rules
More on WordPress xmlrpc denial of service attacks
- Albert Zenkoff
- 2014-09-08
- Technology, apache, attack, conditions, denial of service, DOS, protection, rewrite, rewrite_mod, rules, service, user agent, WordPress, xmlrpc
The attacks on WordPress using xmlrpc.php service are rather common. I already mentioned that you could filter out unwanted user-agents using the redirect capability of Apache. That would, however, take care only of obvious cases, where you see that this particular user-agent could not possibly be your reader. What do we do if the user-agent ...
Read MoreSecurity Breach at Unique Vintage
- Albert Zenkoff
- 2013-09-27
- Management, breach, credit card, customer information, exposure, news, rules, security diligence, user information, web
There is news that women’s clothing website Unique Vintage has sent notifications to the customers that the site has been breached and the customer information was exposed. What is interesting is that the website is fully PCI compliant, i.e. it follows all rules for security set forth by the credit card industry. And still, it ...
Read More
Password recovery mechanisms – Part 3
- Albert Zenkoff
- 2013-05-22
- Technology, advice, captcha, Development, general, guidance, guide, password management, password recovery, passwords, rules, software, software design, user information
Passwords remain the main means of authentication on the internet. People often forget their passwords and then they have to recover their access to the website services through some kind of mechanism. We try to make that so-called “password recovery” simple and automated, of course. There are several ways to do it, all of them ...
Read MorePassword recovery mechanisms – Part 2
- Albert Zenkoff
- 2013-05-21
- Technology, authentication, Development, general, guidance, guide, password database, password management, passwords, rules, secondary channel, software design, user information
Passwords remain the main means of authentication on the internet. People often forget their passwords and then they have to recover their access to the website services through some kind of mechanism. We try to make that so-called “password recovery” simple and automated, of course. There are several ways to do it, all of them ...
Read MorePassword recovery mechanisms – Part 1
- Albert Zenkoff
- 2013-05-21
- Technology, authentication, Development, dumpster diving, general, guidance, password management, passwords, protection, rules, secret questions, security design, software design, user information
Passwords remain the main means of authentication on the internet. People often forget their passwords and then they have to recover their access to the website services through some kind of mechanism. We try to make that so-called “password recovery” simple and automated, of course. There are several ways to do it, all of them ...
Read More
Common passwords blacklist
- Albert Zenkoff
- 2013-01-09
- Technology, blacklist, brute force attack, general, Password, password database, password verification, passwords, rules, technology
Any system that implements password authentication must check whether the passwords are not too common. Every system faces the brute-force attacks that try one or another list of most common password (and usually succeed, by the way). The system must have a capability to slow down an attacker by any means available: slowing down system ...
Read MoreKeep it simple – user names
- Albert Zenkoff
- 2012-07-18
- Technology, Login, random, rules, user id, user information, user name
All right, now after the lengthy discussion on user names and ids let’s have some simple rules: Do not use sequential numbers for user ids. Do use random numbers for user ids. Do not use any scheme for user names that ties (semi-)public user information to the user name. Use user nicknames (aliases) if “natural” ...
Read MoreAbout the author
Albert Zenkoff
Managing corporate security in both technical and business sense in the context of long-term business strategy and sustainability.
For security consulting, training, certification and audit mail albert@aruberusan.com.
Share and stay updated
