10/13/2013 08:39:00 AM
SSL Labs A grade
I guess it was long overdue for me to follow up on my Hardening Windows Server 2003 SSL/TLS configuration and Windows server 2003 vs 2008, SSL/TLS comparison posts. They were two of my very first blog posts and they still receive a
09/14/2013 16:50:00 PM
Just a quick note on an error I often run into when I'm working on my Azure applications. I usually create Azure packages and upload them by hand through the Azure management portal. Every so often I get the following error when I create the package i
07/16/2013 19:50:00 PM
OWASP recently released their Top Ten 2013 list of web application vulnerabilities. If you compare the list to the 2010 version you'll see that Broken Authentication and Session Management
06/29/2013 10:50:00 AM
Microsoft's widely used e-mail service Hotmail was recently overhauled and rebranded Outlook.com. One of the less known services they provide is the support for custom domains. A couple of months ago, I was looking for a new (preferably free) e-mail
03/03/2013 16:46:00 PM
The .NET 4.5 framework was released a couple of months ago and it included several improvements in the security area. To benefit from these improvements you need to do a few changes to your application's configuration file. The documentation is a bit
01/09/2013 16:07:00 PM
Recently I wrote a piece of software that needed some configurable secrets and they needed to be VERY secret. Consequently, I had to encrypt a custom configuration section. Unfortunately, I quickly ran into trouble and got an error message along
09/06/2012 16:31:00 PM
Security headers in an HTTP response
There are many things to consider when securing a web application but a definite "quick win" is to start taking advantage of the security HTTP response headers that are supported in most modern browsers. It doesn't matter which development platform you use to build your application, these headers will make a notable difference for the security of your website anyway!
The screenshot shows what the security headers look like. The security headers are included [..]
07/29/2012 12:07:00 PM
Guids are used extensively throughout Microsoft systems and developers tend to turn to Guid.NewGuid() whenever they need to create a value to uniquely identify something. Guids might also be used as keys or identifiers in security critical operations under the assumption that they are hard to guess for an attacker. I've been looking around the Internet to see if I could find some guidance on Guid security along with details on how they are generated in the .NET framework. I couldn't find much [..]
05/15/2012 11:57:00 AM
A couple of weeks ago I was remotely involved in a discussion on password hashing in .NET with @thorsheim, @skradel, and @troyhunt. (Follow them if you're on Twitter). The background for the discussion was that password hashing using MD5/SHA-1/SHA-256 isn't quite the state of the art anymore. All the recent password breaches have triggered recommendations to make password cracking harder. The algorithms that are usually recommended are PBKDF2 (Password based key derivation function), bcrypt, or [..]
05/13/2012 12:51:00 PM
I noticed some unexpected activity on my Facebook wall the other day. I have a special list of "friends," who aren't really friends but more acquaintances. I have used that list to block them from seeing much of what's going on on my Facebook wall (hey, we can still be "friends" right?).
04/26/2012 07:32:00 AM
Tomorrow I'll be giving a talk at the ROOTS conference: Getting authentication right. It seems that the program
04/17/2012 12:02:00 PM
Every once in a while I've really missed having a Unix shell on my Windows box.
03/19/2012 04:45:00 AM
Vittorio Bertocci has shared some exciting news about the upcoming WIF tools for Visual Studio 11 on his blog. The tools look really nice, especially the local development STS. Here are the direct links (for future reference):
WIF Tools for Visual Studio 11 Part I: Using The Local Development STS
WIF Tools for Visual Studio 11 Part II: Manipulating Common WIF Settings From the UI
WIF Tools for Visual Studio 11 Part III: Connecting With a Business STS (e.g. ADFS2)
WIF Tools for Visual Studio 11 [..]
03/06/2012 10:08:00 AM
Yesterday I was playing around with the validateIntegratedModeConfiguration="true" setting on IIS 7.5. To my surprise I got an empty response back, with no indication of what went wrong.
