Security DevCenter


Security DevCenter Articles


CAS+: Single Sign-On With Jifty (Part 2) by Andrew Sterling Hanenkamp
In the second and final part of this series, Andrew Sterling Hanenkamp goes under the hood of his single sign-on tool, CAS+, and shows how it actually works. Along the way, there's lots of useful information about the underlying mechanisms that make all SSO solutions purr. 06/14/2007

A BSD Rootkit Primer by Federico Biancuzzi
We've all heard about Windows Rootkits, but open source operating systems aren't immune either. In this edition of Federico Biancuzzi's periodic BSD Interview series, he talks to Joseph Kong, author of Designing BSD Rootkits about creating and defending against rootkits. 05/31/2007

CAS+: Single Sign-On with Jifty (Part 1) by Andrew Sterling Hanenkamp
Single Sign-On (SSO) authentication is a necessary component of most enterprise infrastructures. No one wants to supply credentials more than once, and centralizing authentication reduces the number of places password data needs to be duplicated. Andrew Sterling Hanenkamp introduces us to CAS+, a single sign-on solution for Jifty in the first part of a two-part series. 05/31/2007

Greylisting with PF by Dan Langille
Greylisting--delaying mail delivery briefly per the SMTP RFCs--is an effective way to reduce the amount of incoming spam. While many greylisting solutions require customization of your SMTP server, OpenBSD's PF can do it too. Dan Langille shows how to use the powerful packet filter to identify and pass legitimate mail, delay and divert potential spammers, and throw in some OS fingerprinting to ward off certain zombie clients. 01/18/2007

Caching Dynamic Content with Apache httpd by Rich Bowen
Dynamic websites tend to be easier to manage than large collections of similar static files, but they often get many times more reads than they do writes. Every database hit and page generation can eat up precious CPU cycles. Rich Bowen shows off mod_cache, which trades disk space or memory for CPU and can help improve performance on your servers. 11/16/2006

Detecting Web Application Security Vulnerabilities by Shreeraj Shah
Your web application is only as secure as the data coming in, and how you treat user input determines how secure you are. A little bit of thought and Python programming can help you analyze potential vulnerabilities in your code; Shreeraj Shah demonstrates. 11/02/2006

OpenBSD 4.0: Pufferix's Adventures by Federico Biancuzzi
On October 18th, OpenBSD celebrated its 11th birthday. Now it's time for the release of OpenBSD 4.0. To celebrate both milestones, Federico Biancuzzi interviewed over 20 developers to discuss the new features of this release and the continual work to get hardware specifications from vendors. 10/26/2006

Managing a Honeypot by Peter Mikhalenko
If intruders are always scanning the Internet for potential victims--and they are--can you find the intruders and their exploits by putting up fake networks that only a deliberate scan could find? That's the theory behind honeypots. Peter Mikhalenko discusses the implementation, theory, and legality of using a honeypot to protect your network. 09/28/2006

How Shellcodes Work by Peter Mikhalenko
Buffer overflow problems are well-known. Fewer people know how exploits can help attackers execute their malware through buffer overflows and other holes. Peter Mikhalenko walks through the construction and refinement of a shellcode to show how they work so that you can protect your machines. 05/18/2006

What Is Wireless Security by Swayam Prakasha
Wireless LANs have evolved into more affordable and logistically acceptable alternatives to wired LANs. But to take advantage of their benefits, your company's wireless network needs to be properly secured. This article covers the types of attacks wireless networks encounter, preventive measures to reduce the chance of attack, guidelines administrators can follow to protect their wireless LANs, and an excellent supply of online resources for setting up a secure wireless network. 03/30/2006

Building Detailed Network Reports with Netflow by Michael W. Lucas
You can trace every packet on your network from source to destination, if you really want to. Having all of this information is useless unless you can actually find what you need to know. Netflow not only helps record traffic information but also can help you report on just the types of packets you want. Michael W. Lucas demonstrates. 10/27/2005

Assessing Web App Security with Mozilla by Shreeraj Shah
If your web application expects only that users always follow instructions and can never do anything other than what you want, it's probably insecure. You might find it surprising how much information your app exposes to a potentially hostile world. Shreeraj Shah demonstrates how to use Mozilla's LiveHTTPHeaders extension to see what your app does and probe it for vulnerabilities. 10/20/2005

