Search Results

Search found 22139 results on 886 pages for 'security testing'.

Page 137/886 | < Previous Page | 133 134 135 136 137 138 139 140 141 142 143 144  | Next Page >

• Some hint to program a webservice "by subscription"

  - by Eagle

  I have some web sites programmed, I know to do it with python and PHP basically. Normally they are simple web sites, but now I want to provide REST web services but only for allowed users (allowed by me). I saw that a lot of services uses the "KEY" and "SECRET_KEY" concepts, which seems to be what I need (if I understand it right). My suppositions are: If I only do a GET service to retrieve, e.g., all my clients, without anymore, anyone can retrieve my clients without limitations. I will need some KEY generator to provide keys for my allowed users, so they can use my webservices. Only with a KEY is not enough: someone can steal a KEY and supplant my user (and this is the reason because exists a SECRET_KEY, right?). If all this is right, how can I make/use a system like that in my web services? Some open source example? Or maybe there are another easy solutions I'm not considering? My objective is to allow some users to use my web services.

  Read the article

• How do you determine whether a website is a scam [closed]

  - by Tom

  What's the best way to determine if a website is a scam. For example, at first sight (no pun intended) the following website seems to be legitimate. But the price of the product is suspiciously low (all the reviews point to an RRP of approximately £1000). http://www.maxiargos.com/index.php/asus-zenbook-ux31e-dh72-13-3-inch-thin-and-light-ultrabook-silver-aluminum.html Another indication is the lack of SSL for the checkout page, and lack of useful information in the WHOIS record. Registration Service Provided By: TMDHOSTING Contact: +1.8665325635 Domain Name: MAXIARGOS.COM Registrant: PrivacyProtect.org Domain Admin ([email protected]) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 AU Tel. +45.36946676 Creation Date: 09-Nov-2011 Expiration Date: 09-Nov-2012 Domain servers in listed order: ns1.tmdhosting410.com ns2.tmdhosting410.com Administrative Contact: PrivacyProtect.org Domain Admin ([email protected]) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 AU Tel. +45.36946676 Technical Contact: PrivacyProtect.org Domain Admin ([email protected]) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 AU Tel. +45.36946676 Billing Contact: PrivacyProtect.org Domain Admin ([email protected]) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 AU Tel. +45.36946676

  Read the article

• How to Configure Windows Defender

  The existence of spyware and other unwanted irritations on the Web is so widespread that keeping your PC protected is an absolute must. Microsoft responded to this need with the inclusion of its Windows Defender program with Windows 7. Windows Defender does exactly what its name suggests, which is to defend your PC from spyware and other malicious programs. It does this first with real-time protection that notifies you if any spyware tries to run on your computer or if a program tries to change any vital settings in Windows. Windows Defender also helps to keep your computer protected thro...

  Read the article

• Designing An ACL Based Permission System

  - by ryanzec

  I am trying to create a permissions system where everything is going to be stored in MySQL (or some database) and pulled using PHP for a project management system I am building.  I am right now trying to do it is an ACL kind of way.  There are a number key features I want to be able to support: 1.  Being able to assign permissions without being tied to a specific object. The reason for this is that I want to be able to selectively show/hide elements of the UI based on permissions at a point where I am not directly looking at a domain object instance.  For instance, a button to create a new project should only should only be shown to users that have the pm.project.create permission but obviously you can assign a create permission to an domain object instance (as it is already created). 2.  Not have to assign permissions for every single object. Obviously creating permissions entries for every single object (projects, tickets, comments, etc…) would become a nightmare to maintain so I want to have some level of permission inheritance. *3.  Be able to filter queries based on permissions. This would be a really nice to have but I am not sure if it is possible.  What I mean by this is say I have a page that list all projects.  I want the query that pulls all projects to incorporate the ACL so that it would not show projects that the current user does not have pm.project.read access to.  This would have to be incorporated into the main query as if it is a process that is done after that main query (which I know I could do) certain features like pagination become much more difficult. Right now this is my basic design for the tables: AclEntities id - the primary key key - the unique identifier for the domain object (usually the primary key of that object) parentId - the parent of the domain object (like the project object if this was a ticket object) aclDomainObjectId - metadata about the domain object AclDomainObjects id - primary key title - simple string to unique identify the domain object(ie. project, ticket, comment, etc…) fullyQualifiedClassName - the fully qualified class name for use in code (I am using namespaces) There would also be tables mapping AclEntities to Users and UserGroups. I also have this interface that all acl entity based object have to implement: IAclEntity getAclKey() - to the the unique key for this specific instance of the acl domain object (generally return the primary key or a concatenated string of a composite primary key) getAclTitle() - to get the unique title for the domain object (generally just returning a static string) getAclDisplayString() - get the string that represents this entity (generally one or more field on the object) getAclParentEntity() - get the parent acl entity object (or null if no parent) getAclEntity() - get the acl enitty object for this instance of the domain object (or null if one has not been created yet) hasPermission($permissionString, $user = null) - whether or not the user has the permission for this instance of the domain object static getFromAclEntityId($aclEntityId) - get a specific instance of the domain object from an acl entity id. Do any of these features I am looking for seems hard to support or are just way off base? Am I missing or not taking in account anything in my implementation? Is performance something I should keep in mind?

