Tuesday, May 22, 2012

Everything you ever wanted to know about building a secure password reset feature

Recently I’ve had a couple of opportunities to think again about how a secure password reset function should operate, firstly whilst building this functionality into ASafaWeb and secondly when giving some direction for someone else doing a similar thing. In that second instance, I wanted to point them to a canonical resource on the ins and outs of securely implementing a reset function. Problem is though, there isn’t one, at least not covering everything I believe is important. So here it is.

You see, the world of forgotten passwords is actually a little murky. There are plenty of different perfectly legitimate angles and a bunch of pretty bad ones as well. Chances are you’ve experienced each many times as an end user so let me try and draw on some of these examples to see who’s doing it well, who’s not and what you need to focus on to get it right in your app.

Thursday, May 17, 2012

Talking cloud: Not all .NET roads lead to Microsoft

Strangely enough, there are times when I talk about things that aren’t directly related to security, and yesterday’s guest appearance on the Uhuru podcast was one of these. In fact “the cloud” is something I’m deeply interested in and have spent a lot of time thinking about and working with lately, one significant example of which has been the use of AppHarbor for hosting ASafaWeb.

Yesterday I had a short chat with Michael Surkan from Uhuru Software on how I was adapting to the new world cloud order and particularly what I like about the AppHarbor offering. I’d had some involvement with Azure in the very early days and made the decision to choose AppHarbor about a year back, so hopefully those timeframes put some of my comments in context (but I’m sure people more knowledgeable about Azure than me will call me on the inevitable mistakes in what I said!). This is now up on the Uhuru website:

Listen: Not all .NET roads lead to Microsoft

We had a good chat offline afterwards and one thing that really stuck out is the number of players entering the cloud market and the different angles they’re approaching IaaS / PaaS / SaaS from. It’s great news for those of us on the development side as we can choose from a much broader range of app hosting models than we ever had access to before. Offerings such as Azure are a very different paradigm to the likes of AppHarbor which is very different again to what you get from the Amazon offerings. Good times to be a developer!

Wednesday, May 9, 2012

Speaking about ASP.NET security on the OWASP podcast

I’ve been writing and speaking about OWASP for long enough now that it was probably about time I contributed to the podcast, so when Jim Manico invited me to talk, it was a no-brainer! I had a good chat with Jim about a range of aspects related to ASP.NET: good stuff in the framework, not such good stuff in the framework, where I’m seeing people go wrong with .NET security and then a bit about some of the things I’m doing in terms of writing the OWASP Top 10 for .NET devs and ASafaWeb.

You can listen to it now via MP3 or do yourself a favour and subscribe to the podcast on iTunes or via RSS.

Tuesday, May 8, 2012

Interview with the man behind Comantra, the “cold call virus scammers”

If you live in a western country and have a landline telephone with a listed phone number, chances are you’ve been “cold called” by someone on the other side of the world with an introduction that goes something like this:

“Hello, I am from the Microsoft technical support division and I am calling you because we have detected some problems with your computer. This is very important – I need you to go and turn your computer on right away…”

It doesn’t matter if you have a computer; in fact it doesn’t matter if you’ve never even touched a computer, because these calls are totally random. There is no implicit support service that proactively monitors your computer from a central location. These calls are nothing more than a scam intended to prey on the fear of unsuspecting people who can be convinced there are genuine problems with their PC so that they can be parted from their hard-earned cash for “support” they don’t need.

I had been on the receiving end of this scam myself a number of times, so I began recording several of the events and posting them to YouTube and this blog. Tens of thousands of views and hundreds of comments later, it’s clear this scam is rampant and many people are indeed being stung by it.

So I decided to contact the man behind the company which most frequently features in these scam calls: Comantra. That man is Rajesh Bajaj:

Rajesh Bajaj

I came across Rajesh after doing some basic research on Comantra and a quick Google confirms he is indeed the man to talk to. As it turns out, Rajesh has his own counterview of how Comantra operates and was willing to answer some email questions which I promised to reproduce in their entirety.
