SEARCH RESULTS
 
Showing 1-10 of 21 records
 
Stealing Phorm Cookies

2008-04-22 17:49:01 by Richard Clayton in Light Blue Touchpaper
 
...cookies, which I elaborate upon in this post. I have written about Phorm's system before, and you can read a detailed technical explanation, but for the present, what it is necessary to know is that through some sleight-of-hand, users whose ISPs deploy Phorm will end up with tracking cookies stored on their machine, one for every website...
 
Hardened stateless session cookies

2008-05-16 12:40:30 by Steven J. Murdoch in Light Blue Touchpaper
 
...cookies. Given the history of Wordpress security, it seems likely that there will eventually be a vulnerability discovered which allows the key, which authenticates cookies, to be leaked. It's good practice in security engineering to design systems with the widest possible range of attacker capabilities. I therefore designed a cookie scheme...
 
Buffer overflows can be prevented by GS cookies

2008-07-01 09:25:40 by Joel Scambray in WhatIs: Enterprise IT tips and expert advice
 
Buffer overflows have plagued Windows users for years, but by using a compile-time technology known as GS cookies, you can prevent them from damaging your Windows shop.
 
Twisty little passages, all alike

2008-05-18 19:29:56 by Richard Clayton in Light Blue Touchpaper
 
...cookies (which didn't matter much because Phorm specifically uses first-party cookies), and I'd managed to reference RFC2695 rather than RFC2965. In my original document, I'd waved my hands a little bit about how the system worked if people had blocked cookies for specific domains, and so I swapped some more email with Phorm to better understand,...
 
SDL and Web 2.0

2008-02-28 22:26:00 by sdl in The Security Development Lifecycle
 
...cookies, Evil Eve would not have been able to steal those cookies. However, HttpOnly is just a defense-in-depth measure and not a complete solution for the inherent problem of end users being able to write malicious code into the web site. Web mashups are another popular component of Web 2.0. JavaScript's Same Origin Policy prevents web...
 
The Phorm Webwise System

2008-04-04 16:53:06 by Richard Clayton in Light Blue Touchpaper
 
...cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else's website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of...
 
Wordpress 2.5 cookie integrity protection vulnerability

2008-04-25 16:03:19 by Steven J. Murdoch in Light Blue Touchpaper
 
...cookies are generated. The authentication code was substantially overhauled for Wordpress 2.5, in part to deal with security problems in the password database. Now, the authentication cookies take the form of wordpress . COOKIEHASH = USERNAME . | . EXPIRY TIME . | . MAC, where: COOKIEHASH is the MD5 hash of the site URL (to maintain cookie...
 
TRICARE breach affects 4,700 households

2007-12-20 12:15:59 by Evan Francen in The Breach Blog
 
...cookies have fixed all known vulnerabilities associated with this incident. In addition, the CMS application has since been taken off-line. EDS has completed the forensics analysis of the server and is performing a by-line code review to ensure there are no further critical vulnerabilities present in the code. [Evan] Should EDS be the ones...
 
Google Changes Privacy Policy

2007-03-15 08:31:00 by Eric Marvets in The Security Samurai
 
...cookies (the number one feature to choose FireFox over IE); a practice that was instigated when I learned Google sent the same cookie from each machine when a search was made. I use Tor and Privoxy to achieve true anonymity when researching certain topics. I will never use their desktop client. However, two pieces of good news have come out...
 
New faces and predictions for the New Year...

2008-01-22 22:11:00 by sdl in The Security Development Lifecycle
 
...cookies for authenticating users - is more of a design flaw and not a simple implementation issue. This makes them tougher to identify and to remove. They can't be mitigated solely through input validation techniques the way that Cross-Site Scripting and SQL injection can. As the new web application security guy on the SDL team, it's my job to...