Saturday, November 3, 2018

deduplication


Company BOA’s SAN is nearing capacity, and will cause costly downtimes if servers run out of disk space. Which of the following is a more cost effective alternative to buying a new SAN?

A. Enable multipath to increase integrity
B. Enable deduplication on the storage pools
C. Implement snapshots to reduce virtual disk size
D. Implement replication to offsite datacenter



Deduplication
A chunk is a collection of storage blocks. Deduplication works by analyzing files, locating the unique chunks of data that make up those files, and storing only one copy of each unique chunk on the volume. It reduces the storage consumed on the volume because, when analyzed, a substantial number of the chunks stored on a volume turn out to be identical. Rather than storing multiple copies of the same chunk, deduplication keeps a single copy and puts placeholders in the other locations that point at it.
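As an added illustration of the mechanism just described (example code written for this post, not from any storage vendor), the following Python models a content-addressed chunk store: every unique chunk is written once, and each file keeps only a list of chunk digests as placeholders. The chunk size and the VM disk contents are constructed so that the duplicate chunks are visible in a few bytes.

```python
import hashlib

# Chunk size is tiny so the constructed sample below produces visibly repeated chunks;
# production systems use chunks of several KiB to MiB.
CHUNK_SIZE = 8


def split_into_chunks(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Fixed-size chunking: each chunk stands for a run of storage blocks."""
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


class DedupVolume:
    """Content-addressed chunk store: every unique chunk is written once, and each
    file is just an ordered list of chunk digests (the placeholders pointing at it)."""

    def __init__(self) -> None:
        self.chunks = {}          # SHA-256 hex digest -> chunk bytes, stored exactly once
        self.files = {}           # file name -> list of digests (placeholders)
        self.logical_bytes = 0    # what the volume would consume without deduplication

    def write(self, name: str, data: bytes) -> int:
        """Store a file; return how many new (previously unseen) chunks had to be written."""
        new_chunks = 0
        digests = []
        for chunk in split_into_chunks(data):
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.chunks:    # first sighting: store the chunk itself
                self.chunks[digest] = chunk
                new_chunks += 1
            digests.append(digest)           # every sighting: store only the placeholder
        self.files[name] = digests
        self.logical_bytes += len(data)
        return new_chunks

    def read(self, name: str) -> bytes:
        """Rebuild a file by following its placeholders to the single stored copies."""
        return b"".join(self.chunks[d] for d in self.files[name])

    def physical_bytes(self) -> int:
        return sum(len(c) for c in self.chunks.values())

    def savings_ratio(self) -> float:
        """Fraction of logical capacity that deduplication avoided writing."""
        if self.logical_bytes == 0:
            return 0.0
        return 1 - self.physical_bytes() / self.logical_bytes


def demo() -> DedupVolume:
    """Constructed sample: two VM disks sharing a 32-byte 'OS image', plus an exact copy of one."""
    vol = DedupVolume()
    base_image = b"BOOTBLOCKOSFILESYSTEMLIBRARIES!!"        # 32 bytes -> 4 chunks
    vol.write("vm1.vmdk", base_image + b"VM1DATA!")         # 5 chunks, all new
    vol.write("vm2.vmdk", base_image + b"VM2DATA!")         # 5 chunks, only 1 new
    vol.write("vm1-copy.vmdk", base_image + b"VM1DATA!")    # 5 chunks, 0 new
    return vol


if __name__ == "__main__":
    v = demo()
    print(f"logical {v.logical_bytes} B, physical {v.physical_bytes()} B, "
          f"saved {v.savings_ratio():.0%}")
```

With the three constructed disks the volume holds 120 logical bytes in 48 physical bytes. Fixed-size chunking is the simplest scheme; variable-size (content-defined) chunking survives insertions that shift data, which is why real SAN and filesystem deduplication usually uses it.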

Session Hijacking - shijack and ettercap

shijack.tgz is available from the Packet Storm Security website.

Hijack

Poisoning the network:

ettercap -G
running in graphical mode

Sniff
Unified sniffing
eth0

Hosts
Scan for hosts

Add target 1
Add target 2

Click on Mitm
Sniff remote connections - to poison those two targets
OK

PuTTY to metasploitable2
msfadmin
msfadmin

cd /usr/share/shijack
./shijack eth0 IP port IP
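The "poisoning the network" step above is ARP poisoning of the two targets, and the same traffic that makes it work is what a defender can watch for. The following Python is an added example (not part of these notes or of either tool): it runs two checks over a log of ARP replies, a heuristic one that needs no prior knowledge, and an exact one against a trusted IP-to-MAC table such as a switch's MAC table or DHCP leases. The reply records and the known-good table are constructed.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a passive sniffer on the segment would record them:
# (seconds since capture start, sender IP, sender MAC). The last two entries are the
# constructed anomaly: one new MAC answering for both the gateway and a host, which is
# what a poisoned pair of targets looks like from the wire.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    (0.5, "192.168.1.10", "aa:aa:aa:aa:aa:10"),
    (1.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (2.0, "192.168.1.1",  "cc:cc:cc:cc:cc:99"),
    (2.1, "192.168.1.10", "cc:cc:cc:cc:cc:99"),
]

# Constructed "known good" table, e.g. exported from the switch's MAC table or DHCP leases.
KNOWN_GOOD = {
    "192.168.1.1": "aa:aa:aa:aa:aa:01",
    "192.168.1.10": "aa:aa:aa:aa:aa:10",
}


def build_maps(replies):
    """Index replies both ways: which MACs answered for each IP, which IPs each MAC claimed."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for _, ip, mac in replies:
        ip_to_macs[ip].add(mac.lower())
        mac_to_ips[mac.lower()].add(ip)
    return ip_to_macs, mac_to_ips


def detect_arp_conflicts(replies):
    """Heuristic detection with no prior knowledge of the network.

    Alerts on (a) an IP answered by more than one MAC and (b) one MAC answering for
    several IPs. (b) alone has benign causes (routers, VRRP/HSRP virtual IPs, hosts with
    address aliases), so treat it as corroborating evidence for (a), not a verdict.
    """
    ip_to_macs, mac_to_ips = build_maps(replies)
    alerts = []
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            alerts.append(("ip_claimed_by_multiple_macs", ip, tuple(sorted(macs))))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(("mac_claims_multiple_ips", mac, tuple(sorted(ips))))
    return alerts


def find_spoofed_replies(replies, known_good):
    """Precise detection when a trusted IP->MAC table exists: return every reply whose
    sender MAC contradicts the table (IPs missing from the table are ignored, not flagged)."""
    return [
        (ts, ip, mac) for ts, ip, mac in replies
        if ip in known_good and mac.lower() != known_good[ip].lower()
    ]


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print("heuristic:", alert)
    for ts, ip, mac in find_spoofed_replies(SAMPLE_ARP_REPLIES, KNOWN_GOOD):
        print(f"table mismatch at t={ts}s: {ip} answered by {mac}, expected {KNOWN_GOOD[ip]}")
```

On the sample the heuristic raises three alerts (two IPs each claimed by two MACs, one MAC claiming two IPs) and the table check pins both spoofed replies to timestamps. Dynamic ARP Inspection on the switch, or static ARP entries for the gateway on critical hosts, stops the poisoning rather than only reporting it.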


LUN Masking


The LUN masking mechanism is used to configure required security policies to present the storage LUNs to only those systems and cloud storage devices that require access via the interfaces and configuration options provided by physical storage vendors.


Two storage administrators are discussing which SAN configurations will offer the MOST confidentiality. Which of the following configurations would the administrators use? (Select TWO).

A. Deduplication
B. Zoning
C. Snapshots
D. Multipathing
E. LUN masking



LUN masking can control which LUNs are visible to each vSphere host. This is the opposite of zoning, where the storage array configuration determines which LUNs are visible to a host. This feature allows multiple vSphere hosts to be connected to a storage with multiple LUNs, while allowing only one vSphere host, which you specify, to see some particular LUNs. This feature is the same as EMC CLARiiON or VNX provide LUN masking in the storage group at the array level. You can add the host and LUNs to a storage group, and then the host will only be able to see those LUNs.

Which of the following protocols only facilitates access control?



A. XACML


Service Provisioning Markup Language (SPML) is an OASIS developed markup language designed to provide service, user, and resource provisioning between organizations. Security Assertion Markup Language (SAML) is used to exchange user authentication and authorization data. Extensible Access Control Markup Language (XACML) is used to describe access controls. 




Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.





Extensible Access Control Markup Language (XACML) is a standard for an access control policy language using Extensible Markup Language (XML). Its goal is to create an attribute-based access control system that decouples the access decision from the application or the local machine. It provides for fine-grained control of activities based on criteria including:

  • Attributes of the user requesting access (for example, all division managers in London)
  • The protocol over which the request is made (for example, HTTPS)
  • The authentication mechanism (for example, requester must be authenticated with a certificate)

XACML uses several distributed components.

Policy enforcement point (PEP): This entity protects the resource that the subject (a user or an application) is attempting to access. When it receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information.

Policy decision point (PDP): This entity retrieves all applicable policies in XACML and compares the request with the policies. It transmits an answer (access or no access) back to the PEP.

XACML is valuable because it is able to function across application types. XACML is a good solution when disparate applications that use their own authorization logic are in use in the enterprise. By leveraging XACML, developers can remove authorization logic from an application and centrally manage access using policies that can be managed or modified based on business need without making any additional changes to the applications themselves.
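To make the PEP/PDP split concrete, here is an added Python sketch (written for this post; it is not an XACML library and uses plain data structures instead of the XML policy syntax). The PEP builds a request from subject, action, resource and environment attributes and enforces whatever the PDP answers; the PDP holds the policy and applies a deny-overrides combining rule. The policy itself is constructed from the three criteria listed above: division managers in London, HTTPS, and certificate authentication.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """What the PEP hands the PDP: subject attributes, the requested action, the resource,
    and environment attributes (protocol, authentication mechanism, ...)."""
    subject: tuple        # sorted (attribute, value) pairs
    action: str
    resource: str
    environment: tuple    # sorted (attribute, value) pairs


@dataclass
class Rule:
    """One XACML-style rule: a target (attribute matches) plus an effect."""
    effect: str                                    # "Permit" or "Deny"
    subject_match: dict = field(default_factory=dict)
    env_match: dict = field(default_factory=dict)
    actions: frozenset = frozenset()               # empty = any action
    resource_prefix: str = ""                      # "" = any resource

    def applies_to(self, req: Request) -> bool:
        subj, env = dict(req.subject), dict(req.environment)
        return (all(subj.get(k) == v for k, v in self.subject_match.items())
                and all(env.get(k) == v for k, v in self.env_match.items())
                and (not self.actions or req.action in self.actions)
                and req.resource.startswith(self.resource_prefix))


class PolicyDecisionPoint:
    """Holds the policy centrally and evaluates a request against every applicable rule.
    The combining algorithm here is deny-overrides; real XACML offers several, and its
    decision set also includes Indeterminate."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req: Request) -> str:
        effects = [r.effect for r in self.rules if r.applies_to(req)]
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class PolicyEnforcementPoint:
    """Sits in front of the resource. It knows nothing about the policy: it builds the
    request from what it observes and enforces the PDP's answer (anything but Permit
    is refused)."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def access(self, subject: dict, action: str, resource: str, environment: dict):
        req = Request(tuple(sorted(subject.items())), action, resource,
                      tuple(sorted(environment.items())))
        decision = self.pdp.decide(req)
        return decision == "Permit", decision


# Constructed policy: division managers in London may read the quarterly reports, but only
# over HTTPS and only when authenticated with a certificate. The two Deny rules show why
# deny-overrides matters: a weaker channel or credential loses even if a Permit matches.
POLICY = [
    Rule("Permit",
         subject_match={"role": "division-manager", "location": "London"},
         env_match={"protocol": "HTTPS", "auth": "certificate"},
         actions=frozenset({"read"}), resource_prefix="/reports/quarterly/"),
    Rule("Deny", env_match={"protocol": "HTTP"}),
    Rule("Deny", env_match={"auth": "password"}, resource_prefix="/reports/"),
]

pep = PolicyEnforcementPoint(PolicyDecisionPoint(POLICY))

if __name__ == "__main__":
    london = {"role": "division-manager", "location": "London"}
    print(pep.access(london, "read", "/reports/quarterly/q3.pdf",
                     {"protocol": "HTTPS", "auth": "certificate"}))   # (True, 'Permit')
    print(pep.access(london, "read", "/reports/quarterly/q3.pdf",
                     {"protocol": "HTTP", "auth": "certificate"}))    # (False, 'Deny')
```

Because the PEP only forwards attributes and enforces the answer, the application code stays the same when the policy changes; that is the decoupling the paragraph above describes.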

Confidentiality of data when using SOAP

A Security Administrator has some concerns about the confidentiality of data when using SOAP. Which of the following BEST describes the Security Administrator’s concerns?

A. The SOAP header is not encrypted and allows intermediaries to view the header data. The body can be partially or completely encrypted.

Explanation
XML defines a universal format for exchanging application data. The universal XML specification alone, however, is not enough to provide developers with the infrastructure they need to create easy and elegant web services. Although XML provides an efficient format for reading and writing program data, XML alone does not provide a standard format for structuring and interpreting that data. The SOAP specification fills that role. SOAP is a standard protocol for exchanging XML-based messages that pass between the web-service client and server.
SOAP is designed to support communication between so-called SOAP nodes. (A SOAP node is basically a computer or application that supports SOAP.) The SOAP specification defines the structure of a message that passes from the SOAP sender to the SOAP receiver. Along the way, the message might pass through intermediate nodes that process the information in some way. An intermediate node might provide logging, or it might modify the message somehow in transit to its final destination.
At the conceptual level, a SOAP message from the client says, “Here is some input. Process this and send me the output.” The functionality of the application derives from a series of these XML-based SOAP messages in which the endpoints send information and receive responses. The formal structure of the SOAP message allows the software developer to easily create a SOAP-based client application that interacts with the server. For instance, a rental company that provides car rental reservations through a web-based server application could easily make the specifications available for a developer to write a custom client application that could connect to the server and reserve a car.
The structure of a SOAP message consists of an optional header and a message body. The header contains callouts, definitions, and meta-information that will be used by any node along the message path. The body includes data intended for the message recipient. For example, in the case of the car reservation service, the message body might contain data from the client describing the car the customer would like to rent and the date the vehicle must be available.
Because the SOAP Header is an optional object, you might or might not find header information serialized in a given SOAP packet. But if there is header information, all of that information must be serialized within the SOAP Header object, which must be the first (XML) child of the Envelope element. That's where you'll find it, but what is it used for?
Well, in a nutshell, the SOAP Header is used to transmit auxiliary information relevant to the Web Service processing that isn't part of the method signature. For example, imagine that you have a Web Service that specifies the toppings and crust style of the pizza that you intend to order (in C#):
OrderInfo OrderPizza(int[] toppings, int[] crust, PaymentInfo pi);
For this example, assume that the OrderInfo structure contains delivery information such as order confirmation, delivery timeline, and so on. The integer arrays contain integers that enumerate the various toppings and crusts available to you. The payment information structure contains payment data, such as a credit card number.
The Web Service, in this case, accepts your pizza order (presumably, you called another Web Service before this to establish your identity and delivery information). But it isn't a stretch to believe that there should be some sort of encryption associated with this invocation. That is, as the customer, you probably want to see at least the payment information, if not the entire packet, encrypted.
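The point of the answer above is what an intermediate node sees. As an added example (written for this post, not taken from the book cited below), the following Python builds the pizza-order message twice, once with PaymentInfo in the clear and once with it wrapped in an XML Encryption EncryptedData element, and reports what an intermediary can read from each. It also enforces the structural rule stated above that a Header, when present, must be the first child of the Envelope. The header entries, card number and CipherValue are constructed placeholders; no real encryption is performed, only the message structure is modelled.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 Envelope namespace
XENC = "http://www.w3.org/2001/04/xmlenc#"                # XML Encryption namespace
ENVELOPE, HEADER_TAG, BODY_TAG = (f"{{{SOAP_ENV}}}{n}" for n in ("Envelope", "Header", "Body"))
ENCRYPTED_DATA = f"{{{XENC}}}EncryptedData"


def envelope(header_entries: str, body_content: str) -> str:
    """Constructed builder: a SOAP 1.1 envelope with the Header as first child, then the Body."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}" xmlns:xenc="{XENC}">'
            f"<soap:Header>{header_entries}</soap:Header>"
            f"<soap:Body>{body_content}</soap:Body></soap:Envelope>")


# Constructed sample messages for the pizza order described in the text.
HEADER = "<TraceId>order-0042</TraceId><SessionToken>constructed-session-token</SessionToken>"
ORDER = "<OrderPizza><toppings>1 4</toppings><crust>2</crust>{payment}</OrderPizza>"
PAYMENT_CLEAR = "<PaymentInfo><CardNumber>0000000000000000</CardNumber></PaymentInfo>"
# The CipherValue is a placeholder, not real ciphertext; only the structure matters here.
PAYMENT_ENCRYPTED = ('<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
                     "<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>"
                     "</xenc:CipherData></xenc:EncryptedData>")

CLEARTEXT_MESSAGE = envelope(HEADER, ORDER.format(payment=PAYMENT_CLEAR))
ENCRYPTED_MESSAGE = envelope(HEADER, ORDER.format(payment=PAYMENT_ENCRYPTED))
# Malformed on purpose: Body before Header, which the specification forbids.
BODY_FIRST_MESSAGE = (f'<soap:Envelope xmlns:soap="{SOAP_ENV}">'
                      f"<soap:Body>{ORDER.format(payment='')}</soap:Body>"
                      f"<soap:Header>{HEADER}</soap:Header></soap:Envelope>")


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_envelope(xml_text: str):
    """Return (header, body); header is None when absent. Enforces the structural rules
    from the text: Envelope root, Body required, Header (if present) is the first child."""
    root = ET.fromstring(xml_text)
    if root.tag != ENVELOPE:
        raise ValueError("root element is not a SOAP 1.1 Envelope")
    children = list(root)
    header = next((c for c in children if c.tag == HEADER_TAG), None)
    body = next((c for c in children if c.tag == BODY_TAG), None)
    if body is None:
        raise ValueError("Envelope has no Body")
    if header is not None and children[0] is not header:
        raise ValueError("Header is present but is not the first child of Envelope")
    return header, body


def _walk_cleartext(element, view, sensitive):
    for child in element:
        if child.tag == ENCRYPTED_DATA:      # opaque subtree: the node sees ciphertext only
            view["encrypted_elements"] += 1
            continue
        name = local_name(child.tag)
        view["cleartext_body"].append(name)
        if name in sensitive:
            view["cleartext_sensitive"].append(name)
        _walk_cleartext(child, view, sensitive)


def intermediary_view(xml_text: str, sensitive=("PaymentInfo", "CardNumber")) -> dict:
    """What an intermediate SOAP node can read: every header entry, plus whichever body
    elements were not wrapped in xenc:EncryptedData."""
    header, body = parse_envelope(xml_text)
    view = {"header": {}, "cleartext_body": [], "encrypted_elements": 0,
            "cleartext_sensitive": []}
    if header is not None:
        view["header"] = {local_name(h.tag): (h.text or "").strip() for h in header}
    _walk_cleartext(body, view, set(sensitive))
    return view


if __name__ == "__main__":
    for label, msg in (("cleartext body", CLEARTEXT_MESSAGE),
                       ("encrypted payment", ENCRYPTED_MESSAGE)):
        print(label, "->", intermediary_view(msg))
```

In both messages the header entries (trace id, session token) are readable by every node on the path, which is exactly the administrator's concern; only the encrypted variant keeps the card number out of an intermediary's view. In practice the wrapping would be done with WS-Security (XML Encryption for the body parts, with keys the intermediaries do not hold) rather than by hand.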



  • Applied SOAP: Implementing .NET XML Web Services

  • By: Kenn Scribner; Mark Stiver
  • Publisher: Sams
  • Pub. Date: 

A new study finds potentially manipulative ads in apps for preschoolers

By Hamza Shaban October 30
Apps marketed to children 5 and younger deploy potentially manipulative tactics to deliver ads to children, raising questions about the ethics of child software design and consumer protection, according to a new study.

Researchers from the University of Michigan C.S. Mott Children’s Hospital looked at more than 100 apps, mostly from the Google Play app store, and found that nearly all of them had at least one type of ad, often interwoven into the apps’ activities and games. The apps, according to the researchers, used a variety of methods to deliver ads to children, including commercial characters, pop-up ads, in-app purchases, and, in some cases, distracting ads, hidden ads or ads that were posed as gameplay items.

The authors suggest that the deceptive and persuasive nature of the ads leaves children susceptible to them, because of their lack of mental development in controlling their impulses and attention.


“Our findings show that the early childhood app market is a Wild West, with a lot of apps appearing more focused on making money than the child’s play experience,” Jenny Radesky, a developmental behavioral expert and an author of the study, said in a statement. “This has important implications for advertising regulation, the ethics of child app design, as well as how parents discern which children’s apps are worth downloading.”

Children use mobile devices one hour every day, on average, highlighting the importance of researching what they encounter and how it may affect their health, Radesky added.

The study comes amid a broader backlash against technology giants and the popular apps that compete for users' time and attention. In response, some of the biggest names in tech have released “digital wellness” tools to help consumers track how much time they spend on their smartphone apps, a kind of new-age calorie counting to boost awareness of tech’s influence on people’s daily lives. But in recent months, the skepticism aimed at Silicon Valley has also focused on opposing the early adoption of digital technology.


The federal government has long regulated TV advertising to young children. But the authors say that ads found in digital media may be harder to quantify and regulate because they do not exist alongside predictable, linear TV segments, but are more immersive and personalized. According to the authors, their study is the first to examine the advertising practices used in children’s apps, finding “a high prevalence of advertising using distracting features, potentially manipulative approaches, and content that did not appear to be age-appropriate.”

The authors reviewed 135 apps and found that 95 percent of them contained at least one type of ad. They found that the prevalence of advertisements occurred at similar rates whether the apps were labeled “educational” or not.

The apps that the researchers reviewed came from another study on family mobile use and from the most-downloaded free and paid apps in the Google Play store, in the category for children 5 and younger.


A coalition of consumer groups and public interest organizations seized on the findings of the study, which is called “Advertising in Young Children’s Apps.” Led by the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy, the groups sent a letter to the Federal Trade Commission on Tuesday, calling on the agency to launch an investigation of apps that cater to young children. The coalition argued that preschool apps engage in unfair and deceptive practices — a violation of consumer protection law — through the use of false marketing and tactics that manipulate kids to watch ads and purchase upgrades.

“This groundbreaking study demonstrates that popular apps for preschoolers are rife with marketing that takes unfair advantage of children’s developmental vulnerabilities,” Josh Golin, executive director of the Campaign for a Commercial Free Childhood, said in a statement Tuesday. “Disguising ads as part of gameplay and using cartoon characters to manipulate children into making in-app purchases is not only unethical, but illegal.”

Cartoon - Kids and video-game


Three radical paths to equality


pip and sn1per - Kali Basic Tools series

https://github.com/Ara2104/Sn1per


Basic checks

pip install --upgrade pip

Prevent outsiders from using these Google dorks against your web systems

Modifying the robots.txt file in your server, as follows:
  • Prevent indexing from Google by running the following code: User-agent: Google...