Xerox Repair Services – Reliable Choice of Professionals

Hp 3000 Series realm Of Feature-rich Computers

Kim Kardashian And APTs

On Wednesday, American footwear company Skechers agreed to pay the US Federal Trade Commission $40 million. This settlement resulted from a series of commercials that deceived consumers claiming that the Shape-Ups shoe line would "help people lose weight, and strengthen and tone their buttocks, legs and abdominal muscles." Professional celebrity Kim Kardashian appeared in a 2011 Super Bowl commercial personally endorsing the health benefits of these shoes.

This settlement was part of an ongoing FTC campaign to "stop overhyped advertising claims." A similar effort would serve the information security community well. For example, one particular claim that causes me frequent grief is: "solution X detects and prevents advanced persistent threats." It is hard, dare I say impossible, to work in information security and not have heard similar assertions. I have heard it twice this week already, and these claims make my brain hurt.

Hp Repair Contract – Forward-Looking Step towards Mental Peace

Carwasher. Net: CWE&S Excellent Services And Maintenance

Law Office Printers | Law Office Technology & Marketing

HDS Blogs: Storage Virtualization to Reduce Cost of Copies – The …

The View From Here: Where do you draw the line on securing your …

Year Of Security for Java – Week 20 – Trust Nothing

What is it and why should I care?
While trust spawns interesting philosophical discussions, here I want to discuss the implications of trust within the applications we build. Trust is a funny thing in that we implicitly give it frequently without considering what we’re trusting. A simple example:

//bad bad do not use
executeDbQuery("select * from my_table where id = " + request.getParameter("my_id"));
//bad bad do not use

Here we’ve said that we trust that the user of the application has not tampered with the my_id request parameter in any way that may cause problems for our application. Obviously this is a poor assumption. We can do better by moving the above query to a prepared statement with parameter binding to prevent SQL injection and we can also validate the my_id parameter for appropriate input, but why do we do that?

It’s because we don’t trust the input to our system. We don’t (and shouldn’t) trust that a user or system is going to use our application in the way we would expect, or even the ways we’ve thought of necessarily (a good reason against blacklisting for security). We must build systems that not only are functional (use) but stand up under attack (abuse) or ignorant usage. Our systems must be robust or as some have called it, rugged. Whatever your term, the idea of trust is either explicitly or implicitly central to the idea. We can’t trust the environment.

If we can’t trust the environment, what does that mean? Does that mean we deal with XSS and SQLi? Yes, but much more than that, it’s a different way of thinking about the application. It becomes that simple picture of input-processing-output at varying levels of scope. A single request has inputs (request parameters, headers, database input, etc.), processing (authn/z, logic, etc.) and outputs (DB, screen, file, etc.). The application as a whole has inputs, processing and outputs that are essentially the combination of all the individual components of the application, and then you can scale on up to systems and organizations.

The “environment” I’m referring to changes depending on your specific situation, and it’s difficult to say that you simply can’t trust anything, because that’s usually a non-starter. You may have to trust your configuration files or your external SSO system, or any number of other entities. The idea is that you specifically label those things as trusted (an assumption) and treat everything else as being tainted.

These types of issues are considered in threat modelling, which is another planned topic in this series. For now, it’s sufficient to simply note that you should be thinking in terms of what data am I taking in, processing and sending out?

What should I do about it?
Now that we’ve established the environment can’t be trusted, the next logical question is what constitutes the environment?

This could be a long answer depending on your setup, but a decent starting list for web applications in particular might look like the following:

• web request data (parameters, headers, body, cookies)
• database data
• directory data (ldap)
• filesystem data
• web service data (any data in headers or body)
• external system data (any data you receive from another system – software you’re integrating with)
• network connection data (any data you receive while acting as the “server” – generally socket-based communication)
• user input (command line input)
• system environment variables
• third party software (libraries that you call that provide you data)

This list is incomplete I’m sure, but the idea is there. Any data you receive from any of these users or systems is generally untrusted, possibly with certain organization/application-specific well defined exceptions. When you start to view your applications in this way, you start to build better protections around them. You build better defences, and better logging/auditing so that you can detect when something actually does break (it will, I promise). However, thinking in this way can go a long way to helping you build safer and more secure systems.

References
———–
http://www.ruggedsoftware.org/
http://www.schneier.com/book-lo.html
http://en.wikipedia.org/wiki/Robustness_principle
http://www.jtmelton.com/2012/05/01/year-of-security-for-java-week-18-perform-application-layer-intrusion-detection/
http://www.jtmelton.com/2012/04/10/year-of-security-for-java-week-15-audit-security-related-events/

Technorati Tags: Trust Nothing

Best of your business phone system hardware | the down coats cheap

Is The Time Right To Spread Your Risk?

For many years, security professionals have lived by the three pillars of risk management - AVOID, TREAT, ACCEPT. These great tenets have served the profession well, enabling CISOs to build appropriately secure networks at a tolerable level of cost. Unfortunately, as evidenced by the litany of security breaches we have seen over the past 12 months, it's clear that the landscape is changing. More than ever before, security is clearly a 'no-win' game.

