Tired of constantly logging into your applications? Don't you wish they would just remember you each time you visit, logging you right in? It isn't as always easy to achieve such a status. There are multiple ways remember me can be implemented. Lets take a look at some of them. Remember UserName One of the most common ways for a site to implement the remember me functionality is to remember the username only. The username is typically stored in a cookie on the client's computer. … [Read more...] about Remember Me Features
security
Introducing our Slack channel
It is a new year and time for some new ways for all of us to communicate. We appreciate all that have read the posts and listened to the podcast. Both of these will continue to move forward in 2017 with some new material on the way. We are happy to announce we have started a Slack channel. You can find it at developsec.slack.com. The blog and podcasts have been great in providing information in a read-only manner. Slack is an opportunity to open up more conversation and create more … [Read more...] about Introducing our Slack channel
MongoDBs under attack from ransomware
In recent news, it was identified that MongoDB databases are being exposed on the internet and infected with ransomeware. In a little under a week, the infection count went from 200 to 10,000. That is a quick ramp up. In this case, misconfigurations may bind the database port to the public interface, while also allowing anonymous access. This combination can be devastating. Doing a quick search on Shodan you may find there are thousands of misconfigured MondoDB servers exposed on the … [Read more...] about MongoDBs under attack from ransomware
The 1 thing you need to know about the Daily Motion hack
It was just released that Daily Motion suffered a hack attack resulting in a large number of usernames and email addresses being released. Rather than focusing on the number of records received (the wow factor), I want to highlight what most places are just glancing over: Password Storage. According to the report, only a small portion of the accounts had a password associated with it. That is in the millions, and you might be thinking this is bad. It is actually the highlight of the story. … [Read more...] about The 1 thing you need to know about the Daily Motion hack
SSL Labs and HSTS
Qualys recently posted about some grading changes coming to SSL Labs in 2017. If you are not aware of SSL Labs, it is a service to check your SSL/TLS implementation for your web applications to determine how secure they are. While there were more changes listed, you can read about them in the link above, I wanted to focus on the one regarding HTTP Strict Transport Security (HSTS). If you haven't heard of HSTS, or want a quick refresher, you can check out this post: HTTP Strict Transport … [Read more...] about SSL Labs and HSTS
Insulin Pump Vulnerability – Take-aways
It was recently announced that there were a few vulnerabilities found with some insulin pumps that could allow a remote attacker to cause the pump to distribute more insulin than expected. There is a great write up of the situation here. When I say remote attack, keep in mind that in this scenario, it is someone that is within close proximity to the device. This is not an attack that can be performed via the Internet. This situation creates an excellent learning opportunity for anyone that … [Read more...] about Insulin Pump Vulnerability – Take-aways