Search Results

Search found 59864 results on 2395 pages for 'application security'.

  • SQL SERVER – Detecting guest User Permissions – guest User Access Status

    - by pinaldave
    Earlier I wrote the blog post SQL SERVER – Disable Guest Account – Serious Security Issue, and I got many comments asking questions related to the guest user. Here are the comments of Manoj:
    1) How do we know if the guest user is enabled or disabled?
    2) What is the default for guest user in SQL Server?
    Default settings for guest user
    When SQL Server is installed by default, the guest user is disabled for security reasons. If the guest user is not properly configured, it can create a major security issue. You can read more about this here.
    Identify guest user status
    There are multiple ways to identify guest user status:
    Using SQL Server Management Studio (SSMS)
    You can expand the database node >> Security >> Users. If you see the RED arrow pointing downward, it means that the guest user is disabled.
    Using sys.sysusers
    Here is a simple script. If you notice column hasdbaccess as 1, it means that the guest user is enabled and has access to the database.
    SELECT name, hasdbaccess FROM sys.sysusers WHERE name = 'guest'
    Using sys.database_principals and sys.database_permissions
    This script is valid in SQL Server 2005 and later versions. This is my default method recently.
    SELECT name, permission_name, state_desc FROM sys.database_principals dp INNER JOIN sys.database_permissions sp ON dp.principal_id = sp.grantee_principal_id WHERE name = 'guest' AND permission_name = 'CONNECT'
    Using sp_helprotect
    Just run the following stored procedure, which will give you all the permissions associated with the user.
    sp_helprotect @username = 'guest'
    Disable Guest Account
    REVOKE CONNECT FROM guest
    Additionally, the guest account cannot be disabled in master and tempdb; it is always enabled. There is a special need for this. Let me ask a question back at you: In which scenario do you think it will be useful to keep the guest, and what additional configuration will go along with the scenario? Note: Special mention to Imran Mohammed for being always there when users need help.
Reference: Pinal Dave (http://blog.sqlauthority.com) Filed under: PostADay, SQL, SQL Authority, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology

  • Single Sign On for Web Application and Application in Virtual Directory

    - by Stefan
    To enable single sign-on for a web application and a web application in a virtual directory, I set the machineKey in both apps to the same:
    <machineKey validationKey="xxx" decryptionKey="yy" validation="SHA1" />
    The single sign-on works just fine, but existing users can't sign in any more; their passwords are rejected. The machineKey used to be this in the parent application:
    <machineKey validationKey="xxx,IsolateApps" decryptionKey="yy,IsolateApps" validation="SHA1" />
    I tried other ways to make single sign-on work, but it just won't as long as the keys contain "IsolateApps". What am I missing? I should add that in the membership provider, passwordFormat is set to "Encrypted". So I assume the password was encrypted using the key that contained "IsolateApps", and now when it tries to validate the password it's using the key without the "IsolateApps". Still not sure how to solve that problem. Is there maybe a way that I can set the encryption keys for the password separately from the one that is used for the authentication cookie?

