Security Flaw in Keychain Management?

Similar Messages

• Screen Saver Password Protection - Security Flaw

  Although I have always felt OS X has been a solid and secure operating system, there continues to remain one painful, and blatant security flaw. I keep thinking that Apple will address the issue, but they certainly haven't done so thus far.
  Explanation:
  With any good security policy, and in any secure environment, there will always be a need to "lock" (password protect) a system when not in use. That is, after 'X' period of time, the user interface is password protected so as not to allow access to the system while not in use. This is probably the most common and fundamental security measure in any environment. However, Apple's (GUI) password protection falls short in a number of ways. The only current method of password protecting the user interface is through the Screen Saver. Although at a glance it appears functional, it is a poor design and is easy to disable.
  The screen saver configuration lies within two files; the ~/Library/Preferences/com.apple.dock.plist and ~/Library/Preferences/ByHost/com.apple.screensaver.<variable>.plist. It is especially important to note that both of these files are located in the users home folder, which gives them full access to the configuration files. There is absolutely nothing preventing a user from deleting these files, and thus, disabling the only mechanism to password protect the user interface. Giving the user the ability to disable or remove ANY security related configuration is a poor design.
  Now initially we thought we had a solution by setting the user immutable flag on the ByHost screen saver plist using chflags. This would still allow user access, but would prohibit them from deleting the ByHost plist. Well, it sounded good in theory. However, if ~/Library/Preferences/com.apple.dock.plist is deleted, you can say goodbye to your password protected screen saver, despite locking the screen saver plist. So naturally the idea occurred to me to set the user immutable flag on ~/Library/Preferences/com.apple.dock.plist. This works, but makes it impossible to modify the Dock. Needless to say, if the Dock can't be modified, there's no point in even having it.
  Now that isn't the only thing wrong with the screen saver password protection. You would expect that an administrator could unlock a users (password protected) screen saver, but you would also assume that the user was logged off as a result. Not in this case... If an admin unlocks a password protected screen saver for a user, they are now logged in as that user and have access to everything the user was doing when it was locked (email, spreadsheets, confidential information... anything). This is not the preferred method. If for some reason an admin needs to unlock a password protected screen saver, it should log off that user, not allow access to the user's session.
  Finally, the biggest flaw yet. With a recent update, the password protection doesn't even work, as indicated by several people in the following threads.
  http://discussions.apple.com/thread.jspa?messageID=2706417&#2706417
  http://discussions.apple.com/thread.jspa?messageID=1950444&#1950444
  http://discussions.apple.com/thread.jspa?messageID=2648700&#2648700
  I have personally seen this issue while developing our corporate OS X image. Despite any fix or workaround, the simple fact that this has occurred is disturbing. ...As if the design wasn't bad enough, it now has the potential to stop working entirely.
  Now don't get me wrong, I love OS X and prefer to work on it over any other operating system. Nonetheless, the current design for the "screen lock" is inadequate at best. For a large enterprise environment with stringent security requirements, it's far from sufficient. My hope in posting this is that someone from Apple acknowledges the design flaw and incorporates a more effective solution into the next OS.
  MacBook   Mac OS X (10.4.6)  

