Free Ebook Manual Download

Programming, Automotive, Hardware, Gadget

SAML V2.0 Executive Overview

SAML, developed by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS), is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application.

XML Web Services provide a flexible API for building distributed systems as a collection of endpoints that can send and receive SOAP messages. These systems are secured using message-based cryptographic mechanisms defined in a series of specifications developed by Microsoft, IBM, and others. Such home-grown security protocols often go wrong; they are prone to a well-known class of attacks, formalized by Dolev and Yao, where an attacker can intercept, modify, and replay messages. The vulnerability is only increased by the flexible message formats and complex trust configurations allowed by the standards. Our goal is to verify the security of families of protocol configurations, such as those deployed for Microsoft’s WSE and Indigo web services implementations.

E-commerce, pay-per-use online services, user-authentication and tracking for e-learning, online gaming, contests… What do all of these applications have in common? The need for secure transfer of encrypted data between client workstations and server applications. According to a study by Gartner Consulting, the growing concern for Internet security parallels the evolution of e-business. In the earliest days of Internet development, the emphasis was on distributing content over the web and making it available to anyone. Now, as the Internet matures, clients are more concerned with ensuring that their assets, both monetary and intellectual, are protected from those who may commit fraud or abuse them. This is why more and more developers have been looking for security solutions.

SSH (Secure SHell) is a network protocol which provides a replacement for insecure remote login and command execution facilities, such as telnet, rlogin and rsh. SSH encrypts traffic in both directions, preventing traffic sniffing and password theft. SSH also offers several additional useful features:
• Compression: traffic may be optionally compressed at the stream level.
• Public key authentication: optionally replacing password authentication.
• Authentication of the server: making “man-in-the-middle” attacks more difficult.
• Port forwarding: arbitrary TCP sessions can be forwarded over an SSH connection.
• X11 forwarding: SSH can forward your X11 sessions too.
• File transfer: the SSH protocol family includes two file transfer protocols.

This proposal aims to create a module that implements the GData protocol specification in Drupal. The Google data APIs provide a simple standard protocol, called “GData”, for reading and writing data on the web using either of two standard XML-based syndication formats: Atom or RSS. This module will handle all the basic stuff a developer shouldn’t have to worry about when developing modules that extend its functionality such as data transfer, protocol adherence, and authentication. It will expose its own API which will allow other developers to create modules that easily interact with information provided by Google’s many service APIs. Using this module, module developers who need access to this information need only concern themselves with what’s important: the data.

The Amazon Inventory Management (AIM) API provides a secure and automated method to upload inventory and manage orders on Amazon.com Marketplace, zShops and Seller Central. This guide provides a detailed description of this API.

Amazon Inventory Management API provides a secure and automated method to upload inventory and manage orders on Amazon.com Marketplace, or on Seller Central for upgraded accounts. Sellers can use the API to execute the following operations:
• Upload Inventory
• Generate and download Order Reports

With Active Directory, Microsoft has provided administrators with a powerful directory service to organize network data and to control access to network resources from a central point. However, “powerful” by necessity also means complex, and the complexity of Active Directory has probably contributed to slowing down the rollout of Windows 2000 and 2003 servers. Initially, many organizations found simply migrating their flat NT4 domain structures into a more sophisticated Active Directory wrapping to be a significant challenge. By now, many have defined their Active Directory Forests, survived an often cumbersome deployment process, and seen their directories mature into efficient tools for centralized administration. Policies have become the levers of network management, and, as a result, Active Directory has become a repository holding extremely sensitive data.

The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP connections over TCP/IP links. In this paper we analyze Microsoft’s Windows NT implementation of PPTP. We show how to break both the challenge/response authentication protocol (Microsoft CHAP) and the RC4 encryption protocol (MPPE), as well as how to attack the control channel in Microsoft’s implementation. These attacks do not necessarily break PPTP, but only Microsoft’s implementation of the protocol.
