Copyrighted Material
Total Page:16
File Type:pdf, Size:1020Kb
Recommended publications
-
On the Incoherencies in Web Browser Access Control Policies
Kapil Singh∗, Alexander Moshchuk†, Helen J. Wang† and Wenke Lee∗
∗Georgia Institute of Technology, Atlanta, GA. Email: {ksingh, wenke}@cc.gatech.edu
†Microsoft Research, Redmond, WA. Email: {alexmos, helenw}@microsoft.com
Abstract—Web browsers’ access control policies have evolved piecemeal in an ad-hoc fashion with the introduction of new browser features. This has resulted in numerous incoherencies. In this paper, we analyze three major access control flaws in today’s browsers: (1) principal labeling is different for different resources, raising problems when resources interplay, (2) runtime changes to principal identities are handled inconsistently, and (3) browsers mismanage resources belonging to the user principal. We show that such mishandling of principals leads to many access control incoherencies, presenting hurdles for web developers to construct secure web applications. A unique contribution of this paper is to identify the compatibility cost of removing these unsafe browser features. To do this, we have built WebAnalyzer, a crawler-based framework for measuring real-world usage of browser features, and used it to study the top 100,000 popular web sites ranked by Alexa.
Inconsistent principal labeling. Today’s browsers do not have the same principal definition for all browser resources (which include the Document Object Model (DOM), network, cookies, other persistent state, and display). For example, for the DOM (memory) resource, a principal is labeled by the origin defined in the same origin policy (SOP) in the form of <protocol, domain, port> [4]; but for the cookie resource, a principal is labeled by <domain, path>. Different principal definitions for two resources are benign as long as the two resources do not interplay with each other. However, when they do, incoherencies arise. For example, when cookies became accessible through DOM’s “document” object, DOM’s access control policy, namely the
-
Practical Web Privacy with Firefox
Chuck Willis [email protected]
Live-OWASP DC 2007, September 6, 2007
About Me
Principal Consultant with MANDIANT in Alexandria, VA
• Full spectrum information security company: Professional Services, Government Services, Education, Software
• Services include Application Security, Network Security, Incident Response, and Computer Forensics
• Offices in Alexandria, VA, NYC, and other locations
Member of OWASP-DC / Maryland Chapter
See more on my web site www.securityfoundry.com
Privacy on the Web
Web sites use a variety of techniques to gather data on users
These techniques can be thwarted with the proper configuration of your web browser
This presentation will describe information gathering techniques and ways to prevent them using the Firefox web browser
Emphasis will be on techniques with minimal impact on the web surfing experience
Agenda
Cookies Scripts and other Active Content Referer Header Google IP Address Tracking and Geolocation History and Cache Snooping Site Registrations Privacy at a Public Hotspot
Cookies
Third Party Cookies
Issue: When visiting a web site that imports content from another site, the third party site can set and receive cookies to track users
Solution:
• Disable third party cookies
• This is set by changing Network.cookie.cookieBehavior to 1 in about:config
• Only the site appearing in the URL will be sent cookies
• This is the same setting that used to appear in the UI for Firefox 1.5 and below as allowing cookies "for the originating site
-
The Smart Girl's Guide to Privacy
The whirlwind of social media, online dating, and mobile apps can make life a dream—or a nightmare. For every trustworthy website, there are countless jerks, bullies, and scam artists who want to harvest your personal information for their own purposes. But you can fight back, right now.
In The Smart Girl’s Guide to Privacy, award-winning author and investigative journalist Violet Blue shows you how women are targeted online and how to keep yourself safe. Blue’s practical, user-friendly advice will teach you how to:
• Delete personal content from websites
• Use website and browser privacy controls effectively
• Recover from and prevent identity theft
• Figure out where the law protects you—and where it doesn’t
• Set up safe online profiles
• Remove yourself from people-finder websites
Even if your privacy has already been compromised, don’t panic. It’s not too late to take control. Let The Smart Girl’s Guide to Privacy help you cut through the confusion and start protecting your online life.
Violet Blue is an investigative tech reporter for ZDNet, CNET, Engadget, and CBS News, and an award-winning sex writer and columnist. She is also a member of the Internet Press Guild and an advisor for Without My Consent. She currently maintains a sexuality blog at tinynibbles.com and can be found on Twitter, @violetblue.
