First of all, I'd like to thank Guy for his excellent screencast - very convenient, so thanks.
Specifically, I liked the introductory screencast for WCF, which can be found here: http://blogs.microsoft.co.il/blogs/bursteg/pages/WCF-Introduction-Demo-_2800_ScreenCast_2900_.aspx
It is dubbed in Hebrew, but the screens flip in such a logical way that someone who does not understand Hebrew will be fine - go for it - highly recommended for WCF newbies like me.
My interest was to understand the pipeline that a WCF message goes through before it is put on the transport. The idea was to inject some custom modules (inspectors) into the pipeline. Why? Isn't it...
Consider the following ASPX page: Here is why it cannot be accessed: When trying to navigate there you get: Great, love URL authorization!! Now let's examine another ASPX page: When navigating to this page you surprisingly get this: The reason is that when using Server.Transfer, the request to the second page does not go through the whole ASP.NET pipeline, which includes the URL authorization module.
The security part is here: http://msdn2.microsoft.com/en-us/library/ms998375.aspx The performance part is here: http://msdn2.microsoft.com/en-us/library/ms998549.aspx Performance and security have never been good friends - fortunately...
I recently presented the Security Engineering topic during an internal Microsoft convention to an international audience (see Back From Seattle - Another Breathtaking Microsoft Convention), and it went really well until I ran into trouble while trying to connect to the compromised server using Terminal Services. The hack was to exploit dynamic SQL and an over-privileged account to run the nasty xp_cmdshell extended stored procedure (turned off by default in SQL Server 2005 - run the SQL service with the lowest possible privileges) to create an account on the target machine and add it to the local Administrators group. The hack (Stored Procedure Is Not A Silver Bullet Against SQL Injection...
From http://hosted.ap.org/dynamic/stories/T/TECH_TEST_NETWORKED_SPYCAM?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2007-02-08-16-15-46: “If you've ever wondered whether the neighbors are taking a dip in your pool while you're at work or how the baby sitter is really treating your kids, the LukWerks Spy Camera might be for you.” Now let's run a different scenario - you get a cool present from your closest friend and you put it on your desktop. By doing so you just let your “closest friend” and millions of others connected to the Internet spy on you… I know, I know… I am a paranoid guy :) Cheers
From: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9009784&source=rss_topic82 January 30, 2007 (Computerworld) -- The Vermont Agency of Human Services (AHS) today started sending letters to about 70,000 individuals in the state warning them of a computer compromise that may have exposed their Social Security numbers and other personal data. But the AHS server that was hacked stored the data in unencrypted fashion, said Heidi Tringe, communications director for the state agency. Tringe added that the AHS now plans to stop keeping the information on the server altogether. "The original design called for the computer to store the data," she said. "That will no longer happen." According...
It is not about the OS or development platform, but rather about what you do with it and how easily it can be done.
Please read this: Security no matter what the OS
And then go for these, depending on who you are at the current moment:
http://www2.csoonline.com/blog_view.html?CID=28334 "The Tower Group, a research and advisory company focused on the financial services industry, believes that many mobile commerce offerings now emerging from the financial services sector "lack a reasonable and justifiable focus" on mobile security." Great!! We share the same beliefs :) Cheers
http://www.gnucitizen.org/blog/what-happens-to-your-computer-if-you-mispell-googlecom Still hesitating about Security Engineering? Did you read Gadi's blog? Read more: "The Non-Admin blog". And start thinking about how to protect your Web and WinForms apps from XSS. Cheers
"The log-in system used by Nordea has been the target of much criticism during recent months. Users log in to their accounts using their date of birth, a standing four-digit security code and a one-time code." Building your own custom authentication system instead of using an industry-proven one is a recipe for the above. Here are some helpful resources:
How To: Create GenericPrincipal Objects with Forms Authentication
How To: Protect Forms Authentication in ASP.NET 2.0
How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
How To: Use Forms Authentication with Active Directory
How To: Use Forms Authentication with Active Directory in...
This time it is a large retail chain which "suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad". The result: "Between eight and 10 Massachusetts banks have already had customers whose accounts were raided as a result of the breach." Building new retail software or supporting the current one? Security Engineering is your friend. Cheers