Hooked On Security Tools

יום שני, פברואר 19, 2007

I realized that for some reason lately I was concentrated on tools: Scriptomania - Scripting Tools and Utilities More Powerful Security Tool Most Powerful Security Tool This blog entry is about another security tool - ShareEnum(free download) I am about to conduct Security Deployment Inspection with some project and this tool might be very handy. Another handy utility could be TCPView (free download) to identify activity for TCP and UDP You must agree that this one is nicer than black and white netstat :)   All the rest of Sysinternals goodies are here: Enjoy.
תגיות: , ,
אין תגובות

Another One Is Totally Hacked. 70,000 Individuals Affected

יום רביעי, ינואר 31, 2007

From:http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9009784&source=rss_topic82 January 30, 2007 (Computerworld) -- The Vermont Agency of Human Services (AHS) today started sending letters to about 70,000 individuals in the state warning them of a computer compromise that may have exposed their Social Security numbers and other personal data. But the AHS server that was hacked stored the data in unencrypted fashion, said Heidi Tringe, communications director for the state agency. Tringe added that the AHS now plans to stop keeping the information on the server altogether. "The original design called for the computer to store the data," she said. "That will no longer happen." According...
אין תגובות

SOA, Strong Authentication, Standard Authorization – Cool Solution

יום שני, ינואר 29, 2007

I've previously blogged about SOA Security Inside Enterprise walls This time I had couple of pretty interesting requirements from one customer that targeted B2B/Partners scenario. They had a web site that communicates to partner's web services. His concerns were sincere and pretty fair: I want to manage my creds that I use to authenticate with the partner's web service in secure way I want to pass it it over the wire in secure standard way The partner won't do any major changes to his authorization schema inside the web service Authorization schema must be easy to managed and standard Without...
3 תגובות

Strong Passwords

יום שלישי, ינואר 16, 2007

Although passwords are weakest way for authentication one can raise the security bar by creating strong passwords that hard to crack. Here are some guidelines from guidance explorer for creating strong passwords: DO use a password with mixed-case letters. Use uppercase letters throughout the password. DO NOT just capitalize the first letter, but add uppercase letters throughout the password. DO NOT use a network login ID in any form (reversed, capitalized, or doubled as a password). DO use a password that contains alphanumeric characters and include punctuation, such as ! and $. DO NOT use your...
אין תגובות

Password Cracking Tools For SQL Server

יום שלישי, ינואר 2, 2007

I was reading what's new in sql 2005 sp1 here http://www.microsoft.com/sql/sp1.mspx and in the end there is nice pointer to this: Password cracking tools for SQL Server: SearchSQLServer.com (May 9, 2006) which explains in details how to crack SQL passwords using say Cain and Abel or other juicy tools. How to get protected? Always use Windows Integrated Authentication to connect to SQL Server How do I use windows authentication for connecting to SQL server? When using Windows authentication, how can I give the default ASP.NET worker process access to a remote database server?...
אין תגובות

ScottGu Hits Again

יום רביעי, דצמבר 27, 2006

Fully blown tutorial on how to deploy web site AND it's database using new shiny free tool - SQL Server Hosting Toolkit Enjoy! - I did :)
תגיות: ,
אין תגובות

This is How They Will Hack Your Wired Network

יום שלישי, דצמבר 26, 2006

First They will get some network sniffing tool. I am extremely proud MS recently released shiny new NETMON 3 that can be downloaded for FREE here https://connect.microsoft.com/availableconnections.aspx and the team manages very nice blog here http://blogs.technet.com/netmon/default.aspx that explains in very detailed manner how to capture, filter network traffic and even automate all this. After studying all this, first thing I believe They try to sniff HTTP traffic applying proper filter: and looking for juicy information like passwords or business critical information between the frames They've captured: How to get protected? Avoid sending sensitive information over the wire....
אין תגובות

Do Not Depend on Strong Name Identity Permissions in Full Trust Scenarios

יום שבת, דצמבר 23, 2006

From: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGGuidelines0003.asp?frame=true#pagguidelines0003_strongnames If you protect your code with a link demand for a StrongNameIdentityPermission to restrict the code that can call your code, be aware that this only works for partial trust callers. The link demand will always succeed for full trust callers, regardless of the strong name of the calling code. In .NET Framework 2.0, any fully trusted assembly will satisfy any demand, including a link demand for an identity permission that the assembly does not satisfy. In .NET Framework 1.0, this did not happen automatically. However, a fully trusted assembly could simply call Assembly.Load, supplying as evidence...
אין תגובות

SNK – To Sign or Not to Sign

from: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGGuidelines0003.asp?frame=true · You need to add your assembly to the global assembly cache. If you want your assembly to be shared among multiple applications, then you should add it to the global assembly cache. To add your assembly to the global assembly cache, you need to give it a strong name. Adding an assembly to the global assembly cache ensures that your assembly runs with full trust. · You want to prevent partial trust callers. The CLR prevents partially trusted code from calling a strong named assembly by adding a link demand for the Full Trust...
אין תגובות