Looking at the response with Fiddler yields:
HTTP/1.1 500 Internal Server Error
Date: Mon, 05 Mar 2012 15:59:52 GMT
There's not much to work with here! I checked the event log, there was nothing there. So I started looking around for an erro [..]
03/02/2012 11:11:00 AM
Windows Identity Foundation (WIF) is vulnerable to replay attacks of security tokens in its default configuration. The "Replay Detection" article on MSDN presents a good example of how things can go wrong without the replay detection (why does everyone have to use online banking as their example?):
As another example, suppose that a user opens a browser on a public kiosk, logs on to a bank account using the bank's Web site, logs off and leaves, but does not close the browser. The response to the [..]
02/20/2012 11:22:00 AM
Today I had to add a new HttpModule to A LOT of web.configs. Adding it manually would be too tedious, so I had to figure out how to search for a single line in Visual Studio 2010 and replace it with two lines of text. If I could only find a way to search for some text, and replace it with several lines of text!
Google turned up some hints about the Regex search, but no apparent solutions. After playing around a bit with the regex search in Visual Studio, I found that it supports multiline text [..]
01/11/2012 13:15:00 PM
In connection with a bug in TransformTool, I've been looking into how text encoding is handled in the .NET framework. Turns out there are some caveats that can affect the correctness of a program, and when used in e.g. password validation they might turn out to be severe security issues.
This post assumes you are somewhat familiar with how character encodings work. You might want to check out my Introduction to character encoding if you're not. I wrote it mainly because I didn't want to explain [..]
01/08/2012 13:58:00 PM
"FACE WITH TEARS OF JOY" (U+1F602)
Text encoding is a persistent source of pain and problems, especially when you need to communicate textual information across different systems. Every time you read or create an xml-file, a text file, a web page, or an e-mail, the text is encoded in some way. If the encoding is messed up along the way, the receiver will be looking at strange characters instead of the ori?inal t?xt. (ba-da-bing :)
I've been fighting with character sets on several occasions th [..]
12/16/2011 06:18:00 AM
Last week the IE team announced that they'll soon start to automatically upgrade IE across Windows 7, XP, and Vista through Windows Update. A follow up from Microsoft's IT pro team details that IE 6 and IE 7 will be upgraded to IE 8 on Windows XP, while Vista and Windows 7 users will get IE 9. With Microsoft joining the herd of auto-upgraders the final pieces of the puzzle start to fall into place, now "everybody" does it. Other major browser manufacturers (Opera, Chrome, and Firefox) have been [..]
12/13/2011 07:42:00 AM
Just now on Facebook I got the following advertisement:
I didn't quite react at the first glance, since every once in a while you get served the ads for "Russian ladies looking for love" etc. (hope I'm not the only one getting those). Then I realized that this ad was for Match.com! That's amazing. I clicked on it, and yes, it led me to: no.match.com.
The title of the ad suggests that it leads to one of the more sleazy sites on the Internet. If you do a Google search for free pics of women, [..]
11/05/2011 09:14:00 AM
A couple of months ago I blogged about Giving up your privacy for nothing at Yahoo News, ranting about how the Tweet button on a Yahoo News article required you to give complete control of your Twitter account to some Twitter application. Well, I just had a more encouraging experience!
You've probably heard about this Klout thing. On Twitter there have lately been several reports of people getting Klout perks, so I became a bit curious on how all of this worked. After all, there's not that many [..]
11/02/2011 14:01:00 PM
Are you using one of the many web pages that let you base64 decode data? In that case you should take a moment to think about the nature of the data you want to decode and what those pages could be doing with the data apart from showing you the decoded version.
tl;dr: Check out transformtool.codeplex.com for an offline alternative to the online Base64 decoders.
Google's keyword tool reports 9,900 monthly searches for "base64 decode online". How many of these searches lead to disclosure of se [..]
10/22/2011 06:40:00 AM
Oracle recently released an update to its Java software, fixing more than 20 critical security issues in the software. Krebs has a good post on the update, briefly discussing the vulnerabilities and the fact that Java vulnerabilities are exploited for real.