  Read the article

• MCrypt Module, Rijndael-256

  - by WernerCD

  An outside company is redoing our company Intranet. During some basic usage I disovered that the "User Edit" screens, with the "Password: *" boxes have the password in plain text, with the text box "type=password" to "hide" the password. The passwords are not store in the database as plain text, they are stored encrypted using "rijndael-256" cypher using the mcrypt module. I know that if I encrypt a password with SHA*, the password is "Unrecoverable" via one-way encryption. Is the same of MCrypt Rijndael-256 encryption? Shouldn't an encrypted password be un-recoverable? Are they blowing smoke up my rear or just using the wrong technology?

  Read the article

• How to protect own software from copying [closed]

  - by Zzz

  Possible Duplicate: How do you prevent the piracy of your software? Is possible to protect some file from copying if you are administrator of machine? I heard some story about some behavior: one software developer sells his software in some way. He is installing it on every client's computer and this software does not work on other computers or cannot be copied physically. How to implement the first and second protection. Is it effectively protection if software costs about $100 for all copies across client's company?

  Read the article

• My computer may have been compromised, what should I do?

  - by InkBlend

  A few weeks ago, my machine (lets call it "main") was logged into wirelessly from an unauthorized host, probably using ssh. I did not detect the intrusion until a few days ago, and my machine is completely shut down. I found the login using this line from last: myusername pts/1 ipad Tue Oct 15 22:23 - 22:25 (00:02) Needless to say, not only does no one in my family own an iPad, but almost none of my friends do, either. This makes me suspect that whoever was behind this changed the hostname of their machine. Additionally, I discovered this line in the last output on another machine of mine ("secondary"): myusername pts/2 :0 Tue Oct 15 22:23 - 22:23 (00:00) This line coincides with the timestamp from main, which has password-less ssh access (through keys) to secondary. Is it possible that whoever broke in to main has also rooted secondary? How can I prevent this from happening again? Are there logs that I can look through to determine exactly how main was accessed (I am the only user on the system and have a very strong password)? Is it at all possible that this is just a weird bug that occurred? Should I, and where should I start looking for rootkits and/or keyloggers? In short, what should I do?

  Read the article

• Why can't non-admin users install software?

  - by fiftyeight

  This is probably something I don't understand since I am used to Windows and am only starting out with Ubuntu. I know that software in linux comes in packages what I don't understand is why can't non-admin users install software. I mean, every application is run by a specific user, and that user will only be able to run that applciation with his privilages, so if he has no admin privileges, the application also won't be able to access unauthorized directories etc. I want most of the time to work on my PC with a non-admin user since it seems more safe to me, most of the time I have no need for admin privileges. and even though I know viruses in linux are uncommon I still think the best practice is to work on the computer in a state that you yourself can't make any changes to important files, that way viruses also can't harm any important files, but I need to install software for programming and web-design etc. and first of all I don't want to switch users all the time. But also it sounds safer to me that everything being done on the PC will be done through the non-admin user. I'll be glad to know what misunderstanding I have here, cause something here doesn't sound right.

  Read the article

• How do you go about checking your open source libraries for keystroke loggers?

  - by asd

  A random person on the internet told me that a technology was secure(1), safe to use and didn't contain keyloggers because it is open source. While I can trivially detect the key stroke logger in this open source application, what can developers(2) do to protect themselves against rouge committers to open source projects? Doing a back of the envelope threat analysis, if I were a rogue developer, I'd fork a branch on git and promote it's download since it would have twitter support (and a secret key stroke logger). If it was an SVN repo, I'd create just create a new project. Even better would be to put the malicious code in the automatic update routines. (1) I won't mention which because I can only deal with one kind of zealot at a time. (2) Ordinary users are at the mercy of their virus and malware detection software-- it's absurd to expect grandma to read the source of code of their open source word processor's source code to find the keystroke logger.

  Read the article

• Hacked by our own hosting company!

  - by dazhall

  OK, so our hosting company decided to clone our site and database onto a new serve. Without our knowledge or permission they then edited our code to point to the new database. The old server was left running, still pointing at the original database. The DNS was changed to reflect the new IP address of the server. Obviously during the propagation customers were hitting both the new and old servers, resulting in orders coming in to both databases, sometimes being split between the two. We're now attempting to reconcile the two databases. The question I have is is it still hacking if it was done by your own hosting company?! I'm fairly sure they shouldn't have edited our code! If they had left it as it was the site would have stayed pointed at the original database and we wouldn't be in this mess! I'm thinking that legal advice is need but just wanted to know if anyone had ever come across this situation before?!

  Read the article

• Blocking path scanning

  - by clinisbut

  I'm seeing in my access log a number of request very suspicious: /i /im /imaa /imag /image /images /images/d /images/di /images/dis They part from a known resource (in the above example /images/disrupt.jpg). All comming from same IP. Requests varies from 1/sec to 10/sec, seems somewhat random. It's obviously they are trying to find something and seems they are using a script. How do I block this kind of behaviour? I though of blocking the IP request, at least for a given time. Keeping in mind that: Request intervals seems legitimate (at least I think so). I don't want to end blocking a search engine bot, which may find 404 urls too (and that's a different problem, I know). ¿Do they use always same IP?

  Read the article

• Avoiding "double" subscriptions

  - by john smith

  I am working on a website that requires a bit of marketing; let me explain. This website is offering a single, say, iTunes 50$ voucher to a lucky winner. To be entered in the draw, you need to invite (and has to join) at least one friend to the website. Pretty straightforward. Now, of course it would be easy for anyone to just create a fake account and invite that account so, I was thinking of some other way to somehow find out of possible cheating. I was thinking of an IP check on the newly subscribed (invited) user, and if there is the same IP logged in the last 24 hours, and if that's the case, investigate more about it. But I was thinking that maybe there is a more clever way around this issue. Has anyone ever though about this? What other solutions did you try? Thanks in advance.

  Read the article

• Identify "non-secure" content IE warns about [on hold]

  - by Doug Harris

  As many know, if you serve a page over https and the content loads resources (images, stylesheets, js, SWF objects, etc) over http, older versions of Internet Explorer will show the user a warning saying "This page contains both secure and non-secure items". This is discomforting to many non-technical users. Usually, I can look at the HTML source and identify which item(s) are triggering this error. Sometimes a Flash object will load something else or some embedded javascript will put a new object in the DOM and trigger this. What tools are good for quickly tracking down the source of the warning?

  Read the article

• Is file permission secured when it transferred from Ubuntu to Windows?

  - by Gaurav_Java

  I am having 9GB text file which is encrypted . This file contains some confidential data . Which is on my system(Ubuntu) and my external HDD (ntfs) . This file get daily updated and then encrypted . But it has to be shared among 2-3 (Windows) person. I defined permission so that no other person can even read this file(chmod 660). It is too large file, so I can't upload it anywhere and it get updated daily basis. But this file travel on Windows OS and Ubuntu also. Even I am having copy of this on my personal computer. Recently it was deleted by some other user over Windows . I just want to know how can I set permission over that file so that it cannot be deleted from any other operating system. If someone delete this file, then I am having data old for couple of days, which is only on my system. I gone through this question it says there is nothing. And from this question I am not able to understand how can I protect it. Can I do anything for preventing this file from being deleted. Then how can I secure this files from getting deleted any suggestion or software or ideas. Maybe I sound silly or this is stupid question. Please don't close it, thanks for any suggestion or solution.

