Welcome to SecurityDocs

A collection of 7,815 IT security white papers, carefully curated by professionals like yourself

How Critical Security Controls Can Help Signaling System No. 7 (SS7)

by Hassan Mourad Oct. 4, 2017

For decades, the security of one of the fundamental protocols in telecommunications networks, Signaling System No. 7 (SS7), has been solely based on the mutual trust between the interconnecting operators. Operators relied on their trust in other operators to play by the rules, and the SS7 network has been regarded as a closed trusted network. This notion of trust and security has recently changed after several security researchers announced major vulnerabilities in the SS7 protocol that threa...

Is Blockchain Really Safe?

by Saman Abbad Oct. 11, 2017

The blockchain is one of the most innovative technical innovation of current times used for cryptocurrencies like Bitcoin, since it stands as proof of all the transactions on the network. A block is the current part of a block chain which records some or all of the recent transactions, and once completed goes into the block chain as permanent database. A block chain is a public record of all bitcoin transactions that have ever been performed. A block is the current part of a block chain which...

How to disable Wi-Fi Sense on Windows 10

Oct. 8, 2017 via Hacking Tutorials

Windows 10 has a new feature called Wi-Fi Sense that will share your Wifi password automatically with your contacts (Outlook, Skype and Facebook). This way your friends and family do not have to manually enter a password to use your wireless network. If you chose the Express installation of Windows 10, the Wi-Fi Sense feature is turned on by default. Assuming you do not want to share your wireless network with every Outlook, Skype and Facebook contacts, it is suggested to turn off Wi-Fi Sense...

Web Vulnerabilities Explained eBook - InfoSec Resources

by Ivan Dimov Oct. 7, 2017 via INFOSEC Institute

This book will be useful to anyone engaged in, or studying, web development or/and penetration testing as well as those interested in information security and in web security, in particular. A wide array of vulnerabilities are discussed including code injections, XSS, Clickjacking, CSRF, DoS, Content Spoofing, Information Leakage along with many other flaws related to various parts of web applications – such as authentication flaws. Each chapter discusses a particular vulnerability and most ...

Java Security Guide - InfoSec Resources

by Rorot Oct. 7, 2017 via INFOSEC Institute

Java as a framework comes with certain inherent features that ensure the safety of deployed applications. However vulnerabilities in web applications still arise as a result of unintentional and bad coding practices. This course sheds light on some of the security issues and how they can be handled with respect to Java. In particular, the below concepts are explained in this course with reference to Java framework:

Developing Secure Java Code - Best Practices for a Team - InfoSec Resources

by Prateek Gianchandani Oct. 7, 2017 via INFOSEC Institute

The following whitepaper shall introduce to us the basic practices to be followed to write secure Java code. The following topics are touched on- general coding practices, input validation, output encoding, authentication and password management, session management, access control, cryptographic practices and error handling & logging. You will also learn how to prevent code injection via real world examples.

Top .NET Secure Coding Practices for a Team - InfoSec Resources

by Irfan Shakeel Oct. 7, 2017 via INFOSEC Institute

Developing a software and web application is not a one man (developer) job; there is a team behind the success and failure of any product (software/application). This whitepaper dives deep into the best practices associated with .NET secure coding in a team environment. You will leave with a better understanding of exception management, data access, communication & encryption management, general guidelines and more!

Top PHP Secure Coding Practices for a Team - InfoSec Resources

by Prateek Gianchandani Oct. 7, 2017 via INFOSEC Institute

This whitepaper will discuss basic PHP secure coding practices that should be followed when working in a team environment. In this paper you will learn how to write code that is protected from the most common types of attacks including file uploads, SQL injection, XSS, CSRF and other injection attacks. Best practices for session management, error handling, proper password protection and protection against remote code execution are also covered in detail.

Testing Hooks via the Windows Debugger – An Introduction to RevEngX

by Andrew Sandoval Oct. 7, 2017 via INFOSEC Institute

RevEngX is a freely available extension for the Debugging Tools for Windows. It offers several new commands to simplify the work of reverse engineering, code injection, hooking and other types of instrumentation that are useful when analyzing 3rd party software, malware, or developing commercial Windows applications that utilize code injection and hooking. This article will demonstrate how one might produce and test a hook on-the-fly using the debugger alone. In practice, it would be easier t...

Drunk Admin Web Hacking Challenge

by Warlock Oct. 7, 2017 via INFOSEC Institute

This challenge includes a web application generally designed for image hosting. The application has a few vulnerabilities. The challenge is to exploit the application’s vulnerability and find the hidden message for a date arrangement that Bob sent to Alice. Host the virtual machine and let’s start by identifying the target IP. We will run an Nmap ping scan for detecting all live hosts. As can be seen in above figure, nmap detected three hosts: The IP 192.168.0.1 is my router, the IP 192.168...