  • GC output clarification

    - by elec
    I'm running a Java application with the following settings:
    -XX:+CMSParallelRemarkEnabled -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:+PrintGCApplicationStoppedTime -XX:+PrintGCApplicationConcurrentTime -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps -XX:+PrintHeapAtGC -XX:+PrintTenuringDistribution
    I'm not sure how to interpret the related GC logs (below). In particular:
    Heap after GC invocations=31 (full 3): does this mean there were 31 minor GCs and 3 full GCs?
    What triggers the several consecutive lines of Total time for which the application threads were stopped and Application Time?
    Is it possible to get the time stamps associated with each of these lines?
    GC logs:
    Total time for which application threads were stopped: 0.0046910 seconds
    Application time: 0.7946670 seconds
    Total time for which application threads were stopped: 0.0002900 seconds
    Application time: 1.0153640 seconds
    Total time for which application threads were stopped: 0.0002780 seconds
    Application time: 1.0161890 seconds
    Total time for which application threads were stopped: 0.0002760 seconds
    Application time: 1.0145990 seconds
    Total time for which application threads were stopped: 0.0002950 seconds
    Application time: 0.9999800 seconds
    Total time for which application threads were stopped: 0.0002770 seconds
    Application time: 1.0151640 seconds
    Total time for which application threads were stopped: 0.0002730 seconds
    Application time: 0.9996590 seconds
    Total time for which application threads were stopped: 0.0002880 seconds
    Application time: 0.9624290 seconds
    {Heap before GC invocations=30 (full 3):
     par new generation   total 131008K, used 130944K [0x00000000eac00000, 0x00000000f2c00000, 0x00000000f2c00000)
      eden space 130944K, 100% used [0x00000000eac00000, 0x00000000f2be0000, 0x00000000f2be0000)
      from space 64K,   0% used [0x00000000f2bf0000, 0x00000000f2bf0000, 0x00000000f2c00000)
      to   space 64K,   0% used [0x00000000f2be0000, 0x00000000f2be0000, 0x00000000f2bf0000)
     concurrent mark-sweep generation total 131072K, used 48348K [0x00000000f2c00000, 0x00000000fac00000, 0x00000000fac00000)
     concurrent-mark-sweep perm gen total 30000K, used 19518K [0x00000000fac00000, 0x00000000fc94c000, 0x0000000100000000)
    2010-05-11T09:30:13.888+0100: 384.955: [GC 384.955: [ParNew
    Desired survivor size 32768 bytes, new threshold 0 (max 0)
    : 130944K->0K(131008K), 0.0052470 secs] 179292K->48549K(262080K), 0.0053030 secs] [Times: user=0.00 sys=0.00, real=0.01 secs]
    Heap after GC invocations=31 (full 3):
     par new generation   total 131008K, used 0K [0x00000000eac00000, 0x00000000f2c00000, 0x00000000f2c00000)
      eden space 130944K,   0% used [0x00000000eac00000, 0x00000000eac00000, 0x00000000f2be0000)
      from space 64K,   0% used [0x00000000f2be0000, 0x00000000f2be0000, 0x00000000f2bf0000)
      to   space 64K,   0% used [0x00000000f2bf0000, 0x00000000f2bf0000, 0x00000000f2c00000)
     concurrent mark-sweep generation total 131072K, used 48549K [0x00000000f2c00000, 0x00000000fac00000, 0x00000000fac00000)
     concurrent-mark-sweep perm gen total 30000K, used 19518K [0x00000000fac00000, 0x00000000fc94c000, 0x0000000100000000)
    }
    Total time for which application threads were stopped: 0.0056410 seconds
    Application time: 0.0475220 seconds
    Total time for which application threads were stopped: 0.0001800 seconds
    Application time: 1.0174830 seconds
    Total time for which application threads were stopped: 0.0003820 seconds
    Application time: 1.0126350 seconds
    Total time for which application threads were stopped: 0.0002750 seconds
    Application time: 1.0155910 seconds
    Total time for which application threads were stopped: 0.0002680 seconds
    Application time: 1.0155580 seconds
    Total time for which application threads were stopped: 0.0002880 seconds
    Application time: 1.0155480 seconds
    Total time for which application threads were stopped: 0.0002970 seconds
    Application time: 0.9896810 seconds

  • SINGLE SIGN ON SECURITY THREAT! FACEBOOK access_token broadcast in the open/clear