I have to say that in recent years I've installed Java more due to habit than because of an actual need for the software. So when I got the update bubble in the corner of my screen, I figured "of course". I knew they, among other things, fi [..]
10/09/2011 15:50:00 PM
Early this year Google started rolling out their new two-factor authentication procedure, which they refer to as 2-step verification. On their corporate blog they provided a few hints on why they were rolling out a new authentication procedure mentioning risks associated with password reuse and phishing attacks. 2-step verification is now widely deployed, by June it was available in 150 countries, and in 40 different languages.
Of course, I took interest in how the two-step verification was [..]
10/08/2011 07:28:00 AM
Mozilla now aims to add silent updates to Firefox much like Chrome and Opera already do, as summarized in this Computerworld article. This marks an important milestone, and is an important follow up to Mozilla's decision back in June to auto-upgrade the then soon-to-be unsupported Firefox 3.5. Back then, I blogged about the importance of the bold decision to NOT leave users behind on an unsupported version.
Later in June when Firefox 5 was released, Firefox 4 users were prompted to upda [..]
09/16/2011 15:08:00 PM
My bug reporting has been on fire lately. This week I received confirmation from the Google security team that a security bug I reported was found worthy of a reward (a couple of weeks ago Google fixed some issues in their two-step verification procedure). I'll be blogging the details on the security issue anytime soon.
Just now, my hotmail told me that the Visual Studio 2010 firewall setup bug I blogged about last month will be fixed in the next major release of Visual Studio. Cool!
Now, if I [..]
06/23/2011 12:39:00 PM
This weekend I read a somewhat disturbing article on Yahoo News about a Jewish court sentencing a dog to death by stoning by children and decided to share the story on Twitter. Most news sites include buttons to conveniently tweet articles, Yaho
06/21/2011 16:23:00 PM
Following up on my recent blog post on how auto-upgrade as opposed to auto-update of web browsers can help make the Internet a safer place, here is the prompt I just got from Firefox 4:
Gotta love it! Firefox 5 is a "security and stability update".
06/19/2011 12:11:00 PM
I finally got around to publishing the slides for the two talks I did in May: the talk about the online banking trojans at the DND/ISACA/ISF member meeting as well as the lightning talk on browser security at the Roots conference. I figured I'd give Goo
06/14/2011 11:43:00 AM
I've installed the 32-bit version of the Windows Identity Foundation runtime on my x64 Windows 7 installation. It does not play well if you run the application pool in 64-bit mode:
Exception Details: System.BadImageFormatException: Could not load fi
06/12/2011 08:35:00 AM
The Firefox team has decided to stop supporting Firefox 3.5. They've put a great deal of thought into how they will handle the ~12 million Firefox 3.5 installations around the world. Firefox 3.5 will be updated to the latest 3.6 version, through the
05/22/2011 13:45:00 PM
I'll be giving a lightning talk at the Roots Conference Bergen 2011 tomorrow. I'm excited, I've given quite a few talks but never a lightning talk. It's always fun to take on new challenges!
It'll be interesting to attend the rest of the program as
05/17/2011 16:51:00 PM
IIS refuses to serve static files that cannot be mapped to a particular MIME type. Since I'm a Windows n00b I spent some time figuring this out for myself. Here's what happened, and how to deal with it.
I tried to serve a proxy.pac file from the IIS
05/16/2011 11:16:00 AM
I'm baffled. IIS 7.5 does not log to files by default, you have to enable the feature manually. In the settings it's called "HTTP logging", here's how to enable it:
If you can't find IIS log files in C:\inetpub\logs you should open your IIS Manager
05/02/2011 05:55:00 AM
I'll be giving a talk today at a member meeting for The Norwegian computer society, The Norwegian information security forum, and the ISACA Norway chapter in Bergen, Norway. The talk will be given in Norwegian. Hope to see you there!
The talk i
04/13/2011 16:49:00 PM
I've just wasted a couple of hours trying to install Windows 7 on a laptop. I downloaded the Windows 7 Enterprise Edition x32 image from MSDN, burned it to a cd, and thought that all was well.
