www.privoxy.org
crunch-server-header
Typical use:
Remove a server header Privoxy has no dedicated action for.
Effect:
Deletes every header sent by the server whose line contains the string supplied as the parameter.
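An added illustration of how the action is written in a Privoxy actions file (this fragment is not from the Privoxy documentation; the header names and the site pattern are examples). The parameter is matched as a plain substring of the whole header line, so the more specific it is, the less chance of removing an unrelated header:

```text
# Drop "X-Powered-By" from every response, since no dedicated action exists for it.
{+crunch-server-header{X-Powered-By}}
/

# Crunch the "Server" header for one site only. Including the colon keeps the
# match from hitting a header whose value merely contains the word "Server".
{+crunch-server-header{Server:}}
.example.com
```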
Monday, May 31, 2010
Monday, May 17, 2010
.htaccess setup on apache2
Set Apache Password Protected Directories With .htaccess File
Step # 1: Make sure Apache is configured to use .htaccess file
In the Apache configuration, the Directory section for the document root (/var/www/ in this post) must allow authentication overrides from .htaccess:
<Directory /var/www/>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
Save the file and restart Apache
# /etc/init.d/apache-perl restart
Step # 2: Create a password file with htpasswd
The syntax is:
htpasswd -c password-file username
Create the directory outside the Apache document root, so that only Apache can reach the password file. The password file must be somewhere not accessible from the web, so that nobody can download it:
# mkdir -p /home/secure/
Add a new user called remote:
# htpasswd -c /home/secure/apasswords remote
Now allow the Apache user www-data to read the password file:
# chown www-data:www-data /home/secure/apasswords
# chmod 0660 /home/secure/apasswords
Create the .htaccess file with a text editor:
# cd /var/www/
# vi .htaccess
Add the following text:
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/secure/apasswords
Require user remote
Save the file and exit to the shell prompt.
Step # 3: Test your configuration
Open your browser and go to http://ip-address/
When prompted for a username and password, supply the username remote and its password.
Troubleshooting
If the password is not accepted, or to troubleshoot other authentication problems, follow the Apache access.log and error.log files (the original used tailf -f, but tailf takes no -f option; tail -f does the same job):
# tail -f /var/log/apache2/access.log
# tail -f /var/log/apache2/error.log
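An added sanity check for the layout built in the steps above (example code, not from the original post). It assumes the post's paths, document root /var/www and password file /home/secure/apasswords, but takes both as arguments and builds a throwaway copy to demonstrate itself:

```shell
#!/bin/sh
# Added example, not part of the original post: checks that the password
# file sits outside the document root, is not world-readable, is the one
# .htaccess points at, and holds an entry for every "Require user" line.

# check_htauth DOCROOT PASSWDFILE -> 0 when the setup is sound, 1 otherwise
check_htauth() {
    docroot=${1%/}; pw=$2; rc=0
    # A password file under the document root could simply be requested
    # over HTTP, which is exactly what the post warns against.
    case "$pw" in
        "$docroot"/*) echo "FAIL: $pw is inside $docroot" >&2; rc=1 ;;
    esac
    [ -f "$pw" ] || { echo "FAIL: $pw does not exist" >&2; return 1; }
    # Column 8 of 'ls -l' is the "other read" bit; the post's 0660 leaves
    # it clear. A world-readable file exposes the hashes to local users.
    if [ "$(ls -l "$pw" | cut -c8)" != "-" ]; then
        echo "FAIL: $pw is world-readable" >&2; rc=1
    fi
    # .htaccess must reference exactly this file.
    if ! grep -qxF "AuthUserFile $pw" "$docroot/.htaccess" 2>/dev/null; then
        echo "FAIL: $docroot/.htaccess does not use $pw" >&2; rc=1
    fi
    # Every user granted by "Require user" needs an entry, or logins fail.
    for u in $(sed -n 's/^Require user //p' "$docroot/.htaccess" 2>/dev/null); do
        grep -q "^$u:" "$pw" || { echo "FAIL: no entry for user $u" >&2; rc=1; }
    done
    return $rc
}

# Stand-alone demo on a temporary copy of the layout. The hash is a
# constructed placeholder, not the output of a real htpasswd run.
demo() {
    t=$(mktemp -d); mkdir -p "$t/var/www" "$t/home/secure"
    pw="$t/home/secure/apasswords"
    printf 'remote:$apr1$placeholder$CONSTRUCTEDHASH\n' > "$pw"
    printf 'AuthType Basic\nAuthName "Restricted Access"\nAuthUserFile %s\nRequire user remote\n' \
        "$pw" > "$t/var/www/.htaccess"
    chmod 0660 "$pw"
    check_htauth "$t/var/www" "$pw" && echo "0660 outside docroot: OK"
    chmod 0664 "$pw"
    check_htauth "$t/var/www" "$pw" || echo "0664: rejected as expected"
    rm -rf "$t"
}
demo
```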
Labels:
howto
Sunday, May 16, 2010
Timeline tool
Just a reminder of the tool
http://simile.mit.edu/wiki/Timeline
as I always have trouble tracking it down
UPDATE
Now moved to http://www.simile-widgets.org/
Example of the sort of things it can do
http://www.simile-widgets.org/timeline/examples/jfk/jfk.html
Labels:
incident response,
timeline
Tuesday, May 4, 2010
Threat Modelling Process
A general, high-level overview of the common steps in threat modeling from the defensive perspective:
* Define the application requirements:
    o Identify business objectives
    o Identify the user roles that will interact with the application
    o Identify the data the application will manipulate
    o Identify the use cases for operating on that data that the application will facilitate
* Model the application architecture:
    o Model the components of the application
    o Model the service roles that the components will act under
    o Model any external dependencies
    o Model the calls from roles to components, and eventually to the data store, for each use case identified above
* Identify any threats to the confidentiality, availability and integrity of the data and the application, based on the data access control matrix that your application should be enforcing
* Assign risk values and determine the risk responses
* Determine the countermeasures to implement based on your chosen risk responses
* Continually update the threat model based on the emerging security landscape.
Sunday, May 2, 2010
Protecting Against Password Reset Attacks
from Security Bloggers Network by Randy Abrams
As I previously blogged today, the hacker who broke into Sarah Palin’s Yahoo account was convicted on two charges. The way that David Kernell gained access to Palin’s email account was by trying to log into her account, saying “I forgot my password” and then correctly answering the password reset questions. Some of the questions had answers that were public information and others were easily guessed.
When you have to choose a password reset question, always use the wrong answer. There is typically only one correct answer to the questions and often times the answer is known by others. There are an infinite number of wrong answers, so it is extremely difficult for an attacker to correctly answer the reset questions if you use the wrong answer.
Now, here’s the tricky part… How do YOU remember the wrong answers? You can write them down. You can use tricks such as a theme. For example, if you like Star Wars, then perhaps your first car was the Millennium Falcon. Your first pet was a wookie. For me, I use the comment field in Password Corral.
The password reset attack is a fairly easy attack, but fortunately the defense is quite easy too!