Security – Remove the lock on the app

I installed a specific app two months ago. When I opened it for the first time, a pop-up appeared suggesting that I enable the screen lock PIN, and I activated the screen lock. From that point on, the PIN has always been requested when opening the app. I used the app for the last two months without any problems. However, in the last few days I cannot open the same application, because the PIN prompt is displayed again even after I enter the correct PIN. I thought it was a mistake in that particular application and reported it to them. They told me that the application does not ask for a PIN to access it. I was asked to check the access and security settings on my phone, open the apps, and remove the app from the list of apps. But I cannot find any such setting on my phone. Could someone tell me how to check the access and security settings for opening apps and how to remove the app from them?

Is it a security concern to publish the current boot_id?

Under Linux, a machine has a machine ID.

The man page says that it should be considered "confidential" and must not be exposed to untrusted parties.

Should the boot_id (from /proc/sys/kernel/random/boot_id) also be considered "confidential"?

I use the first 6 hex digits of the boot_id (so not the whole thing) to see whether the web server has been restarted (or not), and display it on the main page. However, this is not a public server; you have to log in.

Security – Secure dynamic SQL for general search

Because of the discussion on SQL injection, I wanted to provide a proof-of-concept to get feedback on whether this is actually secure and protected against SQL injection or other malicious use. For a good reference on creating a dynamic SQL search, I would probably look around there.

This is intended to be a proof-of-concept rather than a complete working solution, to illustrate how to accept text input from users but treat it as if it were properly parameterized.

The assumptions are as follows:

1) We do not want to execute code on the client side; theoretically this could have been done in a middle tier as a kind of API. Even if there is a middle-tier API endpoint, it does not make sense if the query created on behalf of the user is not properly parameterized. Moreover, doing it in SQL means that it is now generic to all clients that need the functionality, but at the cost of poor portability: this probably works only on Microsoft SQL Server, not on other database providers, at least not without significant changes.

2) Under no circumstances should users be allowed to write dynamic SQL, directly or indirectly. The only thing that should write the dynamic SQL is our code, without user input. This means that additional indirection is required to ensure that user input does not become part of the dynamic SQL being created.

3) We assume that users only need to search a single table and want all the columns, but may want to filter by columns. This is just to simplify the proof of concept; there is no technical reason why it cannot be done, provided the practices described in the proof of concept are strictly followed.

Auxiliary function for data types

First, we need a function that helps us build a formatted data type, because sys.types does not present the information in the friendliest way for writing a parameter. This could be more complex, but it is sufficient for most cases:

CREATE OR ALTER FUNCTION dbo.ufnGetFormattedDataType (
    @DataTypeName sysname,
    @Precision int,
    @Scale int,
    @MaxLength int
) RETURNS nvarchar(255)
WITH SCHEMABINDING AS
BEGIN
    DECLARE @Suffix nvarchar(15);

    SET @Suffix = CASE
        -- sys.columns.max_length is in bytes; nchar/nvarchar store two bytes per character,
        -- so halve it for those types (-1 means MAX for all of the variable-length types)
        WHEN @DataTypeName IN (N'nvarchar', N'nchar')
            THEN CONCAT(N'(', IIF(@MaxLength = -1, N'MAX', CAST(@MaxLength / 2 AS nvarchar(12))), N')')

        WHEN @DataTypeName IN (N'varchar', N'char', N'varbinary', N'binary')
            THEN CONCAT(N'(', IIF(@MaxLength = -1, N'MAX', CAST(@MaxLength AS nvarchar(12))), N')')

        WHEN @DataTypeName IN (N'decimal', N'numeric')
            THEN CONCAT(N'(', @Precision, N',', @Scale, N')')

        WHEN @DataTypeName IN (N'datetime2', N'datetimeoffset', N'time')
            THEN CONCAT(N'(', @Scale, N')')

        ELSE N''
    END;

    RETURN CONCAT(@DataTypeName, @Suffix);
END;

Dynamic master search procedure

With that function in place, we can create our main procedure for building the dynamic SQL to support the generic search:

CREATE OR ALTER PROCEDURE dbo.uspDynamicSearch (
    @TableName sysname,
    @ParameterXml xml
) AS
BEGIN
    DECLARE @sTableName sysname,
            @sTableId int,
            @err nvarchar(4000);

    -- Resolve the user-supplied name against the catalog; only the catalog's copy is used from here on
    SELECT
        @sTableName = o.name,
        @sTableId = o.object_id
    FROM sys.objects AS o
    WHERE o.name = @TableName;

    IF @sTableName IS NULL
        OR @sTableId IS NULL
    BEGIN
        SET @err = N'Invalid table name specified.';
        THROW 50000, @err, 1;
        RETURN -1;
    END;

    -- Shred the XML into name/value pairs, keep only names that are real columns of the table,
    -- and take each column's data type from the catalog (never from the XML)
    WITH BaseData AS (
        SELECT
            x.value(N'@name', N'nvarchar(128)') AS ParameterName,
            x.value(N'@value', N'nvarchar(MAX)') AS ParameterValue
        FROM @ParameterXml.nodes(N'/l/p') AS t(x)
    )
    SELECT
        ROW_NUMBER() OVER (ORDER BY (SELECT NULL)) AS Id,
        c.name AS ColumnName,
        d.ParameterValue AS ParameterValue,
        c.user_type_id AS DataTypeId,
        t.name AS DataTypeName,
        c.max_length AS MaxLength,
        c.precision AS [Precision],
        c.scale AS Scale,
        dbo.ufnGetFormattedDataType(t.name, c.precision, c.scale, c.max_length) AS ParameterDataType
    INTO #ParameterData
    FROM BaseData AS d
    INNER JOIN sys.columns AS c
        ON d.ParameterName = c.name
    INNER JOIN sys.types AS t
        ON c.user_type_id = t.user_type_id
    WHERE c.object_id = @sTableId;

    -- QUOTENAME so that a table whose name contains spaces or brackets still yields a valid identifier
    DECLARE @Sql nvarchar(MAX) = CONCAT(N'SELECT * FROM ', QUOTENAME(@sTableName));

    IF EXISTS (
        SELECT NULL
        FROM #ParameterData
    )
    BEGIN
        DECLARE @And nvarchar(5) = N' AND ';

        -- The predicates reference only catalog column names and our own @P<n> placeholders;
        -- the ", TYPE).value(...)" idiom keeps FOR XML from entity-encoding characters such as &
        SET @Sql += CONCAT(N' WHERE ', STUFF((
            SELECT
                CONCAT(@And, QUOTENAME(d.ColumnName), N' = @P', d.Id)
            FROM #ParameterData AS d
            FOR XML PATH(N''), TYPE
        ).value(N'.', N'nvarchar(MAX)'), 1, LEN(@And), N''));

        -- Each @P<n> is declared with the column's type and filled from the temp table via a CAST,
        -- so the user's value never becomes part of the SQL text itself
        DECLARE @Params nvarchar(MAX) = CONCAT(N'DECLARE ', STUFF((
            SELECT
                CONCAT(N', @P', d.Id, N' ', d.ParameterDataType,
                       N' = (SELECT CAST(d.ParameterValue AS ', d.ParameterDataType,
                       N') FROM #ParameterData AS d WHERE d.Id = ', d.Id, N')')
            FROM #ParameterData AS d
            FOR XML PATH(N''), TYPE
        ).value(N'.', N'nvarchar(MAX)'), 1, 2, N''), N';');

        SET @Sql = @Params + @Sql;
    END;

    EXEC sys.sp_executesql @Sql;
END;

Analysis

Let's go through the procedure in parts to explain the reasons for the design, starting with the parameters.

    @TableName sysname,
    @ParameterXml xml

The table name is self-explanatory, but users must specify their search conditions as an XML document. It does not have to be XML; JSON would work as well (assuming you are using a recent version of SQL Server). The point is that it must be a well-defined format with native support for parsing the content. An XML example might look something like this:


  

The XML is basically a list (l) of parameters (p) as name-value pairs.

We have to validate both parameters. The first is easy to do:

    SELECT
        @sTableName = o.name,
        @sTableId = o.object_id
    FROM sys.objects AS o
    WHERE o.name = @TableName;

Because we do not want to put the users' input directly into the dynamic SQL, we use a separate variable, @sTableName. That would be the same value as @TableName, but only if the user is not malicious and trying to inject additional characters. So we filter it through sys.objects, which implicitly enforces the SQL Server identifier rules, to verify that the input is valid.

We need a bit more work for the parameters, so we load them into a temporary table.

    WITH BaseData AS (
        SELECT
            x.value(N'@name', N'nvarchar(128)') AS ParameterName,
            x.value(N'@value', N'nvarchar(MAX)') AS ParameterValue
        FROM @ParameterXml.nodes(N'/l/p') AS t(x)
    )
    SELECT
        ROW_NUMBER() OVER (ORDER BY (SELECT NULL)) AS Id,
        c.name AS ColumnName,
        d.ParameterValue AS ParameterValue,
        c.user_type_id AS DataTypeId,
        t.name AS DataTypeName,
        c.max_length AS MaxLength,
        c.precision AS [Precision],
        c.scale AS Scale,
        dbo.ufnGetFormattedDataType(t.name, c.precision, c.scale, c.max_length) AS ParameterDataType
    INTO #ParameterData
    FROM BaseData AS d
    INNER JOIN sys.columns AS c
        ON d.ParameterName = c.name
    INNER JOIN sys.types AS t
        ON c.user_type_id = t.user_type_id
    WHERE c.object_id = @sTableId;

In addition to checking the column names that we want to use as filters, we collect metadata from sys.columns and sys.types. Note that the XML itself cannot be used to tell us which data types the user wants to use; that would be a vector for malicious attacks. Therefore, we must rely on the information from the catalog views and only accept the values that come directly from the user-provided XML.

Note that ROW_NUMBER() generates the IDs of the parameters. That is important, as we will see later.

    DECLARE @Sql nvarchar(MAX) = CONCAT(N'SELECT * FROM ', QUOTENAME(@sTableName));

We build the first part of our dynamic SQL. We assume that it is okay to allow users to select the entire table, although this can be difficult if there are many records. In a complete solution, it may be more prudent to have a TOP 100 or something like that.

From here on, we assume that we have a set of parameters to filter on.

    SET @Sql += CONCAT(N' WHERE ', STUFF((
        SELECT
            CONCAT(@And, QUOTENAME(d.ColumnName), N' = @P', d.Id)
        FROM #ParameterData AS d
        FOR XML PATH(N''), TYPE
    ).value(N'.', N'nvarchar(MAX)'), 1, LEN(@And), N''));

Here we abuse FOR XML PATH to concatenate the filter predicates for the WHERE clause. Using the XML example above, the output would be similar to WHERE [First Name] = @P1 AND [Last Name] = @P2. Note the awful naming of columns with spaces, to show the value of QUOTENAME in making sure that even in a crappy database schema no error with an iffy identifier occurs.

    DECLARE @Params nvarchar(MAX) = CONCAT(N'DECLARE ', STUFF((
        SELECT
            CONCAT(N', @P', d.Id, N' ', d.ParameterDataType,
                   N' = (SELECT CAST(d.ParameterValue AS ', d.ParameterDataType,
                   N') FROM #ParameterData AS d WHERE d.Id = ', d.Id, N')')
        FROM #ParameterData AS d
        FOR XML PATH(N''), TYPE
    ).value(N'.', N'nvarchar(MAX)'), 1, 2, N''), N';');

This is where the user's input is most likely to come in: we read it from the same temporary table that we created and assign it to a parameter we create ourselves, with a CAST. Note that we could have used TRY_CAST to avoid a runtime error, but I would argue that an error must occur if users make incorrect inputs. In a complete solution, the procedure could be wrapped in a TRY/CATCH to clean up the error message somehow.

Using the XML example from the top again, it would look something like this:

    DECLARE @P1 varchar(100) = (SELECT CAST(d.ParameterValue AS varchar(100)) FROM #ParameterData AS d WHERE d.Id = 1);

Note that we did not even use the name the users gave us; we used a numeric ID that was generated by our own code. Also, the code reads from the temporary table and CASTs the value into the parameter we want. This makes it easier for us to handle different data types for the different parameters that users may send us, without concatenating the values they provide into our dynamic SQL.

Once we have that, we prepend the assignments to @Sql and execute it:

    EXEC sys.sp_executesql @Sql;

Note that we did not use the @params parameter of sp_executesql; there are no parameters we can really pass, because the parameters are in a temporary table. Because of this, we've used dynamic SQL assignments to move the user input from an XML document into a parameter in the dynamic SQL.

Can that be broken?

As mentioned earlier, the discussion about SQL injection made me wonder whether I might have missed or assumed something, so that a malicious user could still bypass the levels of indirection I introduced and inject his nasty little SQL.
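An added usage script, not part of the original post, that exercises the procedure against a constructed dbo.Person table (the table, its rows and the XML inputs are all made up here); it assumes the function and procedure above have been created in the current database:

```sql
SET NOCOUNT ON;

-- Constructed sample table with the space-containing column names the post mentions
CREATE TABLE dbo.Person (
    PersonId     int           NOT NULL IDENTITY PRIMARY KEY,
    [First Name] varchar(100)  NOT NULL,
    [Last Name]  varchar(100)  NOT NULL,
    Balance      decimal(10,2) NOT NULL DEFAULT 0
);

INSERT INTO dbo.Person ([First Name], [Last Name], Balance)
VALUES ('Ada', 'Lovelace', 100.00),
       ('Alan', 'Turing', 250.50);

-- 1) Happy path. The procedure builds and runs a batch of the form
--    DECLARE @P1 varchar(100) = (SELECT CAST(...) ... WHERE d.Id = 1), @P2 varchar(100) = (...);
--    SELECT * FROM [Person] WHERE [First Name] = @P1 AND [Last Name] = @P2
--    (the Id numbers only have to agree between the predicate and the DECLARE)
DECLARE @xml xml = N'<l>
  <p name="First Name" value="Ada" />
  <p name="Last Name"  value="Lovelace" />
</l>';
EXEC dbo.uspDynamicSearch @TableName = N'Person', @ParameterXml = @xml;

-- 2) A value that is not valid for the column's type never reaches the SQL text:
--    CAST(N'1 OR 1=1' AS decimal(10,2)) fails and the batch aborts with a conversion
--    error, which is the behaviour the post argues for (a full solution would TRY/CATCH it).
SET @xml = N'<l><p name="Balance" value="1 OR 1=1" /></l>';
BEGIN TRY
    EXEC dbo.uspDynamicSearch @TableName = N'Person', @ParameterXml = @xml;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

-- 3) A table name that is not in sys.objects is rejected before any SQL is built (error 50000)
BEGIN TRY
    EXEC dbo.uspDynamicSearch @TableName = N'Person;--', @ParameterXml = @xml;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

-- 4) Caveat: a name that matches no column is silently dropped by the INNER JOIN against
--    sys.columns, so this call returns the WHOLE table instead of failing. A complete solution
--    should compare the number of /l/p nodes with the row count of #ParameterData and fail on a mismatch.
SET @xml = N'<l><p name="NoSuchColumn" value="x" /></l>';
EXEC dbo.uspDynamicSearch @TableName = N'Person', @ParameterXml = @xml;

DROP TABLE dbo.Person;
```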

Encryption – does the combination of TOR and VPN lead to absolute security and anonymity?

I want absolute anonymity online, without anyone being able to track me or the sites I visit. Are TOR nodes safe? If you use a VPN, does that mean that someday somebody can trace the exit node and then your VPN, or are you totally safe? Is this 100% secure; are you safe from the United States Government or not?

Users are no longer allowed to use old passwords for security reasons. How can you alleviate this pain point?

I work for a healthcare start-up whose login requirements are pretty strict, especially because protecting patient and vendor data is so important in this industry. Although our rigor meets an important need, it can cause a lot of headaches for our vendors. The source of many of these frustrations is the fact that vendors may not reuse any of their last 12 passwords when changing their passwords. They have trouble remembering their old passwords, and there is no safe, systematic way to pass that information on to them. Worse, they have to change their passwords every 90 days. Between the cognitive burden required to remember all their current passwords and the frequency with which they need to update them, vendors either give up in frustration or rely on customer support, which is flooded with requests to change the vendors' passwords for them.

Does anyone have experience with the problem "previous password"? And if so, what approaches have you used to mitigate this? Thanks for your help!

(And for your information, I asked my security team if there was any margin for the frequency of the Pw change as well as the change criteria, but they said that this was pretty much carved in stone.)

Encryption – Encryption of mobile user data in the event of a PIN / device security breach

As I understand it, modern mobile operating systems often encrypt app data when a device is locked with a PIN or password. How do I protect users if their device or PIN has been compromised?

If I manually encrypt certain parts of my app data, where do I store the key to decrypt it if a hacker or unauthorized user holds the physical device or PIN / password in their hands?

[WTS] # 1 Stable Webhosting Plans | DailyRazor.com

Do you need reliable and superfast Linux and Windows web hosting?

DailyRazor.com is a provider of professional web hosting and other web services such as domain names, e-commerce, web design, search engine optimization and marketing, graphics and consulting for small businesses and individuals around the world.

We have more than 15 years of experience in Java, .NET, PHP, Ruby, CGI, network administration, systems integration and related technologies to support mission-critical hosting for applications based on these platforms. In addition, we offer web hosting packages to support popular technologies such as Perl, Python, and Ruby, as well as database support for the ever-growing and popular Microsoft Access, Microsoft SQL Server, MySQL, and PostgreSQL databases.

Our features:

  • Professional support around the clock
  • 30-day money-back guarantee
  • 99.9% availability guarantee
  • Fast and fast server infrastructure
  • 1-Click App Installer (hundreds to choose from)
  • Award Winning Web Hosting
  • Over 15 years experience in Linux and Windows hosting

Our Web Hosting Plans should contribute to the success of your website! We offer an instant installation software called Softaculous, which allows you to automatically install over 276 open source scripts with a mouse click. You can install WordPress, Joomla, OpenCart, PrestaShop, PHPBB, Drupal, SMF, MyBB, Magento, Dolphin, OpenBlog, TextPattern, LifeType, etc. in one click!

Note: Each hosting plan includes disk space, bandwidth, email accounts and FTP accounts, as much as you need, plus a FREE domain name.

Dailyrazor also offers Tomcat hosting, Joomla hosting, OpenCart hosting and vBulletin hosting Solutions!

Use code: SUPER SHARED and get up to 60.40% OFF on all hosting plans!

Starter
1 website / domain
10 databases
Free Domain Domain
FREE Website Builder
FREE SSL security
cPanel Control Panel
3.15 USD / month 60.40% DISCOUNT (previously 7.95 USD) – ORDER NOW
Click here for more plans and details: https://www.dailyrazor.com/web-hosting/

Our Superior ASP.NET hosting Plans should contribute to the success of your website!
Use code: SUPER SHARED and get up to 60.40% OFF on all hosting plans!

Starter
1 website / domain
10 databases
Free Domain Domain
FREE Website Builder
FREE SSL security
cPanel Control Panel
3.94 USD / month 60.40% DISCOUNT (previously 9.95 USD) – ORDER NOW
Click here for more plans and details: https://www.dailyrazor.com/asp-net-hosting/

Our Ultimate Reseller Hosting Plans should contribute to the success of your website!
Use code: SUPERRESELL and get up to 10% OFF on all reseller hosting plans!

bronze
Host unlimited domains / websites
25 GB hard disk space
250 GB transfer / bandwidth
WHM / cPanel Control Panel
11.65 USD / month 10.00% DISCOUNT (previously 12.95 USD) – ORDER NOW
Click here for more plans and details: https://www.dailyrazor.com/reseller-hosting/

Our Expert ColdFusion Hosting Plans should contribute to the success of your website!
Use code: CFPRIMO and get up to 50% OFF on all ColdFusion hosting plans!

CF-One
1 website / domain
1 MS SQL database
5 MySQL databases
FREE domain name
Plesk Control Panel
7.98 USD / month 50% DISCOUNT (previously $ 15.95) – ORDER NOW
Click here for more plans and details: https://www.dailyrazor.com/coldfusion-hosting/

We also offer a robust one-click application installation software that integrates with our Plesk Control Panel, allowing you to automatically install tons of open source scripts with a mouse click. You can install WordPress, Joomla, OpenCart, PrestaShop, PHPBB, Drupal, SMF, MyBB, Magento, Dolphin, OpenBlog, TextPattern, LifeType, etc. in one click!

Our guarantee:
Try one of our hosting packages FREE for 30 days! We let our quality service speak for us and if you are not satisfied with our service, just contact us to cancel before or on the 30th day. We will refund your deposited amount without further questions!

If you have any questions, please contact our support: Submit ticket


To install security updates on Drupal 7.3.4 hosted on Windows 2012 R2 IIS 8.0

I'm new to Drupal. I have noticed that security updates are available for my version. If I select the first item that requires an update and click Download, the following error message is displayed: "An HTTP Error 0 occurred while getting https://ftp.drupal.org/files/projects/mimemail-7.x-1.1.tar.gz."

I would appreciate it if anyone could help figure out the cause of this problem and point me to documentation for installing security updates on Drupal on IIS 8.0.

Security – Export the Edge Scan vulnerability report with listed port and protocol

I am trying to collect a report of information on live.edgescan.com.

I notice I can export a CSV report of the vulnerabilities found at https://live.edgescan.com/app#/vulnerabilities. This does not include the port and protocol of each vulnerability along with the host information. There is a drop-down tab below each item on the vulnerability page, but these details do not appear as columns in the report or on the page.

How can I access and add it to a report?