Michal Zalewski on the Wire by Federico Biancuzzi
What motivates a hacker? Perhaps curiosity, the pursuit of knowledge, and the simple joy of saying "Hmm, that's funny! What happens if I ...?" Eccentric security researcher Michal Zalewski exhibits these traits. Fearless interviewer Federico Biancuzzi recently talked with Zalewski about his curious approach to computer security, the need for randomness, and how the hacker mind works. 08/25/2005

Important Notice for Security DevCenter Readers About O'Reilly RSS and Atom Feeds

O'Reilly Media, Inc. is rolling out a new syndication mechanism that provides greater control over the content we publish online. You'll notice some improvements immediately, such as better standards compliance, graphical tiles accompanying article descriptions, and enclosure support for podcatching applications. We've tested the new feeds using a variety of popular newsreaders and aggregators, but we realize that there may be a few bumps along the way. If you experience problems, please don't hesitate to send mail to Please include detail about your operating system and reader applications. We also welcome your suggestions. Thank you for your continued support of the Security DevCenter.

The following URLs represent the Security DevCenter's article and weblog content in a variety of popular formats:

Atom 1.0
RSS 1.0
RSS 2.0

We will begin automatically redirecting the existing feeds to the new feeds above, but we recommend that you update your feedreader's subscription settings to ensure continuous and uninterrupted service.

O'Reilly Media, Inc.'s Online Publishing Group


Information Security with Colin Percival by Michael W. Lucas
The recent disclosure of side-channel techniques to retrieve cryptographic secrets on hyperthreading machines caused stirs in security and operating system development communities. Colin Percival, a FreeBSD security officer, reported the vulnerability and weathered the questions and criticisms. Michael W. Lucas recently interviewed him on this vulnerability, vendors' responses, and security research. 07/21/2005

Securing Web Services with mod_security by Shreeraj Shah
Web services build atop HTTP to allow more flexible applications. However, their flexibility and ubiquity do not always protect against vulnerabilities due to the way HTTP works. Fortunately, the mod_security module and some planning can block potential attacks at both the protocol and application level before they start. Shreeraj Shah explains. 06/09/2005

Anatomy of an Attack: The Five Ps by Kerry J. Cox, Christopher Gerg
The five Ps--Probe, Penetrate, Persist, Propagate, and Paralyze--represent a model of how a security attack progresses. In this excerpt from Managing Security with Snort & IDS Tools, the authors discuss an attack's progression through these five steps, whether the attack is sourced from a person or an automated worm or script, with emphasis on the Probe and Penetrate phases, the stages that Snort monitors. 03/31/2005

Deploying a VPN with PKI by Scott Brumbaugh
Security and convenience often conflict with each other. It'd be nice to have access to your office network from anywhere, but you can't trust the Internet. Virtual private networks are one solution. Scott Brumbaugh explains how to deploy a VPN using OpenVPN and OpenSSL. 10/21/2004

Network Tool Development with hping3 by Federico Biancuzzi
Network security analysts sometimes need access to create and analyze raw packets. Salvatore Sanfilippo's hping is a tool that allows them to do just that. Federico Biancuzzi recently interviewed Salvatore on the project's design, implementation, and goals. 10/07/2004

Google Your Site For Security Vulnerabilities by Nitesh Dhanjani
The fact that Google indexes pages you might never have known were public is both good and bad. It's good when you're searching for specialized or esoteric information. It's bad when Google indexes potential security vulnerabilities on your site. Nitesh Dhanjani demonstrates how to use the Google API to help identify your inadvertently shared secrets. 10/07/2004

VPNs and Public Key Infrastructure by Scott Brumbaugh
Security and convenience often conflict with each other. It'd be nice to have access to your office network from anywhere, but you can't trust the Internet. Virtual private networks are one solution. How do they keep your data safe, though? Scott Brumbaugh explains the basics of Public Key Infrastructure, the cryptographic basis for secure VPNs. 09/23/2004

Open Source Security: Still a Myth by John Viega
Does the open source process guarantee better security than proprietary development methods do? Not necessarily, warns John Viega. There are several security challenges facing open source software that many developers have so far failed to recognize. 09/16/2004

