Category Archives: Security

ORGCon 2012 – interesting links


A collection of interesting privacy, activism and anti-intrusion links from ORGCon 2012 (notice who uses HTTPS by default!):

Privacy Tools

Tech Tools for Activism (HTTPS)
Sets of tools to help campaign and organise more securely online. The site is aimed primarily at activists and campaigners, but will be useful to anybody interested in protecting their online privacy and security, or those seeking alternatives to corporate online services.

The Guardian Project (HTTPS)
The Android-based Guardian Project aims to create easy-to-use apps, open-source firmware mods, and customized, commercial mobile phones to protect communications and personal data from unjust intrusion and monitoring.

Survival in the Digital Age serves as a practical, visual and fun resource for learning about a subject that can make people feel paranoid or just technically overwhelmed.

Tom Lowenthal
Mozilla’s “Do-Not-Track header” advocate.

Pro-Democracy Tools

Parltrack is a European initiative to improve the transparency of legislative processes. It combines dossiers, MEPs, vote results and committee agendas into a unique database and allows the tracking of dossiers using email and RSS. Most of the data displayed is also available for further processing in JSON format. Using Parltrack it’s easy to see at a glance which dossiers are being handled by committees and MEPs.

Pippi Long Strings
(can’t find link!)


The Communications Capabilities Development Programme (CCDP) is a UK government initiative to create a ubiquitous mass surveillance scheme for the United Kingdom. It would involve the logging of every telephone call, email and text message between every inhabitant of the UK, and is intended to extend beyond the realms of conventional telecommunications media to log communications within social networking platforms such as Twitter and Facebook.

The Facilitators of the Big Brother State

Packet Forensics
Packet Forensics develops network surveillance packages: customers range from governments and global telecom network operators to universities and medium-sized businesses.

Glimmerglass develops Facebook-stalking

VUPEN sell weaponised exploits to the government and defence sectors.

Hacking Team
Hacking Team sell “easy-to-use” weaponised exploits to the worldwide law enforcement and intelligence communities.

Gamma Group (HTTPS)
Gamma Group International provides advanced technical surveillance and monitoring solutions – “trial equipment” was found in the Egyptian Secret Service’s headquarters post-revolution (source).

Telephonic interception, signaling, media and packet processing.

Telecommunications interception.

More comms interception.

Write It Like It’s Stolen: Keeping Software Security After Theft


Deadliest Web Attacks has published an article railing against the dearth of high-quality, secure code. Although most code is never seen by anyone but the core development team, in light of the recent Symantec source code theft the article is particularly pertinent:

How would you alter the risks associated with your web site if its source code were stolen? Hard-coded passphrases? String concatenation of SQL statements? How much security relies on secrecy of functionality versus secrecy of data? Think of it in terms of Kerckhoffs’s Principle, roughly “The system must not require secrecy and can be stolen by the enemy without causing trouble”. Kerckhoffs was writing about cryptography, but the concept applies well to software.

This would be a good time to double-check the OWASP Top Ten Vulnerabilities and re-watch the OWASP Appsec Tutorial Series.

PuTTY Release Fixes “Password Not Wiped From Memory” Bug


PuTTY has fixed a vulnerability that could allow malware to read your SSH passwords from memory:

When PuTTY has sensitive data in memory and has no further need for it, it should wipe the data out of its memory, in case malware later gains access to the PuTTY process or the memory is swapped out to disk or written into a crash dump file. An obvious example of this is the password typed during SSH login; other examples include obsolete session keys, public-key passphrases, and the private halves of public keys.

The bug existed from PuTTY 0.59 to 0.61 inclusive. Vulnerability report and download page.

Covert, private browsing: how to stop yourself being tracked


The web is a surveillance society – from Evercookie to KISSmetrics, everybody wants to know what you’re doing and where, and they’re willing to pay good money for it.

If the thought of having your life collated, codified and flogged doesn’t sit well with you (considering the furore this Facebook tracking post caused, you’re not alone), here are some privacy-oriented plugins to facilitate covert browsing:

  • Disconnect disables third-party tracking (from Digg, Facebook, Google, Twitter, and Yahoo) and handily depersonalizes searches, thwarting the Filter Bubble
  • Facebook Disconnect blocks all traffic from third-party sites to Facebook servers
  • TrackMeNot (Firefox) periodically issues randomized search-queries to popular search engines, hiding users’ actual search trails in a cloud of ‘ghost’ queries
  • Ghostery tracks who’s tracking you and provides a roll-call of the ad networks, behavioral data providers and web publishers interested in your activity
  • Tor (portable) Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. Slow, with mild concerns about exit nodes, but certainly the most secure (legal) way to route traffic

And the essential ad-blocking add-ons:

  • Adblock (Chrome) prevents ads downloading, also available for Safari
  • Adblock Plus the most current Firefox ad-blocking offering (also cross-platform)
  • AdFree Android (for rooted phones) removes most ads in the browser and other apps by redirecting DNS lookups to localhost

Programming guidelines, references and best-practices


A competent programmer is expected to have many strings to their bow, to keep up with the latest technologies and to produce beautiful, efficient and secure code – a non-trivial task.

To that end, here are some links on the nature of programming and the eternal quest to be a better programmer: through secure, optimised design; offering effective UI; and understanding and predicting what users want.

The Principles of Good Programming
by Christopher Diggins

An excellent round-up of acronyms (DRY, KISS, YAGNI) and precepts (Separation of Concerns, Principle of least astonishment etc).

Teach Yourself Programming in Ten Years
by Peter Norvig

Why programming is difficult, how you should approach it and the lessons learnt in the author’s last 10 years.

Iterative vs. Incremental
by Bradley Holt

Thoughts on the conflation of “iterative” and “incremental” in software development.

Encyclopedia of Human-Computer Interaction
by Mads Soegaard et al

A new (as yet incomplete) free encyclopedia including videos and commentaries from luminaries in the many fields of HCI.

Front End Development Guidelines
by Tait Brown

A collection of browser-targeted practices encompassing Accessibility, HTML, CSS and JavaScript.

How to understand your users with personas
by Brad Colbow

How to assign personas to your users in an effort to better understand their thought processes and needs.

OWASP Appsec Tutorial Series

The OWASP Appsec Tutorial Series breaks down security concepts in an easily accessible, friendly way.

NSA Hardening Tips for Red Hat Enterprise Linux 5 (RHEL5)


The NSA publishes guidelines for securing various operating systems – most interestingly, RHEL5.

NSA has developed and distributed configuration guidance for Red Hat Enterprise Linux 5 that is currently being used throughout the government and by numerous entities as a security baseline for their Red Hat Enterprise Linux 5 systems.

The introductory points:

  • Encrypt all data transmitted over the network. Encrypting authentication information (such as passwords) is particularly important.
  • Minimize the amount of software installed and running in order to minimize vulnerability.
  • Use security-enhancing software and tools whenever available (e.g., SELinux and Iptables).
  • Run each network service on a separate server whenever possible. This minimizes the risk that a compromise of one service could lead to a compromise of others.
  • Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
  • Review system and application logs on a routine basis. Send logs to a dedicated log server. This prevents intruders from easily avoiding detection by modifying the local logs.
  • Never log in directly as root, unless absolutely necessary. Administrators should use sudo to execute commands as root when required. The accounts capable of using sudo are specified in /etc/sudoers, which is edited with the visudo utility. By default, relevant logs are written to /var/log/secure.

There are security guides on the same page for OS X (Leopard, Snow Leopard), Windows (various versions) and Sun Solaris (9, 10).

XSS vector: URLs

Injection is an attack that involves breaking out of a data context and switching into a code context through the use of special characters that are significant in the interpreter being used. - OWASP

Many PHP applications will HTML-encode any untrusted data using htmlentities() irrespective of context. This is a problem, as htmlentities() does not mitigate certain XSS injections. For example, the output of any data that will be used as a URL:

echo '<a href="', htmlentities( 'javascript:alert("xss");' ), '">XSS</a>';

In this instance htmlentities() is not sufficient protection; the above outputs:

<a href="javascript:alert(&quot;xss&quot;);">XSS</a>

To prevent this injection, URLs should be validated on input and htmlentities()-encoded on output.

$url = 'http://hostname/path?arg=value';

$parsedUrl = parse_url( $url );

// parse_url() omits the 'scheme' key for scheme-less input (and returns false
// for badly malformed URLs), so check it exists before comparing.
if( $parsedUrl === false || !isset( $parsedUrl['scheme'] )
    || ( $parsedUrl['scheme'] != 'http' && $parsedUrl['scheme'] != 'https' ) ) {
    // reject URL
} else {
    $url = mysqli_real_escape_string( $mysqli, $url );
    $sql = "INSERT INTO table (url) VALUES ('$url')";
    // insert query
}

// on output, encode again for the HTML attribute context
echo '<a href="', htmlentities( $url ), '">XSS</a>', "\n";

The URL now stored in the database should still be output using htmlentities() to encode quote marks that could otherwise break out of the href attribute and inject further code, such as a stored value of: " onClick="javascript:alert('xss');"
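The validate-on-input, encode-on-output pattern above as a pair of reusable functions. This is an added example, not code from the original post; the function names are mine, the inputs are constructed, and it goes slightly beyond the snippet above by lower-casing the scheme (so HTTPS:// is accepted) and by storing the URL with a prepared statement instead of mysqli_real_escape_string().

```php
<?php
// Added example (not from the original post). Function names are my own.

/**
 * Return the URL if its scheme is http or https, otherwise null.
 * parse_url() returns false for badly malformed input and omits 'scheme'
 * for scheme-less input, so both cases are checked before comparing.
 */
function validateHttpUrl(string $url): ?string
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    return trim($url);
}

/** Encode a stored URL for use inside a double-quoted HTML attribute. */
function hrefAttr(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs, including the two payloads discussed in the post.
$inputs = [
    'http://hostname/path?arg=value',
    'javascript:alert("xss");',
    '" onClick="javascript:alert(\'xss\');"',
    'HTTPS://example.test/a?b=c&d=e',
];

foreach ($inputs as $input) {
    $url = validateHttpUrl($input);
    if ($url === null) {
        echo 'rejected: ', htmlspecialchars($input, ENT_QUOTES), "\n";
        continue;
    }
    // Storage step, assumed: $mysqli is an open connection and a table
    // `links` with a `url` column exists. A prepared statement removes the
    // need for manual escaping.
    // $stmt = $mysqli->prepare('INSERT INTO links (url) VALUES (?)');
    // $stmt->bind_param('s', $url);
    // $stmt->execute();
    echo '<a href="', hrefAttr($url), '">link</a>', "\n";
}
```

The first and fourth inputs are accepted and emitted with quotes and ampersands encoded; the javascript: URL and the attribute-breakout string are rejected at the validation step, before they ever reach storage.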

For further information about XSS, the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet offers a list of XSS Prevention Rules, while RSnake’s XSS (Cross Site Scripting) Cheat Sheet is the definitive list of XSS injection test strings.