    - by MOKANA
    Subsequent to my posting there was a remark made that this was not really a question, but I thought I did indeed postulate one. So that there is no ambiguity, here is the question with a lead-in: Since there is no data sent from Facebook during the Canvas Load process that is not at some point divulged, including the access_token, session and other data that could uniquely identify a user, does anyone see any other way, other than adding one more layer, i.e., a password, sent over the wire via HTTPS along with the access_token, that will ensure unique, untampered-with security by the user?
    Using Wireshark I captured the local broadcast while loading my Canvas Application page. I was hugely surprised to see the access_token broadcast in the open, viewable for anyone to see. This access_token is appended to any https call to the Facebook OpenGraph API. Using Facebook as a single-click log-on has now raised huge concerns for me. It is stored in a session object in memory and the cookie is cleared upon app termination, and after reviewing the FB.Init calls I saw a lot of HTTPS calls, so I assumed the access_token was always encrypted. But last night I saw in the status bar a call from what was simply an http call that included the App ID, so I felt I should sniff the Application Canvas load sequence. Today I did sniff the broadcast, and in the attached image you can see that there are http calls with the access_token being broadcast in the open and clear for anyone to gain access to. Am I missing something; is what I am seeing and my interpretation really correct? If anyone can sniff and get the access_token they can theoretically make calls to the Graph API via https, even though the callback would still need to be the site established in Facebook's application setup. But what is truly a security threat is anyone using the access_token for access to their own site.
    I do not see the value of a single sign-on via Facebook if the only thing that was established as secure was the access_token - because from what I can see it clearly is not secure. Access tokens that never have an expiry date do not change. Access_tokens are different for every user, so access to another site could be held tight to just a single user, but compromising even a single user's data is unacceptable. http://www.creatingstory.com/images/InTheOpen.png Went back and did more research on this: FINDINGS: Went back and re-ran the canvas application to verify that it was not any of my code that was broadcasting. In this call: HTTP GET /connect.php/en_US/js/CacheData HTTP/1.1 the USER ID is clearly visible in the cookie. So USER_IDs are fully visible, but they are already. Anyone can go to pretty much anyone's page and hover over the image and see the USER ID. So no big threat. APP_IDs are also easily obtainable - but . . . http://www.creatingstory.com/images/InTheOpen2.png The above file clearly shows the FULL ACCESS TOKEN clearly in the OPEN via a Facebook-initiated call. Am I wrong? TELL ME I AM WRONG because I want to be wrong about this. I have since reset my app secret so I am showing the real sniff of the Canvas Page being loaded. Additional data 02/20/2011: @ifaour - I appreciate the time you took to compile your response. I am pretty familiar with the OAuth process and have a pretty solid understanding of the signed_request unpacking and utilization of the access_token. I perform a substantial amount of my processing on the server, and my Facebook server-side flows are all complete and function without any flaw that I know of. The application secret is secure and never passed to the front-end application and is also changed regularly. I am being as fanatical about security as I can be, knowing there is so much I don't know that could come back and bite me.
    Two huge access_token issues: The issues concern the possible utilization of the access_token from the USER AGENT (browser). During the FB.INIT() process of the Facebook JavaScript SDK, a cookie is created as well as an object in memory called a session object. This object, along with the cookie, contains the access_token, session, a secret, and uid and status of the connection. The session object is structured such that it supports both the new OAuth and the legacy flows. With OAuth, the access_token and status are pretty much all that is used in the session object. The first issue is that the access_token is used to make HTTPS calls to the GRAPH API. If you had the access_token, you could do this from any browser: https://graph.facebook.com/220439?access_token=... and it will return a ton of information about the user. So anyone with the access token can gain access to a Facebook account. You can also make additional calls to any info the user has granted access to the application tied to the access_token. At first I thought that a call into the GRAPH had to have a Callback to the URL established in the App Setup, but I tested it as mentioned below and it will return info back right into the browser. Adding that callback feature would be a good idea I think; it tightens things up a bit. The second issue is utilization of some unique private secured data that identifies the user to the third-party database, i.e., like in my case, I would use a single sign-on to populate user information into my database using this unique secured data item (i.e., access_token, which contains the APP ID, the USER ID, and a hashed-with-secret sequence). None of this is a problem on the server side. You get a signed_request, you unpack it with the secret, make HTTPS calls, get HTTPS responses back.
    When a user has information entered via the USER AGENT (browser) that must be stored via a POST, this unique secured data element would be sent via HTTPS such that they are validated prior to database insertion. However, if there is NO secured piece of unique data that is supplied via the single sign-on process, then there is no way to guarantee unauthorized access. The access_token is the one piece of data that is utilized by Facebook to make the HTTPS calls into the GRAPH API. It is considered unique in regards to BOTH the USER and the APPLICATION and is initially secure via the signed_request packaging. If, however, it is subsequently transmitted in the clear and I can sniff the wire and obtain the access_token, then I can pretend to be the application and gain the information they have authorized the application to see. I tried the above example from a Safari and IE browser and it returned all of my information to me in the browser. In conclusion, the access_token is part of the signed_request and that is how the application initially obtains it. After OAuth authentication and authorization, i.e., the USER has logged into Facebook and then runs your app, the access_token is stored as mentioned above, and I have sniffed it such that I see it stored in a Cookie that is transmitted over the wire, resulting in there being NO UNIQUE SECURED IDENTIFIABLE piece of information that can be used to support interaction with the database; or in other words, unless there were one more piece of secure data sent along with the access_token to my database, i.e., a password, I would not be able to discern if it is a legitimate call. Luckily I utilized secure AJAX via POST and the call has to come from the same domain, but I am sure there is a way to hijack that.
    I am totally open to any ideas on this topic on how to uniquely identify my USERS other than adding another layer (password) via this single sign-on process, or if someone would just share with me that I read and analyzed my data incorrectly and that the access_token is always secure over the wire. Mahalo nui loa in advance.

  • Security risk of JIRA standalone installation running JRE version 1.6.0_26 vs 1.6.0_29 (latest)

    - by kayaker243
    Atlassian recently introduced a standalone installer that installs JIRA, along with its own JRE. Unfortunately the JRE Atlassian bundles with this installer is 1.6.0_26, whereas the current version of the JRE is 1.6.0_29. This is potentially concerning given there were vulnerabilities in _26 that were fixed in the subsequent versions. We are currently using the bundled-installer version of JIRA and one contractor has recommended we ditch this for the system-installed JRE. My question is this: what is the actual security risk of continuing to use the _26 version of the JRE included in the bundled installer? There is no public access to our install of JIRA (only about 20 employees and contractors can log in to our JIRA) and it's only accessible on a subdomain of a domain at which there's no publicly-available website. If there's a not insignificant risk inherent in sticking with the older JRE, why hasn't Atlassian upgraded the default JRE?

  • Is it possible to create a read-only user account for security auditing purposes?

    - by user2529583
    An organization requires several administrators to have the role of a security auditor. They must have read-only (via network/remote) access to Windows Server 2008 / R2 systems and have permissions to view the server configuration. They must not be able to make any other changes to the server or the network, like restarting or making any configuration changes. However I can't find any built-in settings for a user like this. The closest thing is the "Users" user group [1], however from my understanding every user in the domain is in this group and cannot view the domain server's configuration. So, what are other options for implementing a read-only user account in Windows Server 2008? [1] http://technet.microsoft.com/en-us/library/cc771990.aspx

  • Are there any security concerns when using Windows' default workgroup?

