Archive for the 'Security' Category

OpenSQL Camp 2008 is coming!

October 9th, 2008 by epugh

There’s a free conference about open-source databases planned for November 14-16 at Cityspace (inspired by beCamp, which is a local BarCamp event I attended earlier this year). Free meals, good times. (We have sponsorship from Sun, Google and others. There are opportunities for local sponsorship, too :)

A lot of the most illustrious names in open-source databases will be here. This will definitely be a place you can meet people who know how to make databases sing and dance. For example Peter Zaitsev of mysqlperformanceblog.com fame will be here, as will the creator of SQLite and many more.

It would be great if you would

  1. spread the word — put badges on your sites, blog about it, tell friends to come
  2. help organize
  3. attend!

See http://opensqlcamp.org/

Grab badges from
http://www.xaprb.com/blog/2008/10/04/opensql-camp-badges-are-ready/

weeCamp: Web Application Security

September 25th, 2007 by Steve Stedman

beCamp was such a huge success that we’d like to see if we can get a little of that magic to rub off on some topic-focused mini-conferences. These one-day mini-conferences, let’s call them “weeCamp”, would zoom in on a broad topic of interest to beTechies and others keen on advancing their Web knowledge. As with beCamp, the participants of weeCamp will have plenty of opportunities to teach, learn, and share with their peers. The proposed format for such an event might go something like this.

Of course, since this is only a single day, business-hours event, we’re tossing out some of the mojo that made beCamp work so well. That’s right, no t-shirts, no beer, no jamming with Wendy and the Wii (not to mention Surfzilla!). But we also don’t have to pan-handle for sponsors either. Perhaps it’s a workable tradeoff. Let’s see.

Web Application Security

Marty Peterman and the ITC Security Department have volunteered their support for the first weeCamp event. On October 8, 2007, spend a day with your peers on the topic of Web Application Security. Our “keynote speaker” will be none other than Dan Goldberg—founder of MADJiC Consulting, the technical director of Global Information Assurance Certification (GIAC), and an incident handler for the Internet Storm Center. We’re ecstatic to have Marty and Dan on-board and to have such an engaging, crucial topic to kick-off our first weeCamp.

weeCamp: Web Application Security

  • Monday, October 8
  • 8:00AM-6:00PM
  • Newcomb Hall South Room

Stop Form Spam with reCAPTCHA

June 28th, 2007 by Steve Stedman

Tired of form spam? Doug Chestnut recommends reCAPTCHA—a free and very intriguing CAPTCHA service from Carnegie Mellon University. It’s one of those projects that seems so simple in hindsight that it’s a wonder no one ever thought of it before.

ReCAPTCHA serves up an accessible, secure means for ensuring that your comment forms, email forms, etc. are being submitted by an actual human being and not some clever spam bot. What’s more, by completing the CAPTCHA phrases, your users are actually helping Carnegie Mellon digitize its book collection (the phrases contain text that is unreadable by the OCR computer programs). Brilliant!

More Info from reCAPTCHA Site

  • It’s Free! Yep, reCAPTCHA is free. The only reason we would charge is if you are a large corporation that uses a lot of our bandwidth, or if you require special services from us.
  • It’s Useful. Why waste the effort of your users? By using reCAPTCHA instead of other CAPTCHA implementations, you are helping to digitize books.
  • It’s Easy. reCAPTCHA is a Web service. As such, adopting it is as simple as adding 4 lines of code on your site. For many applications and programming languages such as Wordpress and PHP we also have easy-to-install plugins available. We generate and check the distorted images, so you don’t need to run costly image generation programs.
  • It’s Accessible. Most other implementations of CAPTCHAs block visually impaired individuals, who cannot read images of distorted text. reCAPTCHA, on the other hand, has an audio test that allows blind people to freely navigate your site.
  • It’s Secure. reCAPTCHA is run by the original creators of CAPTCHA and has the highest security standards. Many other implementations of CAPTCHAs can be easily broken.

Web Server Stories Follow-up

June 22nd, 2007 by Steve Stedman

One of the biggest beTech audiences to date showed up to hear ITC Unix Group’s Hamp Carruth and Steve Losen share their University Web server war stories. It was a fun session chock full of entertaining ‘misguided user stories’ and tips for making Web sites more secure. Now, thanks to Scott Crittenden’s deft audio engineering, you can relive this magical moment in glorious MP3 stereo (44MB).

And for those that want to follow along, here are some of the links mentioned:

A mighty big thanks goes out to Hamp and Steve for sharing their time with us. If there’s interest, perhaps we can have them come out to chat about their services on an annual or bi-annual basis. Whaddya think?

beTech Presents: UVa Web Server Stories

June 18th, 2007 by Steve Stedman

This Wednesday, June 20, Hamp Carruth and his posse will host a rather informal, open session on the wide-ranging topic of the University’s Web servers. Come on out and hear from the Sage of Servers (official title: Computer Systems Chief Engineer) how the UVa Web server service blossomed into what it is today and how that growth guided some of the idiosyncrasies we experience. Furthermore, find out what the future of ITC’s Web services holds for the average users and all you advanced developers out there.

Hamp and his colleagues will also impart their knowledge and experience on SUPHP (and share how it can make your PHP applications more secure), MyGroups, NetBadge, and much, much more. If you have questions about the nature of the University’s Web server environment, this is the session you need to attend!

UVa Web Server Stories: from the Trenches

  • Wednesday, June 20
  • 2:00pm-3:30pm
  • Newcomb Hall Room 389

Beware of Cross-Site Scripting (XSS)

September 25th, 2006 by Steve Stedman

Soon after posting an article about the rise of hacker Cross-site Scripting (XSS) attacks, online security magazine Dark Reading was alerted to XSS vulnerabilities on its own site. The holes were quickly plugged and a valuable lesson was learned: don’t assume you’re safe, trust no one, and validate everything.

What may be even spookier for much of the beTech audience is that .edu sites may be particularly juicy XSS targets for hackers (according to Jaimie Sirovich, search engine marketing guru). And with a recent Mitre report placing XSS at the top of the list of Common Vulnerabilities and Exposures (CVE) and plenty of additional resources for the mischievous popping up every day, you can be sure your site security skills will be put to the test for some time to come.

So what the heck is this XSS stuff? SecurityDocs defines XSS thus:

…an XSS attack is when an attacker manages to inject JavaScript code or sometimes other code… into a website causing it to execute the code.

What harm could this cause? Well, if an attacker made a specially crafted link and sent it to an unsuspecting victim, and that victim clicked the link, a piece of JavaScript code could be executed which would send the victim’s cookie away to a CGI script; obviously the attack could do some serious damage. When an attacker creates a malicious link he/she will usually encode the JavaScript code in HEX or some kind of encoding in order to try and hide the malicious code.

Websites that are vulnerable to XSS attacks are running some sort of dynamic content. Dynamic content is anything that changes due to user interaction or information stored in a database about a user; things such as forums, web-based email, and places where information is submitted are vulnerable to XSS attacks.

As you can see, the user and the host are at risk. Aside from stealing client cookies and login information, XSS can be used to locate and potentially take advantage of vulnerabilities in unprotected web sites. As a web developer, you should be concerned with both scenarios. Your site and your data may be your primary concern, but securing your user’s login and other sensitive information is of paramount importance if you wish to maintain their trust.

What can you do? As a developer, you trust no one and validate all incoming data—especially HTML text coming in on links. As a user, you try to manage JavaScript’s XSS weaknesses with tools like the NoScript extension for Firefox or Stanford’s SafeCache (another Firefox extension). The bottom line for both sides of the server is that XSS is on the rise, so trust no one and keep an eye on those links.
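To make the “validate everything” advice concrete, here is an added example (not code from this post or from the SecurityDocs text it quotes): a hypothetical “search” page in plain Node.js that echoes a `q` parameter back into HTML, shown first as the reflected-XSS bug and then hardened with output encoding. The page, the parameter name and the sample query strings are all constructed for the illustration. It also shows why the hex-encoded links mentioned above do not help an attacker against a server that escapes the decoded value, plus a small check a site could use to flag markup arriving where plain text was expected.

```javascript
// Added example, not code from the beTech post or SecurityDocs.
// Hypothetical "search" page: the q parameter is reflected into HTML.

// Encode the characters that let untrusted text break out of an HTML
// text node or a double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The query string is URL-decoded before the application sees it, so a
// hex-encoded payload in a crafted link is not hidden from the server:
// %3C arrives as '<'. Escaping must therefore happen on the decoded value.
function getSearchTerm(queryString) {
  return new URLSearchParams(queryString).get('q') || '';
}

// Vulnerable: the decoded parameter is copied straight into the page,
// so any markup in it becomes part of the document.
function renderVulnerable(queryString) {
  const q = getSearchTerm(queryString);
  return `<p>Results for: ${q}</p>`;
}

// Hardened: every untrusted value is escaped at the point it is written
// into HTML (output encoding), whatever route it took to get here.
function renderSafe(queryString) {
  const q = getSearchTerm(queryString);
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Detection aid for request logs: flag a decoded parameter that carries
// a tag or a script URL where plain search text was expected.
function looksLikeMarkup(queryString) {
  const q = getSearchTerm(queryString);
  return /<[a-z!\/]/i.test(q) || /javascript:/i.test(q);
}

// Constructed sample inputs: a hex-encoded script payload of the kind the
// quoted text describes, and an ordinary search containing an ampersand.
const CRAFTED = 'q=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
const BENIGN = 'q=web+server+%26+php';

console.log(renderVulnerable(CRAFTED)); // the script tag lands in the page
console.log(renderSafe(CRAFTED));       // shown to the user as literal text
console.log(renderSafe(BENIGN));        // '&' encoded, text otherwise intact
console.log(looksLikeMarkup(CRAFTED), looksLikeMarkup(BENIGN));
```

The escaping belongs at the output, not only at the input: the same value may be stored, passed around and rendered in several places, and it is the HTML context at the moment of writing that decides which characters are dangerous. The `looksLikeMarkup` check is a logging aid for spotting probes, not a substitute for `escapeHtml`.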

Additional information:
