<?xml version="1.0" encoding="iso-8859-1"?>
<rss version="2.0">
  <channel>
    <title>DotNetKicks.com - Stories tagged with Security</title>
    <description>the latest stories tagged with 'Security' from DotNetKicks.com</description>
    <link>http://www.dotnetkicks.com/</link>
    <language>en-us</language>
    <copyright>Atweb Publishing Ltd.</copyright>
    <docs>http://backend.userland.com/rss</docs>
    <generator>DotNetKicks.com - .NET links, community driven</generator>
    <ttl>30</ttl>
    <item>
      <title>Generating Random Pronounceable Passwords</title>
      <description>The use of passwords as a security measure is increasingly common for technical and non-technical users alike. Generating passwords that are both strong and memorable can be difficult. This article describes one method to alleviate this problem. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.blackwasp.co.uk%2fPronounceablePasswords.aspx"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.blackwasp.co.uk%2fPronounceablePasswords.aspx" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Generating_Random_Pronounceable_Passwords</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Generating_Random_Pronounceable_Passwords</guid>
      <pubDate>Thu, 22 Mar 2012 06:13:23 GMT</pubDate>
    </item>
    <item>
      <title>ASP.NET session hijacking with Google and ELMAH</title>
      <description>ELMAH is one of those libraries which is both beautiful in its simplicity yet powerful in what it allows you to do. Combine the power of ELMAH with the convenience of NuGet and you can be up and running with absolutely invaluable error logging and handling in literally a couple of minutes.

Yet, as the old adage goes, with great power comes great responsibility and if you're not responsible with how you implement ELMAH, you're also only a couple of minutes away from making session hijacking of your ASP.NET app - and many other exploits - very, very easy.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.troyhunt.com%2f2012%2f01%2faspnet-session-hijacking-with-google.html"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.troyhunt.com%2f2012%2f01%2faspnet-session-hijacking-with-google.html" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/ASP_NET_session_hijacking_with_Google_and_ELMAH</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/ASP_NET_session_hijacking_with_Google_and_ELMAH</guid>
      <pubDate>Mon, 09 Jan 2012 11:17:10 GMT</pubDate>
    </item>
    <item>
      <title>Why software isn't secure</title>
      <description>High level view of what happens on software projects that leads to software insecurity &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.threenine.co.uk%2f2012%2fwhy-isnt-software-secure%2f"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.threenine.co.uk%2f2012%2fwhy-isnt-software-secure%2f" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Why_software_isn_t_secure</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Why_software_isn_t_secure</guid>
      <pubDate>Fri, 06 Jan 2012 20:30:42 GMT</pubDate>
    </item>
    <item>
      <title>Vulnerabilities in .NET Framework Could Allow Elevation of Privilege</title>
      <description>This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2ftechnet.microsoft.com%2fen-us%2fsecurity%2fbulletin%2fms11-100"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2ftechnet.microsoft.com%2fen-us%2fsecurity%2fbulletin%2fms11-100" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Vulnerabilities_in_NET_Framework_Could_Allow_Elevation_of_Privilege</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Vulnerabilities_in_NET_Framework_Could_Allow_Elevation_of_Privilege</guid>
      <pubDate>Fri, 06 Jan 2012 14:39:48 GMT</pubDate>
    </item>
    <item>
      <title>OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer </title>
      <description>When it comes to website security, the most ubiquitous indication that the site is "secure" is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you're talking to, you know your communication is encrypted over the network and you know it hasn't been manipulated in transit.

But unfortunately we often find sites lacking and failing to implement proper transport layer protection. Sometimes this is because of the perceived costs of implementation, sometimes it's not knowing how and sometimes it's simply not understanding the risk that unencrypted communication poses. Part 9 of this series is going to clarify these misunderstandings and show how to implement this essential security feature effectively within ASP.NET. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f11%2fowasp-top-10-for-net-developers-part-9.html"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f11%2fowasp-top-10-for-net-developers-part-9.html" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/OWASP_Top_10_for_NET_developers_part_9_Insufficient_Transport_Layer</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/OWASP_Top_10_for_NET_developers_part_9_Insufficient_Transport_Layer</guid>
      <pubDate>Tue, 29 Nov 2011 14:25:11 GMT</pubDate>
    </item>
    <item>
      <title>Keep it secret, keep it safe - Eric Lippert on Crypto</title>
      <description>Eric Lippert discusses cryptography, its difference from security, and discusses some of the different types of cryptography using the Bob and Alice (and a few extras) scenarios to explain how the different types work. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fblogs.msdn.com%2fb%2fericlippert%2farchive%2f2011%2f09%2f27%2fkeep-it-secret-keep-it-safe.aspx"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fblogs.msdn.com%2fb%2fericlippert%2farchive%2f2011%2f09%2f27%2fkeep-it-secret-keep-it-safe.aspx" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Keep_it_secret_keep_it_safe_Eric_Lippert_on_Crypto</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Keep_it_secret_keep_it_safe_Eric_Lippert_on_Crypto</guid>
      <pubDate>Fri, 30 Sep 2011 14:46:42 GMT</pubDate>
    </item>
    <item>
      <title>Checking Password Strength</title>
      <description>Many computer systems require that a password is provided before permitting access to sensitive data. As some passwords are easy to crack using brute force techniques, it is common to give the user feedback to show the strength of their selected password. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.blackwasp.co.uk%2fPasswordStrength.aspx"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.blackwasp.co.uk%2fPasswordStrength.aspx" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Checking_Password_Strength</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Checking_Password_Strength</guid>
      <pubDate>Wed, 21 Sep 2011 18:49:18 GMT</pubDate>
    </item>
    <item>
      <title>Securing Strings in Memory</title>
      <description>I recently had the opportunity to look into and make use of the Microsoft System.Security.SecureString class. This class is one of those dark corners of the .NET Framework that you don't think about on a day-to-day basis but are really glad that it's there when your security auditor starts asking questions about how PII data such as social security numbers are protected while resident in memory. The SecureString class takes care of this problem, helping you avoid a situation where unencrypted sensitive String data is left lingering around on the .NET heap. However, since this class does reference unmanaged memory buffers, its use is not entirely intuitive. I've attempted to demystify things with the explanation, drawing and code snippets in this post. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.beckshome.com%2findex.php%2f2011%2f09%2fsystem-security-securestring%2f"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.beckshome.com%2findex.php%2f2011%2f09%2fsystem-security-securestring%2f" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Securing_Strings_in_Memory</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Securing_Strings_in_Memory</guid>
      <pubDate>Mon, 12 Sep 2011 14:28:16 GMT</pubDate>
    </item>
    <item>
      <title>Security in Software</title>
      <description>The term security has many meanings based on the context and perspective in which it is used. Security from the perspective of software/system development is the continuous process of maintaining confidentiality, integrity, and availability of a system, sub-system, and system data. This definition at a very high level can be restated as the following: Computer security is a continuous process dealing with confidentiality, integrity, and availability on multiple layers of a system. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.dotnetblocks.com%2fpost%2f2011%2f08%2f28%2fSecurity-in-Software.aspx"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.dotnetblocks.com%2fpost%2f2011%2f08%2f28%2fSecurity-in-Software.aspx" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Security_in_Software</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Security_in_Software</guid>
      <pubDate>Mon, 29 Aug 2011 04:04:12 GMT</pubDate>
    </item>
    <item>
      <title>How to Implement 2-Step Verification in ASP.NET MVC</title>
      <description>In this post Keyvan walks through an example to show how to implement 2-step verification (with phone) in ASP.NET MVC applications. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.nayyeri.net%2fhow-to-implement-2steps-verification-in-asp-net-mvc"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.nayyeri.net%2fhow-to-implement-2steps-verification-in-asp-net-mvc" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/aspnet/How_to_Implement_2_Step_Verification_in_ASP_NET_MVC</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/aspnet/How_to_Implement_2_Step_Verification_in_ASP_NET_MVC</guid>
      <pubDate>Thu, 11 Aug 2011 23:48:23 GMT</pubDate>
    </item>
    <item>
      <title>OWASP Top 10 for .NET devs part 8: Failure to Restrict URL Access</title>
      <description>What makes this particular risk so dangerous is that not only can it be used to very, very easily exploit an application, it can be done by someone with no application security competency - it's simply about accessing a URL they shouldn't be.

On the positive side, this is also a fundamentally easy exploit to defend against. ASP.NET provides both simple and efficient mechanisms to authenticate users and authorise access to content. In fact the framework wraps this up very neatly within the provider model which makes securing applications an absolute breeze. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f08%2fowasp-top-10-for-net-developers-part-8.html"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f08%2fowasp-top-10-for-net-developers-part-8.html" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/OWASP_Top_10_for_NET_devs_part_8_Failure_to_Restrict_URL_Access</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/OWASP_Top_10_for_NET_devs_part_8_Failure_to_Restrict_URL_Access</guid>
      <pubDate>Mon, 01 Aug 2011 07:13:26 GMT</pubDate>
    </item>
    <item>
      <title>The padlock icon must die</title>
      <description>What do you think of when you see the padlock icon on a webpage? You're probably thinking something along the lines of &amp;quot;it means the page is secure&amp;quot;. The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit.

The problem is that it doesn't mean anything of the kind. In fact it has absolutely nothing to do with website security. And therein lies the problem - the padlock lies to us, it implies things that it is not and it's downright misleading. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f07%2fpadlock-icon-must-die.html"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f07%2fpadlock-icon-must-die.html" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/The_padlock_icon_must_die</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/The_padlock_icon_must_die</guid>
      <pubDate>Tue, 19 Jul 2011 08:36:44 GMT</pubDate>
    </item>
    <item>
      <title>Secure user authentication with one way password hash</title>
      <description>Keeping users' passwords in your database is a part of almost every application, yet securing passwords is rarely done correctly.

I recently read an article by Coda Hale about the ineffectiveness of password salts. Coda suggested using bcrypt to store passwords. He reasoned that bcrypt is extremely slow to compute, therefore making it slow to hack.

I completely agree, however, I wanted to add another way of safely storing passwords in a more conventional way by hiding the salt in the hash. The idea wasn't mine. It belongs to a DBA named Scott Hulberg. It's pretty simple and for the sake of this blog post I am not going to implement it completely. I am going to prepend the salt to the password hash, making it invisible to a hacker. You can go further by writing an algorithm to plant the salt in the hash array as you see fit.

Since the only way to match a one way hashed password is to use the salt we used to generate this hash, if a hacker cannot get to the salt, they cannot retrieve the original password.
Let's begin by composing the method to create our hash and prefix it with the salt: &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fgalratner.com%2fblogs%2fnet%2farchive%2f2011%2f07%2f05%2fsecure-user-authentication-with-one-way-password-hash.aspx"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fgalratner.com%2fblogs%2fnet%2farchive%2f2011%2f07%2f05%2fsecure-user-authentication-with-one-way-password-hash.aspx" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Secure_user_authentication_with_one_way_password_hash</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Secure_user_authentication_with_one_way_password_hash</guid>
      <pubDate>Tue, 05 Jul 2011 20:43:55 GMT</pubDate>
    </item>
    <item>
      <title>Getting up and started with the Windows Phone Developer Tools 7.1 Beta</title>
      <description>Windows Phone Developer Tools 7.1 Beta 2 was released on 6/29/2011. Are you ready for it? If not then let my guide help you get your system prepared and go through a few new features.

Download links:

Web Installer of Windows Phone 7.1 Beta 2 SDK
ISO Image of Windows Phone 7.1 Beta 2 SDK - (723 MB)
To get started you are going to need to remove the previous version of your Windows Phone Developer Tools 7.1 Beta 1. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fmichaelcrump.net%2farchive%2f2011%2f06%2f30%2fgetting-up-and-started-with-the-windows-phone-developer-tools.aspx"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fmichaelcrump.net%2farchive%2f2011%2f06%2f30%2fgetting-up-and-started-with-the-windows-phone-developer-tools.aspx" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Getting_up_and_started_with_the_Windows_Phone_Developer_Tools_7_1_Beta</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Getting_up_and_started_with_the_Windows_Phone_Developer_Tools_7_1_Beta</guid>
      <pubDate>Thu, 30 Jun 2011 15:05:41 GMT</pubDate>
    </item>
    <item>
      <title>Windows Phone 7 vs Windows Phone Mango: Getting Device Information</title>
      <description>Windows Phone 7 vs Windows Phone 7.1 Mango: Getting Device Information &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.windowsphonegeek.com%2ftips%2fWindows-Phone-7-vs-Windows-Phone-Mango-Getting-Device-Information"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.windowsphonegeek.com%2ftips%2fWindows-Phone-7-vs-Windows-Phone-Mango-Getting-Device-Information" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Windows_Phone_7_vs_Windows_Phone_Mango_Getting_Device_Information</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Windows_Phone_7_vs_Windows_Phone_Mango_Getting_Device_Information</guid>
      <pubDate>Thu, 23 Jun 2011 11:46:40 GMT</pubDate>
    </item>
    <item>
      <title>OWASP Top 10 for .NET developers part 7: Insecure Cryptographic Storag</title>
      <description>In the 7th part of the series on addressing the OWASP Top 10 within ASP.NET, we look at how cryptographic storage can be implemented securely. The post looks at how poorly implemented hashing can be easily broken with rainbow tables then moves onto secure hash algorithms, proper use of salts and the implementation of symmetric encryption. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f06%2fowasp-top-10-for-net-developers-part-7.html"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f06%2fowasp-top-10-for-net-developers-part-7.html" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/OWASP_Top_10_for_NET_developers_part_7_Insecure_Cryptographic_Storag</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/OWASP_Top_10_for_NET_developers_part_7_Insecure_Cryptographic_Storag</guid>
      <pubDate>Tue, 14 Jun 2011 07:23:21 GMT</pubDate>
    </item>
    <item>
      <title>RSA private key import from PEM format in C#</title>
      <description>Source code and explanations about how to use asymmetric encryption for the mutually authenticated SSL protocol by importing and using RSA OpenSSL private keys and client certificates in a C#.NET application. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fkhason.net%2fdev%2frsa-private-key-import-from-pem-format-in-c%2f"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fkhason.net%2fdev%2frsa-private-key-import-from-pem-format-in-c%2f" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/RSA_private_key_import_from_PEM_format_in_C</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/RSA_private_key_import_from_PEM_format_in_C</guid>
      <pubDate>Mon, 13 Jun 2011 21:28:44 GMT</pubDate>
    </item>
    <item>
      <title>A brief Sony password analysis</title>
      <description>So the Sony saga continues. As if the whole thing about 77 million breached PlayStation Network accounts wasn't bad enough, numerous other security breaches in other Sony services have followed in the ensuing weeks, most recently with SonyPictures.com where a significant portion of the database was publicly disclosed a few days back.

With all this customer data now unfortunately out there for public viewing, I thought it would be interesting to do some analysis on password practices. There are some rather alarming (although not entirely surprising) findings including:

36% of passwords appear in a common password dictionary.
50% of passwords are 7 characters or less.
67% of accounts on both Sony and Gawker use the same password.
82% of passwords are lowercase alphanumeric of 9 characters or less.
99% of passwords don't contain a single non-alphanumeric character. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f06%2fbrief-sony-password-analysis.html"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f06%2fbrief-sony-password-analysis.html" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/A_brief_Sony_password_analysis</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/A_brief_Sony_password_analysis</guid>
      <pubDate>Mon, 06 Jun 2011 04:59:36 GMT</pubDate>
    </item>
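<![CDATA[
The five figures quoted in the entry above are simple to reproduce on any leaked corpus once it is in hand. The script below is an added example written for this feed page, not code from the linked post: it computes the same four single-corpus measures (dictionary hits, length 7 or less, lowercase alphanumeric of 9 or less, no non-alphanumeric character) plus the cross-site reuse rate, over a handful of constructed (email, password) pairs for two fictitious sites and a toy common-password list. All addresses, passwords and dictionary words are made up for the demonstration and come from no real breach dump.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Added example for this feed entry, not the post author's code. Every
# password, address and dictionary word below is constructed for the
# demonstration; nothing here comes from a real breach dump.
COMMON_PASSWORDS: Set[str] = {"password", "123456", "qwerty", "abc123",
                              "letmein", "monkey", "seinfeld", "iloveyou"}

# Two sites' (email, password) dumps, as they would be joined on the address.
SITE_A: List[Tuple[str, str]] = [
    ("a@example.test", "seinfeld"),
    ("b@example.test", "Tr0ub4dor&3"),
    ("c@example.test", "monkey1"),
    ("d@example.test", "sunshine2011"),
    ("e@example.test", "P@ssw0rd!"),
    ("f@example.test", "abc123"),
]
SITE_B: List[Tuple[str, str]] = [
    ("a@example.test", "seinfeld"),
    ("b@example.test", "Tr0ub4dor&4"),
    ("c@example.test", "monkey1"),
    ("f@example.test", "abc123"),
]

LOWER_ALNUM = re.compile(r"^[a-z0-9]+$")   # lowercase letters and digits only
ALNUM = re.compile(r"^[A-Za-z0-9]+$")      # no symbol of any kind


def pct(count: int, total: int) -> int:
    """Whole-number percentage, 0 when the sample is empty."""
    return round(100.0 * count / total) if total else 0


def analyse(passwords: Iterable[str], dictionary: Set[str]) -> Dict[str, int]:
    """The four single-corpus measures from the post, over one dump."""
    pw = list(passwords)
    n = len(pw)
    return {
        "in_dictionary": pct(sum(1 for p in pw if p.lower() in dictionary), n),
        "len_7_or_less": pct(sum(1 for p in pw if len(p) <= 7), n),
        "lower_alnum_9_or_less": pct(
            sum(1 for p in pw if len(p) <= 9 and LOWER_ALNUM.match(p)), n),
        "no_symbol": pct(sum(1 for p in pw if ALNUM.match(p)), n),
    }


def reuse_rate(site_a: List[Tuple[str, str]],
               site_b: List[Tuple[str, str]]) -> int:
    """Of the accounts present in both dumps, the share reusing one password."""
    b = dict(site_b)
    shared = [(email, p) for email, p in site_a if email in b]
    same = sum(1 for email, p in shared if b[email] == p)
    return pct(same, len(shared))


def demo() -> Dict[str, int]:
    """Run every measure over the constructed dumps."""
    result = analyse((p for _, p in SITE_A), COMMON_PASSWORDS)
    result["reused_across_sites"] = reuse_rate(SITE_A, SITE_B)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %3d%%" % (key, value))
```

Swap in a real wordlist and the two dumps' credential files and the same functions give the post's style of figures; the reuse measure only counts accounts that appear in both dumps, since a password cannot be "reused" by an account that exists in one place.
]]>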
    <item>
      <title>Bad passwords are not fun and good entropy is always important</title>
      <description>A couple of different friends sent me over a link to an article about the usability of passwords this weekend, clearly thinking it would strike a chord. Well, let's just say I was enthralled before I even finished the second line: &amp;quot;Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice&amp;quot;

The crux of the article is that so long as a password is sufficiently long - the example used is "this is fun" - you're pretty damn secure (apparently 11 characters is just right). Actually, the term used was &amp;quot;secure forever&amp;quot;. Wow, two pretty absolute terms. So let's take a look at these and apply a bit of objective analysis to see if they hold water.

Does a brute force attack really only run at 100 attempts per second?

Is &amp;quot;this is fun&amp;quot; really 10 times more secure than &amp;quot;J4fS&amp;lt;2&amp;quot;?

Do rainbow tables really work by an attacker copying and pasting a hash into a website?

Are bad password management practices on the server really not your problem? &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f04%2fbad-passwords-are-not-fun-and-good.html"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f04%2fbad-passwords-are-not-fun-and-good.html" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Bad_passwords_are_not_fun_and_good_entropy_is_always_important</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Bad_passwords_are_not_fun_and_good_entropy_is_always_important</guid>
      <pubDate>Mon, 18 Apr 2011 07:44:38 GMT</pubDate>
    </item>
    <item>
      <title>.NET Security-Interview Questions-CodeGain</title>
      <description>Collection of interview questions on the .NET Framework. The questions belong to the general Framework and .NET Security sections. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.codegain.com%2finterviewquestions%2fdotnetframeworks%2fdotnet-security-interview-questions.aspx"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.codegain.com%2finterviewquestions%2fdotnetframeworks%2fdotnet-security-interview-questions.aspx" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/NET_Security_Interview_Questions_CodeGain</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/NET_Security_Interview_Questions_CodeGain</guid>
      <pubDate>Mon, 04 Apr 2011 08:09:32 GMT</pubDate>
    </item>
    <item>
      <title>Free PHP Encoder by TheBigSecurity</title>
      <description>The PHP obfuscator is an application that serves to protect PHP code from piracy. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fthebigsecurity.com%2f2011%2f03%2f09%2fonline-tool-php-encoder%2f"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fthebigsecurity.com%2f2011%2f03%2f09%2fonline-tool-php-encoder%2f" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Free_PHP_Encoder_by_TheBigSecurity</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Free_PHP_Encoder_by_TheBigSecurity</guid>
      <pubDate>Thu, 10 Mar 2011 07:50:18 GMT</pubDate>
    </item>
    <item>
      <title>Creating an Asymmetric or Symmetric Cryptography Secure Stream without</title>
      <description>How to create a secure stream that uses asymmetric cryptography to connect and symmetric cryptography to continue, without the need for SSL or certificates. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fthebigsecurity.com%2f2011%2f03%2f08%2fcreating-an-asymmetric-or-symmetric-cryptography-secure-stream-without-ssl%2f"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fthebigsecurity.com%2f2011%2f03%2f08%2fcreating-an-asymmetric-or-symmetric-cryptography-secure-stream-without-ssl%2f" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Creating_an_Asymmetric_or_Symmetric_Cryptography_Secure_Stream_without</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Creating_an_Asymmetric_or_Symmetric_Cryptography_Secure_Stream_without</guid>
      <pubDate>Thu, 10 Mar 2011 07:53:35 GMT</pubDate>
    </item>
    <item>
      <title>SQL Injection vs. Lethal Injection / Protection Against SQL Injection</title>
      <description>SQL Injection and Lethal Injection... They are both dangerous and they can easily be fatal. But how? What is SQL Injection and how can it affect my project? The answers are in this blog post. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.tugberkugurlu.com%2f42"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.tugberkugurlu.com%2f42" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/SQL_Injection_vs_Lethal_Injection_Protection_Against_SQL_Injection</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/SQL_Injection_vs_Lethal_Injection_Protection_Against_SQL_Injection</guid>
      <pubDate>Sat, 05 Mar 2011 12:31:00 GMT</pubDate>
    </item>
    <item>
      <title>Salted Password Hashing</title>
      <description>There are many ways in which passwords can be stored, with varying levels of security. Salted password hashing uses a non-reversible hashing algorithm with the inclusion of a randomised element to make it more difficult to obtain user passwords. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.blackwasp.co.uk%2fSaltedPasswordHashing.aspx"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.blackwasp.co.uk%2fSaltedPasswordHashing.aspx" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/Salted_Password_Hashing</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/Salted_Password_Hashing</guid>
      <pubDate>Mon, 07 Feb 2011 07:48:31 GMT</pubDate>
    </item>
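<![CDATA[
Both the entry above and the earlier "Secure user authentication with one way password hash" entry describe storing a random per-user salt together with a one-way hash of the password. The code below is an added example for this feed page, not code from either linked post: it prepends a 16-byte random salt to the derived key so that one stored blob carries both, and verifies a login by splitting the blob, recomputing with the stored salt and comparing in constant time. The key-derivation function is PBKDF2-HMAC-SHA256 from Python's standard library, chosen here as a deliberately slow, iterated hash in the spirit of the bcrypt recommendation the earlier entry mentions; the salt size, output size and iteration count are this example's own choices. The design assumption is that the salt in the stored blob is public and the work factor carries the defence against offline cracking.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example, not code from either linked post. The parameters below are
# this example's own choices rather than values taken from the feed.
SALT_BYTES = 16          # 128-bit random salt, fresh for every password
HASH_BYTES = 32          # length of the derived key stored after the salt
ITERATIONS = 100_000     # PBKDF2 work factor; raise it as hardware speeds up
DIGEST = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password, salt).

    The salt is prepended to the derived key so a single stored blob holds
    everything needed to verify the password later. A per-user random salt
    makes every user's hash unique, so one precomputed table or one cracking
    pass cannot cover the whole user table at once.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly %d bytes" % SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt,
                                  ITERATIONS, dklen=HASH_BYTES)
    return salt + derived


def verify_password(password: str, stored: bytes) -> bool:
    """Split the stored blob back into salt and digest, recompute, compare."""
    if len(stored) != SALT_BYTES + HASH_BYTES:
        return False            # truncated or tampered record never verifies
    salt = stored[:SALT_BYTES]
    expected = stored[SALT_BYTES:]
    candidate = hash_password(password, salt)[SALT_BYTES:]
    # Constant-time comparison so a partial match does not leak via timing.
    return hmac.compare_digest(candidate, expected)


def demo() -> Dict[str, object]:
    """Constructed sample: two users pick the same password."""
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    return {
        "stored_length": len(alice),
        "same_password_different_blob": alice != bob,
        "alice_ok": verify_password("correct horse", alice),
        "alice_wrong_case": verify_password("Correct horse", alice),
        "bob_ok": verify_password("correct horse", bob),
        "truncated_blob": verify_password("correct horse", alice[:-1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-30s %s" % (key, value))
```

In a real store, record the iteration count alongside the blob (or in a versioned prefix) so it can be raised later and old hashes rehashed on the user's next successful login rather than invalidated.
]]>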
    <item>
      <title>SSL is not about encryption</title>
      <description>It's about assurance. It's about establishing a degree of trust in a site's legitimacy that's sufficient for you to confidently transmit and receive data with the knowledge that it's reaching its intended destination without being intercepted or manipulated in the process.

Last week I wrote a (slightly) tongue-in-cheek post about the Who's who of bad password practices. I was critical of a number of sites not implementing SSL as no indication of it was present in the browser. "But wait!" some commenters shouted, "you can still post to HTTPS and the data will be encrypted" they yelled, "stop propagating fear and misunderstanding", they warned.

I thought carefully about these responses and made a little update at the end of the post but the story of posting data from HTTP to HTTPS is worth more than just a footnote. The real misunderstanding in this story is believing that just because the credentials are encrypted in transit, SSL has been properly implemented. Let's take a good look at what's wrong with that belief and why there's more to SSL than just encryption. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetkicks.com/kick/?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f01%2fssl-is-not-about-encryption.html"&gt;&lt;img src="http://www.dotnetkicks.com/Services/Images/KickItImageGenerator.ashx?url=http%3a%2f%2fwww.troyhunt.com%2f2011%2f01%2fssl-is-not-about-encryption.html" border="0" alt="kick it on DotNetKicks.com" /&gt;&lt;/a&gt;
</description>
      <link>http://www.dotnetkicks.com/security/SSL_is_not_about_encryption</link>
      <guid isPermaLink="true">http://www.dotnetkicks.com/security/SSL_is_not_about_encryption</guid>
      <pubDate>Mon, 24 Jan 2011 15:41:15 GMT</pubDate>
    </item>
  </channel>
</rss>