    - by koiyu
    Are there any security concerns one should be aware of if you're using Windows' default workgroup as the workgroup? (Or is worrying just tinfoiling?) Should it be commonplace to rename the workgroup to something personal/unique after Windows installation? Are there any other benefits in renaming the workgroup from the default besides making it look more descriptive? I.e., is renaming worth the hassle as it makes the workgroup generally less accessible? It is used in a local area network after all.

  • Building NanoBSD inside a jail

    - by ptomli
    I'm trying to set up a jail to enable building a NanoBSD image. It's actually a jail on top of a NanoBSD install. The problem I have is that I'm unable to mount the md device in order to do the 'build image' part. Is it simply not possible to mount an md device inside a jail, or is there some other knob I need to twiddle?
    On the host
    /etc/rc.conf.local
    jail_enable="YES"
    jail_mount_enable="YES"
    jail_list="build"
    jail_set_hostname_allow="NO"
    jail_build_hostname="build.vm"
    jail_build_ip="192.168.0.100"
    jail_build_rootdir="/mnt/zpool0/jails/build/home"
    jail_build_devfs_enable="YES"
    jail_build_devfs_ruleset="devfsrules_jail_build"
    /etc/devfs.rules
    [devfsrules_jail_build=5]
    # nothing
    Inside the jail
    [root@build /usr/obj/nanobsd.PROLIANT_MICROSERVER]# sysctl security.jail
    security.jail.param.cpuset.id: 0
    security.jail.param.host.hostid: 0
    security.jail.param.host.hostuuid: 64
    security.jail.param.host.domainname: 256
    security.jail.param.host.hostname: 256
    security.jail.param.children.max: 0
    security.jail.param.children.cur: 0
    security.jail.param.enforce_statfs: 0
    security.jail.param.securelevel: 0
    security.jail.param.path: 1024
    security.jail.param.name: 256
    security.jail.param.parent: 0
    security.jail.param.jid: 0
    security.jail.enforce_statfs: 1
    security.jail.mount_allowed: 1
    security.jail.chflags_allowed: 1
    security.jail.allow_raw_sockets: 0
    security.jail.sysvipc_allowed: 0
    security.jail.socket_unixiproute_only: 1
    security.jail.set_hostname_allowed: 0
    security.jail.jail_max_af_ips: 255
    security.jail.jailed: 1
    [root@build /usr/obj/nanobsd.PROLIANT_MICROSERVER]# mdconfig -l
    md2 md0 md1
    md0 and md1 are the ramdisks of the host.
    bsdlabel looks sensible
    [root@build /usr/obj/nanobsd.PROLIANT_MICROSERVER]# bsdlabel /dev/md2s1
    # /dev/md2s1:
    8 partitions:
    #        size   offset    fstype   [fsize bsize bps/cpg]
      a:  1012016       16    4.2BSD        0     0     0
      c:  1012032        0    unused        0     0         # "raw" part, don't edit
    newfs runs ok
    [root@build /usr/obj/nanobsd.PROLIANT_MICROSERVER]# newfs -U /dev/md2s1a
    /dev/md2s1a: 494.1MB (1012016 sectors) block size 16384, fragment size 2048
            using 4 cylinder groups of 123.55MB, 7907 blks, 15872 inodes.
            with soft updates
    super-block backups (for fsck -b #) at:
     160, 253184, 506208, 759232
    mount fails
    [root@build /usr/obj/nanobsd.PROLIANT_MICROSERVER]# mount /dev/md2s1a _.mnt/
    mount: /dev/md2s1a : Operation not permitted
    UPDATE: One of my colleagues pointed out
    There are some file systems types that can't be securely mounted within a jail no matter what, like UFS, MSDOFS, EXTFS, XFS, REISERFS, NTFS, etc. because the user mounting it has access to raw storage and can corrupt it in a way that it will panic entire system.
    From http://www.mail-archive.com/[email protected]/msg160389.html
    So it seems that the standard nanobsd.sh won't run inside a jail while it uses the md device to build the image. One potential solution I'll try is to chroot from the host into the build jail, rather than jexec a shell.

  • Post-compromise security scan; anything else?

    - by IVR Avenger
    Hi, all. My girlfriend checked her Gmail yesterday morning, and then found, later on in the day, that it would no longer accept her password. She also found that this happened to her Hotmail and Yahoo! accounts. She's only checked these accounts from her work and home PC, and I've spent the day checking the home PC for problems. A full AVG scan revealed a couple of installers for her webcam software that had questionable security signatures, and a full Windows Defender scan brought back nothing. Assuming that her home PC was compromised, somehow, is there anything else I should use to check it for some sort of lingering malicious app before I tell her it's okay to login to her accounts, again? Furthermore, she's going through the GMail "account recovery" process as the account appears to have been disabled. Does anyone know if this actually works? Thanks so much. IVR Avenger

  • Is giving read permissions on /etc/shadow to apache user a wise decision from security point of view?