  One thing I forgot to mention is that "Workgroup Manager.app" is a part of the "Server Admin Tools" which can be downloaded free from Apple. Although it seems to be primarily intended to be used to configure OS X Server from an OS X Client machine, many of its functions can be used to configure the OS X Client machine itself, in the complete absence of OS X Server. Unfortunately, the 'mcx_settings' aren't really "image friendly" - as far as using them on OS X client is concerned, they are something that seem to need to be applied to user accounts individually (although it is possible to copy all of the settings at once so it isn't necessary to go through the whole configuration process for each setting for each user). I have tried tinkering and applying them to groups, but group members don't seem to automatically be restricted (I may be missing something). The "tools" are available here:
  http://www.apple.com/support/downloads/serveradmintools104.html
  I don't know if it would be any better than the screen saver "hot corner", but there is an option to lock the screen from the "Keychain Access" menu extra, which can normally be enabled through "/Applications" > "Utilities" > "Keychain Access.app", from its "Preferences". This setting is then stored in the "com.apple.systemuiserver.plist" file (ie independent of the "Dock"), but could in principle be controlled from 'mcx_settings' as well. The level of control seems to be incomplete - the user can still drag the item off of the menu bar, but it returns during the next login. However, it does provide convenient access to a method to lock the screen and keychains, and has a nice "padlock" icon so that its function is obvious. It is also potentially possible to assign a two-step keyboard shortcut to the "Lock Screen" item, but it would be somewhat less convenient than a direct key combo...
  One other note regarding the "admin" user's ability to unlock the screensaver. The configuration file allowing the "admin" user to do this is "/etc/authorization", under 'system.login.screensaver'. Currently, the "rule" is set to 'authenticate-session-owner-or-admin'. Changing it to 'authenticate-session-owner' would be expected to remove the "admin" user's ability to unlock the screensaver, and if "Fast user switching" is available, the "admin", being unable to authenticate, should be able to switch to the "login window" from the authentication dialogue. I haven't tested this at all in "Tiger", but in "Panther", there was apparently a problem with it (which is why it had slipped my mind since at the time it was rejected as a viable option) - the person who posts here as "LittleSaint" had mentioned some problem with user logins when set up that way but I don't remember what it was, and so can't test if it has been fixed in "Tiger" (not very reassuring, and I apologize). And again, this is a setting that an "admin" would be able to reverse for themselves. Also, should "Fast user switching" become disabled for some reason, and the screen saver kicks in and the user isn't available, it might be a hassle to get back into the machine (it might be possible to do something over ssh). Nevertheless, it might be something to look in to.

• Fatal Security Flaw in WRT54GS?

  Sorry I don't have the hardware revision handy.
  Firmware is 1.52.0.  Model is WRT54GS.
  I'm configured with WPA2-PSK/AES.  Broadcasting my SSID.  No MAC access filtering.
  HTTPS access only to the config pages.  Custom (not default) password.  Remote management disabled.
  Summary:
  The router simply "forgot" its assigned SSID and reverted to broadcasting as "linksys".
  It also ceased encrypting its broadcast.
  I was able to log in and change it back.  It retained many of the OTHER settings I had previously configured.
  What causes this?  Is it a known issue?  Is there a fix?
  Details:
  Two days ago, I noticed my client (laptop) could no longer see the usual SSID that I connect to on my home network.
  However, there was a new SSID in the area, named "linksys", broadcasting UNSECURED.
  Coincidentally, this new "linksys" access point had the exact same signal strength that my usual access point typically had.
  So, I connected to it, you know, just to see.
  I was only able to access the config pages at my custom IP address (not at x.y.0.1), prefixed with the "https://" scheme identifier.
  And it didn't prompt for a password.  Hopefully because it recognized the cookie my browser still carried from the last time I logged in to it.  But maybe because it had temporarily dropped ALL of its security measures...
  It was definitely my router.  Just, stripped of its usual encryption/authentication and its usual SSID.
  So, I switched the SSID back to what it usually is.
  And I turned the WPA2-PSK/AES encryption back on.
  The router "remembered" my WPA2 passphrase, which it helpfully displayed to me as plaintext when I pulled down the "security mode" dropdown menu and selected "WPA2 Personal".
  After re-configuring, it works as well as ever.
  Is this a known security flaw in the WRT45GS?  Because....it seems like a fatal one, as far as network security is concerned.
  Is it limited to one firmware release?  Is there a firmware upgrade to fix it?
  (Again, I regret not having my hardware revision handy.)
  Thanks.

  Thanks for the reply.
  Yeah, the initial configuration was done wired.
  Subsequent reconfigurations were done wirelessly, on the encrypted wireless, connected via https.
  Remote management was NEVER enabled (and remained disabled, even after the router's little spell of amnesia).
  This particular router has been up and (mostly) stable for something like three years.  For the past year, WPA2-PSK encryption ahs been enabled.  The present WPA2-PSK passphrase is NOT the same as the old WEP key.
  I'll assume (just for a moment) that nobody hacked the router.  The only reason my router would be intresting for anyone to hack is simply because it's there.  And there are half a dozen other WPA2-PSK networks and a handfull of WEP networks within shouting distance.  And, if it was hacked from the outside, that would also indicate a "fatal security flaw" in the WRT54GS...
  So, let's assume it just glitched out and forgot its own name for 12hrs.
  Tell me more about what happens to NVRAM as it ages.  Does it become less N(on) and more V(olatile) with time?
  I know the router got hit by a storm-related power surge about 9 months ago.  It was reset at that time, exhibited some strange behavior (not wanting to display the config web pages) and then it "settled down" after a day or two.
  While it's performed fine since then, it may have sustained some subtle sort of damage at that time.
  But no parameters were lost or altered in the NVRAM.  And there was no obvious surge-type event to precipitate it now.
  What's the life expectancy of these things anyway?  Is this an early warning sign that I should upgrade to new hardware?

• Acrobat 9.2.0 Update Breaks Text Box Tool, Possibly Introduces a New Security Flaw.

  Anyone have any ideas for this one?
  Once we upgraded to version 9.2.0 (This is a major security release that fixes a Javascript security flaw) our text box tool no longer works the way we want it and crashes the program.
  Try this:
  1. Open any PDF document on a  Windows XP SP3 computer with Adobe Acrobat 9.2.0.
  2. Add the 'Text Box Tool'  to the toolbar by right-clicking the toolbar and selecting 'MoreTools' then placing a checkbox next to the 'Text Box Tool'.
  3. Click the 'Text Box Tool' on the toolbar and draw a new textbox anywhere on the PDF document.
  4. Click out of the textbox to cancel typing mode, then single click back on the textbox that you just created.
  5. Right-click the textbox that you created and select 'Properties..."
  6. Under the 'Appearance' tab,
  a. Select Style: No Border
  b. Select Fill Color: No Color
  c. Check the box 'Make Properties Default'
  d. Click OK.
  7. Click the Text Box Tool again, and draw another textbox (Since there is no border you will not see it but you will still be drawing a textbox).
  8. Let go of the mouse when you are done drawing your textbox rectangle and the program will crash at this point.
  Results:
  1. "An internal error occurred." dialog box is displayed.
  2. After clicking ok the following "Microsoft Visual C++ Runtime Library" dialog box is displayed:
  "Runtime Error!
  Program: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
  R6025
  - pure virtual function call
  3. After clicking ok another dialog box is displayed:
  Error signature
  AppName: acrobat.exe AppVer: 9.2.0.124 ModName: acrobat.dll Offset: 000509dd
  4. The same error has occurred on all five computers that we tested the new version on.
  Expected results: A new textbox is created and you may start typing in text (This was the behavior in version 9.1.3).
  Additional Information
  At times, we need to add information to PDF files (i.e missing dates, etc). We have always used the Text Box Tool to do this with no border, and with no fill color as this is the EASIEST and FASTEST way to add information to PDF files in a precise manner. We want the fill color to be transparent so that we can fit text in between and exactly on lines easier, and so that there is not a solid background box behind the text. We want no border because a border around text that needs to go on a line looks stupid. Up until version 9.2 this procedure worked fine. Now, the program will crash. Perhaps this even adds another security vulnerability if the crash could be exploited. We want to maintain security by patching Adobe to address the JavaScript vulnerability that was addressed in version 9.2.0, however, we are not able to update our users as the new version breaks the fundamental purpose that we use Adobe Acrobat for. We are stuck with the vulnerable version 9.1.3 until this problem is addressed. Disabling JavaScript is not an option either, as we use a Java plug-in on a daily basis.
  Any thoughts would be great, I have attached screenshots of the errors.

