Tag Archives: Security

Infoweek security issues

Today, while I was surfing the website of InfoWeek, a leading IT magazine in Switzerland, in order to change my email subscription, I was greeted with the following error message:

At first I was happy to see that they are using CFML as their deployment platform of choice, but when looking at the above code I saw some poor coding techniques at work.

First off, one should never use “*” to fetch all columns from the database. It slows the database server down and is poor man's coding style. In today's tool environment there is no excuse for using “*” anymore (I am talking about production use here).

The next thing is that the variable “MailAdress” is not scoped and, far worse, is subject to the famous SQL Injection, because the developers neglected the <cfqueryparam> tag. Sure enough, I was able to log in to my account by adding the variable to the URL. If I wanted to, I could even see and alter other people's email addresses.

The solution to the above is so simple, one wonders why developers still choose to neglect it. With a simple

<cfqueryparam cfsqltype="cf_sql_varchar" value="#post.MailAdress#">

the variable is scoped and secured against SQL Injection code at the same time.
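Here is the pattern described above beside its fixed version, as an added example (not InfoWeek's code). It assumes a datasource called newsletter and a table subscribers with the columns id, MailAdress and active, and it reads the posted field from CFML's built-in form scope, which is what the post. prefix above is taken to refer to.

```cfml
<!--- Added example (not InfoWeek's code). Assumed: datasource "newsletter",
      table "subscribers" with columns id, MailAdress and active. --->

<!--- VULNERABLE: unscoped variable concatenated straight into the SQL text.
      CFML resolves a bare "MailAdress" by searching several scopes, URL
      included, so the lookup can be steered from the query string, and a
      single quote in the value becomes part of the SQL statement. --->
<cfquery name="qSubscriber" datasource="newsletter">
    SELECT * FROM subscribers WHERE MailAdress = '#MailAdress#'
</cfquery>

<!--- FIXED: validate the input, name the scope, list the columns you need,
      and bind the value with cfqueryparam. The value travels to the database
      separately from the SQL text, so it is never parsed as SQL; cfsqltype
      and maxlength reject mistyped or oversized input before it gets there. --->
<cfif NOT isValid("email", form.MailAdress)>
    <cfabort showerror="Invalid eMail address">
</cfif>

<cfquery name="qSubscriber" datasource="newsletter">
    SELECT id, MailAdress, active
    FROM subscribers
    WHERE MailAdress = <cfqueryparam cfsqltype="cf_sql_varchar"
                                    value="#form.MailAdress#"
                                    maxlength="254">
</cfquery>

<cfif qSubscriber.recordCount EQ 1>
    <!--- exactly one subscriber matched: continue with the subscription change --->
<cfelse>
    <!--- no match: stop here rather than falling through to another account --->
</cfif>
```

The recordCount check matters as much as the bind parameter: a lookup that is expected to identify one account should refuse to continue when it matches zero rows or more than one.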

As long as I see applications like this on the web (believe me, I see a couple of these things a week) I am sure my company has enough to do :-) ... and yes, I did call them and told them about the error, but it looks like they are not in a hurry to fix it.


Apple Security Update 2008-002

Looks like an Update Day from Apple. Apple just released “Security Update 2008-002” for 10.5.2 and, I believe, 10.4.11. The update addresses issues with:

  • Apache: Updated to 2.2.8/1.3.41 to address several vulnerabilities
  • FireWall
  • OpenSSH: A remote attacker may be able to execute arbitrary code with elevated privileges
  • PHP: PHP is updated to version 5.2.5/4.4.8 to address multiple vulnerabilities
  • Preview: Saving to encrypted PDF in Preview produces files that may be read without the password
  • and much more…

Looks to be quite an important update for your own safety. You can read the full release notes here. The update can be obtained with the built-in Software Update function.


Small Guide for eMail Security and Encryption

eMail has without a doubt become one of the most important communication tools of this day and age. But when eMail was introduced, the Internet was still a safe place to be. This has changed rapidly, as more and more malicious individuals abuse eMail for their highly questionable “business ideas”. Still, a lot of people treat eMail as a “safe” way to communicate and send passwords and critical information in plain text over the Internet.

Fortunately, there are easy steps to make your eMail communication safe and secure.

Get a Digital Certificate for eMail

An eMail Digital Certificate is used to verify that an eMail really was sent by the owner of that eMail address and not by somebody else. At the same time, the very same Digital Certificate can be used to encrypt the message. In other words, your first step is to get yourself a Digital Certificate.

There are a couple of places to get a Digital Certificate, but I have found that Thawte, owned by VeriSign, offers a valid and free Digital Certificate for eMail. In Thawte's own words:

[Quote]

thawte has recognized that all individuals have the right to secure communication. Therefore, the thawte Personal E-mail Certificate is offered absolutely FREE of charge in order to promote a culture of trust on the Internet.

A thawte Personal E-mail Certificate:

  • allows you to sign and encrypt all your personal e-mails
  • signs e-mail so that the recipient is able to verify the e-mail address that the message originated from – this inspires trust in those who receive your e-mail communication
  • encrypts e-mail to prevent anyone except the intended recipient(s) from gaining access to the message contents. This assures information privacy and protection while in transit

[/Quote]

So, let’s go ahead and click here to get your Personal E-mail Certificate now (if you are on a Mac, use Safari to browse to this page!). There are a couple of steps involved, but most of them should be self-explanatory. First, you will need to log in and get yourself an account. If you have more than one eMail address that you want to secure, you can request a certificate for every eMail address later on.

Once done, request an X.509 format certificate. Depending on your needs, choose the software you use. If you are on a Mac and want to use the certificate with Entourage, Apple Mail or similar, choose “Mozilla Firefox/Thunderbird, Netscape Communicator/Messenger”.

Click Next until you get to “Certificate Extensions” and “Accept the Default Extensions”.

Choose “2048 (High Grade)” as the key size for your certificate.

After that you are finished and, after some time, you will receive an eMail from Thawte confirming your generated key.

Log back in to the Thawte site and download your certificate by clicking the “view certificate status” link on the left. There you can download and install your certificate (on a Mac, simply click on the “type” of the certificate and Safari will install/import it into your Keychain application).

Configure your eMail application

Since we use Apple Mac OS X with Entourage, we show how to configure Entourage for Mail Security, but the steps should be almost the same for any other application or platform.

Edit your Account (Tools/Accounts) and choose “Mail Security”.

(Screenshot: this is how it looks after you have selected your certificate.)

To select your certificate, simply click the “Select…” button. In the popup window you should see your eMail certificate (if you have more than one eMail certificate, choose the appropriate one for this account). Do the same for the “Encryption” part.

Now you are ready to send signed and even encrypted messages to the world. The next time you send a message you can choose whether to sign it or not (I choose to sign every outgoing message automatically). In any case, Entourage tells you about the status of your message.

At the same time you can also encrypt the message. But encrypting a message only works if you have stored the recipient's certificate as well (not just their eMail address) and could verify it. The simplest way to do this is to have the person send you a signed eMail; you can then add their certificate to your Keychain and save it for future reference. Once confirmed, you will be able to sign and encrypt messages to that sender.

We hope this small guide helps to make your eMail communication more secure and the Internet a safer place. Feel free to ask us questions or comment on this post by leaving a comment below.


NSA is reading your email, foreigners included

This is kind of scary and makes one wonder how long it will take until we are all shut down….

The NSA got approval to read any emails and listen in on the phone conversations of all foreigners. In the name of "international terrorism" the US Congress gave the NSA all rights to do so. Needless to say, all persons as well as organizations are affected by this new law.

All in all, every email that goes into the USA could be read by the NSA. If your provider is located in the USA and you use it for your corporate or even private emails, then the NSA has full access to all of your data.

1984 anyone?
