Archive for August, 2008

JavaScript barebones

Posted August 30, 2008 at 6:34 pm in Programming | No Comments

JavaScript has nothing to do with Java beyond the name; the syntax is C-like but the language is dynamically typed and runs in the browser.

Comments use // for a single line and /* ... */ for a block.

Variable declaration with initialization syntax is

var variable_name = value/"string";

Variables follow the usual scoping rules with one twist: a variable declared with var inside a function is local to that whole function (not just the enclosing block), and one declared outside any function is global. Assigning to a name that was never declared with var silently creates a global, which is a common source of bugs.

Event handlers are attributes (or properties) that name the code to run when an event fires. They include:

  1. onabort — Loading of an object (e.g. an image) aborted.
  2. onblur — Object's focus lost.
  3. onchange — Object's value changed.
  4. onclick — Object clicked.
  5. onerror — Object failed to load, or a script threw an error.
  6. onfocus — Object has focus.
  7. onload — Object (page, image, frame) finished loading.
  8. onmouseover — Cursor placed over object.
  9. onmouseout — Cursor moved off object.
  10. onselect — Object's text content selected.
  11. onsubmit — Form submitted.
  12. onunload — Page is being left.

Function syntax:

function function_name() {statement(s);}

The prompt() function prompts the user for an input within a pop-up box.

The alert() function pops up a box with an alert message.

To perform concatenation or use variables within strings, use +. Example:

document.write("Your name is " + name + "!");

Note that document.write() treats the whole string as HTML, so if name came from prompt() or the URL, any markup in it is rendered as part of the page.

Conditional syntax follows the same pattern as C, Java and most other C-family languages.

if (condition) {statement(s);} else {statement(s);}

document.write() writes HTML into the document as it is being parsed, and window.location holds the current page's URI (assigning to it navigates to a new one).

document.getElementById("id") searches the DOM for the element with that id and returns it (or null if none exists).
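The concatenation and document.write()/getElementById() notes above have a security consequence worth seeing in code. The example below is added here and is not from the original post: it assumes a name supplied by the user (for instance from prompt()), shows that the concatenation pattern passes markup straight through to document.write(), and contrasts it with escaping and with setting textContent on an element found by getElementById(). The sample inputs BENIGN_NAME and HOSTILE_NAME, and the helper names, are constructed for this illustration.

```javascript
// Added example (not from the original post). The pattern
//   document.write("Your name is " + name + "!")
// treats `name` as HTML. When `name` comes from prompt(), the URL or any
// other untrusted source, a value containing markup is injected into the
// page as live HTML (DOM-based XSS).

// Constructed sample inputs: a benign name and a hostile one.
const BENIGN_NAME = "Alice";
const HOSTILE_NAME = '<img src=x onerror="alert(document.cookie)">';

// Original pattern: returns the exact string document.write() would receive.
function greetingMarkup(name) {
  return "Your name is " + name + "!";
}

// Minimal HTML escaping for text placed into element content or into a
// quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened variant for when markup must be built as a string: escape first.
function safeGreetingMarkup(name) {
  return "Your name is " + escapeHtml(name) + "!";
}

// Does the markup contain a tag carrying an on* event-handler attribute?
// Sufficient to show the difference between the two variants on the sample
// input; it is not a general XSS filter.
function containsEventHandlerTag(markup) {
  return /<\w+[^>]*\son\w+\s*=/i.test(markup);
}

// Preferred in a real page: skip string building entirely. getElementById()
// locates the target and textContent assigns the value as text, so the
// browser never parses it as HTML. Returns false where no DOM exists.
function showGreeting(name, elementId) {
  if (typeof document === "undefined") return false; // e.g. running under Node
  const el = document.getElementById(elementId);
  if (!el) return false;
  el.textContent = "Your name is " + name + "!";
  return true;
}

// Illustration when run as a script (browser console or Node).
console.log(greetingMarkup(HOSTILE_NAME));     // markup passes through unchanged
console.log(safeGreetingMarkup(HOSTILE_NAME)); // angle brackets and quotes escaped
showGreeting(HOSTILE_NAME, "greeting");        // no-op under Node; safe in a page
```

In a browser the last call needs an element such as <span id="greeting"></span> in the page; the escaping functions run anywhere. Escaping is context-dependent (element content, attribute, URL and script contexts each differ), which is why assigning textContent is the simpler, safer default when the goal is just to display text.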

Defense In Depth

Posted August 29, 2008 at 7:17 pm in General | No Comments

Defense in depth, a phrase coined by the military, is a defensive technique that layers security countermeasures upon one another. It uses multiple computer security techniques to help mitigate the risk of one component of the defense being compromised or circumvented.

Defense in depth seeks to delay and deter attackers rather than to stop them outright at a single point: each layer buys time, and the delay postpones, and may prevent, the ultimate success of the attack.

From the military play book, rather than defeating an attacker with a single, strong defensive line, defense in depth relies on the tendency of an attack to lose momentum over a period of time.

Using multiple vendors is a practice that supports this layered approach. If an attacker has to compromise two firewalls and each is from a different vendor, the attacker will have to find separate vulnerabilities for each, which adds time to the attack. Time usually works against an attacker and in favor of defensive countermeasures. The trade-off is operational: heterogeneous controls take more effort to configure and monitor consistently, and a misconfigured second layer adds little.

Defense in depth is designed so that if one security control fails, another independent control still stands between the attacker and the target, and the attack is unlikely to penetrate the next layer with the same technique.

Vulnerabilities by layer

Posted August 29, 2008 at 7:04 pm in Vulnerabilities | No Comments

This is a short list of network layers (the seven OSI layers plus the human layer above them) and their possible vulnerabilities/attack vectors. Entries are placed at the layer of the protocol they abuse, so SYN flooding and flag manipulation sit with TCP at Transport, and ARP poisoning and MAC flooding sit at Data Link.

Layer          Possible vulnerabilities / attack vectors
-------------  -------------------------------------------------------------------------------------------------
Human          Social engineering, phishing, dumpster diving, shoulder surfing, scams, caller ID spoofing, poor policies
Application    Buffer overflows, XSS, malware, viruses, worms, trojans, code exploits, application attacks
Presentation   Cleartext extraction/sniffing, NetBIOS enumeration, protocol attacks
Session        Session hijacking, password attacks
Transport      Port scans, SYN flooding, DoS attacks, service manipulation, TCP flag manipulation
Network        IP attacks, ICMP attacks, routing attacks
Data Link      Sniffing, MAC spoofing, ARP poisoning, MAC flooding, WEP attacks
Physical       Wiretapping, interception, hardware hacks, lock picking, physical access attacks