  The question still is not answered.
  The problem continues in Acrobat 8.1.7 for Windows, even after updating toAcrobat  8.2.0. ( I can't comment on whether recent updates to Acrobat 9 fix the problem in Acrobat 9.)
  The internal error after text insertion problem occurs even with PDF documents created in Acrobat 8, i.e., not only old versions of PDF files. We have the text box insertion icon in the toolbar, and the properties set to "no color" for the box and "0" width for the text box lines, as other commentators have noted.
  The problem did not exist when Acrobat 8 Pro was installed, it was introduced by one of the updaters.
  The main reason we use Acrobat, rather than much cheaper PDF-creation software, is to annotate PDF files (including inputting data into spaces in standard forms).
  So justify the high price of Acrobat and fix the problem please, Adobe !

• Security flaw-To use CSOM/Javascript code for Custom Office365(Sharepoint Online) application

  Hi,
  I've developed custom application in Office365(Sharepoint Online) using CSOM/Javascript. Security team from client side has been reported one major issue to the our application that any end user can comment our CSOM/Javascript code and bypass the validation
   or can update / insert into sharepoint list item using developer tool/ Console in Google Chrome(F12 Key).
  Also end user can write his own separate code in console of Google Chrome (Developer Tool / F12) and can update / insert  into Sharepoint List.
  Note:- End user has Add, Edit, View permission on all Sharepoint List.
  This is one major security flaw of the Sharepoint/Office365 to use CSOM /Javascript for writing code, to overcome this issue could you please provide me some solution.
  Your help would be greatly appreciated!!!  
  Looking for reply.
  Thanks,
  Mahesh Sherkar
  Web: http://Mahesh-Sherkar.com
  Email: [email protected]

  Hello Paras, 
  Did you get any solution for this? I think your website was implemented this form. Can you please tell me the way how I can achieve it? I am also facing same problem. Please reply me as early as possible.
  Thanks,
  Mihir

• Security Flaw: Since upgrading to iOS 8.3, I can by-pass passcode security by simply hitting RETURN on my bluetooth keyboard

  I noticed when I typed my passcode incorrectly on my Logitech Fabric Skin Keyboard Folio, the iPad allowed me to log in.  I checked again, but this time by just hitting RETURN key without entering any passcode, and again it allowed me to log in.
  If I disconnect the keyboard, and use the soft keyboard on the iPad itself, it only allows the correct passcode.
  Has anybody else seen this security flaw?
  iPad Air
  iOS 8.3

  Please describe the problem in as much relevant detail as possible. The "etrecheck" fad hasn't made that step any less necessary. The better your description, the better the chance of a solution.
  For example, if the computer is slow, which specific actions are slow? Is it slow all the time, or only sometimes? What other changes did you make, if any, just before it became slow? Have you seen any alerts or error messages? Have you done anything to try to fix it? Most importantly, do you have a current backup of all data? If the answer to the last question is "no," back up now. Ask if you need guidance. Do nothing else until you have a backup.

• How can I acces Secure Notes from Keychain on my other Macs?

  I have build up many Secure Notes in Keychain with important stuff and I'd like to be able to access these notes on my four Macs and other Apple devices. Is this possible? If not, maybe a poor alternative would be to create a secure .txt file and store it in iCloud? Any better ideas?

  Put the photos you want to upload to your iPhone in an album in iPhoto.  Connect the iPhone to the Mac and launch iTunes. 
  Click on your iPhone icon
  and then on Photos
  Next check Sync Photos and Selected albums.  Find the album with the photos you want to upload and select it. 
  Lastly click on the Sync button.