    - by Czar
    I have to use PAM authentication for DAV SVN, but when everything is configured as specified in the mod_auth_pam documentation, authentication does not work. After some research I realized that for this to work, httpd should be running under the root user (which I don't like and won't implement), or the apache user (under which httpd is running by default) should have permissions to read the /etc/shadow file. So there is a pair of questions connected to each other which I want to ask: Is giving this permission to the apache user a wise decision from a security point of view? If the answer to the first question is "yes", what is the correct way to do so? For now I've done the following:
    groupadd shadow
    usermod -G shadow apache
    chmod g+r /etc/shadow
    Another way I can come up with is using acl:
    setfacl -m u:apache:r /etc/shadow
    Note: OS is Fedora 14 x86_64 (kernel: 2.6.35.11), httpd v2.2.17, mod_auth_pam v1.1.1

  • any security tips for my first server? (complete beginner)

    - by Haroldo
    I'm paying for a VPS and hoping to launch my first website on it in the next few days. I'm worried there might be some glaringly obvious security holes in the standard setup, so I'm keen to get some tips. About the only thing I know is to turn off error reporting in PHP and create users/privileges for MySQL... any more stuff along those lines? I'm using: cPanel and WHM, CentOS 5, PHP, MySQL, Google Apps as mail server (so maybe I should disable the built-in mail server somehow?!!) This is my first post on Server Fault (I use Stack Overflow a lot), I hope I'm posting this in the right place, with the right tags - please feel free to edit if I'm wrong. Thanks guys!

  • What type of security problems are mitigated by this .NET architecture?

    - by Jonno
    Given the following physical layout for a .NET web application: DB (sql server, windows) - No public route (no table access, only stored procs) Web Service DAL (iis, windows) - No public route (can be accessed by web server via port 80 and 443) Web Server (iis, windows) - Public route (only via port 80 and 443) What type(s) / examples of attack could be used to compromise the public web server but would be blocked by the Web Service DAL? i.e. can you think of concrete attack types that the DAL stops? Please note, I am interested only in the security aspect, not scaling / fault tolerance / performance / etc. In my mind if the web server has been compromised using an attack over port 80/443, then the same attack would work over port 80/443 to the Web Service DAL box.

  • Is “Application Programming Interface” a bad name?

    - by Taylor Hawkes
    Application programming interface seems like a bad name for what it is. Is there a reason it was named such? I understand that people used to call them Advanced Programming Interfaces and then renamed them to Application Programming Interface. Is that why it is poorly named? Why is it not named Application (to) Programmer Interface? I guess I'm just confused about the meaning behind that name. I write more about my confusion around the name here: BREAKING DOWN THE WORD “APPLICATION PROGRAMMING INTERFACE” This is a very confusing word. We mostly understand what the word Interface means, but “Application Programming”, what even is that? Honestly I'm confused. Is that supposed to be two words like “Application”, “Programming” and then the “Interface” is supposed to mean between the two? Like would a “Computer Human Interface” be an interface between a “Computer” and a “Human” (monitor, keyboard, mouse) or is a “Computer Human” a real thing - perhaps the terminator. So a CHI is our boy Kyle Reese who is the only way we are able to work with the computer human. I think more likely “Application Programming Interface” was simply poorly named and doesn't really make sense. It was originally called an “Advanced Programming Interface”, but perhaps being a bit too ostentatious merged into the now widely accepted “Application Programming Interface”. So now, not wanting to change an acronym has confused the living heck out of everyone.... Any thoughts or clarification would be great; I'm giving a lecture on this topic in a month, so I would prefer not to BS my way through it.

  • Redirection loop problem at facebook iframe application

    - by Sniff
    I do an IFrame application for Facebook. The problem is: any link inside it causes a redirect loop. The link is: http://mydomain/mypage?fb_sig=[what I got from $_GET['fb_sig']] (to test, I link to the same page as my loaded canvas is loaded from). When I click on it, my server returns:
    <script type="text/javascript">
    top.location.href = "http://www.facebook.com/login.php?api_key=5dc632fcef992470341178f492f79b93&v=1.0&next=http%3A%2F%2Fthiismydomain%2Ffacebook%2F%3Ffb_sig%3D96a5c47f133eadcfbba4abf82e5311e0%26page%3D1";
    </script>
    then it goes to the corresponding page, and Facebook returns
    Location: http://thisismydomain/facebook/?fb_sig=96a5c47f133eadcfbba4abf82e5311e0&page=1&auth_token=ce4cf4968f91cace5b3e915f5b658984
    then, my server replies with
    <script type="text/javascript">
    top.location.href = "http://www.facebook.com/login.php?api_key=5dc632fcef992470341178f492f79b93&v=1.0&next=http%3A%2F%2Fthisismydomain%2Ffacebook%2F%3Ffb_sig%3D96a5c47f133eadcfbba4abf82e5311e0%26page%3D1%26auth_token%3Dce4cf4968f91cace5b3e915f5b658984";
    </script>
    and back, Facebook replies:
    Location: http://thisismydomain/facebook/?fb_sig=96a5c47f133eadcfbba4abf82e5311e0&page=1&auth_token=ce4cf4968f91cace5b3e915f5b658984&auth_token=77df653b7949ca39c1a226c82cce8add
    and it goes on and on without end. Should I say that this redirect response from my server is generated automatically (most probably by my Facebook PHP lib). I have no more ideas why this happens. Any ideas?

