Category Archives: Security

Covert, private browsing: how to stop yourself being tracked

The web is a surveillance society – from Evercookie to KISSmetrics, everybody wants to know what you’re doing and where, and they’re willing to pay good money for it.

If the thought of having your life collated, codified and flogged doesn’t sit well with you (considering the furore this Facebook tracking post caused, you’re not alone), here are some privacy-oriented plugins to facilitate covert browsing:

  • Disconnect disables third-party tracking (from Digg, Facebook, Google, Twitter, and Yahoo) and handily depersonalizes searches, thwarting the Filter Bubble
  • Facebook Disconnect blocks all traffic from third-party sites to Facebook servers
  • TrackMeNot (Firefox) periodically issues randomized search-queries to popular search engines, hiding users’ actual search trails in a cloud of ‘ghost’ queries
  • Ghostery tracks who’s tracking you and provides a roll-call of the ad networks, behavioral data providers and web publishers interested in your activity
  • Tor (portable) Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. Slow, with mild concerns about edge nodes, but certainly the most secure (legal) way to route traffic

And the essential ad-blocking add-ons:

  • Adblock (Chrome) prevents ads downloading, also available for Safari
  • Adblock Plus is the most current Firefox ad-blocking offering (also cross-platform)
  • AdFree Android (for rooted phones) removes most ads in the browser and other apps by redirecting DNS lookups to localhost


Programming guidelines, references and best-practices

A competent programmer is expected to have many strings to their bow, to keep up with the latest technologies and to produce beautiful, efficient and secure code – a non-trivial task.

To that end, here are some links on the nature of programming and the eternal quest to be a better programmer: through secure, optimised design; offering effective UI; and understanding and predicting what users want.

The Principles of Good Programming
by Christopher Diggins

An excellent round-up of acronyms (DRY, KISS, YAGNI) and precepts (Separation of Concerns, Principle of least astonishment etc).

Teach Yourself Programming in Ten Years
by Peter Norvig

Why programming is difficult, how you should approach it and the lessons learnt in the author’s last 10 years.

Iterative vs. Incremental
by Bradley Holt

Thoughts on the conflation of “iterative” and “incremental” in software development.

Encyclopedia of Human-Computer Interaction
by Mads Soegaard et al

A new (as yet incomplete) free encyclopedia including videos and commentaries from luminaries in the many fields of HCI.

Front End Development Guidelines
by Tait Brown

A collection of browser-targeted practices encompassing Accessibility, HTML, CSS and JavaScript.

How to understand your users with personas
by Brad Colbow

How to assign personas to your users in an effort to better understand their thought processes and needs.

OWASP Appsec Tutorial Series
by OWASP

The OWASP Appsec Tutorial Series breaks down security concepts in an easily accessible, friendly way.


NSA Hardening Tips for Red Hat Enterprise Linux 5 (RHEL5)

The NSA publishes guidelines for securing various operating systems – most interestingly, RHEL5.

NSA has developed and distributed configuration guidance for Red Hat Enterprise Linux 5 that is currently being used throughout the government and by numerous entities as a security baseline for their Red Hat Enterprise Linux 5 systems.

The introductory points:

  • Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
  • Minimize the amount of software installed and running in order to minimize vulnerability.
  • Use security-enhancing software and tools whenever available (e.g., SELinux and Iptables).
  • Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
  • Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
  • Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
  • Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relevant logs are written to /var/log/secure.

There are security guides on the same page for OS X (Leopard, Snow Leopard), Windows (various versions) and Sun Solaris (9, 10).

XSS vector: URLs

Injection is an attack that involves breaking out of a data context and switching into a code context through the use of special characters that are significant in the interpreter being used. - OWASP

Many PHP applications HTML-encode all untrusted data with htmlentities() irrespective of context. This is a problem because htmlentities() only neutralises characters that are significant to the HTML parser; it does nothing against data that is already valid in its own context, so certain XSS injections survive it. For example, any data that will be output as a URL:

echo '<a href="', htmlentities( 'javascript:alert("xss");' ), '">XSS</a>';

In this instance htmlentities() is not sufficient protection; the above outputs

<a href="javascript:alert(&quot;xss&quot;);">XSS</a>

The browser decodes &quot; back to a quote when it evaluates the javascript: URL, so alert("xss") still runs. To prevent this injection, URLs should be validated on input (only http and https schemes accepted) and htmlentities() encoded on output.

$url = 'http://hostname/path?arg=value';

// parse_url() returns false on badly malformed input and omits 'scheme' for
// relative URLs, so check both before comparing; browsers treat schemes
// case-insensitively, so compare in lower case
$parsedUrl = parse_url( $url );
$scheme = ( $parsedUrl !== false && isset( $parsedUrl['scheme'] ) ) ? strtolower( $parsedUrl['scheme'] ) : '';

if( $scheme != 'http' && $scheme != 'https' ) {
    // reject URL
} else {
    // escape for the SQL context before storing (a prepared statement does the same job)
    $url = mysqli_real_escape_string( $mysqli, $url );
    $sql = "INSERT INTO `table` (url) VALUES ('$url')";
    // insert query
}

...

// encode for the HTML attribute context on output
echo '<a href="', htmlentities( $url ), '">XSS</a>', "\n";

The URL now stored in the database should still be output using htmlentities() to encode quote marks that could inject further code, such as in this example:

http://www.test.com/" onClick="javascript:alert(\'xss\');"
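The validate-on-input, encode-on-output pattern above as one complete script, added here as an illustration and not code from the original post. It assumes PHP 7 or later (scalar type declarations), the function names validateHttpUrl(), hrefAttribute() and check() and all sample URLs are constructed for the example, and it encodes with htmlspecialchars() and ENT_QUOTES rather than htmlentities() because htmlentities() defaulted to ENT_COMPAT before PHP 8.1 and so left single quotes unencoded:

```php
<?php
// Added example (not part of the original post): validate URLs on input and
// encode them on output, covering both the "javascript:" scheme and the
// quote break-out shown above. Function names and sample URLs are constructed.

/**
 * Return the URL unchanged if it is an absolute http(s) URL, otherwise null.
 * parse_url() returns false on badly malformed input and omits 'scheme' for
 * relative or scheme-less URLs ("//evil.example/"), so both cases are checked.
 */
function validateHttpUrl(string $url): ?string
{
    // Whitespace and control characters are never legitimate inside a URL;
    // rejecting them also stops the 'http://x/" onClick="..."' pattern early.
    if (preg_match('/[\x00-\x20\x7F]/', $url) === 1) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Browsers treat schemes case-insensitively, so compare in lower case.
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }

    return $url;
}

/**
 * Encode a validated, stored URL for a double- or single-quoted href.
 * ENT_QUOTES encodes both quote characters; htmlentities() before PHP 8.1
 * defaults to ENT_COMPAT and leaves single quotes alone.
 */
function hrefAttribute(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Fail loudly if any expectation below is not met.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed inputs: the post's two injection strings plus variants.
$inputs = [
    'http://hostname/path?arg=value',
    'javascript:alert("xss");',
    'JAVASCRIPT:alert("xss");',
    '//evil.example/',
    'http://www.test.com/" onClick="javascript:alert(\'xss\');"',
    'http://www.test.com/?q="onclick="alert(1)',
];

foreach ($inputs as $input) {
    $url = validateHttpUrl($input);
    if ($url === null) {
        echo "rejected: $input\n";
        continue;
    }
    // Encoding at output time means a stored value cannot close the attribute.
    echo '<a href="', hrefAttribute($url), '">link</a>', "\n";
}

// Self-checks: scheme rejection, case handling and quote encoding.
check(validateHttpUrl('javascript:alert(1)') === null, 'javascript: scheme rejected');
check(validateHttpUrl('JAVASCRIPT:alert(1)') === null, 'scheme compared case-insensitively');
check(validateHttpUrl('//evil.example/') === null, 'scheme-relative URL rejected');
check(validateHttpUrl('http://hostname/path?arg=value') !== null, 'plain http URL accepted');
$encoded = hrefAttribute('http://www.test.com/?q="onclick="alert(1)');
check(strpos($encoded, '"') === false && strpos($encoded, "'") === false, 'no raw quotes survive encoding');
echo "all checks passed\n";
```

The post's `http://www.test.com/" onClick=...` string is rejected by the whitespace rule before it reaches the database; the last input is a space-free break-out that passes scheme validation and is neutralised only by the output encoding, which is why both layers are needed rather than either alone.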

For further information about XSS, the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet offers a list of XSS Prevention Rules, while RSnake’s XSS (Cross Site Scripting) Cheat Sheet is the definitive list of XSS injection test strings.