INSECURE ACCESS CONTROL 06/2011

Download file: INSECURE_ACCESS_CONTROL_hakin9_06_2011.pdf
    • Latest News From the IT Security World
      by Armando Romeo, eLearnSecurity ID Theft Protect



    • A Hole in Your Access Control! 
      by Ali Al-Shemery 
      A couple of days ago I was called out to do a security audit on a company’s internal network security and its access control. The audit was asked to be done on a specific day that the company chose. The reason behind that was to ensure I get no interference from their Network/System Administrator. I will not go through the audit process itself but will show and prove to you how even a well-secured network could be brought (hacked) down by a single mistake, and why implementing access controls and then auditing them is an important factor in ensuring their effectiveness.



    • PSN Hack Where Risk Management and Reality Collide 
      by Simon Walker and Javvad Malik 
      There have been many column inches dedicated to the PlayStation Network, which was taken offline following a breach. It has been a high-profile incident and has left Sony management red-faced with many questions thrown at them – not all of which have been answered convincingly. It is simply not possible to protect against all possible security flaws in a product – but proper risk assessment at least indicates what these might be and allows an informed decision. This is important for both companies and for you, the consumer.



    • Obscuring the Truth 
      by Israel Torres 
      Veiled in a world of pseudo-randomized padded nulls lies the answer in plain sight, laughing at you mockingly. It’s really only a matter of connecting the dots… Or is it? Can the answer be shielded better by simply adding more dots to connect? Does this help or hinder, and whom? Encryption is a double-edged sword and it is caked in blood and rust. Super-encipherment has historically been used to doubly throw off attackers (cryptanalysts) from finding the answer speedily (or at all). Once you think you’ve unlocked something, you have a brand new puzzle staring at you silently.



    • Attacking, Authentication, and Access Control 
      by Rich Hoggan 
      As part of a growing trend where people utilize more services on-line, we rely more and more on entering our data into what we trust as being secure web-forms. Has it ever crossed our minds while we enter our information into web forms that our trust would ever be compromised? We assume that no one besides the service provider and ourselves will ever have access to such information. Like in the Wild West, there can’t be any room for complacency on the internet. It’s just because of this complacency that authentication and access control measures play an increasingly important role in safeguarding the privacy of our data.



    • Access Control: Lock-down Your Network 
      by Gary S. Miliefsky 
      If most of the threats are coming from the inside, what are you doing about it? According to US-CERT (United States Computer Emergency Readiness Team), 95% of downtime and IT-related compliance issues are a direct result of an exploit against a Common Vulnerability and Exposure. A firewall, IDS, IPS, anti-virus software and other countermeasures don’t look for CVEs or show how to remove them. So most companies are really only 5% secure.



    • Flexible Access Online: ASP.NET’s Access Control for the Web 
      by Tim Kulp 
      The web was not built to remember users between trips to the server. In fact, the stateless nature of HTTP forgets anything outside of the immediate Request traveling to the Server or Response going to the Browser. All memory must be handled by features in the Application Server (such as IIS, Apache, etc.) or by the Browser. This presents a challenge to a core concept in security: Access Control.



    • VoIP Access Control 
      by Ric Messier 
      Access control is a means by which we determine whether an agent is allowed to gain entry to a particular resource. In the case of physical security or even traditional network security, this may seem straightforward. For example, if you trust someone to gain access to a room where critical resources are kept, you provide that person a key or add them to a badge access list. Similarly, if you want to provide someone access to files you are sharing on a network, you would add their user ID to an access control list so they would be able to get to the files they need or want.



    • Wireless ad hoc Network and its Vulnerabilities 
      by Aleksandre Lobzhanidze 
      A mobile ad-hoc network (MANET) is a self-configuring, infrastructure-less network consisting of mobile devices connected via wireless links. Each device in a MANET can move independently from the others in any direction, and therefore changes its links very frequently. Each device in a MANET must forward data unrelated to its own use, and therefore serves not just as a consumer of data but also as a router. The main challenge of a MANET is to maintain the information required to properly route the traffic. Such networks may operate on their own, or be connected to the global network, the Internet.



    • Msona mBox 2000 Features & Functionality Report 
      by Steve Broadhead 
      In some ways it can be seen as the Holy Grail of IT procurement – finding the all-in-one office solution that does it all, without complicated installation and management; just fire up and off you go. Of course, in reality – as an absolute – this is largely a pipe dream. But for the Small to Medium Business (SMB) especially, the benefits of an easily installed, low-maintenance solution to their communications requirements – Internet, data and voice, secure and flexible enough to support their specific needs (dependent on their ISP, TelCo, Hosting company etc.) – cannot be overvalued.



    • Why Are There So Many Command and Control Channels 
      by Matthew Jonkman 
      Command and control channels are an often unappreciated bit of art. Yes art. Most folks don’t pay that much attention to them, professionally or personally. But as a person that spends most of my day finding and picking them apart I can tell you there are some very interesting things going on behind your favorite malware or fake AV warning on the desktop. So let’s explore some of the recent stuff and reminisce about the past, from an IDS point of view. Not thinking like an antivirus engineer looking at registry keys, APIs and system calls. I can’t imagine the difficulties in that life.



    • The Asylum 
      by Jim Gilbert 
      My paintings are non-figurative, but I realized some years ago that I was interested in how I could combine words and graphics – as a result I started to draw cartoons. Specifically I am excited about The Asylum because of its minimal nature, minimal drawing, minimal words, minimal characters… maximum content.



April 19, 2022
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023