  • Oracle Key Vault - Hardware Security Module for TDE and more

    - by Heinz-Wilhelm Fabry (DBA Community)
    At the beginning of August, Oracle released a new product called Oracle Key Vault (OKV). It is a Hardware Security Module (HSM), that is, a piece of hardware for storing keys, passwords and files that contain keys and passwords. Oracle Database installations use the last-named form of storing passwords and keys in files for Oracle Advanced Security Transparent Data Encryption (TDE) and external password stores. In versions 10 and 11 of the database these files are called wallets; in version 12, keystores. However, since database version 11.2 there has already been the option, when using TDE, of employing HSMs instead of wallets / keystores. Since Oracle itself could not offer an HSM product of its own, enterprise customers then resorted to products from other vendors. That can now change with OKV. Depending on the threat scenario, deciding against wallets / keystores and in favour of an HSM can be quite sensible, because an HSM offers more security:
    An operating system file can be stolen (copied) more easily than an HSM, which is usually installed as a specially secured plug-in card in a machine or stands as a separate, protected device in a data centre.
    Unlike a wallet / keystore, an HSM can be used across systems. That allows keys to be shared, which in turn perfectly supports, for example, the use of TDE on RAC installations.
    An HSM can be used by several applications. That makes consolidating and managing passwords and keys easier.
    In the current tip, as an introduction to the new product, we show how OKV can be used for TDE.

  • Facebook Application Parse Error CSS

    - by madphp
    Hi, I'm getting some parse errors when loading in my Facebook app through the canvas. It's in an iframe. Can anyone tell me where I can start to look for documentation regarding this?
    Errors whilst loading page from application
    Parse errors:
    CSS Error (line 40 char 36): Error in parsing value for property.: 'font' Declaration dropped.
    CSS Error (line 183 char 18): Expected declaration. Skipped to next declaration.
    CSS Error (line 272 char 65): Unknown property.: '-webkit-border-radius' Declaration dropped.
    CSS Error (line 272 char 110): Unknown property.: 'border-radius' Declaration dropped.
    CSS Error (line 272 char 135): Unknown property.: '-webkit-box-shadow' Declaration dropped.
    CSS Error (line 272 char 181): Unknown property.: '-moz-box-shadow' Declaration dropped.
    CSS Error (line 272 char 221): Unknown property.: 'box-shadow' Declaration dropped.
    CSS Error (line 317 char 23): Unknown property.: '-webkit-border-radius' Declaration dropped.
    CSS Error (line 319 char 15): Unknown property.: 'border-radius' Declaration dropped.
    Thanks --Mark

  • MVP Pattern Philosophical Question - Security Checking in UI

    - by Brian
    Hello, I have a philosophical question about the MVP pattern: I have a component that checks whether a user has access to a certain privilege. This privilege turns on or off certain UI features. For instance, suppose you have a UI grid, and for each row that gets bound, I do a security check to see if certain features in the grid should be enabled or disabled. There are two ways to do this: have the UI/view call the component's method, determine if it has access, and enable/disable or show/hide. The other is have the view fire an event to the presenter, have the presenter do the check and return the access back down to the view through the model or through the event arg. As per the MVP pattern, which component should security checks fit into, the presenter or the view? Since the view is using it to determine its accessibility, it seems more fitting in the view, but it is doing database checks and all inside this business component, and there is business logic there, so I can see the reverse argument too. Thoughts? Thanks.

  • Beginners Guide to Client Application Services

    - by mbcrump
    What is it? Client application services make it easy for you to create Windows-based applications that use the ASP.NET AJAX login, roles, and profile application services included in the Microsoft ASP.NET 2.0 AJAX Extensions. These services enable multiple Web and Windows-based applications to share user information and user-management functionality from a single server.
    What can you do with it?
    - Authenticate a user. You can use the authentication service to verify a user's identity.
    - Determine the role or roles of an authenticated user. You can use the roles service to change the user interface of your application depending on the user's role. For example, you can provide additional features for users who are in an administrator role.
    - Store and access per-user application settings located on the server. You can use the Web settings service (also known as the profile service) to share settings across multiple applications and locations.
    Client application services take advantage of the Web services extensibility model through client service providers that you can specify in your application configuration files. These service providers include offline functionality that uses a local cache for authentication, roles, and settings data when a network connection is unavailable.
    Give me an example of where I would use this! Sharing login and user role information between a Windows Forms application and an ASP.NET application.
    How do I configure it? Click Here

