‘Security’ Archive

Disable Komodo IDE debugger (bound to 0.0.0.0, run by default) 2016-03-14 No Comments

Komodo IDE starts a debugger bound to 0.0.0.0, by default. Maker ActiveState’s reaction was rather irritating to me at the time when I asked for an option to bind to 127.0.0.1, instead (update: page offline by now). I can no longer add links to that post, but I can link to my demo Komodo IDE […]

Fwd: The Case of the Modified Binaries / Downloading binaries through plain http:// 2015-08-24 No Comments

It seems I forgot to forward this when it blew my mind the first time. If you still need a reason to not download binaries from http:// URLs, this is it: The Case of the Modified Binaries http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/ While SourceForge is another story, they are an example of a website offering binaries through plain http://, […]

Fwd: One in every 600 websites has .git exposed 2015-07-27 No Comments

One in every 600 websites has .git exposed http://www.jamiembrown.com/blog/one-in-every-600-websites-has-git-exposed/

Fwd: Hacking Team: a zero-day market case study / Adobe Flash 2015-07-25 No Comments

I ran into this on Twitter, found it a very interesting read. Hacking Team: a zero-day market case study

Comment vulnerability in WordPress 4.2 2015-04-27 No Comments

Hanno Böck tweeted about WordPress 4.2 Stored XSS rather recently. The short version is: if an attacker can comment on your blog, your blog is owned. Since the latest release is affected and is the version I am using, I have been looking for a way to disable comments globally, at least until a fix […]

Apache AddHandler/AddType vulnerability: Magento <1.9.1 affected 2015-04-26 No Comments

I ran into an example of a web application vulnerable to Apache AddHandler/AddType misconfiguration by chance today. The release notes of Magento Community Edition 1.9.1 point to a remote code execution vulnerability. Interestingly, the section Determining Your Vulnerability to the File System Attack is precisely a switch from AddHandler to SetHandler. Fantastic! Let’s see if […]

“Your browser fingerprint appears to be unique among the 5,198,585 tested so far”. What?! 2015-04-11 7 Comments

While https://panopticlick.eff.org/ is not really new, I learned about that site only recently. And while I knew that browser self-identification would reduce my anonymity on the Internet, I didn’t expect this result: Your browser fingerprint appears to be unique among the 5,198,585 tested so far. Wow. Why? Let’s try one of the other browsers I […]

Fwd: The Perl Jam: Exploiting a 20 Year-old Vulnerability [31c3] 2015-01-10 No Comments

I finally took the time to watch The Perl Jam: Exploiting a 20 Year-old Vulnerability [31c3]. Oh, my, god.

Fwd: Chrome Plans to Mark All ‘HTTP’ Traffic as Insecure from 2015 2015-01-01 1 Comment

I’ve been waiting for this (without knowing): Chrome Plans to Mark All ‘HTTP’ Traffic as Insecure from 2015 I hope it will increase the pressure on websites to turn to SSL that so far are still ignoring the issue. A few coming to my mind: BSR Shop — no SSL at all Finya — no […]

On safe-mail.net free, anonymous e-mail 2013-10-05 No Comments

Since lavabit.com went down, I have been looking for a substitute: a mail provider with an anonymous set-up process, IMAP support, SSL support, free of cost. hushmail.com reserves IMAP access to paying customers. With safe-mail.net it is the other way around: SMTP access is reserved to paying customers, IMAP is not. So it is a good […]