Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I was thinking of creating an on-screen keyboard to protect against keyloggers. The main problem is that I have found that there is a category of keloggers, called screenshot key loggers, which are able to take screenshots of the screen every time the mouse button is clicked.
For this reason, I feel that my approach of creating an on-screen keyboard does not protect against this category of keyloggers. Is there a way of coding the application which does not allow screenshots to be taken, or else alerts the user if these are being taken without his permission?
Edit
I am assuming that only the user is present in the room. Therefore, I am not trying to protect against other users from taking photos with their digital cameras. I only want to protect against screenshot keyloggers.
This is an issue that Trusted Computing can potentially address, but not on any system you'd likely be trying to deploy this for. Beyond screenshots, remember that if a device or piece of code can have local access, screenshots are one way to take that data. Another way would be to take that data passing through memory or other avenues of processing through the system. It's a very hard thing to prevent entirely.
If you are that paranoid so that you cannot trust the computer you are working on, I would highly advise introducing "factor" in the authentication.
"Google Authenticator" is an open-source "two-factor" security system (like a software version of an RSA token). It means a user would have to have it running on their smartphone, but it means if one does NOT have the phone, even if they have successfully sniffed the username and password, they cannot log-in. Google "Google Authenticator".
Other 2-factor methods involve sending one-time login codes to ones' cell phone (which again must be held), using a hardware-token key, or a list of one-time-only passwords.
I actually created an Apache-specific port of this if you want to use it: https://code.google.com/p/google-authenticator-apache-module/
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
I am new to web development, and particularly for the back end, I was wondering what are the first basic precautions should be implemented to ensure cybersecurity to avoid any exploits which could leak user data or credential for example.
First of all make sure you are following the CIA model:
Confidentiality: Refers to access control of information to ensure that those who should not have access are kept out. This can be done with passwords, usernames, and other access control components.
Integrity: Ensures that the information end-users receive is accurate and unaltered by anyone other than the site owner. This is often done with encryption, such as Secure Socket Layer (SSL) certificates which ensure that data in transit is encrypted.
Availability: Ensures information can be accessed when needed.
Some other tips would be :
Use SSL certificate.
Take precautions when accepting file uploads through your site.(Incase if you have)
Use CSP (To prevent against Cross-site scripting)
Set permissions that controls who can read, write, and execute any given file or folder of your website.
Limit Login Attempts and temporarily lock out IP Addresses that make several failed attempts to get inside.
Keep scripts up-to-date.
Maintain multilayer security and keep backup.
And please take care of your Database, how you create and link it.
Lastly, show the beta version of your website to someone with good experience to look for any loopholes before your website goes live.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
A couple weeks ago, I noticed a question where a site owner was asking about how they could better manage user passwords for their site. They were storing the passwords using an excel sheet as a database.
I am not finding that question now, but there were several comments pointing out using Excel as a password database was not a good idea. The pure inappropriateness of this has not left my thoughts and I wonder, how many sites use low level password word protection.
If I were to test on that particular web site, by changing my password to '=2+2' and then trying to logon with '4' as my password. That might give me an indication that my site password was not being well managed.
What should I look for, or what tests can I perform to validate what level of protection a site is using to protect the password I use there?
It can be incredibly difficult (or even impossible) to judge the security of some site without straddling some legal gray areas.
One easy way to test if password managament on a site is awful is if you do a "forgot password" request, and they email you your password in plaintext. That means they are at worst, storing your password in plaintext, and at best encrypting it instead of hashing it (still bad practice).
Other than gaining access to the system (or, of course, asking the developers) you can't really be sure about what methods are being used. They could store your password in plaintext and still not send it in an email. It eventually comes down to trust and using necessary precatuitons (such as unique passwords, or limiting what info you give them).
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I am attempting to automate committing some files to SVN during our automated build process. Hudson does not have a tool (that works) to do this simply. I found Plugin to commit hudson build artifact which shows a second example using a simple command. The difficulty is now on obfuscating the credentials supplied.
I didn't really like the idea of building my batch into an exe -- it seemed a bit too bulky and not able to change. I was racking my brain for other ideas and coworker and I came up with this:
Create a new user in SVN with no privileges. I've called this user 'hudson'
Give hudson only the ability to read/commit to the one project in question. It cannot delete.
Use username/password unobfuscated. :x
Now, accessing our Hudson build server requires authentication. So, there is at least one level of implied authentication before being able to hit the unobfuscated password. If a malicious user had the ability to see this unobfuscated password then it is implicit that they have more privileges than having the unobfuscated password would grant them. Does that make sense? Is this sound? I feel really dirty for doing this, but I can't think of a simpler way to do it.
In the broadest terms, this is not a problem. However, there are several things you can do to improve it.
The password in question should be long and random. It's only used by a program; why should it be easy to read?
I generally apply small obfuscations to such password, particularly if they are not long and random for some reason (such as them being also used by humans). The reason is to prevent someone looking over my shoulder from suddenly knowing the password. Mild screening is useful anytime you're going to put a password in a script.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
What is best strategy of protecting from "registration bots". Ones that just POSTing registration forms to my server, creating dumb users.
For my application, it started with just several new accounts per day. But now it became a real problem.
I would like to avoid confirmation mail, as much as possible. What are strategies to prevent this?
You can use a variety of techniques here:
Use a CAPTCHA like reCaptcha
Present the user with a trivial problem like "2+2=?". A human will be able to respond correctly where as a bot won't.
Add a hidden text field to your form. Bots are programmed to fill in every field they can. If you find that the hidden field has some data in it when the form was submitted, discard the request.
Use something like reCaptcha
Any kind of captcha will do it. eg: reCAPTCHA, but for popular bots a simple check like: "from the following checkboxes below please select the nth one" will do it.
Also, if you use a popular app like phpBB, just a little tweaking of registration page will do it.
If your site is very popular, then it's a different story altogether, and there will be always a way to write bots specifically designed for your site, but these basic tricks should be enough to stop generic bots.
You could log the IPs of those bots and block them. That is if they are not rotating lots of IPs.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Generally speaking.
How do a project manager evaluate and track the security issue for a project? Or is there any online resource that I can use as a reference ?
I would say that you would track this like everything else you track on your project.
Make sure that there is an architecture and project requirement review -- go though all aspect of the architecture and design and document any issues and questions as you go along. Depending on your application, it may include securing external communication and communication between different parts of the application, and understand any possibilities for malicious user input. If your application store any data, review what data is stored, and ask "what would happen if the data was lost or leaked". Understand how all sensitive data store is encrypted, and make sure that user passwords are never stored (store a oneway hash instead). Review how/if any encryption keys can be rotated, so that loss/leak of key does not mean compromise of security.
Document all issues and questions found in your favorite bug tracking and task management tool, even if just as reminder to get back and inspect actual implementation.
I think you add them as 'risks' or 'tasks' in your ALM system, depending on which phase you are current in with respect to your project.
How to evaluate security issues is usually deferred first to Devs or IT Profs depending on the nature and then reported back to the PM for review.