  • Fuzzing for Security

    - by Sylvain Duloutre
    Yesterday, I attended an internal workshop about ethical hacking. Hacking skills like fuzzing can be used to quantitatively assess and measure security threats in software.
    Fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by injecting massive amounts of random data, called fuzz, into the system in an attempt to make it crash. If the program contains a vulnerability that can lead to an exception, crash or server error (in the case of web apps), it can be determined that a vulnerability has been discovered.
    A fuzzer is a program that generates and injects random (and in general faulty) input to an application. Its main purpose is to make things easier and automated.
    There are typically two methods for producing fuzz data that is sent to a target: generation or mutation. Generational fuzzers are capable of building the data being sent based on a data model provided by the fuzzer creator. Sometimes this is as simple and dumb as sending random bytes or swapping bytes, or much smarter, by knowing good values and combining them in interesting ways.
    Mutation, on the other hand, starts out with a known good "template" which is then modified. However, nothing that is not present in the "template" or "seed" will be produced.
    Generally fuzzers are good at finding buffer overflow, DoS, SQL injection, format string bugs, etc. They do a poor job at finding vulnerabilities related to information disclosure, encryption flaws and any other vulnerability that does not cause the program to crash. Fuzzing is simple and offers a high benefit-to-cost ratio but does not replace other proven testing techniques.
    What is your computer doing over the weekend?

  • Top 25 security issues for developers of web sites

    - by BizTalk Visionary
    Sourced from: CWE
    This is a brief listing of the Top 25 items, using the general ranking. NOTE: 16 other weaknesses were considered for inclusion in the Top 25, but their general scores were not high enough. They are listed in the On the Cusp focus profile.
    Rank  Score  ID       Name
    [1]   346    CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
    [2]   330    CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
    [3]   273    CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    [4]   261    CWE-352  Cross-Site Request Forgery (CSRF)
    [5]   219    CWE-285  Improper Access Control (Authorization)
    [6]   202    CWE-807  Reliance on Untrusted Inputs in a Security Decision
    [7]   197    CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    [8]   194    CWE-434  Unrestricted Upload of File with Dangerous Type
    [9]   188    CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
    [10]  188    CWE-311  Missing Encryption of Sensitive Data
    [11]  176    CWE-798  Use of Hard-coded Credentials
    [12]  158    CWE-805  Buffer Access with Incorrect Length Value
    [13]  157    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
    [14]  156    CWE-129  Improper Validation of Array Index
    [15]  155    CWE-754  Improper Check for Unusual or Exceptional Conditions
    [16]  154    CWE-209  Information Exposure Through an Error Message
    [17]  154    CWE-190  Integer Overflow or Wraparound
    [18]  153    CWE-131  Incorrect Calculation of Buffer Size
    [19]  147    CWE-306  Missing Authentication for Critical Function
    [20]  146    CWE-494  Download of Code Without Integrity Check
    [21]  145    CWE-732  Incorrect Permission Assignment for Critical Resource
    [22]  145    CWE-770  Allocation of Resources Without Limits or Throttling
    [23]  142    CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
    [24]  141    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
    [25]  138    CWE-362  Race Condition
    Cross-site scripting and SQL injection are the 1-2 punch of security weaknesses in 2010. Even when a software package doesn't primarily run on the web, there's a good chance that it has a web-based management interface or HTML-based output formats that allow cross-site scripting. For data-rich software applications, SQL injection is the means to steal the keys to the kingdom. The classic buffer overflow comes in third, while more complex buffer overflow variants are sprinkled in the rest of the Top 25.

  • Recommend me an architecture for this Facebook application

    - by andybaird
    Firstly, this question is subjective. There is not a right answer for this question and it really depends on what works for you. I'm hoping to use this thread as a breeding ground for ideas. I hope this is acceptable in this medium. I'm working on building a Facebook app that will be replacing an already popular app that gets ~50k hits a day. The original app is using a very typical LAMP setup with help from some Zend libraries for database layer abstraction. For the most part the app worked well, except that to solve a lot of issues I ended up fragmenting tables to speed things up. As a result, I couldn't do a lot of things with the app that I wanted to (namely any processing using aggregate data that needed to be returned quickly). So I'm starting to design plans for the next version of this application, and I have a whole bunch of new and cool features that I know would choke my current setup. I'm looking for technological recommendations of data storage methods that scale well. The database does not necessarily need to be relational; simple key/value storage would suffice (although at the present time I know little to nothing about KV stores). What's your recommendation? How would you tackle this? I'd like to take a completely free approach to this: although I am most familiar and comfortable using PHP, I want to leave all technical options open.

