
Thread: IT Geek Speak ... IT Professionals and the like

  1. #1381
    RiderCoach 8000 Posts! WoodstockJeff's Avatar
    Join Date
    Jan 2007
    Location
    Woodstock, IL
    Posts
    8,517
    Blog Entries
    1
    Quote Originally Posted by Sxy Rdr View Post
    If only this guy actually did work.... and apparently I'm not the only one who has noticed this issue.
    Oh, so you're now Wally's PHB?

    http://dilbert.com/strip/2017-12-03
    Jeff

    "The future is so much easier to predict when you have a handle on how you arrived at now.... Works with traffic just as well as the rest of life. "

    "Warning! Use of this ingredient in ways not listed on the package is called 'cooking'. Do so at your own risk!"

    '13 XT250
    '10 ZG-1400 (operational again)

  2. #1382
    RiderCoach 5000 Posts!
    Join Date
    Jul 2012
    Location
    Bealeton, VA
    Posts
    5,227
    Quote Originally Posted by WoodstockJeff View Post
    Oh, so you're now Wally's PHB?

    http://dilbert.com/strip/2017-12-03
    And how funny... we have a team building event tomorrow afternoon....

  3. #1383
    RiderCoach 8000 Posts! WoodstockJeff's Avatar
    Join Date
    Jan 2007
    Location
    Woodstock, IL
    Posts
    8,517
    Blog Entries
    1
    In April, we had a penetration test done on one of our sites. It revealed that we had not put in server-side support for blocking browser (and user) vulnerabilities, so we made a few changes, and requested the site be rescanned in early May. No scan took place (we KNOW when a scan is happening!).

    After many months, we get a message complaining that the site hasn't had its required PenTest within the required testing window. "Well, we gave you permission to test whenever, and even set up a date for you to do it, and you didn't. Why didn't you?"

    A PenTest was quickly scheduled.

    After a large number of tests, we get back a report, listing 5 programs as being vulnerable to "Click Jacking" (CJ), and a high vulnerability score because of that, and one program that did not use Cross Site Request Forgery (CSRF) tokens. The 5 CJ programs were simple HTML pages with links to the client's site and a literal "blank page" that is a placeholder for a frame that gets filled in with an entry program when the user selects their options. They're vulnerable because they don't ask the browser to enforce "same origin", even though they can't DO anything useful. So we fixed that.

    The other (CSRF tokens) was done months ago.

    "Tester didn't find any tokens."
    "Do you see a POST variable named [name of token]?"
    "Yes."
    "That's the token. If you check, it's unique to each potential page request, and it isn't valid for more than one request."
    "You can't name CSRF tokens anything but CSRFToken."
    "We thought the idea was to USE the tokens, not advertise which variable was the token."
    "If it isn't named CSRFToken, it's not a CSRF token!"

    Sigh... Fortunately, doing the stupid thing is only one variable change. Our original design was that the token name could change randomly, so it was more difficult to try to forge the anti-forgery token, but apparently the stupidity of the PenTest software wins out.

    "We're running the test a second time, because the first time it aborted prematurely due to navigation problems."
    "Well, if it fooled around with the CSRF token value, the user session is destroyed, logging the user out immediately, which would put a kink in page navigation that relies upon being logged in...."
    "But CSRF problems shouldn't log you out!"
    "That isn't what your department said was the best action when we had a conference call on this back in May..."

    Good thing I'm out of town for the next three days...
    Jeff


  4. #1384
    RiderCoach 8000 Posts! WoodstockJeff's Avatar
    Join Date
    Jan 2007
    Location
    Woodstock, IL
    Posts
    8,517
    Blog Entries
    1
    Gee, I wonder how "Wally" did on the team building exercise....

    Got the "full report" on the PenTest back. 80% of the points were for things that were mitigated WHILE the second test was running (the five programs that could be "click jacked"), but most of the rest are tied to our "unconventional" CSRF token name.

    One program was listed as causing the server to stop responding when they mucked around with the "CSRF token that isn't named CSRFToken", when in reality it simply logged them out rather forcefully, and refuses to talk to the origin IP for 120 seconds after doing so. This definitely qualifies as "not responding to prevent flood attacks", but not "server crashed by input values". But the testing program doesn't care about WHY, just WHAT.

    One program was flagged for being vulnerable to multiple injection attacks. Again. It's a program that is required by federal regulations to faithfully record notes made by the client as part of their compliance. So, any value sent must be displayed... so long as the request is made from the original source and all parameters agree that it was authorized. And it does exactly that, although the "note" is "locked" from further editing.

    So, what happens if you inject the same value in different forms? Well, the system rejects them... but then displays the first properly-inserted note... "AHA! A vulnerability!!!! Must record this!!!!!"

    I spent a number of hours in April debugging this "vulnerability", only to find that the code WASN'T vulnerable, the tester was stupid. I question the intelligence of a company that sells such a stupid tool for large amounts of money. Or maybe I should question the ethics of such a company, when the SECURITY TOOL has the same problem over 6 months after it was reported to them. They say they're quick to pick up on the latest web security issues, and developing tests to detect them.... Guess figuring out how to avoid FALSE POSITIVES isn't part of their repertoire...
    Jeff

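    As an added illustration of the design Jeff describes in #1383 and #1384 (this is not code from the thread or from his site): a CSRF token that is unique per page request, carried under a randomised field name rather than a fixed "CSRFToken", consumed on first use, with a tampered or replayed value destroying the session and the origin IP being refused for 120 seconds, plus the same-origin framing headers applied to the five placeholder pages. The field-name prefix, the status strings and the in-memory stores are assumptions of this example.

```python
import secrets
import time

TOKEN_NAME_PREFIX = "f_"   # assumption: the token's form-field name is randomised per page
BLOCK_SECONDS = 120        # the post's 120-second refusal to talk to the offending IP


def frame_protection_headers():
    """Response headers that ask the browser to enforce same-origin framing,
    the fix applied to the five 'click-jackable' placeholder pages."""
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'"}


class CsrfGuard:
    """Single-use CSRF tokens carried under a random parameter name (constructed example)."""

    def __init__(self):
        self.sessions = {}   # session_id -> {"param": field name, "token": value or None}
        self.blocked = {}    # client_ip -> epoch time until which requests are refused

    def login(self, session_id):
        self.sessions[session_id] = {"param": None, "token": None}

    def issue(self, session_id):
        """Render time: mint a fresh field name and token for exactly one page request."""
        state = self.sessions[session_id]
        state["param"] = TOKEN_NAME_PREFIX + secrets.token_hex(4)
        state["token"] = secrets.token_urlsafe(32)
        return state["param"], state["token"]

    def verify(self, session_id, client_ip, form, now=None):
        """Submit time: 'ok' consumes the token; any mismatch (tampered, replayed or
        missing) destroys the session and blocks the IP for BLOCK_SECONDS."""
        now = time.time() if now is None else now
        if self.blocked.get(client_ip, 0) > now:
            return "blocked"
        state = self.sessions.get(session_id)
        if state is None:
            return "no-session"
        presented = form.get(state["param"]) if state["param"] else None
        expected = state["token"]
        if presented is not None and expected is not None \
                and secrets.compare_digest(presented.encode(), expected.encode()):
            state["token"] = None        # consumed: the same value cannot be replayed
            return "ok"
        del self.sessions[session_id]     # forceful logout, as the post describes
        self.blocked[client_ip] = now + BLOCK_SECONDS
        return "logged-out"
```

A scanner that only looks for a field literally named CSRFToken will report "no token found" against this design even though every state-changing request is protected; the block-before-session-lookup order is what made the test tool see the server as "not responding".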

  5. #1385
    Flirting With The Redline 8000 Posts! Trials's Avatar
    Join Date
    Apr 2011
    Location
    Ontario
    Posts
    8,213
    You're going to love retirement

  6. #1386
    RiderCoach 8000 Posts! WoodstockJeff's Avatar
    Join Date
    Jan 2007
    Location
    Woodstock, IL
    Posts
    8,517
    Blog Entries
    1
    If I keep to my current schedule, I'm still about 50 years away from retirement.
    Jeff


  7. #1387
    I am not a computer geek, but my husband is. He told me a computer geek joke about UDP, which I would tell to you, but you probably wouldn't get it.

    Lori
    RiderCoach since 2010
    I think I've finally figured out what I want to be if I ever decide to grow up.

    '15 green Kawasaki NINJA 1000 ABS ("Sheldon 2")
    '10 Honda NT700V ("The DomiNaTor")--SOLD
    '08 green Kawasaki NINJA 250 ("Sheldon")--SOLD
    '05 Honda Shadow Aero VT750C-SOLD
    FUMAS: Harley-Davidson Rocker C
    ATGATT: Because the laws of physics could care less.

    Someday I hope to become the rider that my bike deserves.

    All the worry in the world doesn't prevent death. It prevents life.

  8. #1388
    RiderCoach 8000 Posts! WoodstockJeff's Avatar
    Join Date
    Jan 2007
    Location
    Woodstock, IL
    Posts
    8,517
    Blog Entries
    1
    Yeah, you would need TCP to make sure I got it.
    Jeff


  9. #1389
    RiderCoach 8000 Posts! WoodstockJeff's Avatar
    Join Date
    Jan 2007
    Location
    Woodstock, IL
    Posts
    8,517
    Blog Entries
    1
    Today, much stupidity accompanied the snow.

    "We need you to include a bar code on the first page of the PDF you send, so we can scan it into our paperless office system."
    "To do that, you need to print the PDF on paper, and run it through the scanner, whereas we could simply include the information that would go into the bar code in the file name of the PDF, so it would never need to be printed."
    "So, how much to include the bar code?"

    And the security people finally got around to doing the follow-up penetration test that they should have done after Christmas. As expected, it was pretty much clean... Except for 3 cases where their test tried to inject values that, while ignored by our system, got back a valid page, rather than getting an error.

    Uh, the request was still valid after the invalid variables were discarded, so what's the problem? Again, stupid test program.

    Ah, but that's next week...
    Jeff

