Category: security

Total 23 Posts

2023 Hive Systems Password Tables

Hive Software Systems recently released their 2023 update for their password tables showing a matrix of the complexity of.a password and how long it will take to crack it using currently technology. For the full details, go to https://www.hivesystems.io/blog/are-your-passwords-in-the-green.

The post describes the different methodologies they used to create the table. It also discusses how the table has changed since 2020 with changes in technology. The full article is worth the read. My reading would recommend using a password manager to generate passwords of at least 16 characters containing random string of numbers, uppercase, lowercase and symbols. But if you are using a password manager, you may as well make that random string even longer…

Categories of Cyber Attack

The Sept./Oct. 2012 issue of CrossTalk: The Journal of Defense Software Engineering in the article "Identifying Cyber Ecosystem Security Capabilities" by Peter M. Fonash has a table of cyber attack categories. The list is presented here for reference:

  • Attrition (brute force)
  • Malware
  • Hacking
  • Social Tactics
  • Improper Usage (Insider Attack
  • Physical Action / Loss or Theft of Equipment
  • Multiple Component (Combining multiple techniques)
  • Other

I have found list list useful when considering areas of risk.

 

Security Enumerations

The September/October 2009 Crosstalk has an article by Robert A. Martin entitled "Making Security Measurable and Manageable" which includes a list of security enumerations. The security enumerations are:

  • CVE
  • Common Weakness Enumeration (CWE)
  • Common Attack Pattern Enumeration and Classification (CAPEC)
  • Common Configuration Enumeration (CCE)
  • Common Platform Enumeration (CPE)
  • The SANS Institute Top 20 Security Risks
  • Open Web Application Security Project’s Top 10
  • Web Application Security Consortium’s Threat
  • CWE/SANS Top 25 Most Dangerous Programming Errors

 

Simple Java Program to Verify SSL Certificate

I was recently install some certificates into my local store and wanted to verify that they were working correctly. I put together a simple Java program that verifies the target sites can be loaded.


/**
* SSL Test -- tests that JVM is configured correctly to load an SSL certificate
*/
package com.meesqa.sample;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.GetMethod;

public class SSLTest
{

public static final String test1URL = "https://www.google.com/";
public static final String test2URL = "https://login.live.com/";

public static void testURL( String url )
{
HttpClient client = new HttpClient();
HttpMethod method = new GetMethod( url );

try
{
client.executeMethod( method );

if( method.getStatusCode() == HttpStatus.SC_OK )
{
System.out.println( url + " access OK." );
}
else
{
System.out.println( url + " access FAILED." );
}
}
catch( Exception e )
{
System.out.println( url + " access FAILED with an exception: " + e.getMessage() );
}
}

public static void main( String[] args )
{
SSLTest.testURL( test1URL );
SSLTest.testURL( test2URL );
}

}

Running the program tests the 2 urls specified:

java com.meesqa.sample.SSLTest
https://www.google.com/ access OK.
https://login.live.com/ access OK.

 

Reference – Security Bug Assessment Model – STRIDE

Before the current focus on security at Microsoft, all security bugs at Microsoft were rated using the DREAD model. (See prior post). Now, Microsoft rates each security bug using the STRIDE model. STRIDE is an acronym that stands for:

  • Spoofing
  • Tampering
  • Repudiation
  • Information Discovery
  • Denial of Service (DoS)
  • Elevation of Privilege (EoP)

 

Security Reference: CIA Triad

In security parlance, the following 3 points make up the "CIA Triad":

  • Confidentiality
  • Integrity
  • Availability

The Wikipedia article on the CIA Triad describes confidentiality in this context as "prevent the disclosure of information to unauthorized individuals or systems"; integrity as "data cannot be modified without authorization"; and availability is described as when the information can be accessed.

Two Cross Site Scripting Cheat Sheets

I love cheat sheets. They jog my memory about things I need to do or should test for – especially when I have not done it for awhile.

From a test perspective, my favorite test value cheat sheet for cross site scripting (XSS) is http://ha.ckers.org/xss.html. If you have not tried out these samples (and variations on the themes) in your own web application, you need to do it now.

From a developer perspective, OWASP’s (Open Web Application Security Project) XSS (Cross Site Scripting) Prevention Cheat Sheet provides a set of rules to implement.

 

The Power of Ten – Rules for Developing Safety Critical Code

I was reading an article when I saw a reference to how NASA’s Jet Propulsion Laboratory (JPL) was using 10 simple coding guideline to develop safe code. The article referenced the following URL: http://spinroot.com/p10/. Going to this site, you will discover that the work was originally published in the June 2006 issue of IEEE Computer in The Power of Ten – Rules for Developing Safety Critical Code by Gerard J. Holzmann.

The paper and site describes 10 rules:

  1. Restrict to simple control flow constructs.
  2. Give all loops a fixed upper-bound.
  3. Do not use dynamic memory allocation after initialization.
  4. Limit functions to no more than 60 lines of text.
  5. Use minimally two assertions per function on average.
  6. Declare data objects at the smallest possible level of scope.
  7. Check the return value of non-void functions, and check the validity of function parameters.
  8. Limit the use of the preprocessor to file inclusion and simple macros.
  9. Limit the use of pointers. Use no more than two levels of dereferencing per expression.
  10. Compile with all warnings enabled, and use one or more source code analyzers.

Check the site and the paper out.

 

New Security Paradigms Workshop

I was listening to Security Now 229: The Rational Rejection of Security Advice when there was a reference to site/conference that I found intriguing. The entire episode was based on a paper from the conference.

The site, www.nspw.org, is the companion to the "New Security Paradigms Workshop" events. The description of the workshop is what I find so fascinating:

The New Security Paradigms Workshop (NSPW) is an annual, small invitation-only workshop for researchers in information security and related disciplines. NSPW’s focus is on work that challenges the dominant approaches and perspectives in computer security. In the past, such challenges have taken the form of critiques of existing practice as well as novel, sometimes controversial, and often immature approaches to defending computer systems. By providing a forum for important security research that isn’t suitable for mainstream security venues, NSPW aims to foster paradigm shifts in information security.

It happens that all of the proceedings for the conference are available online. Well worth reviewing.