thompson.julian | 1 May 2010 01:12

Re: ICMP Redirect Help

But note that the reservation is for 128.0.0.0/16, a Class B, which
would be 128.0.0.0 - 128.0.255.255.

He's talking about 128.6.x.x.

:)

On Wed, Apr 28, 2010 at 7:09 AM, Anderson Carvalho (Netplan)
<anderson <at> netplan.com.br> wrote:
> I think Mark is correct. ICMP redirects work just like Mark mentioned. Note
> that in RFC 3330, the IP range 128.0.0.0 is reserved.
>
> http://tools.ietf.org/html/rfc3330
>
> Best regards
> Anderson Carvalho
> Project Consultant
>
> Netplan Informática
> anderson <at> netplan.com.br
> Site: www.netplan.com.br
> 47 3801 3005
>
> -----Original Message-----
> From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com] On
> behalf of Mark

Ali Asghar Toraby Parizy | 1 May 2010 09:27

Re: How can I secure my site?

Hi. My host runs PHP 4.x and the PDO extension is not available. But I
have used addslashes() against SQL injection and some code to prevent bad SQL
strings.

On Sat, May 1, 2010 at 4:00 AM, Raymond <infosec <at> masterofbits.com> wrote:
> From a PHP perspective, make sure that you "clean" all of your inputs. You
> should do this on the client side and also on the server side. Never trust
> your data, and do not rely on Regular Expressions to clean your data. Stay
> away from addslashes() as well, as that provides little protection. It may
> still be possible to craft strings that will still evaluate properly to the
> database. What I mean by that is when using SQL in PHP you should use
> something like PDO (http://php.net/manual/en/book.pdo.php). With PDO you can
> use bindings for all of your inputs. That will help protect against SQL
> injection. Hope that helps some.
>
> http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html
> http://notan00b.com/2009/08/php-pdo-and-sql-injections/
>
>
> On Wed, Apr 28, 2010 at 9:05 AM, J. Bakshi <bakshi12 <at> gmail.com> wrote:
>>
>> On Wed, 28 Apr 2010 01:21:50 +0430
>> Ali Asghar Toraby Parizy <aliasghar.toraby <at> gmail.com> wrote:
>>
>> > Hi
>> > I have written a php website. In this site I sell some license and
>> > serial number. I need to protect serial numbers and user names and
>> > passwords against sniffers and crackers. Now I want to secure this
>> > site and encrypt sessions using https.
>> > What do I have to do?

Ali Asghar Toraby Parizy | 1 May 2010 09:55

Re: How can I secure my site?

Hello everybody. Thanks for your help.
I don't have an https folder on my host. When I asked my ISP, they said that
I must pay $50 for each SSL certificate. What is the difference
between an SSL certificate that we purchase from a certificate authority
and one that we create ourselves?
Given that I don't have an https folder on the host, how can I make one for myself?
Thanks for your consideration of these naive questions.

On Sat, May 1, 2010 at 10:17 AM, TAS <p0wnsauc3 <at> gmail.com> wrote:
> Hi Ali,
>
> You can also have a self-signed certificate created for free. It will be pretty
> much the same as a paid certificate, but it's just that you yourself are going
> to be the issuer as opposed to an authority like a CA or Verisign.
>
> Secondly, it will be a good idea to get a pentest done before you go live with
> the website. This pen test will pretty much take care of your concerns with
> regards to security.
>
> Once your business flourishes you can afford to buy a certificate.
>
> Cheers
> TAS!
>
> Sent from BlackBerry® - Vodafone
>
> -----Original Message-----
> From: Ali Asghar Toraby Parizy <aliasghar.toraby <at> gmail.com>
> Date: Wed, 28 Apr 2010 09:12:40
> To: <security-basics <at> securityfocus.com>
> Cc: Rockey<skg102 <at> gmail.com>
> Subject: Re: How can I secure my site?

Raymond | 1 May 2010 14:16

Re: How can I secure my site?

You should not use addslashes(). That does little to protect you.
You should at the very least use mysql_real_escape_string().

On Sat, May 1, 2010 at 3:27 AM, Ali Asghar Toraby Parizy
<aliasghar.toraby <at> gmail.com> wrote:
>
> Hi. My host runs PHP 4.x and the PDO extension is not available. But I
> have used addslashes() against SQL injection and some code to prevent bad SQL
> strings.
>
> On Sat, May 1, 2010 at 4:00 AM, Raymond <infosec <at> masterofbits.com> wrote:
> > From a PHP perspective, make sure that you "clean" all of your inputs. You
> > should do this on the client side and also on the server side. Never trust
> > your data, and do not rely on Regular Expressions to clean your data. Stay
> > away from addslashes() as well, as that provides little protection. It may
> > still be possible to craft strings that will still evaluate properly to the
> > database. What I mean by that is when using SQL in PHP you should use
> > something like PDO (http://php.net/manual/en/book.pdo.php). With PDO you can
> > use bindings for all of your inputs. That will help protect against SQL
> > injection. Hope that helps some.
> >
> > http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html
> > http://notan00b.com/2009/08/php-pdo-and-sql-injections/
> >
> >
> > On Wed, Apr 28, 2010 at 9:05 AM, J. Bakshi <bakshi12 <at> gmail.com> wrote:
> >>
> >> On Wed, 28 Apr 2010 01:21:50 +0430
> >> Ali Asghar Toraby Parizy <aliasghar.toraby <at> gmail.com> wrote:
> >>
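
The exchange above turns on three ways of getting user input into a query: addslashes(), mysql_real_escape_string(), and PDO with bound parameters. The following is an added example, not code from the thread or from any poster, written in Python against the standard-library sqlite3 module so it runs stand-alone. It models a login query three ways: raw string concatenation, concatenation after a re-implementation of PHP's addslashes() (assumed here to match the documented behaviour of escaping ', ", \ and NUL with a backslash), and bound parameters, which is the mechanism PDO's bindings use. The users table and the credentials are constructed sample data. mysql_real_escape_string() is not modelled because it needs a live MySQL connection; the point the example makes about addslashes() is that backslash escaping follows MySQL's quoting rules, not standard SQL's, so against SQLite it neither neutralises the classic tautology input nor lets a legitimate password containing an apostrophe through.

```python
import sqlite3

# Constructed sample data for the demonstration: two accounts in an in-memory table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

LOGIN_SQL_TEMPLATE = (
    "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
)


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def addslashes(s):
    """Re-implementation (assumed) of PHP's addslashes(): prefix single quote,
    double quote and backslash with a backslash, and write NUL as \\0."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def login_concat(conn, username, password):
    """Vulnerable: the input is spliced straight into the SQL text, so quote
    characters in the input change the structure of the statement."""
    sql = LOGIN_SQL_TEMPLATE % (username, password)
    return [row[0] for row in conn.execute(sql)]


def login_addslashes(conn, username, password):
    """addslashes()-style escaping before concatenation. Backslash escaping is
    MySQL's convention; SQLite escapes a quote by doubling it and treats a bare
    backslash as an illegal token, so any input containing a quote turns into a
    statement the database rejects. Returns the matched usernames, or None when
    the database refuses the SQL."""
    sql = LOGIN_SQL_TEMPLATE % (addslashes(username), addslashes(password))
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


def login_bound(conn, username, password):
    """Bound parameters (what PDO bindings do): the SQL text is fixed and the
    values travel to the engine separately, so they can never be parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # Textbook tautology input used purely to show the difference in behaviour.
    tautology = "' OR '1'='1"
    print("concat, valid password :", login_concat(db, "alice", "s3cret"))
    print("concat, tautology      :", login_concat(db, "alice", tautology))
    print("addslashes, tautology  :", login_addslashes(db, "alice", tautology))
    print("addslashes, apostrophe :", login_addslashes(db, "alice", "it's"))
    print("bound, tautology       :", login_bound(db, "alice", tautology))
    print("bound, valid password  :", login_bound(db, "alice", "s3cret"))
```

With the tautology input, the concatenated query returns every row because the predicate becomes `(username = 'alice' AND password = '') OR '1'='1'`; the bound version returns nothing because the whole input is compared as a literal password. The addslashes() variant returns None for both the tautology and the honest password `it's`: the escaping did not match the database's grammar, which is the general lesson behind Raymond's advice to use the driver's own escaping function at minimum and bindings wherever the driver offers them.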

vijaych2779 | 3 May 2010 07:42

Corporate and IT Governance for Health Informatics

I am working on a project which requires understanding of corporate & IT governance in line with ISO TS
29585, ISO 22221:2006 and NEHTA standards/guidelines. I haven't been able to get any details on the above
standards from the internet. Is there a specific site/forum I should be looking at? Any help is appreciated.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL
works, how it benefits your company and how your customers can tell if a site is secure. You will find out how
to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout,
best practices for set-up are highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

vijaych27 | 3 May 2010 01:29

Security architecture review

Hi all,

I am currently working on a project that involves security architecture review. Key points that I am
looking at would include perimeter security, placement of DMZ, redundancy, network topology (from a
security perspective), security around network services, the business's dependency on IT, etc. I
have come to realise that the review is probably going in a direction which is based on my understanding
(read as experience) of network security, which may not cover all aspects of network security. Is there a
standard/best practice/guideline that I can refer to which would cover all areas of network security?

Apologies if the question is a bit vague.
Any help/direction is much appreciated.

Daniel Hood | 3 May 2010 02:40

Auditing Windows RPC

Wondering what tools are available to me for auditing Windows servers with
various RPC services enabled.

Looking for any tools with regard to information gathering through to full-on
penetration. Google comes up with a lot of tools, but a lot of them
seem to be 2003-ish tools that don't work anymore.

Regards,

Dan

vijaych2779 | 3 May 2010 07:35

Security architecture review

Hi all,

I am currently working on a project that involves security architecture review. Key points that I am
looking at would include perimeter security, placement of DMZ, redundancy, network topology (from a
security perspective), security around network services, the business's dependency on IT, etc. I
have come to realise that the review is probably going in a direction which is based on my understanding
(read as experience) of network security, which may not cover all aspects of network security. Is there a
standard/best practice/guideline that I can refer to which would cover all areas of network security?

Apologies if the question is a bit vague.
Any help/direction is much appreciated.

Todd Haverkos | 3 May 2010 21:15

Re: Corporate domain registrar

Ivan Carlos <icarlos <at> icarlos.net> writes:

> Hi masters,
>
> Actually I use a little domain registrar affiliated with zoneedit.com
> (and InterNIC accredited) to hold my corporate international
> domains.
>
> I noticed that a lot of big companies use 2 big players - Network
> Solutions and GoDaddy - as their main registrar.
>
> Is there any issue with using these small partners, or do all these
> registrars have the same expertise and responsibility for holding and
> securing your InterNIC domains?

Hi Ivan, 

In my experience, the biggest worry is whether the 
   a) kid reselling domains out of Mom's basement, or
   b) single sole proprietor, or 
   c) any other tiny company 

...for some reason stops paying their bills to the upstream registrar
thereby:
     1) making your domain inaccessible/redirected, 
     2) leaving you without any control panel access to repoint
        your domains elsewhere
     3) leaving no one around at the losing registrar who has a
        whole lot of interest in approving your domain's transfer
        to another registrar

Walter Goulet | 3 May 2010 21:20

Re: How can I secure my site?

Hi,

The most significant difference between a certificate you create
yourself (a self-signed certificate) vs. one you get from a CA is that
users who visit your website will see a certificate error message since
the certificate is not signed by a root CA that is built into the
browser.

In order to avoid these errors, your users will have to accept the
self-signed certificate as an exception that is stored permanently in
their browser (until the certificate expires, when they will have to do
it again).

In general, it is not a good security practice to use self-signed
certificates except in very controlled, specific environments like
corporate intranets or private networks. You will also find yourself
bogged down supporting users who are wondering what the error message
means and what steps they need to take to accept the certificate as an
exception.

For a full ad nauseam treatment, I wrote a SANS gold paper on
assessing enterprise PKI deployments which has some good background on
certificates and how they are used in SSL:
http://www.sans.org/reading_room/whitepapers/auditing/analyzing-enterprise-pki-deployments_33284

Walter

On Sat, May 1, 2010 at 2:55 AM, Ali Asghar Toraby Parizy
<aliasghar.toraby <at> gmail.com> wrote:
> Hello everybody. Thanks for your help.