The high profile attackers, state-sponsored or otherwise, are one threat - but it goes deeper than this. The keys to the kingdom are no longer in the hands of the generals and policy makers; their decisions and discussions are enabled by email, IM and IP telephony, all of which sit firmly in the domain of the IT department and system admin - and stressed, poorly paid employees do not make the ideal custodians of such critical information. As an example, Anonymous claims to have access to every classified government database in the US, but they didn't hack them - disaffected system administrators and employees simply opened the doors for them, or sent them the access codes.

As the broadening gap between our ambitions for a secure enterprise and our abilities to deliver on such a vision become self-evident, the time has come to pay equal attention to the poor cousin of risk management, "TRANSFER." For many CISOs, risk transference is a topic that is largely theoretical as, even when a task is outsourced, the risk associated with a breach commonly remains with the data owning organisation. Cyber insurance offers a different solution.

PC Peripherals » Cisco SMARTnet Hardware and Software …

How To Deal With A Wet Basement » Articles Alternative

City of Napa, Calif., Forms Insourcing Agreement With Ambulance …

University of New Brunswick Hacked, Login Data Leaked

Laser Printer – Ultra-Fast & Affordable Printing Brand

Do You Need Accounting Software For Your Small Business …

VERUS Specialist, Multilingual OCR Computer software (5000 …

Xerox Repair – Expansion of Printing Maintenance

Negotiating Oracle year-end deals

Basin Futures Articles » Businesses Are Shifting To Cloud Hosting In …

Active Resource Management – Choosing Maintenance Services …

Six reasons not to use the VoIP Internet telephony, Internet …

Oracle JD Edwards World Announces Release A9.3

How we leveraged the Oracle Fusion Applications User Experience Patterns in JD Edwards

Do You Need Accounting Software For Your Small Business? | Articles

Difference between Oracle’s Exadata and Exalogic

Oracle Exadata (Oracle Exadata Database Machine) is strictly a data processing solution offered by Oracle. Initially conceived and promoted as a solution for mainly large data warehouse data load processing, Oracle now boldly proclaims that Exadata is suitable for high concurrency OLTP applications as well. It’s important to understand that Exadata isn’t something you use in addition to your current Oracle databases – rather, it comes with its own prepackaged Linux based Oracle database. Exadata is a prepackaged box that consists of the Oracle Exadata Storage Server software , Oracle Database 11g software, in addition to Sun branded hardware (RAM and CPUs) and Infiniband network technology software. Oracle’s claims of ultra fast data processing with Exadata are well supported by actual field experience of several companies, making this a really big success for Oracle Corporation. In addition to enabling fast processing of heavy amounts of data, Exadata also helps you consolidate multiple Oracle databases into a single easily manageable system. It’s important to note that the Exadata package (servers, software, network and storage) is completely preoptimized and preconfigured by Oracle.

If you’re running high volume, mission critical OLTP applications, or if you are having problems making sure that your current Oracle databases can crunch through heavy loads of warehouse data, it’s time to take a close look at Exadata – it’s more than likely that you’ll be surprised at the ease with which you can transition to Exadata from your current Oracle database based applications. Oracle claims that you’ll need fewer CPUs to run Exadata as compared to a non-Exadata solution. Exadata is configured in a balanced format, in units of “Racks” that are similar to standard data center rack configurations – you can purchase a quarter, half or a full rack and you can easily upgrade to more processing power by ordering additional Exadata racks.

Oracle Exalogic (Oracle Exadata Elastic Cloud) is also an “engineered system” and is similar to Exadata in the sense that it’s also a prepackaged hardware plus software solution, designed to be managed and monitored as a single stack. However, the main purpose of Exalogic isn’t data crunching – it’s an engineered system designed to provide high performance for Oracle middleware using custom Java EE applications, Oracle Applications and similar enterprise level applications.

Both Exadata and Exalogic are part of Oracle’s new paradigm of “purpose built systems” that provide pretested and preconfigured standardized sets of hardware, smart storage, and network and software components. The key goals are easy implementation, high speed processing and easy scalability on demand. The fundamental idea behind Oracle’s engineered systems – that standardizing and optimizing al the components will provide a higher performance through the exploitation of the synergies among the various components seems to be borne by the experience of users..

The art of saving money, or how to do more with less… – Mainframe …

Characteristics Of A Good Home Healthcare Software

Why do the French get it for free?

What do they get for free you ask? Patent licenses. That’s right, costly patent licenses don’t apply to French developers. How did this information all of a sudden come to light? With the anticipation of Windows 8 being shipped by Microsoft, minus the popular Media Center installed, the blogs are a chatter about an alternative to Media Center. A French developer has created a completely free program called VLC Media Player. It comes highly recommended and is completely 100% free. VLC Media Player is not subject to MPEG-2 licensing fees…nice huh?

This kind of thing would never fly in the United States, but because the developer is French and considered a non-profit (as it began as a student project), it is out of the reach of lawmakers in the U.S.

While this goes against everything Copyright law was created to prevent – what does it mean for us? Free Media player for Windows 8!