What "Countermeasures" Really Means by Paco Nathan
As the number and range of attacks on computer systems have grown exponentially and conventional firewalls and intrusion detection systems have proven inadequate for the task, security researchers have started to talk about employing "countermeasures" to preserve security. 08/03/2004

Detecting Network Intrusions with Packet Filtering by Don Parker
An intrusion detection system (IDS) can scan your network for suspicious packets, but someone has to review the logs. Having previously shown how to construct packet filters, Don Parker demonstrates how to analyze an intrusion attempt, in order to gauge your network's security. 07/22/2004

Stealing the Network: A Prequel by Ryan Russell
Ryan Russell, one of the coauthors of Stealing the Network: How to Own a Continent (from Syngress), has written a "prequel" that depicts a '70s-era security hack, set at a tech company back East. If you've been curious about Stealing the Network, this short bit of fiction provides a real sense of the concept behind the book. And be sure to respond to the talkback at the end of this tale -- we'd like to hear your theory. 07/01/2004

Filtering IDS Packets by Don Parker
Intrusion detection systems (IDS) can scan your network for suspicious packets but someone has to review the logs. Even if you find something odd, can you wade through hundreds of thousands of packets looking for evidence? Clever security administrators understand how to narrow down the search. Don Parker explains how to use Berkeley packet filters and bitmask filters to improve your IDS use. 06/17/2004

Writing Nessus Plugins by Nitesh Dhanjani
Today's best vulnerability detector will be out-of-date next week unless you can somehow teach it about new exploits and vulnerabilities. Fortunately, Nessus and NASL make that easy. Nitesh Dhanjani walks through the creation of a custom Nessus vulnerability plugin. 06/03/2004

Top Ten Ethereal Tips and Tricks by Angela D. Orebaugh
Ethereal evangelist Angela Orebaugh offers her top ten list of Ethereal tips and tricks. From installing the packet capture driver to using Ethereal to process other sniffer capture files, these tips will have you saying, "Wow, I didn't know Ethereal could do that!" Angela is a coauthor of the recently released Ethereal Packet Sniffing (from Syngress). 05/20/2004

OpenBSD PF Developer Interview, Part 2 by Federico Biancuzzi
With the release of OpenBSD 3.5, users and administrators gear up for new features. Federico Biancuzzi interviewed six leading OpenBSD developers responsible for PF, the powerful packet filter, on new features and goals. This is the second half of the interview. 05/06/2004

Installing and Configuring Nessus by Nitesh Dhanjani
If you're connected to the global Internet, people are already scanning your network for vulnerabilities for free. They're probably not so good about informing you of their findings. Why not get a jump on the competition by analyzing your network yourself? Nitesh Dhanjani explains how to install and configure Nessus, an open source network vulnerability scanner. 04/22/2004

OpenBSD PF Developer Interview by Federico Biancuzzi
On the eve of OpenBSD's 3.5 release, users and administrators gear up for new features. Federico Biancuzzi interviewed six leading OpenBSD developers responsible for PF, the powerful packet filter, on new features and goals. 04/15/2004

Using Penetration Testing to Identify Management Issues
Bob Ayers wrote a thought-provoking foreword for Chris McNab's Network Security Assessment that details network attack and penetration techniques in line with U.K. (CESG CHECK) and U.S. (NSA IAM) government standards. Chris has slightly modified Bob's foreword for the book and presents it here in article form. 04/08/2004

Cookie Specification Vulnerabilities by Alexander Prohorenko
For years, privacy-minded people have distrusted cookies in web browsers. While recent advances have improved privacy concerns, the specification leaves room for easy attacks. Alexander Prohorenko explains the situation and tests several recent browsers. Is it time for a new cookie specification? 04/01/2004

Top Ten Tips to Make Attackers’ Lives Hell by Chris McNab
Chris McNab breaks down his top ten tips all network administrators should follow to protect their networks from opportunistic threats and make it hard for the more determined attackers to get anywhere. Chris is the author of the recently released Network Security Assessment. 03/25/2004

Symbiot on the Rules of Engagement by Andy Oram
Andy Oram talks to the chief officers of Symbiot Security about their controversial white paper, "The Rules of Engagement". 03/10/2004

