How To Hack WCF – New Technology, Old Hacking Tricks

Thursday, March 1, 2007

First off, I'd like to thank Guy for his excellent screencast - very convenient, so thanks. Specifically, I liked the introductory screencast for WCF, which can be found here: http://blogs.microsoft.co.il/blogs/bursteg/pages/WCF-Introduction-Demo-_2800_ScreenCast_2900_.aspx It is dubbed in Hebrew, but the screens flip in such a logical way that one who does not understand Hebrew will be fine - go for it - highly recommended for WCF newbies like me. My interest was to understand the pipeline that the WCF Message goes through before it is put on the transport. The idea was to inject some custom modules (Inspectors) into the pipeline. Why? Is not it...
No comments

Performance Gain – Security Risk

Friday, February 23, 2007

Consider the following ASPX page: Here is why it cannot be accessed: When trying to navigate there you get: Great, love URL authorization!! Now let's examine another ASPX page: When navigating to this page you surprisingly get this: The reason is that when using Server.Transfer, the request to the second page does not go through the whole ASP.NET pipeline, which includes the URL Authorization module. The security part is here: http://msdn2.microsoft.com/en-us/library/ms998375.aspx The performance part is here: http://msdn2.microsoft.com/en-us/library/ms998549.aspx Performance and security have never been good friends - fortunately...
2 comments

Overdoing Home Work Only Hurts

Wednesday, February 14, 2007

I recently presented a Security Engineering topic during an internal Microsoft convention to an international audience (see Back From Seattle - Another Breathtaking Microsoft Convention), and it went really well until I ran into trouble while trying to connect to the compromised server using Terminal Services. The hack was about exploiting Dynamic SQL and an Over Privileged Account to run the nasty xp_cmdshell extended stored procedure (turned off by default in SQL Server 2005 - run the SQL service with the lowest possible privileges) to create an account on the target machine and add it to the local Administrators group. The hack (Stored Procedure Is Not A Silver Bullet Against SQL Injection...
1 comment

Watch Out – Your Closest Friends Might Be Spying On You

Sunday, February 11, 2007

From http://hosted.ap.org/dynamic/stories/T/TECH_TEST_NETWORKED_SPYCAM?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2007-02-08-16-15-46 “If you've ever wondered whether the neighbors are taking a dip in your pool while you're at work or how the baby sitter is really treating your kids, the LukWerks Spy Camera might be for you.” Now let’s run a different scenario - you get a cool present from your closest friend and you put it on your desktop. By doing so you just let your “closest friend” and millions of others connected to the Internet spy on you… I know, I know… I am a paranoid guy :) Cheers
No comments

Another One Is Totally Hacked. 70,000 Individuals Affected

Wednesday, January 31, 2007

From: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9009784&source=rss_topic82 January 30, 2007 (Computerworld) -- The Vermont Agency of Human Services (AHS) today started sending letters to about 70,000 individuals in the state warning them of a computer compromise that may have exposed their Social Security numbers and other personal data. But the AHS server that was hacked stored the data in unencrypted fashion, said Heidi Tringe, communications director for the state agency. Tringe added that the AHS now plans to stop keeping the information on the server altogether. "The original design called for the computer to store the data," she said. "That will no longer happen." According...
No comments

Stop Wasting Your Time Comparing Who Has Bigger One…

Tuesday, January 30, 2007

It is not about the OS or development platform, but rather about what you do with it and how easily it can be done. Please, read this: Security no matter what the OS. And then go for these, depending on who you are at the current moment: Home Users: IT folks: Developers: Cheers
No comments

Say, Got New Shiny Mobile Device? Get Ready To Be Hacked

Tuesday, January 23, 2007

http://www2.csoonline.com/blog_view.html?CID=28334 "The Tower Group, a research and advisory company focused on the financial services industry, believes that many mobile commerce offerings now emerging from the financial services sector "lack a reasonable and justifiable focus" on mobile security." Great!! We share our beliefs :) Cheers
No comments

Very, Very Scary Movie – No Kids Allowed!!

Monday, January 22, 2007

http://www.gnucitizen.org/blog/what-happens-to-your-computer-if-you-mispell-googlecom Still hesitating about Security Engineering? Did you read Gadi's blog? Read more: "The Non-Admin blog". And start thinking about how to protect your Web and WinForm apps from XSS. Cheers
1 comment

Approximately US$1.2 Million, Has Been Stolen From The Scandinavian Bank – Jan 19, 2007

Saturday, January 20, 2007

"The log-in system used by Nordea has been the target of much criticism during recent months. Users log in to their accounts using their date of birth, a standing four-digit security code and a one-time code." Building your own custom authentication system instead of using an industry-proven one is a recipe for the above. Here are some helpful resources: How To: Create GenericPrincipal Objects with Forms Authentication How To: Protect Forms Authentication in ASP.NET 2.0 How To: Use Authorization Manager (AzMan) with ASP.NET 2.0 How To: Use Forms Authentication with Active Directory How To: Use Forms Authentication with Active Directory in...
No comments

Hackers Are Where the Money Is

Friday, January 19, 2007

This time it is a large retail chain which "suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad". The result: "Between eight and 10 Massachusetts banks have already had customers whose accounts were raided as a result of the breach." Building new retail software or supporting the current one? Security Engineering is your friend. Cheers
No comments