too detailed in just one aspect, making me lost. Could anyone suggest some books or web resources as a good compromise in details? My goal would be to be able to understand the network issues and security threats when, for example, two remote systems have to be set up and connected to each other. Considering this scenario there are several aspects to consider: firewalls, intranet/internet interconnections, certificates for HTTPS, etc. The argument is quite wide, therefore I was looking for something that might help to start to understand this subject without going too deep in details (Computer Networks from A. Tanenbaum is a wonderful milestone, but way too specific for my scope). Thanks

  • How to secure Ubuntu for a non-technical user? (your mom)

    - by Gil
    My mother will be traveling for a while and I need to provide her with a secure laptop so she can work. A Windows laptop is out of the question because:
    • she'll be logging into dodgy hotel wireless networks and conference networks
    • price of the Windows license to install on a netbook
    I've installed LibreOffice, media players and Skype on it. Also enabled SSH so I can intervene, but I am worried that I might not be in a position to do so. Possible threats:
    • web browsing
    • USB sticks
    • insecure networks prone to intrusions
    • malware
    • SSH/VNC vulnerabilities
    • Skype vulnerabilities
    All the "securing Ubuntu" guides out there assume the user has a certain level of technical knowledge, but this is not the case with moms in general. If malware can gain even user-level access it might compromise her files.

  • Python lower_case_with_underscores style convention: underscores not popular?

    - by squirrel
    PEP8 recommends using lowercase, with words separated by underscores as necessary to improve readability for variable and function names. I've seen this interpreted as lower_case_with_underscores by most people, although in practice and in Python's native methods it seems like lowercasewithoutunderscores is more popular. It seems like following PEP8 strictly would be awkward since it seems to suggest mixing both lower_case_with_underscores and lowercasewithoutunderscores, which would be inconsistent. What is your interpretation of PEP8's variable names, and what do you actually use in practice? (Personally, I like lowerCamelCase as a compromise between readability and ease of typing.)

  • Immutable design with an ORM: How are sessions managed?

    - by Programmin Tool
    If I were to make a site with a mutable language like C# and use NHibernate, I would normally approach sessions with the idea of creating them only when needed and disposing of them at request end. This has helped with keeping a session for multiple transactions by a user but keeping it from staying open too long where the state might be corrupted. In an immutable system, like F#, I would think I shouldn't do this because it supposes that a single session could be updated constantly by any number of inserts/updates/deletes/etc. I'm not against the "using" solution since I would think that connection pooling will help cut down on the cost of connecting every time, but I don't know if all database systems do connection pooling. It just seems like there should be a better way that doesn't compromise the immutability goal. Should I just do a simple "using" block per transaction or is there a better pattern for this?

  • Adobe confirms an attack on its Connectusers.com site, resulting in a leak of 150,000 files on users

    Adobe confirms an attack on its Connectusers.com site resulting in a leak of 150,000 files on users. Adobe confirmed that the database of its Connectusers.com forum was compromised, exposing users' passwords. This reaction follows the publication on the Pastebin site, by a hacker using the pseudonym "Virus HimA", of information on the forum's users. This hacker stated that he had at his disposal nearly 150,000 files containing personal information on the publisher's customers, staff and partners. To back up his claims, he published the files containing email addresses, usernames and other do...

  • How to report abuse to website hosting company (GoDaddy)

    - by lgratian
    I'm not sure if this is the right place to ask such a question... Let's say that a website posted a picture of me, without my consent, and I want it removed (it's something private, could compromise my career if it's seen by someone that shouldn't). I sent them an email asking nicely that they should remove it, but they didn't respond and the picture is still there. Using 'Whois' I found that the website is hosted by GoDaddy. Is there a way (an email address, for ex.) to report to GoDaddy that one of the sites they're hosting does something illegal and to force them to remove the photo? I searched the site and found nothing about such a thing. Thanks in advance!

  • How do I avoid the complexity concerns of frameworks while keeping my team marketable?

    - by Desolate Planet
    When deciding upon how to design a software project with my colleagues, most suggestions tend to be for using specific frameworks "because it's popular in the job market" or "that's the framework that gets recruiters on the phone," and never what I'm looking for which is, "because it's a good fit for the project as it makes the system more adaptive to future changes and makes life easier for developers." I didn't start looking at projects in this way until I started reading up on domain-driven design. I've found that the actual domain is hidden deep under the frameworks used and it's hard to learn the business processes that have been implemented by the software product. Is there a way to marry the two competing goals: getting exposure as a development team while still being able to avoid complexity? Are frameworks that compromise, or are there other solutions out there?
