Latest Security stories

Generating Random Pronounceable Passwords (www.blackwasp.co.uk)

submitted by BlackWasp (4217) 2 months, 9 days ago

The use of passwords as a security measure is increasingly common for technical and non-technical users alike. Generating passwords that are both strong and memorable can be difficult. This article describes one method to alleviate this problem.

ASP.NET session hijacking with Google and ELMAH (www.troyhunt.com)

submitted by troyhunt (831) 4 months, 19 days ago

ELMAH is one of those libraries which is both beautiful in its simplicity yet powerful in what it allows you to do. Combine the power of ELMAH with the convenience of NuGet and you can be up and running with absolutely invaluable error logging and handling in literally a couple of minutes. Yet, as the old adage goes, with great power comes great responsibility and if you’re not responsible with how you implement ELMAH, you’re also only a couple of minutes away from making session hijacking of your ASP.NET app – and many other exploits – very, very easy.

Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (technet.microsoft.com)

submitted by pwhe23 (972) 4 months, 23 days ago

This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer (www.troyhunt.com)

submitted by troyhunt (831) 6 months ago

When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is encrypted over the network and you know it hasn’t been manipulated in transit. But unfortunately we often find sites lacking and failing to implement proper transport layer protection. Sometimes this is because of the perceived costs of implementation, sometimes it’s not knowing how and sometimes it’s simply not understanding the risk that unencrypted communication poses. Part 9 of this series is going to clarify these misunderstandings and show how to implement this essential security feature effectively within ASP.NET.

Keep it secret, keep it safe - Eric Lippert on Crypto (blogs.msdn.com)

submitted by dpeterson (4397) 8 months ago

Eric Lippert discusses cryptography, its difference from security, and discusses some of the different types of cryptography using the Bob and Alice (and a few extras) scenarios to explain how the different types work.

Checking Password Strength (www.blackwasp.co.uk)

submitted by BlackWasp (4217) 8 months, 8 days ago

Many computer systems require that a password is provided before permitting access to sensitive data. As some passwords are easy to crack using brute force techniques, it is common to give the user feedback to show the strength of their selected password.

Securing Strings in Memory (www.beckshome.com)

submitted by thbst16 (26) 8 months, 17 days ago

I recently had the opportunity to look into and make use of the Microsoft System.Security.SecureString class. This class is one of those dark corners of the .NET Framework that you don’t think about on a day-to-day basis but are really glad that it’s there when your security auditor starts asking questions about how PII data such as social security numbers are protected while resident in memory. The SecureString class takes care of this problem, helping you avoid a situation where unencrypted sensitive String data is left lingering around on the .NET heap. However, since this class does reference unmanaged memory buffers, its use is not entirely intuitive. I’ve attempted to demystify things with the explanation, drawing and code snippets in this post.

OWASP Top 10 for .NET devs part 8: Failure to Restrict URL Access (www.troyhunt.com)

submitted by troyhunt (831) 9 months, 27 days ago

What makes this particular risk so dangerous is that not only can it be used to very, very easily exploit an application, it can be done so by someone with no application security competency – it’s simply about accessing a URL they shouldn’t be. On the positive side, this is also a fundamentally easy exploit to defend against. ASP.NET provides both simple and efficient mechanisms to authenticate users and authorise access to content. In fact the framework wraps this up very neatly within the provider model which makes securing applications an absolute breeze.

OWASP Top 10 for .NET developers part 7: Insecure Cryptographic Storag (www.troyhunt.com)

submitted by troyhunt (831) 11 months, 14 days ago

In the 7th part of the series on addressing the OWASP Top 10 within ASP.NET, we look at how cryptographic storage can be implemented securely. The post looks at how poorly implemented hashing can be easily broken with rainbow tables then moves onto secure hash algorithms, proper use of salts and the implementation of symmetric encryption.

.NET Security - Interview Questions - CodeGain (www.codegain.com)

submitted by codegain (2794) 1 year, 1 month ago

Collection of interview questions in .NET Framework. The questions belong to the Framework general and .NET Security sections.

Creating an Asymmetric or Symmetric Cryptography Secure Stream without (thebigsecurity.com)

submitted by hanjian (19) 1 year, 2 months ago

How to create a secure stream that uses asymmetric cryptography to connect and symmetric cryptography to continue, without the need for SSL or certificates.

Free PHP Encoder by TheBigSecurity (thebigsecurity.com)

submitted by hanjian (19) 1 year, 2 months ago

PHP obfuscator is an application that serves to protect PHP code from piracy.

Salted Password Hashing (www.blackwasp.co.uk)

submitted by BlackWasp (4217) 1 year, 3 months ago

There are many ways in which passwords can be stored, with varying levels of security. Salted password hashing uses a non-reversible hashing algorithm with the inclusion of a randomised element to make it more difficult to obtain user passwords.

SSL is not about encryption (www.troyhunt.com)

submitted by troyhunt (831) 1 year, 4 months ago

It’s about assurance. It’s about establishing a degree of trust in a site’s legitimacy that’s sufficient for you to confidently transmit and receive data with the knowledge that it’s reaching its intended destination without being intercepted or manipulated in the process. Last week I wrote a (slightly) tongue-in-cheek post about the Who’s who of bad password practices. I was critical of a number of sites not implementing SSL as no indication of it was present in the browser. “But wait!” some commenters shouted, “you can still post to HTTPS and the data will be encrypted” they yelled, “stop propagating fear and misunderstanding”, they warned. I thought carefully about these responses and made a little update at the end of the post but the story of posting data from HTTP to HTTPS is worth more than just a footnote. The real misunderstanding in this story is believing that just because the credentials are encrypted in transit, SSL has been properly implemented. Let’s take a good look at what’s wrong with that belief and why there’s more to SSL than just encryption.

Who’s who of bad password practices – banks, airlines and more (www.troyhunt.com)

submitted by troyhunt (831) 1 year, 4 months ago

Ah, passwords. Love ‘em or hate ‘em, they’re a necessary evil of the digital age. The reality is we all end up with an alphabet soup of passwords spread over dozens of various sites and services across the internet. Whilst we might not always practice it, we all know the theory of creating a good password; uniqueness, randomness and length. The more of each, the better. But what happens when the website won’t allow you to create a secure password? Or at least when they severely constrain your ability to create long, random, unique passwords? And what about when they don’t allow you to send it between your computer and their server securely? Even worse, what happens when our most “secure” institutions implement lazy password policies? Unfortunately, all of this is pretty rampant practice.

Continuous web app security scanning with Netsparker and TeamCity (www.troyhunt.com)

submitted by troyhunt (831) 1 year, 4 months ago

Nothing destroys reputation like security holes (I take it Gawker is still fresh in everyone’s minds), and when it comes to web applications, security holes are everywhere. This post looks at integrating the Netsparker security scanner into a TeamCity build to automatically analyse applications after deployment. It generates fantastic reports which are easy to consume and act on. And because it's a TeamCity build, there's a great audit trail of vulnerabilities over time.