$17.95 ($20.95 CDN)
Shelve in: Computers/General
www.nostarch.com
-
Low Tech Hacking: Street Smarts for Security Professionals
Jack Wiles, Dr. Terry Gudaitis, Jennifer Jabbusch, Russ Rogers, Sean Lowther
Neil Wyler, Technical Editor
AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an imprint of Elsevier
Acquiring Editor: Chris Katsaropoulos
Development Editor: Matt Cater
Project Manager: Paul Gottehrer
Designer: Russell Purdy
Syngress is an imprint of Elsevier, 225 Wyman Street, Waltham, MA 02451, USA
© 2012 Elsevier, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information
-
Hacking Firefox : More Than 150 Hacks, Mods, and Customizations
Mel Reyes
Published by Wiley Publishing, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com
Copyright © 2005 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN-13: 978-0-7645-9650-6
ISBN-10: 0-7645-9650-0
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.
-
Pro Blogger's Black Book
This compilation was created about a year ago, and I simply never got around to releasing it. It is possible that some of the listings in this document have expired in the last year, but it is still a pretty useful directory. - David Risley
Blog Marketing Academy
Contents: Advertising; Article Directories; Blog Tools; Call Centers; Collaboration / Conferencing; Content – Multimedia; Content Written; Customer Relationship Management; Customer Service; E – Commerce; Email Marketing; Facebook Applications; Finance; Free Classifieds; Fulfilment Resource; Fun; Government; Graphic Design; Hosting/Domains; Idea Management; IP Address; iPhone Applications; Latest Resources; Marketing Blogs; Marketing Resources; Media Buys; Membership Sites; Multimedia Tools & Apps; Music; News; Online Apps; Outsourcing; Printing; Productivity Tools and Resources; Products To Sell; Project Management; Public Domain; Public Relations; Research Keyword; Research Niche; Search Resources; SEO Resources; Shopping; Software; Stock Images; Testing and Tracking; Travel; URL Shortener; Video Sites; Video Tools; Web Design and Development; Work Resources
Advertising
Adap.tv – http://adap.tv Offers the OneSource online video ad management platform that provides a complete, end-to-end solution to increase advertising revenue and grow streams.
AdEngage - http://adengage.com AdEngage allows webmasters to earn money selling ad space and allows advertisers to easily place ads on hundreds of websites.
-
An Intensive Analysis of Security and Privacy Browser Add-Ons
Nikolaos Tsalis1, Alexios Mylonas2, Dimitris Gritzalis1
1 Information Security & Critical Infrastructure Protection (INFOSEC) Laboratory, Dept. of Informatics, Athens University of Economics & Business, 76 Patission Ave., Athens, GR-10434, Greece
2 Faculty of Computing, Engineering and Sciences, Staffordshire University, Beaconside, Stafford, ST18 0AD, United Kingdom
{ntsalis, dgrit}@aueb.gr, [email protected]
Abstract. Browsers enable the user to surf over the Internet and access web sites that may include social media, email service, etc. However, such an activity incorporates various web threats (e.g. tracking, malicious content, etc.) that may imperil the user’s data and any sensitive information involved. Therefore, web browsers offer pre-installed security controls to protect users from these threats. Third-party browser software (i.e. add-ons) is also available that enhances these pre-installed security controls, or substitutes them. In this paper, we examine the available security controls that exist in modern browsers to reveal any gaps in the offered security protection. We also study the available security and privacy add-ons and observe whether the above mentioned gaps (i.e. when a security control is unavailable) are covered or need to be revisited.
Keywords: Web browser security, privacy, add-ons, user protection, malware, phishing, controls
1 Introduction
Web browsing activities (e.g. e-commerce, online banking, social media, etc.) are accompanied by web threats that pose a direct risk towards the user, such as phishing attacks, malicious software, tracking sensitive information etc. [1]. When a user selects one of the popular web browsers (i.e.
-
Password Management Strategies for Online Accounts
Shirley Gaw, Department of Computer Science, Princeton University, Princeton, NJ USA, [email protected]
Edward W. Felten, Center for Information Technology Policy, Wilson School of Public and International Affairs, Department of Computer Science, Princeton University, Princeton, NJ USA, [email protected]
ABSTRACT
Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse their passwords across multiple accounts, they increase their vulnerability; compromising one password can help an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused these passwords. The majority of users had three or fewer passwords and passwords were reused twice. Furthermore, over time, password reuse rates increased because people accumulated more accounts but did not create more passwords.
passwords to prevent dictionary attacks. As bad as passwords are, users will go out of the way to make it worse. If you ask them to choose a password, they'll choose a lousy one. If you force them to choose a good one, they'll write it on a Post-it and change it back to the password they changed it from the last month. And they'll choose the same password for multiple applications." [22] In short, poor password practices undermine the system.
