We present a practical protection mechanism against SQL injection attacks. Such attacks target databases that are accessible through a web front-end, and take advantage of flaws in the input validation logic of Web components such as CGI scripts. We apply the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker. Queries injected by the attacker will be caught and terminated by the database parser. We show how to use this technique with the MySQL database using an intermediary proxy that translates the random SQL to its standard language. Our mechanism imposes negligible performance overhead to query processing and can be easily retrofitted to existing systems.
Read the rest of this entry »

• 0 Comments

Although traditional firewalls have effectively prevented network-level attacks, most future attacks will be at the application level, where current security mechanisms are woefully inadequate. Application-level security vulnerabilities are inherent in a Web application’s code, regardless of the technology in which the application is implemented or the security of the Web server and backend database on which it is built. A recent advisory published by Internet Security Systems (see the “Internet Resources” sidebar, p. 44) claims that 11 widely deployed shopping cart applications are vulnerable to a simple attack that lets hackers pur- chase goods for much less than their listed price. Worryingly, the attack does not require particular technical skill; it suffices to save the shopping cart’s HTML confirmation form to disk, use a text editor to modify the price of the goods (stored in a hidden form field), and load the HTML form back into the browser.
Read the rest of this entry »

• 0 Comments

A Word About Secure Database Access
Unfortunately, this database access code exhibits insecurities of its own. For example, you should never use the sa account (or an equivalent) to access databases from Web applications. Instead, use weak accounts that lack permission to drop tables, insert, update, and delete records, and the like. In addition, you should use stored procedures or parameterized commands in lieu of dynamic SQL commands for added protection against malicious input parameters. Finally, consider encrypting database connection strings to minimize the risk of information disclosure if your source code falls into the wrong hands. And note that truly paranoid ASP.NET programmers encrypt connection strings and store them in ACLed registry keys. When it comes to Web security, a little paranoia can be a good thing.
Read the rest of this entry »

• 0 Comments

This paper details various security concerns and risks associated with web 2.0 technologies such as Asynchronous Java script and XML (AJAX), Syndication, aggregation and notification of data in RSS or Atom feeds, mashups created by merging content from different sources. This paper also describes the security implications leading with the usage of web 2.0 technologies such as AJAX, RSS, and Mashups. Increase in application functionality leading to the emerging new web technologies (web 2.0). These new web technologies open more avenues to security threats to the online applications and users. Efficient protection mechanisms should be considered when dealing with web 2.0 technologies usage.
Read the rest of this entry »

• 0 Comments

The TL-WA501G 54Mbps Wireless Access Point is the basic building block of a wireless LAN infrastructure. It provides connectivity between Ethernet wired networks and radio-equipped wireless notebook systems, desktop systems, print servers, and other devices.

The TL-WA501G 54Mbps Wireless Access Point acts as a bridge between the wired LAN and wireless clients. Connecting multiple TL-WA501G Access Points via a wired Ethernet backbone can further lengthen the wireless network coverage. As a mobile computing device moves out of the range of one access point, it moves into the range of another. As a result, wireless clients can freely roam from one Access Point to another and still maintain seamless connection to the network.
Read the rest of this entry »

• 0 Comments

When you use your client adapter with the Mac OS operating system, you can protect your data as it is transmitted through your wireless network by encrypting it through the use of Wired Equivalent Privacy (WEP) encryption keys. With WEP encryption, the transmitting device encrypts each packet with a WEP key, and the receiving device uses that same key to decrypt each packet.
Read the rest of this entry »

• 0 Comments

Whether at home and in the office, each day we save an increasing amount of data (documents, worksheets, contracts, pictures, drawings, projects, videos, music, etc.). Protecting this data is essential but, at times, we only realize this when it’s too late. Today, traditional backup devices (DVD, external HD, USB keys, floppy disks, etc.) have become obsolete since unreliable, costly and inconvenient. A new service is now on the market that promises to revolutionize how we protect and organize our files: Online Backup. The purpose of this guide is to help you select the Online Backup service that best meets your business or home needs.
Read the rest of this entry »

• 0 Comments

A database manager is a computer program for storing information in an easily retrievable form. It is used mainly to store text and numbers (for example, the Library catalogue, which includes the author, title, class number and accession number for each book). Most modern database managers also allow the storage of other types of information such as dates, hyperlinks, pictures and sounds. As well as being able to store data, a database allows you to select information quickly and easily (for example, a list of the books written by a particular author or those on a certain subject). Finally, it may allow you to produce printed summaries (reports) of the information selected.
Read the rest of this entry »

• 0 Comments