• ADF Security to J2EE Container Managed Security Problems

  Hi al!
  I had ADF security enabled in my application. I've added roles and users to embedded OC4J Server Preferences..., configured authorization using pageDefs... (following the Introduction to ADF Security in JDeveloper 10.1.3.2 howto).
  For the sake of friendlier user and roles management I decided to go to 2EE Container Managed Security (I want application manager in production environment to be able to manage users in only one place, not in DB table and extra for web app). I followed Frank Nimphius's Database Authentication and Authorization in J2EE Container Managed Security article.
  Now I have some problems. I removed users and roles from embedded OC4J Server Preferences... (I believe this are used only for ADF security, am I right?). I can log to application with admin user account (app index page doesn't have any binds and even pageDef), but when trying to access admin pages I get 401 Unauthorized page.
  What am I doing wrong, probably I've forgotten something? I'm a bit confused now with users and roles settings and ADF and container managed security.
  Part of my web.xml file:
  <servlet>
  <servlet-name>adfAuthentication</servlet-name>
  <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
  <init-param>
  <param-name>success_url</param-name>
  <param-value>/faces/app/index.jspx</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
  <servlet-name>adfAuthentication</servlet-name>
  <url-pattern>/adfAuthentication/*</url-pattern>
  </servlet-mapping>
  <security-role>
  <description>Admins</description>
  <role-name>admin_role</role-name>
  </security-role>
  <security-role>
  <description>Users</description>
  <role-name>user_role</role-name>
  </security-role>
  <security-role>
  <role-name>oc4j-administrators</role-name>
  </security-role>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>AllAdmins</web-resource-name>
  <url-pattern>faces/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>admin_role</role-name>
  </auth-constraint>
  </security-constraint>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>AllUsers</web-resource-name>
  <url-pattern>faces/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>user_role</role-name>
  <role-name>admin_role</role-name>
  </auth-constraint>
  </security-constraint>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>adfAuthentication</web-resource-name>
  <url-pattern>/adfAuthentication</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>oc4j-administrators</role-name>
  <role-name>user_role</role-name>
  <role-name>admin_role</role-name>
  </auth-constraint>
  </security-constraint>
  Do I have to remove this adfAuthentication tags?
  I know I've made things a bit complicated for me now and for anyone to help, but I hope I will get at least some pointers what to do now and maybe some explanation about roles in container managed security? Is it enaugh to have security constraints and roles defined in web.xml file or they have to be defined somewhere else also (beside the database)?
  Thank you in advance!
  Bye
  PS
  Maybe stack trace after login:
  FINE: LoginConfigProvider.ctr: lmm=[LoginModuleManager: jznCfg=[JAZNConfig null], appConfigEntries={oracle.security.jazn.oc4j.CertificateAuthenticator=[javax.security.auth.login.AppConfigurationEntry@3625d0], oracle.security.jazn.tools.Admintool=[javax.security.auth.login.AppConfigurationEntry@eca6e7], oracle.security.jazn.oc4j.WebCoreIDSSOAuthenticator=[javax.security.auth.login.AppConfigurationEntry@c1c7c4], oracle.security.jazn.oc4j.DigestAuthenticator=[javax.security.auth.login.AppConfigurationEntry@221f81], oracle.security.wss.jaas.SAMLAuthManager=[javax.security.auth.login.AppConfigurationEntry@426e05], oracle.security.jazn.oc4j.JAZNUserManager=[javax.security.auth.login.AppConfigurationEntry@145240a], current-workspace-app=[javax.security.auth.login.AppConfigurationEntry@4120aa], oracle.security.wss.jaas.JAASAuthManager=[javax.security.auth.login.AppConfigurationEntry@1c78f98]}]
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option data_source_name = jdbc/TESTDbDS
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option table = APPLICATION_USER
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option groupMembershipTableName = APPLICATION_ROLE
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option usernameField = USR_EMAIL
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option passwordField = USR_PSW
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option groupMembershipGroupFieldName = ROLE_NAME
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option user_pk_column = USR_EMAIL
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option roles_fk_column = USR_EMAIL
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option pw_encoding_class = null
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option realm_column = null
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option application_realm = null
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
  FINE: [DBTableOraDataSourceLoginModule] option casing = toupper
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
  FINE: [DBTableOraDataSourceLoginModule]login called on DBTableLoginModule
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
  FINE: [DBTableOraDataSourceLoginModule]Calling callbackhandler ...
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
  FINE: [DBTableOraDataSourceLoginModule]Username returned by callback = admin
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
  FINE: [DBTableOraDataSourceLoginModule]Username changed to case as defined by toupper to ADMIN
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
  FINE: [DBTableOraDataSourceLoginModule]User query string: select USR_EMAIL,USR_PSW from APPLICATION_USER where USR_EMAIL= (?)
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
  FINE: [DBTableOraDataSourceLoginModule]User primary key value found = ADMIN
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
  FINE: [DBTableOraDataSourceLoginModule]Password encoded by: oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
  FINE: [DBTableOraDataSourceLoginModule]User ADMIN authenticated successfully
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
  FINE: [DBTableOraDataSourceLoginModule]Roles query string: select ROLE_NAME from APPLICATION_ROLE where USR_EMAIL= (?)
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
  FINE: [DBTableOraDataSourceLoginModule]DBUser Principal Name: ADMIN
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
  FINE: [DBTableOraDataSourceLoginModule]DBRole Principal Name: admin_role
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
  FINE: [DBTableOraDataSourceLoginModule]Logon Successful = true
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
  FINE: [DBTableOraDataSourceLoginModule]Subject contains 0 Principals before auth
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
  FINE: [DBTableOraDataSourceLoginModule]Local LM commit succeeded
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
  FINE: [DBTableOraDataSourceLoginModule]Subject contains 2 Principals after auth
  24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
  FINE: [DBTableOraDataSourceLoginModule]Cleaning internal state!