Many projects focus on developing new technology around these poor practices without studying them. In contrast, this paper broadly looks at password practices, quantifying password reuse and also surveying the contributing factors
-
Exposing Security and Privacy Liabilities in Modern Browsers
Nikolaos Tsalis
March 2017
A dissertation submitted for the partial fulfillment of a Ph.D. degree
Supervising Committee:
1. Dimitris Gritzalis, Professor, Athens University of Economics & Business (Chair)
2. Theodoros Apostolopoulos, Professor, Athens University of Economics & Business
3. Ioannis Marias, Assistant Professor, Athens University of Economics & Business
Examination Committee:
1. Dimitris Gritzalis, Professor, Athens University of Economics & Business
2. Theodoros Apostolopoulos, Professor, Athens University of Economics & Business
3. Ioannis Marias, Associate Professor, Athens University of Economics & Business
4. Vasileios Katos, Professor, Bournemouth University, United Kingdom
5. Ioannis Stamatiou, Associate Professor, University of Patra
6. Panos Kotzanikolaou, Assistant Professor, University of Piraeus
7. Alexios Mylonas, Lecturer, Bournemouth University, United Kingdom
Copyright © 2017 by Nikolaos Tsalis, Department of Informatics, Athens University of Economics and Business, 76 Patission Ave., Athens GR-10434, Greece
All rights reserved. No part of this manuscript may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the author.
"The approval of a doctoral dissertation by the Department of Informatics of the Athens University of Economics and Business does not imply acceptance of the author's opinions." (Law 5343/1932, Article 202)
Acknowledgements
First and foremost, I would like to thank my Ph.D. supervisor Prof. Dimitris Gritzalis. We met back in 2008, while I was on my second year of undergraduate studies.
I had selected Information Systems Security as an optional module without too much thought, as I was certain from the beginning that this was the field I would like to excel and purchase a career in. -
Instructables.Com
How To Make Firefox The Most Useful Web Browser There Is
by heyzuphowsitgoin on March 5, 2008
http://www.instructables.com/id/How-To-Make-Firefox-The-Most-Useful-Web-Browser-Th/
License: General Public License (gpl)
Table of Contents: License; Intro: How To Make Firefox The Most Useful Web Browser There Is; step 1: Getting Firefox; step 2: Speed 'er Up!; step 3: Still Movin' Fast!; step 4: MORE MEMORY; step 5: Adding The Themes; step 6: Adding Addons; step 7: Adding Search Engines; step 8: Done; Related Instructables; Advertisements; Comments
Intro: How To Make Firefox The Most Useful Web Browser There Is
If you are already not convinced that firefox is better than everything out there, here are a few tips and tweaks that will make you want to switch. If you are using firefox, maybe you still didn't know about these.
step 1: Getting Firefox
Just download and install firefox... Works with just about every operating system there is... But don't get the beta, there aren't as many themes and plugins for those http://www.mozilla.com/en-US/firefox/
step 2: Speed 'er Up!
Do this if you have high speed internet, it won't work as well if you are using dial-up.
-
Technical and Market Failures in Human Authentication on the Web
The password thicket: technical and market failures in human authentication on the web
Joseph Bonneau, Computer Laboratory, University of Cambridge, [email protected]
Sören Preibusch, Computer Laboratory, University of Cambridge, [email protected]
Abstract
We report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Our study included 150 websites which offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although all sites evaluated relied on user-chosen textual passwords for authentication, we found many subtle but important technical variations in implementation with important security implications. Many poor practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks. While a spectrum of implementation quality exists with a general co-occurrence of more-secure and less-secure implementation choices, we find a surprising number of inconsistent choices within individual sites, suggesting that the lack of standards is harming security. We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established tendency of users to re-use passwords. Our data confirms that the worst security practices are indeed found at sites with few security incentives, such as newspaper websites, while sites storing more sensitive information such as payment details or user communication implement more password security.