YES24 security incident news coverage:

http://www.yonhapnews.co.kr/bulletin/2016/04/04/0200000000AKR20160404181900005.HTML

Interpark security incident news coverage:

http://www.itworld.co.kr/news/100473

오픈이지 제로킴 (OpenEG Zero Kim), secure coding training/consulting specialist group

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014


Manufacturer IoT Security Guidance

(DRAFT)


The goal of this section is to help manufacturers build more secure products in the Internet of Things space. The guidance below is at a basic level, giving builders of products a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.

Category / IoT Security Consideration
I1: Insecure Web Interface
  • Ensure that any web interface in the product disallows weak passwords
  • Ensure that any web interface in the product has an account lockout mechanism
  • Ensure that any web interface in the product has been tested for XSS, SQLi and CSRF vulnerabilities
  • Ensure that any web interface has the ability to use HTTPS to protect transmitted information
  • Include web application firewalls to protect any web interfaces
  • Ensure that any web interface allows the owner to change the default username and password
I2: Insufficient Authentication/Authorization
  • Ensure that any access requiring authentication requires strong passwords
  • Ensure that user roles can be properly segregated in multi-user environments
  • Implement two-factor authentication where possible
  • Ensure password recovery mechanisms are secure
  • Ensure that users have the option to require strong passwords
  • Ensure that users have the option to force password expiration after a specific period
  • Ensure that users have the option to change the default username and password
I3: Insecure Network Services
  • Ensure all devices operate with a minimal number of network ports active
  • Ensure devices do not expose network ports and/or services to the internet, for example via UPnP
  • Review all required network services for vulnerabilities such as buffer overflows or denial of service
I4: Lack of Transport Encryption
  • Ensure all communication between system components is encrypted as well as encrypting traffic between the system or device and the internet
  • Use recommended and accepted encryption practices and avoid proprietary protocols
  • Ensure SSL/TLS implementations are up to date and properly configured
  • Consider making a firewall option available for the product
I5: Privacy Concerns
  • Ensure only the minimal amount of personal information is collected from consumers
  • Ensure all collected personal data is properly protected using encryption at rest and in transit
  • Ensure only authorized individuals have access to collected personal information
  • Ensure only less sensitive data is collected
  • Ensure data is de-identified or anonymized
  • Ensure a data retention policy is in place
  • Ensure end-users are given a choice for data collected beyond what is needed for proper operation of the device
I6: Insecure Cloud Interface
  • Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
  • Ensure that any cloud-based web interface disallows weak passwords
  • Ensure that any cloud-based web interface has an account lockout mechanism
  • Implement two-factor authentication for cloud-based web interfaces
  • Ensure that all cloud interfaces use transport encryption
  • Ensure that any cloud-based web interface has been tested for XSS, SQLi and CSRF vulnerabilities
  • Ensure that users have the option to require strong passwords
  • Ensure that users have the option to force password expiration after a specific period
  • Ensure that users have the option to change the default username and password
I7: Insecure Mobile Interface
  • Ensure that any mobile application disallows weak passwords
  • Ensure that any mobile application has an account lockout mechanism
  • Implement two-factor authentication for mobile applications (e.g. Apple's Touch ID)
  • Ensure that any mobile application uses transport encryption
  • Ensure that users have the option to require strong passwords
  • Ensure that users have the option to force password expiration after a specific period
  • Ensure that users have the option to change the default username and password
I8: Insufficient Security Configurability
  • Ensure password security options are made available (e.g. Enabling 20 character passwords or enabling two-factor authentication)
  • Ensure encryption options are made available (e.g. Enabling AES-256 where AES-128 is the default setting)
  • Ensure secure logging is available for security events
  • Ensure alerts and notifications are available to the user for security events
I9: Insecure Software/Firmware
  • Ensure all system devices have update capability and can be updated quickly when vulnerabilities are discovered
  • Ensure update files are encrypted and that the files are also transmitted using encryption
  • Ensure that update files are signed and then validated by the device before installing
  • Ensure update servers are secure
  • Ensure the product has the ability to implement scheduled updates
I10: Poor Physical Security
  • Ensure the device is produced with a minimal number of physical external ports (e.g. USB ports)
  • Ensure the firmware or operating system cannot be accessed via unintended methods such as through an unnecessary USB port
  • Ensure the product is tamper resistant
  • Ensure the product has the ability to limit administrative capabilities in some fashion, possibly by only connecting locally for admin functions
  • Ensure the product has the ability to disable external ports such as USB

General Recommendations

Consider the following recommendation for all Internet of Things products:

  • Avoid the potential for persistent vulnerabilities in devices that have no update capability by ensuring that all devices and systems are built with the ability to be updated when vulnerabilities are discovered
  • Rebranded devices used as part of a system should be properly configured so that unnecessary or unintended services do not remain active after the rebranding

[ NOTE: Given the fact that each deployment and every environment is different, it is important to weigh the pros and cons of implementing the advice above before taking each step. ]


Developer IoT Security Guidance

(DRAFT)

The goal of this section is to help developers build more secure applications in the Internet of Things space. The guidance below is at a basic level, giving developers of applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product. Strongly consider using a Secure IoT Framework in order to proactively address many of the concerns listed below.

Category / IoT Security Consideration / Recommendations
I1: Insecure Web Interface
  • Ensure that any web interface coding is written to prevent the use of weak passwords
  • Ensure that any web interface coding is written to include an account lockout mechanism
  • Ensure that any web interface coding has been tested for XSS, SQLi and CSRF vulnerabilities
  • Ensure that any web interface has the ability to use HTTPS to protect transmitted information
  • Ensure that any web interface coding is written to allow the owner to change the username and password
  • Consider the use of web application firewalls to protect any web interfaces

When building a web interface consider implementing lessons learned from web application security. Employ a framework that utilizes security controls to ensure that vulnerabilities are mitigated in code. Be sure to plan for eventual upgrades or security fixes to the framework as well. If you use optional plugins to the framework be sure to review them for security.

Deploy and protect the web interface in the same way you would any web application. Utilize encrypted transport protocols if possible, being sure to validate certificates. Limit access in whatever ways possible. Assume users will not change configuration so deploy in a secure manner with strong credentials already in place.

I2: Insufficient Authentication/Authorization
  • Ensure that applications are written to require strong passwords where authentication is needed
  • Ensure the application takes into account multi-user environments and includes functionality for role separation
  • Implement two-factor authentication where possible
  • Ensure password recovery mechanisms are written to function in a secure manner
  • Ensure that applications are written to include the option to require strong passwords
  • Ensure that applications are written to include the option to force password expiration after a specific period
  • Ensure that applications are written to include the option to change the default username and password

Refer to the OWASP Authentication Cheat Sheet

I3: Insecure Network Services
  • Ensure applications that use network services handle buffer overflow, fuzzing and denial-of-service attacks without failing unsafely
  • Ensure application test ports are taken out of service before going to production

Try to utilize tested, proven, networking stacks and interfaces that handle exceptions gracefully. Be sure that any test or maintenance interfaces are disabled or properly protected. Avoid exposing unauthenticated protocols (such as TFTP) or unencrypted channels (such as telnet) if possible. Consider the attack surface that device network services present. Turn off unnecessary services and deploy measures to protect required services, detect malicious activity, and react to an attack with measures such as lock-outs or temporary firewall rules.

I4: Lack of Transport Encryption
  • Ensure all applications are written to make use of encrypted communication between devices and between devices and the internet
  • Use recommended and accepted encryption practices and avoid proprietary protocols
  • Consider making a firewall option available for the application

Utilize encrypted protocols wherever possible to protect all data in transit. Where protocol encryption is not possible consider encrypting data before transfer.

I5: Privacy Concerns
  • Ensure only the minimal amount of personal information is collected from consumers
  • Ensure all collected personal data is properly protected using encryption at rest and in transit
  • Ensure data is de-identified or anonymized
  • Ensure end-users are given a choice for data collected beyond what is needed for proper operation of the device

Data can present unintended privacy concerns when aggregated. As a rule collect the minimal amount of data possible. Consult with data scientists, legal and compliance teams to determine risk of data collection and storage. Consider implications of consent and the fact that IoT devices may not present an interface for collecting consent and may passively collect data about people other than owners and operators. IoT may collect information about individuals who cannot provide consent (such as minors) and data collection should be modified accordingly.

I6: Insecure Cloud Interface
  • Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
  • Ensure that any cloud-based web interface coding is written to disallow weak passwords
  • Ensure that any cloud-based web interface coding is written to include an account lockout mechanism
  • Implement two-factor authentication for cloud-based web interfaces
  • Ensure that any cloud interface coding has been tested for XSS, SQLi and CSRF vulnerabilities
  • Ensure that all cloud interfaces use transport encryption
  • Ensure that cloud interfaces are written to include the option to require strong passwords
  • Ensure that cloud interfaces are written to include the option to force password expiration after a specific period
  • Ensure that cloud interfaces are written to include the option to change the default username and password

Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms. Consult the OWASP Cloud Top 10 Security Risks documents.

I7: Insecure Mobile Interface
  • Ensure that any mobile application coding is written to disallow weak passwords
  • Ensure that any mobile application coding is written to include an account lockout mechanism
  • Implement two-factor authentication for mobile applications (e.g. Apple's Touch ID)
  • Ensure that any mobile application uses transport encryption
  • Ensure that mobile interfaces are written to include the option to require strong passwords
  • Ensure that mobile interfaces are written to include the option to force password expiration after a specific period
  • Ensure that mobile interfaces are written to include the option to change the default username and password
  • Ensure that mobile interfaces only collect the minimum amount of personal information needed

Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile Project for further guidance.

I8: Insufficient Security Configurability
  • Ensure applications are written to include password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication)
  • Ensure applications are written to include encryption options (e.g. Enabling AES-256 where AES-128 is the default setting)
  • Ensure all applications are written to produce logs for security events
  • Ensure all applications are written to produce alerts and notifications to the user for security events

Security can be a value proposition. Design should take into consideration a sliding scale of security requirements. Architect projects with secure defaults and allow consumers to select options to be enabled or disabled. IoT design should be forward compatible with respect to security: as new cipher suites and new security technologies become widely available, IoT design should be able to adopt them.

Remember the security lifecycle of protect, detect, and react. Design systems to allow for the detection of malicious activity as well as self-defending capabilities and a reaction plan should a compromise be detected. Design all stages of the lifecycle to be evolutionary so improvements can be added to a system or device in future releases, updates, or patches.

I9: Insecure Software/Firmware
  • Ensure all applications are written to include update capability and can be updated quickly when vulnerabilities are discovered
  • Ensure all applications are written to process encrypted update files and that the files are transmitted using encryption
  • Ensure all applications are written to process signed files and then validate that file before installation

Many IoT deployments are brownfield (i.e. applied over existing infrastructure), have an extremely long deployment cycle, or both. To maintain the security of devices over time it is critical to plan for patches and updates.

Confidentiality, Integrity, and Availability (CIA) are primary concerns when providing binaries and updates to edge devices. Encrypt updates before distribution, providing decryption keys along with download instructions to authorized devices. Updates should have cryptographic signatures using public key cryptography that can be verified by devices. A cryptographic signature allows for distribution of updates over untrusted channels, such as Content Delivery Network (CDN), peer-to-peer, or machine to machine (M2M).

Devices should always validate cryptographic certificates and discard updates that are not properly delivered or signed. If unencrypted updates are utilized be sure that a cryptographic hash of the update is provided over an encrypted channel so the device can detect tampering.

Provide a mechanism for issuing, updating and revoking cryptographic keys as well. Key management and lifecycle should be taken into consideration prior to deployment. This includes the SSL trust store, or root trust, on a device, which may have to be modified over the lifespan of the device.
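As an added example (not part of the OWASP text or of any project's code), the update check described above, serving both the I9 items in the manufacturer list and the signing description here: an Ed25519-signed manifest carrying the payload's SHA-256, verified on the device against a trust store with revocable key IDs. It goes one step beyond the text by also refusing downgrades; the product name, key IDs and firmware bytes are constructed placeholders, and encryption of the update payload is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed part of an update. It binds the payload hash to a product and
// version, so the payload can travel over an untrusted channel (CDN, peer-to-peer, M2M).
type Manifest struct {
	Product    string `json:"product"`
	Version    uint32 `json:"version"`
	KeyID      string `json:"key_id"`         // which signing key was used
	PayloadSHA string `json:"payload_sha256"` // hex SHA-256 of Payload
}

type Update struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

// TrustStore is the device's root of trust: public keys by ID plus revoked IDs.
// Rotation ships a new ID in a signed update and later revokes the old one.
type TrustStore struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

func NewTrustStore(keyID string, pub ed25519.PublicKey) *TrustStore {
	return &TrustStore{Keys: map[string]ed25519.PublicKey{keyID: pub}, Revoked: map[string]bool{}}
}

var (
	ErrUnknownKey   = errors.New("manifest signed with an unknown key")
	ErrRevokedKey   = errors.New("manifest signed with a revoked key")
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrPayloadHash  = errors.New("payload hash does not match manifest")
	ErrWrongProduct = errors.New("update is for a different product")
	ErrRollback     = errors.New("update is not newer than the installed version")
)

// Verify runs on the device before anything is written to flash. Every check fails closed.
func Verify(ts *TrustStore, u Update, product string, installed uint32) (*Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, err
	}
	pk, ok := ts.Keys[m.KeyID]
	if !ok {
		return nil, ErrUnknownKey
	}
	if ts.Revoked[m.KeyID] {
		return nil, ErrRevokedKey
	}
	if !ed25519.Verify(pk, u.ManifestJSON, u.Signature) { // signature covers the exact bytes
		return nil, ErrBadSignature
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return nil, ErrPayloadHash
	}
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	if m.Version <= installed { // anti-rollback: a known-vulnerable old build cannot be reinstalled
		return nil, ErrRollback
	}
	return &m, nil
}

// Sign is the build-server side: hash the payload, describe it in a manifest, sign the manifest.
func Sign(priv ed25519.PrivateKey, keyID, product string, version uint32, payload []byte) (Update, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Product: product, Version: version, KeyID: keyID, PayloadSHA: hex.EncodeToString(sum[:])}
	b, err := json.Marshal(&m)
	if err != nil {
		return Update{}, err
	}
	return Update{ManifestJSON: b, Signature: ed25519.Sign(priv, b), Payload: payload}, nil
}

// GenerateSigningKey is for the demo only; production signing keys live in an HSM or offline.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func main() {
	pub, priv, _ := GenerateSigningKey()
	ts := NewTrustStore("fw-key-1", pub) // constructed key ID
	u, _ := Sign(priv, "fw-key-1", "sensor-x1", 7, []byte("constructed firmware image bytes"))
	m, err := Verify(ts, u, "sensor-x1", 6)
	fmt.Println("genuine update accepted:", err == nil && m.Version == 7)
}
```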

I10: Poor Physical Security
  • Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device
  • Ensure all applications can not be accessed via unintended methods such as through an unnecessary USB port
  • Ensure all applications are written to allow for disabling of unused physical ports such as USB
  • Consider writing applications to limit administrative capabilities to a local interface only

Plan on having IoT edge devices fall into malicious hands. Utilize whatever physical security protections are available. Disable any testing or debugging interfaces, and utilize Hardware Security Modules (HSMs), cryptographic co-processors, and Trusted Platform Modules (TPMs) wherever possible.

Consider the implications of a compromised device. Do not share credentials, application or cryptographic keys across multiple devices to limit the scope of damage due to a physical compromise.

Plan for the transfer of ownership of devices and ensure that data is not transferable along with the ownership.

General Recommendations

Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):

  • Avoid potential Account Harvesting issues by:
    • Ensuring valid user accounts can't be identified by interface error messages
    • Ensuring strong passwords are required by users
    • Implementing account lockout after 3 - 5 failed login attempts
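Added example, not from the OWASP page: a login routine that implements the Account Harvesting items above together with the strong-password and lockout items under I1 and I2. The lockout length, the 12-character minimum and the in-memory password store (a stand-in for a real argon2id/bcrypt hash) are assumptions.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"log"
	"sync"
	"time"
	"unicode"
)

// One error for every failure (unknown user, wrong password, locked account), so the form never reveals which usernames exist.
var ErrLoginFailed = errors.New("invalid username or password")

const (
	maxFailures    = 5                // lock after 3-5 failures, as recommended above
	lockoutPeriod  = 15 * time.Minute // assumed lockout length
	minPasswordLen = 12               // assumed strong-password floor
)

type account struct {
	secret      []byte // constructed stand-in: a real service stores an argon2id/bcrypt hash here
	failures    int
	lockedUntil time.Time
}

// Authenticator keeps accounts in memory; now() is injectable so lockout expiry can be tested.
type Authenticator struct {
	mu       sync.Mutex
	accounts map[string]*account
	now      func() time.Time
}

func NewAuthenticator(now func() time.Time) *Authenticator {
	return &Authenticator{accounts: map[string]*account{}, now: now}
}

// CheckPasswordStrength requires a minimum length and at least three of four character classes.
func CheckPasswordStrength(pw string) error {
	if len(pw) < minPasswordLen {
		return errors.New("password must be at least 12 characters")
	}
	classes := map[string]bool{}
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			classes["lower"] = true
		case unicode.IsUpper(r):
			classes["upper"] = true
		case unicode.IsDigit(r):
			classes["digit"] = true
		default:
			classes["symbol"] = true
		}
	}
	if len(classes) < 3 {
		return errors.New("password must mix at least three of: lower case, upper case, digits, symbols")
	}
	return nil
}

// Register refuses weak passwords up front (the "disallow weak passwords" items under I1/I2).
func (a *Authenticator) Register(user, password string) error {
	if err := CheckPasswordStrength(password); err != nil {
		return err
	}
	a.mu.Lock()
	defer a.mu.Unlock()
	a.accounts[user] = &account{secret: []byte(password)}
	return nil
}

// decoy gives the unknown-user path the same comparison work, so timing does not reveal accounts.
var decoy = []byte("decoy-secret-of-typical-length")

func (a *Authenticator) Login(user, password string) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	acct, ok := a.accounts[user]
	if !ok {
		subtle.ConstantTimeCompare(decoy, []byte(password))
		return ErrLoginFailed
	}
	if a.now().Before(acct.lockedUntil) {
		return ErrLoginFailed // locked: same message, no hint to the caller
	}
	if subtle.ConstantTimeCompare(acct.secret, []byte(password)) != 1 {
		acct.failures++
		if acct.failures >= maxFailures {
			acct.lockedUntil = a.now().Add(lockoutPeriod)
			acct.failures = 0
			// Server-side security event (the I8 logging/alerting items); nothing goes to the client.
			log.Printf("account %q locked until %s", user, acct.lockedUntil.Format(time.RFC3339))
		}
		return ErrLoginFailed
	}
	acct.failures = 0
	return nil
}
```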

[ NOTE: Given the fact that each deployment and every environment is different, it is important to weigh the pros and cons of implementing the advice above before taking each step. ]

Consumer IoT Security Guidance

(DRAFT)

The goal of this section is to help consumers purchase secure products in the Internet of Things space. The guidance below is at a basic level, giving consumers a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly aid the consumer in purchasing a secure IoT product.

Category / IoT Security Consideration
I1: Insecure Web Interface
  • If your system has the option to use HTTPS, ensure it is enabled
  • If your system has a two factor authentication option, ensure that it is enabled
  • If your system has a web application firewall option, ensure that it is enabled
  • If your system has a local or cloud-based web application, ensure that you change the default password to a strong one and if possible change the default username as well
  • If the system has account lockout functionality, ensure that it is enabled
  • Consider employing network segmentation technologies such as firewalls to isolate IoT systems from critical IT systems
I2: Insufficient Authentication/Authorization
  • If your system has a local or cloud-based web application, ensure that you change the default password to a strong one and if possible change the default username as well
  • If the system has account lockout functionality, ensure that it is enabled
  • If the system has the option to require strong passwords, ensure that is enabled
  • If the system has the option to require new passwords after 90 days for example, ensure that is enabled
  • If your system has a two factor authentication option, ensure that it is enabled
  • If your system has the option to set user privileges, consider setting user privileges to the minimal needed for operation
  • Consider employing network segmentation technologies such as firewalls to isolate IoT systems from critical IT systems
I3: Insecure Network Services
  • If your system has a firewall option available, enable it and ensure that it can only be accessed from your client systems
  • Consider employing network segmentation technologies such as firewalls to isolate IoT systems from critical IT systems
I4: Lack of Transport Encryption
  • If your system has the option to use HTTPS, ensure it is enabled
I5: Privacy Concerns
  • Do not enter sensitive information into the system that is not absolutely required, e.g. address, date of birth, credit card number, etc.
  • Deny data collection if it appears to be beyond what is needed for proper operation of the device (If provided the choice)
I6: Insecure Cloud Interface
  • If your system has the option to use HTTPS, ensure it is enabled
  • If your system has a two factor authentication option, ensure that it is enabled
  • If your system has a web application firewall option, ensure that it is enabled
  • If your system has a local or cloud-based web application, ensure that you change the default password to a strong one and if possible change the default username as well
  • If the system has account lockout functionality, ensure that it is enabled
  • If the system has the option to require strong passwords, ensure that is enabled
  • If the system has the option to require new passwords after 90 days for example, ensure that is enabled
I7: Insecure Mobile Interface
  • If the mobile application has the option to require a PIN or password, consider using it for extra security (on client and server)
  • If the mobile application has the option to use two-factor authentication such as Apple's Touch ID, ensure it is enabled
  • If the system has account lockout functionality, ensure that it is enabled
  • If the system has the option to require strong passwords, ensure that is enabled
  • If the system has the option to require new passwords after 90 days for example, ensure that is enabled
  • Do not enter sensitive information into the mobile application that is not absolutely required, e.g. address, date of birth, credit card number, etc.
I8: Insufficient Security Configurability
  • If your system has the option, enable any logging functionality for security-related events
  • If your system has the option, enable any alert and notification functionality for security-related events
  • If your system has security options for passwords, ensure they are enabled for strong passwords
  • If your system has security options for encryption, ensure they are set for an accepted standard such as AES-256
I9: Insecure Software/Firmware
  • If your system has the option to verify updates, ensure it is enabled
  • If your system has the option to download updates securely, ensure it is enabled
  • If your system has the ability to schedule updates on a regular cadence, consider enabling it
I10: Poor Physical Security
  • If your system has the ability to limit administrative capabilities, possibly to local connections only, consider enabling that feature
  • Disable any unused physical ports through the administrative interface

General Recommendations

If you are looking to purchase a device or system, consider the following recommendations:

  • Include security in feature considerations when evaluating a product
  • Place Internet of Things devices on a separate network if possible using a firewall

[ NOTE: Given the fact that each deployment and every environment is different, it is important to weigh the pros and cons of implementing the advice above before taking each step. ]


HTTPS and SSL certificates

2015.08.27 07:59

SSO

2015.08.25 23:55

Auction (옥션) hacking case

2015.07.09 01:01

KT website hacking case

2015.07.09 00:49

Web security protocol HSTS approved as a Proposed Standard (2012.10.05)

The web security protocol HSTS (HTTP Strict Transport Security) has been approved as a Proposed Standard by the IETF.

※ The IETF (Internet Engineering Task Force) is the international Internet standards body that defines the standards for the protocols that run the Internet.

The web security protocol HSTS was approved as a Proposed Standard by the IETF's steering group.

  • HSTS is a protocol proposed to prevent HTTP session hijacking
    ※ draft-ietf-websec-strict-transport-sec-14
  • It is a measure to improve security: a web site is always accessed over a secure connection
    ※ The web security protocol was proposed to protect Internet users from hijacking through unencrypted web sites

The HSTS policy description in the Internet-Draft defines a mechanism by which a web site can declare that it may only be accessed over secure connections.

  • Its main sections cover use cases, the effects of the HSTS policy, the threat model, requirements, conformance requirements and the HSTS mechanism

A browser that follows the policy automatically switches from the insecure link to the secure one, so the user does not have to remember to type "https" when entering the URL.

Examples of sites and services that already support HSTS are PayPal, Blogspot, Etsy and the Chrome, Firefox 4 and Opera 12 web browsers.

※ Examples of sites and services that do not yet support HSTS are Microsoft's Internet Explorer and Apple's Safari.

This shows that standardization work on security for the web browsers most Internet users rely on is under way.

 

[Sources]

1. http://news.cnet.com/8301-1009_3-57524915-83/web-security-protocol-hsts-wins-proposed-standard-status

2. http://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/?include_text=1

Written by: Incident Prevention Division, R&D Team

Source: https://www.krcert.or.kr/kor/data/TrendView.jsp?p_bulletin_writing_sequence=1411



Understanding and designing REST APIs - #1 Introduction to the concepts   http://bcho.tistory.com/953

Understanding and designing REST APIs - #2 API design guide   http://bcho.tistory.com/954

Understanding and designing REST APIs - #3 API security   http://bcho.tistory.com/955

Collection of REST API authentication methods using HMAC   http://bcho.tistory.com/725


X-Frame-Options

Prevents your page from being loaded inside a frame, which blocks clickjacking.

X-Frame-Options: DENY (the page may never be placed in a frame)

X-Frame-Options: SAMEORIGIN (allowed only when the framing page has the same origin)

X-Frame-Options: ALLOW-FROM http://some-domain.com (allowed only from the specified origin)

Sometimes someone buys a domain similar to yours, serves no content of their own but embeds your site in a full-size frame, draws in a large number of visitors, and then suddenly changes what is displayed. Preventing your page from being placed in a frame stops this.

X-Content-Type-Options

This header prevents the trick of uploading a JavaScript file with a .jpg extension to get past upload filtering and then referencing it as the src of a script tag. With this header set, the browser refuses to use a resource in a way that differs from its declared MIME type. It is enabled with the value nosniff.


List of useful HTTP headers

From OWASP

This page lists useful security-related HTTP headers. In most architectures these headers can be set in the web server configuration (Apache, IIS, nginx) without changing the application's code. This offers a significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.

Header name: Public Key Pinning Extension for HTTP
Description: The Public Key Pinning Extension for HTTP (HPKP) is a security header that tells a web client to associate a specific cryptographic public key with a certain web server to prevent MITM attacks with forged certificates.
Example: Public-Key-Pins: pin-sha256="<sha256>"; pin-sha256="<sha256>"; max-age=15768000; includeSubDomains

Header name: Strict-Transport-Security
Description: HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces the impact of bugs in web applications leaking session data through cookies and external links and defends against man-in-the-middle attacks. HSTS also removes the ability for users to ignore SSL negotiation warnings.
Example: Strict-Transport-Security: max-age=16070400; includeSubDomains

Header name: X-Frame-Options, Frame-Options
Description: Provides clickjacking protection. Values: deny - no rendering within a frame; sameorigin - no rendering if origin mismatch; allow-from: DOMAIN - allow rendering if framed by a frame loaded from DOMAIN.
Example: X-Frame-Options: deny

Header name: X-XSS-Protection
Description: This header enables the cross-site scripting (XSS) filter built into most recent web browsers. It is usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+ and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4; it is unknown whether that version honored this header.
Example: X-XSS-Protection: 1; mode=block

Header name: X-Content-Type-Options
Description: The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. This reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
Example: X-Content-Type-Options: nosniff

Header name: Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
Description: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has a significant impact on the way the browser renders pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections.
Example: Content-Security-Policy: default-src 'self'

Header name: Content-Security-Policy-Report-Only
Description: Like Content-Security-Policy, but only reports. Useful during implementation, tuning and testing efforts.
Example: Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://loghost.example.com/reports.jsp
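Added example (not from OWASP or this blog): a Go middleware that sets the headers from this list, including the X-Frame-Options and X-Content-Type-Options values discussed above, beside an audit function that reports missing or weak values on any response. The HSTS max-age threshold is an assumed value.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// minHSTSMaxAge is an assumed audit threshold (180 days); the OWASP example
// value of 16070400 seconds passes it.
const minHSTSMaxAge = 15552000

// SecurityHeaders sets the headers from the list above on every response,
// using the OWASP example values and a same-origin-only CSP.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Strict-Transport-Security", "max-age=16070400; includeSubDomains")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		// Legacy: current browsers have removed the XSS filter, so this only helps old clients.
		h.Set("X-XSS-Protection", "1; mode=block")
		h.Set("Content-Security-Policy", "default-src 'self'")
		next.ServeHTTP(w, r)
	})
}

// hstsOK parses the directives and requires a sufficiently long max-age.
func hstsOK(v string) bool {
	for _, d := range strings.Split(v, ";") {
		d = strings.ToLower(strings.TrimSpace(d))
		if strings.HasPrefix(d, "max-age=") {
			age, err := strconv.Atoi(strings.TrimPrefix(d, "max-age="))
			return err == nil && age >= minHSTSMaxAge
		}
	}
	return false // without max-age the header is ignored by browsers
}

// frameOptionsOK accepts DENY or SAMEORIGIN only: ALLOW-FROM is not honoured
// by current browsers, so that case belongs in CSP frame-ancestors instead.
func frameOptionsOK(v string) bool {
	u := strings.ToUpper(strings.TrimSpace(v))
	return u == "DENY" || u == "SAMEORIGIN"
}

// cspOK rejects policies that re-enable inline script or eval.
func cspOK(v string) bool {
	return !strings.Contains(v, "'unsafe-inline'") && !strings.Contains(v, "'unsafe-eval'")
}

// AuditHeaders returns one finding per missing or weak header, in a fixed order.
func AuditHeaders(h http.Header) []string {
	var findings []string
	check := func(name, want string, ok func(string) bool) {
		v := h.Get(name)
		switch {
		case v == "":
			findings = append(findings, fmt.Sprintf("%s: missing (expected e.g. %q)", name, want))
		case !ok(v):
			findings = append(findings, fmt.Sprintf("%s: weak value %q (expected e.g. %q)", name, v, want))
		}
	}
	check("Strict-Transport-Security", "max-age=16070400; includeSubDomains", hstsOK)
	check("X-Frame-Options", "DENY", frameOptionsOK)
	check("X-Content-Type-Options", "nosniff", func(v string) bool { return strings.EqualFold(strings.TrimSpace(v), "nosniff") })
	check("Content-Security-Policy", "default-src 'self'", cspOK)
	return findings
}

// AuditHandler sends one in-memory request and audits the response headers;
// AuditHeaders can equally be given a real http.Response.Header.
func AuditHandler(h http.Handler) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return AuditHeaders(rec.Result().Header)
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "hello") })
	fmt.Println("without middleware:", AuditHandler(app))
	fmt.Println("with middleware:", AuditHandler(SecurityHeaders(app)))
}
```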


Ordinary users can also strengthen the security of their own environment through the security settings of the browser they use.

Chrome includes features that protect the user and the computer from the web sites they visit. It uses technologies such as Safe Browsing, sandboxing and automatic updates to protect users from phishing and malware attacks.

(1) Safe Browsing
When you visit a site suspected of containing malware or phishing, a warning message is displayed, such as "The website ahead contains malware.", "Danger: malware ahead", "Reported phishing website ahead" or "The site ahead contains harmful programs."

Disabling the phishing and malware warnings
Chrome menu > Settings > Show advanced settings > under "Privacy", clear the "Enable phishing and malware protection" checkbox

<Reference> What is malware?

Harmful or unwanted software that gets installed on a computer without the user's knowledge is called malware.

(2) Sandbox

Prevents malware from being installed on the computer automatically, and keeps what happens in one browser tab from affecting other tabs.

(3) Automatic updates

Chrome periodically checks for the latest security updates, so the newest security features and fixes are applied automatically.


• http://www.aldeid.com

http://www.morningstarsecurity.com

http://www.hackingdna.com

http://zer0byte.com/2013/03/19/kali-linux-complete-tools-list-installation-screen-shots/

http://www.monkey.org/~dugsong/fragroute/

http://www.sans.org/security-resources/idfaq/fragroute.php

http://flylib.com/books/en/3.105.1.82/1/

http://www.darknet.org.uk/2008/04/cdpsnarf-cdp-packet-sniffer/

http://mateslab.weebly.com/dnmap-the-distributed-nmap.html

http://www.tuicool.com/articles/raimMz

http://backtrackwasneversoeasy.blogspot.co.uk/2012/02/terminating-internet-of-whole-network.html

http://www.ethicalhacker.net

http://nmap.org/ncat/guide/ncat-tricks.html

http://nixgeneration.com/~jaime/netdiscover/

http://csabyblog.blogspot.co.uk

http://thehackernews.com

https://code.google.com/p/wol-e/wiki/Help

http://linux.die.net/man/1/xprobe2

http://www.digininja.org/projects/twofi.php

https://code.google.com/p/intrace/wiki/intrace

https://github.com/iSECPartners/sslyze/wiki

http://www.securitytube-tools.net/index.php@title=Braa.html

http://security.radware.com


http://www.kali.org/

http://www.backtrack-linux.org

http://www.question-defense.com

http://www.vulnerabilityassessment.co.uk/torch.htm

http://myexploit.wordpress.com/network-copy-router-config-pl-merge-router-config-pl/

http://www.securitytube.net

http://www.rutschle.net/tech/sslh.shtml

http://althing.cs.dartmouth.edu/local/www.thoughtcrime.org/ie.html

http://www.thoughtcrime.org/software/sslstrip/

http://ucsniff.sourceforge.net/ace.html

http://www.phenoelit.org/irpas/docu.html

http://www.forensicswiki.org/wiki/Tcpflow

http://linux.die.net/man/1/wireshark

http://www.nta-monitor.com/tools-resources/security-tools/ike-scan

http://www.vulnerabilityassessment.co.uk/cge.htm

http://www.yersinia.net

http://www.cqure.net/wp/tools/database/dbpwaudit/

https://code.google.com/p/hexorbase/

http://sqlmap.org/

http://sqlsus.sourceforge.net/

http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html

http://mazzoo.de/blog/2006/08/25#ohrwurm

http://securitytools.wikidot.com


https://www.owasp.org

http://www.powerfuzzer.com

http://sipsak.org/

http://resources.infosecinstitute.com/intro-to-fuzzing/

http://www.rootkit.nl/files/lynis-documentation.html

http://www.cirt.net/nikto2

http://pentestmonkey.net/tools/audit/unix-privesc-check

http://www.openvas.org

http://blindelephant.sourceforge.net/

http://code.google.com/p/plecost

http://packetstormsecurity.com/files/94305/UA-Tester-User-Agent-Tester-1.03.html

http://portswigger.net/burp/

http://sourceforge.net/projects/websploit/

http://www.edge-security.com/wfuzz.php

https://code.google.com/p/wfuzz

http://xsser.sourceforge.net/

http://www.testingsecurity.com/paros_proxy

http://www.parosproxy.org/

http://www.edge-security.com/proxystrike.php

http://www.hackingarticles.in

http://tipstrickshack.blogspot.co.uk/2012/11/how-to-use-websploit.html

http://cutycapt.sourceforge.net/

http://dirb.sourceforge.net


http://www.skullsecurity.org/

http://deblaze-tool.appspot.com

http://www.securitytube-tools.net/index.php@title=Grabber.html

http://rgaucher.info/beta/grabber/

http://howtohack.poly.edu/wiki/Padding_Oracle_Attack

http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html

https://code.google.com/p/skipfish/

http://w3af.org/

http://wapiti.sourceforge.net/

http://www.scrt.ch/en/attack/downloads/webshag

http://www.hackingdna.com/2013/01/webshag-on-backtrack-5.html

http://www.digininja.org/projects/cewl.php

http://hashcat.net

https://code.google.com/p/pyrit

http://www.securiteam.com/tools/5JP0I2KFPA.html

http://freecode.com/projects/chntpw

http://whatisgon.wordpress.com/2010/01/28/chntpw-tutorial-resetting-windows-passwords-editing-registry-linux/

http://www.cgsecurity.org/cmospwd.txt

http://adaywithtape.blogspot.co.uk/2011/05/creating-wordlists-with-crunch-v30.html

http://hashcat.net

http://ixplizit.wordpress.com/2012/04/08/hashcat-the-very-basic/

https://code.google.com/p/hash-identifier/

http://www.osix.net/modules/article/?id=455


http://cse.spsu.edu/raustin2/coursefiles/forensics/How_to_use_Volatility_v2.pdf

http://thesprawl.org/projects/pack/#maskgen

http://dev.man-online.org/man1/ophcrack-cli/

http://ophcrack.sourceforge.net/

http://manned.org

http://www.onlinehashcrack.com/how_to_crack_windows_passwords.php

http://project-rainbowcrack.com

http://www.randomstorm.com/rsmangler-security-tool.php

http://pentestn00b.wordpress.com

http://bernardodamele.blogspot.co.uk/2011/12/dump-windows-password-hashes.html

http://manpages.ubuntu.com/manpages/natty/man1/sipcrack.1.html

http://www.leidecker.info/projects/sucrack.shtml

http://santoshdudhade.blogspot.co.uk/2012/12/findmyhash-112-python-script-to-crack.html

http://www.foofus.net/jmk/medusa/medusa.html#how

http://www.irongeek.com/i.php?page=backtrack-r1-man-pages/medusa

http://nmap.org/ncrack/man.html

http://leidecker.info/projects/phrasendrescher.shtml

http://wiki.thc.org/BlueMaho

http://flylib.com/books/en/3.418.1.83/1/

http://www.hackfromacave.com

http://www.pentest.co.uk/downloads.html?cat=downloads&section=01_bluetooth

https://github.com/rezeusor/killerbee

https://code.google.com/p/nfc-tools/source/browse/trunk/mfoc/src/mfoc.c?r=977


http://nfc-tools.org

http://www.binarytides.com/hack-windows-social-engineering-toolkit-java-applet/

http://seclists.org

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8

http://recordmydesktop.sourceforge.net/manpage.php

http://www.truecrypt.org

http://keepnote.org

http://apache.org

https://github.com/simsong/AFFLIBv3

http://www.computersecuritystudent.com/FORENSICS/VOLATILITY

http://csabyblog.blogspot.co.uk/2013/01/backtrack-forensics-volafox.html

http://www.sleuthkit.org/autopsy/desc.php

http://sysforensics.org/2012/02/sleuth-kit-part-2-mmls-and-mmstat.html

http://guymager.sourceforge.net/

http://www.myfixlog.com/fix.php?fid=33

http://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html

http://www.spenneberg.org/chkrootkit-mirror/faq/

http://www.aircrack-ng.org/

https://sites.google.com/site/clickdeathsquad/Home/cds-wpacrack

http://www.willhackforsushi.com

http://www.ciscopress.com

http://openmaniak.com/kismet_platform.php

http://sid.rstack.org/static/


http://www.digininja.org

http://thesprawl.org/projects/dnschef/

http://hackingrelated.wordpress.com

http://r00tsec.blogspot.co.uk/2011/07/hacking-with-evilgrade-on-backtrack5.html

https://github.com/vecna/sniffjoke

http://tcpreplay.synfin.net

http://dallachiesa.com/code/rtpbreak/doc/rtpbreak_en.html

http://tomeko.net/other/sipp/sipp_cheatsheet.php?lang=pl

http://sipp.sourceforge.net/

https://code.google.com/p/sipvicious/wiki/GettingStarted

http://voiphopper.sourceforge.net/

http://ohdae.github.io/Intersect-2.5/#Intro

http://obscuresecurity.blogspot.co.uk/2013/03/powersploit-metasploit-shells.html

http://dev.kryo.se/iodine/wiki/HowtoSetup

http://proxychains.sourceforge.net/

http://man.cx/ptunnel(8)

http://www.sumitgupta.net/pwnat-example/

https://github.com/

http://www.dest-unreach.org/socat/doc/README

https://bechtsoudis.com/webacoo/

http://inundator.sourceforge.net/

http://vinetto.sourceforge.net/

http://www.elithecomputerguy.com/classes/hacking/



블로그 이미지

오픈이지 제로킴

시큐어코딩 교육/컨설팅 전문가 그룹

티스토리 툴바