  Read the article

• Is this safe? <a href=http://javascript:...>

  - by KajMagnus

  I wonder if href and src attributes on <a> and <img> tags are always safe w.r.t. XSS attacks, if they start with http:// or https://. For example, is it possible to append javascript: ... to the href and src attribute in some manner, to execute code? Disregarding whether or not the destination page is e.g. a pishing site, or the <img src=...> triggers a terribly troublesome HTTP GET request. Background: I'm processing text with markdown, and then I sanitize the resulting HTML (using Google Caja's JsHtmlSanitizer). Some sample code in Google Caja assumes all hrefs and srcs that start with http:// or https:// are safe -- I wonder if it's safe to use that sample code. Kind regards, Kaj-Magnus

  Read the article

• How to secure Ubuntu for a non-technical user? (your mom)

  - by Gil

  My mother will be traveling for a while and I need to provide her with a secure laptop so she can work. A windows laptop is out of the question because: she'll be logging into dodgy hotel wireless networks and conference networks price of the windows license to install on a netbook I've installed libreoffice, media players and skype on it. Also enabled SSH so I can intervene but I am worried that I might not be in a position to do so. Possible threats: web browsing USB sticks insecure networks prone to intrusions malware SSH/VNC vulnerabilites Skype vulnerabilities All the "securing Ubuntu" guides out there assume the user has a certain level of technical knowledge but this is not the case with moms in general. If a malware can gain even user level access it might compromise her files.

  Read the article

• Setting to protect gnome-terminal from key logging

  - by yanychar

  Looks like it is easy to log keystrokes of all processes of the same user. A basic keylogger is 'xinput'. xinput test-xi2 The command generates log of all key-presses. Unfortunately, this includes passwords in gnome-terminal. Googling suggested that grabbing keyboard may prevent other windows from capturing key strokes. Is there a way to prevent XI2 logging in gnome-terminal? Or is there an X terminal that has this feature?

  Read the article

• Help writing server script to ban IP's from a list

  - by Chev_603

  I have a VPS that I use as an openvpn and web server. For some reason, my apache log files are filled with thousands of these hack attempts: "POST /xmlrpc.php HTTP/1.0" 404 395 These attack attempts fill up 90% of my logs. I think it's a WordPress vulnerability they're looking for. Obviously they are not successful (I don't even have Wordpress on my server), but it's annoying and probably resource consuming as well. I am trying to write a bash script that will do the following: Search the apache logs and grab the offending IP's (even if they try it once), Sort them into a list with each unique IP on a seperate line, And then block them using the IP table rules. I am a bash newb, and so far my script does everything except Step 3. I can manually block the IP's, but that's tedious and besides, this is Linux and it's perfectly capable of doing it for me. I also want the script to be customizable so that I (or anyone else who wants to use it) can change the variables to suit whatever situation I/they may deal with in the future. Here is the script so far: #!/bin/bash ##IP LIST GENERATOR ##Author Chev Young ##Script to search Apache logs and list IP's based on custom filters ## ##Define our variables: DIRECT=~/Script ##Location of script&where to put results/temp files LOGFILE=/var/log/apache2/access.log ## Logfile to search for offenders TEMPLIST=xml_temp ## Temporary file name IP_LIST=ipstoban ## Name of results file FILTER1=xmlrpc ## What are we looking for? (Requests we want to ban) cd $DIRECT if [ ! -f $TEMPLIST ];then touch $TEMPLIST ##Create temp file fi cat $LOGFILE | grep $FILTER1 >> $DIRECT/$TEMPLIST ## Only interested in the IP's, so: sed -e 's/\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*$/\1/' -e t -e d $DIRECT/$TEMPLIST | sort | uniq > $DIRECT/$IP_LIST rm $TEMPLIST ## Clean temp file echo "Done. Results located at $DIRECT/$IP_LIST" So I need help with the next part of the script, which should ban the IP's (incoming and perhaps outgoing too) from the resulting $IP_LIST file. I don't care if it utilizes UFW or IPTables directly, as long as it bans the IP's. I'd probably run it as a cron task. What I'm having trouble with is understanding how to use line of the result file as a seperate variable to do something like: ufw deny $IP1 $IP2 $IP3, ect Any ideas? Thanks.

  Read the article

• How can I allow a user to stream my videos securely?

  - by John Baber

  I've got a script that records 10 minute videos from a webcam to video1.mp4 video2.mp4 video3.mp4 video4.mp4 Then records over video1 again in rotation. I'd like one user to be able to view these in winamp or itunes by having a playlist with the four of them on repeat. (This is my way of getting around the many hours of figuring out how to actually livestream from a webcam with VLC). I don't see any examples of things like icecast being used for video, and I don't see any mentions of secure streaming. My question is, is there any way to have these videos be seen securely? I can do things like https on my server, but I don't have great access to the user's machine, so just sharing a directory by samba or sshfs isn't much of an option.

