Published on 2013-03-03 16:46:00
The .NET 4.5 framework was released a couple of months ago and it included several improvements in the security area. To benefit from these improvements you need to do a few changes to your application's configuration file. The documentation is a bit
Published on 2013-01-09 16:07:00
Recently I wrote a piece of software that needed some configurable secrets — and they needed to be VERY secret. Consequently, I had to encrypt a custom configuration section. Unfortunately, I quickly ran into trouble and got an error message along
Published on 2012-09-06 16:31:00
Security headers in an HTTP response
There are many things to consider when securing a web application but a definite "quick win" is to start taking advantage of the security HTTP response headers that are supported in most modern browsers. It doesn't matter which development platform you use to build your application, these headers will make a notable difference for the security of your website anyway!
The screenshot shows what the security headers look like. The security headers are included [..]
Published on 2012-07-29 12:07:00
Guids are used extensively throughout Microsoft systems and developers tend to turn to Guid.NewGuid() whenever they need to create a value to uniquely identify something. Guids might also be used as keys or identifiers in security critical operations — under the assumption that they are hard to guess for an attacker. I've been looking around the Internet to see if I could find some guidance on Guid security along with details on how they are generated in the .NET framework. I couldn't find muc [..]
Published on 2012-05-15 11:57:00
A couple of weeks ago I was remotely involved in a discussion on password hashing in .NET with @thorsheim, @skradel, and @troyhunt. (Follow them if you're on Twitter). The background for the discussion was that password hashing using MD5/SHA-1/SHA-256 isn't quite the state of the art anymore. All the recent password breaches have triggered recommendations to make password cracking harder. The algorithms that are usually recommended are PBKDF2 (Password based key derivation function), bcrypt, or [..]
Published on 2012-05-13 12:51:00
I noticed some unexpected activity on my Facebook wall the other day. I have a special list of "friends," who aren't really friends but more acquaintances. I have used that list to block them from seeing much of what's going on on my Facebook wall (hey, we can still be "friends" right?).
Published on 2012-04-26 07:32:00
Tomorrow I'll be giving a talk at the ROOTS conference: Getting authentication right. It seems that the program
Published on 2012-04-17 12:02:00
Every once in a while I've really missed having a Unix shell on my Windows box.
Published on 2012-03-19 04:45:00
Vittorio Bertocci has shared some exciting news about the upcoming WIF tools for Visual Studio 11 on his blog. The tools look really nice, especially the local development STS. Here are the direct links (for future reference):
WIF Tools for Visual Studio 11 Part I: Using The Local Development STS
WIF Tools for Visual Studio 11 Part II: Manipulating Common WIF Settings From the UI
WIF Tools for Visual Studio 11 Part III: Connecting With a Business STS (e.g. ADFS2)
WIF Tools for Visual Studio 11 [..]
Published on 2012-03-06 10:08:00
Yesterday I was playing around with the validateIntegratedModeConfiguration="true" setting on IIS 7.5. To my surprise I got an empty response back, with no indication of what went wrong.
Looking at the response with Fiddler yields:
HTTP/1.1 500 Internal Server Error
Date: Mon, 05 Mar 2012 15:59:52 GMT
There's not much to work with here! I checked the event log, there was nothing there. So I started looking around for an erro [..]
Published on 2012-03-02 11:11:00
Windows Identity Foundation (WIF) is vulnerable to replay attacks of security tokens in its default configuration. The "Replay Detection" article on MSDN presents a good example of how things can go wrong without the replay detection (why does everyone have to use online banking as their example?):
As another example, suppose that a user opens a browser on a public kiosk, logs on to a bank account using the bank’s Web site, logs off and leaves, but does not close the browser. The response to th [..]
Published on 2012-02-20 11:22:00
Today I had to add a new HttpModule to A LOT of web.configs. Adding it manually would be too tedious, so I had to figure out how to search for a single line in Visual Studio 2010 and replace it with two lines of text. If I could only find a way to search for some text, and replace it with several lines of text!
Google turned up some hints about the Regex search, but no apparent solutions. After playing around a bit with the regex search in Visual Studio, I found that it supports multiline text [..]
Published on 2012-01-11 13:15:00
In connection with a bug in TransformTool, I've been looking into how text encoding is handled in the .NET framework. Turns out there are some caveats that can affect the correctness of a program, and when used in e.g. password validation they might turn out to be severe security issues.
This post assumes you are somewhat familiar with how character encodings work. You might want to check out my Introduction to character encoding if you're not. I wrote it mainly because I didn't want to explain [..]
Published on 2012-01-08 13:58:00
"FACE WITH TEARS OF JOY" (U+1F602)
Text encoding is a persistent source of pain and problems, especially when you need to communicate textual information across different systems. Every time you read or create an xml-file, a text file, a web page, or an e-mail, the text is encoded in some way. If the encoding is messed up along the way, the receiver will be looking at strange characters instead of the ori�inal t□xt. (ba-da-bing :)
I've been fighting with character sets on several occasion [..]