Executable Code Injection

by D12d0x34X Oct. 7, 2017 via INFOSEC Institute

Code injection is a process of injecting executable code in a running process or static executable. Executable code in web applications can be injected by exploiting them with XSS (cross site scripting), LFI (local file inclusion), or remote file inclusion vulnerabilities (RFI). On the other hand, code can be injected in an executable using the following methods: 1: Code injection using CreateRemoteThread API. 2: PE file infection. Code injection is mainly used when we exploit a vulnerabil...

What's new in SQL Server 2016

Oct. 6, 2017 via ADMIN Magazine

A fairly stable Community Technology Preview version 2.2 of SQL Server 2016 has been available since July 2015. With the newest release, Microsoft wants to optimize the features that have already been on board since SQL Server 2014. Microsoft places great emphasis on providing databases quickly and efficiently for analysis. This includes in-memory data processing. In this process, SQL Server stores frequently used tables directly in the working memory to provide faster access. It should also ...

Keeping Docker containers safe

Oct. 6, 2017 via ADMIN Magazine

Few debate that the destiny of a hosting infrastructure is running applications across multiple containers. Containers are a genuinely fantastic, highly performant technology ideal for deploying software updates to applications. Whether you're working in an enterprise with a number of critical microservices, tightly coupled with a pipeline that continuously deploys your latest software, or you're running a single LEMP (Linux, Nginx, MySQL, PHP) website that sometimes needs to scale up for bus...

Making Jenkins CI Systems More Secure

by Allen Jeng Oct. 4, 2017

With over 100,000 active installations worldwide, Jenkins became the top choice for continuous integration and automation. A survey conducted by Cloudbees during the 2012 Jenkins Users Conference concluded that 83% of the respondents consider Jenkins to be mission critical. The November 2015 remotely exploitable Java deserialization vulnerability stresses the need to lock down and monitor Jenkins systems. Exploitation of this weakness enables hackers to gain access to critical assets such as ...

Using Static Analysis to Harden Open Source Intrusion Detection Systems (IDS)

by Jeff Sass Oct. 3, 2017

When deploying an open source Intrusion Detection System (IDS) into a network, it is critical to harden it against attackers. An IDS is designed to detect attacks instead of inadvertently enabling them. One approach to assist in this effort is to use static code analysis on the source code of the IDS. This paper details how to use Coverity’s static analysis tools on the Security Onion distribution to find security vulnerabilities. A look at Coverity’s security code checkers, with a focus towa...

Crawling Ajax-driven Web 2.0 Applications

by Shreeraj Shah Oct. 1, 2017 via Infosecwriters

Crawling web applications is one of the key phases of automated web application scanning. The objective of crawling is to collect all possible resources from the server in order to automate vulnerability detection on each of these resources. A resource that is overlooked during this discovery phase can mean a failure to detect some vulnerabilities. The introduction of Ajax throws up new challenges [1] for the crawling engine. New ways of handling the crawling process are required as a result ...

Are smart appliances safe?

by A. Michele Parrish Oct. 1, 2017 via Infosecwriters

More and more homes are getting smart appliances. They have refrigerators, toilets, garage doors, thermostats and other appliances that are connected to the Internet and can be controlled from anywhere. The problem is can they also be controlled by anyone or just the homeowners? With the proliferation of smart appliances are homeowners exposing their homes and therefore their private lives to outsiders without knowing it? In this paper I explain what are smart appliances and how and why the m...

Cisco Identity Services Engine

by Harrison Christopher Forest Oct. 1, 2017 via Infosecwriters

An ever-present concern in today’s information systems is network security and data integrity. It is essential for enterprises globally to maintain a strict network policy to ensure that data breaches are mitigated by all means possible. Businesses must strive to adhere to global security standards and constantly maintain a network that protects the company itself, the data within and most importantly the client information. Large data breaches have been occurring globally in recent times ...

Technologies for Securing Healthcare Computer Networks

by Ming-Li Tabor Oct. 1, 2017 via Infosecwriters

One celebrity’s photos were posted online. She uploaded her pictures to Apple iCloud. Therefore, her conclusion was that Apple iCloud was breached. Apple Company claimed their system was not breached. In the health care area, medical records are not the only data in the file. Patients use credit cards to pay bills. A patient can be like the celebrity and lose information, such as credit card numbers, social security number, or medical records. Patients could lose private information in a heal...

Comparison of SNMP: Versions 1, 2 and 3

by Eddie Bibbs, Brandon Matt, and Xin Tang Oct. 1, 2017 via Infosecwriters

During its development history, the communities of researchers, developers, implementers and users of the DARPA/DoD TCP/IP protocol suite have experimented with a wide range of protocols in a variety of different networking environments. The Internet has grown, especially in the last few years, as a result of the widespread availability of software and hardware supporting this system. The scaling of the size and scope of the Internet and increased use of its technology in commercial applicati...

Subscribe

We'll send you a carefully curated list of the best IT security white papers to your mailbox every Friday.