Archive for the 'Application Security' Category

by mb
on Feb 17th, 2007

The Program.exe Problem

A couple years ago I mentioned in a SecurityFocus column that Windows has a problem when you put a file named “program.exe” in the system root directory. The problem is basically in how it deals with spaces in paths that don’t have quotes around them. Anyone with the permissions to create a file in the root directory could create a malicious program that could escalate their privileges. Here’s an excerpt from that article: Continue Reading »

by mb
on Feb 15th, 2007

Be Smarter with Account Names

One thing that bothers me about many web sites out there is how I get to (or don’t get to) choose my account name. Sure, many web sites let you have any account name you want, but some web sites just want to use your e-mail address. While this is very convenient for low security sites that you rarely visit, some times it just isn’t appropriate. What do you do, for example, when your e-mail address changes? Continue Reading »

by mb
on Feb 15th, 2007

Patterns & Practices Security Wiki

If you do any kind of .NET web development, it would be well worth your time to dig through Microsoft’s Patterns & Practices Security Wiki

The Wiki is a good index of old articles and a launching point for new articles on secure web development.  Even if you have a small web application, it doesn’t hurt to be part of the solutions, not part of the problem.

by mb
on Feb 6th, 2007

My SSN is showing?

I got an e-mail earlier this week from a financial web site. The e-mail displayed the last 4 digits of my U.S. social security number. Presumably, they didn’t show the entire number for security reasons, but I wondered how secure that really is to show even the last 4 digits. Can someone easily guess my full SSN with just the last 4 digits? Continue Reading »

by mb
on Feb 2nd, 2007

Yet another failed CAPTCHA?

Today I ran across a Firefox add-on that automatically fills out the CAPTCHA form when you log in:
https://addons.mozilla.org/firefox/4381/

Although some might think this is convenient, it obviously shows that eBay’s CAPTCHA, like so many others, fails to prevent automated form filling. So many CAPTCHA’s are poorly implemented either on the development end, the visual end, or on the user experience end that they are starting to get a bad reputation. Continue Reading »

by mb
on Jan 30th, 2007

Pafwert: Smarter Passwords

I am now making available a freeware desktop version of Pafwert, a strong password generator. Although it looks simple on the surface, Pafwert is a complex software application I built based on years of research on passwords and password security.

Pafwert Screenshot - Click for larger view

Larger Screen Shot

Continue Reading »

by mb
on Dec 10th, 2006

Anti-phishing system can make phishing worse

I am constantly frustrated with poor security implementations I see all around the web. Often, these mistakes could be avoided by never breaking the simple security rules. One of these rules wrote about in my book Hacking the Code is that you should always ask for the username and password at the same time. This prevents others from harvesting user names from your login process. User names normally are not secrets, but if someone had collections of usernames from say, banks, they could launch more effective and targeted phishing attacks.

Continue Reading »