  Hi there!
  I have another question about this. I've modified a bit DBRolePrincipal class to see what's going on. At the beginning of the equals(Object another) method I added this lines:
  log("method equals start",0);
  log("another type = " + another.getClass(), 0);
  if (another instanceof Principal)
  Principal mine = (Principal)another;
  log("Principal mine.getName() = " + mine.getName(), 0);
  The result is this output (after navigating to page that gives 401 forbidden):
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
  07/10/12 08:38:36 [DBRolePrincipal] method equals start
  07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
  07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
  Why is the name of ADFRolePrincipal always anyone? When I sign in with this user the output says:
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User query string: select USERNAME,PASSWORD from ACTIVE_APP_USER_V where USERNAME= (?)
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User primary key value found = admin_user
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Password encoded by: oracle.sample.dbloginmodule.util.DBLoginModuleCearTextEncoder
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User admin_user authenticated successfully
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Roles query string: select ROLE_NAME from ACTIVE_APP_ROLE_V where USERNAME= (?)
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBRole Principal Name: admin_role
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBUser Principal Name: admin_user
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Logon Successful = true
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 0 Principals before auth
  07/10/12 08:46:09 [DBUserPrincipal] method equals start
  07/10/12 08:46:09 [DBUserPrincipal] another type = class oracle.sample.dbloginmodule.principals.DBRolePrincipal
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Local LM commit succeeded
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 2 Principals after auth
  07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Cleaning internal state!
  Frank, if you haven't given up on this issue yet could you please try to explain this to me? Why doesn't admin_role principal never get compared in [equals[/i] method?
  Thank you!
  BB

• How secure is the password manager?

  How secure is the password manager?
  Can someone hack into it and steal my password?

  You can protect stored password using master password. See:
  * https://support.mozilla.com/en-US/kb/Protecting%20stored%20passwords%20using%20a%20master%20password

• Best practices to secure out of bound management access

  What are the best practices to secure Out Of Bound Management (OOBM) access?
  I planning to put in an DSL link for OOBM. I have a console switch which supports SSH and VPN based on IPSec with NAT traversal. My questions are -
  Is it secure enough?
  Do I need to have a router/firewall in front of the console switch?
  Im planing to put a Cisco 1841 router as an edge router. What do you think?
  Any suggestions would be greatly appreciated.

  Hi,
  You're going to have an OOB access via VPN?
  This is pretty secure (if talking about IPsec)
  An 1841 should work fine.
  You can check the design recommendations here:
  www.cisco.com/go/srnd
  Chose the security section...
  Hope it helps.
  Federico.

