Software

How to mitigate against session hijacking attacks with HTTP Security Headers


Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. … Our analysis of the Alexa-ranked top 1000 popular websites gives clear evidence that such risks are far from remote, as the HttpOnly and Secure flags appear as yet to be largely ignored by web developers. – CookiExt: Patching the Browser Against Session Hijacking, Journal of Computer Security (2015).

Summary of Session-hijacking attacks

When you log in to a website, the web server creates a “session” to identify you by sending the client browser a session cookie. Cookies have functions other than sessions, but perhaps the most important use of cookies from a security perspective is managing your “state” or “session-state”. This is because a single IP address may have many clients connecting to the server, so…


Safari Browser URL Spoof Vulnerability


Last week, the Rafay blog published a short piece about the recently publicized browser URL spoofing vulnerability in Safari. To summarize, the browser bar is considered the only reliable security indicator to validate the authenticity of the website. You do this by looking at the URL bar at the top of your browser and checking that the domain contained in the URL matches the domain of the site you expect to be visiting. If it says “google.com” or “facebook.com” you should be able to reliably tell that you are on the correct website. In addition, all browsers include a symbol to show whether the SSL/TLS certificates have been properly validated to authenticate the identity of the server you are communicating with, as well as initialize an encrypted connection to protect your data as it transits the internet. Besides the recently publicized vulnerability in Safari, URL spoofing has been accomplished by attackers in…


New Web-Accessibility Laws in Ontario


In 2021 new laws will be enacted in Canada that demand web content be accessible to people with disabilities. The law applies to any organization with 50 or more employees and fines can be up to $50,000. The new regulation sets the gold standard for compliance at the WCAG 2.0 “AA” (Web Content Accessibility Guidelines double A) standard. This is the second level of the three levels included in the WCAG. If you are a website owner and you want assistance making your website compliant with the new regulations, please contact me by email at joseph@ripplesoftare.ca or contact me using the website contact form. If you are a web developer or compliance officer tasked with making sure your website meets this standard, read on to find out what the standard is and how you can make your site compliant.

Overview of Web-Accessibility Laws in Ontario

By January 1, 2021, Ontario businesses must make their public-facing websites conformant with…


Building Your IT Security News Pipeline

If you are responsible for securing a network, you should know that monitoring reliable IT security news is now critical to mitigating threats on your precious goods. Prioritizing that news landscape and rolling out a timely response is also critical to a solid recipe for security. While it is not realistic to expect security architects to have that kind of response time, if you are ignoring IT security news, you might need those backups you have been diligently maintaining, or worse. Building a solid incoming information pipeline requires an analysis of the IT security news landscape. The most fundamental elements of this landscape include threat advisories and guidelines, updates to best practices and standardization recommendations, and changing legal requirements if they apply to your organizational assets. Threat analysis reports and newly released Common Vulnerabilities and Exposures details (CVEs) are critical secondary elements that relay more detailed information about vulnerabilities affecting specific software. …


What is USPTO Global Dossier?

The USPTO Global Dossier is a portal for accessing application data from the “IP5” global patent offices.

Global Dossier functions include:
Streamlined applications to multiple international patent offices.
Streamlined application data access from multiple international offices.

Global Dossier integrates with the “IP5” (USPTO, EPO, JPO, KIPO, SIPO) and WIPO. The IP5 is comprised of the U.S. Department of Commerce’s United States Patent and Trademark Office (USPTO), the European Patent Office (EPO), the Japan Patent Office (JPO), the Korean Intellectual Property Office (KIPO), and the State Intellectual Property Office of the People’s Republic of China (SIPO).

Allow applicants to file a patent application to global patent offices through a single portal.
Reduce redundant processes associated with global cross-filing.
Monitor application process across all offices in a single portal.
Online access to documents and legal action history of applications.
Search global patent families.

Watch the demo below on how to access the…


How to Install Canvas LMS on Ubuntu 18.04


Getting Canvas LMS Pre-installed

If you want to skip the installation of Canvas LMS and purchase a VPS with Canvas already installed, or alternatively, have a secure instance of Canvas LMS hosted on your own domain, please contact me by email (joseph@ripplesoftware) or via the contact page for more details. The full instructions for installing Canvas LMS on your own Ubuntu 18.04 server are below.

Installing Canvas LMS on Ubuntu 18.04

8GB of RAM is recommended for a server running Canvas LMS. However, it is possible that you can install and run Canvas LMS on a server with only 4GB or less. This installation was done on a Digital Ocean Ubuntu 18.04 VPS. Be sure to point your domain’s name servers at your correct cloud host and edit your DNS records so that your domain is pointed at your server before you begin. You can check using the nslookup command as shown below….


Update PHP 7.x to 7.4 CentOS 7 Remi Repo

WordPress 5.4 has been reminding admins to update PHP to 7.4. Even if you are on PHP 7.1 you will receive the message in your dashboard. Here are the instructions to upgrade from PHP 7.1 Remi Repo on CentOS 7.

READ FIRST — IMPORTANT !!! Get a complete backup snapshot of your server before you complete these update steps.

1. First thing you should do is do any core OS updates and package updates.

# yum update -y

2. Check which version of PHP you are currently running.

# php -v
PHP 7.1.33 (cli) (built: Oct 26 2019 10:16:23) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies

3. Print a list to see all the PHP packages you have installed. You will need to replace all these packages in PHP 7.4. You should copy this list to a file…


Building a crypto-currency POS with an API.


I’ve recently been working on a project to create a crypto-currency wallet and API for POS transactions. I won’t tell you which crypto-currency I’m working on publicly, but if you want to hire me for helping you to create a POS system, blockchain parser, or API, please let me know. First off, I had to choose between two packages: Node.js driven bitcoin-insight-api, and python scripted bitcoin-abe. Both are available on GitHub.

https://github.com/bitcoin-abe/bitcoin-abe
https://github.com/bitpay/insight-api

Although it seems that node.js is increasing in popularity every day, and python is looked down on by some for its high-level syntax, I eventually decided to use bitcoin-abe for the time being with hopes of eventually modifying the insight app. My reasoning is as follows: insight is dependent on bitcore.js. Right now there is not much documentation out there on modifying bitcore to work with alt-coins. Their documentation even advises that the package is still in development…


Although I’m new to security encryption techniques and do not have worlds of experience or experience under my belt, I’m constantly learning more. I’m also a regular listener of the podcast Security Now with Steve Gibson on the TWIT network. Last week, the podcast was Steve’s presentation of SQRL (pronounced “squirrel”), which attempts to solve security, privacy and usability issues regarding the age-old computing paradigm of username / password account security. To a large degree it seems that Steve’s proposal takes from the SSH paradigm used for secure logging into remote servers; namely an asymmetrical key pair. Not only does this allow the user to avoid remembering a laundry list of usernames and passwords that need to be periodically changed for optimal security, but it also improves user privacy by allowing some information about the user such as email address to be excluded from the requirements for a user account. Understandably,…