To my surprise I got this interesting error messag
04/05/2011 17:19:00 PM
Norwegian media reports of a supposed attack on Norwegian Facebook users, here's a link to the Norwegian news article.
Facebook users are calling their local police about the incident, phones started ringing at 22:15 CEST. At the time of writ
04/03/2011 17:48:00 PM
The other day, I received an "encrypted e-mail" through the Cisco Registered Envelope Service. Their "about" page states:
If the envelope is password-protected, it can only be opened by authorized recipients who authenticate themselves. If you are a
04/01/2011 18:02:00 PM
The last couple of months large players such as Microsoft, Google, and Facebook have announced changes to their login procedures and how they authenticate their users. Facebook and Hotmail offer single-use codes to avoid compromise of users' regular
03/26/2011 05:37:00 AM
If you work in an environment where several people fiddle around on the same servers, every once in a while you'll get the message "The terminal server has exceeded the maximum number of allowed connections" when you try to log on to a shared server
03/07/2011 16:31:00 PM
Researcher Jon Oberheide explains on his blog how users can be tricked into installing apps on their Android phones through an XSS vulnerability! This tops off the last week's fuss about Android security.
On Saturday, the Google mobile team blogge
02/14/2011 14:58:00 PM
I just got a new and shiny iPhone, and I wanted to sync a few Google calendars to it. It took a bit of Googling to figure out how to do it, so here's the recipe.
First, check out this article to do the initial account setup for your Google account i
02/06/2011 16:36:00 PM
I just read an interesting article on the Naked Security blog: New Android Market web store could open backdoor for phone hackers. Turns out, you can trigger installation of applications from the store and the installation procedure will si
01/26/2011 17:44:00 PM
Just a comment on the latest blog post on security by one of the Facebook engineers.
First, it's a good thing that Facebook finally offers its users the most fundamental of all security measures, a secure connection to their website. Still I would h
01/24/2011 13:21:00 PM
If one of your ASP.NET applications needs access to a certificate from the certificate store along with its private key, you'll probably run into trouble. The private key is saved in a special file with an unguessable name. It's not readable for ev
01/17/2011 14:52:00 PM
I just discovered that Facebook reveals to search engines the users who "Like" a page, regardless of their privacy settings. Try a Google search and see for yourself, if you've disabled "Public Search" for your profile, that is:
01/13/2011 11:43:00 AM
Well, when I have trouble reaching particular websites I often check whether Google works to verify that my Internet connection is working ok. The assumption: Google is always online.
However, just now:
And yes, for once I was able to
01/11/2011 15:02:00 PM
A couple of days ago I tweeted that I had trouble with NewTwitter. It turns out that Twitter does not work correctly with Safari in "Private mode." At the time, only the top bar would load, no other content was visible in my browser. After switching
01/11/2011 11:12:00 AM
I just found out that Terminal services manager does not exist in Windows 7. But fear not, the Remote Desktop Services Manager will do the trick. It is included in the Remote Server Administration Tools for Windows 7, which can be downloaded fro
01/06/2011 11:01:00 AM
I stumbled across a great series of articles on how the .Net configuration features can be used:
Unraveling the Mysteries of .NET 2.0 Configuration by Jon Rista.
You'll find the MSDN documentation for System.Configuration here.
01/01/2011 08:03:00 AM
Yesterday I blogged that MSDN subscribers got an Azure subscription for free. Today, I decided to activate an Azure subscription and take the first small steps into the cloud.
The ancient browser problem
I've been using Opera as my primary browse
12/31/2010 09:19:00 AM
Well, some terms apply:
Windows Azure Platform Benefits for MSDN Subscribers
And also a notice of warning:
You'll need your credit card to sign up. If you use more than the amount of services included with your MSDN subscription, we'll bill your ca
12/18/2010 16:36:00 PM
A couple of weeks ago I attended a great talk by Dominick Baier on WIF (Windows Identity Foundation) at an NNUG meeting. I've been contemplating for some time to dig into WIF and learn first hand just how beneficial the framework is. Mr. Baier's