Securing AirPort Extreme Networks with WPA by Wei-Meng Lee
With the release of Mac OS X 10.3 Panther, Apple also provided a firmware upgrade for the AirPort Extreme Base Station and AirPort Extreme clients, which support the WPA security standard. WPA is far more secure than WEP. Wei-Meng Lee shows you how to set it up. 12/18/2003

Introducing mod_security by Ivan Ristic
Every layer of security you can add is one more deterrent for the bad guys. Writing (or choosing) secure code is important, but it's not the only defense. Ivan Ristic, creator of mod_security, explains how this Apache module can turn back potential attacks before they reach your code. 11/26/2003

Problems Aplenty by Noel Davis
Noel Davis looks at problems in XFree86, Stunnel, Exim, wu-ftpd, pam_smb, gdm2, pam_ldap, whois, the atari800 emulator, Horde, MPlayer, and Node. 10/15/2003

PHP Security, Part 3 by John Coggeshall
A malicious user will likely start his attack by using your system in ways you never anticipated. Your system logs are an oft-neglected defense tool. John Coggeshall shows how PHP's error logging and reporting functions can help you secure your applications. 10/09/2003

Denial-of-Service Attacks by Noel Davis
Noel Davis looks at denial-of-service attacks against Apache, OpenSSL, and FreeBSD, and problems in Perl, lsh, Teapop, ProFTPD, TclHttpd, MPlayer, Node, mpg123, and Freesweep. 10/06/2003

Sendmail Trouble by Noel Davis
Noel Davis looks at problems in Sendmail, OpenSSH, Pine, saned, MySQL, gtkhtml, and Solstice AdminSuite. 09/22/2003

Inside Prelude, an Open Source IDS by KIVILCIM Hindistan
Keeping the bad guys out is important. Knowing whether, not if, they're in is even more important. Prelude, an open source IDS, takes a hybrid approach to security, collecting information from various sensors. KIVILCIM Hindistan talks to Yoann Vandoorselaere, Prelude's lead developer. 09/18/2003

Distributed Computing Sanity Checking by Howard Feldman
Distributed computing can be a little scary. Clients are running code on their computers and servers are trusting clients to send back valid data. However you're participating, how can you be secure? Howard Feldman suggests several techniques to evaluate the trustworthiness of a distributed computing project. 09/11/2003

FreeBSD Jails by Mike DeGraw-Bertsch
A common security breach involves exploiting one application to gain access to another. Keeping separate applications separate can limit the potential damage. Mike DeGraw-Bertsch explains how FreeBSD's jails can help secure necessary applications. 09/04/2003

PHP Security, Part 2 by John Coggeshall
If you have users, you'll undoubtedly have bad guys trying to break things. As a developer, it's your responsibility to make sure your code is secure. John Coggeshall explains how system calls from PHP can be exploited -- and how to make them secure. 08/28/2003

GNOME trouble by Noel Davis
Noel Davis looks at problems in BitKeeper, the GNOME Display Manager, rcpd, ViRobot Linux Server, OpenSLP, eMule, lMule, xMule, netris, and autorespond. 08/27/2003

PHP Security, Part 1 by John Coggeshall
If you have users, you'll undoubtedly have bad guys trying to break things. As a PHP developer, it's your responsibility to make sure your code is secure. John Coggeshall demonstrates one common PHP error that can leave you vulnerable, and he explains how to think like a bad guy to prevent these mistakes in the first place. 07/31/2003

Kernel Problems by Noel Davis
Noel Davis looks at problems in Linux 2.4 kernels, Apache, VMware, BRU, Oracle, fdclone, simi, wimi, phpMyAdmin, nfs-utils, mpg123, and phpGroupWare. 07/28/2003

USENIX 2003 by Dustin Puryear
USENIX's annual technical conference took place last month in Texas. Dustin Puryear was on the scene. What's surprising? Microsoft's presence, meeting the needs of Unix administrators. 07/17/2003

Unzipping Problems by Noel Davis
Noel Davis looks at problems in PHP, OpenLDAP, Xpdf, Adobe Acrobat Reader, Mozart, liece, OpenBSD's Packet Filter, unzip, ImageMagick, Ezbounce, semi, and wemi. 07/14/2003