• Serious security flaw found in IE

  *Important Information*
  A  serious  security flaw is found in Internet Explorer today and everybody is  been  advised  by  'MICROSOFT'  not  to  use  Internet Explorer for any confidential banking transactions until the new patch is released.
  The  new  patch  would  be  released  at the earliest and Microsoft advices everybody to use the browser from their rivals until the patch is released.
  Click on the below link to read:
  http://news.bbc.co.uk/2/hi/technology/7784908.stm

  I advise everybody to use the browser from their rivals, even after the the patch is released!
  I couldn´t agree more
  Maybe the browser was patched now so the data is not stolen by "someone" but to Microsoft instead when surfing MSDN
  </cynism>
  Markus

• How can i change the phonenumber for my security code in keychain on ios 7.03

  how can i change the phonenumber for my security code in keychain on ios 7.03?

  i have changed the phonenumber under icloud preferences keychain. after the update on ios 7.03 there is no sms arriving for the security code because there is a double international code in the telephone number like +49 +49. How can i fix this?

• Security Flaw on iPhone???

  Critical iPhone security flaw found
  Fortify Software, a security firm, has uncovered a critical security flaw in the Apple iPhone which could lead to phishing attacks.
  Because the iPhone only displays the first few characters of a URL in its Safari web browser, phishers could easily hide a fraudulent URL at the end of a link without the user even knowing it.
  Even worse, the iPhone connects the browser and the phone in such a way that it may be possible to embed scam telephone numbers into a site to make the phone automatically dial the scam number.
  Let’s hope Apple is working on a fix for this one because that is some scary stuff. Now, if you input addresses yourself and use bookmarks, the chances of being affected by this are relatively minimal. That said, watch out for strange emails and Google results — you can’t always trust that either.
  Anybody read this? Any comments or thoughts??? Valid?

  It's hardly a new flaw since disguising URLs in links has been common practice for some time. However, while the browser does indeed only show a limited number of characters from the URL being opened (more if in landscape mode than portrait) to get to the URL at all the user would either have to enter it manually, or encounter it in an email or web page where the full URL should readily be discovered.
  It seems probable to me that over time, security holes will be found as in all accessible and discoverable devices on the internet. Based on experience with Apple and MacOS, I would have confidence that genuine weaknesses found in the iPhone will benefit from security fixes as expeditiously as possible.

• Security flaw in bt home hub 4 & bt home hub 5

  there is a security flaw in the lastest two home hubs I recommend you avoid using these

  That's a sweeping statement. Do you want tell us what it is?
  EDIT: I see your other post
  https://community.bt.com/t5/Other-BB-Queries/WPS-no-longer-gets-disabled-by-BT/td-p/776140/page/2 
  about the "security flaw" and I see you have also been answered.

• BusinessObjects security flaw left users vulnerable to attack

  Audit found this web article "BusinessObjects security flaw left users vulnerable to attack" http://searchsap.techtarget.com/news/2240025968/BusinessObjects-security-flaw-left-users-vulnerable-to-attack?asrc=EM_NLN_13056439&track=NL-137&ad=804092
  and they were wondering if our installation of BusinessObjects was also vulnerable. I was not able to answer for sure, so I asked our BASIS team. They said that it is not clear from the article what components are actually affected or in what patch level this is corrected.
  Does anyone know specifically where the security flaw is?
  Thanks,
  ~Matt Strehlow

  Hi Denis
  thanks for the reply.
  Are you absolutely sure that the passage should not be in the file any more?
  I've checked now 3 different installations and I've even checked the axis2.xml in the war files I found (dated 04/22/2010) and they all do contain these two lines:
      <parameter name="userName">admin</parameter>
      <parameter name="password">axis2</parameter>
  The installation were BOXI 3.1 SP3, meaning we used the "merged" installation files that include the SP3. One of the installations I checked has even Fix Pack 3.4 installed.
  The only axis2.xml file I found that did not contain this passage was from a BODI  installation...
  am I missing something here?
  thanks for any help!
  MU