online information Computer security community for internet safety and trusted networks - news & articles for windows & other operating systems securiour.com first NEWS breaking in intrusion prevention and security risk management, proactively secures systems, and networks, worldwide

03Sep Google chrome browser is pretty simple

The Google Chrome browser is pretty simple. Once you start it, you’re presented with a fresh white page that’s pretty much bare of borders and most of the common buttons that you would see on a traditional browser. Security code works behind the application and tries to block malware from executing and interacting with the main operating system. This “sandbox” feature gives all browser processes just enough privilege to run inside of Chrome, and Google hopes it will stop the majority of hacker attacks.

Sandboxing applications isn’t anything new, and most people have heard of Java applications running in a sandbox. Users don’t bother about programming; they are concerned with how the application is used and its authentication. Using a vulnerability that was shown off at this year’s Black Hat security conference, Aviv Raff has developed proof-of-concept code that forces Chrome to open up applications on the desktop. You can run the code at this link, but don’t worry, it doesn’t do anything too horrible: it just pops up a Notepad window.

But before you shout OMG vulnerability!, notice what you had to do to get that window to open.  First you had to be tricked into browsing to the website (ok not really that hard to do) and then you had to click the download button in the bottom-left corner that shows an executable .JAR icon.  Hmmmm…. Not exactly a huge vulnerability for security conscious users, but perhaps a minor annoyance to regular folks – just hope the hacker doesn’t run anything more serious than Notepad.

The Chrome browser has some great security features that far eclipse any “vulnerability” discovered so far. New browser tabs inside of Chrome run independently of the others, and if one tab crashes it doesn’t take the rest of the browser with it. There’s also an incognito mode that lets you browse web pages without caching any information.

So don’t worry and give Chrome a try. Yeah, the browser is beta and yes, there may be some undiscovered security vulnerabilities, but really, can you say anything different about Firefox and Internet Explorer?

One cannot say that Chrome is foolproof, but the concept behind its development is simple and aimed at stopping hacking. Let’s see how hackers discover the loopholes in this application, which is specially designed to deal with hackers.


03Sep Who is using Ajax

Google is making a huge investment in developing the Ajax approach. All of the major products Google has introduced over the last year — Orkut, Gmail, the latest beta version of Google Groups, Google Suggest, and Google Maps — are Ajax applications. (For more on the technical nuts and bolts of these Ajax implementations, check out these excellent analyses of Gmail, Google Suggest, and Google Maps.) Others are following suit: many of the features that people love in Flickr depend on Ajax, and Amazon’s A9.com search engine applies similar techniques.

These projects demonstrate that Ajax is not only technically sound, but also practical for real-world applications. This isn’t another technology that only works in a laboratory. And Ajax applications can be any size, from the very simple, single-function Google Suggest to the very complex and sophisticated Google Maps.

At Adaptive Path, we’ve been doing our own work with Ajax over the last several months, and we’re realizing we’ve only scratched the surface of the rich interaction and responsiveness that Ajax applications can provide. Ajax is an important development for Web applications, and its importance is only going to grow. And because there are so many developers out there who already know how to use these technologies, we expect to see many more organizations following Google’s lead in reaping the competitive advantage Ajax provides.


03Sep Ajax is a method by which developers bring end users closer

Ajax is a method by which developers bring end users closer to interfaces being exposed by Service Oriented Architectures. The push to create loosely coupled service-based architectures is a promising idea with many benefits in enterprise environments. As more of these service-based “endpoints” become developed, and as Ajax introduces the ability to push more sophisticated processing to the end user, the possibility of moving away from the standard three-tier model arises.

Typically, many web services within an enterprise (as opposed to on the Internet overall) were designed for B2B, and therefore designers and developers often did not expect interaction with actual users. This lack of foresight led to some bad security assumptions during design. For example, the initial designers may have assumed that authentication, authorization and input validation would be performed by other middle-tier systems. Once one allows “outsiders” to directly call these services through the use of Ajax, an unexpected agent is introduced into the picture. A real-life example of such usage is the consistent pitch from Microsoft to use Atlas hand-in-hand with web services. Developers can now write JavaScript to create XML input and call the web service right from within the client’s browser. In the past this was achieved through service proxies at the server.
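
The design assumption described above, shown as a service handler that trusts a middle tier beside one that performs the checks itself. This is an added example, not code from the original article; the session store, account data, header name and function names are all constructed for illustration.

```javascript
// Constructed sample data standing in for a session store and a back end.
const SESSIONS = new Map([["tok-alice", "alice"], ["tok-bob", "bob"]]);
const ACCOUNT_OWNER = new Map([["1001", "alice"], ["1002", "bob"]]);
const BALANCES = new Map([["1001", 250], ["1002", 90]]);

// "Before": written for B2B callers. It assumes a middle tier has already
// authenticated the caller, authorized the request and validated the input,
// so it does none of these itself.
function getBalanceTrusting(req) {
  return { status: 200, body: { balance: BALANCES.get(req.params.account) } };
}

// "After": the service enforces all three checks on every call, because a
// script running in any browser can now reach it directly.
function getBalanceHardened(req) {
  // 1. Authentication: who is calling?
  const user = SESSIONS.get(req.headers["x-session-token"]);
  if (!user) {
    return { status: 401, body: { error: "not authenticated" } };
  }

  // 2. Input validation: accept only the exact shape an account id has.
  const account = req.params.account;
  if (typeof account !== "string" || !/^[0-9]{4}$/.test(account)) {
    return { status: 400, body: { error: "invalid account id" } };
  }

  // 3. Authorization: may this caller read this account?
  //    Unknown accounts get the same answer as accounts owned by someone
  //    else, so the reply does not reveal which ids exist.
  if (ACCOUNT_OWNER.get(account) !== user) {
    return { status: 403, body: { error: "not authorized" } };
  }

  return { status: 200, body: { balance: BALANCES.get(account) } };
}

// A direct browser call with no session, asking for someone else's account.
const directCall = { headers: {}, params: { account: "1002" } };
console.log(getBalanceTrusting(directCall).status); // data is returned
console.log(getBalanceHardened(directCall).status); // rejected
```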


24Aug Google gadgets are being used for hacking

Hackers turned computer security specialists accuse Google of setting users up for online disasters by letting them personalize home pages with applications that could be tainted.

Software that hackers can trick people into installing on “iGoogle” home pages can track users’ activities and control their machines, SecTheory chief executive Robert Hansen showed AFP on Friday.

“I could force you to download child porn or send subversive material to China,” Hansen said. “The exploitation is almost limitless. Google has to fix it.”

Google lets people customize iGoogle home pages with mini-software programs called “gadgets” such as to-do lists, news feeds, currency converters, and calendars.

Hackers can program malicious code into proffered gadgets or break into systems hosted by engineers providing legitimate mini-programs.

“It turns out a lot of people who develop these things aren’t good at security,” Hansen said, citing research he and Cenzic security analyst Tom Stracener shared at a notorious annual DefCon hacker gathering in Las Vegas.

“We pretty much break into anything we try.”

Hackers can resort to a tactic of luring people to websites that trick people into installing applications in iGoogle home pages. A hacker can remotely control a victim’s computer as long as the iGoogle page is open.

Gmail users face danger from the same “hole” in security, according to Hansen, whose hacker name is “RSnake.”

“We’ve been telling Google about these vulnerabilities for years and they have not made corrective actions,” Hansen said.

“They chose to open the doors and insomuch put a lot of consumers at risk.”

Google says it checks gadgets for malicious code, rarely finding any, and that it removes tainted programs.


23Aug Understanding the Computer Registry features

COM/ActiveX
Invalid COM or ActiveX object entries in the Windows registry can cause application failures, document and information loss, and system crashes.  Registry Fix It! will scan and remove these entries automatically, setting your mind at ease.

Uninstall Entries
When an application’s installer does not correctly set up the uninstall process, the Registry becomes clogged with invalid information. Registry Fix It! scours your registry for invalid information left behind by incorrect uninstall processes.

Font Entries
Often application errors – especially in Word processing applications – are caused by missing or corrupt font files.  Registry Fix It! resolves these inconsistencies for you ensuring that font files taking up space in your registry are valid.

Shared DLLs
Invalid entries in the Shared DLLs section of the Registry can cause a certain type of application failure commonly known as “DLL hell”. Registry Fix It! puts your mind at ease by repairing and restoring your Registry automatically.

Application Paths
Disk directories that are not referenced correctly can often cause programs to fail. Registry Fix It! will scan and fix the Application Paths section of the Windows registry.

Help Files Information
The last thing you need when you are looking for help on an application is for it to crash!  Registry Fix It! takes care of invalid help file references so you never have to worry about the registry containing incorrect help information.

Windows Startup Items
Registry Fix It! quickly finds and deletes missing program entries in the startup items area of the Windows registry.  Incorrect installation programs will cause these problems without you even realizing it!

File/Path References
Some registry items can be associated with non-existent files and folders – such as when temporary files are used for storage. Registry Fix It! will help you remove the invalid entries every time you scan!

Program Shortcuts
Incorrect program shortcuts can cause applications to take much longer to start – or simply stop them from running at all. Registry Fix It! effortlessly finds these entries and removes them for you.

Empty Registry Keys
Registry Fix It! will remove Registry keys that have no value, sweeping out the useless entries that clog up your system.

Shell Extensions
Shell extensions provide you with useful enhancements to the working environment of your PC. Invalid shell extension entries can cause irregularities that will frustrate and slow you down.  The Registry Fix It! scan will find these entries so that they can be removed permanently.

Custom Scans
You can customize how Registry Fix It! scans your registry by selecting only the items you want to be scanned.

Automatic Scanning with the Scheduling Tool
With Registry Fix It! you can create schedules so that a registry scan is done automatically at the time you choose. Using the scheduling feature you can set more than one schedule to run daily, weekly, monthly, at system startup, and more.

Selection and Removal
You can choose which items Registry Fix It! has detected after it completes the registry scan.

Ignore List
Registry Fix It! offers you the ability to ignore items that have been detected after the registry is scanned. In this way these items will be ignored for subsequent scans.  You can manage an Ignore list should you want to have these items scanned and removed in the future.

Automatic Repair
Registry Fix It! offers you the ability to perform an automatic repair of detected items after a scan.  You can configure the settings so that a repair of detected items occurs after each scan.

Backup and Restore
An automatic backup is created every time you use Registry Fix It!.  You can restore any items any time for peace of mind.

Startup Management
Registry Fix It! offers quick and easy access to all the programs that are launched when you start your computer.  You can enable and disable applications in the Manage Startup list with a few simple clicks.


19Aug Security loopholes in software development

Software development is a process in which each and every aspect is a concern. When it comes to security, it becomes the priority of the software management team, because a single flaw can ruin the development process. The following are some areas of concern where loopholes may occur.

1- Validating Input 

There must be verification and validation of input data so that an attacker cannot confuse the system.

2- Integrity of Application Programming Interfaces

Application programming interfaces (APIs) are ways to access software functions. If you access such features in unexpected ways, you can create security loopholes.

3- Encryption and Authentication 

Encryption and authentication are two areas where loopholes can occur and later damage the whole system.

4- Common Errors 

This is the area where simple mistakes can cause loopholes. Normally the debugging process keeps this under control, but due care in this area is still needed.

5- Coding Standard 

Coding must be up to a standard, and strict guidelines must be observed. Poor-quality code can create loopholes that leave the system more vulnerable.

6- Autonomy

Autonomous systems working together across networks need to be aware of each other’s state of operation. If attackers can find loopholes to exploit differences in state, distributed applications can be compromised.


18Aug Choosing an endpoint security application

An endpoint security application is best for your security needs. Before you choose an endpoint security system, take a look at the following.

Does the endpoint security application allow you to take control of the following?

  • Floppy disks
  • CDs and DVD ROMs
  • iPods
  • Storage devices
  • Printers
  • PDAs
  • Network adapters
  • Modems
  • Imaging devices
  • Other hardware

Other features to be considered are:

  • Scan and detect a list of devices that have been used or are currently still in use
  • Password protected agents to avoid tampering
  • Set up custom popup messages for users when they are blocked from using a device
  • Browse user activity and device usage logs through a backend database
  • Maintenance function that allows you to delete information that is older than a certain number of days
  • Support for operating systems in any Unicode-compliant language


18Aug Internet Gopher protocol requests can control your pc

Microsoft issued a “critical” security alert about a hole in its Internet Explorer browser that could allow hackers to use an outdated Internet protocol to seize control of people’s computers.

A problem may occur on an Internet Security and Acceleration (ISA) Server-based or Proxy Server 2.0-based computer during the processing of Internet Gopher protocol requests. A typical Gopher request may look similar to this:

gopher://gopher.example.com:70/11/example%09%09%2b

When a malicious request is received, the ISA Server-based or Proxy Server 2.0-based computer may send back a response that is not valid, generate an access violation error message, and stop providing services.

A successful attack against the ISA Server-based or Proxy Server 2.0-based computer requires a malicious Gopher request. This request must originate from a valid user who is permitted by the firewall policy and that is received by the Web Proxy service. This means that a valid client would have to submit the initial request.

The vulnerability results because of an unchecked buffer in the code. This code handles information that is returned from a server by using the Gopher protocol. By configuring a Gopher server to return information in a particular manner in response to requests, an attacker might attempt to overflow the buffer and load code on the computer.
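
The request shown above breaks down into the fields of a Gopher URL: a one-character gopher type, a selector, and optional search and Gopher+ strings separated by an encoded TAB (%09). The following is an added example, not part of the original advisory, that splits such URLs so that Gopher requests in a proxy log can be picked out and reviewed; the list of logged URLs is constructed and the function names are hypothetical.

```javascript
// Split a gopher:// URL into its fields (URL layout per RFC 4266).
// Returns null for anything that is not a well-formed Gopher URL.
function parseGopherUrl(url) {
  const m = /^gopher:\/\/([^\/:?#]+)(?::(\d{1,5}))?(?:\/(.*))?$/i.exec(url);
  if (!m) return null;

  const port = m[2] === undefined ? 70 : Number(m[2]); // 70 is the default
  if (port < 1 || port > 65535) return null;

  // Fields are separated by an encoded TAB. Split BEFORE decoding so that
  // a decoded byte can never be mistaken for a separator.
  const parts = (m[3] || "").split(/%09/i);
  let decoded;
  try {
    decoded = parts.map((p) => decodeURIComponent(p));
  } catch (e) {
    return null; // malformed percent-encoding
  }

  const first = decoded[0];
  return {
    host: m[1].toLowerCase(),
    port,
    // An empty path means gopher type "1" (a directory listing).
    type: first.length > 0 ? first[0] : "1",
    selector: first.slice(1),
    search: decoded.length > 1 ? decoded[1] : null,
    gopherPlus: decoded.length > 2 ? decoded.slice(2).join("\t") : null,
  };
}

// Constructed sample of requested URLs as a proxy might log them.
const SAMPLE_REQUESTS = [
  "http://www.example.com/index.html",
  "gopher://gopher.example.com:70/11/example%09%09%2b", // from the text above
  "gopher://gopher.example.com/",
  "gopher://gopher.example.com:70/0/readme%zz",         // bad encoding
];

// Keep only Gopher requests and attach the parsed fields (null = malformed,
// which is itself worth a closer look).
function gopherRequests(urls) {
  return urls
    .filter((u) => /^gopher:/i.test(u))
    .map((u) => ({ url: u, parsed: parseGopherUrl(u) }));
}

for (const r of gopherRequests(SAMPLE_REQUESTS)) {
  console.log(r.url, JSON.stringify(r.parsed));
}
```

If no client behind the proxy has a business need for Gopher, the same filter gives the list of requests a policy rule denying the protocol would have stopped.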

You must install ISA Server Service Pack 1 (SP1) before you apply the following hotfix.

For additional information about how to obtain the latest ISA Server service pack, click the article number below to view the article in the Microsoft Knowledge Base:

How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

The following file is available for download from the Microsoft Download Center:

Download Isahf177.exe


18Aug Reloading a corrupted page

A page may be corrupted if a previous user interrupted its transmission and an incomplete page is stored in the cache, or a user may wish to download a new copy of a page to ensure it is the most up to date. In Netscape Navigator, hold the Shift key and press Reload (Macintosh users should use Option instead of Shift). Netscape sends a special code causing all proxies on the way to bypass the cache, go directly to the source and cache the result.

Currently, Internet Explorer does not implement this facility. If you run a Squid server, you may also use the Cache Manager, cachemgr.cgi, which allows you to force a refresh of a cached object.


18Aug Forcing customers to use web proxy cache

To block direct web access for your network(s) and force people to use proxies, you should add the following access list to your router LAN port (inbound). Here is a sample Cisco router configuration:

router#configure terminal
router(config)#access-list 100 permit tcp any host 192.189.54.60 eq www
router(config)#access-list 100 deny tcp any any eq www
router(config)#access-list 100 permit ip any any
router(config)#interface Ethernet0
router(config-if)#ip access-group 100 in
router(config-if)#end
router#copy running-config startup-config

The option in the second line allows your users to use proxy.connect.com.au proxy autoconfig scripts. (NB: Using these scripts will bypass your proxy to use AAPT’s.)

This assumes that access-list 100 was unused. If you have your own proxy and want to bypass the Connect caches (permanently or occasionally) you need an additional rule which allows the cache access to port 80.

For example:

router(config)#access-list 100 permit tcp host xx.xx.xx.xx any eq www

before the deny rule. Otherwise, you should configure your browsers to use proxy.connect.com.au, port 8080. Also, proxy.connect.com.au may be accessed for proxy auto-config.

If you are already using an inbound access list on the LAN interface, then this of course has to be merged with your current list. The filter can alternatively be applied to the WAN interface (outbound).
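
Why the extra rule for your own cache has to go before the deny rule: an access list is evaluated top to bottom and the first matching entry decides. The following is an added example, not part of the original instructions, that models access list 100 as data and evaluates sample packets against it; the cache address 192.0.2.10 and the client and web server addresses are constructed placeholders, and only exact host matches are modelled (no wildcard masks).

```javascript
// Access list 100 from the configuration above. dport null = any port.
const PAGE_ACL = [
  { action: "permit", proto: "tcp", src: "any", dst: "192.189.54.60", dport: 80 },
  { action: "deny",   proto: "tcp", src: "any", dst: "any",           dport: 80 },
  { action: "permit", proto: "ip",  src: "any", dst: "any",           dport: null },
];

// Constructed placeholder for your own cache (the page elides the address).
const OWN_CACHE = "192.0.2.10";
const CACHE_RULE = { action: "permit", proto: "tcp", src: OWN_CACHE, dst: "any", dport: 80 };

function ruleMatches(rule, pkt) {
  return (rule.proto === "ip" || rule.proto === pkt.proto) &&
         (rule.src === "any" || rule.src === pkt.src) &&
         (rule.dst === "any" || rule.dst === pkt.dst) &&
         (rule.dport === null || rule.dport === pkt.dport);
}

// First matching entry wins; a packet that matches nothing is dropped by
// the implicit deny at the end of every access list.
function evaluate(acl, pkt) {
  for (const rule of acl) {
    if (ruleMatches(rule, pkt)) return rule.action;
  }
  return "deny";
}

// Correct placement: immediately before the first deny entry.
function withCacheBeforeDeny(acl) {
  const i = acl.findIndex((r) => r.action === "deny");
  const at = i < 0 ? acl.length : i;
  return [...acl.slice(0, at), CACHE_RULE, ...acl.slice(at)];
}

// The mistake to avoid: appending the entry, where the deny shadows it.
function withCacheAppended(acl) {
  return [...acl, CACHE_RULE];
}

// Constructed sample packets.
const clientWeb = { proto: "tcp", src: "10.0.0.5", dst: "203.0.113.7", dport: 80 };
const cacheWeb  = { proto: "tcp", src: OWN_CACHE,  dst: "203.0.113.7", dport: 80 };

console.log("client direct:", evaluate(PAGE_ACL, clientWeb));
console.log("cache, rule before deny:", evaluate(withCacheBeforeDeny(PAGE_ACL), cacheWeb));
console.log("cache, rule appended:", evaluate(withCacheAppended(PAGE_ACL), cacheWeb));
```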


18Aug Knowing about proxy servers

If you are new to proxy servers and don’t know exactly what they are, here is a short explanation. A proxy server is a computer running a proxy server application, which allows you to connect to it and request data. So, instead of surfing directly to a website, you can request that website from a proxy server, which will request it from the website’s server and send it to you.

One of the main reasons to use a proxy is that connecting to websites through an anonymous proxy server makes you anonymous. Because you don’t have any connection with the website, the website can’t get any information from you directly. All the information it gathers is sent from the proxy server. This also prevents some malicious attempts that some websites perform on their visitors.

There are three types of proxy servers with different anonymity levels. A transparent proxy server offers no protection at all, so we don’t advise you to use one. The second type of proxy is an anonymous proxy, which protects you from revealing your computer’s IP address to websites. The last, most anonymous, is the so-called elite proxy server, which also protects you from revealing your computer’s IP address. The difference between an anonymous and an elite proxy is that when using an anonymous proxy, websites do know you use a proxy, while elite proxy servers don’t reveal this information.

You can surf our website by pressing the buttons on the menu above and selecting a category you are interested in. Once you are in the chosen category, you will see new related topics on the menu on the left. Our proxy tool section offers some tools made by us to help you in hunting proxies and testing your anonymity. Under applications, you can find applications that may come in handy once you know more about proxies. With each application, there also comes a small tutorial on how to use it. The tutorial section offers some basic tutorials that you might be interested in.

Read below about a website which gives quite a lot of detail about proxies.

Explanation


16Aug Information assurance is a process that begins with strategy

Security is a complex matter, balancing many competing interests. Each organization has different requirements and preferences for how it operates, as well as different levels of expertise and capability with its internal staff. Interhack’s Information Assurance practice complements whatever in-house expertise the client has to ensure that security is addressed strategically as well as tactically. Our deep technical expertise includes networks, software, operating systems, cryptography, and large-scale architectures.

Information assurance is a process that begins with strategy, a high-level definition of risk tolerance and expected rewards. At one extreme are start-up companies: they focus on growing to meet specific objectives for revenue or size and will typically shut down if the plan doesn’t work out. At the other extreme are companies that have been around a long time: they also want to make money but are able to be more patient about doing it and place more importance on being in business five years from now than growing by some margin. The start-ups are inherently high-risk and will therefore tolerate more risk in their information management practices. Companies that have a high need to continue longevity will put more emphasis on mitigating risk to protect their brands and operations. Adding to this mix is the maturity of the industry and the impact of regulation on security requirements.

Even the best strategy in the world is ultimately useless if the tools and techniques aren’t up to the task. Hence, Interhack’s Information Assurance practice includes a wide range of services that will also help to ensure that networks, computers, communications devices, and software are all doing what they should be doing in order to support the organization’s security strategy.

No two companies are identical. Even within an industry, competitors differentiate themselves in part by how they address risk. It makes no more sense for an organization to adopt a downloadable security strategy than a cookie cutter business plan.

Source Interhack 
