September 19, 2010

Fuzzing of a Mod_rewrite "Protected" Site

There is a growing possibility of encountering some sites on the Internet that hide parameters passed to an application using the mod_rewrite Apache module. Often, web developers have an illusion that this can protect a web application against attacks, such as SQL Injection, Cross-Site Scripting, etc. In fact, this is a common delusion, similar to the delusion that hiding “fingerprints” of services improves the security of the services. There is no doubt that the use of mod_rewrite for hiding parameters passed to an application, just as hiding fingerprints, is a certain obstacle for an attacker. However, as they say, “there is no such obstacle that could not be surmounted”.

September 17, 2010

Chaos Constructions 2010 (resume)

At the end of the last month, traditionally takes part computer festival named Chaos Construction 2010. Chaos Constructions (CC) — this annual festival held at the end of August in St.Petersburg. Starting 2006, its format is similar to LAN party format.

CC festival started in 1995 as "demo party" – a competition between programmers, painters and musicians in several nominations, the main one is "demo" – a program with size limitations, that is usually a kind of video file but with animation (it can be used in short fragments). As a rule, demo is a program that can demonstrate realistic 3D graphics via special complex calculations. In most case this is true but earlier (and sometimes now) demo was considered to be a kind of story with special effects are just means to make the story more understandable.

September 3, 2010

PCI DSS and Red Hat Enterprise Linux (Part #5)

Requirement 7. Limit access to system components and cardholder data to only those individuals whose job requires such access

The both requirements given in this section are rather complex; many sub-systems are involved in configuration of OS in compliance with these requirements. CIS RHEL analogs of the requirement 7.2.1 are contained in items 8.1, 8.2, 8.5, 8.8, 9.2, 9.8, 9.11, SN.7, and SN.11, but these analogs don’t cover all access isolation mechanisms available in the system. Partial CIS analogs of the requirement 7.1.1 are presented in items 7.2 and 7.6.

September 1, 2010

PCI DSS and Red Hat Enterprise Linux (Part #4)

Requirement 4. Encrypt transmission of cardholder data across open, public networks


In this chapter, data encryption requirements, which have no CIS analogs, are given. The key ideas are: application of tools for VPN channel creation, support of web traffic encryption, and application of certificates.