Published on 2011-12-16 06:18:00
Last week the IE team announced that they'll soon start to automatically upgrade IE across Windows 7, XP, and Vista through Windows Update. A follow up from Microsoft's IT pro team details that IE 6 and IE 7 will be upgraded to IE 8 on Windows XP, while Vista and Windows 7 users will get IE 9. With Microsoft joining the herd of auto-upgraders the final pieces of the puzzle start to fall into place, now "everybody" does it. Other major browser manufacturers (Opera, Chrome, and Firefox) have been [..]
Published on 2011-12-13 07:42:00
Just now on Facebook I got the following advertisement:
I didn't quite react at the first glance, since every once in a while you get served the ads for "Russian ladies looking for love" etc. (hope I'm not the only one getting those). Then I realized that this ad was for Match.com! That's amazing. I clicked on it, and yes, it led me to: no.match.com.
The title of the ad suggests that it leads to one of the more sleazy sites on the Internet. If you do a Google search for free pics of women, [..]
Published on 2011-11-05 09:14:00
A couple of months ago I blogged about Giving up your privacy for nothing at Yahoo News, ranting about how the Tweet button on a Yahoo News article required you to give complete control of your Twitter account to some Twitter application. Well, I just had a more encouraging experience!
You've probably heard about this Klout thing. On Twitter there have lately been several reports of people getting Klout perks, so I became a bit curious on how all of this worked. After all, there's not that many [..]
Published on 2011-11-02 14:01:00
Are you using one of the many web pages that let you base64 decode data? In that case you should take a moment to think about the nature of the data you want to decode and what those pages could be doing with the data — apart from showing you the decoded version.
tl;dr: Check out transformtool.codeplex.com for an offline alternative to the online Base64 decoders.
Google's keyword tool reports 9,900 monthly searches for "base64 decode online". How many of these searches lead to disclosure of s [..]
Published on 2011-10-22 06:40:00
Oracle recently released an update to its Java software, fixing more than 20 critical security issues in the software. Krebs has a good post on the update, briefly discussing the vulnerabilities and the fact that Java vulnerabilities are exploited for real.
I have to say that in recent years I've installed Java more due to habit than because of an actual need for the software. So when I got the update bubble in the corner of my screen, I figured "of course". I knew they, among other things, fi [..]
Published on 2011-10-09 15:50:00
Early this year Google started rolling out their new two-factor authentication procedure, which they refer to as 2-step verification. On their corporate blog they provided a few hints on why they were rolling out a new authentication procedure — mentioning risks associated with password reuse and phishing attacks. 2-step verification is now widely deployed, by June it was available in 150 countries, and in 40 different languages.
Of course, I took interest in how the two-step verification was [..]
Published on 2011-10-08 07:28:00
Mozilla now aims to add silent updates to Firefox — much like Chrome and Opera already do — as summarized in this Computerworld article. This marks an important milestone, and is an important follow up to Mozilla's decision back in June to auto-upgrade the then soon-to-be unsupported Firefox 3.5. Back then, I blogged about the importance of the bold decision to NOT leave users behind on an unsupported version.
Later in June when Firefox 5 was released, Firefox 4 users were prompted to up [..]
Published on 2011-09-16 15:08:00
My bug reporting has been on fire lately. This week I received confirmation from the Google security team that a security bug I reported was found worthy of a reward (a couple of weeks ago Google fixed some issues in their two-step verification procedure). I'll be blogging the details on the security issue anytime soon.
Just now, my hotmail told me that the Visual Studio 2010 firewall setup bug I blogged about last month will be fixed in the next major release of Visual Studio. Cool!
Now, if I [..]
Published on 2011-06-23 12:39:00
This weekend I read a somewhat disturbing article on Yahoo News about a Jewish court sentencing a dog to death by stoning by children and decided to share the story on Twitter. Most news sites include buttons to conveniently tweet articles, Yaho
Published on 2011-06-21 16:23:00
Following up on my recent blog post on how auto-upgrade as opposed to auto-update of web browsers can help make the Internet a safer place, here is the prompt I just got from Firefox 4:
Gotta love it! Firefox 5 is a "security and stability update".
Published on 2011-06-19 12:11:00
I finally got around to publishing the slides for the two talks I did in May: the talk about the online banking trojans at the DND/ISACA/ISF member meeting as well as the lightning talk on browser security at the Roots conference. I figured I'd give Goo
Published on 2011-06-14 11:43:00
I've installed the 32-bit version of the Windows Identity Foundation runtime on my x64 Windows 7 installation. It does not play well if you run the application pool in 64-bit mode:
Exception Details: System.BadImageFormatException: Could not load fi
Published on 2011-06-12 08:35:00
The Firefox team has decided to stop supporting Firefox 3.5. They've put a great deal of thought into how they will handle the ~12 million Firefox 3.5 installations around the world. Firefox 3.5 will be updated to the latest 3.6 version, through the
Published on 2011-05-22 13:45:00
I'll be giving a lightning talk at the Roots Conference Bergen 2011 tomorrow. I'm excited, I've given quite a few talks but never a lightning talk. It's always fun to take on new challenges!
