tek – bad guy for a day

fuck per programming language chart
Image by gpuliatti via Flickr

OK, trying a bit of live(ish) blogging. This will be interesting, since it will be stream-of-thought on the tutorial as it goes on.

Today's tutorial is given by Arne Blankerts.

We're starting off with an overview of web security and what we'll be doing today. Looks like I missed the questions; good thing I didn't have any.

We'll be getting source to look at, which makes me wish I weren't lazy and had set up an environment.

Starting off with types of security: transport layer, infrastructure, data warehouse, interface design, user level and application level… those sorts of things.

Remember to secure your infrastructure. An anecdote was given about a setup where the database had been left with its default root login. Keep in mind how you train users. Example: error alerts that train people to accept errors as OK and to click through.


openid seems to hate me

I've been trying to comment on Chris Shiflett's post on the Twitter "Don't Click" debacle and can't seem to get authenticated through OpenID, so I'm having to post my reply here (below).

Caveat: I'm not an expert on anything and a n00b at a lot of things.

I liked the article; however, I want to disagree that it isn't a CSRF attack, since "The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have authenticated" (according to Wikipedia [oh no, I'm that guy. *sigh*]). @ramsey said it didn't affect him because he wasn't logged in on the website.

It seems to me that it used clickjacking (UI redressing) to carry out the authentication exploit.

Want to know the funny thing? The only reason I logged into the website was to follow @shiflett.
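The overlay trick the post is arguing about, and the response headers that stop it, as an added example (Node.js JavaScript; this is not code from the original post or from Shiflett's article). The origins https://twitter.example and https://attacker.example, the overlay offsets, and the sample response headers are all constructed for the demo. The decision logic follows X-Frame-Options (RFC 7034) and the CSP frame-ancestors directive, under which a present frame-ancestors directive takes precedence over X-Frame-Options.

```javascript
// Added example (not from the original post): simulate in Node the decision a
// browser makes when an attacker page tries to put a victim page in an <iframe>
// for clickjacking / UI redressing, comparing an unprotected response with a
// hardened one. Origins and headers below are constructed, not real.

const VICTIM_ORIGIN = "https://twitter.example";   // assumed victim site
const ATTACKER_ORIGIN = "https://attacker.example"; // assumed attacker site

// Parse a Content-Security-Policy header value into directive -> source list.
// The first occurrence of a directive wins, as in CSP.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does one frame-ancestors source expression match the framing origin?
function sourceMatches(source, framerOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === pageOrigin;
  if (src === "*") return true;
  const framer = new URL(framerOrigin);
  // Scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src;
  // Host source: optional scheme, optional "*." wildcard label, optional port
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && framer.protocol !== scheme + ":") return false;
  if (wildcard ? !framer.hostname.endsWith("." + host) : framer.hostname !== host) return false;
  if (port && port !== "*") {
    const framerPort = framer.port || (framer.protocol === "https:" ? "443" : "80");
    if (framerPort !== port) return false;
  }
  return true;
}

// Decide whether a page served with `headers` (lower-case keys) may be framed
// by framerOrigin. frame-ancestors, when present, overrides X-Frame-Options.
function framingAllowed(headers, framerOrigin, pageOrigin = VICTIM_ORIGIN) {
  const csp = headers["content-security-policy"];
  if (csp) {
    const ancestors = parseCsp(csp).get("frame-ancestors");
    if (ancestors) {
      // An empty list or 'none' blocks every ancestor.
      const allowed = ancestors.some((s) => sourceMatches(s, framerOrigin, pageOrigin));
      return { allowed, reason: "frame-ancestors" };
    }
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "x-frame-options DENY" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: framerOrigin === pageOrigin, reason: "x-frame-options SAMEORIGIN" };
  }
  // No anti-framing header at all: any origin can overlay this page.
  return { allowed: true, reason: "no framing restriction" };
}

// Constructed responses: the unprotected page versus the hardened one.
const VULNERABLE_HEADERS = { "content-type": "text/html" };
const HARDENED_HEADERS = {
  "content-type": "text/html",
  "x-frame-options": "DENY",                           // older browsers
  "content-security-policy": "frame-ancestors 'none'", // current browsers
};

// The attacker's bait page: a fully transparent iframe of the victim stacked
// above a visible button, so the click the user thinks lands on "Don't Click"
// actually lands on the framed victim page. Offsets are constructed.
function clickjackPage(victimUrl) {
  return `<!doctype html>
<style>
  #bait  { position:absolute; top:120px; left:80px; z-index:1; }
  #frame { position:absolute; top:0; left:0; width:800px; height:600px;
           opacity:0; z-index:2; border:0; }
</style>
<button id="bait">Don't Click</button>
<iframe id="frame" src="${victimUrl}"></iframe>`;
}

// Stand-alone run: show that only the hardened response blocks the overlay.
for (const [label, headers] of [["vulnerable", VULNERABLE_HEADERS], ["hardened", HARDENED_HEADERS]]) {
  const verdict = framingAllowed(headers, ATTACKER_ORIGIN);
  console.log(`${label}: framing by ${ATTACKER_ORIGIN} allowed=${verdict.allowed} (${verdict.reason})`);
}
```

The check is the one a browser performs before rendering the frame, so it is also the check to run against your own responses: if `framingAllowed` returns `true` for an origin you do not control, the page can be overlaid exactly as in the "Don't Click" case. Sending both headers covers browsers that only understand the legacy X-Frame-Options as well as those that honour frame-ancestors.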