  Read the article

• Making Agile and DevOps methodology compatible with PCI requirements

  - by kenchew

  Would like to hear from those working in a PCI compliance environment and is practicing agile development and devops methodology, how you maintain compliance with PCI requirements. Specifically, what do you do to address: separation of duties between development/test and production alignment of continuous integration / deployment and change control alignment of agile stories to requirement documentation

  Read the article

• Steps after SQL Injection detected

  - by Zukas

  I've come across SQL injection vulnerabilities on my companies ecommerce page. It was fairly poorly put together. I believe I have prevented future attempts however we are getting calls about fraudulent credit card charges on our site and others. This leads me to believe that someone was able to get a list of our credit card numbers. What doesn't make sense is that we don't store that information and we use Authorize.net for the transaction. If someone was able to get the CC#s, what should I do next? Inform ALL of our customers that someone broken into our system and stole their information? I have a feeling that will be bad for business.

  Read the article

• Significant number of non-HTTP requests hitting my site

  - by Mark Westling

  I'm seeing a significant number of non-HTTP requests hitting a site I just launched. They show up in the server (nginx) logs as non-ASCII and get rejected (correctly) with a 400 status. Here are some lines from the log: 95.132.198.189 - - [09/Jan/2011:13:53:30 -0500] "œ$A\x10õœ²É9J" 400 173 "-" "-" 79.100.145.126 - - [09/Jan/2011:13:57:42 -0500] "#§i²¸oYi á¹„\x13VJ—x·—œ\x04N \x1DÔvbÛè½\x10§¬\x1E0œ_^¼+\x09ÜÅ\x08DÌÃiJeT€¿æ]œr\x1EëîyIÐ/ßýúê5Ǹ" 400 173 "-" "-" 79.100.145.126 - - [09/Jan/2011:13:58:33 -0500] "¯Ú%ø=Œ›D@\x12¼\x1C†ÄÀe\x015mˆàd˜Û%pÛÿ" 400 173 "-" "-" What should I make of this? Is this some sort of scripted attack? Or could these be correct requests that have somehow been garbled? They're not affecting the performance of the site and I'm not seeing any other signs of attacks (e.g., no strange POSTs) so at this point I'm more curious than afraid.

  Read the article

• Automatically locking screen without shutting it off

  - by milkandtang

  Hey everyone— I have a home theater PC running Ubuntu 11.10, outputting over HDMI (for audio and video). I'm having an issue: I'd like the screen to lock automatically (when video is not playing, of course) but do not want the screen to turn off automatically, because that kills audio. I can manually lock the screen, of course, but it appears that if you set the "Turn off screen" setting to "never", the screen will never lock, no matter what the "lock screen" timeout is set to. Is there a way to do what I'm asking, or will I have to install xscreensaver?

  Read the article

• How to protect Ubuntu from fork bomb

  - by dblang

  I heard someone talking about a fork bomb, I did some research and found some dreadful information about some strange looking characters people can have you type at the command line and as a result do bad things on the computer. I certainly would not issue commands I do not understand but one never knows what can happen. I heard that some OS allows the administrator to place some limit on user processes to mitigate the effects of fork bombs, is this protection in Ubuntu by default or would a person with sudo privilege have to set this? If so, how?

  Read the article

• Paypal hide address [closed]

  - by Rob F

  I hope this question is okay for this website, to me it seemed most fitting among the stackexchange sites at least. 8) I want to release my software for free, but allow donations for it. So far, I couldn't find any option in Google Checkout to set up a donation button (and website link). I am registered as merchant, but am still waiting for my bank account verification code, that may be the reason. But then, I guess I will not be able to use it anyway because it seems the 'Donation' functionality requires to be a nonprofit organization. My understanding of 'Donation' seems to be unknown to Google (yet). So unfortunately, the one remaining option is Paypal. However, even having upgraded my account to a business account, I can find no option how to remove my living address from the Checkout pages. Basically I have nothing to hide ;) but feel uncomfortable having my address displayed publicly because of the kind of software I'm offering. We live in a world with crazy people it seems, and I don't want to have nightmares of people knocking on my doors at night. So is there a way to deactivate my address from being displayed on Paypal's checkout pages?

  Read the article

< Previous Page | 133 134 135 136 137 138 139 140 141 142 143 144  | Next Page >