It'll be interesting to attend the rest of the program as
Published on 2011-05-17 16:51:00
IIS refuses to serve static files that cannot be mapped to a particular MIME type. Since I'm a Windows n00b I spent some time figuring this out for myself. Here's what happened, and how to deal with it.
I tried to serve a proxy.pac file from the IIS
Published on 2011-05-16 11:16:00
I'm baffled. IIS 7.5 does not log to files by default, you have to enable the feature manually. In the settings it's called "HTTP logging", here's how to enable it:
If you can't find IIS log files in C:\inetpub\logs you should open your IIS Manager
Published on 2011-05-02 05:55:00
I'll be giving a talk today at a member meeting for The Norwegian computer society, The Norwegian information security forum, and the ISACA Norway chapter in Bergen, Norway. The talk will be given in Norwegian. Hope to see you there!
The talk i
Published on 2011-04-13 16:49:00
I've just wasted a couple of hours trying to install Windows 7 on a laptop. I downloaded the Windows 7 Enterprise Edition x32 image from MSDN, burned it to a cd, and thought that all was well.
To my surprise I got this interesting error messag
Published on 2011-04-05 17:19:00
Norwegian media reports of a supposed attack on Norwegian Facebook users, here's a link to the Norwegian news article.
Facebook users are calling their local police about the incident, phones started ringing at 22:15 CEST. At the time of writ
Published on 2011-04-03 17:48:00
The other day, I received an "encrypted e-mail" through the Cisco Registered Envelope Service. Their "about" page states:
If the envelope is password-protected, it can only be opened by authorized recipients who authenticate themselves. If you are a
Published on 2011-04-01 18:02:00
The last couple of months large players such as Microsoft, Google, and Facebook have announced changes to their login procedures and how they authenticate their users. Facebook and Hotmail offer single-use codes to avoid compromise of users' regular
Published on 2011-03-26 05:37:00
If you work in an environment where several people fiddle around on the same servers, every once in a while you'll get the message "The terminal server has exceeded the maximum number of allowed connections" when you try to log on to a shared server
Published on 2011-03-07 16:31:00
Researcher Jon Oberheide explains on his blog how users can be tricked into installing apps on their Android phones — through an XSS vulnerability! This tops off last week's fuss about Android security.
On Saturday, the Google mobile team blogge
Published on 2011-02-14 14:58:00
I just got a new and shiny iPhone, and I wanted to sync a few Google calendars to it. It took a bit of Googling to figure out how to do it, so here's the recipe.
First, check out this article to do the initial account setup for your Google account i
Published on 2011-02-06 16:36:00
I just read an interesting article on the Naked Security blog: New Android Market web store could open backdoor for phone hackers. Turns out, you can trigger installation of applications from the store and the installation procedure will si
Published on 2011-01-26 17:44:00
Just a comment on the latest blog post on security by one of the Facebook engineers.
First, it's a good thing that Facebook finally offers its users the most fundamental of all security measures, a secure connection to their website. Still I would h
Published on 2011-01-24 13:21:00
If one of your ASP.NET applications needs to access a certificate from the certificate store along with its private key, you'll probably run into trouble. The private key is saved in a special file with an unguessable name. It's not readable for ev
Published on 2011-01-17 14:52:00
I just discovered that Facebook reveals to search engines the users who "Like" a page, regardless of their privacy settings. Try a Google search and see for yourself — if you've disabled "Public Search" for your profile that is:
Published on 2011-01-13 11:43:00
Well, when I have trouble reaching particular websites I often check whether Google works — to verify that my Internet connection is working ok. The assumption: Google is always online.
However, just now:
And yes, for once I was able to
Published on 2011-01-11 15:02:00
A couple of days ago I tweeted that I had trouble with NewTwitter. It turns out that Twitter does not work correctly with Safari in "Private mode." At the time, only the top bar would load, no other content was visible in my browser. After switching
Published on 2011-01-11 11:12:00
I just found out that Terminal services manager does not exist in Windows 7. But fear not, the Remote Desktop Services Manager will do the trick. It is included in the Remote Server Administration Tools for Windows 7, which can be downloaded fro
Published on 2011-01-06 11:01:00
I stumbled across a great series of articles on how the .Net configuration features can be used:
Unraveling the Mysteries of .NET 2.0 Configuration by Jon Rista.
You'll find the MSDN documentation for System.Configuration here.
Published on 2011-01-01 08:03:00
Yesterday I blogged that MSDN subscribers got an Azure subscription for free. Today, I decided to activate an Azure subscription and take the first small steps into the cloud.
The ancient browser problem
I've been using Opera as my primary browse
Published on 2010-12-31 09:19:00
Well, some terms apply:
Windows Azure Platform Benefits for MSDN Subscribers
And also a notice of warning:
You'll need your credit card to sign up. If you use more than the amount of services included with your MSDN subscription, we'll bill your ca
Published on 2010-12-18 16:36:00
A couple of weeks ago I attended a great talk by Dominick Baier on WIF (Windows Identity Foundation) at an NNUG meeting. I've been contemplating for some time to dig into WIF and learn first hand just how beneficial the framework is. Mr. Baier's