Archive for June, 2008

 

Biometrics commercial web resources ..

Jun 29, 2008 in Biometrics, Security

http://www.technoimagiaab.com

http://www.eeye.com

http://www.secugen.com

Security web resources ..

Jun 29, 2008 in Security

http://www.cert.org

Secure coding standards:

http://www.owasp.org

http://www.owasp.org/index.php/Secure_Coding_Principles

http://www.sans.org

http://www.infosecinstitute.com

http://www.securityfocus.com

http://www.eeye.com

http://www.ntbugtraq.com

http://www.computer-forensic.com

Java secure coding:
http://java.sun.com/security/seccodeguide.html

selinux configuration notes..

Jun 28, 2008 in Fedora, Linux, Security

When attempting to access a resource protected by selinux, the
console will look something like this:


[Image: selinux]

To see the selinux attributes of a file:


$ ls -aZ info.php
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t:s0 info.php

$ ls -aZ wiki/index.php
-rwxr-xr-x  root root system_u:object_r:fusefs_t:s0    wiki/index.php

To set the security attribute to “httpd content”, as in this example:

$ chcon -R -t httpd_sys_content_t /var/www/html/wiki

$ ls -aZ wiki/index.php
-rwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 wiki/index.php

Config for selinux is here:


$ ls /etc/selinux/
config  restorecond.conf  semanage.conf  targeted

To disable/enable selinux enforcement (0 = permissive, 1 = enforcing):

$ /usr/sbin/setenforce [0|1]

For modules, the manager might show this:

If you trust /usr/lib/php/modules/pgsql.so to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/php/modules/pgsql.so'" You must also change the default file
context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/lib/php/modules/pgsql.so'"

The following command will allow this access:
chcon -t textrel_shlib_t '/usr/lib/php/modules/pgsql.so'

If you want httpd to allow database connections you need to turn on
the httpd_can_network_connect_db boolean: "setsebool -P
httpd_can_network_connect_db=1"

The following command will allow this access:
setsebool -P httpd_can_network_connect_db=1

To restore configuration:

$ restorecon [-F] [-vv] [file|folder]

The ‘-F’ option forces context restoration.

‘restorecon’ (on Fedora rel 8 – Werewolf) is a link to ‘setfiles’.
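
An added example, not part of the original notes: it picks out entries whose type is not the expected one from `ls -Z` output, then labels the directory the persistent way (semanage fcontext followed by restorecon) rather than with chcon alone. The function names, the DRY_RUN switch and the five-column `ls -Z` layout are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes `ls -Z` output in the
# five-column layout shown above: mode, user, group, context, path.

# mislabelled TYPE -- reads `ls -Z` lines on stdin and prints "PATH TYPE" for
# every entry whose SELinux type is not TYPE. Paths with spaces are not handled.
mislabelled() {
    awk -v want="$1" '
        NF >= 5 {
            # context = user:role:type:level
            n = split($4, ctx, ":")
            if (n >= 3 && ctx[3] != want) print $5, ctx[3]
        }'
}

# run CMD... -- executes CMD, or only prints it when DRY_RUN=1 (hypothetical helper).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# label_persistently DIR TYPE -- records the label in the local policy
# (semanage fcontext) and then applies it with restorecon, so that it
# survives a full relabel, which a bare chcon does not.
label_persistently() {
    run semanage fcontext -a -t "$2" "${1}(/.*)?" &&
    run restorecon -R -v "$1"
}

# Constructed sample input, taken from the two listings above.
sample_listing() {
    cat <<'EOF'
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t:s0 info.php
-rwxr-xr-x  root root system_u:object_r:fusefs_t:s0    wiki/index.php
EOF
}

# Demo: report the mislabelled file, then show the commands without running them.
sample_listing | mislabelled httpd_sys_content_t
(DRY_RUN=1; label_persistently /var/www/html/wiki httpd_sys_content_t)
```

Without DRY_RUN=1 the two commands are executed and need root.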

PostgreSQL installation notes..

Jun 26, 2008 in Database, PostgreSQL

On Linux:

1. $ [/sbin/]service postgresql initdb

2. $ [/sbin/]service postgresql start

3. The “initdb” procedure will create user “postgres”.

4. Change /var/lib/pgsql/data/pg_hba.conf

from this:

# "local" is for Unix domain socket connections only
local   all         all                               ident sameuser
# IPv4 local connections:
host    all         all         127.0.0.1/32          ident sameuser
# IPv6 local connections:
host    all         all         ::1/128               ident sameuser

to this:

# "local" is for Unix domain socket connections only
#local   all         all                               ident sameuser
local   all         all   trust
# IPv4 local connections:
#host    all         all         127.0.0.1/32          ident sameuser
host    all         all         127.0.0.1/32  trust
# IPv6 local connections:
#host    all         all         ::1/128               ident sameuser
host    all         all         ::1/128  trust

5. Restart postgres

$ [/sbin/]service postgresql restart

6. Test access:

psql -U postgres (no password)
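
With `trust`, any local OS user can connect as any database user, including `postgres`, without a password, so these records are worth finding again once the install is done. An added example, not part of the original notes (function names are hypothetical), that lists every `trust` record in a pg_hba.conf, including the older "address netmask" column form:

```sh
#!/bin/sh
# Added example (not from the original post): list pg_hba.conf records that use
# the "trust" method, i.e. accept the connection without any authentication.

# trust_records [FILE...] -- prints "LINE TYPE ADDRESS" for every trust record.
# Simplification: everything after "#" is treated as a comment, so quoted
# names that contain "#" are not handled.
trust_records() {
    awk '
        { sub(/#.*/, ""); method = "" }
        NF == 0 { next }
        $1 == "local" { addr = "socket"; method = $4 }
        $1 ~ /^host/ {
            addr = $4
            # "address netmask" form: a separate mask column precedes the method
            if ($5 ~ /[.:]/) { addr = $4 " " $5; method = $6 } else method = $5
        }
        method == "trust" { print NR, $1, addr }
    ' "$@"
}

# The file as it stands after step 4 above.
sample_pg_hba() {
    cat <<'EOF'
# "local" is for Unix domain socket connections only
#local   all         all                               ident sameuser
local   all         all   trust
# IPv4 local connections:
#host    all         all         127.0.0.1/32          ident sameuser
host    all         all         127.0.0.1/32  trust
# IPv6 local connections:
#host    all         all         ::1/128               ident sameuser
host    all         all         ::1/128  trust
EOF
}

# Demo: every active record in the sample is reported.
sample_pg_hba | trust_records
```

On a real system, point it at the file from step 4: `trust_records /var/lib/pgsql/data/pg_hba.conf`.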

Useful Excel tips website ..

Jun 25, 2008 in Microsoft, Office

Many useful bits of info.. like ‘Results without a formula’, ‘Generate random numbers’, ‘Add hidden text to formulas’ (add notes) and more..

http://www.rediff.com/getahead/2007/mar/05excel.htm

Design Patterns – Factory pattern (Creational) basic example..

Jun 20, 2008 in Engineering, Software

This pattern allows the application to defer to runtime the decision of which
object from a related set to instantiate.

From http://en.wikipedia.org/wiki/Factory_method_pattern

abstract class Pizza {
    public abstract double getPrice();
}
 
class HamAndMushroomPizza extends Pizza {
    public double getPrice() {
        return 8.5;
    }
}
 
class DeluxePizza extends Pizza {
    public double getPrice() {
        return 10.5;
    }
}
 
class HawaiianPizza extends Pizza {
    public double getPrice() {
        return 11.5;
    }
}
 
class PizzaFactory {
    public enum PizzaType {
        HamMushroom,
        Deluxe,
        Hawaiian
    }
 
    public static Pizza createPizza(PizzaType pizzaType) {
        switch (pizzaType) {
            case HamMushroom:
                return new HamAndMushroomPizza();
            case Deluxe:
                return new DeluxePizza();
            case Hawaiian:
                return new HawaiianPizza();
        }
        throw new IllegalArgumentException("The pizza type " + pizzaType + " is not recognized.");
    }
}
 
class PizzaLover {
    /*
     * Create all available pizzas and print their prices
     */
    public static void main (String args[]) {
        for (PizzaFactory.PizzaType pizzaType : PizzaFactory.PizzaType.values()) {
            System.out.println("Price of " + pizzaType + " is " + PizzaFactory.createPizza(pizzaType).getPrice());
        }
    }
}

CISSP TOC – Part 3 ..

Jun 19, 2008 in CISSP, Security

Chapter 9. Law, Investigation, and Ethics

Intellectual Property Law
Patents
Copyrights
Trade Secrets
Sale and Licensing
Privacy Law
Government Regulations

Criminal Law and Computer Crime
Computer Security Incidents
Advance Planning
Computer Crime Investigation

Legal Evidence
Credibility or Weight of Evidence
Proof of Authenticity
Hearsay
Best Evidence Rule
Chain of Evidence
The Fourth Amendment
Computer Forensics

Computer Ethics
Case Study: Cross-Examining the Forensics Expert
Case Study: Proving Copyright Infringement

Chapter 10. Physical Security

Classifying Assets to Simplify Physical Security Discussions

Vulnerabilities
THEFT AS THE MOST LIKELY PHYSICAL SECURITY ISSUE
Selecting, Designing, Constructing, and Maintaining a Secure Site
Site Location and Construction
Physical Access Controls
Active Physical Access Controls
Passive Controls
Power
Power Issues: Spikes, Surges, and Brownouts
Minimizing Power Problems
Environmental Controls: Air Conditioning, Humidity, and Temperature
Water Exposure Problems
Fire Prevention and Protection
Tape and Media Library Retention Policies
Document (Hard-Copy) Libraries
Waste Disposal
Physical Intrusion Detection
Table 10.2. Sensors and Other Detection Mechanisms

10.1. The Airports Council International Exercise

Wiegand access control tech ..

Jun 18, 2008 in Security

What is Wiegand technology? Some sort of access control system..

Here is a note on this:


http://www.securakey.com/docs/tcard.html#WEIGAND

While searching for info on Wiegand, found notes on hacking these types of devices:


http://blog.wired.com/27bstroke6/2007/08/badge-hack-at-d.html


http://www.hackaday.com/2007/08/04/defcon-15-exploiting-authentication-systems

CISSP Resources ..

Jun 17, 2008 in CISSP, Security

Ch. 1 – Access Control
Ch. 2 – Telecommunications and Network Security
Ch. 3 – Security Management and Practices
Ch. 4 – Applications and Systems Development Security
Ch. 5 – Cryptography
Ch. 6 – Security Architecture and Models
Ch. 7 – Operations Security
Ch. 8 – Business Continuity Planning (BCP) and Disaster Recovery
Ch. 9 – Law, Investigation, and Ethics
Ch. 10 – Physical Security

http://www.isc2.org

http://www.freepracticetests.org

Tools:

From http://en.wikipedia.org/wiki/Libpcap

* tcpdump, a tool for capturing and dumping packets for further analysis, and WinDump, the Windows port of tcpdump.
* Wireshark (formerly Ethereal), a graphical packet-capture and protocol-analysis tool.
* Snort, a network-intrusion-detection system.
* ssldump, an SSLv3/TLS analyzer. It decodes SSL records and displays them to stdout.
* Nmap, a port-scanning and fingerprinting network utility
* the Bro IDS and network-monitoring platform.
* justniffer, a tcp/http packet sniffer. It can log network traffic in a ‘standard’ (web server like) or in a customized way.
* URL Snooper, locate the URLs of audio and video files so that they can be recorded.
* Kismet, for 802.11 wireless LANs
* L0phtCrack, a password auditing and recovery application.
* NetworkMiner, a network forensic tool that extracts transferred files and identifies operating systems.
* Xplico, open source Network Forensic Analysis Tool (NFAT).
* iftop, a tool for displaying bandwidth usage (like top for network traffic)
* EtherApe, a graphical tool for monitoring network traffic and bandwidth usage in real time.
* Bit-Twist, a libpcap-based Ethernet packet generator and editor for BSD, Linux, and Windows.

Also..

* Tripwire
* Backtrack