  • Security in Robots and Automated Systems

    - by Roger Brinkley
    Alex Dropplinger posted a Freescale blog on Securing Robotics and Automated Systems where she asks the question, “How should we secure robotics and automated systems?”
    My first thought on this was duh, make sure your robot is running Java. Java's built-in services for authentication, authorization, encryption/confidentiality, and the like can be leveraged and benefit robotic or autonomous implementations. Leveraging these built-in services and pluggable encryption models of Java makes adding security to an existing bot implementation much easier. But then I thought I should ask an expert on robotics, so I fired the question off to Paul Perrone of Perrone Robotics. Paul builds automated vehicles and other forms of embedded devices like auto monitoring of commercial vehicles on highways.
    He says that most of the work that robots do now is autonomous, so it isn't a problem in the short term. But long-term projects like collision avoidance technology in automobiles are going to require it.
    Some of the work he's doing with his Java-based MAX, a set of software building blocks containing a wide range of low-level and higher-level software modules that developers can use to build simple to complex robot and automation applications faster and cheaper, already provides some support for JAUS compliance and, because they're based on Java, access to standards-based security APIs.
    But, as Paul explained to me, "the bottom line is…it depends on the criticality level of the bot, its network connectivity, and whether or not standards compliance is required."

  • Invalid Html Response and JS Errors when you open your Application in Visual Studio 2013

    - by imran_ku07
    I was working on an application which uses Telerik controls. The application was working fine for a while. Suddenly, the application stopped working. I mean a lot of my application pages became very, very ugly. I found JavaScript errors on every browser's console. When I checked the page view-source, the generated HTML was messy and invalid. This was only happening with my local machine. If someone else on my network accessed my application pages, he got the correct HTML and no JavaScript errors. My mind was blowing because the same page was generating invalid HTML (and JavaScript errors) when I accessed the page using a local browser but generated correct HTML (and no JavaScript errors) when someone else accessed my application page remotely. Then I realized that the only change I had made recently was opening my application in Visual Studio 2013 RTM, which I had installed a few days ago. I closed Visual Studio 2013, and everything worked like a charm. Then I became 100% sure that this was only happening due to the new Visual Studio 2013 feature called Browser Link. I just opened the application again and added this in web.config. Everything became fine. Happy coding :)
    <add key="vs:EnableBrowserLink" value="false" />

  • thick client migration to web based application

    - by user1151597
    This query is related to application design and the technology that I should consider during migration. The scenario: I have a C#.NET WinForms application which communicates with a device. One of the main features of this application is monitoring cyclic data (rate 200 ms) sent from the device to the application. The request to start the cyclic data is sent only once in the beginning and then the application starts receiving data from the device until it sends a stop request. Now this same application needs to be deployed over the web in an intranet. The application is composed of a business logic layer and a communication layer which communicates with the device through UDP ports. I am trying to look at a solution which will allow me to have a single instance of the application on the server so that the device thinks that it is connected as usual, and then from the business logic layer I can manage the clients. I want to reuse the code of the business layer and the communication layer as much as possible. Please let me know whether web services/WCF/etc. is what I should consider to design the migration. Thanks in advance.

  • Updating an application OTA

    - by Bostjan
    I'm developing an application that will be available from a website (market probably as well). The problem I'm having at the moment is how to handle the updates to the app. I know how to check the version against the current one and I know if I need to update it. Question is... how? Is there a way I can download an APK from the website and start the install process? The user will have to confirm of course, but I just want to be able to start it for him. At the moment I'm doing this:

    private void doUpgrade() {
        Builder builder = new AlertDialog.Builder(this);
        builder.setTitle(getString(R.string.upgrade));
        builder.setIcon(R.drawable.help);
        builder.setMessage(getString(R.string.needUpgrade));
        builder.setPositiveButton(getString(R.string.ok), new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                Map<String, String> data = new HashMap<String, String>();
                try {
                    // Fetches the APK over HTTP; the response body is never saved
                    // or handed to the package installer, only the status code is read.
                    HttpResponse re = Registration.doPost("http://www.android-town.com/appRelease/AndroidTown.apk", data);
                    int statusCode = re.getStatusLine().getStatusCode();
                    closeApp();
                } catch (ClientProtocolException e) {
                    e.printStackTrace();
                    Toast.makeText(getApplicationContext(), getString(R.string.noURLAccess), Toast.LENGTH_SHORT).show();
                    closeApp();
                } catch (IOException e) {
                    e.printStackTrace();
                    Toast.makeText(getApplicationContext(), getString(R.string.noURLAccess), Toast.LENGTH_SHORT).show();
                    closeApp();
                }
            }
        });
        builder.setNegativeButton(getString(R.string.cancel), new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                dialog.cancel();
                closeApp();
            }
        });
        builder.show();
    }

    But it doesn't really do anything... should I open a WebView with the URL? A new runnable thread? Any other way? Please help :) Cheers
