February 27 · Issue #21
Email digest of dylanninin
Computer security, also known as cybersecurity or IT security, is the protection of computer systems from the theft or damage to the hardware, software or the information on them, as well as from disruption or misdirection of the services they provide. - Wikipedia
Cloudflare parser bug and its impact
Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines. For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug. This is a memory disclosure rather than a memory leak in the allocator sense: a parser bug made Cloudflare’s edge read past the end of a buffer and return neighbouring memory, which could contain other users’ private information, and some of that data had already been cached by search engines.
- Stupidity
- Using the wrong tools or using them in the wrong way.
- Unusual environments
And surely, this is an unusual environment: “So, the bug had been dormant for years until the internal feng shui of the buffers passed between NGINX filter modules changed with the introduction of cf-html.”
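As an added illustration of the bug class the post describes (this is not Cloudflare’s code, and it is simplified: Python cannot read past a real allocation, so the neighbouring request’s bytes are placed in the same constructed buffer), here is a tag scanner that stops only on `>` next to one that also stops at the end of its slice. The arena contents and the `END` offset are constructed for the example:

```python
from typing import Optional

# Constructed arena standing in for one shared buffer: the request being
# parsed occupies bytes [0, END) and everything after END belongs to another
# client. Not Cloudflare's code; it models the bug class, not their parser.
ARENA = b"<span Cookie: session=s3cr3t; csrf=9f1a>"
END = 5  # the parsed request is just b"<span": a tag with no closing '>'


def scan_tag_unchecked(buf: bytes, start: int, end: int) -> bytes:
    """Return the bytes between '<' and '>'. Stops only when it sees '>',
    never when it reaches `end`, so an unterminated tag makes it walk on
    into the neighbour's bytes and hand them back to this client."""
    if buf[start] != ord("<"):
        return b""
    p = start + 1
    while buf[p] != ord(">"):  # BUG: `end` is never consulted
        p += 1
    return buf[start + 1:p]


def scan_tag_checked(buf: bytes, start: int, end: int) -> Optional[bytes]:
    """Bounds-checked variant: every read stays inside [start, end), and an
    unterminated tag is reported as None rather than a best-effort answer."""
    if start >= end or buf[start] != ord("<"):
        return None
    for p in range(start + 1, end):
        if buf[p] == ord(">"):
            return buf[start + 1:p]
    return None  # input ended before '>'


def leaked_beyond_slice(buf: bytes, start: int, end: int) -> bytes:
    """The part of the unchecked scanner's answer that lies past `end`,
    i.e. data this client was never supposed to see."""
    body = scan_tag_unchecked(buf, start, end)
    in_slice = max(0, end - (start + 1))
    return body[in_slice:]


if __name__ == "__main__":
    print("unchecked:", scan_tag_unchecked(ARENA, 0, END))
    print("leaked   :", leaked_beyond_slice(ARENA, 0, END))
    print("checked  :", scan_tag_checked(ARENA, 0, END))
```

Two outcomes are possible for the unchecked version, and both are visible here: if a `>` happens to follow in neighbouring memory, the scanner silently returns someone else’s data (the case in the post); if none follows, Python raises `IndexError` where a native parser would crash into a guard page. The checked version turns both into an explicit parse error.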
Announcing the first SHA1 collision
Cryptographic hash functions like SHA-1 are a cryptographer’s swiss army knife. You’ll find that hashes play a role in browser security, managing code repositories, or even just detecting duplicate files in storage. Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for wide-spread use, finding two messages that lead to the same digest should be computationally infeasible. Over time however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power. Today, more than 20 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. Nothing is 100% secure. Technologies that look perfect, or at least secure, today may be obsolete within a few years, especially now that cloud infrastructure makes large amounts of computation cheap to rent.
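An added example, not from the Google announcement: a generic birthday search against SHA-1 truncated to 32 bits shows why collision resistance is bounded by roughly 2^(n/2) work even when the function has no flaw at all, and why a full 160-bit collision (about 2^80 generically) needed a cryptanalytic shortcut rather than just more machines. The `prefix` and the counter-based message layout are arbitrary choices for the example:

```python
import hashlib
import itertools
import math
from typing import Dict, Tuple


def truncated_sha1(msg: bytes, bits: int) -> int:
    """The leading `bits` of SHA-1(msg) as an integer: a toy hash that is
    short enough to collide on a laptop, built from the real function."""
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int, prefix: bytes = b"doc-") -> Tuple[bytes, bytes, int]:
    """Generic birthday search: hash distinct messages (prefix + counter)
    until two share a truncated digest. Returns (m1, m2, attempts). Works
    against any hash, because it exploits only the output size."""
    seen: Dict[int, bytes] = {}
    for i in itertools.count():
        msg = prefix + i.to_bytes(8, "big")
        h = truncated_sha1(msg, bits)
        if h in seen:  # seen[h] is a different message: counters never repeat
            return seen[h], msg, i + 1
        seen[h] = msg


def expected_attempts(bits: int) -> float:
    """Expected number of draws until the first collision among 2**bits
    equally likely outputs: sqrt(pi/2 * 2**bits), roughly 2**(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def same_digest(m1: bytes, m2: bytes, algo: str) -> bool:
    """Do two messages collide under a full hashlib algorithm?"""
    return hashlib.new(algo, m1).digest() == hashlib.new(algo, m2).digest()


if __name__ == "__main__":
    bits = 32
    m1, m2, n = find_collision(bits)
    print(f"{bits}-bit collision after {n} tries (expected ~{expected_attempts(bits):.0f})")
    print("full SHA-1 still differs:", not same_digest(m1, m2, "sha1"))
    print(f"same search on all 160 bits would need ~2^{math.log2(expected_attempts(160)):.1f} tries")
```

The two messages the search finds agree on their first 32 bits of SHA-1 and on nothing else, which is the point: the truncated digest is “broken” by output size alone, while the full digest only fell to an attack on the mathematics. Any system that relies on a short hash (or a short hash prefix) for integrity should be read with this search in mind.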
Learning Web Security Development from “Hacking GitHub” | CoolShell
Egor Homakov is a web-security evangelist. Two days ago he spent four hours hacking GitHub, reported five security bugs to GitHub, and earned $4,000 for it. We can learn about secure web development by following how he hacked GitHub. The author restates, in his own words, Egor Homakov’s approach and the five bugs mentioned in the original post, and reminds web developers to stay alert to and keep learning about security; see also the author’s annotated translation “What You Need to Know about Web Development” (《Web开发中的你需要了解的东西》).
Ruby on Rails Security Guide — Ruby on Rails Guides
This manual describes common security problems in web applications and how to avoid them with Rails. After reading this guide, you will know:
- All countermeasures that are highlighted.
- The concept of sessions in Rails, what to put in there and popular attack methods.
- How just visiting a site can be a security problem (with CSRF).
- What you have to pay attention to when working with files or providing an administration interface.
- How to manage users: Logging in and out and attack methods on all layers.
- And the most popular injection attack methods.
Learn the common security problems in Rails applications and their countermeasures. There is also a pragmatic Security Guide for Developers repo on GitHub with a checklist of the most common issues to help you build more secure systems.
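An added example (not from the Rails guide) of the “just visiting a site” problem and the synchronizer-token countermeasure Rails applies by default: an email-change handler that trusts the session cookie alone, beside one that also demands the per-session `authenticity_token` the server embedded in its own form. The session store, the user data and the attacker’s form body are constructed for the example:

```python
import hmac
import secrets
from typing import Dict

# In-memory session store keyed by the session cookie value. Constructed for
# the example; a real app keeps this server-side (in Rails, the session).
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session() -> str:
    """Log 'alice' in and return the cookie value her browser will send."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "alice", "email": "alice@example.com"}
    return sid


def current_email(sid: str) -> str:
    return SESSIONS[sid]["email"]


def render_form(sid: str) -> str:
    """Issue a per-session anti-CSRF token and embed it in the form. Only a
    page served from this origin can read it back out of the HTML."""
    token = SESSIONS[sid].setdefault("csrf_token", secrets.token_urlsafe(32))
    return f'<input type="hidden" name="authenticity_token" value="{token}">'


def change_email_vulnerable(cookie_sid: str, form: Dict[str, str]) -> bool:
    """Trusts the cookie alone. A form auto-submitted from another site is
    sent by the victim's browser WITH the victim's cookie, so it succeeds."""
    session = SESSIONS.get(cookie_sid)
    if not session:
        return False
    session["email"] = form["email"]
    return True


def change_email_protected(cookie_sid: str, form: Dict[str, str]) -> bool:
    """Also requires the token that was issued into the form; the attacker's
    page cannot read it (same-origin policy), so the request is rejected."""
    session = SESSIONS.get(cookie_sid)
    if not session:
        return False
    expected = session.get("csrf_token")
    supplied = form.get("authenticity_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False  # Rails raises InvalidAuthenticityToken here
    session["email"] = form["email"]
    return True


def attacker_form_body() -> Dict[str, str]:
    """What an auto-submitting form on evil.example sends through the victim's
    browser: any fields it likes, but not a token it has never seen."""
    return {"email": "attacker@evil.example"}


if __name__ == "__main__":
    sid = new_session()
    print("vulnerable handler accepted:", change_email_vulnerable(sid, attacker_form_body()))
    print("protected handler accepted: ", change_email_protected(sid, attacker_form_body()))
```

The comparison is done with `hmac.compare_digest` so that a wrong token takes the same time to reject regardless of how many leading characters matched; the token itself is only as good as the session it lives in, which is why the guide treats session management and CSRF together.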
Newbie: Intro to cron
Cron is the name of a program that enables Unix users to execute commands or scripts (groups of commands) automatically at a specified time/date. This file is an introduction to cron; it covers the basics of what cron does and how to use it. Cron jobs are very easy to use, but you may still learn something new.
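An added example, not from the cron introduction: a matcher for the five crontab time fields, so you can check exactly which minutes an entry such as `*/15 2-4 * * 1-5` fires on before installing it. It follows the classic Vixie cron rules (lists, ranges, steps, `7` as a second spelling of Sunday, and the either-or rule when both day fields are restricted); `@reboot`-style shortcuts and the command field are out of scope here:

```python
from datetime import datetime
from typing import List, Set

# (low, high) bounds of the five crontab time fields:
# minute, hour, day-of-month, month, day-of-week.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(spec: str, lo: int, hi: int) -> Set[int]:
    """Expand one field ('*', '*/15', '1,15', '2-4', '1-5/2') into the set
    of integer values it matches."""
    values: Set[int] = set()
    for item in spec.split(","):
        step = 1
        if "/" in item:
            item, step_text = item.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {spec!r}")
        if item == "*":
            start, end = lo, hi
        elif "-" in item:
            a, b = item.split("-", 1)
            start, end = int(a), int(b)
        elif step != 1:
            start, end = int(item), hi  # "5/15" read as "5-<hi>/15", as some crons do
        else:
            start = end = int(item)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{item!r} out of range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def cron_matches(expr: str, when: datetime) -> bool:
    """Would a crontab line with these five time fields fire at `when`?"""
    fields: List[str] = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    minute, hour, dom, month, dow = (
        expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)
    )
    if 7 in dow:  # both 0 and 7 mean Sunday
        dow = (dow - {7}) | {0}
    if when.minute not in minute or when.hour not in hour or when.month not in month:
        return False
    dom_ok = when.day in dom
    dow_ok = (when.isoweekday() % 7) in dow  # isoweekday Mon=1..Sun=7 -> cron Sun=0
    # Vixie cron rule: when BOTH day fields are restricted (neither starts
    # with '*'), the entry fires if EITHER matches; otherwise both must.
    if not fields[2].startswith("*") and not fields[4].startswith("*"):
        return dom_ok or dow_ok
    return dom_ok and dow_ok


def cron_matches_at(expr: str, year: int, month: int, day: int, hour: int, minute: int) -> bool:
    """Convenience wrapper taking the timestamp as plain integers."""
    return cron_matches(expr, datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    entry = "*/15 2-4 * * 1-5"
    for hour in range(1, 6):
        for minute in range(0, 60, 15):
            if cron_matches_at(entry, 2017, 2, 27, hour, minute):
                print(f"{entry!r} fires at 2017-02-27 {hour:02d}:{minute:02d}")
```

The either-or rule for the two day fields is the part most people get wrong: `30 4 1,15 * 5` runs on the 1st, the 15th, and every Friday, not only on Fridays that fall on the 1st or 15th.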
How To Install and Configure Postfix on Ubuntu 16.04 | DigitalOcean
Postfix is a popular open-source Mail Transfer Agent (MTA) that can be used to route and deliver email on a Linux system. It is estimated that around 25% of public mail servers on the internet run Postfix. In this guide, we’ll teach you how to get up and running quickly with Postfix on an Ubuntu 16.04 server. This gives you basic MTA functionality to get started, and with dynamic aliases you can receive email sent by your own servers.
Year-end roundup: a personal experience report on Chinese IaaS clouds
2015 is said to have been the first year of cloud computing in China, and for me it was also the year I started using cloud services in earnest. This article looks at the user experience of the current mainstream domestic IaaS clouds from a personal perspective only, mainly covering the functional abstractions each vendor offers, the management console and the billing model; it does not cover the following:
Cloud services have indeed lowered the barrier to entry and are becoming more and more widespread. But on one hand they lack standards or best practices, and every vendor does things differently; on the other hand a cloud service is a black box whose inner workings an ordinary user cannot inspect.
Redis persistence demystified
It is very important for a developer to have a feeling about what the community of users, and the community of non users, think about the product he is developing. And my feeling is that there is no Redis feature that is as misunderstood as its persistence.
In this blog post I’ll do an effort to be truly impartial: no advertising of Redis, no attempt to skip the details that may put Redis in a bad light. All I want is simply to provide a clear, understandable picture of how Redis persistence works, how reliable it is, and how it compares to other database systems. Demystifies the two Redis persistence modes, RDB snapshots and the AOF log.
BCrypt: Hash Passwords Correctly - Matthew James Davis
BCrypt is not the best algorithm out there; however, it is sufficient for the large majority of use cases, and it is just as easy to implement, if not easier, than the basic hash-and-salt method. What sets BCrypt apart is that instead of the more typical SHA-* algorithm, it leverages the Blowfish algorithm, which has the advantage of being much slower in parallel. Since users log in one-at-a-time, this makes it much harder for attackers, who will test numerous passwords, to beat the algorithm. It is a password-hashing function built on a different approach from a plain digest: the work factor is tunable, so you can slow down brute-force attacks as hardware gets faster.
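An added example of the tunable-work-factor idea the post credits to bcrypt. It is not bcrypt (Python’s standard library has none) and uses PBKDF2-HMAC-SHA256 as a stand-in, with `cost` as log2 of the iteration count in the same way bcrypt’s work factor is log2 of its rounds; the `$algo$cost$salt$hash` storage format is this example’s own, chosen so the cost can be read back and raised later:

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Stand-in algorithm. The shape (salted, slow, cost stored with the hash,
# constant-time verify) is what matters; swap in bcrypt/scrypt/Argon2 in
# production.
ALGO = "pbkdf2-sha256"


def hash_password(password: str, cost: int = 14, salt: Optional[bytes] = None) -> str:
    """Hash with 2**cost iterations and a fresh 16-byte salt, and store the
    cost alongside so verification (and future upgrades) can read it back."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt: equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return "$".join(["", ALGO, str(cost),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    _, algo, cost_text, salt_b64, dk_b64 = stored.split("$")
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** int(cost_text))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_cost: int) -> bool:
    """True when the hash was made with a lower cost than policy now requires.
    Rehash with the plaintext you have at the user's next successful login."""
    return int(stored.split("$")[2]) < min_cost


def guesses_per_second(cost: int, samples: int = 3) -> float:
    """Measure how many candidate passwords this machine can test per second
    at a given cost. Each +1 on cost halves the attacker's rate."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, salt, 2 ** cost)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple", cost=12)
    print(stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("needs rehash at policy cost 14:", needs_rehash(stored, 14))
    for c in (10, 12, 14):
        print(f"cost {c}: ~{guesses_per_second(c):,.0f} guesses/s on this machine")
```

Pick the cost by measurement, not folklore: the target is the slowest login your users will tolerate (tens to a few hundred milliseconds), re-measured every year or two and bumped via `needs_rehash`. The same reasoning applies to bcrypt’s work factor, which is why the post calls it a parameter rather than a constant.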
“Brain-Burning 24 Hours” Season 6: The Monkey King in the Laser - Tencent Security Joint Labs
To keep its systems secure, a tech company tries something new and invites security experts to stage an attack-and-defence battle. As the duel escalates, how does the security expert turn into the “Monkey King” and break through the company’s defences? The experts come from Tencent’s Xuanwu Lab, which found a serious security vulnerability that had affected the entire barcode-reader industry for twenty years, and was the first in the world to break into a system by shining a laser at it. Scanning random codes really is dangerous!