edit /tmp/.rc_firewall
iptables -t nat -A PREROUTING -s
iptables -t nat -A PREROUTING -s
Monday, January 25, 2010
Transparent proxy on dd-wrt
Using dd-wrt firmware v24-sp2
edit /tmp/.rc_firewall
iptables -t nat -A PREROUTING -s -d client_ip_address $(nvram get lan_ipaddr) -p tcp --dport 80 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -s client_ip_address -p tcp --dport 80 -j DNAT --to proxy_ip_address:proxy_port
edit /tmp/.rc_firewall
iptables -t nat -A PREROUTING -s
iptables -t nat -A PREROUTING -s
So starter for ten,what's wrong with this URL?hXXp://www.facebook.com/l/14f37;bit.ly/6pe9H9 other than the hxxp partlink not safe for work!
Sunday, January 24, 2010
Tuesday, January 19, 2010
Microsoft issues "Quick Security References" Guides
Microsoft issues new security guides, first two on SQL injection and XSS attacks.
http://www.microsoft.com/downloads/details.aspx?FamilyID=79042476-951f-48d0-8ebb-89f26cf8979d&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=79042476-951f-48d0-8ebb-89f26cf8979d&displaylang=en
Wednesday, January 13, 2010
Sunday, January 10, 2010
'God' Mode in Windows 7
God Mode in Windows 7
A little trick allows to open a secret control panel in Windows 7 with lots of settings combined by categories in one convenient place.
You will get it in seconds. Just create a new folder in any place on your hard drive with any name, then rename it to:
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
Note the new icon appears on this folder. Now, when you open it, you get a long list of more than 280 system settings.
Secure, or not, USB drives
Taken from https://blogs.sans.org/appsecstreetfighter/2010/01/07/client-side-input-validation-is-evil/
Client Side Input Validation is Evil
Filed under Uncategorized
I said it before, and will say it again: All users are evil. Case in point: The recent secure USB key vulnerability.
These USB keys encrypt data stored on the USB key. Great idea! So now, if you loose the key, you no longer have to worry about your top secret image collection getting viewed by minors.
What was the flaw in the implementation? In order to unlock the device, you have to enter your password into software installed on your laptop / desktop. You would expect the software hashes or encrypts the password, sends it to the device, the device uses the hash to decrypt the files stored on the device. WRONG.
In this case, the client software validates the password by encrypting a specific block of data on the drive. Sadly, this block doesn’t change. So these researchers replaced the software with their own tool that just sends this fixed block of data back to the device (they actually just patched the existing software in memory to bypass the password check). To add insult to injury, these scheme was certified as FIPS-140-2 compliant. The FIPS-140 standard is used by the US federal government to certify encryption devices and FIPS-140-2 compliant USB sticks may be used in some government systems that prohibit regular USB devices. Many companies implement similar policies.
As a web developer, this reminded me of input validation using JavaScript on the client. It is nice for user convenience, but should never in lieu of server side input validation. Or using a simple “admin=Y” cookie to identify a user as administrator. Did I mention all users are evil and out to get you?
The original announcement about the USB issue can be found here: http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_Kingston_USB-Stick.pdf